A Dynamic Digital Risk Protection Strategy is an MSP Essential
In this video, CEO Kevin Lancaster discusses digital risk protection and strategies for identity protection for MSPs and MSSPs. The conversation covers the importance of establishing a baseline maturity model for security in the SMB and mid-market sectors, highlighting how understanding and aptitude vary across organizations. The video emphasizes the need for multifactor authentication, password management, and constant monitoring for compromises to protect both MSPs and their customers.
- The webinar focused on the importance of cybersecurity for MSPs and MSSPs, emphasizing the need for a baseline maturity model to enhance security practices.
- Kevin Lancaster discusses the role of ID Agent and Kaseya in improving cybersecurity measures and the importance of multifactor authentication and password management.
- The discussion highlights the evolution of cyber threats and the necessity for organizations to adopt a comprehensive digital risk protection framework.
Video Transcript
All right, day three. And, uh, really excited to have, uh, CEO Kevin Lancaster of ID Agent with us for, uh, a session on Dynamic Digital. I real, really about protecting your identity, right, Kevin, for MSPs and MSSPs and what they might be able to do about it. But, uh, I don't wanna spoil your thunder. Um, little quick agenda.
I'm gonna let you, you know, for those who don't know you, and I think probably most do let you do a quick introduction, a little highlight of the session, then I'm gonna have Ahmed just briefly tell us who the winners have been so far for the Capture the Flag event. We'll turn it back over to you and we'll get right on into it. But Kevin, the floor's yours right now, and, and again, thanks for joining us. Yeah, I'll just, uh, do brief introduction.
So my name's Kevin Lancaster and I founded, uh, ID Agent five years ago, something like that. Um, and I think maybe we've spoken on a couple of the sessions, uh, to your audience. But, uh, and we founded, uh, ID Agent kind of with this, this concept of creating a baseline maturity model, uh, uh, when it comes to security for, uh, the MSP market and call it the MME market, the, the small business marketplace, right?
Because, you know, when we, uh, first got, got, uh, going, um, as we spun ID Agent out of the, uh, consulting firm that we were running, uh, we were very much targeting enterprise, uh, organizations. And they understand, they understood, they understand the severity of, of, of cyber threats.
Uh, but as we look downstream, we saw that, um, you get into the, uh, the mid-market, SMB, the it, the channel, uh, space MSP space, there's, there's, uh, you know, varying degrees of, of understanding and, and aptitude.
And so, um, we entered the marketplace really just to establish that baseline show people tangible data that's out there that, you know, that shows that they have been compromised or they have the propensity or, or likelihood they'll be compromised because of their email addresses and passwords are out there. And that, you know, really started a, a pretty interesting, um, I think, you know, evolution revolution in this, uh, in this space.
And it's been really fantastic to watch the maturity, uh, um, of MSPs over the last couple of years. Uh, 'cause they've had the ability to articulate, uh, you know, really how bad it is out there to their customers. And so, my role today, uh, as we were acquired by Kaseya about 18 months ago, my role is to broaden our portfolio, uh, increase this maturity model through, uh, uh, enhancing capabilities and then, uh, acquiring, uh, solutions.
Uh, and so you'll see a lot, you hear me talk a lot about this maturity concept and, and, um, not just, you know, for your customers, right? But for MSPs as well, right? Um, as, as they're starting to mature their knowledge and, and, uh, experience in the, uh, security space. So that, that's a little bit about me. Well, we appreciate you coming on, Kevin.
And, uh, you know, and to, to your point about emails getting exposed, I was talking to you and Ahmed offline, and for those of you out there, if you visit my LinkedIn or if you, um, or join the Cyber Nation, it's just what it says, the Cyber nation.com. It's a community for MSPs and MSSPs to, to share and collaborate, are all around different cybersecurity topics. Um, uh, yeah, just this morning, a database with only 350 million emails were sitting on a publicly facing, uh, basically S3 bucket that, uh, and the, I guess the good news is you can use it as an MSP, kind of as a public service announcement, if you will, to your, um, prospects and customers.
There is an email checker, so you can kind of maybe craft a little email together and, you know, send 'em the article or her the article, send 'em the email checker, give them recommendations to change their password.
If they don't have MFA, Hey, might be a great way to now talk about MFA with them. So, anyway, I digress. But I thought it was just interesting that you brought up email addresses. 'cause obviously blown away when I read this one. Darn leaky buckets. It's the, it don't get you every time. Yes. Um, so Ahmed, um, thanks for joining us. Few things real quick. Number one, appreciate you, uh, sponsoring the Capture the Flag competition that's been going on throughout this event.
Today is the final day. And boy, I mean, it has been a brutal competition, Kevin, by the way. Thank you for allowing Duncan, who I know is in the audience, Duncan Miller, who's been phenomenal collaborating with us. It's really been a joint effort of ID Agent, Huntress and the Perch team to build a really good CTF. Um, no one even finished yesterday, but, uh, I'll let Amed tell you momentarily about the winners thus far.
Amed also because ever since we launched the Cyber Con, which was an event in April, um, they have just taken off. And I'm very happy. 'cause number one, he is a great person and they're a great company. Um, they have a protect your house offer for MSPs at no cost. And one of the things he wanted to do, he's like, Andrew, I'd like to, 'cause, you know, they always get a lot of signups, is pro, you know, have a promotion.
If someone, you know, onboards themselves and on, you know, whoever onboards a customer or two, whoever has the most aggregate, you know, I'm gonna give a prize of $500. Um, a lot of people have emailed him saying, Hey, I wanna do it. I'm knee deep in the capture of the flag, or I'm knee deep in something this week. Would you extend it? So I put a poll out, just let us know what your thoughts are, should we extend it a week. Uh, with that, Amit, just, and, and Kevin, good news for you.
There's no one right behind you. So if we bleed a little over, uh, the floor is yours, Amit. Um, why don't you share a little bit about, uh, who the winners have been thus far and, uh, what they've won. So, yeah. Yeah. Uh, okay. Andrew, uh, first of all, thank you. It's a great event. I enjoy being here. It's our pleasure to, to, um, sponsor this. Um, so today's winners, or yesterday winners are the CNWR team led by Jason. So, uh, great job for you guys.
Um, second day in a row because they're the winners of the first day also. Um, um, so yeah, you're doing great things there, over there. And, um, looking forward to this day Yeah. With you. Very much so. Jason, by the way, um, he, he, he messaged me offline. This is Jason Slagel, for those of you that are competing. You know, he was like, you know, he, he's like, next time I'm not gonna compete. Um, he's like, I want everybody to, to win. You know, he's, he's formidable in this area.
And, uh, um, so, uh, that's good. But the good news is everybody's learning and growing from it. So, Ahmed, thanks again for the sponsorship. I'm gonna move you over to the audience. Thank You guys. Thank you guys. Pleasure Seeing you. And we'll see you back tomorrow. Oh, not here tomorrow, but tomorrow on that final piece. So thanks again. Yeah. Alright. Bye bye. Alright, Kevin, why don't you share out your screen. We'll make sure you're all set up. Take the floor.
Um, by the way, everybody out there, um, I'll watch, I'll watch chat, but if you could, um, oh, you'll compete, but take, won't take prizes. Okay. Alright. The, um, okay. So Kevin, that looks great. As soon as you put it in the display, you know, uh, slideshow. And then if you guys out there have questions, could I ask that you pop in into ask a question? Ideally, I'll, like I said, I'll monitor chat, but ideally, if you could, it's a lot easier for me to monitor the ask a question thing.
Um, Kevin, do you want me to pop in now and then, or save the questions to the end? Totally up to you. No, pop in, please. Please. Okay. Yeah. Um, we like, I like the conversational style, um, you know, uh, uh, you know, yeah. Presentations or interactions. So yeah, you'll see that, uh, my, uh, my, my PowerPoint or my, uh, design skills are, are limited. I apologize. Uh, they mainly consist of stick figures, but, uh, I think I, I update a, a little bit here on this one.
So, uh, so, uh, we'll jump right in. Alright, Well, the floor is yours. I'm gonna turn off my camera, but I will keep an eye out for anything. And you, when my camera comes back on, that'll give you an indication that I got some stuff for you. Okay. Good day. Yeah. Alright. Alright. So you can see my screen. What, what I'm gonna talk through today is, is this concept and, and actually Gartner's, uh, created a, a category classification called digital risk protection.
And it's pretty broad, but, you know, I try to, I try to try to look at digital risk protection through this lens of a, you know, like a framework or maturity model, uh, for, for MSPs. And it's some basic concepts in here.
And, and as I mentioned, um, you know, my role, uh, within Kaseya as I, as I lead up the security, uh, solutions, uh, is to build progressively upon, uh, our existing technologies and, and acquire organ technologies to, to, to really build out a, a more robust, uh, security platform, right? So we'll kind of touch on, um, this, this progression kind of this, uh, pinwheel or like lifecycle, if you will, for, um, for looking at security. So bottom line is, right, we are all in this together, right?
There's, there's been his, this historical, you know, you know, we're in one of 2, 3, 4 different camps when it comes to, uh, RMMs and PSAs and stuff like that. But, you know, if you look at most vendors, right? Or, or, sorry, most MSPs, uh, IT organizations, you know, they, they have solutions from multiple, you know, vendors upwards of 10, 12, 15 vendors. And so the reality today is that everyone is, is, is, is really in this, in this fight together, right?
Uh, so we all have to do our part and, um, and, you know, providing solutions, you know, uh, to help, to help channel, to help our partners protect themselves and protect their customers downstream, right? So here, this gets into my wonderful, uh, my wonderful, uh, uh, uh, PowerPoint, uh, animations or, or, uh, you know, development here. But, so if you look at it, right?
I mean, this is, this is what's going on today, and we'll touch on some, some, some of the issues and what we're seeing with Secret Service, FBI, US-CERT, what have you. But, you know, out here on the left, you've got the vendors, you know, you've got, uh, now organized, uh, groups trying to, to break the chain, right? Between the vendor and you the partner. Uh, if they can break the chain, if they can insert Mr.
Yuck here, and you have a, a solid chain down to your customers, they can insert Mr. Yuck, you know, all throughout the customer, the customer base, right? And that's why you're seeing, you know, advanced, persistent, targeted threats, uh, toward the MSP space, right? We'd seen it.
Going back to, so the work I'd done back in, in '13, '14, um, you know, through, uh, our work with government programs and, and what have you, is we'd, we'd see this, it was, it was semi-organized, but today it, it is far more organized. And I wanna give a, a couple props, right? 'cause, you know, Perch, you know, of our partners in this, in, in this, uh, event, they're doing a, a fantastic job of getting out there and, and, you know, protecting infrastructure, right?
Protecting MSP infrastructure, uh, which is, you know, obviously a very, very important thing. Uh, so, you know, monitoring, we're talking about multifactor, just some of the basic things that we really all need to do as an organization or as industry to, to protect, uh, our own so we can better protect our, our customers. Gotta give props to, uh, our, our friends over at Perch, and we gotta give props, obviously, to Kyle.
Um, normally when we do some of these, uh, events, he's, you know, uh, outdoing everybody with his, uh, his, you know, animations and, and really slick, uh, presentations. So definitely gets the coolest dude, uh, award, but, no, in all honesty, Huntress as well.
Uh, you know, you know, really, you know, last couple of years emerging onto the scene and, and creating, you know, taking, again, if you think about it as a maturity model, taking, um, some of the, the basic concepts that we started with two years ago, layering on and, and just doing a bang up job and supporting MSPs and the channel. So you have to get props to, uh, our, our partners in, in crime across the, uh, well, not crime, but partners in, uh, I guess helping industry, uh, as well.
So, uh, little you, you know, shout outs here, but so what we're talking about, right, is, is we're seeing this, you guys are seeing this throughout. Um, you know, the news, you're, you know, some of you may have been impacted by this, but you're seeing the comp, compromise one, compromise many, kinda the one to many ratio.
And again, going back to 13, 14, 15, it was relatively organized, but still at that point it was well-funded organizations and, and really nation states that were antagonizing each other and, and, you know, leading up to, you know, government breaches, OPM, what have you, right? Um, the tools, the, the tricks of the trade have been, you know, somewhat commercialized.
We've talked about that on a number of, of, uh, of sessions where you go out to Tor, you got the dark web markets, and you can, you know, rent a hacker for an hour. You can, you can, you know, buy exploit as a service. Um, so these tools and, and tips and tricks have been, you know, really commercialized.
And you're seeing that, and this is one of the reasons why this is propagating so fast across this industry, is that, you know, the tools are readily available to go out there and do, do damage, right? You've got the tools, you've also got data, right? And we're finding data on individuals in a number of different ways, right? You've got third party data breaches up here in the left hand side of this, you know, this, this pie.
Uh, so the stuff that's out there on Tor, the deep web, dark web, what have you, um, out on some surface forums, uh, where they're dumping data. Uh, you've got surface, uh, web, um, public record sites. Uh, we'll show a link in this or some next slide. We'll show some, some stuff here.
But, uh, you've got consumer business websites out there that are aggregating data and publishing data, and then you got us as individuals posting all kinds of stuff about little Johnny's, you know, soccer team and, and stuff that can be used, exploited, uh, an individual. And this, this is what happens, right? You know, we have out there public records.
So, you know, it's not hard to find out somebody's, you know, you know, date of birth, uh, who they're married to, arrest records, court records, uh, criminal records, known associates. I mean, there this data is, is out there, right? On the right hand side, you know, this, this, uh, top right circle, as I mentioned, there's a lot of vol data that we're volunteering out there. Um, you know, to be used against individuals, uh, we're willingly posting a lot of data.
And then, as I mentioned, you've got broker data sites. So I always, you know, with some of these talks, I always, uh, like to tell people, you know, at the end of it, go out to, uh, Spokeo or Intelius or, you know, some of those sites and do a quick search on yourself, and you'll be blown away in most cases. Um, how well structured all of this unstructured data has become, right?
The ability to, uh, you know, search for a person's name, find out known associates, relatives, living or non-living previous, you know, email addresses, phone numbers. I mean, the data's out there and it's, and it's pretty, you know, pretty, you know, staggering how much, uh, data's out there and how easy it is to actually correlate this data and, and use it for exploit. So this is just kind of a sample what's going on. You know, what, what we're now seeing, right?
Is this, this matured, right? We're seeing advanced persistent threats. We're seeing organized groups going after MSPs. Again, if you go back to one of those slides, it's the one to many, right? And it's consistent.
It's, you know, it's persistent, it's advanced, it's targeted. Uh, was having a conversation with a gentleman from, uh, Secret Service yesterday, um, and he said that in their estimate, esti, estimation, there are, you know, really two to 300 very, very well organized, uh, groups or individuals, uh, very capable individuals that are, are causing about 99% of the damage right now, particularly as it relates to the IT or the MSP space, right?
So we think about, you know, the individual in their bedroom with the hoodie or, you know, or, you know, kind of the rogue, uh, you know, employee, what have you, and that's out there, right? But you know, they've, they've kind of pegged about two to 300 really, really well organized, uh, groups or individuals, uh, that are being very, very successful with their targeted attacks.
And so, um, so that's, uh, it's really some interesting, uh, data that we are actually, uh, to grab from Secret Service, uh, yesterday. So, uh, a little bit more to come on that. But, you know, minimum, like I said, we all have to do our, our part. Um, and so just bare, you know, basics, bare bone basics, right? Multi-factor on our, on our RMMs, you know, with, with, um, within Kaseya, we have a platform called Passly, uh, which I now, uh, own, uh, internally.
Uh, but, you know, adding in multifactor to your RMMs is just, that's just one of those, you know, basic, you know, housekeeping items that, that, that have to be done these days. Um, with the Dark Web, uh, ID partners, uh, of ours, they get 10 free licenses to Passly to use that to authenticate into our platform and to BullPhish.
And so, uh, we allow them to use it for our platforms, and then it allows the MSPs to, to better protect themselves, uh, obviously, um, by using, you know, multi-factor password management, single sign-on eliminating passwords where, where they can, uh, so this is, again, one of these things that, you know, us as vendors, we have to do that and, and, and help, you know, better support, uh, our, our partners, uh, and their customers, right?
So I'll get into the digital, digital risk, uh, protection, um, um, model here. Um, I can't see if there's, uh, any, any questions in this view. So just, uh, you know, chime in and let me know. Um, but, um, so hopping forward, right? Nothing so far, Kevin, I'm keeping an eye on it for you. Good, good, good. Alright. So the, the concept, right, is, you know, this is a, a framework that we've created, right? It's, it's, you know, for an MSP and their customer, right?
It's making sure that the right people are tested and trained, securely accessing the right cloud, uh, applications and machines, right? They have the right privileges, and they're constantly monitored for, for compromise. And this, this is kinda the basic framework from here, and this just happens to be grouping some of the products that we, that we work with. But from here, you can extrapolate, you know, all the, or add in, you know, all the different layers of security on top of this.
But at, at the basic, you know, kinda most fundamental level, right? This is what we're, we're all trying to do, right? Making sure that our customers have, you know, they have access, they understand how bad it is, you know, we're doing security awareness training, we're testing, um, you know, they, they are accessing the right applications, they're on the right machines.
Um, we're constantly, you know, monitoring to make sure that there, there are things like, you know, the, the leaky bucket today that has 350 million, you know, email address and, and passwords, these combo buckets. Uh, so I'll jump right into this, right? So the right people, like, for example, with Passly, right? You know, we're saying you should be using a multifactor platform, you know, and this is hard for a lot of your less sophisticated customers, right?
It, it's multifactor in general is seen as a, it's friction, right? It's something that I gotta use this to log into that. Um, but, you know, everybody is, is pretty accustomed to that when they're logging into their banking, logging into, you know, Facebook platforms, LinkedIn, uh, what have you. So we are seeing, uh, uh, an accelerated adoption rate because people understand that this is something that, that has to translate into their, their business lives, right?
So it, this is all about making sure you have the right people tying into active directory, making sure they have the right, uh, groupings and privileges. And in minimum, starting, you know, with, uh, with multifactor, eliminating passwords where you can with single sign-on and, and, and, uh, and using password vaults, uh, when they have to absolutely use, uh, passwords, right? With our dark web tool, right? You know, this is, you know, part of the, you know, you know, the right people, right?
Was demonstrating, as I mentioned earlier, part of this maturity model is going in and showing that, you know, this data's out there and you have to understand that it's out there and it can be used against you. Uh, and it is being used against you. So not just your customers, but obviously with, with MSPs as well, right? The, the, you know, an epidemic of, uh, you know, credential stuffing, credential, you know, third party credential compromise using, you used to access, uh, MSP, uh, systems.
It's still, you know, we've been talking about this five, six years now, you know, uh, ever since we were, you know, I was involved with the, uh, the OPM breach response, it's still just, it's perplexing that we're still having to have this conversation five, six years, you know, later, seven years on now, I think from Target, right?
Um, but you know, you have to demonstrate, you have to show these people that this is, you know, this is one of the ways that you start with that security messaging to get your customers understand that, you know, you have to take this more serious, right? Next step is testing and training. Um, is, you know, they have to understand, um, what, you know, what an attack looks like.
You know, what a, an email, they may look harmless, they may look, you know, like a one-to-one replica of your O365, uh, you know, login. Uh, they have to understand that, you know, this is the way of the world. They understand that, uh, they have to hover over links.
They, you know, if they have any, you know, any doubt whatsoever about clicking on a, a link or responding to an email opening or downloading, you know, that they, they have cause for pause, then they probably should, should pause, right? And so with our, our, um, BullPhish platform, right? We're doing security awareness training, testing, uh, library templates, you know, different types of ways to, to go in and, and, and train organizations and provide that feedback loop that's scoring.
Uh, and so it's kind of that next step in this model, right? Uh, next step, and we've talked about multifactor and single sign-on, but is, is securely accessing, right? So are you using multifactor on, on your, on every application that you can use, you know, the, uh, you know, multifactor, right? We standardize on, on OpenID, um, that allows, you know, for other authenticators into our platforms.
Um, but, you know, again, we provide Passly with, uh, our Dark Web, uh, and BullPhish platforms. But, um, again, minimum, it's, it's secure, uh, access. Um, it, you know, and it's, it's one of those things, right? Where the fundamentals, the basics eliminate 90% of the, the issues. And that's really where we've been focused, right? Um, next step is, is, you know, making sure they're accessing the right cloud applications and machines, right?
And this, this, you know, you'll see the, you know, throughout this general theme, right? So you're whitelisting applications through launchpad, you know, you're adding applications to the libraries, you know, enforcing, you know, it, it, it giving them only, or giving customers or even internal, um, you know, employees, you know, access to specific, uh, applications, um, uh, to be, to be able to, to be used to single sign on into, and just, you know, eliminating passwords altogether.
So it's secure access, uh, and, you know, kind of taking that next step. It's the right machines, right? So making sure you're adding, you know, through policy and, and, um, you know, through O365, uh, you're, you're allowing people to authenticate to the right machines. There's, you know, abilities to use, geolocation, restrict, you know, time-based logins, those types of things. Those, those, those are the new minimums that, um, particularly in this dis, distributed environment.
Those are the new minimums that, uh, we should be doing with our partners, our customers, um, is, is, is making sure they understand that this is, this is the new norm. I'm sorry I said it. Um, but, uh, it is the new norm, right? Um, the right privileges, then that kind of goes back to, uh, configuration and, and grouping and, and policy, and, and making sure that, you know, people have access to only what they need to have access to and, and nothing more, right?
That's, uh, one of the big, uh, you know, big challenges, right? With lateral movement, you see an initial exploit, um, of, uh, somebody that has elevated privileges, um, oftentimes that that individual shouldn't have had elevated privileges, but if they have, you know, that that provides, you know, at times very, you know, unfettered access to, to, you know, move laterally, elevate, you know, additional privileges and, uh, exploit further.
And so this, this kind of, that one to many is just really, you know, it's, it's some of the, the basic cyber hygiene that, uh, we all need to be doing here. Uh, we all need to be doing our part and then can constantly monitor for compromise, right? And this is where we started, right?
We started at, you know, showing that there is a need showing that, uh, they, you know, uh, individuals, organizations need to be thinking about, um, uh, their password hygiene, and we need to be showing them anytime we have an alert, whether it's a, a current password or a derivation of a current password, or even a former password that you used five or six years ago, those things are still threats.
I mean, time and time again, we see, we have conversations with, with organizations or individuals that I haven't used that password in four years, right? But now you gotta start thinking about, well, where else did you use that password four years ago, right? And so we'll see a lot of that as a blind spot where, you know, they may have had access to another organization's QuickBooks, right? And, you know, who knows if that, that, uh, login had been deactivated.
They, we see this time and time again with Salesforce, Salesforce, uh, you know, or, you know, individuals that have been in an organization, right? This is not necessarily in, in the purview of, of most MSPs, but, you know, somebody had left an organization, they may have, um, haven't turned off their, their Salesforce license, right? And that oftentimes has, you know, all of the customer data.
Uh, and then that's more, you know, at times it could be insider threat or, or could be, you know, malicious, you know, disgruntled former employee. But oftentimes it's it's individuals, uh, that are, are, that are password stuffing, and they're, they're, you know, scripting and, and getting into these systems. And, and it's all because, you know, there's so many damn logins for everybody to remember, right?
So we have to constantly monitor for, uh, compromises throughout our, our organizations and the customers that we, that we support. Uh, flip through, I got a couple more thing, slides, you know, again, looking for passwords, looking for PII, um, and then, you know, for us it's about really demonstrating, you know, why you need to be doing this. You know, demonstrating value back to your, you know, your customers.
We'll see, uh, in, in enhanced reporting here, which is great, um, uh, with a, uh, uh, a push that we'll have in about, I guess about 10 days, we'll see a pretty significant uplift to, to our platforms and reporting and, uh, pulling in, uh, interesting surface data and, um, and, um, and breach descriptions. So see a lot of really interesting things forthcoming. We have, uh, uh, acquisitions that we'll be announcing here in about 10 days at our customer conference.
Uh, so we're trying to do our part, as I mentioned to, again, you start with the baseline, you know, start with this concept. It's digital risk protection, uh, concept, uh, that, uh, whether you're a partner of ours or not, I mean, it's something that you can take to your, uh, customers and really start to get them to understand and the buy-in why you, they need to be upping their game with security.
Uh, and so using this as a baseline, and then, you know, uh, getting into more advanced security solutions, you know, with, uh, with organizations like Perch and, and Huntress. And so that's, that's about it as far as, uh, the slides that I had or, or really kind of the, the presentation. But, um, you know, this is something that we've spent a lot of time, you know, um, you know, modeling out to make sure that we had the right group of solutions.
And, and at minimum is, is my, my role, um, is, is a lot of its focus on education is, is bringing, you know, these, again, these concepts, which might be basic to, you know, quite a few, uh, of the folks here, uh, on, on the call. But, um, oftentimes, you know, these, these are very basic, no-brainer, you know, topics. Um, but it's hard for us to articulate these things, uh, in basic terms to our customers, so they understand really why they need to do it.
And so that's, that's a lot of where we're focused from an education standpoint. Uh, and so with that, I think that's, that's all I got here with, uh, slides. I'm gonna, I'll stop sharing my, my screen here and see, uh, see, uh, how, how well I did or how bad I did. Let's see. No, you're fine, You're fine. Um, you know, uh, by the way, um, Kevin, we have, uh, six, six windows now on Crowdcast.
So, you know, if, uh, I, I was wondering if number one, if I could bring up Duncan and you guys, I think people would like to, to know, um, you know, kind of what it's like, you know, in terms of, you know, I get your report each week in term, and I think that's, it's great that you guys do that and send out, you know, what's been compromised. But maybe if you could, Hey, Duncan, thanks for joining us.
He's, uh, uh, one of the senior, uh, researcher, analyst, if you will, Duncan, I know you have a, an amazing, yeah. Basically close enough, Very strong security background. But you know, what, what's, what are some things that, you know, number one, that people should know that you're doing, you know, on a day in and day out basis at ID Agent, in terms of how do you do the research?
And then number two, you know, again, I'll, I, I'm gonna plead some ignorance here, but, you know, I was reading today, for example, earlier this morning, I posted something on the, the Cyber Nation about Tor. And, and, you know, people, you know, I think are starting to, you know, oh, what's Tor like? And, you know, I'll gravitate in there and see some stuff.
And now, you know, there's exploits on the exit of Tor that have been, uh, are, are, you know, so, so anyway, maybe you could share a little bit about what's a day in life and how do you, if you're interested in understanding what the dark web is, man, you, you're, you're playing with fire. It almost seems like as you exit back into the regular internet, Uh, you can be, uh, I mean, it's, um, I, I actually try to avoid scaring people too much with dark web stuff.
Um, but I mean, you do kind of need to know what you're doing a little bit, or at least know how, how it all works. Um, one thing actually, uh, is that Tor itself is not necessarily the dark web. Um, there's a lot of different, uh, what we call dark nets. Mm-Hmm. That all together kind of form the dark web, uh, one of which is Tor Hidden Services is probably the largest portion of it, and what most people are thinking of when they say the dark web.
But there's also like I2P, Freenet, ZeroNet, a whole bunch of different ones. Um, a significant portion of my day, honestly, is just kind of checking them all out, seeing what's going on. Um, I mentioned during Kevin's talk when he was talking about rolling out MFA and, uh, customers getting a little resistant towards it, that actually one of the largest dark web marketplaces, Empire Market rolled that out to protect their customers from getting phished a few months back.
Um, and their customers lost their minds. They were so mad about MFA getting rolled out. Um, yeah, so honestly, um, if you're interested in getting into dark web stuff, um, it's really easy, uh, if you start with Tor Hidden Services, um, there's an onion browser, um, that you can download and it sort of, um, warns you if you are doing something that's, uh, insecure or a way that you could lose your privacy.
Um, you know, I think a lot of people associate the dark web with, um, criminal activities and, and that's fair. There's a lot of it on there. Um, but I mean, I'd also point out that it's actually, uh, done a lot for, uh, people in more like oppressive government regimes. It's helped them kind of hide their communications, or it's helped reporters hide their sources and under situations like that. So there's definitely a positive aspects to it as well. Yeah.
Um, sorry, I lost my train of thought. Yeah, No, but it's interesting, and, and Kevin, I'll let you chime in here too, but like, I, like I said again, uh, question away from ignorance.
'cause I don't know the dark web, but, uh, but like I said, when I was, I read this thing on the SANS, uh, you know, SANS does their morning podcast and it was saying something like 70%, and again, this I'll, I'll air to you guys, but it was, there was this vulnera basically putting out a vulnerability alert that 70% of exits were basically, there was code, if you will, attached to the exit. And then as you entered back on the regular internet, you were being tracked.
And I dunno if, if you've heard of that at all, but, Um, that specific instance, no, there's a thing that people have been talking about a lot where if you can, um, ba basically you can, uh, take away someone's privacy that they gain from Tor using timing analysis. Basically, you watch as packets come in and you watch as packets come out, and you can kind of correlate them. I mean, another way that people lose, uh, privacy on Tor really easily is, uh, by logging into stuff.
'cause that's not gonna give you anything. Um, though Tor Hidden Services, what they do to kind of protect against that is they take the entire server and bring it inside of the Tor network. So there isn't really an exit node. Now, obviously, if you sit on that server, there's stuff you can do, but because of the way it's, um, its encryption and hopping works, um, if you're sitting on one end, you don't necessarily know, I don't know of any way really to get back the, uh, the original sender.
Okay. Um, but actually one thing, uh, a major exploit that's going on on Tor Hidden Services right now is because of the way that their, uh, communication system works, basically, you can request, um, that the server starts a conversation with you.
Um, and that's that way both sides can talk without actually knowing who the other one is, um, because of a flaw in that there's a, a denial of service attack that's been going on for a really long time on Tor Hidden Services where people just keep sending messages, requesting that the servers start talking to them, but then they never talk back, and it's actually causing massive, uh, stability problems on the entire network. Oh, Wow. Interesting.
Kevin, you're, Yeah, I know it, it's, it's one of these things, um, where we, we try not to say, Hey, go out and, and, and, and download a browser or, you know, on your browser and, and, and start surfing, right? Because to Duncan's point, um, you wanna, you wanna protect your privacy, you know, particularly with, with some of these, you know, sites and, and the ability to track back as you're exiting or what have you.
But, uh, so a lot of it is, is taking care front, setting up VPNs, anonymizing, you know, who you are. Uh, this is all relative to what your purpose is, I guess, um, you know, for going out on right on Tor. But you, over the years, we haven't been, you know, big fans of saying, Hey, go out there and just start searching, right? Because, you know, it is, it, it, it was created.
Well, you know, it's been used for the past, you know, 10, 15 years, what have you, uh, to Duncan's point to, you know, in ways that, uh, allow people to communicate, uh, externally, you know, across governments cross borders and, and, um, and been very effective. But, um, it, it oftentimes it's, it's hard to protect privacy, you know, if depending on how you're setting up your browser and, and what your environment is like.
Uh, and so, um, yeah, so that, that's where you wanna be, wanna be careful. So try not to be, you know, a glowing reference or endorsing, you know, go out there and start, you know, looking for this market because, you know, it, it may be cheaper to buy, uh, prescription drugs in, in Canada. I don't know. I mean, but, uh, but, um, but yeah, it, it's, um, gotta be careful. Just gotta be careful from jump.
Well, and one caveat I would add is to, what I said also is that people have definitely been fired from their jobs for going on Tor on like their work machines, so Oh, Okay. They think you're, you're the things you do through before you do 'em. Yeah, yeah. Yeah. That's a really good point. Yeah. Any questions out there? Um, you know, look, we got some of the brightest and best here. Like Kevin, uh, you know, his team ran the OPM breach, which was what, four and a half million US records? Yeah.
Government records. Yeah. The, there were, there were two exploits. Um, there was the, the current and former government employees at the time, right, of about 4.2 million people. Uh, and then there was the, the second, uh, incident, um, that, uh, both have been, um, I guess credited back to, uh, Chinese government.
But, um, that second, uh, population dealt with SF 86, um, files, um, you know, so folks that were, had a clearance or had applied for a, and, you know, on those forms, they put down individuals as references. And so that was, you know, they're both damaging, right? Because the first OPM incident, you know, they extracted the entire, you know, for a, a lot of, uh, individuals, they extracted the entire work history medical records in some cases of current and former employees.
But then with that second exploit, which was 18 ish million people, I think, um, you know, that, that, that had had your known associates. And so again, this is, this is what's, you know, kind of with the, some of the slides I had mentioned earlier, right? This is something that this has been going on from a, a nation state standpoint for forever, right? Mm-Hmm. Um, finding out, you know, who associates are.
And so before it was, was online, it was, you know, offline, it was, uh, Enigma machines and, and what have you, right? But, um, you know, today it, it's, we've almost lost our, I don't know, desire, not desire, but, you know, we've, we've almost just given up on privacy to be quite honest, right? Because again, you know, if you, you, those, those three circles, that one slide with three circles, right? You've got gov, uh, data the government publishes, right?
Um, you know, and you've got data that, uh, is harvested by, you know, these big data brokers, uh, and published, right? And then you've got the data that we're putting out there, you know, as part of our everyday lives, right? Uh, and so, so that's where there's almost like that, you know, the, the sense of privacy or the concept of privacy is almost gone.
I mean, yeah, you know, if you can take big data from, you know, government sites that show mortgage information and that show, you know, everything from marriage, like I said, death certificates, you can, you can, you know, pull data out of these, these platforms like Intelli, Spokeo, True People Search, People Finder, all these sites, and then you can combine it with, um, you know, all those little nuggets that you leave out there in social media.
You know, it, it, it doesn't take much to, to exploit individuals. And you can combine that with, you know, you know, compromise email from, you know, six months ago, a year ago, five years ago, even if that password doesn't match, right? Again, that's the, that's the kind of alarming thing about some of these sites, right? They still show you what street you grew up on or, or previous addresses, right?
And so when you're, you're registering for a lot of these, you know, the, these applications, right? They're saying, all right, well set a password reminder and what street did you grow up on and what's your favorite team and what's your favorite, you know, restaurant and where you wanna, you know, where's your favorite place to vacation it? It's not hard, you know, Duncan can probably even elaborate on this.
It's not hard to, to pick out anybody and, and basically create a, a profile on somebody and ex, you know, and, and an exploit dossier, if you will. Um, you know, with just by using Google, I mean, quite honestly, Yeah.
It's, it's really not too, I mean, especially with the, the way that most people, I, I mean, you're right, Kevin, that I, I think we're, um, we're, we've kinda given up on privacy, but I think it's largely because I don't think for the most part, people understand what they're putting out there, you know? Yeah.
You, you just, I mean, and I do it too, you just hit accept on the, like, privacy stuff that pops up and I'll think about like, the data that they have available and it really doesn't take a whole lot of PII to, to put it together and get someone, you know, and, and it's actually something we run into a lot with ID Agent, right? We'll, we'll pull in compromises and it'll have people's PII and they won't think it's important.
And it's like, okay, well you don't think it's important that this person has your address? Will you give me your address? Like, Yeah, it's really interesting. Are, are there any, um, concerns that, you know, a lot of these, you know, you know, sites now that their authentication is with a social media thing, like a, a Twitter or a LinkedIn? Um, I, I'm sorry, I didn't mean to cut you off. I actually think that's a good thing you do.
Um, yeah, I mean, so listen, I, I generally am against single point of failure situations, but if what we've seen with breaches like Adobe's or ones that happened even more recently, um, I don't think it's a great idea necessarily to trust a whole bunch of different people with, um, with, uh, credential security. Um, because oftentimes they really don't know what they're doing.
We're, we're seeing, we're seeing breaches that come out 2019, 2018, where they're just using single-pass unsalted MD5 to hash passwords. Like I'd rather, I mean, probably not Facebook as Facebook's, uh, requirements are kind of silly, but like, I'd much rather trust like my Google password, uh, being used instead of trusting that company with my stuff. Oh, interesting. Okay. Really good perspective, Duncan. That's really cool. Um, oh, good. We have a, let's see, we have a question here.
So let's see what we got client. Um, okay, so client question, they get, they get hit hit, they, they get hits on the dark, dark web scan on a semi regular basis. Um, Kevin, and their question is, is it worth telling people to keep changing their passwords because the user seems to think it's a waste of time if they're going to keep showing up and being forced to change. Have you ever had a, a client come to you with that con concern?
All the time, but I actually, I, I'd let, uh, Duncan, you wanna, you wanna take that one? Because I, I have a pretty standard answer, but I, I'd Be happy to, I'm actually trying to parse the question. So my understanding of that question is that, uh, the, the client is having their passwords show up semi-regularly. And the question I, is the, is the password well different each time or is it just the same password is showing up constantly? Let me see if Ben, it's from Ben.
Let me see if he will come on. Which, come on. Let's see if Ben will come on. We also have another question here. Let me, uh, Ben, just let me know in chat if you would, uh, we'd love, we'd love to bring you up and kind of talk about that. 'cause that's, that's a great question, especially if your clients are asking, it means other clients are asking. So I'm sure other MSPs out here wanna know. Um, Ed's asking, well, while I wait for, um, Ben and Ben, no prob no worries.
If not, maybe if, if you don't wanna come up, just kind of clarify, um, Ben webcam, um, webcam isn't gonna co cooperate. No worries. Um, so, um, what, what, how can we try and decipher the question? I'm gonna put the, can you see the question by the way, Duncan? Yeah. In the, in the question section? Yeah, I can see It. Okay. So maybe let, let's start with one p Ed, I'll get to you next, but go ahead and ask the first part and then we'll have Ben maybe decipher via chat what he means.
So if you could ask away I am sorry, say again? Yeah, if you could just ask again, sorry. Oh, yeah. So, so Ben, to be clear, are you saying that the person's password, like the same password keeps popping up? Or is it like they changed their password, the new password that they've changed it to keeps popping up? 'cause those are two different situations. Um, I saw Jason said that it sounds like an active reset. I mean, that's only one explanation. I think there are other explanations.
Uh, this person could just keep getting Phish, for example. Uh, I've seen it happen. Uh, my mother, for example, uh, keeps getting locked out of her Netflix 'cause she keeps getting her Netflix account phished. I'm not laughing at her 'cause I can, I am through it. Yeah.
You know, look, this is one of those things where even NIST came out, what was it two years ago, uh, updated their, their stance on passwords and password rotation and you know, how often you should enforce changing passwords and, and, um, my, my general sense of this is, or my general, my thoughts is that it's royal pain in the ass. But, you know, categorize people, right? One, there, one, there's, there's gonna be an individual that will use a unique password across everything they log into.
And, and that is preferred, right? Just as long as they're not storing it on, you know, their desktop and notepad or, or Excel or something like that. 'cause that's obviously, you know, that's like, uh, individual a, you know, one A, right? Um, second individual uses the same or derivation of the same across everything they log into. So, you know, just making it that much easier, right?
Then there's, there, there are others that you think, ah, well this is a throwaway site and so I don't care if that gets compromised because it only has, you know, doesn't have my credit card information, so what do I care, right? Um, but those are often the sites that you know, because, you know, maybe the value of the data isn't as, you know, much as it would be to log, you know, exploit your bank, right?
Uh, those are the ones, often the, the organizations or the sites that have, you know, you know, lesser encryption protocols or they're, they're not, uh, they're not as strong as, as as a bank obviously. Um, so the value of the data might not, you know, to you be, you know, you know, might not be highly valuable. But if it's easily exploited and if there's any sense of PII and they can use that to, you know, hop and again, build a profile on you, then, then it's very, you know, valuable.
So I, I don't know, I, I, I still, I encouraging people to, to use, you know, different passwords. I mean, you get into, you know, password complexity and, and length. Um, generally right? The more, uh, the longer, the more complex, uppercase, lowercase, all that stuff, the better. Um, if the site has been compromised and, and it's unencrypted and it's out there in plain text, it doesn't really matter how strong your password is, right?
Um, so in those cases, it's just, it, it's using, you know, different unique passwords across everything or using, you know, password managers or, or, you know, single sign in.
Anything you can do to eliminate passwords is in my view, you know, um, you know, the way to go, uh, multifactor obviously, but, um, yeah, it, it, this, this could, this, this at times can just turn into a game of whack-a-mole, you know, we do, we see it all the time where, uh, an individual has, has been exploited or compromised on third party systems 10 times and nine out of the 10 times the password's just very same. Mm-Hmm. The 10th time.
You know, they might have an exclamation point at the end of it, right? So, um, I don't know. It, it, it's, it, it's hard to change human behavior, but, uh, in general, if you can use unique passwords, um, you know, to me that's, that's the way to go. It's, it's hard. Um, it's annoying because we're all logging into a hundred odd applications, um, between our personal lives and our, our business lives. But, um, you know, it, it's, I dunno. So it looks like, uh, Ben got back to us.
Um, what, uh, what I would say, Ben, if the situation is that they're changing the passwords and those newly changed passwords are showing up, you probably need to take a look at what's going on with that. Also, I agree with what Tim just said about password managers. Um, Ben, if you want, um, you can reach out to your, um, uh, your, uh, your, like, ID Agent rep and, uh, get them and I, I just don't wanna give out my email on a live call.
Um, get, get them in touch with me and I'd be happy to like to talk with you and try and figure out what's going on on your guys' end. I, I thought it's okay to get out your email. Duncan, Hard pass. So Ed's asking, um, question or maybe unrelated, but, uh, oh wait, uh, wait, Ed had another question I could have sworn he asked. Uh, oh, are there plans for live reporting on the portal? I guess he's a client, Kevin, does that make sense what the question is? Live reporting? Yes, there.
Uh, so we actually have a, a pretty, as I mentioned earlier, pretty robust, uh, sprint cycle in, in, um, in reporting, um, enhanced reporting coming over the next, uh, 10 and then next 27 days. So there's, there'll be, uh, quite a, a bit of enhancements, uh, across BullPhish and on the security awareness training side.
So, um, so if you have a, a, a question for me, uh, or we need something more specific, same thing, just, uh, reach out to us and I'll, I'll, uh, I'll try to get somebody to, uh, answer that more specifically for you. Very cool. Um, what else thought we had a, uh, the question may be unrelated, but it has to do with security awareness training portion of BullPhish. Does that make sense to you? That's probably the same thing, yeah. Okay. Yep, yep, yep. Okay.
I'm putting a, I'm, I'm not gonna put my email out there, Duncan, but I'm gonna put a shameless plug for, um, the Cyber Nation doc. Listen, you can do whatever you want with your email. Yeah, yeah. Well thanks. I'm trying to learn from you. Um, you know, uh, we got some of the best, uh, security practitioners out there on the cyber nation now. Um, Kevin, just as you had joined, I switched platforms, so I'll send you a new, new invite. Duncan, I saw you on there. Yes, yes, yes. Okay, great.
So if you have, you know, this is gonna be a place where it's no, there's no sales pitching, there's just like the cyber call we do, it's like come out, there's great, um, you know, MSPs and MSSPs and peers of yours and then great practitioners like Duncan, Kevin, the guys from Huntress, the guys from Perch, um, and there's gals now too. You've got some great, um, pen testers out there and stuff like that. So Ed, are you all your questions?
Uh, yeah, it looks like all your questions are answered. Um, um, Mihir, did you have any specific questions? I saw you putting some stuff out there. Um, let's see. Tim, Tim, Tim. Just seeing if Tim, Okay. Okay, I think we've got everything. Well, we're about a little, if we can end it up a little early here if we wanted to, Kevin, any closing thoughts or any final questions from anybody out there? Appreciate you all staying on the, the final session of the cyber trifecta.
Um, okay, thanks Mihir. Um, and then if you're competing, i.e. the Jason Slagel of the world or anyone else out there, um, and the C-N-C-N-W-R team, um, uh, best of success, best of luck. Thanks for making this, uh, event a lot of fun. Um, in closing on the cyber call, Kevin Monday, and you gotta come back on. You haven't been on in a while. Um, guess who's coming on Monday?
Um, CIS, the Center for Internet Security is wildly, I've been working with them for the past month and they have an initiative to get to SMBs this year, you know, for CIS and, and what's really interesting, this the top I'm sure all I'm gonna assume a lot of, you know, and if you, all the top 20 controls used to be the SANS Top 20 and, um, uh, Ed all Edward, I'll, I'll answer that in a second.
And so, so we're talking because, uh, they were like, well, we're, you know, we wanna start helping the, um, uh, the SMBs and they're, they were gonna come at it in a one by one fashion, kind of like how we tried to get NIST to go. You're not gonna get people to use CSF and an SMB is not going to use CSF. They're like, well, it's for SMBs. I'm like, yeah, well you download that spreadsheet and try and, you know, they, so there's this disconnect, but, so now they're wildly bullish.
They being Center for Internet Security, um, working through MSPs and MSSPs, um, with their, um, uh, CSAT tool, you know, their assessment tool. Mm-Hmm. Where, um, what, what's really interesting, I'll close with this, what they've done, and I was just blown away. So, you know how they have the basic, the foundational and the organizational, they break down the controls. And, and so what they did was, um, this year, um, the lady by the way, who's coming on is the director of controls.
Phyllis Lee, who's in your neck of the woods, by the way. She was at NSA for years and years. Um, what they did was they mapped the controls over to the MITRE, uh, ATT&CK, uh, MITRE ATT&CK. Okay. So basically, check this out, everybody out there. So MITRE ATT&CK looks, you know, obviously at, you know, attack threat vectors and how they come in and, you know, ranks, obviously they have a ranking for the top attacks and things like that.
And so what she's done, and that the team has done this year said, okay, if you're an ms, you're a small business and all you can do is put in some basic security hygiene. Our basic controls, six of our basic controls. Number one, the, the tool turns off all of the tons of controls. It's just, hey, you gotta do this one. Like identification and the identity, you know, software and hardware, and then on and on and on, just the basic ones.
And then by the end, it's like, okay, if you did all these things based on MITRE ATT&CK, you would've prevented 24% of the top attacks. And here they are. If you go to foundational controls, it's like 60 something percent of attacks you would've prevented. And obviously if you put in all it goes up to like high seventies or, or low eighties.
But, um, last but not least, they're going to, um, consider, they have an on-prem version, which is multi-tenant, and they're gonna come on and talk to MSP. So I see, you know, I'm, I'm asking everybody to be there 'cause they want to talk about, you know, I'm telling them, you gotta, if you're do gonna do this, you know, you can, you can download it for free for one per or not download it. It's on the cloud for one corporation.
So the MSPs do it yourself assess, you know, against the CIS controls, but they're willing to look at a monthly multi-tenanted model, monthly pricing for MSPs. Um, so I, it's really interesting, uh, and it's very cool that they're thinking, uh, along those lines and working with us. So anyway, that's my long dissertation in closing. No, that, that's great. 'cause that, that's, uh, that, you know, this why I was on the, on the call yesterday with Secret Service.
We were seeing, you know, industry or, or association organizations and law enforcement really starting to, um, as best they can with their funding, but really starting to ramp up their industry outreach, right?
Um, yeah, they had in past particularly Secret Service, not a lot of people know really, you know, their full mission, but in the past they would be, they'd go to the bigger user conferences and, and try to hit more of enterprise, but that same thing, um, law enforcement, uh, you're seeing them trying to really get down into, uh, SMB and in the IT channel because, you know, they realize they have to, right? Yeah.
Um, I'll still argue that collectively you could put MSPs in this, you know, critical infrastructure category, right? Hands down, hands down. It's staggering when you talk to whether it's NIST or CIS or any of the big agencies, and you know, this, and you start to explain the multiplier effect that everybody, you all out here have. And you know, it's like, you know, you, you know, if you got the MSPs on board, you're literally, you have this massive megaphone. Yeah, yeah.
I mean, think about just the, this, this covid and that, you know, that that three month period of transition, right? I mean, think about how many, hundreds of thousands of, of, of, of very important businesses that MSPs had to help transition doctors offices, law firms, you know, you know, just everything, right? Yeah. Just regular business as well. So yeah, it's, um, I'd put them in their own kind of category of critical infrastructure.
A lot of more variables, obviously, but, um, but yeah, that's, that's good that people are thinking about, uh, this industry and SMB, that, that way, uh, moving forward. So yeah. Good on them. Well, awesome, Duncan, thanks a million for jumping on here. Always. Yeah, no problem. Your perspective, Kevin. Great. Thank you as always, and everybody out there, um, all the best for the rest of the week.
We look forward to, uh, seeing either on the cyber nation, the cyber call, and we, yes, we'll be doing more. By the way, Ed, how often do we do these webinars? Will we do the cyber call every Monday at 1:00 PM And, um, uh, you can, um, yeah. Thank you so much, Kevin, for putting it out there. Yeah. Um, and you can, once you sign up there ke um, uh, Edward, you'll just, you'll automatically get the, the emails and updates. So, so with that, everybody, awesome. Have a great rest of the week.
Take care. Take Care. Thanks.