Ep#97 Maintaining Security When Employees Work Remotely

October 14, 2022

Episode Summary

Working from home or remotely isn't anything new. But in the last few years, work-from-home has become the new norm, and the remote workforce has more than tripled. Are companies doing enough to protect employees who are working from home and not on the corporate network? How can they educate employees on the importance of maintaining a secure environment even when at home?


About the Guest

Evgeniy Kharam

I had the opportunity to spend more than 40,000 hours working in cybersecurity, providing pre and post-sales support in various technologies and later on as an architect and principal consultant.

As an Architect, I see my role as a highly advanced version of the game Tetris: I visualize all the possible combinations, interactions, interconnections, and patterns based on my knowledge of cybersecurity architecture and extended experience in the field.
I provide customers with expert advice on the ways to integrate solutions through a seamless matching process between what exists and the shifting puzzle patterns that continue to evolve.
I see the rules of the game being akin to clients’ pre-existing technology and the new patterns that emerge as representative of the company’s needs in an ever-changing security environment. My talent is to calculate and foresee how existing measures can best be integrated with the addition of new protection solutions.


Episode Show Notes & Transcript

Host: Jon

Please join me in welcoming cybersecurity architect and advisor Evgeniy to the show. Evgeniy, thanks for joining me.

Guest: Evgeniy

Thank you. Happy, happy to be here.

Host: Jon

So Evgeniy, today we're talking about cyber security. What are companies doing now that the employees are working from home? How are they securing not only their company but the employee and the data traversing to it? So Evgeniy, let's open it up and start talking about what you mean by securing it from working from home.

Guest: Evgeniy

So let's think about this. Even before the pandemic started, we all traveled, we went to conferences, we sometimes worked from Starbucks, we sometimes went to the cottages and we connected back to our office. Or maybe we used SaaS applications when the pandemic started. Recently in a matter of two weeks, everyone works from home. It's created quite a big challenge for everyone because now we need to connect all the employees in a path that was maybe 5%, maybe 10%, but now it's a hundred percent of people need to connect back to the data center or connect securely to the applications in the sense. But we'll get back to this. During the pandemic, everybody realized that we want to do digital transformation and we want to move all the assets to use us. Multiple reasons. Maybe it's easier. I don't need to go to reboot the server.

Guest: Evgeniy

I don't need to go and pay for the infrastructure. There are a lot of reasons why to do this and it's created a problem, an opportunity, a different methodology to secure people because the assumption right now, if you are working from the office, if you are working from home like you and me right now are sitting at our homes recording this episode or you are flying Starbucks, we want to secure your work. We don't want the bad guys to piggyback on your connection when you're connecting back to their office. We want to make sure you're not going to malicious websites and interacting with your machine. And then of course compromising the company. There were a lot of examples, not very good examples for the last couple of weeks about people hacking VPN and then basically going on somebody's machine and then going to share and doing stuff that you are not supposed to be doing. So there's a need to do this. Now there is a different part of the security to secure the data centers to secure the application company develops. Let's give an example of let's say Salesforce or CRM company. Doesn't matter which company it is, they have internal employees for enterprise security, but they have their product that they need to secure as well. It's a bit different challenge.

Host: Jon

Now, wait a second. So back then, you know I remember logging into the VPN, and up to gross I was still utilizing the VPN for a company. Why? Why is my comfort level changed you know I got a VPN I should be, aren't I secure? What do I have to worry about

Guest: Evgeniy

As we say security? Very good question. You know a very good topic. VPN secured the connection from my device to the camera One, it doesn't secure, it doesn't prevent from me going into bad malware websites to click on the URLs for example. But then let's think about this. If I'm working on my device and you are the bad guy, I'm not saying you're the bad guy but let us see you're the

Host: Jon

Bad guy. I'll play the bad guy in this part.

Guest: Evgeniy

Good cop and the bad cop and somehow you can get to my device, to my laptop and you are now sitting on my laptop remotely. Somehow your connection to the web office is also secure. So you piggyback into my connection and you go into the office. Here's the interesting part with the traditional VPN and connectivity, it usually works by IP range. So I connect and I have access to a variety of IP ranges. I can use scans, I can run Nmap, and do many different things. It means the bad guys using my connection can do all the things as well. And in many cases, there is gonna be no difference between a developing person and a marketing person, and an accounting person helping this person in the company. They will all be connected to the office or the data center for the applications internally and get very similar access. Why? Because they will launch the applications they need and authenticate. But the bad guys will have a variety of things to do and have much, much wider access than they're supposed to. You probably all heard about the magical tone of zero trust. Who doesn't wanna go there right now too?

Host: Jon

Much. We don't have enough time to go to zero trust. That's another episode. Yeah,

Guest: Evgeniy

Zero trust is it's a journey. You know it's not a flip a switch with there. Yeah,

Guest: Evgeniy

But the VPN as traditional as we know it completely doesn't support the idea of zero trust. Because I give you the, where there's a new format we call ZTNA, zero trust network access. I allow the users to remotely connect only to the applications, not the apps that they need. So we'll define groups, we'll define the access and then Evgeniy, Jon, somebody else who connects to the applications they need so no longer can just scan or go wild from home onto the network. Of course, you can claim that the more mature companies landed people in special DMZs or for the VPN had another firewall and had more rules there. But in reality the majority of the people just gave access and that's it. Now when securing the work from home, we're not just securing access to the application in the office. We also need to make sure we secure the browsing experience as well.

Host: Jon

Okay, you go, I wanna jump onto that because of the VPN right? You, you're logging into the VPN, land, and you have access to your machine that's right here. Say, we'll just theoretically right here in front of me access securing the tunnel to it. What about access? Now we're talking about working from home, but Starbucks is another example because you're not physically at the location where you don't have to VPN while you're in, you know, on-site or typically don't have to. But as an actor, I get there isn't everything that I do is usually tracked throughout the company through the VPN, like what I'm accessing. Can't I go and see or put alerts in place to trigger any of those things that are, that I don't want to happen? Or when I do have a VPN, is it just like being at the office where I'm accessing everything and now it's very hard to trace what's being happened?

Guest: Evgeniy

You just wanna have another episode about tracking, the SIEM, security management, and the standard part. <laugh>, Yes, the majority of the companies will take logs from the VPN concentrator, from the firewall or whatever device is used for access. Now if Evgeniy is a developing person and he needs to do X, Y, Z, how will the SIEM or the analytics platform understand it? Is he supposed to access an FTP server or the finance server? Because this system, and we are not going to user behavior analytics yet, AI, machine learning, terminators. But in the traditional systems that collect logs, we create some kind of hierarchy, some kind of logic. For example, if Evgeniy is trying to create an attack and is scanning the network, we will alert you about this. If Evgeniy is trying to access a server and he failed to log in more than 10 times in a minute, there's probably something we should go on.

Guest: Evgeniy

Evgeniy cannot type so fast, or maybe it's a hundred times a minute, but understand which service Evgeniy can log in and cannot log in. Why did Evgeniy today log into this FTP server and suddenly try to go to the Active Directory on a different continent or to a different FTP server? It's very, very hard to know without additional logic. The additional logic that is not always configured for everyone is the behavior component. Evgeniy usually logs in from nine to five. Why is he working at 2 AM? This could be programmed, but to understand, okay, Evgeniy usually transfers not more than a hundred megabytes of files, but today he transfers to terabytes. Why? Is Evgeniy trying to quit his job and taking all the files with him? Or it's not Evgeniy, because Evgeniy's on vacation. So why is Evgeniy even logged in? He's on vacation.

Host: Jon

All right, I I I have to jump in there and ask you because what's the difference between if I was onsite versus remote from home? I mean, how do you tackle both of those? Because maybe I'm transferring a lot of data internally, right? Transferring, I hopped on a server and I started moving and you know, data around which that's very hard to track that it was me as a user doing that within that server. If I'm part of a group and I'm internally, but now I'm doing this work remotely, uh, through the VPN and I'm trying to do that, what, what's the difference between onsite versus not and trying to do some of these attacks now for a quick interruption, a huge shout out to our friends at Veeam for sponsoring this episode. Veeam Backup for AWS can easily protect all of your Amazon EC two RDS and VPC data. Wait for a second, they can protect my VPC data too. Yep, that's right. Simplify AWS backup and recovery while ensuring security and compliance. All right, now back to our episode, uh, through the VPN and I'm trying to do that, what's the difference between onsite versus not and trying to do some of these attacks?

Guest: Evgeniy

This is a good question. The difference between onsite and remote is onsite. We can pretty much guarantee it's you. If you don't have a clone on your laptop and we trust the perimeter on site, then we know it's you and I'm doing this and we,

Host: Jon

Yeah, it's all a good thing this is gonna be a video podcast. Yes. Because then you can see you getting on

Guest: Evgeniy

Unquote

Host: Jon

We're not, we're not touching the trust part here. We were just talking earlier. Go ahead, finish the,

Guest: Evgeniy

And when you are remote, it's much harder to know you did the truth about Evgeniy or somebody and kind of going through the Pandora box. If it's true truth Evgeniy or some hacked hack of gain your laptop or somebody stole your Evgeniy credentials because there was no multifactor authentication done or even there was a multifactor authentication done but somebody was able to social engineer or do something else to get the access, how can we know? I always give people an example of cloud versus on-prem from a user perspective. Let's say I know the root access or the secret password to the router internally and I have it, what can I do with it if it's in a data center and I don't have a machine gun to get to the data center and I cannot plug myself into a console or router even if I have the password, it's probably gonna be very hard for me to log in. But if I know your AWS username and password and there's no MFA, now I can do anything I want from the same Starbucks near you.

Host: Jon

Well, that brings up even more questions because during the whole pandemic, everybody was working from home and it was almost an explicit trust for everybody that you are who you are at home because we just can't handle the workload that's increased of those working from home to authenticate them. It. What are your thoughts?

Guest: Evgeniy

So this way there are additional things you wanna bring. You know we have the multifactor authentication when we need to put some code, have a push notification. There are multiple ways to do it. A lot of companies right now are introducing behavior, behavior analysis, and biometrics as well. So okay, maybe need to put a finger or maybe we'll understand how you type. It's a bit more advanced. But we also want to include a posture checker and we will go to BYOD for a second, bring your own device. That's also important. But I can check if your device is part of my domain. Do you have some kind of certificate I gave to you? Or maybe I'll check if your device has an antivirus, EPP model language. Is your device part of a domain? Is it patched? Something else that can validate that you are working from the approved device from your work home is the mobile device management software.

Guest: Evgeniy

Another piece of applications that are pushed by your company. And if you have it, you're probably not a bad guy. Now it is creating a different problem because if I allow people to bring their devices, go to Best Buy and connect to Office 365 and on-prem, that's gonna be much harder. But I gave you permission, permitted you to use any device. Can I still validate? Can I do something else to understand you are you? And there's almost like a multilayer approach. What can I understand about who is getting from where it's coming, what devices are using, and something else I can understand whether it's beginning or not somebody else.

Host: Jon

Okay, there's a way or there you're testing on away. This is the first time I'm hearing it to understand the way I type if it's me or not.

Guest: Evgeniy

Yes, there is behavior analytics, sorry, the behavior notification programs that usually see how I tap, how fast I tap there. There could be deployed as an agent or, even in many cases deployed on the other side and a server and understand how usually quickly you type your password. There are quite a lot of applications at work on my phone and they will see how you hold your phone

Guest: Evgeniy

And they, because all of us holding the phone in the same matter. So it'll go, I understand banking, I think a lot of the banks trying to put an SDK part of the software to understand when you're trying to log into a bank it's you or somebody else. We're gonna see it's coming. There quite multiple companies working in this space and there's additional information to do this. There are already quite a lot of people using fingerprinting, of course, you know to do this. I did do it as well to understand to you it's you but it very will depend. The problem in many of these cases is we create one logic but then create exceptions because the manager, the CEO, the CEOs, and went on vacation, and then now they need to log in and they forget their magic authentication, whatever it is.

Guest: Evgeniy

So we create one exception, two exceptions, forgot to remove it or somebody didn't complete the logic to do this or people started the project and never finished the authentication part because they solve a problem where it doesn't work. Or maybe I, they did it for on-prem but never did it for SaaS applications. And because many companies move data to SaaS, CRM, Salesforce, and HR companies manual, I'm sure most of us, you and me using One Drive, Dropbox, Google Drive, or any of these applications where we save the data and then we share links and because we on the rush, we share the links, not with your email, we just have it with anyone. Because there is still a lot of stuff to do when we work from anywhere and we are in a rush, it's kind of, we're kind of global globalizing right now about the problem, how to secure it. It's not just the remote access part, it's also when we connect to the internet, could I allow you not, not even our VPN do I allow you to connect to Salesforce? Do I authenticate you and how and what I do with you when you get

Host: Jon

You're getting that provides another complex to it because I see working from home my access immediately to SaaS applications without hitting a VPN or going into the company and a VPN through it. Make my life easier. How do you balance accessing these SaaS applications, VPN encryption on the type it so I can get my work done but also stay secure because there's a point where exceptions start becoming the norm?

Guest: Evgeniy

There is a complete concept that started three, four years ago called SASE, first framework, Secure Access Service Edge. We covered this in the first two seasons and with the secure architecture podcast they have more than 25 vendors on this part. So if somebody wants to watch, there's a lot, a lot of good data. But the idea, what do you do? You let people connect over remote access. And I'm not saying VPN and remote access, usually ZTNA right now to the office. But when you wanna browse the internet and you wanna connect to your favorite applications, you're not going direct

Guest: Evgeniy

The SASE providers. It's also later on called use only Secure Service Edge has multiple locations in the world. It could be private data centers, it could be public data centers, work from home equipment. Instead of going directly to Facebook or to Salesforce, you first go into the closest PoP, point of presence, of the provider. Where is a check we even allow to go to Facebook? Oh maybe it's a Tor site, or maybe it's a malware site. And only then do you get forwarded to this website. Now it's not just there, we're not just doing your particularizations, we also check if the place you wanna go, it's potentially a MAL website. There's data intelligence going on the backend. Collect the information when you download the file, is this file potentially malicious, checking by antivirus, if you upload the file are you uploading the file that potentially has customer information?

Guest: Evgeniy

So data leakage prevention, there's a lot of what's going on in this inline inspection when you browse the web and because there are multiple locations of such vendors and such infrastructure as an end user, you don't feel a lot of problems. You don't feel latency. Of course, it depends. If you are at it in Mexico and you browse the local government and somehow you got routed to New York, it probably takes you a long time. So that's why back to architecture, how it's architected. How do you know where to go, where to route the traffic?

Host: Jon

What are some of these methodologies that companies are deploying? Because here's what I'm seeing is that there's no one cure-all right to fix these and for all the trust. But now I have 10, or 15 different ways that I have secured my environment from SaaS security at the edge, VPN, remote access, and antivirus, doing. There's all this overhead that's going, how are we, how are companies managing or being able to do this not only for work from home but internal uh, employees bringing your device. I mean it just sounds like, a nightmare to try to manage all these security applications.

Guest: Evgeniy

If you're right, it is a nightmare in a way it's also a problem because now we need better collaboration and I always was kind of trying to push the idea of collaboration in teams when I did consult as part of <inaudible>. So we want the network team to talk to the security team. We want the endpoint team to talk to everybody else because if we need to secure a network and inline communication, we need to all of the people working together. We see a lot of companies move from MPLS to SDN as pls. It's a network project but on top of that, we have security. So you said don't talk to each other. They're gonna go like this somewhere, you know, and everybody eventually figures out, oh we need to talk together, but it doesn't make sense. Now if there is a government, if there is an architecture team that says put the standards to understand where you want to go, how are we gonna do this then yes you can do it.

Guest: Evgeniy

You can understand okay I want to use a cloud security web as part of SaaS from this vendor or potentially one vendor for the network connectivity of the internet. The same vendor for remote access and maybe I'll find the endpoint solution that connects and has a technology partnership with this vendor. Then I kind of created a very good set of products and not just à la carte best, best, best of the breed. I don't like the best-of-breed term the BO by himself. Like when I go to a restaurant, I don't want my steak à la carte, I like result and potatoes.

Host: Jon

Ah, that's a good way to put it. Let me ask you a question. Is it harder to implement some of this stuff net new or an existing enterprise meaning yes, <laugh> or, Well I was calling it the other way thinking it was gonna be enterprise would be harder. But in general, yes is the answer. All right, well it's time to wrap up the show. No, I'm just kidding. <laugh>.

Guest: Evgeniy

It depends gonna be, depend. What you have right now is your current provider for VPN, remote access security, and web gateway. We didn't touch on a lot but let's leave it away alone has the capability in the Azure section. Can you not completely move everything but use your current provider because they maybe have a new offering and you don't need to change any, If not, they need to figure out what you're gonna do. And the important part here is to try to look ahead for two, or three years to understand where is the company gonna be. Not just what we security team wants, but what's gonna happen with the business. If the business thinks, oh you know what we don't need all these offices, we're gonna close them in two years and everybody gonna work from home. So if you are just creating the best security architecture and scenario, but you're not for forget, but you're forgetting to go to the business owners, understand what they want to do and you're gonna fail.

Guest: Evgeniy

So go to the business, understand what is your plan for the next two, or three years, then align your vision to their vision because security is supposed to be enabled and not stop everyone to do the work and pain in the butt. Then you can create the architecture, the components that need to be done, have, uh, quarterly, even monthly connections with everybody cause it's, it's very, very connected right now. People need to understand what's happening and create a plan for where to go. And when you create a plan, pretty much guarantees to do change, but it's okay that you change at least you know, pivoting hundred 80% and going in a different direction. The small incremental changes are totally fine.

Host: Jon

All right you go I'm gonna switch gears a little bit and I'm gonna challenge you with something as a hot topic that's happening at least once a week. We're hearing about companies being hacked, data being, you know, exposed, uh, malicious, however, it is. Has it increased with working from home or has the bill visibility just increased now that everybody's aware of it and we're all connected?

Guest: Evgeniy

When all this happened, I will do a lot of security workshops for companies, made this debate with friends that it takes 150, 200 into pieces more days for the company to understand it got breached or something happened. So the bad guys put them out and not touching them for some time to collect information. So while I cannot tell you for certain, it could be that during the transition for the last two years a lot of companies got hacked. We just don't know yet about it. And now it's slowly popping. Not always the case, not always the case. The last couple of we know it was relatively quick, but definitely with the transition to working from home people not building all the policies of how people support behavior and then transitioning the PO the written policy to security controls. There are more holes, there's also less um, visibility in some cases of what people need to do and how people need to do it. And unfortunately, we always find lazy people. Like, look at what happened with Okta. Unfortunately, there was somebody that has a completely proper way how to use passwords, but they decided to put them in Excel and note that I think it was Excel instead of going and logging in and taking it. And this is awareness, this is teaching people why you shouldn't be doing this. Sometimes you wanna cut corners and then it gets slapped.

Host: Jon

Did you read it uh, in the paper an article the other day? Is it a well-known hotel chain that was quote-unquote hacked, all right? And using a term some disgruntled guests did not like the way that they were treated and stumbled upon or figured out the password to their core router. It was 41, 2, 3, 4, right? Really. And they deleted all their data. Now I don't know the details of it but they were down for some time. I think it was like 48-plus hours and they only knew about it through reservations that were deleted and everything. That is pure laziness if that is allowed anywhere and the password is either null or password 1, 2, 3, I remember we would set those as a default and that was wrong because when you go back to it, you never change it. You just keep using it because it's easier.

Guest: Evgeniy

I'm wondering how he got to the main route but I don't, I didn't read the article so about how he got it there. But people sometimes put temporary passwords and then forget about them and don't use them. Also back to analytics and logs and internal if it happens internally in the company and there were no logs that indicated something happening, then it's just another example of unfortunately while we always tell what needs to be happening, we need to watch our assets, what we have, what we deployed. Cause if you don't know it's this not protected, we need to log everything but not everybody doing this for multiple, multiple reasons or they're lazy or they don't have enough budget also the case or they're so going and putting fires because there are not many people in the company that does not have just time. And uh, we see it a lot.

Guest: Evgeniy

Many companies don't have enough, not their security personnel to support the initiative. And if you look at what's happening in the managed service world, pretty much every VAR right now is offering a managed service offering as well because they realized people don't have enough time to watch 24/7. They usually work nine to five but it doesn't mean the bad guys are sleeping or maybe the bad guys. It's actually during it's the day for them when we are sleeping in North America. So it's perfect but nobody watching because everybody's sleeping and if we're not watching and maybe it's something triggered, then nobody will respond. It may have eight, 12 hours. That's a lot of time in our world that everything can be deleted. So there's a move of more services and we see a trend. Somebody got hacked and now they hiring people, and now they have a budget.

Guest: Evgeniy

There was a lot of communication maintained for several last weeks about what can be changed and kind of a lot of my peers do. The people I see agree that we need more board awareness. We need somebody's cybersecurity on the board to explain why it's important and what we need to do and kind of always bring the idea of um, what we learning at home. When you are small, like our parents told us, don't take any from strangers If I, you need to know whom you picking up if you get lost in the park, this is, we're gonna see when you leave the house, lock the door, stuff like that. Because there is some idea of training but we are not always succeeding in transferring the stuff we do at home, and at work. On the basic encouragement with the passwords, people still believe laptops are unattended and do a lot of different things which they're not supposed to be doing.

Guest: Evgeniy

Funny enough, we recorded this in October, and October, the security awareness month for cyber security. There are a lot of jobs like oh so we only need to be secure in October or we need to only be aware in October. What about the rest of the time? It just, this is the demand where we just bring a lot of attention and I hope there will be a lot of attention. I personally, when I go live every morning am doing weekdays and bring a friend to talk about security awareness and we'll cover a topic and let people ask questions. Let's see how this goes. It's an experiment we do, but it's important.

Host: Jon

I think you touched on it. Budget is always key at the beginning of the year. It's you're setting your budget. Oh, we don't have enough money for that. Well, guess what, we don't have enough skills for that but we need to hire for that. But you ever notice how much hiring they do after an incident? Do you wanna be, you always have to think of first of all, whose data are you controlling, right? If it's not, if it's somebody else's data, you should be taking top priority on it and securing it, right? And logging everything that's happening. We'll take that as an example. The other thing is that you're responsible for it. So you should be responsible to invest a lot of time and money into making sure it's secure, making sure those who need access, have access or limiting access and controls to it, and not just setting these all in cyber security month.

Guest: Evgeniy

Yep, yep. I agree with this part and I hope people will be more aware. We'll think about this a bit more and I think it's important to ask questions. You know, if you don't know or you are not sure, it should be completely okay to move. They know what, I'll listen to Jon's episode. Tell him I'm not sure if I'm secure. What should I do?

Host: Jon

Well, that's a good question. If they say I'm not secure, what should, what should they do? What would you first tell 'em? How would you approach that?

Guest: Evgeniy

I'll understand what they mean by this. Do they afraid to browse a different website? Do they see suspicious activity on their device? Would definitely to understand if the device has endpoint security, if they're, if the testing is, where is going and how they work, We will enroll them in security awareness training to see more about which emails they can open, which emails they cannot open, what the danger about such emails. But there are a lot of activities they can do that they will be more aware of. Oh, if I see this WhatsApp message to authenticate, but I never actually tried to authenticate to a website, should I press it or not? If somebody calls me on WhatsApp or sends me a message or calls me and says, Hey, I'm your IT department, can you please approve this? I need to understand do I just approve them or them.

Guest: Evgeniy

How and what, you know, like in spy movies we always had a secret phrase when you call someone you to know who, who, who is the person. Same as the IT department. When the IT department called, they need to know, for example, in Canada, there are a lot of calls about taxes and you did pay your taxes. I'm gonna go to jail and in Canada, I'll tell, hey, we never call you, you know, there's no way we would just call you and if we call you, this is the procedure and the question you should ask us to identify that's a real person and authenticated person. Same, but a lot of things can be done to let people feel more at ease.

Host: Jon

I always get called by IRS and they don't, and it's not them. I mean it's, I always love asking them a bunch of questions and seeing how long I can keep them on the line just to see how far I can go with them and what kind of information they're trying to pull. So IRS is the same as Canada for taxes, they're just trying to collect in, the other one. And I did a video on the, on Twitter the, uh, it was probably two months ago. They'll text me and they'll say, Hey, this is such and such, uh, CEO of the company you're working for. Uh, are you available? I need you to do me a quick favor. And I already know it's a scam right away. Cuz first of all, the CEO's not texting me. And uh, so I'll, I'll respond or I might have the CEO's number already so I kind of know, and I, I'll be like, Yeah, sure, what's up?

Host: Jon

I need you to run to the nearest store and get Amazon gift cards. Gift cards. Um, yeah, hold on a second, and then I'll wait like 10 minutes and be like, All right, I'm there. But they don't have Amazon, they only have Apple. Is that all right? Because I can't, Yes. I need you to get me like x thousands of dollars worth. I'm like, wow, that's a lot. Can I get reimbursed right away? I have to put this on my card. Yeah, yeah, sure. Just do that and send me pictures of the thing and I will try to keep them on as long as I can and I'll be like, do people fall for this stuff? Which is amazing that people do.

Guest: Evgeniy

People can fall. Yeah, people can fall. You know,

Host: Jon

There's no way in ha I I nothing. Phone calls, all that other stuff. It's phone

Guest: Evgeniy

Calls. Yeah. But people have emails.

Host: Jon

Yeah. I, avoid phone calls on this. I'll call you back. I'm digging up the number right now. I'll, I'll call you back and I'll talk to one of a representative. It's, and then they, they stop calling or they hang up, right? And they're like, All right, this person's gonna be difficult. I'm not dealing with it. I'll, I'll work my angle on another person. Yes.

Guest: Evgeniy

Invite me to the podcast next time.

Host: Jon

What? Uh, yeah, I'll send them. You know what, that's what I should do. The next time I get it I'll drop a link to this podcast. So Evgeniy, before we wrap things up, you have a podcast, speaking of that, Cyber Inspiration. You wanna talk about it?

Guest: Evgeniy

There are two podcasts. You one a security architecture running with Dimitry. Yep. Where we covered the technical aspects of many companies and how they connect. And the new one I started around six weeks ago is called Cyber Inspiration podcast. And I covered the motivation and the stories of people and founders of cybersecurity vendors. The idea is to understand what happened in someone's life when they decided to start the company. There was a bad day. They saw a big problem in cyber security. And then I ask what happened after how they did market validation, how the status, but people gonna buy it. Did they push the product first or did the marketing about the product? Some of the challenges, I have a dark part of the podcast, the dark side when we talk about what went wrong, quite interesting stories. You know, some people, developers disappeared, bad hires, very bad investor meetings. So quite a lot of interesting things. And I think it's interesting for people to wanna start their journey or also interesting for people that use their product to understand why they started, what motivated them, what moves them is by themself, his founders.

Host: Jon

Oh, that sounds like the dark side of it. Hmm. I'm gonna be listening to that. I, I wanna hear what some people's responses are. So Evgeniy, before we wrap anything up, do you wanna leave the audience with some information on cyber security on some of the tips and tricks that they might be able to do, uh, including listening to the podcast?

Guest: Evgeniy

So definitely the simple stuff: think about what you're sharing on social media. If you go on vacation, don't tell everybody on Facebook you're going on vacation (they also have your address on Facebook, for example), because people know it's a good time to get in right now. Don't, I'll say, ever, ever use the same passwords on social media, your bank, etc. Ideally, you are not repeating passwords and you're using passwords everywhere. Different password management. So you can use a password manager to manage this and have different passwords in different locations. Majority of the social media and banks now support two-factor, multifactor authentication and highly suggest using this idea. Never click on links that tell you it's the password. If you get an email and say, Oh we should just do password your Facebook blah blah blah blah, blah. If you think you wanna receive your Facebook password, don't click on the link, go to Facebook and do it from there. And it's not so hard to do. It's relatively simple. You just need to have password management on your device. Maybe the same, probably the same password management on your uh, phone as well. It's gonna be the simplest thing to do from my perspective. And if you get an email that is uh, too good to be true,

Guest: Evgeniy

Think about it twice, you know, before I just click on it and say, Oh let me have the Nigerian bridge.

Host: Jon

Wait, are you saying I didn't win that $10,000 that they promised me

Guest: Evgeniy

You? Maybe, but maybe they will win, or somebody else over wins

Host: Jon

<laugh>. Yeah, I don't believe those, uh, I call directly if it is, but I, that's some really good advice. I think the difficult part that folks are gonna run into is using a different password for every social media application or every application because it's really hard for us to use like 30 or 40 different passwords. But there are password managers or password things. Before I close things out, what are your feelings on these? Like password saves or one pass or management systems? Are they any more secure than actually going to the websites?

Guest: Evgeniy

From my perspective, yes. Yeah, we can say, oh but LastPass got hacked or 1Password had issues. In the majority of the cases, there's a bigger chance if you're gonna use the same password that some of the websites you use, the password got hacked, they stole the password and they're gonna use this password and go to the applications. Now let's say that LastPass got hacked and they got the passwords. You can go one time and change the password because LastPass, 1Password, and all these guys even can provide you the passwords. You don't need to remember them because it just fills you the look at go change it or maybe take you three, four hours one time versus you're gonna use the same password and then well guess what happened? Every time a website got hacked you need to go to change the password because you have used the same password. Oh,

Host: Jon

That's a good way. Yeah, that's a good way to look at it is thinking about it. Now it might be really easy to log into all these other websites using this one password, but if that one website got hacked, now you have to spend, you know, two, or three days trying to change all these passwords everywhere. Here you only have to go to that one site and do it

Guest: Evgeniy

Considering that you know the website got hacked and the information got stolen.

Host: Jon

Yep.

Guest: Evgeniy

Because if one of these big guys gets hacked, like LastPass, 1Password, you will know very quickly. Because it's gonna be on the internet. So you know, okay, my, my password management has a problem. I need to change password management or I need to log in and unfortunately go on all those and change the passwords. But once in three years, five years even potentially, we don't even know. Yeah,

Host: Jon

No, that's some good solid information. Well, Evgeniy, thank you so much for joining the podcast. I hope everybody feels a little bit more secure in understanding what companies are doing and advising those that are working from home and how they're handling situations. Also some recommendations on how to enhance your security regardless of where you're at. Evgeniy, thank you so much.

Guest: Evgeniy

Thank you, Jon. It is pleasure.

Host: Jon

All right everybody, Evgeniy, Cyber security architect, and advisor. Thank you so much for joining the Jon Myer podcast. Don't forget to hit that like, subscribe and notify because guess what, we're outta here.