How Cyber Security Affects Business Valuation with Brandyn Fisher
Have you ever wondered how to secure your company and the value associated with your technology and intellectual property, even if you’re just a small five-man shop? Have you ever thought about the risk associated with your technology? Well, today I had the opportunity to visit with Brandyn Fisher of The Mako Group. The Mako Group is a cyber-security company. And what they do is they test – they go in and try to infiltrate your infrastructure to see just where the chinks in the armor are, because we live in a day and age where data can be stolen and resold on the dark web.
Enjoy my conversation with Brandyn Fisher!
2:15 – Who is Brandyn Fisher?
4:15 – What does penetration testing mean for small business owners?
5:35 – What can someone do by breaching a thermostat?
6:23 – Does a business need to worry about getting hacked if they are 100% cloud based?
7:57 – Is there a checklist of things a business buyer needs to look at to determine the cyber footprint and risk?
8:59 – How often are businesses doing pen testing?
9:55 – What is a penetration test and how do you orchestrate one?
13:36 – Who do you target within the organization? The higher ups or someone else?
14:35 – Do you recommend tools like LastPass to keep your passwords safe?
16:23 – What does a business owner have to do to prevent intellectual property theft?
17:56 – How difficult is it for the average business owner to lock down their IP?
19:55 – How can a business protect themselves if they are using contract workers?
21:19 – So what are the most targeted industries?
25:12 – Are there favorite entry points for hackers into the average small business’ systems?
26:12 – What does a hacker do with your information?
28:43 – What can a business owner do today to make their business more secure and more valuable?
33:48 – What software do you endorse?
36:47 – So what’s the best way that we can connect with you and The Mako Group?
Who is Brandyn Fisher?
I work for a company called The Mako Group. We’re headquartered out of Indianapolis, and we’re a cyber risk and assurance based group. So we do really a few different things: we do risk assessments, IT auditing and then security pentesting. I’ve been with the group for about seven years, and in my time there I’ve done a little bit of everything under the sun. Right now, I manage and focus on managing our security testing team. We have a team of about five individuals on the security team. We perform network and application based assessments for organizations. A lot of organizations do the testing for compliance reasons, but we’re finding a lot of organizations these days are doing it just to bolster their own security and to generally do better. We do the assessments to drive feedback and recommendations to businesses, and try to make those recommendations reasonable and affordable. A lot of businesses think improving security needs to be costly, and we try to dispel that myth and show them that it doesn’t need to be costly, by looking at the people, processes and technology they are using and taking a risk-based approach.
What does penetration testing mean for small business owners?
A lot of people don’t understand what all they have that can pose a risk to the organization. It’s more than just your email server and your website, your blog. People are running things like remote servers, opening up VPN to the network. How are they VPNing? And how are they getting access to those internal resources? There are also firewalls, externally facing web applications that may take sensitive information, personal information that you’re collecting and then storing in a database, that is all externally facing. Those are all attack vectors or points of entry into the network. And that’s what we focus on first, the external perimeter: how can we get into the system? The next step of that, too, is assuming you’ve had a breach or assuming there’s somebody on your network, what can they do once they’re on your internal network? And once we get into the internal network, the endpoints increase dramatically. Now we’re looking at printers, workstations, security cameras, IP phones, a lot of devices, thermostats and TVs and whatever else might be on the network. Once they’ve gotten into that internal network, the attack surface increases dramatically, and we can do a lot more interesting things.
What can someone do by breaching a thermostat?
So with the thermostat, you’re not going to be able to do the same thing. Obviously, unlike with the workstations, you’re not going to be able to get in there and get data off of it. But what we can do is try to get into that thermostat. If it’s controlling something like, say, a data center or data closet, then maybe we can turn the thermostat off or turn it up or do something bad to damage the equipment.
Does a business need to worry about getting hacked if they are 100% cloud based?
So these cloud providers should be issuing reports called a SOC 2 report. And in that report, it will outline the security controls that they have taken to protect your data and your information. The report will also outline the steps that you are required to do as a user. So things like making sure you have a strong password policy in place. That’s not Google’s responsibility. That’ll be the end user’s responsibility to make sure that is deployed correctly throughout the enterprise. So just because you’re using a cloud-based solution doesn’t mean that you’re off the hook completely. There are still things, as an organization, you need to review and consider when deploying those things.
Is there a checklist of things a business buyer needs to look at to determine the cyber footprint and risk?
We actually work with buyers quite frequently when they’re going through the acquisition phase, to kind of evaluate the firm they’re trying to purchase or acquire. A couple of things to consider when we’re looking at this and evaluating an organization: have they done a pen test within the last 12 months? And what were the results of that pen test? So if there’s anything critical within that pen test report, you know, it doesn’t necessarily need to be remediated at this time, but is there at least an action plan in place? Are they taking action?
How often are businesses doing pen testing?
A lot of organizations are required to do it every year. So some of the ones that are maybe under compliance or regulatory requirements are doing it every year. And then we’re finding a lot of firms that don’t have that requirement are still doing them frequently. It may not be every year, maybe every 18 months, but they are still doing them on a pretty frequent and recurring basis.
What is a penetration test and how do you orchestrate one?
So the first step on penetration tests is to identify our rules of engagement. And this is where we’re going to outline what we’re allowed to do, when we’re allowed to do it, and how we’re allowed to do it. Once we have all those rules set and we have the time set on the calendar, we go ahead and start doing our thing. This is all done remotely; we’re trying to simulate a third-party malicious attack on the organization. So from our offices, we will try to attack the provided systems. And externally there’s less, so we can start with that. On an external pen test, what we’re going to try to do first is passive reconnaissance: we’re going to go out there and try to find as much information on the organization as we can without actually touching their systems. There are a couple of tools we primarily rely on for this, things like Shodan or Censys; those tools go out there and do a scan of the internet on a frequent basis. And then we can go out there and search their results and see what we can find on the organization. This allows us to get a footprint without actually touching a system – without showing that we’re preparing for an attack on the system. And these tools are free and accessible to anyone.
The next thing we’re going to look for is exposed passwords, usernames or email addresses that we can find. So we’re going to use LinkedIn first and foremost: we can go out there and start trying to look for people within the organization that maybe we can use for email phishing, or try to reverse engineer some email addresses or usernames. We’re also going to use a tool called weleakinfo.com that is similar to the Have I Been Pwned database. You can go out there and search the weleakinfo website and find clear-text passwords that have maybe been leaked, and other data breaches that are on the dark web, that are out there in a searchable format; we can go out there and search them. And if people are reusing their passwords or haven’t changed them since the last data breach they were involved in and are still using them, we can go out there and try to do some credential spraying or stuffing attacks on the organization.
Who do you target within the organization? The higher ups or someone else?
It kind of depends on where we’re going with the attack. If we’re doing some kind of social engineering attack, I usually look at job titles. I’m trying to find somebody who would likely send out the message I’ve crafted. A lot of the time that’s HR or IT related, so I’m looking for their positions or roles within the company. Other times we are looking for maybe somebody we believe would reuse passwords or share the same password or something like that. And sometimes that is the older generation; sometimes that’s the less technical folks who maybe are working on a manufacturing floor or in an office somewhere and don’t understand all the risks within it.
Do you recommend tools like LastPass to keep your passwords safe?
I am a big fan of tools like LastPass. I use LastPass myself. With any of those tools, however, you still have to make sure you have them configured correctly. You can still put things like multi-factor authentication in place; you can make sure they’re not signed in all the time. Obviously putting all your passwords in one place is still a big risk, but there are ways to mitigate that risk. I think it’s a great tool to make sure users are using unique, strong passwords and not writing them down.
What does a business owner have to do to prevent intellectual property theft?
The first step in locking down any intellectual property is going to be identifying what intellectual property you have and where it lives. A lot of organizations assume that it is on a single server, and that all they need to protect is that server, when in reality your users are transferring it all over the network, maybe getting it onto their desktops or moving it to other places that you’re not aware of. So identifying what the data is and where it lives is the first step in securing that intellectual property. The next step is going to be to create a bubble around that. When I say bubble, I mean all the security controls that you’re applying to protect that data. You only really need to apply them everywhere the data lives and moves; there’s no need to apply them to every workstation within the environment. You can apply them to that select work environment, and then you can save some money and resources there by not applying them everywhere. So once you identify where it lives, you create that bubble, and now you can start applying some controls around that to protect that data.
How difficult is it for the average business owner to lock down their IP?
A lot of organizations equate security to buying a box or buying some kind of software and protecting their environment. What we’d like to do is kind of bring that back to the people, process, and technology. We want to get to the root of everything here: do you have the proper policies in place, and are they being implemented? Doing simple and basic things like setting up proper access controls, making sure you have a strong password policy in place, making sure users have the least privileges needed to do their job. Things like that can make sure that you’re locking down the environment without going out there and spending a ton of money. They’re things that kind of come back to the beginning of security, some basic core principles that still apply today, and they don’t require a ton of money or new tools to actually implement.
How can a business protect themselves if they are using contract workers?
I think this comes back again to the SOC 2 report; those SOC 2 reports are going to tell you exactly what you need to do to protect your data. And within things like Dropbox or Google Drive or whatever cloud sharing service you might be using, you can set permissions, sometimes file-based, sometimes folder-based, but you can set specific permissions on each of those to make sure that the data within them is locked down. And then what can the user do with that? Are users allowed to just read it? Can they download it? Can they send it to somebody? You can set all those individual permissions within that folder to lock it down.
So what are the most targeted industries?
It really depends on how you’re looking at it. I think Financial Services is probably the most targeted based on the cost of the attack and the number of records exposed. Healthcare is also hit a lot with ransomware. And I think these two industries are targeted a lot because they’re under a lot of compliance. And a lot of organizations think compliance equals security. And what we find time and time again is just because you comply with whatever regulatory guidance you’re under, or you’re meeting those regulatory requirements, doesn’t mean that you are actually secure, and you might be missing the mark in some other areas. The regulatory guidelines aren’t always the most direct; they can sometimes be vague on how things should be implemented, and they’re also not always all-encompassing. A lot of the regulatory guidance may not touch on certain things like, maybe, vendor risk management, or tell you exactly how you should set up your password policy. So these organizations may be missing those kinds of things and leave themselves open to potential attacks.
Are there favorite entry points for hackers into the average small business’ systems?
One of my favorite ones to use during our assessments is sometimes UPS, a UPS delivery notification. We’ve also seen an uptick in Office 365, trying to spoof the Office 365 login page. And then since we’re in the midst of this pandemic right now, there’s also been a large, large uptick in coronavirus-related email phishing scams.
What does a hacker do with your information?
When someone infiltrates an organization and tries to steal data, a lot of times it’s just for the street cred, to say, I’ve done it, here’s what I did. You know, some of this information is sold on the dark web or underground websites, and there’s not a ton of value in it. There’s no value in credit card numbers; they’re sold in bunches pretty cheaply. I think the real value for attackers is in trying to steal personally identifiable information and stuff like that: stealing identities and trying to open up credit cards and do things profitably under people’s identities. I think that’s where we’re seeing a lot of the harm coming from, opening up new loans and bank accounts.
What can a business owner do today to make their business more secure and more valuable?
Security doesn’t have to be implemented overnight. When we talk about security, this is more of a marathon than a sprint, and it’s important to remember that you’re not going to do it overnight. The first step is always going to be to select a control framework, whether that’s the NIST Cybersecurity Framework or the Center for Internet Security Top 20. These frameworks tell you exactly, here’s what you need to do to bolster the security of the organization. So after you’ve selected your framework, then you need to perform a risk assessment and map your internal controls back to that framework to see what you are doing well within the organization and what are some areas you can improve on. Third-party organizations can do this, or you can do this internally as a self-assessment. It’s important to get an idea of where you are internally before you start implementing all these controls.
I can tell you the three big areas that we look at in every organization right away. The first is perimeter security: do you have the correct perimeter security devices in place? Do you have a firewall in place? Do you have antivirus in place, those things that will hopefully help to keep out some of the threat actors? The other thing we’re going to look at is how’s your patching? How are you doing your operating system patching? Are you missing critical patches? Are you pushing those out on a regular basis? And then beyond the operating system patching, how are you patching things like Adobe, or Java, or iTunes, those other applications that might not be included in your patch management program? And then the final thing we usually look at is surrounding access controls. And that can be: how is your password policy? Are you using multi-factor authentication? And then what user-level permissions are there? Are users local administrators on the network, or do they follow the principle of least privilege, where they have as little access as necessary to do their jobs?
What software do you endorse?
One tool I have heard of recently is a tool called Prizza; that’s a great tool for vendor risk management for organizations who need to evaluate the risk their vendors may be posing to their organization. So that’s a pretty cool tool we’ve seen a little bit when working with some of our clients, and that we’ve liked.
So what’s the best way that we can connect with you and The Mako Group?
The best way to connect with myself would be on LinkedIn. If you’re looking to connect with The Mako Group, visit our website at Makogroup.com. Also, we’re pretty active on LinkedIn there as well.
Connect with Brandyn:
Website: The Mako Group
LinkedIn: The Mako Group
Brandyn on LinkedIn: Brandyn Fisher