Let's Talk FinCrime

Episode 17: Let’s Talk FinCrime - Being Compliant Doesn’t Mean You’re Secure

Season 3 Episode 17

Standard compliance doesn’t mean you’re completely safe. On this episode of Let’s Talk FinCrime, we’re joined by Corey White, CEO and Co-Founder of Cyvatar, as we discuss his storied career in the cybersecurity industry, how cybersecurity has changed over the years and how bad actors attack and breach your accounts in the modern age.

Corey White is a proven security industry veteran with more than twenty-five years of success building and implementing security strategies and leading consulting teams. His work encompasses virtually every industry, including government, high tech, hospitality, critical infrastructure, finance, healthcare and manufacturing.

Currently the CEO and co-founder of Cyvatar, Corey also served as the SVP of Worldwide Consulting, Chief Experience Officer at Cylance and as the Southwest Director of Consulting for Foundstone & McAfee/Intel Professional Services. He’s an avid lover of bio-hacking, manifestation, and meditation.

You can hear more of our conversation with Corey  by visiting actimize.nice.com/podcast

Unknown:

Welcome to Let's Talk fin crime, the show where we explore the human side of financial crime. We cover not only the big industry trends, but also how you can truly protect yourself and your assets. I'm Paul Coffey. I'm one of the hosts for season three. I'm in the financial markets compliance business at nice and I'm based in New York City. My career started in trading and sales in financial markets before I became poacher, turned gamekeeper and became a compliance officer. I've worked in Sydney, London, Singapore, and now New York. So I can tell you, there are bad actors everywhere. Today, our guest is Corey white, and it's great to be speaking with him. Corey is the chief executive and experience officer at Savitar. I'll let Cory explain what cyberattack is and what they do. But suffice it for me to say that they are leaders in technology enabled cybersecurity, happily disrupting $150 billion industry, Cory Gray, and thanks for joining us, people. Thanks for having me. I appreciate you taking some time to chat with me. Pleasure. Let's kick off by you telling us a bit about cyber tar and what you do by the company and yourself and your background. Yeah, yeah, I'll do a little bit background out though a couple curveballs at you. But so my background, I've been doing cybersecurity last 26 years. So I've kind of seen everything have done some of the largest incidents in the world. You can find me on WikiLeaks, unfortunately, fighting anonymous back about 10 years ago, Google, WikiLeaks, and amazingly, my emails pop up from a hack, the HBGary hack. I run again, global Incident Response Teams, penetration, testing teams, assessments, gap analysis, compliance, you name it, I've done it, you know, deployment of products. And at the end of the day, I'm gonna throw that curveball back at you all. So here's the deal. Do you believe the cybersecurity industry is trying to stop cyber attacks? One would hope so. But I think I know, given the you ask the question, I think I probably know the answer might be is the is the is the healthcare industry trying to stop the common cold? It could be? I'd like to say yes. But I guess you're going to tell me no. Yeah, I'll explain. So it and I was part of that for 23 years, I was part of that. So I'll give you an example. I do a lot of assessments and penetration testing, all that type of work. And here's the deal today, if I do a security assessment for a company, or financial company, or whatever, I'm 50 new vulnerabilities every single day come out. So if I did your assessment yesterday, 50 new vulnerabilities came out today, okay, that you don't know about. Okay. All right. And what's happened now with the cloud and such a fast moving networks nowadays, they change every single day. So I assessed you yesterday, is obsolete today. And so you take all these compliance requirements that say you have to do your yearly penetration tests? That is absolutely ridiculous. How does that? How does that secure you, that's just like, saying, I'm gonna brush my teeth once a year. From that point, and I really want to hear more about what you do, but just on that point, you know, 50, new vulnerabilities a day. Okay, so let's, let's try and what comes to my mind is, are they brand new, never, never seen before sorts of things are they are they building on, you know, is some some guy sitting in a darkened room somewhere, building on what's already gone ahead, kind of like, you know, what we're seeing with the pandemic, where, you know, where new variant comes out, and it's, it's more contagious, and it gets around quicker and all this sort of stuff. But we can use some of that's a mutation from you know, the Delta variant was a mutation of the Alpha variant. So, you know, if we know that some things work against the alpha, the alpha variant, we can we can at least sort of deploy some of those against the Delta variant. Is it kind of like that A we have these the we every day are we like, oh, you know, wow, you know, it's, it's it started from zero again, or we at least a little bit in the game. Today, let me it's really apples and oranges, what you're describing, I'll explain the two, unfortunately, you bought a very good point is actually worse than what you think. So move on abilities. When we say new vulnerabilities come out every single day, you know, your computer, you get, you know, I don't know, zoom, Adobe, I'm on a Mac and new backup into whatever. So a lot of those have security vulnerabilities and those patches, okay. And if, if you're not patching those systems, then potentially it has an exploit in there. Okay. And that is a new vulnerability. Okay. What you just described was new malware. Okay, right? Well, new malware Dalin did we have a count of new malware along with the variants that come out every day. So I spent a lot of time you know, what, a half years working for McAfee six and a half years working for silence, so pretty intimate with malware. So what ends up happening is I'll break down the whole variant thing you were describing. So what ends up happening is that with new malware that comes out, if I hack you with some malware, and then you get a signature to match it, and then you can stop it eventually, then, okay, what I would do is I would change it just a little bit, the signature a lot no longer matches it, then you have a new variant, and then I can get back and hack you again. Okay, because I'm anti traditional, AV antivirus is literally just matching signatures. Okay. And so I can create a new variant in a matter of seconds, and then literally, hack you again. So new variants are bad, new vulnerabilities are bad, everything is bad. But yeah, this is, this is turning into a scary conversation. So So okay, so going back to what you said, the question that you asked before, you know, what, I think some of the some of the some of the utilities that we see the antivirus and anti malware utilities, and so on, they put maps on and say where things are happening? I guess, well, I didn't let you finish telling us, you know, who cyber ATAR is? So let's go back to that. So I've got a bunch of questions. I think. Let's get familiar with Cyberduck. Sorry. Yeah, I think it's really important to understand the problem we're solving. So we just talked about security assessments in service in the services industry is obsolete, right? Because the the industry numeral abilities, networks change, you can't do it as a one time activity, it needs to be done as a continuous activity. That part is absolutely broken. Now let's talk about cybersecurity products. But isn't that what like, you know, if you've gotten McAfee, McAfee, or Norton or one of the one of the leading, you know, malware and antivirus utilities on your computer, you know, they my understand was, they're constantly updating you every time you turn your computer on or your phone on it goes, goes and gets an update every day and get to you know, the new patches and all that sort of stuff. So, aren't they constantly being updated? Isn't that what I pay my subscription for? Yeah, okay, let's break that down. Okay. The technology that traditional antivirus us uses was developed in 1987. Okay, it has not changed much since then. So what you just described was, okay, I want some new malware, okay. And then it's affecting all kinds of people all over the world. I've done hundreds and hundreds of incidents, as you described. So malware comes out. And then they have an incident, because antivirus is a response based solution. Okay? It is not designed to actually stop the attack. So it's brand new malware is never seen before. So there's no signature to match it. So what incident response looks like, is us coming in finding them our on those systems, submitting it to a malware analyst at McAfee, Symantec, whoever, right, they create a new signature that gets pushed down onto that system. And now you're protected. Now, what the hackers doing on the other end, is they're creating a new variant, and then they'll drop that in there. Okay. And then you got to do that process all over again. So you're always chasing, you're always chasing is not? Yeah. Well, I guess, I guess, a reasonable question would be, is it from what you've described in the process you've described? It's kind of not, it's not possible to get ahead, because you don't know what the guy in the darkened room somewhere is, is, you know, the guy with the black hat on is thinking. Well, stay tuned, I was playing how to get ahead. That's what savitar does. Okay. I want to make sure you know what, what the industry looks like, and most small to medium sized companies, they'll say, Okay, I'm gonna go buy antivirus or a vulnerability scanner or a patent. Yeah, and they'll go and they'll implement it. But most small midsize companies, they don't have a security professional, they don't have the expertise in house. So you have IT person trying to figure out security, okay. And in many cases is part of their job where they're doing it and security and they don't have security as a full time function. So what ends up happening is those products don't get fully implemented. Those systems don't get fully locked out. And so you aren't patched you don't have you know, your your antivirus on on all of your systems, you are doing all the basics that you should be doing makes you extremely vulnerable to an attack. Right. Okay. And so that is part of what is broken within cybersecurity, you buy a product, you don't implement it, you do an assessment is obsolete the next day, the construct of what we do here in cybersecurity is absolutely broken. It's not designed to stop those cyber attacks is designed to respond to the attack most you can. So that why is that why, you know, we find it, you know, and this has nothing against those companies, but, you know, your meat processing plants in you know, there was at that hack, I think, a few months ago of a company that had meat processing facilities in like several countries around the world. And they all got taken down for several days, is that because, for example, and I'm not making any aspersions about that particular company, but for example, their meat processing company, they're a food processing company, you know, they're not, they're not a cybersecurity company. So, you know, is it the case that a lot of a lot of companies in that sort of strata, you know, that sort of size and so on, they probably think, based on what you said that they probably think, well, we've got an IT guy, and we say, you know, we covered we'd secure and he says yes, and more she says yes, and good. We've you know, we've asked the question, tick the box, is that the sort of, is that what happens? A lot of companies, they just don't, they just don't they're not attuned enough. They're not knowledgeable enough to say, Well, okay, I, as you just said, it is is different from it. Security? That's, that's a bit of a new concept, I guess, for most people. That right. Is that would that be? Yeah, you see what I did? I do those incidents, and those type of companies, inevitably, the CEO, or some executive board members gonna say, why are we being attacked? We're not financial, we don't have, you know, patient information. We don't have financial information. We don't have PII, personally identifiable information, why are we a target? Well, what's changed is that they have money. Okay. Any company that has money is a target, because that's what ransomware is, right? If I can shut down your business, and encrypt your systems with ransomware, and then you're going to pay me money, then I don't I'm not after personal information. There's no intellectual property around meat, I'm sure. Maybe it is. But if they look, like what are they? Right. So we pair them has completely changed? Yeah. Now, any company that has money that they can pay out, you're now in it for ransomware. So in the past, it was, the bad actor would go and try and get names of individuals and have them and now that that's a sort of a porn adventure. And that's a two stage process. And now they've just decided to cut out the middleman. And they can just do a one stage process and say, Well, yeah, we will, you know, these companies that were hacking, they've got money, they've got money in the bank. So let's just do them kind of make sense from business from the from the bad actors business model. That kind of makes sense. Which brings me on to my next question. Okay, I've got a couple of questions here. And I'll just lay them out the areas I'd like to cover because I you know, we're getting through a bit of time here. I kind of like to know what we've touched on ransomware. But we've spoken about malware generally. And I guess, could you tell us what is meant when when you talk about malware? What does that encompass? And secondly, who are the bad actors? And where are they and how do they operate? So it fill us in on what malware is, first up? What do we mean by that? Yeah, malware is malicious software. Okay. And so anything that can be used for bad purposes, malicious purposes. And I think about it, even some of the Microsoft resource kit tools, like one of the most famous ones is PS exec as an admin tool is fantastic for administration. But also it is used quite a bit by hackers. So you might use an analogy. It's funny, I was speaking at a conference probably about 10 years ago, and I live in California and some prisoners escaped from jail and there was a dinner event that said, imagine that those prisoners escaped from jail. We're all having steak, you know, tonight we have a steak knife. Now let's take knife can be used to cut a steak, that prisoner has a steak knife in their hand, it can be used to do something bad to someone. Same thing with tools like PS exec, it can be used for good or bad so you need to be able to identify what those tools are. So that the malware Okay, depending on the use case, but something that's designed to be benign can still be could actually be co opted and used for that purpose. Oh, absolutely, it's actually called living off the land. So somebody hacks into your company, if you have a scanner, an IP scanner, so they can discover the network, they're gonna use your IP scanner. If you have an administrator mode administration tools, they can use your remote administration tools, so access your systems. So they're living off what is there, they're using the tools that you have, literally hiding in plain sight. And so that's how so many companies don't see these hikes. They don't know what tools are allowed and should be used within the network, and they're not liking that down. So who are these people? I mean, you know, they're not they're not they clearly not people who, you know, these people know what they're doing. And they're they sound like pretty sophisticated actors. I mean, are they people with, you know, university degrees in computer science? Or are they just people who, you know, didn't get out enough when they were teenagers and spent too much guy time gaming and got to know, computers? Really? Well? Who are these guys? I say all the above? I mean, a lot of them are, I've seen educated people I've seen, you know, obviously the kid in the basement type of scenario. But let's let's break down what they're doing. This is not complicated. Okay. It used to be okay. You could actually go on the internet right now. And sign up for ransomware as a service. And they will, yeah, literally, all you have to do is supply the email addresses, okay, you feed in the email addresses, connect in your Bitcoin account, they will go and execute the ransomware you know, hacks and, and against those email addresses. And then, you know, just to interrupt that, okay, you're saying, you know, ransomware, as a service, that that's just that's like me, going and deciding to, you know, try to find someone to go and, you know, rough someone up what, you know, you know, thuggery as a service. What I'm getting at here is the actual people who are so you know, what I'm saying is, if I, if I decide, okay, you know, blowers, I want to make some easy cash. And I can, from what you've said, I could go and find someone to do the hacking for me. Yes, right. That's pretty straightforward. I don't need any special skills, aside from being able to maybe go into the dark web and find and locate those people. What I'm getting at is who are the people who are actually doing the hacking, who who's the guy that's actually doing that, or the woman who's actually doing the coding and actually coming up with this hacking. Where I all all over the world, you got to think of it this way. Every single government, you know, they have this capability. They happen to have this capability to protect, you know, their countries. So they have that capability. In this stuff is really, really easy to do now, on the internet when I was doing it 20 years ago, it wasn't that complicated. You actually had to be really technical, to be able to do it, but nowadays not not so much. We'll take for example, you can Google dark side, that's the Russian hacker group that did Colonial Pipeline, there's a white on the internet about them. But again, it's a hacker group, they make 100 million a year off of ransomware attacks. So it's, it's it's everybody, okay, you can literally lay next to a ransomware hacker, you wouldn't know it. Because again, you have big coins, it's very hard to trace that. And as long as you don't get too big, then again, obviously, they're the authorities will start tracking you and, and trying to, you know, a rescue. But um, as long as small meal hackers are doing this every single day. These are your songs, you don't get to be 100 million dollar business setup, that's a decent sized business. Is that is that when they become when they sort of get that size? Is that how I remember reading recently that I think that if the if the DOJ had managed to claw back, some ransom some some ransom that had been paid out is that is that because the the guys who were doing that work were sort of big enough to that their head pops up above the parapet and the DOJ or the FBI was able to actually see who they are. Yeah, I mean, if you when you impact, you know, a country, the way they impacted impacted us. I mean, the nice folks couldn't be gas, you know, for a few days. That's pretty impactful. And what's the interesting thing about hackers, hackers still have good security. Okay. And so, the FBI didn't give all the details but at the end of the day, they were able to I apparently their Bitcoin wasn't as secure as it needs to be. So you know, we've seen that quite a bit. Hackers don't usually have very good security, they, they are used to being hacked by get. And so just just with that pipeline hack that did have a big impact, you know, basically on On the whole, you know, North American continent, you know, east of the Mississippi. Was that kind of accidentally too big. So getting getting to who the bad actors are? And you mentioned, you know, people, people around the world, I think that was tracked back to some people in Russia, correct me if I'm wrong there. But was that? Did they mean to actually create that sort of national level? Problem? Do you think? Or were they just after the money and going back to what you said before, though, just after the money, they went after a big, juicy target? And, you know, just to try and get some money? And it turned out that will actually just had, you know, national infrastructure effects? Do you think I mean, I'm probably asking you to speculate here. But where do these people normally operate? Are they just looking for the money? Or are they looking to actually create disruption as well? They're just after the money, they don't want to pay? That was not, at least my speculation here, as you said, is that that was not intentional? Because, again, yeah, what was it? I think it was, like $11 million, if I recall correctly. I mean, let's face a lot of money, that they got paid out. But if it didn't take down, you know, the gas pipelines on the East Coast, it may not have sparked an interest, lead, FBI might not have hacked back into them and gotten half of that money back. So, you know, I don't think they intended to do that. You guys think about it? I've heard a few stats, and it's absolutely all over the place. But every day between 250 to 500, ransomware hacks happen a day. We don't know the exact number because most people don't report. Okay, right. Most people they're going through and they're either just paying it, or they're just rebuilding from scratch. Some companies even go out of business, because they can't get back up and running. So there's no reporting hotline where we're tracking this, you know, the FBI has an idea, but it's not that solid, right. Really, there's no so you there's no central cyber reporting, hotline that I could bring in if I think I've been hacked. There is yeah, you can there's one, but I'm just saying most people call it right, right. Because they don't want they think their business gonna get exposed. Okay, me who wants to say that we just got hacked into and they think it ends up all over the news. And that is just as quickly as you know, so they hack itself? Yeah. So hi, Cory, we were going to take a short break. And it's been fascinating and scary, and enlightening, all at the same time. But let's take a short break, and we'll be back in a moment with our guest Corey wise. interested in hearing more about the latest trends in fighting financial crime, visit nice, atomized, calm slash events, dash and dash webinars to Learn more today. Once again, that's nice atomized.com/events-and-webinars. We're back with Corey White, a true leader in the cybersecurity industry. Corey, the first half of the session was pretty scary from my point of view that you went through a lot of things that I that I just didn't know about. And I guess a lot of people don't know about. But can you tell us more about what cyber Todd does in this space to locate and disrupt the bad actors? Yeah, absolutely. So I want to make sure we frame this appropriately. Um, you know, there's nation state type of attacks, like the Colonial Pipeline we talked about before, where they're targeted and sophisticated threat actors are hacking into a company that is actually very hard to prevent, because it's by no means necessary, and they keep going. But the majority of the hacks are what I call a drive by hack, meaning you're not using basic things like multi factor authentication, you aren't updating and patching your systems on a regular basis. So you really you're sitting duck, you're using really basic anti virus is not designed to stop the execution of ransomware is only designed to, you know, kind of prevent it after it's already executed, which makes no sense. So what we do at Savitar is we flip the whole model upside down. I mean, as I mentioned earlier, I spent 23 years doing assessments and penetration testing, which is absolutely now obsolete. So now we do assessments for free. Once we do the assessments, then we understand Oh, you aren't right. We'll be back. You don't have a room availability scans on a daily basis. So you're going to be exposed there, you don't have multi factor authentication throughout your network environment, you don't have endpoint protection, that's actually gonna block the execution of ransomware malware, you don't even know what IT assets you have. So those are like, really basic building blocks of a cybersecurity program. So once we do that free gap analysis, we don't charge to tell you what's wrong, we actually charge to fix it right? In a subscription model that you can cancel anytime. So that's what we had to do to solve this, this big gap in cybersecurity, in my opinion, and including myself, we've been doing it all wrong for a long time, you cannot stop a cyber attack being reactive, you have to be proactive, and lock yourself down. And so what in cybersecurity, we have this concept of low hanging fruit. So if you're not patched, you got weak passwords, not using multi factor authentication, don't know what your assets are. And I can easily drop any malware onto your systems and then executes. That's low hanging fruit, but that's what most companies are. And the target is small to medium sized enterprises. These are the companies that they don't have a cybersecurity expert on staff. They don't have money to do that. Yeah, they know it wrong. Yeah. Yeah. And no idea what products to buy. Okay, a lot of them will end up just, you know, signing up with some MSSP. And thinking, yeah, a managed security services provider, okay. And all they do is send you alerts, okay. So imagine it's your house, right, and some of your front doors wide open, meaning not locked. astir or secured. So when somebody walks into your house, and MSSP will send you alerts, somebody just walked through your front door, okay. And then all they do is again, they're billion dollar companies that make money off of just responding to you getting hacked. So if I can make a billion dollars, and just I'm not fixing anything, I'm just telling you when you get hacked, and then exactly, um, I don't know, there's a lot of motivation to try to stop it when I'm already a billionaire by just tell you what, some bad. So as IT sabotage, we are cyber avatars. For our members. It's a membership subscription business. And the goal is to actually stop these attacks. Okay, those basic things down so that the basic drive by hacking doesn't happen. Okay. And that will stop a lot of these hacks that are happening out there. And then on top of that, we're partnering with cybersecurity insurance companies provide insurance. They know based upon a lockdown security environment, think about what's happened in insurance call. And I'm curious what you think about previously, in cybersecurity insurance, people were getting insurance, and they just checking the boxes. You said earlier, yeah, we do all this stuff. That's the equivalent saying, I'm going to share my house. I don't have five doors or windows, I don't have any security on my house. But I'm gonna secure everything in there. I mean, ensure everything. Yeah, what insurance company is going to do that. But we were doing that in cybersecurity. Now, all these getting hacked. And now all these insurance companies are saying, wait a minute, you'll have proper controls on your network, we're not going to secure and insure you. So that's changed. So interesting. So there's a there's now like a financial driver to do it. As long as I'm just not getting ripped off. I like you, I like your analogy, you know, drive by I had a bit of a chuckle when you first mentioned that. But it sounds like you know, when you when you mentioned, you know, when you when you use the analogy of a house, it sounds like if, if if you know, if some thieves are driving around the neighborhood, they're going to be looking for literally driving by and looking for houses that have got the windows open or got the front door open and things like that, rather than the one that looks like you know, that as they drive by, they can see they've got cameras out there, they got, you know, security screens on all the windows, and there's a gate on the left, clearly lock gate, on the driveway and so on. So I see I your analogy that drive by becomes very clear there. But so these guys, these people are sort of literally combing the internet looking for, are they looking at my computer? Are they able to sort of drive by my laptop and see what my security vulnerabilities are? It's so funny. I was talking to a prospect and and he was he was able to look at this internet router logs and this firewall logs. And he told me this. I already knew it. I've seen it before. It was interesting. He's like we're being scanned by somebody every three seconds while we're just sitting on the internet. So you know, again, back to the drive by Imagine somebody driving by your house every three seconds and then a new garage door is open. Oh yeah. Nice car and there you go. They're able to see what you have, right? And they're gonna go and jingle, the front door or garage door and see if it's open. And what I'm saying is in the cybersecurity industry, if we're not patching, we don't have malware prevention, something that can actually block the execution of malware, we don't have multi factor authentication, all these basic things, then your doors open, late juggler, your doors open, and they walk in, and then you have these mssps, they'll send you an alert when that happens. I'm sorry, I don't want to learn why walks in my house, rather late with somebody trying to bang on the door, but I don't want it when they're in. It's a little bit too late. It soon forces Bolden so to speak. Yeah, this is I keep on using the word scary, I'm gonna, I'm thinking, right, I'm throwing my laptop or my phone in the bin, and I'm going off the grid. But that's the problem is we can't do that these days, you know, these devices are ubiquitous. And you used to do a lot of banking these days, a lot of banks around the world are closing branches, and going purely online and app based and all that, you know, you the old days used to be, you could go and you'd go to a book travel, you know, well imagine that being able to book travel, you go into a travel agent, and you'd sit there and they would have access to a system now you just do it all online. You can't live without modern life you can't live without without your devices. So it's what what can we in the street to, to take care of ourselves? I guess what I want to look at this from both ways, what can what can we do to take care of ourselves? And is it too late or is just a matter of time before we had? And the other? The other angle I'd like to look at here is from the regulators and law enforcement point of view, you know, what are they? Should they? What are they doing and to protect us? And actually, should we be expecting them to do it? Or do we need to take a bit of responsibility ourselves? So I guess, yeah, the first the first, sort of, I guess it's a bit circular. So the first part of that is what, you know, you know, me in the street, what can I do to protect myself with my my phone and my laptop? And whatever other devices I've got lying around? Hell yeah. I think these days, your new refrigerators are connected via the internet of things. And so should I be worried about my, my, you know, if I was to buy one of those refrigerators that's got the ice machine that you should not be worried that if I connect that to the Internet of Things, suddenly it's going to start shooting out ice all over my kitchen floor or turn my oven on at three o'clock in the morning or something? What should I be doing? Well, I mean, at the end of the day, Paul, we can't go back. Unless you really want to get off the grid, you can go back, everything is connected with IoT. I really think the basics of things. Yeah. Internet of Things. Yes. So you think about it. I tell everybody, if you're whatever bank you use, whatever you do, make sure is using multi factor authentication. Because one of the things that I was really scared for me many, many years ago, I've done some incidents of some very, very large companies that we all use. And then when you see the password database be exfiltrated out, I'm thinking to myself, damn, I'm, my password was in there. Okay. And so and then it happened two or three other times, I'm like, Okay. And so I, what I educate people and say is that Think of it this way, and this is how I approach everything. I assume that they have my password, right? Assume your passwords compromised. That's why you need multi factor authentication. Even the passphrases again, if I steal the old password database, I have your passphrase. Okay, what's the difference between a password passphrase? Yeah, passphrase is something like, you know, Cory is having an amazing time on this interview. That's a phrase, right? And so naturally, that is a long password, but it's a phrase, I can remember that versus passwords password. So that's, that's, yeah. So that's why multi factor is so important. Yeah. So multi factor. That's where, for example, you put your name in and then you you get a one time password sent to your on your phone, your banking app might generate a one time password or something like that. Is that correct? Yes. That's it. Yeah. Okay. What about thumbprint? Any kind of biometrics I'm down for I mean, I use on my laptop. I think it's important to have have that because multifactor is something you know, and something you have. So I type in your password, and you have your thumb right or finger finger or whatever. So that's, that's helpful. So it makes it harder for somebody to hack it. So even if I can, even if I can get your your, your username or something like that, that's useful. the password, is that correct? Well, yeah, think of it like this one of our clients early on the CIO of the company, they were using Office 365, right, and you go online to log into office 365. So it's very easy to go to LinkedIn or whatever, and figure out what the username may be. So that's already out there. And then you just brute forcing the password. And then what we do is some of our tools, were able to see, he actually got an alert that somebody is trying to log into your phone on these three countries overnight. And he freaked out, he was like, somebody is trying to hack my account. Let's say notice that these are all failed attempts. You guys are using factor authentication. But yes, this is what is happening on a regular basis to everybody. Or I'm trying to brute force and hack into everything. That's interesting. So is there any way to make passwords stronger in some, sometimes when you get onto something and say, okay, for your password, you've got to have, you know, special characters and can't have consecutive letters, and this and the other? Is there any? Is there any way to actually any any sort of quick tips and tricks that can be used to try and create, you know, if you just say, you know, password 123? Well, that's probably hacker 101. You know, is there something you can do to make it, you got to remember all these passwords, but like, if you have a different password for each, if you've got some routine in your mind, you change the password for every different site, you know, is that is that a good idea? Does that limit the risk? Or as you say, are they just sort of these guys able to just brute force their way through anyway? Yeah, my opinion, just because I used to have all these brute force password cracking tools, we had servers, and that's all they did was continually quiet passwords. And we did I mean, I'm think going back 10 or 15 years, think about Paul, what has happened with computing power in that timeframe. So where it would take us a few days to crack a password database? That's minutes now. Right? So it, I truly don't believe in having passwords. Now, I'm always thinking about the the impact of what this is. So there's some websites, whatever, I just, I will think, okay, if they hack into this, they can only do that. And so I don't, I don't really care about the password, sometimes I'll make something really complicated. And then when I log back in, I'll do Forgot Password. Just thinking the password is compromised. So it and then that's one less thing to remember, I can always do for that password is going to email back and sign back up again, whatever. So just, again, multi factor authentication, or really long passwords are good. But again, a lot of these companies on the back end, they get compromised, and they don't tell you. So have you ever had some some may send you a note and say, Hey, we wanted to reset your password to something stronger, we're increasing our security, are you please reset your PIN, we've reset our pins and make it more secure. Many cases asked me on the back end, not anymore. I don't do that anymore. But they've been compromised. And we had to reset all the passwords, because previous offers have been taken. So you'll see the engineering unless it's actually someone asking me to reset my password immediately he gets a phishing attack. So I I tend to probably wouldn't reset my password, but I would I would not go to the link on the email. I go. Okay, so Okay, so my I think my question that I mentioned before was, is it too late and it's just a matter of time before we get hacked? I think you've answered that. And it is too late. We've already we've already been hacked in one way or another. But I guess just to round this out, and we're bumping up towards the end of our time here. What are what are our guardians doing to protect us? Should we be relying on on regulators and law enforcement? Or should we be taking these steps of your madness into our own hands? To an extent, I think I know from what you said, I think I know what the answer is. But I'd be interested in your views on that. Yeah, absolutely. So it really comes down to just going back to the house scenario. Lock your door. Okay. In cybersecurity if, again, your past if you aren't using multi factor authentication aren't doing the basics. Your doors not locked. Okay. It's open. And so I don't know if we need the US government or some compliance regulation to tell us to lock our door. We know that our home today, you know, right now, why do we need somebody to tell us to do that in our cybersecurity? I think there is a gap in education. Most people don't understand and that's why we're doing this podcast, where the impact of not patching your system, the impact of Using multifactor authentication, the impact of using really, really basic, old anti virus, these things are not designed to stop these attacks. They're designed to tell you meal after you've been compromised, potentially. So, again, we have to do and take the responsibility ourselves and be able to do that. Wow. Okay. This has been fascinating. Cory. It really has been, and if not a little scary. But I think you've, you've opened up a whole interesting area. Okay, this is a person in the street. Yeah, hear about cybersecurity all the time and hear about all these hacks and so on, I didn't realize quite how close to home. It all is. You know, being not able to get a full tank of gas is one thing, but having these guys, you know, kind of driving past my drive by and driving by my computer and my phone every three seconds. It's a little shocking. But yeah, so look, I think we'll wrap it up there. You know, we could talk about this, I'm sure people are doing their PhD theses on this very topic. So we could go on for a long time. But I think we'll wrap it up there. And look, thank you so much for speaking with us today. And it was fascinating. And I guess thanks for filling us in on what savitar does. And if people want to get in touch with you or learn more about your work and Savitar. How can they do that? Yeah, I think the most important thing, well, the things that we as a business decided to do was really democratize cybersecurity. So you can go to cyber atar.ai and click sign up for free and you get our freemium offering external scans for free, you get to build out your cybersecurity roadmap for free. So you get visibility into where your gaps are, and what you should be doing around building out a cybersecurity program that is absolutely free. Those are things that I used to charge, in some cases, depending on size, a company, hundreds of 1000s of dollars to do. But you know, the analogy I give is just like going to a car mechanic and saying, Hey, I need you to fix my car. He doesn't fix the car, he just writes a few a detailed report of everything that's wrong with him on how recommendations and how you can fix it. That's a security assessment. Okay, it sounds ridiculous when you put it in that context. But that's what I used to do. So I had to flip it. Again, we truly are the cyber avatars for small and medium sized companies and helping them to actually get secure. So that's why we design it that way. You of course can always connect with me on LinkedIn. I'm Cory D White and only then fairly easy to find there. But I love any comments or feedback from from the audience. I'm sure that the I'm sure there are some people who will follow up and to our audience look thank you so much again for listening and please don't forget to subscribe. If you have an idea for a show or have a suggestion for a guest we'd love to hear from you. So please drop us a line at podcast at nice at demise with a z.com as a podcast at nice act demise.com. Don't forget we have bonus content for every episode available@atomise.nice.com Ford slash podcast. Look out for the next episode on your podcast service. And Cory thanks again for being with us today on let's talk in Chrome