May 25, 2020

EP 48: How Cyber Security Affects Business Valuation with Brandyn Fisher

Have you ever wondered how to secure your company and the value associated with technology, and intellectual property even if you're just a small five-man shop? Have you ever thought about the risk associated with your technology? Well, today I had the opportunity to visit with Brandyn Fisher of The Mako Group. The Mako Group is a cybersecurity type company. And what they do is they test - they go in and try to infiltrate your infrastructure to see just where the chinks in the armor are because we live in a day and age where data can be stolen and resold on the dark web.

 

Enjoy my conversation with Brandyn Fisher!

************

For past guests, please visit: https://www.defendersofbusinessvalue.com/dbv-podcast/

Sign up for the Legacy Exit newsletter here

For show notes, go to: https://www.defendersofbusinessvalue.com/e050/

 

Follow Ed:

Connect on LinkedIn: https://www.linkedin.com/in/edmysogland/

Twitter: twitter.com/edmyso

Instagram: instagram.com/defendersofbusinessvalue

Facebook: facebook.com/bvdefenders



Transcript

Ed Mysogland  1:13  
I'm your host, Ed Mysogland. I teach business owners how to build value and identify and remove risks in their business so that one day they can sell their business at maximum value when they want, how they want, and to whom they want. I'm so excited to welcome Brandyn Fisher from The Mako Group. I was at an event at Butler University and I got to talking to Brandyn about, you know, just different things about technology and how it detracts from value. So I asked him if he would be willing to come and talk to us about, you know, the things that detract as well as improve the value of a business as it relates to technology and security. So Brandyn, welcome to the show.

Brandyn Fisher  1:51  
Thanks for having me. I'm excited to be here.

Ed Mysogland  1:52  
So if you don't mind, can you give just kind of a high level overview of you and the Mako group, I know that you're doing an awful lot in this space. And I think our audience would really appreciate just kind of understanding what it is you guys do?

Brandyn Fisher  2:07  
Absolutely. I work for a company called The Mako Group. We're headquartered out of Indianapolis, and we're a cyber risk and assurance based group. So we do really a few different things. We do risk assessments, IT auditing, and then security pentesting. I've been with The Mako Group for about seven years. And in my time there, I've done a little bit of everything under the sun there at The Mako Group. Right now I managed to focus on managing our security testing team. We have a team of about five individuals on the security team. We perform network and application based assessments for organizations. A lot of organizations do the testing for compliance reasons. But we're finding a lot of organizations these days are doing it just to bolster their own security and to generally do better. We do these assessments to drive feedback and recommendations to businesses and try to make their recommendations reasonable, affordable. A lot of the places think improving security needs to be costly. And we try to dispel that myth and show them that it doesn't need to be costly by looking at the people, processes and technology and taking a risk based approach.

Ed Mysogland  3:09  
So when you talk about penetration, and the funny thing is, so when I bring this up to small business owners about as far as their technology, what do they have? What are they what are they looking? What do they need to secure? You know, the first thing is, we have a website and we have email. The funny thing is when we're talking about Newsletter Lists and things like that, those are all assets and need to be locked down. So to the business owner, that's that has no clue that this is even a risk in their business. I mean, talk about the penetration testing that you're doing and what that means to small business owners.

Brandyn Fisher  3:43  
Yeah, I think you're absolutely right there. A lot of people don't understand what all they have that can pose a risk to the organization. It's more than just your email server and your website, your blog. People are running things like remote services, open VPN to the network. How are they VPNing? And how are they getting access to those internal resources? There's also firewalls or externally facing web applications that maybe take sensitive information, personal information that you're collecting and then storing in a database, that is all externally facing. Those are all attack vectors or points of entry into the network. And that's what we focus on first, the external perimeter: how can you get into that network? The next step of that, too, is assuming you've had a breach or assuming there's somebody on your network, what can they do once they're on your internal network? And once we get into the internal network, the endpoints increase dramatically. Now we're looking at printers, workstations, security cameras, IP phones, IoT devices, thermostats, and TVs and whatever else might be on the network. Once we get on that internal network, the attack surface increases dramatically. And we can do a lot more interesting things.

Ed Mysogland  4:51  
You said thermostat, what can they do with a thermostat?

Brandyn Fisher  4:54  
So the thermostat there's you're not gonna be able to sand things, obviously the workstation to be able to get in there. To get data off of it, all we can do is try to get into that thermostat. And it's controlling something like, say, a data set or data closet, and there, maybe we can turn the thermostat off or turn it off or something like that to damage the equipment.

Ed Mysogland  5:14  
Wow. So to the business owner is saying, You know what, I'm 100%, cloud based, I use Google Google suites, you know, what, what could possibly happen? Is it incumbent on the Google on Salesforce on all my virtual assets, isn't it on them to protect, what do I need to worry about?

Brandyn Fisher  5:33  
So that's partially true. So these cloud providers should be issuing a report called a SOC 2 report, and that report will outline the security controls they have taken to protect your data and your information. That report is also going to outline the steps that you are required to do as a user. So things like making sure you have a strong password policy in place. That's not Google's responsibility, that'll be the end user's responsibility to make sure that is deployed correctly throughout the enterprise. So just because you're using a cloud based solution doesn't mean that you're off the hook completely. There's still things as an organization you need to review and consider when deploying those things.

Ed Mysogland  6:12  
When a buyer shows up, a buyer is looking at a particular business. And the entire point of their analysis is to identify and figure out how they can mitigate their risk in the acquisition. Most overlooked areas that we find is the cyber footprint. So not only the infrastructure, but also the virtual, what's outward facing? And how do I control it? If I'm a buyer, and I'm looking at that business, what's my checklist of things that I'm hoping not to find? And better yet, how do I find them? Or when do I know I need to employ someone like you?

Brandyn Fisher  6:46  
We actually work with visitors quite frequently when they're going through this acquisition phase, to kind of evaluate the firm they're trying to purchase or acquire. There are a couple things to consider when we're looking at this and evaluating an organization. Have they done a pen test within the last 12 months? And what were the results of that pen test? So if there's anything high or critical within that pen test report, you know, what's the action plan? They don't necessarily need to remediate it at this time, but is there at least an action plan in place? Are they taking action to correct these things?

Ed Mysogland  7:14  
So a pen test means penetration test, right?

Brandyn Fisher  7:17  
Yes, penetration test. We're actively trying to simulate an attack from a malicious threat actor.

Ed Mysogland  7:22  
I can tell you, I would imagine, and you probably know better than I: are businesses really doing penetration testing every couple of years, or in your case every year?

Brandyn Fisher  7:32  
A lot of organizations are required to do it every year. So some of the ones that are maybe under compliance or regulatory requirements, they are doing it every year. And then we're finding a lot of firms that don't have that requirement are still doing it frequently. It may not be every year, maybe every 18 months, but they are still doing it on a pretty frequent and reoccurring basis.

Ed Mysogland  7:51  
So describe what a penetration test is. I mean, how do you orchestrate that? And I know when we were visiting at Butler, it was pretty interesting how you were doing it and the surprises to those folks that were in charge and had no idea where you were going to come in at. So talk about how the penetration test works, and what do you do?

Brandyn Fisher  8:15  
The first step to penetration tests can be to identify our rules of engagement. And this is where we're going to outline what we're allowed to do, when we're allowed to do it, and how we're allowed to do it. Once we have all those rules set, we have the time set on the calendar, we go ahead and start doing our thing. This is all done remotely. We're trying to simulate a third party or malicious attack on the organization. So from our offices, then, we will try to attack the provided systems. On an external pen test, what we're going to try to do first is passive reconnaissance. We're going to go out there and try to find as much information on the organization as we can without actually touching their systems. So there's a couple of tools we'll primarily rely on for this, things like Shodan or Censys. Those tools go out there and do a scan of the internet on a frequent basis. And then we can go out there and search their results and see what we can find on the organization. This allows us to get a footprint without actually touching the system, without showing that we're preparing for an attack on the system.

Ed Mysogland  9:14  
So let me stop you there. So what does it find? I'm just sitting here saying, okay, so you put this out. What are the results? What does something like that look like?

Brandyn Fisher  9:25  
We're gonna be able to go out there and see what services are specifically running on that system. So are they running a remote desktop server that's accessible from the internet? And what version are they running? Are they running an IIS web server, are they running an nginx web server, and what version? We'll be able to go out there and just start pulling version and service information.

Ed Mysogland  9:44  
Anybody can see that, as long as they have this kind of platform to search?

Brandyn Fisher  9:49  
Yes. And these tools are free and accessible to anyone. So anyone can go out there right now and start searching that information. Keep going. The next thing we're going to look for is exposed passwords or usernames or email addresses that we can find. So we're going to use LinkedIn, first and foremost. We can go out there and start trying to look for people within the organization that maybe we can use for email phishing, or try to reverse engineer some email addresses or usernames. We're also going to use a tool called WeLeakInfo, that is similar to the Have I Been Pwned database. You can go out there and search the WeLeakInfo website and find clear text passwords that have maybe been leaked in other data breaches that are on the dark web, that are out there in a searchable format. We can go out there and search them. And if people are reusing their passwords, or haven't changed them since the last data breach that they were involved in, and are still using them, we can go out there and try to do some credential spraying or stuffing attacks on the organization.

Ed Mysogland  10:44  
So that was a lot. So you can go into LinkedIn and identify potential targets. I mean, what does the target look like? I mean, is it lower level folks? Or is it the upper level that you would assume, I hate to say it, but let's just say the older generation, you know, where they have one password that's universal for everything that they do? Is that the target? Where's the risk here?

Brandyn Fisher  11:11  
So it kind of depends on where we're going with the attack. If we're doing some kind of social engineering attack, I usually look at job titles. I'm trying to find somebody who would likely send out the message I've crafted. A lot of times that's HR or IT related, so I'm looking for their positions or roles within the company. Other times we are looking for maybe someone who we believe will reuse passwords or share the same password or something like that. And sometimes that is the older generation, sometimes that's the less technical folks who maybe are working on a manufacturing floor or in an office somewhere, that don't understand all the risks within it.

Ed Mysogland  11:46  
Then what's your take on, like, LastPass, or 1Password, or, I'm trying to think of, there's a couple others that are basically a password manager. So you go to a website, it populates username and password and you're off to the races. Does that slow anything down, or no?

Brandyn Fisher  12:03  
I am a big fan of tools like LastPass. I use LastPass myself. With any of those tools, however, you still have to make sure you have those configured correctly. You can still put things like multi-factor authentication in place, you can make sure they're not signed in all the time. Obviously, putting all your passwords in one place is still a big risk. But there are ways to mitigate that risk. I think it's a great tool to make sure users are using unique, strong passwords, and not writing them down.

Ed Mysogland  12:27  
I use LastPass, too. And it's great to use it works on your cell phone. And I think everybody just doesn't understand is how universal this thing or these types of platforms are. And it's really not as inconvenient as you might think, to employ them. IP theft. When I say IP, I'm talking intellectual property. That's a big thing. You know, I know, you know, it's in the news about Chinese coming in and stealing our intellectual property from from various companies and stuff. What's the challenge to locking that down? I mean, it's password protected. And there's all kinds of barriers to prevent theft, but yet it still keeps happening. Is it more internal or external infiltration, intellectual property? And what does the business owner have to do in order to lock it down?

Brandyn Fisher  13:16  
Great question. The first step in locking down any intellectual property is going to be to identify what intellectual property you have and where it lives. A lot of organizations assume that is on a single server, and that all they need to protect is that server, when in reality your users are transferring that all over the network at Signature their desktops is doing to other places that you're not aware of. So identifying what the data is and where it lives is the first step in securing that intellectual property. The next step is going to be to create a bubble around that. When I say bubble, I mean all your security controls that you're applying to protect that data. You'll need to apply it really to everywhere that data lives and moves. There's no need to apply it to every workstation within the environment. You can apply it to that select work environment, and then you can save some money and resources there by not applying it to everywhere. So once you identify where it lives, you create that bubble. And now you can start applying some controls around that to protect that data.

Ed Mysogland  14:15  
I can hear in the mind of the business owner right now saying, Oh my God, that's one more thing I have to do. How difficult is it for a business owner to lock this down? I mean, what does that mean?

Brandyn Fisher  14:28  
A lot of organizations equate security to buying a box or buying some kind of software and protecting the environment. What we'd like to do is kind of bring that back to the people, process and technology, and get to the root of everything here. Do you have the proper policies in place? And are they being implemented? Doing simple things and basic things like setting up proper access controls, making sure you have a strong password policy in place, making sure users have the least privileges needed to do their job, things like that can make sure that you're locking down the environment without going out there and spending a ton of money. They're things that kind of come back to the beginning of security, some basic core principles that still apply today, and they don't require a ton of money or new tools to actually implement.

Ed Mysogland  15:12  
So since the world is continues to get smaller and smaller, and people are using platforms like Fiverr, Upwork, there's the sharing of files, or there's a sharing of Dropbox or sharing of Google folder. When you're doing that, how do you lock that down? I mean, or can you lock that down? Because I know a lot of business owners, you know, they're they're using, instead of using internal sources, it's cheaper for them to go to fiverr or wherever to get some external help. So but at the same time, you're you are opening your infrastructure to that contractor. So how do you lock that down? Or do you?

Brandyn Fisher  15:54  
Yeah, I can just come back again to the SOC 2 report. Those SOC 2 reports are going to tell you exactly what you need to do to protect your data. And within those things, like Dropbox or Google Drive, or whatever cloud storage service you might be using, you can set permissions, sometimes file based, sometimes folder based, but you can set specific permissions on each of those to make sure that data within that is locked down, and then what the user can do with it. Are users allowed to just read it? Can they download it? Can they send it to somebody? You can set all those individual permissions within that folder to lock it down.

Ed Mysogland  16:30  
I didn't, I didn't know you could prevent it from being forwarded like in Google or Dropbox? I did not know that part.

Brandyn Fisher  16:37  
Yeah, all of them are gonna be a little bit different on what they can do. But the bigger ones should usually have that kind of permissions. I know, I know, the one we use internally will allow us to limit the Ruby and for particular folder to prevent the unauthorized sharing of data internally.

Ed Mysogland  16:53  
Yeah, no, I mean, we have data rooms and things like that, where we can dump our deals in and then control who gets to see what, when, and unlimited there, but I, and I'll have to investigate whether or not Dropbox and Google because that's the one, those are the two primary ones that most of the business owners at our level are using. So and I would assume most in the audience are at least have some exposure to them. So what are the most targeted industries?

Brandyn Fisher  17:21  
So that's kind of a tough question, it really depends on how you're looking at it. I think financial services is probably the most targeted based on the cost of the attack and the number of records exposed. Healthcare is also hit a lot with ransomware. And I think these two industries are targeted a lot because they're under a lot of compliance. And a lot of organizations think compliance equals security. And what we find time and time again is just because you comply with whatever regulatory guidances you're under, or you're meeting those regulatory requirements, doesn't mean that you're actually secure, and you might be missing the mark on some other areas. And the regulatory guidances aren't always the most direct, they can sometimes be vague on how things should be implemented. And they're also not always all encompassing. A lot of the regulatory guidances may not touch on things like the vendor risk management, or tell you exactly how you shouldn't put your password policy. So the organization may be had are missing those kinds of things, and leave themselves open to potential attacks.

Ed Mysogland  18:22  
So the business owner, that's thinking, Well, you know, what, I'm off the radar. I mean, I I'm too small. I've got 10 People here in the in the office, you know, we're not so susceptible for to be attacked. Is that true? I say? No,

Brandyn Fisher  18:39  
I think I think you're right on that. I think small businesses are still a victim of the target 43% of small businesses in 2019, were a victim of some kind of cyber attack or infamous,

Ed Mysogland  18:50  
really, and so I know, just speaking to a lot of old and I keep bringing up older, but you know, those that that didn't necessarily grow up with computers, but you know, just use them as a tool. It's hard to determine what link not to click, and you find that, that most of the time, I'm hoping you can confirm this. It's not, you know, they're attacking you. You're just opening the door and welcoming, welcoming them in is that the way it works for the small business owner?

Brandyn Fisher  19:24  
Yeah, I think that's one of the primary ways attackers are getting through firewalls and perimeter security devices: through social engineering and email phishing. They're sending those out, users are clicking those or entering their credentials into a phishing website and providing access to the attacker.

Ed Mysogland  19:39  
Well, I'll tell you two of the ones that that it used to be Dropbox, you know, I sent you a link in Dropbox and that would that would start it and then then Docusign. We've seen a number, a number from Docusign. Is there other platforms that the big phishing schemes are coming through on?

Brandyn Fisher  19:59  
I think a couple that we've seen lately, one of my favorite ones to use during our assessments is sometimes UPS, a UPS delivery notification. We've also seen an uptick in Office 365, and trying to spoof the Office 365 login page for SharePoint or email. Yeah. And then since we're currently in the midst of this pandemic right now, there's also been a large uptick in Coronavirus related email phishing scams. Yeah.

Ed Mysogland  20:25  
And that's so terrible. I think hopefully there's a special place in hell for folks that are capitalizing on that. And you know, you had turned me on to the podcast Darknet Diaries. And you know, the funny thing is, not all these people are, it's more gamified than it is malicious. And so I retract my go-to-hell kind of thing. When someone infiltrates you and takes something, what are they going to do with it? I mean, what's the going rate on an email address? Or what's the going rate on a telephone number that, you know, we're all now getting robo calls? What's the point?

Brandyn Fisher  21:04  
That's a good question. I mean, when someone infiltrates an organization and tries to steal data, you know, a lot of times, it's just for blood for the street cred to say, I've done it here, right? Did you know some of this information is sold on the dark web or underground website. And there's not a ton of value in it. There's no credit card numbers, they're sold in bunches pretty cheaply. I think the real value for attackers who are trying to steal personal identifiable information and stuff like that is stealing identities and trying to open up credit cards and do things. So unfortunately, under field identity, I think that's where we're seeing a lot of the harm coming from, opening up new loans and bank accounts and credit cards project.

Ed Mysogland  21:51  
Yeah, I get you. It's pretty, pretty frightening. But again, I think I continue to be surprised at how much information there is about you out there that you don't know, like you were saying, you know, the things that that you deploy to crawl the web to find things about your infrastructure? Well, I'm assuming that you have the same ability to find about people and how that works. So it's a frightening thing. As a business owner, like said, after I get done hyperventilating over all of this, you know, so what are what are some of the small cost effective steps that I can do? I know you said, you know, password policies and such, give me three steps. What can I do today to make my my business more secure, and ultimately more valuable? Because someone like you is going to show up and, and test and determine whether or not how risky the acquisition is. So what are the steps now? I said three, but if there's five, or however many, I don't care, but what are what are those things I can do today that will help me preserve the value I have in my company.

Brandyn Fisher  23:03  
So security doesn't have to be implemented overnight. When we talk about security, this is more of a marathon than a sprint. And that's important to remember, that you're not going to do it overnight. The first step's always going to be to select a control framework, whether that's the NIST Cybersecurity Framework or the Center for Internet Security Top 20. But these frameworks tell you exactly, here's what you need to do to bolster the security of the organization. So after you've selected your framework, then you need to perform a risk assessment and map your internal controls back to that framework to see what you are doing well within the organization, and what are some areas you can improve on. And third party organizations can do this, you can do it internally as a self assessment, but it's important to get an idea of where you are internally before you start implementing all these controls. I can tell you the three big areas that we look at in every organization right away are perimeter security: do you have the correct perimeter security devices in place? Do you have a firewall in place? Do you have antivirus in place? Those things that will help you hopefully keep out some of the threat actors. And the other thing we're going to look at is how's your patching? How are you doing your operating system patching? Are you missing critical patches or are you pushing those out on a regular basis? And then beyond the operating system patching, how are you patching things like Adobe or Java, or iTunes, those other applications that might not be included in your patch management program? And then the final thing we usually look at is surrounding access controls. And that can be how's your password policy, are you using multi-factor authentication? And then what user level permissions are there? Are users local administrator on the network? Or do they follow the principle of least privilege, where they have as little access as necessary to do their job?

Ed Mysogland  24:47  
Having said that, we're seeing that there is cyber insurance, like cybersecurity insurance. Do you guys deal in any of that? I know you don't sell it, but I'm certain that you're either an advocate for it or you've seen it work or not work. Any thoughts on that?

Brandyn Fisher  25:05  
Yeah, cyber insurance is a great tool, but it's a reactive tool. So it only helps you after you have had an incident or been breached. And it's not helping to actually prevent that. That being said, you know, just like your home or car insurance, it does serve a benefit and can help you ease the financial burden after an incident. Because a lot of times there's more than just the settlements or fines that you see in the news, there's a lot of other costs associated with an incident. Anyways, when looking for cyber insurance, things to maybe look at and consider when evaluating different policies: make sure you know what you're buying. A lot of the policies will range widely. We've seen some policies that will cover ransomware ransom, while others will not cover that. So make sure you know what you're buying. And make sure you're buying from a reputable vendor. There's nothing worse than finding yourself in an incident, going to your cyber insurance provider, and then finding out that the kind of coverage wasn't there, or there may be some misleading things. That nation knows that frauds make sure you make a reputable vendor to

Ed Mysogland  26:07  
Yeah, and a lot of insurances that it's already embedded in, in their existing insurance, I didn't know if there were like new riders and things like that, based on the platform that the business owner is running on whether or not they're you know, you can, you know, if you're 100%, cloud based, your risk is lower, because you have a third party that's managing your security, you know, versus a, you know, a server closet, that has to be considerably different, especially in a small business environment where, you know, that small business owner tends to be in charge of making sure that the updates are being done and such. So, you know, does insurance deferred, and I know, that's probably a little bit out of your wheelhouse, but have you heard or know,

Brandyn Fisher  26:53  
The cyber insurance providers we've talked to, typically, they'll come out and do some kind of assessment on the organization to see what risks that organization has. And so I think that's where it comes into play. Are you cloud based? Or do you have an on-premise data closet somewhere? And then based on that, I think they'll start offering you the different policy, pricing and stuff like that. So

Ed Mysogland  27:14  
I value so is there any software's you endorse? I know you and I are LastPass fans, anything else that you would suggest?

Brandyn Fisher  27:22  
Yes, as a company, we don't really sell resell software tools. There's nothing we endorse this way. The company, once who I have heard of recently is a tool called privo. priv the A and that's a great tool for vendor risk management for organizations who need to evaluate the risk at their vendors are posing to their organization. That's a pretty cool tool we've seen a little bit when working with our clients that we've liked. We liked recently.

Ed Mysogland  27:50  
Wow. Okay. So when we first met, and I know we're short on time, but you had introduced me to Darknet Diaries. And for those of you that are looking for an interesting podcast, and this is in your wheelhouse, I mean, it's a fascinating, fascinating podcast about the dark web and the things and the people behind some of the biggest infiltrations. And I will say bad stuff, but bad stuff that happens on the internet. So we were originally to talk about this on Friday the 13th. And then this little pandemic broke out, so we had to table it. So without naming names, do you have any story that shows the risk that the businesses that you guys are serving, anything that The Mako Group can share that would make people cringe?

Brandyn Fisher  28:38  
I think one of the more scary things we can do these days, when we're doing our red team and pentesting engagement, is what we call IPv6 takeover. So IPv6 is a network address on the internal network, usually, and it's handed out by default by most routers. So when a computer connects to the network, it requests this IPv6 address, and it'll be assigned one by the router. We've got a way to intercept that IPv6 request, and then potentially launch remote code on the system requesting the IPv6 address. If we can launch code onto that system, we're able to do a lot of malicious things. Sometimes we get right in there, and we already have privileged access on the machine, and we start doing some real nasty things. Other times, we can start trying to search for data on that machine or try to dump password hashes or clear text passwords on the machine. And from there, it's pretty trivial to start pivoting throughout the network, accessing other machines and servers throughout.

Ed Mysogland  29:34  
So what's the best way that we can connect with you and The Mako Group?

Brandyn Fisher  29:37  
Best way to connect with myself would be on LinkedIn. If you're looking to connect with The Mako Group, you can visit our website, makopro.com. Or also, we're pretty active on LinkedIn there as well.

Ed Mysogland  29:49  
I'll certainly have links to everything that we talked about in the show notes, but the services that you provide, I mean, what's the service that you would suggest that if a business owner was thinking either about selling the car Have a or just to evaluate whether or not they're, whether they're secure, what's the first step in contacting The Mako Group and then from there, you know, what is basically the process to engage you?

Brandyn Fisher  30:11  
To look into engaging with The Mako Group, like you said, visiting our website, reaching out. From there, we can talk about what your needs are. And it's really going to be kind of customized to what you're looking for, what you're looking to do. The first step, I think, to evaluating any kind of acquisition or anything like that would be to do a risk assessment over the organization you're looking to acquire and see what they have in place, what their needs are missing. And see if those deficiencies are significant enough to pose a high risk, we think at a high risk possible environment, or if they're small enough where they can be easily corrected and integrated into the new environment.

Ed Mysogland  30:46  
As far as cost goes, it's just a, it's a scope thing. I'm assuming it depends on you know, how extensive your testing is, as well as how big the the organization is, right?

Brandyn Fisher  30:57  
Actually, it's all scope based, all customized and individualized to the to the client. So that's not going to break the bank, but it is, it is still based.

Ed Mysogland  31:05  
Well, Brandyn, you know what, really, I'm so glad that we had the chance to visit and I appreciate you sharing your experiences. And I do believe that there is technological risk, and this is something that will help business owners preserve their value. So as Brandyn said, you know, if you go to makopro.com, you can learn a little bit more about The Mako Group, or you can reach Brandyn on LinkedIn, and like I said, I will have links in the show notes. So Brandyn, thank you so much again for being here and being a defender of business value.

Brandyn Fisher  31:39  
Thank you appreciate the time.

 

 
