By Tobin Solutions
The podcast currently has 25 episodes available.
In this in-depth Security Awareness Training, host Jeremy Cherny explores how a security incident can occur, as well as how people can best protect their data to remain secure.
What is a Security Incident?
A security incident is any breach of your CIA. CIA is an acronym for three areas. The first is the Confidentiality of your internal and/or external data or systems: a breach occurs when someone who shouldn't have access to your data gets it. The “I” stands for the Integrity of your data and systems, meaning they are safe from corruption and unauthorized changes. Lastly, the “A” refers to the Availability of your systems and data, so they are working and ready when you need them. So when you think of security breaches, think of the Confidentiality, Integrity, and Availability of your data and systems. Remember that security is only as good as its weakest link, so make sure you have all your blind spots covered!
Common Vulnerabilities and Exposures (CVE)
CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. Every time a new security hole is discovered in a device or piece of software, it is given a CVE number. Over time, these vulnerabilities and security holes have been discovered at a much higher rate, which is one of the reasons why cybersecurity is so crucial today. Back in 1999, there were only 1,000 or so CVEs, versus 2018 alone, when over 16,000 CVEs were discovered. Another point to be made about CVEs is that these are only the ones we know about; there could be thousands of other vulnerabilities out there that have yet to be discovered.
Face The Facts
It’s almost certain that you will face multiple security incidents over time. Although any one of them may not be a big issue, it is still important to take the necessary steps to reduce the number and severity of security incidents. It is also important to note that even though you can take steps to reduce the number of incidents, you can’t eliminate them all, because nothing is 100% effective over time. Although security incidents are becoming more complex every day, education, planning, and preparation are the only actions you can take to significantly reduce the number and scope of these incidents and to recover from any security incident you may face. Lastly, we advocate that you trust no one and always verify your security with a third party to ensure that you are staying safe.
Top Reasons You Will Have A Security Incident
What is Security Awareness Training?
Security Awareness Training is training and awareness for your computer users, training as part of onboarding new employees, newsletters and alerts about new security threats and scams, testing and reporting, targeted education for critical roles and repeat offenders, and lastly, ongoing education that never stops.
Host Jeremy Cherny discusses how to use Microsoft Teams as well as best practices.
What is Microsoft Teams?
If you haven't used it before, Microsoft Teams is a bit like texting or messenger on your phone in that it allows you to send messages to individuals, create group chats, and share files such as PDFs or photos. It’s much more than just that, though. You can also create video chats for things such as one-on-ones, group chats, meetings, or video conferencing, and because Teams can access apps such as SharePoint, Planner, and OneNote, just to name a few, your team can work collaboratively on whatever they desire. On the whole, Microsoft Teams helps businesses because it keeps everyone in the know and on the same page, which increases communication, collaboration, and productivity.
Teams and Channels
What is the difference between Teams and Channels? Teams are a collection of people, content, and tools surrounding different projects and outcomes within an organization. Channels are dedicated sections within a team that keep conversations and work organized by specific topics, projects, or disciplines. An easy way to look at it is that the Team is the organization as a whole, and each Channel corresponds to a specific department within that organization. Larger businesses may have to create a specific Team for each department and then create Channels for the specific topics owned by that department. This allows organizations to organize their work and conversations with ease. Whenever you create a Team, a Channel called General is automatically created, and it’s up to you to create other channels that fit your organization best.
Chatting and Conversations
Teams makes it far more efficient to communicate and collaborate, because traditionally all of that communication would have gone through email. With Teams, those conversations show up as chats, which greatly speeds up the communication process. Within Teams, you have the ability to create chats, which Teams calls chat-based collaboration. You can create one-on-one chats, group chats, chats within a specific Channel, chats attached to documents that are being worked on, and so on. How does this speed up the collaboration process? With Teams, your conversations and documents all stay in one centralized location, so you can make changes, add comments, and chat with your team all in one place. Your chats within Teams are persistent, so even after you close Teams, the chats are still there for you to access when you log back on.
Files and Collaboration
Within each team and channel, you have the ability to upload new documents, edit documents, or create new documents. You can even add cloud storage by connecting your Teams account with third-party software such as SharePoint, Dropbox, ShareFile, or Google Drive. One of the best features of Microsoft Teams is that when you are uploading documents you have the option to use the “Co-Author” feature. The Co-Author feature allows multiple people to be in the same document at the same time, working simultaneously. This is beneficial when you have a meeting agenda and multiple people are updating it with their information, or when multiple people are creating a presentation and can work together at the same time, as opposed to emailing the presentation around and working on it one at a time.
Host Jeremy Cherny discusses best practices and how to use Microsoft Planner.
What is Microsoft Planner?
Microsoft Planner does not have a desktop component; it is strictly web-based. It's also available from the apps on your phone and tablet. So right now, there is no desktop component. You go to Office and sign in with your credentials. It's kind of like task management for teams. Some might call it light project management. There are a lot of different ways to look at it depending on how you're going to use it. We've started to use it here at Tobin Solutions for a few small projects, so we understand how these things work and can support them for you.
Create an event
We're going to start by creating a new plan. For the purposes of this project, we're going to create a customer appreciation event. When you create the event, or the Planner plan, you can select the privacy level. By default, it's private: only members that you add can see the contents of it. That would be great if you have a project or plan that is just meant for a few people. If it's something for your whole company, then you would set it to public, and everyone in your company would be able to go in, see that plan, and have access to it. The permissions are not that granular. At this point, you either have access to it or you don't. There's not a lot of ways of controlling access to individual tasks and elements within the plan. Down in the options, you can also add some additional information so people know what this is, like “a party for our favorite customer.”
Groups
One thing I want to point out - and this is an important piece - is Planner works really well hand-in-hand with Microsoft Outlook. So one of the features that you may or may not be aware of with Office 365 is this concept of Groups. Groups are just groups of people in your organization. Those groups get created behind the scenes for your use in different ways. So, since I am part of this customer appreciation party plan, if I open up Outlook, you can now see under Groups, it created this customer appreciation group. When I click on that, it says, “Welcome to the customer appreciation party group.” Groups are a special thing within Outlook. We could do a whole other demonstration and webinar on that. But basically, a group has its own mailbox and its own calendar and stores all the information together. So, if you create a plan, in Planner, it's going to automatically create a group for you. Likewise, if you create a group in Outlook, it's going to automatically create a plan for you that will show up under the plans. So they work hand-in-hand.
Tasks
This is a customer appreciation event, so what are some things we're going to need to do? First, we want to click on the plus sign. Then, I think the first thing we need to do is select a date for our party. That would be a task that we need to do. We may also need to select a venue, which may or may not be at our office. We need to create a team. So I just created a few tasks. Right now these are under what's called a bucket, and this bucket is called To-Do. We're going to talk a little more about buckets as we go forward. You can rename these buckets, but they are essentially lists of tasks. If I open up this task, “create the team,” you'll see it's in the To-Do bucket, but the progress is “not started.” It doesn't have a start date or a due date. There's also no description. So I could start to put that together and say, “When do I want to get this done?” and enter that date.
Host Jeremy Cherny interviews Steve Moscarelli, Regional Sales Manager at Thales Cloud Security
“I knew that the internet was going to be the future when I was in college. I had roommates working at the New Media Lab at MIT and they were involved in building a precursor to the internet for DARPA. I also saw very clearly that the internet was built with no security at all - which really propelled me into my career.”
What are some of the things you read to stay on top of what's happening in the world of security?
So I'd recommend that everybody pay close attention to Dark Reading. In many people's opinion, it is often considered the number one site for keeping up with the constantly changing threat landscape. There's the Phil Venables website, the Bruce Schneier website, Security Current, Security Weekly, Security Week, SANS, Brian Krebs’ website, the MIT Cybersecurity Review. If I were to rank these, I'd have to say, probably Dark Reading, krebsonsecurity, SANS, Security Current. And then there's a lot of specialties: there's Healthcare Information Security, there's Data Breach Today, Payment Security. There's a myriad of places that nobody has enough time to check: Threat Post, Cyber Scoop and HelpNet. However, I think most people look at Dark Reading as often as possible.
You work with a lot of Fortune 500 companies. What do they do for security awareness training?
They do try to trick their own employees sometimes, having them open attachments or click on URLs from emails so they can learn from a safe source. They’re also certainly emphasizing multi-factor authentication and two-factor authentication. At the end of the day, if you're doing anything financial, you want a phone call. I see people doing more things on Slack and on Teams, which is not going through the traditional mail filters and SMTP gateways. People are also shying away from email. People are getting more into channels that are not monitored as much, with everybody working from home, which makes things now the Wild West.
What do you see as the future of information security?
We have to get away from passwords, and that's going to be very difficult to do. If you talk to some of the leaders out there, Bruce Schneier, and Winn Schwartau, and people at SANS like Lance Spitzner, or perhaps Anton Chuvakin, I think that they all would like to find a way to get away from passwords. But that's a very, very difficult proposition to do. Third-party risk management is going to keep being a bigger and bigger thing. Every Tom, Dick and Harry is talking about the hack at SolarWinds right now. And SolarWinds is going to wake up a lot of companies to be very, very careful of their third-party connections. It's obviously the way that a lot of companies are adversely impacted, because they might not be paying attention as much as they should to who they're connected to. Like with the Target breach, that was their HVAC contractor. Starwood Marriott: they had the keys for their Oracle on the Oracle, they had the keys for VMware on their VMware. So the key for your VMware and the key for your Oracle are all on the same machine. So there were two people named in China that not only took the key for the VMware and the key for their Oracle, but they encrypted that data. So in the merger of Starwood and Marriott, there were situations where things fell through the cracks during a merger, and nobody was paying attention to the keys for their VMware and their Oracle. And, you know, obviously, with people going in an often haphazard manner to clouds, things happen, like at Capital One; I think most people know their S3 buckets were very leaky.
Host Jeremy Cherny interviews Joe Dietrich, Manager of Hosting and Storage for Dover Corporation
“Dover Corporation is a diversified global manufacturer. We've got about 325 global locations with about 23,000 employees worldwide. What I do for Dover is lead teams that provide server and storage support, as well as Active Directory support and what we call data protection, which for us means backup and disaster recovery.”
Why is security important?
The systems and applications that run on the servers and storage that my team supports are things like Oracle, our payroll, our accounting software. Those programs are used not only to produce drawings for parts but actually to deliver those drawings and blueprints to the shop floor so that they can do what we call “cut chips.” This means they can actually make parts. This means that security is a key piece of infrastructure. When these programs go down or are unavailable, the company stands to lose significant amounts of money.
I know you don't always work directly with the end-users, you've got the teams you manage, how do you guys stay on top of security threats?
This is going to sound very rudimentary, but every place that I've worked, this has been a bit of a struggle. The first thing you need to do is understand what you have. You need to have a very solid list of the systems that you support. We start with that list because you can't secure what you don't know. For example, you don't know how big to build your fence if you don't know what you're trying to build it around. So it's extremely rudimentary, but it's just looking at: what is the list of things that I'm responsible for? Then you can take that list and say, “Okay, I see I've got 1000 servers. Okay. Do I have an antivirus on all those servers? Do I have them reporting to things like OpenDNS? Or are they sending their logs to Splunk?” So you can't really understand, or you can't really secure things, until you know how many things you have.
Do you ever find that people have blind spots? Like something where someone says, "Oh, where'd this asset come from?"
Absolutely. I know you've been in the business long enough to remember when, if you wanted a server, you bought a physical server. I remember when I came in, servers were monsters; you could not really lose one because they weighed 150 pounds. Now, especially with the proliferation of cloud technologies like Azure, AWS and Google Cloud, it is so easy to spin up new environments. It really just takes a credit card and a few mouse clicks and you can have a 1,000-server farm sitting in Azure. So what we see sometimes is what we consider shadow IT. Shadow IT is where somebody in the engineering department wants to test something out, and they go to aws.com, and they spin up an environment for themselves. They've made it so simple, which is great. It doesn't take the same level of knowledge that it used to when you actually put in those floppy disks to install. We absolutely see that sometimes, and the key then is to make sure that you educate people as to why, even though it's so convenient and so easy, it might not be a good idea for the business.
How do you educate them? How do you keep your team informed on those kinds of things on security awareness?
It's hard because as you know, new technologies are being spawned daily, which makes knowing everything impossible. What we try to do is make sure that as things come up from the various thought leaders throughout our department and some of our trusted partners, that we're getting that knowledge out there either via email, meetings, maybe pieces of training, that kind of thing. We really try to get as much information to the folks on the frontline as we possibly can.
What are some of the things you see that people can do to protect their data online?
Communication is always key. What I mean by that is if you're a small shop, and you've got maybe one IT person, making sure that that person is well-known throughout the company and is seen as someone that's a trusted resource so that somebody won't just go to AWS or Azure and spin stuff up. They'll stop by that person’s desk or they'll ping them on Teams, Skype or whatever, and just say, "Hey, I've got this idea," or "What do you think about this?" That communication is so important so that people don't feel like IT is a roadblock. People understand that IT is really a business accelerator so I think that that's really important. You talk about staying secure online, and a lot of it is just common sense stuff. A lot of people can't even understand what IT professionals do. Well, a lot of it is just extremely common sense. Take the time to read something, take the time to look at links, look at what it’s asking you to do. If you're getting emails and they’re supposedly coming from your boss, read them with a critical eye. If they're using phrases that your boss doesn’t normally use, and they're trying to get you to go around a process and just wire money somewhere that’s probably not your boss. I think part of our problem now is that we always have so much information coming at us that we just zip through things so quickly. We're scrolling through our feed of whatever it might be. It's emails that we don't sit there and read and say, hold on, you know, "Jeremy's emailing me now, and he just used a phrase I've never heard him use." Or it could be something as simple as you know, he spelled "color", but he spelled it "colour," and I've never seen him do that before, is this really him? So I think that time to maybe just slow down for a second and be critical, read things critically is so key. It's not a technology, it's just more common sense stuff.
Do you have any war stories you can share or anything where you guys had an issue or something you maybe even heard of from one of your partners that our listeners would benefit from?
Yeah, absolutely. Unfortunately, it kind of follows the theme of my last answer. We had somebody in a payroll department that saw one of these emails that was supposedly coming from a customer saying, "Hey, we've changed our banking information, now we want our payments to be sent here." Unfortunately, the person I think was trying to just rush through things, and they updated that information in the system. This was something where they sent payments of a pretty substantial amount that just got sent into the ether and then they were gone. There was no recourse. If I remember correctly, it was sent outside the US, and the laws and the ability of the US to reach out and reclaim this money are limited. So it was somebody just rushing through things and not reading it with a critical eye. That's actually where I got that example of “color” vs “colour”; it was actually from that. It was supposed to come from somebody that they had been speaking to, and they just didn't read it critically, and unfortunately, it was a substantial monetary problem.
This week, we're doing something a little different on the Security Strong Podcast. It's just me, we're doing kind of a fireside chat mode here. I'm sitting in a rocking chair near the fire and I am thinking about the various awesome guests we've had since we started the podcast, I'm thinking about what we do as a security company, and I thought why don't we share some of the best practices and go through a top list of things that you can do to stay secure.
Security as a Process, Not a Product
A lot of times when people think about security, they're thinking about buying the basics; they're thinking about buying a firewall or antivirus software. Those are products you buy, and those are critical, because we want to make sure we're getting those. But those things are obvious, and if they're not configured properly, if they're not used properly, you still have a security hole. That's why we refer to security as a process, not a product. You might think about it like your home, where you have a lock on your front door to keep you secure, but it's engaging the lock when you’re walking out of the house that really keeps you secure. The other thing we talk about is that you've got all these different things for security. You've got the antivirus, you've got the firewall, you've got the processes down, but security is really only as good as its weakest link. So as we're talking about these different things, you want to ask whether any of these are weak links for you, because that's where the breach is likely to happen.
Why Security?
Security is really about the confidentiality of your systems, the integrity of your systems, and the availability of your systems. Confidentiality of your internal and external data means making sure that only authorized users are seeing that information. Integrity of your data means making sure it's not changing, so people don't mess with your payroll, and no one who isn’t supposed to be messing with your contracts is messing with your contracts. Lastly is the availability of your systems, because if you can't get access to your data, you can't get access to the business programs you use.
User Accounts
User accounts are the IDs you use to log in to your computer. The user you log in as is assigned various permissions and rights, and there are two basic categories of users: administrative users and standard users. Administrators can install software, modify software, and change the configuration of software, whereas standard users typically can't. One study determined that running as a standard user would prevent attackers from exploiting 94% of the critical vulnerabilities that Microsoft patched in that same year. It used to be a very common practice for everyone to be an administrator because it was the easiest, but it's less common now. The action for this is to make sure you create a separate log-on ID with administrator privileges and only use that administrator account when you have to administer the system, like when you're patching and modifying software; otherwise, run as a standard user. That way, if you happen to catch some malware, it's less likely to impact you and your system, because it can't do much when it's not running as an administrator.
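One way to check the point above on a Windows machine, as an added example that is not from the podcast or Tobin Solutions: it reports whether the current session is elevated, lists who holds local Administrators membership, flags the day-to-day account if it is an admin, and wraps the "separate admin account" action in a helper. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets; the account names in the comments are placeholders.

```powershell
# Added example (not from the podcast). Audits local admin rights and provides a helper
# that implements the episode's advice: a separate admin ID, daily login as a standard user.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember, New-LocalUser, etc. are built in).

# 1. Is this session itself running elevated?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current user: $($identity.Name)   Elevated: $elevated"

# 2. Who is in the local Administrators group? (Name looks like MACHINE\user.)
$admins = Get-LocalGroupMember -Group 'Administrators'
Write-Host "`nMembers of local Administrators:"
$admins | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# 3. Flag the day-to-day account if it is an administrator (the weak link the episode describes).
if ($admins.Name -contains $identity.Name) {
    Write-Warning "$($identity.Name) is a local administrator; daily work should run as a standard user."
}

# 4. The recommended action, as a helper. Run from an elevated prompt.
#    Example names are placeholders: -DailyUser 'jane' -AdminUser 'jane-admin'.
function New-SeparateAdminAccount {
    param(
        [Parameter(Mandatory)] [string] $DailyUser,   # account used for everyday work
        [Parameter(Mandatory)] [string] $AdminUser    # new account used only to administer
    )
    $pw = Read-Host -AsSecureString "Password for $AdminUser"
    New-LocalUser -Name $AdminUser -Password $pw -Description 'Admin-only account' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser

    # Demote the daily account only after confirming the new admin account can log in;
    # removing the last working administrator would lock you out of administering the machine.
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
    Add-LocalGroupMember -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue
    Write-Host "$DailyUser is now a standard user; use $AdminUser only for administration."
}
```

Re-running the audit section afterwards should show the daily account gone from the Administrators list and the new admin account present.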
Password Policies
Strong passwords are passwords that are hard to guess or crack. When I think about passwords, I like to think of one of my favorite sci-fi movies, WarGames: when he was sent to the principal's office, he wanted to get the password to the school's computers so he could change his grades. He opened up a drawer, and in there was a piece of paper listing the current password as “pencil.” So you want to make sure you're not using any single words, anything found in a dictionary, or any common phrases. It is better to use special characters, numbers, upper and lowercase letters, and even spaces. All of that makes for a good, complex password, and if you need to pad it, add some characters or even a common phrase to the end of a complex password, because length is critical when it comes to a password. The longer the password, the more complex it is, and the longer it takes for a computer to brute force or guess it. Also, do not reuse passwords across systems, especially websites and cloud services, because if one password gets out of your control, they're going to try that password on all the different systems out there. You also want to use a password manager. That way your passwords are kept in the password manager's database, a secure, strong database that can't be hacked. So the action for today is to verify that your passwords are strong.
Visit https://tobinsolutions.com/ to learn more!
Join us for our next episode by connecting with us at http://securitystrongpodcast.com/
Host Jeremy Cherny interviews Amy Fallucca, CEO of Bravent
“Bravent has been around for about four years. We are an HR consulting and recruiting company. On the HR side, we help with anything from handbooks, to advising on terminations, or employee performance. Then on the recruiting side, we work on a range of positions; professional, technical, and executive. We leverage technology to be really efficient in our process, and by doing that, we're able to save our clients money. We're typically about half the cost of contingent placement firms.”
Can you speak a little about security around your process in HR, and why security is important around that?
HR is not typically known as being the most tech-savvy group of people, I would say. Things are advancing, and I'm fortunate to have worked for over 10 years within information technology companies, so I think I'm a little unique from that standpoint. Security in human resources is so important because people are our biggest asset within our businesses. As HR professionals or business owners, it's so critical that we securely store the sensitive information we collect from employees, because if we don't do that, we're really breaching trust.
How do you stay on top of the security threats and issues that are out there in the HR world?
One major thing that I would advise people is just don't collect sensitive information you don't need. Minimize the amount of information that you even have. For example, I saw an application that had a social security number on it; that really doesn't need to be on the job application. You can collect that at a later point in time. So, number one is don't collect sensitive information that you don't need. Number two would be to leverage digital collection. If there is that type of information (social security numbers, dates of birth, medical information), leverage self-service entry as much as possible. So for example, if you're running a background check, many of the services give the candidate a link where they can go and enter things like their social security number; I recommend that as much as possible. The same thing goes for your employees or the people who are on your team. As much as possible, have digital records in an HRIS system that's secure, versus physical files. Then the third: if you use physical storage, really make sure that it's secured. This is something that we see frequently when we go and do audits of companies. The employee files might be in a file cabinet, but it's in an office where the door is open and the cabinet isn’t locked. So really, fundamental physical storage best practices, like keeping it in a locked file cabinet, having designated key holders to prevent any unauthorized access, and then knowing your record retention standards and purging things regularly.
You talk about the storage, the physical versus the digital. Are there rules for how long they have to keep any copies of any of that specific information, either paper or digital?
There are federal and state standards for how long to retain certain types of documents. It depends on the document and where you're located. I would say typically, it's between five and seven years. Again, one thing I commonly see is either they haven't stored it for long enough or they store it forever. So we've gone into companies that have been in business for 30 years, and they literally have all their paperwork for employees with social security numbers, going back that whole length of time. I think it's always great every few years to take a look at what records you have, and purge those old records according to those standards. You can do a quick Google search to find human resources record retention regulations.
Are there any best practices for HRIS systems for protecting important data?
Having proper permissions set up is a major thing. Ensuring that the human resources department vs. the managers vs. the employees all have the proper permissions - that’s one thing that can go wrong. Other than that, making sure that you do good research on the tool and understanding what their approach or level of sophistication related to security is. At this point in the game, there are tons of great HRIS systems out there that are affordable and secure. I think it's always nice to go that route, especially in a situation like COVID where you can access your data wherever you're at as opposed to having them look in those physical file folders. So I love digital.
What do you see as the future of HR information security?
As we look at the technology, I think automation of low-value, repetitive tasks is really going to continue to increase. We're seeing it now, but it's just going to expand as technology advances and becomes more sophisticated. When I first started my career, I remember using a recruiting system that was so basic, it was basically an Access database. It was really difficult to search, difficult to track people through a workflow. Now, we have really great recruiting systems that can post jobs automatically. I can remember going on Dice or Milwaukee Jobs and having to manually post in each of those places, and now with just the click of a button that can be done. Also with things like workflow automation. If we have 50 applicants for a position, we can do Boolean search strings to find the people that are the closest match. This helps us with reviewing. Maybe in the future that happens in a more automatic way, as opposed to having to build those strings. We also have an AI sourcing tool, which is really neat. It pulls the job descriptions that we have and uses the language to go out on the web to a huge number of different sources to find people that are a fit for the job. They also have some indicators in terms of who they think is more active vs. passive. It's good now, but I think in the future it's going to be great if it can do some things in terms of automating outreach in a more personalized way rather than just sending out generic emails. I think that's coming; it's just only a matter of time until it starts happening.
Host Jeremy Cherny interviews Max Palzewicz, Director of Operations at Rocketman Tech
“I started out my career in public accounting, primarily working with and advising small business owners. I got my CPA and I was able to join my dad and uncle's business coaching firm, Action Coach of Southeastern Wisconsin, where I worked for a few years. I carved out a niche for myself focusing on the financials for business owners: teaching business owners how to be financially literate, how to read and analyze their financial statements, and also how to produce good numbers so they could make sound decisions with them. After that chapter, I realized I wanted to actually do it myself, and I wanted to go out and prove that I could build a business on my own. A friend tossed out the idea to me in late 2018 that I should learn how to implement a software called Jamf Pro. What they do is they have a mobile device management software that specializes in Apple devices, so macOS and iOS. So that's what we started doing, and I got certified to implement the software. But something happened in early 2019, where Jamf Pro stopped requiring the onboarding engagement for clients to use the software. So our whole business model of doing these one-off software implementations had been turned on its head. What we did instead was we took his Rolodex of 200 or so companies and we turned it into a CRM, and we started email marketing. From that, I realized that not only was his skill set highly sought after, but these system administrators that are macOS-specific also make upwards of six figures or more in a lot of the businesses they work in. So it's a sought-after skill and position, but it's also highly transferable, where people are frequently job-hopping in this space, and they tend to leave in their wake procedures that were poorly documented, because it was their job security; it was in their best interest to do everything themselves in the macOS management space and not really document well. We realized there was a great need for a service IT company to specialize in this. A lot of IT companies try to be all things to all people, so they'll do an entire vertical of services for their clients. We decided to just focus on this one thing, and that was managing Apple devices for enterprise companies.”
I don't know if all our listeners know exactly what mobile device management is nor where it fits in with security. Can you say a bit more about that?
MDM (Mobile Device Management) is kind of one of those pillars that you look for when you do a SOC 2 compliance test or any of those security benchmarks or standards, whether you're getting a SOC 2 audit, or an ISO 27001 audit, or if you're just trying to follow the CIS benchmarks. Generally, you need mobile device management software to meet that compliance framework. So where MDM comes in, and Jamf Pro specifically, is it's a software that's designed to interact with the management framework on iOS and macOS devices. So it allows IT to remotely interact with and provision these devices, so you can push down things like configuration profiles, where you might interact with System Preferences. You can also push out policies where you're deploying software or deploying different objects to the computers. But the whole idea is to allow IT to remotely interact at scale, with hundreds of thousands of devices, so they don't have to do the old sneakernet of going around and troubleshooting each device individually.
What about mobile device management has improved security for people? Security is always evolving; how does Rocketman Tech stay on top of those security threats?
What we've noticed is the modern standard for enterprise, especially in this remote work environment, is to move towards something called zero-touch deployment with a cloud identity provider through your MDM. So what most of these enterprise companies are doing, and I mean the market share tends to lean heavily towards Microsoft Azure AD for cloud identity. There are probably five or six other major players in there: Google has one, Ping has one, Okta is a great one for startups and smaller companies. But Azure AD seems to be the gold standard for the Fortune 500. Conversely, for Apple device management, Jamf Pro seems to be the best in class for managing macOS. So all these companies are striving towards this goal that's just barely out of reach, called zero-touch deployment. The reason it's out of reach is that they have security teams that were initially developed to manage a primarily Windows environment. But what we've seen over the last couple of decades, with executives, marketing teams, design teams, and then different developers, you start to have an influx of macOS computers in the enterprise space, and you still need to have those computers be in compliance and be secure when they're connecting to the local area network or VPN, or just using sensitive information. But what we've seen is, as we onboard those first few hundred computers that are Macs and not Windows PCs, it creates kind of a wild west environment. So the security team that was used to managing the Windows environment is trying to extrapolate or apply those Windows requirements to the Apple devices or macOS computers. We find that in some cases that isn't quite appropriate, and it can cause some snags in that goal of getting to zero-touch.
What's an example of something that gets in the way of that, which would be a Windows thing that doesn't apply to the world of Mac?
I think that's a good segue into what the differences are between macOS and Windows when you talk about security, because a lot of antivirus and malware and firewall stuff has been created for the Windows environment. Whereas macOS has a number of built-in security features that are unique to it, built-in meaning they don't need third-party software to operate effectively. So for firewalls, Windows will use McAfee; you'll use the web proxy and the agent. But macOS has a built-in network firewall. On the Windows side, you might use something called Kaspersky to scan applications you download from the internet. macOS has something called Gatekeeper that checks for a developer certificate and now checks for a notarization from Apple too. You might have malware removal and protection. So something like Symantec for Windows; Apple has XProtect that's already built into the framework and that will detect downloaded files and scan for malware as it comes in. BitDefender is a market leader on the Windows side too for interacting with the management framework of Windows. Apple has System Integrity Protection so that third-party software can't really modify or overwrite any system files. That's where we saw kernel extensions with High Sierra 10.13 and system extensions now with Catalina.
What are you seeing as the future of information security?
That's a great question that can go in a number of directions. At least for the Apple side, I see that Apple devices will continue to gain market share and prevalence in enterprise environments because, generally, our workforce is growing for the millennial cohort and that cohort tends to lean more heavily to wanting to use a Mac versus a PC. That's basically what we've done for a lot of these enterprise companies: we've created that proof of concept for the first 50 to 200, or 300 Macs to say, "Hey, these can work in your environment, and they can work securely, and they're going to improve productivity in the long run, because you're going to have fewer helpdesk tickets, and your users are going to be more satisfied." So number one, I see that trend continuing: Apple is going to continue to gain market share in the enterprise space, because they've probably tapped out the consumer in terms of what they can sell to them. I'm sure they've got a few more tricks up their sleeve, but I think this is really the next frontier for them. That's also what we see in the MDM landscape, because Jamf Pro seized that monopolistic market share at first. But now we see these other companies like Addigy and Kandji starting to get funding and create MDMs that are similar, if not better than Jamf Pro, and start to chip away at that market share. So those are a couple of trends I see continuing, more globally. This might be a hot take, based on what we've seen with the congressional hearings and big tech, but I can see AWS and Azure potentially being split off from Amazon and Microsoft respectively, being separate companies. The same with telecom and internet. Those companies have been trying to merge for years because they want to gain those efficiencies. I think it's very possible that telecom, internet, 5G and cloud hosting, all that storage, becomes something that more closely resembles a public utility. Because it might just be in the public's best interest to allow those to operate as monopolies.
But they would have to more closely resemble a public utility then.
Do you have any other side projects or fun activities besides Rocketman Tech you would like to share?
I've always been kind of enamored with creating something that can work without you. For the most part, I've done that with my role at Rocketman by handing over the business development and sales to someone else, recruiting and onboarding another engineer to help with the project management and the execution of projects. So for about the last 10 months, I've been kind of acting as a scrum master on a startup that has been making a mobile app for the music industry. It's an app that functions similarly to Google Calendar, but it allows users to be on the same calendar domain so different users can see each other's availability, and then create events and schedule with each other. I'm a musician on the side too; I play saxophone and keys. So I wanted to create something that would make our lives a lot easier for networking. So I've been acting as a scrum master, where I kind of lead the designer and developer and product owner to get the app stable, free of bugs, develop new features, and consider the user design and the feedback there. Now we're looking at releasing it on the App Store and Google Play probably in quarter 2 of 2021, right around when the weather starts turning again and we see music happening outside again in the Midwest.
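The built-in macOS protections Max lists earlier in this interview (the application firewall, Gatekeeper with notarization, System Integrity Protection) are exactly the controls a CIS benchmark or a SOC 2 auditor expects an MDM to keep switched on. As an added example, not code from the podcast, from Rocketman Tech or from Jamf, here is a small Python script that checks whether they are enabled by parsing the output of Apple's own status commands (csrutil, spctl, socketfilterfw). The sample outputs are constructed, and the exact wording those commands print is an assumption to confirm on the macOS release you manage:

```python
"""Baseline check for the macOS protections discussed in the interview:
System Integrity Protection, Gatekeeper and the built-in application firewall.

Added example, not Rocketman Tech's or Jamf's code. It parses the output of
Apple's own status commands, so it can run over captured output (the constructed
samples below) or live on a Mac. The output strings matched here are assumed
from macOS 10.13 to 12 and should be verified on your own release.
"""
import platform
import subprocess
from typing import Dict, List, Optional, Tuple

# Status commands that ship with macOS (paths/flags assumed, see docstring).
STATUS_COMMANDS: Dict[str, List[str]] = {
    "sip": ["csrutil", "status"],
    "gatekeeper": ["spctl", "--status"],
    "firewall": ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
}

# Constructed sample output (NOT captured from a real machine): a Mac with SIP
# and Gatekeeper on but the application firewall switched off.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "sip": "System Integrity Protection status: enabled.\n",
    "gatekeeper": "assessments enabled\n",
    "firewall": "Firewall is disabled. (State = 0)\n",
}

# Constructed sample of `spctl --assess --verbose=2 <app>` for a notarized app.
SAMPLE_ASSESSMENT = (
    "/Applications/Example.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)


def parse_sip(output: str) -> bool:
    """csrutil prints 'System Integrity Protection status: enabled.' when SIP is on."""
    return "status: enabled" in output.lower()


def parse_gatekeeper(output: str) -> bool:
    """spctl --status prints 'assessments enabled' when Gatekeeper is on."""
    return output.strip().lower().startswith("assessments enabled")


def parse_firewall(output: str) -> bool:
    """socketfilterfw prints 'Firewall is enabled. (State = 1)' (or State = 2 for
    block-all) when the application firewall is on; State = 0 means off."""
    return "firewall is enabled" in output.lower()


PARSERS = {"sip": parse_sip, "gatekeeper": parse_gatekeeper, "firewall": parse_firewall}


def evaluate(outputs: Dict[str, str]) -> Dict[str, bool]:
    """Map each control name to True (enabled) or False (disabled or unknown)."""
    return {name: PARSERS[name](outputs.get(name, "")) for name in PARSERS}


def failing_controls(outputs: Dict[str, str]) -> List[str]:
    """Names of the controls that are off, sorted for stable reporting."""
    return sorted(name for name, ok in evaluate(outputs).items() if not ok)


def parse_assessment(output: str) -> Tuple[bool, Optional[str]]:
    """Parse a Gatekeeper assessment report into (accepted?, source such as
    'Notarized Developer ID'). spctl writes this report to stderr."""
    accepted = False
    source: Optional[str] = None
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.startswith("source="):
            source = line[len("source="):]
    return accepted, source


def collect_live() -> Dict[str, str]:
    """Run the status commands on the current machine (macOS only)."""
    if platform.system() != "Darwin":
        raise RuntimeError("these commands exist only on macOS")
    outputs: Dict[str, str] = {}
    for name, cmd in STATUS_COMMANDS.items():
        proc = subprocess.run(cmd, capture_output=True, text=True)
        outputs[name] = proc.stdout + proc.stderr  # some tools report on stderr
    return outputs


if __name__ == "__main__":
    outputs = collect_live() if platform.system() == "Darwin" else SAMPLE_OUTPUTS
    for control, enabled in evaluate(outputs).items():
        print(f"{control:10s} {'enabled' if enabled else 'DISABLED'}")
    print("failing:", failing_controls(outputs) or "none")
```

Run on a Mac it reports the live state; elsewhere it evaluates the constructed samples and flags the firewall as the failing control. An MDM would normally enforce these settings, so a script like this is a spot check against what the MDM claims, not a replacement for it.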
Host: Jeremy Cherny interviews Jason Claycomb, Founder of INARMA
“INARMA is a professional services firm. The short tagline is ‘We assess controls.’ So I really like how you think of security as a process and not a product - that’s exactly what we do. We help people with the process around security. Yes, there are products involved, but those are types of solutions and we help people pick the right solutions.”
Why is security so important to you and your clients?
We've all got sensitive data. There isn’t any business that does not have sensitive data in it or where the data isn't critical to the running of the business. So we want to protect that data because, at a minimum, we've got to protect our reputation. But in some regulated industries, you have to protect data even more because of the various laws and regulations. At a minimum, hackers are going to go after credit cards, bank account numbers, Social Security numbers, and we've all got that kind of stuff in our companies.
How do you stay on top of the latest security threats and the things your clients need to know about?
I live in this space, right? I’m talking to vendors, I’m talking to clients about what problems they’re having. I get emails from vendors and “security alert” types of services. All of the ones I use are free, too. So from there I can pick and choose what is relevant information that I need to know or my clients need to know based on what kind of clients they are. Also, podcasts like this one are super helpful as well.
How do you talk to clients about the importance of security awareness and how do you go about that training?
A lot of companies have this sort of attitude of, “It can't happen here.” The problem is, it can. Everybody is a target, though some companies are bigger targets. But for example, any one of the listeners right now, their website and their external email servers are being scanned for vulnerabilities as we speak. And so if we're not up to date, hackers are going to see the vulnerability and try and get in. Also, all of this is automated, so when we look overall at the big data breaches and the big dollar losses, that's in the big companies. However, it’s something like 60% of losses, due to any kind of cyber breach or cybersecurity computer breach, are out of small businesses. So we have to be diligent too.
What are some security tips you can give our listeners?
Whether it’s the personal side or the business side, be careful about what you post out there. People can get passwords or password reset answers from a lot of the things you’re putting online. For business, you should be thinking about how important your data is. What type is it? How critical is it? What types of protections do you have around it? Enabling multi-factor authentication is a big one. Not just relying on an ID and a password.
Host: Jeremy Cherny interviews Lori McDonald, President and CEO of Brilliance Business Solutions
“I started my career at NASA Johnson Space Center as a flight controller for the space shuttle program where I met my husband. He went on to work for Rockwell Automation and got a promotion that brought us to Milwaukee. I was trying to figure out what was as cool as space and decided the internet looked like a cool place to be. So I started Brilliance Business Solutions, a web development company with a niche in helping manufacturers and distributors implement digital commerce solutions, in 1998. Just this year we made the Inc. 5000 list.”
Why is security so important and how does that show up in your business?
We help companies to sell products online. So the solutions we build have to be secure. For customers to choose to work with us, they have to have confidence that we're helping them to build secure solutions. We have to give good advice to customers about how they go about the process of doing that, and by providing secure digital solutions, our clients give their end customers the confidence to do business with them online. So for us, it's really just a necessity in the work we do.
How do you guys stay on top of all the latest security threats?
It is something that you constantly have to work to stay on top of. So in terms of e-commerce security, one aspect is something called PCI compliance, for the payment card industry. They have a set of standards that you have to meet in order to be able to accept credit cards. It has a series of steps that you have to take in terms of scanning sites, ensuring that your sites are meeting and passing those scans. Those processes end up being very educational. The reality is the threats are constantly changing, and you have to stay on top of aligning yourselves with other vendors in the market, software platforms that are actively working to keep their platforms secure and minimize the vulnerabilities that may exist. So training on what those platforms are doing. We are also clients of Gartner research. So we attend events that talk about best practices with respect to what's happening in digital commerce and security.
What is something people can do to protect their websites from being attacked?
One of the things that you want to ensure that you're doing is to stay on the latest version of whatever software you're running and to ensure you're applying any patches that may be available from a security perspective. A lot of companies we work with don't always stay on the latest version, it might not be feasible. But to be aware of how long it's been since your last upgrade, and what vulnerabilities exist in the application to be keeping a really close eye on that - it will depend on what platform you're on - but that's one of the most likely ways that people get hacked. Just ensuring that attention is being paid is a huge thing. When you allow your platform to be out of date, especially if it's no longer supported, that's where you can really get into trouble.
What do you see as the future of information security, especially for e-commerce websites?
Personal data privacy is growing in importance. I've been talking a lot about credit card data, but personal data is extremely important. We work with a fair amount of customers who are doing business globally. GDPR is something that comes up, which stands for General Data Protection Regulation. It's a European standard that must be met for EU citizens, and we can have EU citizens in the US as well. It maintains rules around how we need to enable people to ask for what data we have on file for them, allow people to remove their data, and give them choices about how their data is being used. California has its guideline around data privacy as well. And I think we're going to be seeing more rules, requirements and regulations around data privacy, especially as we all gain awareness of how our data is being used.