Session 1
Video Transcript
Great. Welcome everybody. We are live here with John Strand. John, good to have you with us. I heard you were battling that nasty covid. Um, it looks like you're back from the abyss. How you feeling? Yeah. Um, I would give it two outta 10 stars. Would not recommend. Um, no, I, I, I got it bad. Um, like the whole, like body aches and coughing and I got on Paxlovid. Paxlovid was awesome. And, uh, my doctor when I was like, this sucks, this sucks. They're like, well, this is a mild case.
I'm like, what the hell? Um, so I'm very lucky. Um, double vaxxed and boosted, and now I've got Paxlovid, so I'm feeling a lot better now. Um, I still have a brain fog, uh, like, you know, Joe versus the Volcano or Brain Cloud, I think it was in that movie. Um, so still recovering, but, um, looking forward to getting back in full speed in the next week and a half or so. Oh, it's great. It's great to have you back.
Um, so John, I, as I was sharing with you, um, I'm gonna leave you with the group here. I've gotta jump to a, I was double booked, um, but I'm excited to hear how everything goes today. Um, I've got my phone right near me, should you need any technical stuff, I'll be right back. But I'm gonna leave you all in great hands, uh, with John. So have an awesome session everybody. Thank you so much. Good luck, Andrew. Yeah. Alright, everybody.
Um, first I wanna say thank you so much, uh, for joining and hanging out with us this afternoon. Um, I really, really, really appreciate it, especially the feedback that we've been getting for you all. Some of the feedback was like, super easy, like kind of breaking things up into better categories and making it flow a little better. Some of it's gonna take a little bit more time on, on our side, um, but no, yes, it becomes, you know, phantom ware, right? Like, it's, it's important.
We've got our top people working on it, our top people. Um, but I kind of wanted to cover what are some upcoming, exciting things that are coming up with the, uh, with the classes and what we're doing specifically in the MSP space. And then, um, I've got a question for you.
Um, and then I'm gonna move into some news stories that are of interest to me and some of the things that we're seeing at Black Hills Information Security, um, insofar as like incident response, and then also on the penetration testing side, uh, as well. So the first thing I wanna do is I wanna share my screen and I'm just gonna share my browser window. So I'm gonna share myself, sharing myself, sharing myself, and I'm gonna go right here into, um, security for MSP class.
And I wanna talk about like, where we're at as far as the design, the UI, why we set things up the way that we did, and, uh, how this is going to change moving forward in the future based on your feedback. Which, once again, I'm very appreciative of your feedback. And if you have any questions at any time, type it in. I'll come back to the Ask Me Anything window and I will answer those questions.
So the first thing is, one of the problems that, uh, we kind of noticed is if you did a search on MSP and you have like MSP CIS and you click on this video and you watch this video, this is a very short introduction video. Um, that's really not my best picture to start this video on. Um, but it's just like a very short intro video. Uh, if we go back, um, we have some other ones as well. Um, let's go MSP again. But a lot of these are really short.
And if you look at this video in and of itself, right? If I look at multifactor authentication, um, this particular video makes absolutely like, like it's just very short five minutes and 51 seconds. And the way that the class was structured is it was meant to feed into the next section. So this is one of those things that we need to get fixed.
Um, and we've got a plan on getting it fixed, is the videos need to automatically play from this into the next section that's directly next to it, where it goes into password controls, where it goes into, uh, password spraying, and it continues to build on that concept. Um, and that's just, you know, like good play in the way that this thing needs to work. And right now, the way it is in Brightspace is you have to click the next arrow to go to the next video.
But if you're trying just to get to like MSP multi-factor authentication by itself, it's like this quick setup and then nothing. Um, whereas in the context of the class, it's a quick setup and then it starts talking about the actual technical controls associated with what are the attacks, what are the controls? How do we do an audit?
So it makes more sense as it flows from the rest of it, but it would only make sense if we can get it to the point where Brightspace autoplays, uh, the next video. Now, Brightspace in and of themselves are like, oh yeah, we've got that, that's one of our things that we're gonna do. But there's a way that we can create the, uh, entire class in Adobe where we can set it up. So each one of these sections will automatically feed into the next section and just continue to play.
So it'll be like a carousel. So things will make more sense. Um, 'cause I've gotten a couple of people that are like, you know, you talk about this thing and it's only like five minutes and then that's it. Um, and I, it, it, it looks that way if you just go straight to that video.
But if it autoplayed the next videos, um, then it would make a lot more sense, um, as it breaks down, um, the rest of the content as it relates to everything else that's going on around that initial, uh, video that we have. So in order for us to do that, we, I think it's called score. Um, I might be mispronouncing it. Um, but it's something you do to develop course content in Adobe and then you can upload it into Brightspace.
So we basically have to just take the entire class, recreate it in that, and then upload it back up. Uh, so it takes some time for us to do that. So that is one of the concerns that we had. We can also change the look and feel of it. Um, we had a couple of people, like it's really basic. It's just like white background, could it look cooler? And we're working on making it look cooler, uh, as well. So that is something that we were working on, uh, for that.
But it's kind of cool we're getting down to some small usability things. Like you gotta click an arrow to go to the next video. I want it to autoplay. Those are small things, um, that I think are really cool. The other thing that is done, uh, let me, gosh, okay, we are creating a manager role. So instead of being confronted with 276 modules, um, if a larger company buys multiple licenses, there's a capability of creating a manager where you can assign specific modules.
Uh, so instead of dumping absolutely everything on everyone at once, you can actually fine-tune it down. Now, just for the record, I firmly believe that people aren't going to use that. Um, people are asking for it. They're like, that's a lot and we wanna just give a handful of modules. But the problem is, what you're gonna end up with is, are you gonna manage that for 10, 15 people?
It sounds like a good idea, but I think the reality of it is people are just gonna be like, here's a whole bunch of content, swim. Um, and kind of go through it. Or if you're trying to learn something, you go to the specific section. Uh, like if I wanna do memory analysis, we're gonna go into memory analysis, we're gonna talk about Volatility. We've got step-by-step labs on how to do it, and that's how you're gonna get started. Um, it, it's kind of like Henry Ford.
You know, if, if we would've listened to our customers, um, we would've built a faster horse. So we're creating that because people are asking for it. And I do think that we're gonna get a lot more people that ask for it, but I believe that a small percentage of people will actually use it. Um, 'cause trying to manage all of this for all of the employees is gonna be somewhat difficult. Now, on the content thing, yeah, we have 276 individual videos. Um, there's about to be more.
Um, so if I go back to Antisyphon, um, the other class that's going to be added into this, uh, here in a second, um, not a second, it's gonna be in the next couple of days, is going to be the, um, cyber deception class. Um, and I've been talking about this. We've just had to get enough people. We have a lot of classes. These are currently all the classes that we have, um, in the can right now.
So the Cyber deception class is going to be coming up, uh, next, and it's going to be added to the, um, MSP course as well. Now, with that in mind, one of the things I wanted to ask you, and I don't know how you feel about it, um, intro to pen testing is a class that I literally just wrote, and it is just a class on how to get started in penetration testing. Is this something I know it's kind of like I ask you all, like, I'm gonna stop sharing.
Would you like me to put the intro to pen testing classes? Uh, the class in as well. Okay, so you do want that? Oh, okay. And like I said, I've been kind of surprised 'cause like we have like this, this kind of feedback, Patrick, not really. Um, and the reason why I think it's important for MSPs is I think like, uh, here, lemme put it to you this way. This is a whole nother business unit that your company can do, right? And in this class we go through how to set up rules of engagement.
How do you set up scope? How do you set up a contract? How do you avoid things that are gonna burn your customers' networks to the ground? It is literally one of those things that I think that, um, I think that could help MSPs. And I'm literally creating more competition for Black Hills Information Security. But I think it's a, it's important. Um, okay, so the cybersecurity management and leadership class that is not mine, that is, that is owned by Chris Brent.
Um, so that is a completely different course. And, um, so we might be doing that. Now. We're based on this model on what we have. We are going to be opening up sales for Antisyphon, where $98 a month gets you access to the entire catalog. So once again, I don't know if MSPs would be interested in that. Lemme share the window. Uh, it's right here.
So instead of just getting access to your three classes, um, basically what it's going to do is all 19 classes, uh, your team would get access to everything. So Regular Expressions, Network Forensics, Security Leadership would be in that. Um, Network Forensics, Hunting with Packets, Windows Post-Exploitation, C2 Emulation, all of that, uh, Breaching the Cloud with Beau Bullock. Um, all of that would come in. And that's something we're gonna be charging, um, $98 a month for.
Uh, so be on the lookout for that. And we do have to charge more for it just because I have just a lot of classes. And that would be an upgrade of course for you all. But my, my main goal on this is just like, now I showed you all this. You're like, I want that class. I want that class, I want that class. Um, I seriously want this to be the best possible training money you would ever spend anywhere in your entire, um, in your career. And you talked about Pluralsight, right?
I think Derek brought up a really great point. Uh, absolutely. Pluralsight has a library and you can subscribe to it and we're gonna make the individual classes for sale, but then everything's gonna be, you can get, you can get the everything per person per month. Um, so that is absolutely something that's coming up, I think sooner rather than later. My brother, I, with covid and everything, it, like, everything got weird for me.
Um, I was teaching a JSO class, uh, locally and um, in, in the middle of my JSOC class, I got a notification from an instructor on Thursday that the class he was supposed to teach on Monday, he wouldn't be able to do right or finish by Monday. So I literally wrote the intro to pen testing class over my family vacation on weekend. Um, and then I taught that class on Monday. Um, so I've been really busy with like back to back to back to back classes.
I talked about the, uh, expert witness stuff with you all where I was in, uh, Seattle on that case besides Cleveland blew up. And then I got Covid in the middle of all of this. So, and then I was teaching while I had covid last week. So it's just been really, really, really rough for me. So I haven't been talking with the team in so far as where they're at with some of the things. Um, but I do know that $98 full access to the catalog is coming up, um, here quickly.
Um, but in the short term, we'll probably just throw in the intro to pen testing class for y'all. And like I said, if you don't like it, then don't, don't do it, right? Um, but if your company is looking to try to expand your horizons and get into pen testing as a service, you absolutely should do that because it's literally everything that I've learned, all the mistakes that I've made and the things that worked at starting Black Hills Information Security and how to do it right?
And I fundamentally believe that like, if you look at a lot of MSPs, the size of your customers are not customers that we're going to get. Uh, I talked to an MSP at Right of Boom in, in, uh, Tampa, and they were like, we would like to partner with you so we can do pen testing for our customers where you do it. And we gave them our weekly rate and they were like, oh, hell no. Uh, like, like, you know, they, they, there's no way in hell that, that would work from a financial perspective.
So there's certain size of customers that we're doing at BHIS that we're the smaller customers, we aren't going to do, but it opens up additional business lines for your business, uh, for your employees to do this because, you know, you can try to do things, um, you can try to do things where you're trying to make more money on what you're doing and trying to be more effective at what you're doing. And, uh, no, we're not doing $99 pen test.
And, uh, or we can get you all to the point where you can start doing security assessments for the size of the customer base that you're doing. 'cause right now there's no one in the industry that is really doing not the SMB market, but the S market, um, that's doing security assessment services, uh, for those, for those particular market segments. And this really gets to the Pareto principle of the 80/20 rule on what you all can do.
And you can absolutely provide these services as an upcharge, uh, for your customers. So you guys can do it awesome cyber deception, do it awesome, or you can not. And that's perfectly up to y'all, um, insofar as what, um, uh, what you can do. So, like I said, trying to get that auto play requires coding and requires a certain level of development, um, on our part to get that up. It's not something where I just go in and click a button and or change a CSS and then automatically it happens.
Um, we've gotta go through and create the classes in an Adobe file format, but I can't remember what the name of it is. And then we've gotta re-upload it. So that might take us a little while, but just heads up that if everyone's actually doing this, um, you're going to have, you know, hit the next button to go to the next video. So if you go to one video and it's like CIS and MSPs, well that's one video in a chain of three, um, that ties that together. So just keep that in mind.
Uh, Damien said, ever had the s class approach customer approach you and you wanted an MSP to partner? You could offload that to, um, no. Uh, we haven't ever really had that. Um, most of the time if we have an s that comes to us, it's an s with a lot of money.
So if you're looking at like investment firms, that would probably be the s in our area where they're handling like billions of dollars and they have a very, very small footprint, but they have a ridiculously high security assessment budget. Um, so, and that's just another thing, right? As customers aren't exactly looking for these services, they just don't know that they don't know, right? So, you know, we talk about creating that community and we talk about doing these things.
And we also talked about compliance in the training and how to sell the concept of compliance and letting your customers know this isn't just you trying to get more money. This is absolutely something that they should be doing. And if you look at those compliance requirements, almost every single one of them require external penetration testing services. Now, there was a conflict of interest that I think was interesting.
If you ever get into a situation with conflict of interest, um, we have a customers that were doing SOC services and pen testing, one of the things I would recommend for you all spin up a whole nother company. Um, so like, you know, you could have like BHIS and then, you know, have like a pen testing part of BHIS and one that's doing SOC and set them up as separate corporate entities. And that'll help kind of separate that out a little bit.
You don't want to do with what we've seen with like CrowdStrike where they do MSP sort of work, um, manage security services and they do pen testing and their pen testing team. I've heard, quote unquote, that they aren't allowed to bypass CrowdStrike Falcon, um, because it makes their defense look bad. That's bad, right? You always want to do the best that you can for your customers, um, in that specific spaces as well.
Um, they don't have the funds and yes, they don't know what they actually need until it's too late, right? And that gets into education, right? That's what we're trying to do. And that cyber insurance readiness assessment is a great way to kind of sneak that in. And you don't have to do a full pen test where you're trying to get down into zero days and crap like that.
Um, doing a standard vulnerability assessment with like pen test, like can still be technically a pen test, um, and get them huge value in reducing their attack surface. And it's not something that you have to, you know, put, you know, 80 hours in every single time. Uh, so that as well. So that's pretty good. Most news articles I've come across suggest that the, the s and the m parts of SMB are being targeted more and more than larger organizations lately.
And there's two reasons for that, Damien. Um, first is that they're easy targets, right? That's absolutely true. The second thing is, it's not hitting the news at the, at the, at the level that the Ls get hit, right? So if you get an L that gets compromised all of a sudden, oh my word, that's front page news. Like Uber came out and said, oh, well we got hacked. Ha. Um, that's front page news and that changes the industry, right?
And there's a ton of money to be made in exploiting the Ss and the Ms. Um, which this whole conversation is very bizarre, uh, but it's, you know, seeing how that actually works out, it's pretty huge. But this also goes back to kind of what Andrew and I are trying to do here, right? It isn't an issue necessarily of making money, don't get me wrong. I wanna make money. I, I want to be able to cover what we're doing and I would like to, you know, put my kids through college.
That's absolutely a thing. But if we're going back to kind of the core mission for me personally, and I think for Andrew as well, is you all are the front lines and the more I can equip you with what you need for those front lines, the better we're all going to be. So that pen testing is definitely part of it. And cyber deception is a big part of it as well. Um, which I think is huge. Don't call it a pen test for small businesses.
Such an industry speak, we call them ransomware susceptibility assessment. Absolutely. Call it whatever you want, right? And whatever resonates with your customers is what you should be calling it as well. A thousand students school that got breached with ransomware, which meant parents had to cough up to get the school back online, that never made the news at all. Absolutely. Damien's absolutely a hundred percent correct in the way that we're seeing this stuff play out.
Uh, I hear tons of organizations that are getting breached and it's just not in the news. Um, and it's really terrifying how high that threshold is. I'm seeing companies that have like 5,000, 6,000, 10,000 employees getting compromised completely. And it's nowhere near front page news because the news hype cycle is so desensitized to hacking that something literally has to be, you know, a 50 to a hundred thousand customers or millions and millions and millions, not even millions of records.
It's getting to the point where it's like tens of millions of records in order for it to be picked up on the news. That's not a good trend, right? And that doesn't speak well for a number of things. It, one of the things it doesn't speak well for is your ability to sell this, because I think it allows a lot of the SMBs to think that they're not a target. And that requires you to educate. Um, as well. I think SMBs are also being scared of losing business if it makes the news.
So keep it under wraps. Absolutely. But that also goes into, that's your job. You know, if you're working an incident and you're working a breach, you can make recommendations on what they should be doing. But there's gonna be times where they choose not to. As long as they aren't having you break the law, then you follow their lead.
And the final thing to kind of get across to a lot of businesses is if you get in front of it and you're honest with your customers, a lot of times it's not as bad as these small businesses think. And the reason why is many people are looking at hacks now as like an act of God. It's not an issue of like, well, you got struck by Lightning bill, therefore you deserved it. It's not, that's how we looked at it in the Middle Ages, right?
Like, oh my God, you're sick, therefore you are a bad person and God is punishing you. And um, seriously, that is one of the worst passwords ever. Um, but when you're looking at it, a lot of people are looking at these hacks as acts of God. It's not an issue of, you know, this is, this is, uh, God punishing you. It's just something that's happening, force majeure, um, with it as well. So I had a couple of things that I wanted to cover and keep the questions coming.
Um, I think that that's great. But like I said, my goal is to try to make this the absolute best security training dollars that your companies have ever encountered. Um, and with the full catalog for $98, it's definitely in that Pluralsight category. We're trying to make sure it's absolute top tier talent and people that are doing this. Excuse me. I was told the password fatigue when I enlisted them for two factor, passphrase and LastPass.
Um, they don't, well, I'm glad they at least took a step in the right direction. Um, yeah, password fatigue is bad right up into the point that you get hacked and it's amazing how people get energy at that point. Uh, it's kind of crazy. So I had a couple of stories I wanted to cover, um, with you all. And like I said, keep those, uh, keep those, uh, questions coming. I won't be able to see them as I go to different tabs. I'm gonna do this one last.
Um, so one of the things I wanted to hit was keeping abreast of what is changing in the security industry for your customer base is incredibly important, right? And NIST updating guidance for healthcare cybersecurity. This is a golden opportunity for any of the MSPs that are out there that have the ability to get the ear of their customer and have a meeting to talk about how NIST is changing things, right?
And ultimately, like I said, you don't wanna be selling this stuff from the perspective of you trying to sell a a better pen, right? Wolf of Wall Street, sell me this pen. Um, that's not the way that you want this to come across. You want this to come across and say, NIST's updated guidance for Healthcare Cybersecurity.
We're going to have a forum where we're going to talk about this and you're gonna invite all of your healthcare customers to come to the forum and you can talk about the new rule, how it applies to HIPAA, how it actually applies to security, and then tangentially talking about it from the perspective of how your company can actually help. Um, this is critical, right? This is a great conversation starter that isn't you going in and trying to sell something.
It's you saying, Hey, did you know about the revised draft publication from NIST, uh, for compliance with HIPAA? A lot of your customers won't know, right? You can become that lightning rod for them to know what is the update for the NIST 866, uh, for compliance with the National Institute of Standards and Technology as it relates to HIPAA.
And I recommend not being super technical whenever you sit and you talk to your customer about these things because it just starts to go over their head. Don't try to impress them with your technical prowess, but rather really be that, that guide that can actually make this a lot easier for them to understand how the changes are impacting their organization. Um, so I'm gonna jump back over any questions on that? I think it has, it has ink. I don't know what that means.
On the topic of pen testing. Would something like Prelude not be a good place to start without going on full day and zero day attacks? Or wouldn't it be relevant per se? It absolutely is, per se. Um, uh, it absolutely is relevant. So if you're looking at Prelude, Prelude is an adversarial emulation framework that's free and it also has a commercial level offering.
And what you can do with Prelude or with something like Atomic Red Team is you can run it on your customer's environment for post exploitation. Um, that you can test that post exploitation. And that absolutely is part of the pen testing universe. So if you're looking at pen testing, right? You have vulnerability assessments plus exploitation is pen testing, red teaming is pen testing, assumed compromise assessment is pen testing, lateral movement security assessment is pen testing.
And by the way, all of this is in my class, which you're all getting for free, um, here in a little bit. So absolutely we talk about those things and then we talk about how you can right size it for your customer to do that proper security assessment. That it doesn't have to be super expensive or super complicated. It absolutely could be something that is implemented very quickly, cost effective in your organization as well, uh, for giving it as a service, which is cool.
Um, so yeah, don't think of it as like more work. Think of it as these are business opportunities and I'm inviting you to come to all like, like, like come compete with BHIS, uh, start hitting that me that, uh, that space that Sarah as well. Um, HIPAA Safe Harbor law, absolutely good conversation starters, anything like, it doesn't matter. Like if you're starting this conversation with this is what the government is doing, this is what PCI is doing, this is what ISO is doing. Wow.
That gets people to show up because they know what's going to impact them in the pocketbook. Um, and that's also a primed customer there as well. Alright, so that was the NIST, uh, one, and I'm gonna share that with y'all. Here we go. Um, the next one I wanted to talk about is Microsoft's blocking macros. Um, so it's not that it's really blocking macros per se. Excuse me, I'm sorry. Sorry, I should have hit the cough button.
But this is kind of funny because Microsoft, a couple of months ago stepped up and they were like, um, um, we're blocking macros and then they blocked macros. And if people downloaded things from Azure or SharePoint online, it was basically blocking the macros and saying it was potentially dangerous and Microsoft was having none of that crap.
Um, so they shut it down for a little while and then they came back, um, with a little bit better way of actually identifying whether or not something should be blocked. So specifically when you're talking about blocking macros, they're specifically talking about something called mark of the web. Whenever you download a document or an Excel spreadsheet and it is, um, downloaded through a browser, it puts the mark of the web and it will not allow macros to execute in that particular situation.
Um, and it's right here. It's like, you know, Microsoft Office users who want automatic macro auto blocking rule and don't wanna wait for the rollout, how to set up auto blocking macros in Microsoft Office whenever they're downloaded from the internet. So it basically says this has been disabled and you could enable it in the past, but now if you try to download something, it's like, uh, nah, we're not going to allow this.
It blocks the macros from running because the source of the file is untrusted. Um, and the rollback was specifically because whenever somebody was downloading something from Office or SharePoint online, um, it was throwing this error and uh, they had to roll back. Then they had to try to fix this to where it didn't, um, it didn't stop it from executing as soon as it came from the, um, from the web.
So for us as a pen testing company, we're just finding more creative ways to avoid the mark of the web. The other thing that we're finding out is a lot of our customers, um, are just completely disabling the security feature from Microsoft across their entire environment. 'cause it's so much of a pain in the ass.
And we've already seen it rolled back once, and I don't think it's gonna get rolled back again, but I think that a lot of companies are going to roll it back, uh, just because it makes things difficult for managing. So I want you to think of it like this. See, Microsoft will tell you, well, you can set it up with group policy and have all the users that need to have macros have them enabled. Well, two things about that. One, you're gonna do it one at a time.
If you're an organization of a hundred thousand users, your help desk is about to explode. Um, number two, um, if you decide to go that route, the attackers still have a pretty good idea who's going to have macros enabled, right? Um, if you have somebody in your environment that is working in accounting, well, you can bet the macros are gonna be enabled, uh, for that particular individual in that organization.
So it's still gonna be relatively easy for attackers to identify, um, who actually is behind or who actually more than likely will have macros enabled. So let's go back and see if there's any questions here as well. Um, uh, Prelude just looked like an easier on-ramp going full OSEP. Um, yeah, and you're right. Oh, now remember, Prelude is for like assumed compromise assessment.
That is not a full penetration test, but it's one of the aspects of a penetration test, not the mark of the web, the devil is presence. Um, so it's almost like canary or token is being embedded when it comes in the web. Absolutely. Um, and you can actually like remove it. And for some of our pen tests when it was enabled, we were literally giving instructions in the email how to remove that so it would open and then they would follow it.
Um, going for the accounts, going for HR, um, absolutely right. That's exactly, uh, what we do. And remember, our job as a pen testing firm, we're not here to fight fair. Like that's what we're absolutely trying to do. One day Microsoft will pass all online docs through SentinelOne pre-download and then just own the security world. One, they're not gonna send it through SentinelOne. Defender, um, Defender more than likely is what they're doing. Um, but you're right.
And they're already heading that way, right? With, uh, Sentinel, uh, Microsoft Sentinel and, uh, with, uh, with Defender. Like seriously, that is a, that is an ungodly combination. And Microsoft's like artificial intelligence, backend machine learning for categorizing good execution versus bad execution has billions of systems that are feeding it. Um, so you're not, you're right, they're just gonna own the security world once and for all and God help us all.
Uh, when that actually happens, maybe then, maybe then finally, finally people will start using Bing. All right? Some new Windows 11, um, additions, um, being added of late. I haven't seen a lot of Windows 11, uh, deployments yet. Uh, actually none so far, so fingers crossed, maybe it will be better, but yeah, that, that whole defender thing, yeah, that's, that's, that's not a joke that's coming.
Um, we have customers that are like, seriously, should we be spending all this money for really expensive EDRs? Or should we just do Defender? And that's not to say Defender and Sentinel and, uh, and E5 is like, like not cheap, it's expensive, right? Um, but it's getting into some serious questions about why have a third party whenever a lot of this stuff is baked in as well. That'll be their upsell, uh, by Windows 11.
Actually, it's funny that you mentioned that because I remember they were saying that, uh, with Windows XP SP2, whenever they enabled data execution prevention and address space layout randomization, and then also with, uh, uh, randomized canaries before the return pointer. Um, and I also remember that years ago before all of that with the Microsoft Get Secure, Stay Secure initiative, um, way back in like 2003 or '04, I can't remember exactly.
Um, so Microsoft has been trying to push that, but it's amazing how Microsoft will come up with something amazing and then find a way to shoot themselves in the foot and make it so it's just unusable. Uh, from a UI perspective, it's like, you know, like it's, it's like AppLocker. This is amazing. Well, yeah, whatever.
Um, uh, MSAV, uh, and DOS 6, oh, good memories, good memories, got nostalgic whenever I had covid. Using Defender Application Guard internally a few months, and it's pretty slick opening untrusted Office docs in virtual sandboxes, right? Um, and ultimately what they're trying to do is get all of this stuff to as much as they can, uh, in the cloud as far as macros.
Also, remember with macros, they're starting to move away from VBA and they're getting, uh, uh, JavaScript macros, which totally is not gonna be a problem at all. Uh, but if we start running, uh, like JavaScript based macros, oh my God, um, it's, it's gonna be bad, right? Uh, oh yeah. The 1200 malware samples, I remember that.
Uh, and we saw that same thing used, um, I think it was Cylance with their impossible demonstration where they sent like, you know, it was like 1500 malware specimens. Look, it caught 'em all. It's like, of course it did. Um, so it's amazing what, what kind of counts as impressive, um, Atlassian, uh, reveals critical flaws in almost everything it makes and touches, um, which is bad.
Um, and I, I do like the fact that they said they have not exhaustively enumerated all potential consequences. Uh, that's just bad, right? So Confluence, Bitbucket, Bamboo, Fisheye, Crucible, and Jira. Um, and it's amazing to me how quickly other vendors that are competing with Atlassian are like, oh my God, look, they're horribly incompetent. Um, your day is coming. Uh, anytime you, you have something like this that happens.
So I'm just using this as a heads up. Uh, so be very careful if you use these products. I haven't seen MSPs using Atlassian as much, um, uh, as much in the MSP space as I have in other spaces. Uh, Google pulls malware-infested apps from its store, over 3 million users at risk. So, um, so the whole point of this one is to kind of talk to you about where we are moving, um, at BHIS.
So one of the things that we've realized is, um, that this whole fight for the endpoint is honestly getting to the point where the endpoint is getting more and more difficult, um, more and more difficult for us as pen testers to get access to the endpoint. And that's good, right? I mean, it's bad for me, it's bad for our company, you know, for my testers, but it's good we're finally starting to see some improvement in the way that endpoints are actually working to protect themselves.
Um, so while we're getting to the point where endpoints are getting harder and harder to get on, somebody was mentioning SentinelOne, we talked about Defender, talk about CrowdStrike, talk about Cylance, Carbon Black, all of these products are getting really hard, not necessarily to bypass for initial exploitation. Um, we still can get access to a lot of these products relatively easily for initial exploitation.
That's still not that hard, but that post exploitation, lateral movement and privilege escalation is way difficult, right? So we pat ourselves on the back. Good job. Us. Um, finally, vendors are getting to the point where they do that. And what's happening now is the entire space, the entire game is changing to where the endpoint or the, the, the browser is the new battlefield and mobile apps are the new battlefield. And there's a couple of problems with this as it relates to us.
The first problem as it relates to us is many of y'all don't have visibility into mobile devices. Um, some of you do. Absolutely. Um, but at the exact same time, it's a huge blind spot and it's a blind spot for us as pen testers because many times we're not allowed to do exploitation of, um, mobile devices because they're owned by individuals. Um, so I'm just saying this as, you know, keep an eye on it. This is a space that's going to get worse, um, before it gets better.
And I honestly don't know where the end game is going to be right now. My fear is the end game is gonna be, we only know about these things when Google and Apple tell us it's a thing that we should be concerned about. Um, and we have very little root level control of these devices, so it makes doing any type of security on them, uh, difficult. Now, that being said, um, this is a piece of malware that we saw, um, I wanna say it was last week, um, in one of our customers.
And this really concerned us, um, when we first saw and really concerned us for two separate reasons. One, our security operations center was like, oh, holy crap, this is a problem. Because what it's actually doing is it's chrome loader and it's literally creating browser plugins that hook into your browser and all of the access goes into the browser itself. Alright? Now, this is a big deal and I wanna share this with you all.
And one of the reasons why it's an absolute big deal is for a couple of reasons. One, um, we noticed that on the malware that we encountered in our SOC, um, all of the command and control was going to Google AdSense, which is bad, like real bad. And the reason why that's, yeah, Derek nailed it. The reason why that's real bad is a lot of the firewalls that are out there completely ignore anything that's going to Google AdSense.
Um, and I haven't been able to take apart the TCP stream yet. Ethan is working on that right now. I've been busy, you know, and like not dying. Um, but we're currently taking apart. We have the Zeek traffic, we're looking at the Zeek traffic and working through it, but excuse me, um, that's bad. And this is kind of the next evolution of the malware that was using Gmail as its command and control. We talked about GCat in some of the classes, in some of our previous sessions.
We talked about malware that's using Google Mail. Um, but the one that we encountered, it was absolutely using AdSense. Um, we were able to detect it, uh, specifically because, um, AC-Hunter and, uh, RITA, once again, it's a plug I guess. Um, but we were able to detect it because with our EDR, their EDR did not have visibility into their plugins on their browser. And most of the EDRs that you're working with do not have the ability to detect whenever something is loaded into the browser.
So specifically how, um, it was eventually detected is right now most of the vendors, let me zoom out on this just a hair a little bit. What they're focusing on is this part of the deployment, um, either a DMG or an ISO or an AHK file generates an executable, and then creating a scheduled task, which generates a PowerShell script and then it loads in this Chrome extension. Um, the thing I want you to know is all of this is variable.
You can actually convince users to download directly their Chrome extension and install the Chrome extension without going through an executable. Okay? Um, and once you're in that Chrome, uh, instance, it gives you access to everything that Chrome has access to. Um, and one of my favorite things to share with everybody is, um, as an example, is Grammarly. Grammarly is, like, it's a keystroke logger, folks.
Um, it's literally recording absolutely everything that you type, everything that you have in an email, everything that you're putting in passwords, all of that is going up to the Grammarly servers. Um, and they're getting access to it and they're checking your grammar. So you should use this as an example of what exactly it is that attackers can get access to.
Um, if they have the ability to actually plug in, uh, create a plugin that is installed in your browser, um, which is crazy. Keylogger, don't use Chrome. Trust me, it's all Chrome. It's all Chrome all the way down. Um, right now I'm using Microsoft Edge, that's Chrome. Um, so if you're looking at like Microsoft or Chrome, you could go Firefox, right? That's completely there.
But remember Firefox has plugins too, um, and you can absolutely set it up so it can identify what the browser is based on the, the user agent string and give them the right plugin, uh, to install. And when we do this in spear phishing attacks, you go to a website and the website looks all garbled and horrible. And it's like, in order to view this website, you have to install our plugin or we'll do something like Forcepoint.
In order to access the internet, you have to install the Forcepoint plugin. Okay? Um, so the browser is the new endpoint, the browser is the new battlespace. And right now we don't have a lot of visibility in this as well. Um, in their defense, they don't log secure fields like passwords. They're very transparent about their data usage. I don't trust them. And they're doing that. Derek, remember, they're doing that willingly, but they're making the decision not to do that.
They absolutely have the ability to do that as well. Um, recommend Brave. Yeah, I use Brave for my own personal stuff. Um, Brave Browser. Would something like ThreatLocker prevent this? No, it's not gonna be looking at your browser plugins. Um, as of right now, I don't know of any goods. Well, you can query it, right? Um, you can query the browser plugins and you can do that through group policy.
Um, but that's a really, really difficult thing and it's not an issue of just changing your browser. Um, 'cause honestly, plugins can be installed in any browser that's out there as well. Oh no. The Contact us page on our website isn't working. Zine website is down as well. Um, okay. Um, let me, it's time for me to contact people and ask. All right. Shooting it off. That's Not working. All right. Shot it off. There we go. All right, there we go. Uh, Okay, what do we got?
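The detection the presenter describes, beacon analysis over Zeek connection logs that does not care how reputable the destination looks, as an added example: this is not the presenter's code and not RITA or AC-Hunter, the conn.log lines are constructed, and the jitter threshold and minimum connection count are assumed cutoffs.

```python
"""Beacon-regularity check over Zeek conn.log records.

Added example, not the presenter's code and not RITA or AC-Hunter. It shows
the idea behind that kind of detection: score every (source, destination)
pair by how regular its connection intervals are, and never skip a pair just
because the destination looks reputable. The log content is constructed.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

Record = Tuple[float, str, str]          # (ts, id.orig_h, id.resp_h)
Score = Tuple[int, float, float]         # (connections, median gap s, jitter ratio)


def _line(*cols) -> str:
    return "\t".join(str(c) for c in cols)


# Constructed Zeek conn.log excerpt. Zeek writes a '#fields' header naming the
# columns, so the parser below reads column names from it instead of assuming
# positions. Host 10.0.0.5 checks in with 203.0.113.10 about every 60 s;
# 10.0.0.7 browses 198.51.100.20 irregularly; 10.0.0.9 connects only twice.
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09",
     _line("#fields", "ts", "uid", "id.orig_h", "id.orig_p",
           "id.resp_h", "id.resp_p", "proto")]
    + [_line(ts, f"CBeacon{i}", "10.0.0.5", 50000 + i, "203.0.113.10", 443, "tcp")
       for i, ts in enumerate([1000, 1060, 1119, 1181, 1240, 1301, 1360, 1420])]
    + [_line(ts, f"CBrowse{i}", "10.0.0.7", 51000 + i, "198.51.100.20", 443, "tcp")
       for i, ts in enumerate([1005, 1007, 1130, 1135, 1400, 1402, 1950])]
    + [_line(ts, f"CRare{i}", "10.0.0.9", 52000 + i, "192.0.2.30", 443, "tcp")
       for i, ts in enumerate([1010, 1500])]
)


def parse_conn_log(text: str) -> List[Record]:
    """Return (ts, orig_h, resp_h) for each data line of a Zeek conn.log."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other header lines and blanks
        else:
            row = dict(zip(fields, line.split("\t")))
            records.append((float(row["ts"]), row["id.orig_h"], row["id.resp_h"]))
    return records


def score_pairs(records: List[Record], min_conns: int = 5) -> Dict[Tuple[str, str], Score]:
    """Score each source/destination pair by the regularity of its timing.

    jitter ratio = median absolute deviation of the gaps / median gap, so a
    beacon with a fixed sleep scores near 0 and human browsing scores near 1.
    Pairs with fewer than min_conns connections are skipped (an assumed cutoff).
    """
    by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    scores: Dict[Tuple[str, str], Score] = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        mad = median([abs(g - med) for g in gaps])
        scores[pair] = (len(stamps), med, mad / med)
    return scores


def flag_beacons(scores: Dict[Tuple[str, str], Score],
                 max_jitter: float = 0.1) -> List[Tuple[str, str]]:
    """Pairs whose timing is regular enough to deserve an analyst's look."""
    return sorted(p for p, (_, _, jitter) in scores.items() if jitter <= max_jitter)


if __name__ == "__main__":
    result = score_pairs(parse_conn_log(SAMPLE_CONN_LOG))
    for (src, dst), (n, med, jitter) in sorted(result.items()):
        print(f"{src} -> {dst}: {n} conns, median gap {med:.0f}s, jitter {jitter:.3f}")
    print("flagged:", flag_beacons(result))
```

On a real deployment the same scoring would run over the full conn.log, and a pair that scores low should be investigated even when the destination is an allow-listed advertising or mail service.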
Um, all right, so what other questions do you have? I kind of went through all the stuff that I wanted to, like, to leave the last 15 minutes. Um, like I said, we've got some really good stuff coming for the MSP class and ultimately it's all about arming and equipping you all. Um, the best that I can, and also remember a lot of this is just, you know, I am not, you know, I'm not from the MSP space, right?
You know, if I seem a little bit disjointed, like I don't talk the lingo or, you know, it doesn't quite mesh with your view of the universe, um, that's fine. Um, that's absolutely fine. Um, is there a ask question section? I see that. Ask a question. Oh, there we go. Well email. We sign up whenever the new content is uploaded. It sure will. Absolutely. Anybody that's already subscribed, anytime we add new content, you'll get an update on that.
Are there any legal requirements for SIEM logging retention periods for HIPAA? Um, not off the top of my head. I don't know what the actual periods are for log, uh, retention and how long it should be. What top configuration changes beside patching would you recommend for companies just getting started with a security program? Oh, good one. Um, so patching's off the table. Um, let's go ahead and let's hit, um, like you go to the interest security class, it has 10, but you wanted me to pick five.
Um, so I'm going to say in addition to patching, I'm gonna say strong password policy and two-factor authentication. Um, that would be one and two, if you just have a customer that's just passwords only, user IDs and passwords, they're gonna get hacked. It's just, they just are. Uh, so two factor absolutely everywhere. Um, and then of course you have patching, which we've taken off the table. Um, next I would definitely look at things like AppLocker with directory-based, uh, policies.
Um, EDR, like a good EDR, some people had mentioned SentinelOne, that's, that's great. Um, looking at those types of things. And then a UEBA program, um, would be the big ones that I'd look at. It feels like a lot of the tools used in the labs are more or less on-prem solutions. Are there tools to configure those for multi-tenant? Um, unfortunately with a lot of the stuff that we're doing, I can't run commercial tools just for licensing reasons.
Um, even though a lot of the vendors are like, yes, absolutely buy a multi-thousand dollar license for every single one of your students, um, which is not going to happen. Um, so a lot of these are very much on-prem, but if you're looking at things like AppLocker, that's group policy, uh, you can push that out via group policy to your customers, right? You just gotta get access to the domain controllers, um, and then setting that up as well.
Um, you know, uh, you know, so a lot of it can be pushed through policy, I would say, especially for two-factor authentication and things like those. Blocking JavaScript in the browser? Don't do it. Um, you can, you absolutely can. Um, so the name of the tool that'll do that is called RequestPolicy and allows you to block JavaScript. The problem with blocking JavaScript is pretty much the entire internet breaks for you.
Um, sure you're secure, but you know, anything that you're running in the cloud, you're done. Um, you need to have JavaScript. So it's not really the trouble or the hassle of trying to shut that down all the way across. Now you can with some of your, um, like your, uh, proxies, excuse me, um, with some of your, um, with some of your proxies that you're running, uh, for egress traffic proxies, I don't want to die. I am trying not to.
Um, you can actually shut it down there and say that certain sites, it's allowed. Um, but you're getting into the point where that's a lot of management and overhead, um, to set it down there as well. Do you have any advice for securing RMM tools like ConnectWise Automate, or do you know of a vendor RMM tool for MSPs? So I'm not gonna say that any one of them is more secure or less secure than the other ones.
I will tell you that we're right now, Andrea and I are having conversations with two of them. They wanna establish some type of bug bounty program, um, that is in play to basically open up their product to the security community and also their customers to bring in security vulnerabilities.
I'm not gonna say who they are, uh, but I will tell you that there are conversations that are now coming into play where a lot of these RMM tools, they want to be looked at as the security leaders in their space, and they realize they're gonna have to open up the kimono and they're gonna have to allow some scrutiny to come in. And there's some reticence about that, right? That's, that's scary, right?
You're afraid that if you open it up, all of a sudden you get hit by 95 vulnerabilities, that's gonna look bad, I think, from a press perspective. But I also believe that in the long run, they win. Um, so it's this constant fight between security and marketing and how they want to do that.
So as far as actually securing them, one of the things I would recommend is always go back to like, if we're gonna pop one of you all, we're gonna pop you through your password policies, getting into those tools, uh, and that's gonna be done through a password spray. Um, or it's gonna be hit through a spear phishing attack, or we're gonna intercept your user ID and password. So make sure that you have that two-factor authentication enabled. That's one of the best things that you can do.
And that's true for your customers as well. Uninstall, I'm just kidding. We watch the watcher with other tools, Huntress and ThreatLocker. Oh, what do we got at a small healthcare client? About 200 users run Carbon Black. Awesome. It's great. But it takes dedication. It does, but it does pay off, right? It's a lot of work. And agree with Derek, when challenged, rarely do end users have true justification for install of apps. That's true. Um, but that's, that's also a political fight, right?
For your information for other MSPs, if you're not working with Huntress, they've launched a neighborhood watch program, they're offering NFR, uh, for MSP regardless of if you're a customer, which I think is just awesome. Um, you know, one of the things I don't, I don't wanna say that it's, you know, something I'm trying to avoid, but I'm realizing that if I say something good about a vendor, um, other vendors get mad and they're like, why don't you say good things about us?
And I'm just gonna tell you Huntress is awesome. Um, I really like the, I really like their style. Um, Ninja also is pretty cool. I love working with the Ninja folks. I did, uh, one of their presentations at, and it might just be because they bought me off with a really cool little figurine they printed of me. Um, everybody has their price, mine's pretty low. But I like Huntress's style. Um, I love what John Hammond is doing, um, for the community, and that's just cool. I love the community.
Um, keep going, making a list. No, I'm done there. I'm done there. There's, there's, it's, it's weird. The MSP space seems to be a lot better than the security space for like internal petty squabbles. I mean, you all have them and the vendors have them, but it's nothing like the ms like the, sorry, like, like the security vendor space, uh, vendors, they come straight at you. They come straight for blood.
Uh, and I've literally had vendors threaten to sue me because they said something bad about their product. Um, and I'm just basically like, bring it at that point. Um, so it's gotten better. It's gotten better. Maybe it's just been better for me. I don't know. Um, but it, I like, I like how a lot of the vendors, they sit and have conversations with each other. And I think that's because there's a lot of like, commonality.
Um, like a lot of the people that are at like Perch came from other vendors and they've worked with each other in the past as well. Uh, FNI face didn't work in here, but better on Reddit. Yeah, it does work better on Reddit. Uh, so I spent too much time on Reddit. I need to do better. So. All right. What other questions do you all have for me? Um, like I said, I've got some more good stuff coming up. Um, we have some other, other things that are gonna be coming up for y'all.
Uh, like I said, coming up with a $98 a month thing, which I know is just stupid cheap. Um, but, uh, it's just, it's just something I, I look at the space, it's where we've gotta go. I'm not worried about this webinar. I'm in the middle of teaching a class right now, a pen testing class, uh, for a big 10 consulting firm. Uh, so I'm teaching their whole pen testing company how I do business, which is weird for me because they're like a billion dollar company. And, uh, here I am teaching them.
Uh, so it's been a long day. Also, my internet went down, uh, last week. Uh, look, talking to you guys 'cause you guys experienced this last week. BHIS's internet at one of our offices out of Rapid got hit. The fiber link got hit in two separate locations on the same day, two separate cities, completely unrelated, two separate digs nailed the fiber optics, uh, the same fiber optics line. And then for me, yesterday at my home, uh, they had a boring machine.
Not at my house, but, um, like in Sioux City, Iowa, where they were boring underneath a road. And the fiber line, they, the bore went lengthwise across the fiber conduit, um, and tore the entire fiber conduit out. So I'm still waiting for my connect, that's why I'm at my office, um, in Spearfish. So this is, uh, this is where, where I hang out, it's actually just like a flat, where we have like a kitchen and a bathroom there, and then like here. So this is where I work.
Whenever I come down to Spearfish, I don't come down here all that much, um, anymore. And it's funny, Josh, you mentioned, uh, you mentioned Starlink. Um, here, I, I gotta show you this. I gotta show you this, so just gimme a second. Um, where is it? So this hit, this hit yesterday, and I'm not kidding. I literally went and ordered a Starlink satellite dish as backup. Um, and it's shipped already.
So like I set up and I ordered it yesterday and I just got notification, um, that it's shipped today. I got the FedEx tracking number. And Josh, the reason why is because I live out in the middle of nowhere in South Dakota. So they're not oversubscribing any of their, uh, any of their connections here. And then also with that, um, I have an ex-employee who's a very good friend of mine that works there as well. There are a few automated pen test companies popping up.
Is that something we're getting into? Hell no. Um, we're not getting into the, uh, pen test, puppy mill, industrial complex. Automated pen testing is snake oil. Stay the hell away from it. Um, and that could be a whole nother conversation that we have later on that we can get into. But no automated pen testing is not a thing. It'll never be a thing. Um, you need a human to kind of understand the context. And that could be my, my, what is it?
Um, you know, moment fighting the automated, you know, digger going through the mountain. Um, but that's okay. I'll die on that mountain and I'll die underneath it. Um, but AI, machine learning, Damian, um, good one. All right, so with that, everybody, I need to jump back to my training. I just wanna say thank you and like I said, be on lookout for updates. And I think, um, here in August, uh, we're blowing this out. Uh, the price is gonna go up $10 a month. Not for you all.
Your price stays where you're at because you guys were awesome. Um, but Andrew and I are gonna start blowing it out to the rest of the MSP space. Um, and like I said, the value is just we're, if we can make it better, let me know. Um, if we can make it better. That's what we're trying to do. All right. Thanks for the feedback, everybody, and I'll see you at the next session.