Is My Data Safe Working From Home?
April 17, 2020
As many businesses continue working from home during the Coronavirus (COVID-19) pandemic in the U.S., hackers are finding ways to instill fear into the workforce in the form of phishing emails, ransomware, and remote desktop hacks. Now more than ever, it's imperative to protect your agency's data from hackers, especially with the many security risks regarding remote work. In this episode of the GEEK FREAKS PODCAST, we put Victor Congionti, Co-Founder/CEO at Proven Data on the Insurance Hot Seat to explain the types of cyber attacks many businesses are currently experiencing, and what security protocols you should implement to prevent these attacks.
Victor Congionti | Co-Founder/CEO at Proven Data
590 Madison Avenue 21st Floor
New York, New York 10022
Phone: +1 (877) 364 5161
Email: Victor@ProvenData.com
Website: www.provendatarecovery.com
Transcript Episode 24 Hot Seat
Ron: (00:00) Welcome to the Insurance Hot Seat, a special series by the Geek Freaks Podcast dedicated to answering the tough questions in the insurance industry.
Music: (00:08) [Intro Music]
Ron: (00:21) Today's guest is Victor Congionti with Proven Data. And we're going to talk about, I guess, kind of the environment today that you and I are talking in.
Victor: (00:31) Sure, absolutely. So I think probably one of the most critical things that, uh, we should be talking about today is, uh, working from home remotely. Um, you, uh, saw in the news the New York governor issued an executive order he's going to issue an executive order basically stating that, uh, all, um, nonessential employees about half or sorry, about 50% of them actually, uh, should be working from home. So that's gonna open up all sorts of risks and um, know I think that's a pretty critical topic in today's, uh, environment.
Ron: (01:17) Now, now it's crazy, right? So we've had a tremendous of since...So let me back up. Before COVID, we had, I would, I would wager to say 80% of our customers, uh, didn't really have a mobile remote strategy. Right. Um, fast forward to where we are today and now we are pressing the gas down for everybody to work remotely. And as you, where you guys are in New York, I'm sure it's the clamps are going to be putting down, getting put down sooner than later. Um, it sounds like in the next day or two and, uh, it's, it's crazy to see. I've had probably 25-30 conversations about it. We probably have a 50 to 100 devices loaned out right now to allow people to work from home. Now at Proven Data, how do you guys come into play with working remotely or I guess kind of the crisis in hand? Like where do you guys fit in?
Victor: (02:15) Sure. So the vast majority of our clients are calling us as a result of a ransomware attack. And, uh, as you're, I'm sure you're aware, um, what's going on in that, in that landscape. But, uh, you know, they're, they're calling us as a result of, uh, an attack and, uh, we're essentially helping them recover their data and also protect them, um, from future threats. While also, um, removing the threat actor from their network, um, and ensuring that, uh, you know, once, once we help them recover the files, he's not going to come back and essentially, um, cause the same amount of damage by encrypting the entire network again. Um, so yeah, that's, that's where we fit in. We're also, um, right now, uh, we have a campaign to help small businesses, um, and provide, uh, free consultations and guidance to help them protect their, uh, remote infrastructures. Um, cause the big, big problem is that a lot of these small businesses, they're not set up to work from home. Right. And, uh, you know, they don't have company issued computers. They don't have, uh, you know, vast majority of these employees are, are going to be using their own, um, devices. So that's gonna pose all sorts of, uh, risks and uh, you know, I think right now, um, really have to, uh, just create awareness around that and what needs to be done, um, and get the word out.
Ron: (04:00) So to sum it up right now, Proven is kind of the, the gatekeepers of networks and infrastructure. And not only if somebody does get in, you guys are going to tell them how they did and you know, close that door essentially.
Victor: (04:15) Correct. Yeah. If we're performing like a forensic investigation, um, then yeah, we can, we can tell them, yeah, this is how they got in. This is what they did. This is the data that they exfiltrated from the network. And uh, yeah, we, uh, we, we can give them a full, uh, pretty much report on what happened.
Ron: (04:34) So from your guys' seats, are you guys seeing an increase? And I know we are, so you're probably seeing it at a much larger national level. Um, here locally we're seeing an influx of COVID emails and attempts at phishing and all that, all that kind of stuff. So are you seeing that on a much, you know, national level or much higher level that they're using COVID to, you know, make, make inroads into the network?
Victor: (05:00) Yeah, I mean, anytime there's, there's a crisis, you either, there's always going to be ways to exploit fear. And in this case, this is exactly what these hackers are doing, and a lot of their, uh, phishing campaigns, they're changing their emails. Uh, so, you know, what, what they're essentially doing is, is, uh, putting out fake, uh, information sites that, um, you know, supposedly, um, they're there for the CDC or, um, World Health Organization, um, and they're actually embedded with malware and ransomware. So that's, that's a lot of stuff we're seeing.
Ron: (05:42) So that's, yeah, and that's unfortunate. Like I was explaining to a customer, it's not going to stop, right. They're going to use the, the momentum of the current, uh, environment and situations and kind of try to ride it in and through. Have you guys had, on your end, have you guys seen a lot of, um, actual success with this recently? Or is it, um, I guess becoming more of an old hat and people are really understanding the phishing and how that's working?
Victor: (06:09) Yeah, well, I mean, a lot of our, uh, customers are coming to us. Um, you know, that specifically from a ransomware incident. Um, the good majority of these attacks are, uh, through RDP or remote desktop protocol. Um, brute force hacks. So like what they're doing, uh, for, for those that they're not familiar, uh, they're, they're, uh, cracking essentially a, a password on a network that is a, is a weak password and they are, um, doing a port scan of, of, of a network, to determine if a remote desktop is open. And then once it's open, they, they see that it's a potential target to launch these attacks. And, and, uh, I would say about 95% of the cases we see are remote desktop, uh, um, attacks. Um, not so much email campaigns, but we do see, uh, you know, about the remaining 5%, uh, are the email campaigns.
Ron: (07:14) That's crazy. It's crazy to think that people are still leaving those ports open, but I guess it's more of a commonplace and not really a, a forward thought when you're setting up something like that either, you know, you just easy use, let's get in and get after it and well, we never get back to closing that up.
Victor: (07:29) Yeah, exactly. And now that, um, you have these, these small businesses working from home, they're going to be open, opening up these ports and they may not have the right security protocols in place. So that's going to be a big problem. We'll be seeing a lot of those.
Ron: (07:46) Let's talk about that. Let's talk about that because that, I feel like if we're going to put the finger on the pulse of business right now, what are you seeing as far as remote working or I mean maybe five tips take away something that some of these small businesses listening can kind of maybe put an effect on their own or reach out to people like yourself and get the ball rolling.
Victor: (08:07) Sure. So first things first, I think, um, you know, as we all know, uh, and talk about so much, uh, make sure you have strong passwords. Um, utilizing a password manager is, is essential. Um, and now that you're, you're gonna be off your, your company network, it's a good idea to use a VPN. Yup. Um, and, uh, so with that, you're gonna also need to patch your network. Uh, you know, you're always going to need to patch your router. Um, and any other devices that can be potentially compromised on your network. Um, and having a, a multifactor login, right? Like two factor authentication to log in, uh, to, um, sites to your, uh, you know, if you're using remote desktop, we highly suggest that. Um, and uh, yeah, I mean I think if you have those covered, uh, you're going to stop the majority of these attacks.
Ron: (09:14) Yeah. And I think that goes so the, we don't, we don't allow, allow RDP out. So it was only internal, so you have to be VPN to get it. Um, and I don't think a lot of companies are looking at that way. Um, there's probably a lot of companies too that maybe listening right now that have that Best Buy router that's still set to admin, admin. And that's another, I know another thing that you've seen probably get popped is people don't take the proper care of their interfaces, you know, facing the outside world. So yeah. That's great to change those passwords. Get strong passwords.
Victor: (09:46) Yeah, exactly. And you guys are an MSP from, from my understanding. And just question for you. Um, what, what are you, uh, doing, um, there at your company? Um, for these, for these types of attacks? A lot of our clients are actually MSPs and we see them as kind of a gateway to all these other businesses, right? So if we see an MSP compromised, um, we're also seeing like 15, 20 other clients that, uh, were compromised as a result of first hacking into the MSP.
Ron: (10:21) Oh yeah. So we take that very seriously here with us. So everything's two-factor, uh, passwords all have to be changed every 90 days for the login, right? So they needed the two-factor, uh, every interface that we use. So every web portal has two-factor enabled. Uh, we check it and then we used two, so we use, the RMM we use is backed by TeamViewer and that's even got two-factor. So you can't connect without doing two-factor. And we use a program called a Quick Pass that rotates admin passwords. So we don't actually know them. It's just kind of a copy and paste deal. So we don't, we don't get to look at the passwords anymore. We can still see them, but they're going to change in a couple days. So it doesn't matter. Um, it's just a couple of things that we do to keep ourselves safe and not liable for that kind of stuff because that's like you're saying is we're, you know, we're connected to just south of a hundred customers and if something goes wrong, we are going to be in a hot spot, right? So we have to take that, we take that very seriously with what we're doing too. And that's why we only allow, um, traditionally we only allow a certain people to VPN in or get access remotely to their stuff unless they sign waivers and all that other fun stuff. But right now how we're attacking the remote from home is we're, we're giving them access via VPN with remote desktop. Uh, kind of what you and I were just talking about or TeamViewer with 2FA turned on and uh, you know, TeamViewer and back into their machines if they have a machine at home. And we've even had some people that want to take their work computers, their, their desktops home because they're, they know they're going to be out for an extended period of time.
Victor: (11:53) Yeah. We're seeing that.
Ron: (11:56) It's getting it and it's not one size fits all. Right. So we have small agencies or small customers that TeamViewer makes sense for. And then we have some larger agencies that a VPN remote desktop makes a lot of sense for. We have a few customers that run VMware Horizon, but that's all run through AD and two-factor too. So it's been, uh, it's been crazy. It's been a lot of work and I'm sure you guys are seeing it on your end now that everybody's kinda, you know, spreading out how you know, the threats that are, I guess the threat planes are being exposed for what they are.
Victor: (12:31) Yeah, exactly.
Ron: (12:32) Have you guys seen any uptick in, you know, I guess ransomware right now? Like attacks that have been successful? Or is it just preparing for the worst now that we're, we're opening the doors, you know, I'm not opening the doors to the house, but we're unlocking the doors to the house on some level.
Victor: (12:48) Yeah. So, so right now, uh, we haven't seen so much in uptick. Um, we are, we do see like different types of campaigns targeting, you know, you know, just fear of COVID-19. And uh, we expect that to increase as the situation gets worse. So where we want to really, uh, prepare for the worst, um, you know, just, just to be proactive as possible and taking all the necessary actions.
Ron: (13:16) So tell, so tell me kind of as, as, so I'm a, I'm a, I'm a company, right? And I get attacked by ransomware. I contact you guys. What does that look like? So walk me through that process from, oh no, we're in trouble to, okay, we're going to be okay. What's that look like through, through I guess, Proven's process.
Victor: (13:37) Sure. So, yeah, a company contacts us, they set up a remote evaluation, um, sign our terms of service. We, we connect and, uh, essentially we're, we're gathering data points about the ransomware variant, how it came in, any IP addresses that are associated with, we collect a full triage. Uh, so we have like, uh, information that, uh, you know, we can conduct internal, uh, reviews about, uh, you know, if it's like a, an IP for instance that came from a sanctioned entity, we can't proceed really any further that we, after we do a, um, like kind of like a forensic analysis. Um, and uh, you know, once we collect all the data points, we then, um, we look at our data on the specific ransomware variant and, uh, we have like threat profiles we created for each of these different ransomware types and we then provide a quote to our client, um, pretty much, uh, letting them know, okay, this is, um, if it's something that they in fact have to pay the ransom, uh, let's say, we'll tell them like, okay, yeah, no backups. You know, we did all the due diligence, checked all that stuff. Um, you know, we'll tell them like, Hey, uh, you know, this, this, uh, malware actor, uh, has a history of not delivering on the keys. Right? So, you know, you want to take this risk, um, or you know, we'll tell them like the probability, like, okay, like 75% of the time that this guy has been honorable. There's been cases where, um, he's increased the ransom. Um, so, um, you know, and, and they ultimately have to make a business decision how they want to proceed, do they want to take on the risk. Um, and, uh, so from that point on, if they do approve the service, we'll provide, uh, guidance on how to, um, close up the vulnerability, um, if they didn't already decide to use us initially, uh, for the security, um, hardening and, and remediation aspect. So we'll provide guidance on that. Um, and uh, you know, then we start our process.
Um, you know, you know, with all the different variants out there. Um, each one is treated differently, obviously. Um, you know, we know which ones exploit RDP. So we know that, okay, this one has to, um, we have to close up RDP or reset passwords, do an inventory of user accounts, um, you know, and give them really detailed instructions on what to do, um, how to close up the vulnerability. Um, so yeah, that's what it looks like initially. Then we, we provide our, uh, our service, which includes, um, uh, negotiating with the threat actor on their behalf. Um, and, uh, also, you know, uh, making the ransom payment on their behalf. Um, and, uh, yeah, that's, that's pretty much it. High level. There's a lot of things in between there that, uh, you know, it's very detailed. Um, but you know, we only have 20 minutes.
Ron: (17:18) No, and I feel like a lot of people do when they do have something like that happen, they panic and they just, uh, either, you know, re restore, which is always the best, right? Cause you don't have to pay any money. It's got to make sure you have good backups going or they don't know what to do next. So it's great that companies like you guys exist. I know in our, uh, arena, it's a, it's good to have partners like you guys, um, available for customers if they do have issues. So that's awesome. And you guys have, it's interesting that you guys have to kind of keep a profile on each variant, so, you know, kind of to contact how it's going to go and what you guys learned. That's very interesting to me.
Victor: (17:54) Yeah. And also for the new variants to come out. Um, you know, that, uh, like let's say there's not a lot of information out there cause there's oftentimes where we'll see a ransomware variant, like we'll be the first ones to see it. There's no other security firm that has information on it. Um, so the first thing we do is send it to our, um, malware R&D person and, uh, he'll check the probability of it being, um, cracked or not. If it's, uh, you know, when I say cracked, I mean, is there a vulnerability in the code that the hacker was just careless and left, left open, right. Um, you know, there's, there's been cases where they were able to, uh, you know, see that, find that and, uh, essentially provide, uh, uh, working, uh, decrypter, um, without, without having to pay the ransom. So that's ideally the situation that we would, we would like to see or you know, the backup restoration of the backups. But that's, um, you know, best, best scenario.
Ron: (19:02) Yeah, we did it. We did another podcast where it says that the, we were talking about the average, uh, ransomware cost is like quadrupled right now. Used to be a couple thousand. Now it's like 40 grand to get your data back. It's crazy.
Victor: (19:14) Yeah. It's, it's nuts, I mean, like a lot, especially with these targeted attacks. Um, you know, they, they, we've seen, uh, these ransomware actors actually go onto a network, look at financial data and, and tell the, uh, the victim that, Hey, I see that you're making X amount of money. You can afford a $15 million ransom.
Ron: (19:37) Jeez. Yeah.
Victor: (19:39) You know, it's insane.
Ron: (19:40) No, and that's, it's only gonna I was just having a conversation about this this morning. It's only gonna get more sophisticated and more, um, I guess difficult to deal with. Um, so it's great that companies like yours exist and, uh, I how so if anybody wanted to reach out, so somebody's listening to this podcast gets into a jam, how do they get ahold of you at Proven?
Victor: (20:05) Best way to reach us. You can go to provendata.com or you know, we're, we're on the web, you can connect with us on LinkedIn, on YouTube, Twitter, whatever medium works for you.
Ron: (20:18) That's awesome. And uh, yeah, I, I appreciate the time it's been, it's always great to have a kind of this, Oh wait, I got another question before we get you going. Before I get you out of here right now with everybody working from home, if you had to give them, you know, a couple of tips right now as you're sitting there at your desk, at your, at home, what, what are we like from a security standpoint? Is there anything that they can do? I mean, besides have, you know, a password on their computer because they're going to be connected remotely into the network via VPN. So they're also now unlocking the door and connecting to it from a BYOD or bring your own device type situation.
Victor: (20:57) Absolutely. And I'm glad you asked me that question again cause there's one thing I did forget to mention. Um, and that's, uh, just be very careful on what links you're clicking on and uh, what emails you're receiving and even if it's from a trusted source, uh, you know, always, always verify, um, what you're clicking on, um, by either calling the person that sent it or, um, using sites that are reputable. Um, if you see an email from the World Health Organization, you're not going to, you're likely not going to get that, um, go directly to their site if you're looking for any information, um, and just be, be very careful of what you're clicking on.
Ron: (21:38) It's amazing how many of those WHO emails are going out, like they have everybody's email address in the world. Crazy.
Victor: (21:45) Yeah, I would say that that's the, the biggest, uh, biggest thing to look out for right now.
Ron: (21:52) The other thing I was thinking about too, now that we're talking about it, is making sure you have a pretty quality antivirus on the remote machine that you're using from home. And even Windows Defender at this point is a pretty good solution. But just making sure that there's something there, because again, with a split VPN that traffic's not necessarily being checked by the firewall. So just make sure you got something to cover your buns.
Victor: (22:14) Yes, exactly. Exactly.
Ron: (22:16) Because once you connect to that VPN, you're back into the network. And, uh, it could be trouble. I don't think it's going to be trouble, but it could be trouble. So. Well, perfect buddy. I appreciate the time. Um, stay safe. I would say stay warm, but it's gonna start warming up and we can't really go outside anyway, so stay, uh, stay safe. And, uh, I appreciate the time today, Victor.
Victor: (22:37) Great, Ron, thanks for having me on the show. I appreciate it.
Ron: (22:38) Hey, thanks buddy. Have a good one.
Victor: (22:41) You too. Take care.
Ron: (22:42) Bye. Bye.