Who's In Your Cloud?
Episode 18: Network Vulnerability & Pen Testing

Jun 7, 2022 | CYBERSECURITY, Who's In Your Cloud?


Welcome back to “Who’s In Your Cloud?” 21 Steps to Secure, Reliable, Trusted Technology. Brought to you by TechOnPurpose, this is Episode 18: Network Vulnerability & Penetration Testing.

In our last episode, we broke down Managed Detection and Response (MDR), explaining the important role it plays in rapidly identifying and limiting the impact of cyber threats on your business. Look back at Episode 17 to find out how this cybersecurity service handles threat hunting, monitoring, and responding to malicious activity in your business, so that you can focus on what’s important!

Now, today’s episode is all about network vulnerability and pen testing. How do you know where you’re going if you don’t know where you are? Exploring vulnerabilities and simulating attacks on your networks through pen testing can help you answer that very important question. Here in Episode 18, learn how pen testing allows you to quickly discover your network’s weak spots, giving your IT team (like TechOnPurpose) the opportunity to fortify your cybersecurity and mitigate costly and destructive cyber risks.

Also, hear from our cyber expert cast about their available solutions and the benefits of evaluating your network security with pen testing. We’re very thankful to our partners joining us today from Cobalt, Netrix, and RCS Secure, as they help us educate our clients and prospects on the road to #secure, reliable, trusted technology!

As a reminder, we began releasing a new episode every Tuesday, starting 10/20/21, and will continue to do so through late spring of 2022, with brief time off for holidays with family and friends. We’ll also follow each Tuesday episode release with subsequent Wednesday, Thursday, and Friday posts highlighting our (3) contributing solution partners from that week’s episode. We hope you’ll find this an immersive, hopefully simple, educational, and enjoyable experience. So how do you tune in?

To easily follow the journey ahead, we’ve diversified your access options to all (23) of our coming episodes. You can follow along here on our blog or by any of the following methods:

  • Email Newsletter: sign up at techonpurpose.net/blog and have each episode delivered directly to your inbox when released.
  • LinkedIn:  follow here
  • YouTube:  follow here
  • Facebook:  follow here
  • Podcast:  follow here

Buckle up – it’s time to hit the road to #secure, reliable, trusted technology!


Lauren Lev  
Welcome back to “Who’s In Your Cloud?” TechOnPurpose’s vlog series where we explore the 21 steps to secure, reliable and trusted technology. I’m Lauren Lev, Marketing Manager for TechOnPurpose, but becoming increasingly more well known for my role as the host of this vlog series and well on my way to my Emmy nomination, if I do say so myself. If you’re joining us for the first time, we’re glad to have you back, but what have you been doing? You need to go check out our other episodes, and we’ve made it incredibly easy for you. You can view them on LinkedIn, Facebook, YouTube, or Spotify. And we are so generous, that we will deliver them straight to your inbox if you sign up at TechOnPurpose.net/blog. The most important thing you could do for your company right now is sign up for our free cybersecurity risk assessment at WhosInYour.Cloud. All right, we’ve got the housekeeping out of the way. Today’s episode is all about network vulnerability and pen testing, which involves exploring vulnerabilities and simulating attacks in your networks, but why? This tool helps to rapidly identify your weak spots, affording your IT team like us here at TechOnPurpose, the opportunity to fortify your cybersecurity and mitigate costly and destructive cyber risk. The rest is above my pay-grade, so let’s introduce these folks who will be able to help us out a little bit more. First up is fan favorite, Ivan Paynter, who is now the CTO of RCS Secure. After a very long hiatus, we’re so happy to have you back.

Ivan Paynter  
You know, it’s weird. I’ve never done a job shift in between a podcast, totally new ground. Man, great to be back really. I almost had to beg to be back like, “Have me back on the vlog, please!”

Lauren Lev  
Well, what are you doing at RCS Secure now?

Ivan Paynter  
Not much at all. Oh my gosh, you know, it is a complete learning experience. I used to be able to say, oh, National Cybersecurity blah, blah, blah, and certify this, and I’m a hacker, and now it’s like, holy crap that’s not security. I don’t know how to do that. No, no, Mr. CTO, that’s not an excuse anymore. Get up off of it. Little security boy, you’ve gone to a different level. So I’m being exposed to all kinds of things. And I’ve got a wonderful team. The guys know that I didn’t leave them behind, but the team that I left was probably one of the best teams I’ve ever worked for. The team that I’m with now, oh my God, just second level. And they allow me to ask questions, and then ask the same question again three more times. But you know, I’m really starting to find my ground work and we’re doing some phenomenal things. And we don’t stand still, it’s one of the things I love. We’re not waiting for it to happen, we’re making it happen.

Lauren Lev  
Okay, our next two cast members are new to the vlog. We have Cobalt’s Partner Account Manager, Laura Green. Laura, tell us a little bit more about what you do at Cobalt.

Laura Green   
Sure, yeah. Thank you guys so much for having me. I’m the Partner Account Manager at Cobalt. So I work with all different types of security companies who are partners with us. Cobalt, we specifically focus on pen tests as a service. So I make sure that all of our partners are able to provide fast, transparent, easy pen tests to their customers.

Lauren Lev  
Our other newcomer is from Netrix, Director of Sales Engineering, Matt Wilson, not to be confused with Matt Tankersley. Matt Wilson, tell us what you do and give us a little bit more of your background. 

Matt Wilson  
Sure, yeah. The “Matt” thing is going to throw us off today for sure, but we’ll navigate it. I grew up my entire life just being called Wilson. But see, that’s also a very common name, so both first and surname. So we’ll figure this out, we’ll make it happen. Yeah, I’ve spent the entirety of my almost 20-year career in information security. I like to say, I’ve been doing it since before it was cool. The last couple of years everyone hears and sees big dollar signs, and hey, I do security. I can say I’m a career nerd and wear that badge proudly. Yeah, I support our clients and our sales teams to help really align what we can do with what they need. And I grew up doing penetration testing and security assessments, appliance-focused work, and I a team for a long time. I had the benefit of managing a couple of different things, wearing a whole lot of hats. And I still get to do all that fun today. I almost have like, ADD for InfoSec, but that’s like its own thing, right? Like in InfoSec, you’re never done. So you can never know really, anything I feel. I feel like if I say I know a thimbleful, that’s probably too much. But by osmosis and just pure time in the space, maybe I know a thing or two, maybe just maybe.

Lauren Lev  
We have the old Matt, Matt Tankersley, TechOnPurpose’s founder and CEO and cyber evangelist. 

Matt Tankersley  
The old Matt, I’m okay with that. Listen, thanks, Lauren. And as always, welcome to our fabulous sassy and savvy cast of cyber experts. Wonderful to have you back. Listen, vulnerability assessment, penetration testing. Firstly, let me say this is not one thing: Vulnerability Assessment is a complex and comprehensive topic and penetration testing is just one part of that equation. Right? So hopefully, we’re gonna learn a bit more about those differences. When we truly see as business owners and cybersecurity evangelists and IT and cybersecurity staff, and we truly want to uncover the cyber risks to our company, our users, our systems and data, we have to take a much more holistic look than just penetration testing, which is not for everyone, by the way. So what’s the difference and the role of these two often misunderstood and misrepresented terms? And what does physical security have to do with cyber risk? And what’s the difference between external and internal assessments? Well, thankfully, we’ve got a fabulous cast of cyber experts here to shed some light on these and related issues that our viewers or listeners need to be seriously considering if you want to achieve the highest levels of secure, reliable and trusted technology. So Lauren, let’s turn it over to Ivan first. Ivan, why is this topic important? Why should we care? And do you have any stats or stories to share with our guests, our cast, our audience? Talk to us.

Ivan Paynter  
No, no, Matt, no stories at all. I got nothing for you. I mean, do you know me? Well, first of all, Wilson, I love the fact that you alluded to the fact that you’re 20 years in and you’re still learning. When you’re 30 years in, talk to me. I’m still learning too. And that’s the thing that I love about what you said and hate about what the old Matt said. Because in my world, Matt, and I think in Wilson’s too, there are no experts, we’re constantly learning. And that’s one of the reasons why you do penetration testing, because we’re constantly learning. The bad guys have an opportunity to do and to be in places that we don’t even know about. I mean, just think about the slack space on your hard disk. You can’t even look at it, but we can be there. So you know, as you guys know, I like to look at things from a different perspective, maybe the darker side of things. Maybe that hat changes from that kind of off-white hat to that little darker side that I have, it’s behind the door right now. But at the end of the day, you know, the reason why we do penetration testing is simply for the fact that we want to be able to identify where we are at this moment of time. Number one, where our vulnerabilities are, okay, and where we could be doing much better. And also you’ll ultimately identify what you’re doing very well, right, because it’s not always a negative. But the thing that we really need to think about, and we just talked about internal and external and physical. Look, there’s still a lot of us at home. I’ve got the greatest office in the world. I mean, how many other people have 10 monitors on one wall and two 58″ monitors at that, right? But I can do that, because I’ve sat here for two and a half years with nothing else to do, right? Except to play with Amazon and now I feel like I know something. At the end of the day, we need to look at the home user.
We need to look at the cloud, we need to look at physical security, we need to look at on premise and everything else in between. We have a lot of columns, everybody is everywhere. Data is everywhere, right? So now you really have to understand what you can access. Okay, so you want to do the physical, let’s get the guy dressed like a UPS man to walk in the front door and see the secretary or whoever is at the front door and pay attention that there’s no truck behind him. Ooh, good point, because that’s how you identify that. Let’s make sure we have the correct ID education for those users, that’s very important. Internal and external, so outside coming inside, let’s see what we can bang out inside, right? I mean, credential or non-credential, it’s the same thing. Do I have stories? Yeah, where do you want to start? I mean, it’s just a matter of understanding your environment, and really where your environment sprawls to, because it’s everywhere now. It’s at McDonald’s, or, God forbid, McDonald’s, I’m sorry, nothing wrong with that. But it’s at every coffee shop that has internet connectivity, it’s everywhere. Your environment has now moved to the Tesla that’s parked next to you at the light because that thing is beaming out an ISP. For that matter, if you know how to hack it, you can get into it, right? So your information, your clients’ information is everywhere. And we need to make sure that we know how to secure it where the vulnerabilities are. And that’s why penetration testing is the basis of really understanding where we are currently and where we have to move forward to.

Matt Tankersley  
Yeah, I’m excited to see what follows. This is a deep topic that you alluded to before we started recording. We could talk for six hours and we wouldn’t be scratching the surface. So, you know, as everybody knows, but we’ve got some newcomers. Right? We’re trying to give a concise overview of very deep topics that we’ve broken this conversation up into 21 pieces and parts. If you think about it, just sort of follow our methodology and framework of how we help people achieve secure, reliable, trusted technology. So excellent start, Ivan. Lauren, where do you want to go from here? 

Lauren Lev  
Laura, what is your take on network vulnerability and pen testing?

Laura Green   
For sure, I mean, I’m definitely gonna stick to the pen testing portion. Every vulnerability assessment combined with the penetration test will make the strongest security program, but my expertise lies in penetration testing. And like Matt mentioned, it’s not for everybody. So oftentimes, when we as companies go through a penetration test, it’s due to government issued compliance. So it’s not only important, but it’s required. That being said, I think the true goal, importance, value, whatever you want to call it, for pen testing is to make sure our employees or customers or partners are secure. And they can trust the products and technologies that we’re producing. So penetration testing, the way that we help with that effort is by helping to identify and understand the aspects of your business that may be vulnerable to attack. And the main difference between the vulnerability assessment and the pen test is the human-run element. So pen testing is a human-run manual assessment. And I can go deeper about how we define pen testing, kind of what it entails. Because every network, or application, it’s unique. So we have to make sure we’re scoping pen tests and really understanding your assets in your environments. So we know which pen testers to pull in, to form that team that has the expertise required for your network, what methodologies we’re going to use. So we really try to match folks with the right pen testers to get that job done. And I think Ivan even alluded to this a little bit, like the hacker versus the pen tester, a hacker has a lot more time to get into your environment. You may or may not even know it. Whereas, a penetration tester has a limited window where they’re going after your network, so we want to make sure we have the right people who can do this quickly in the best way. So post pen test, you usually get a report. And then that can be used to, you know, satisfy customer requests, satisfy compliance, whatever it may be.
As far as stories go, I’m not the most experienced on this call. But at Cobalt, we do have a state of pen testing report that we release every year. We just released our 2022 state of pen testing report. So it’s a compilation of data based on 2000 pen tests that we’ve run and interviews with security and development folks, about 600 folks. And we actually found in the report, that the vulnerabilities that are being found are the same top five vulnerabilities for the last five years. So it’s a lot of the same recurring stuff, which I think is interesting. Like, why is this happening? Why isn’t it changing? And why isn’t it improving? And we can explore more of that topic on this call together. One of the conclusions we came to is really resources and then manpower. But yeah, that’s kind of my take on pen testing, why it’s important, and we can get more into the specifics.

Matt Tankersley  
My favorite part about that whole thing was you said, “Folks” right? which tells us, you know, real quickly that she’s not sitting on the East Coast, right? She’s probably not sitting on the West Coast. She’s somewhere in the beautiful Midwest, or South somewhere. I’ve been learning about Cobalt recently, and I’m excited to learn in our next segment a little bit more about how you guys go to market and address that. I’m really intrigued by your top five and maybe we’ll get a chance to understand what those top five are. Just tell us where we need to go download it, so we can drive some more folks that way. So, Lauren, I assume you want to head over to Mr. Wilson.

Matt Wilson  
What I would add is penetration testing is a tool. It’s just a tool. It’s like saying, is a hammer better than a screwdriver? Well no, what are we trying to do? What are we trying to build? What’s our goal? What’s our outcome? It’s one view of risk, right? If we take the proverbial pie, and we slice it up, the risk pie, penetration testing is one view. There’s other views. You mentioned physical security earlier, that’s a perspective. We can talk application security, we can talk, you know, like layer two, network security, right? There’s, there’s so many topics, as I alluded to in my intro. But you know, for us penetration testing is where we emulate an attacker and Laura, you kind of mentioned, you know, you can use that line of automated versus manual. Sure, I can subscribe to some of that, as well. But for us, it’s you know, we get to model the threat. And whether it’s external, internal, wireless, physical, mobile application, for us, it’s usually about where we started. That’s, you know, that’s the delineation. External, okay, I’m probably some random person on the internet. Internal, I’m somehow some way starting from inside your environment or some version of inside. So for us, we get less hung up on scoping that stuff. And that’s really not relevant to this conversation. But you know, when we are modeling an attack, it’s important to know that you’re not the attacker. The attackers have no morals, they have no ethics, they don’t care about your production system uptime. So you know, at times, it gets really interesting to have conversations with clients who say, I don’t want you to touch that system over there. Look, we’ll do whatever you want, you’re paying. However, the bad folks aren’t going to work that into their consideration, right? Well, I don’t have anybody working overnight, so what if something goes down? Great business question. Maybe we should think through that, right.
And it’s not that we have a history of taking things offline or anything like that. But keep in mind that when we’re modeling an attacker, it’s in everyone’s best interest to make it as realistic as possible, while realizing that it’s not realistic, right? It just can’t be, because of all the other factors that I mentioned. And in terms of stories, you know, I don’t know. Do I go to the one where we had an intern climb through a ceiling tile, the one where the $2 party balloon got us into one of our hospitality clients, the time when I had to play good cop, I was actually the good cop one day and bad cop the other at an educational institution where, you know, we went in, one as a student, one as an auditor-looking person, to just be a distraction and make it seem like we should be there? There’s plenty of those but I really liked some of the statistics I heard and Laura, you know, you added to something, that data you found from within your organization. There’s a lot of data, the Verizon DBIR is kind of the industry standard. It’s one of the de facto things that I go to and recommend folks do. No affiliation, nothing like that. I’ve just been reading it for 15 or so years. But you know, that’s what a lot of the research supports is the very basics, the blocking and tackling of InfoSec, the patching, the hardening. You know, do all the fancy stuff too, but you got to do the basics. If you’re not doing that, what are you doing? You’re really wasting your organization’s time and resources on things that are going to be less impactful to the desired outcome, right, which is a strong cybersecurity posture. So I certainly second Laura’s, I’ll read into what you were saying there, Laura, people need to be paying attention to where the bad folks are getting in and how they’re getting in. And it’s usually some pretty straightforward things. We can get fancy. Let’s do the basics.

Matt Tankersley  
Guys, I’d like to learn more about what each of your companies are specifically doing. And we did some high level stuff there and things that make sure that our viewing audience knows that you’re out there, what you specifically do, and of course, we would encourage you to reach out to TechOnPurpose to get plugged into some of these things at all. We want folks to know who you are. Now, I do remember, Matt, from our intro conversation before today’s recording that we talked about the timing of these tests. And I noticed that’s been a really intriguing question as we meet with people who know that for compliance reasons or some other reasons they want to, they want to do this testing. And some folks I got, you know, we need to do it now. And I love what Ivan said, how do you know where you’re going if you don’t know where you are? That’s one of the beautiful things I love about penetration testing. And one of the things that we see often is, we know we have these gaps, you’ve already helped us to identify gaps, instead of investing now in that penetration testing, let’s take all these proactive measures to go ahead and get some additional security in place, then let’s do our tests. Right. And I think, you know, the verdict’s out, nobody’s got to, everybody’s going to have an opinion on it. I think there’s value to both of those. And so, it might be interesting to hear, you know, each of your thoughts on the timing of that too, as we get through the rest of our session.

Matt Wilson  
Yeah, I think, you know, Matt, requirements and drivers, that’s where it starts with the client. If they have one of their clients that’s demanding they have a penetration test done by the end of this summer, well, then I guess we’re doing a penetration test in the relatively very near term. But I liken it to a capstone activity. Sure, could you start with a penetration test? Okay, you could, but a good consultant, in my humble opinion, is going to advise the client and coach them on some of those proactive things, those blocking and tackling things, and help maybe not ensure they’re all in place, but ensure that the client is aware of what they could have been and should be doing. If we come in and you, you’re missing, you know, I’ll date myself here. MS08-067. Right, Ivan, you probably go back to those days. In the medical world, if they’re still missing that Windows Server service patch, right. That’s what that vulnerability entailed, and then they escalated, and took advantage of. If they’re still missing that, the penetration test is over pretty quickly, if that’s on a critical system there. So back to the timing question, the client makes up the rules, we will follow them, that’s fine. We will fall in line with what the client wants, but I’m not doing my job if I’m not helping them understand how they can get more bang for their buck. You know, pull more out of us, maybe through some consulting first or through some other, you know, when we’re talking about a tool and how a penetration test is one tool, one, one perspective of your risk. There’s other perspectives that may be more beneficial. But ultimately, the client, auditor, or regulator, board member says go get it done, then go get it done.

Ivan Paynter  
So I want to echo that to a degree. And we might start shifting directions here, because one of the things that I truly believe in. So first of all I’m now the CTO of RCS Secure, right. Great title. I’ve always wanted to have that title. It’s different up here. But it’s not really that different, right. I think at the end of the day, first and foremost, we have to really figure out what we’re doing and how we’re going about doing it. So at RCS we’ve got three different levels that we can take a look at. We have a basic, you know, we have an advanced, and then we have a “look dude, I got a guy from the NSA, he’s going to come in and he’s going to own your network.” It all depends on how far you want to go. Tankersley, you’ve heard me use the expression before: It’s like walking in the woods with your best friend. You got a bear coming after you and all you have is a BB gun. You know what you’re gonna do? I’m gonna shoot him in the leg. Because I just have to be a little bit faster than he is. My butt’s not getting eaten today. Okay, at the end of the day, there’s a lot that you guys unpacked and I want to jump into some of it. CMMC was one of the things that really brought us to a lot of compliance ease, right? We were out there willy nilly with the 800-171s and the whole NIST realm and that’s everything that RCS is based off. It’s based on this on most of our standards and we’ve helped many people get through CMMC 1.0. Now that we have 2.0, well, we’ll figure that one out after 3.0 comes out. But the bottom line is, I really want to give everybody two different things. Number one, when you talk to a supplier, that supplier should be able to tell you what you’re doing good and what you’re doing bad right away. That initial pen test is going to be that first phone call, because I’m going to ask enough questions or one of my engineers is going to ask enough questions to tell you immediately good, bad or ugly.
Your baby is adorable in your eyes, but let me tell you, the rest of the world thinks this is ugly as all get out because you’re missing ABC 123. How I get in the door and I got half a million ways I can get in the door. My favorite one is a drone that I’m going to give to your executive and he’s going to fly it around and he’s going to want to download something and plug it in and Bob’s your uncle. I’m in your network and you’ll never see me come in. A pen test is a point of time. And one of the things that Laura said that we really need to be cognizant of is to keep your company secure all the time. A pen test is not going to do that. The only thing that’s going to do that is managed services, that’s it period. The only way you can enforce all the time is to have somebody look at it all the time, because the network never stays the same. The day you pull out one thing, or the day you insert a USB stick that you found in the parking lot, your network changes. Put a new laptop in and your network changes. Your pen test now becomes null and void. Yeah, 90% of it’s there, but that one thing that you changed is now owned by you call off the company. It’s just over, right? So now, what are you doing? You’ve got to have it. Pen tests are a great basis, so is an assessment. For me, an assessment goes through the documentation, the pre procedures, the BCDRs, all that in one. There’s a lot of acronyms we’re tossing out and I never used to do that before.

Matt Wilson  
You need to put like an appendix glossary in here to use.

Ivan Paynter  
So CMMC is Cybersecurity Maturity Model Certification, NIST is the National Institute of Standards and Technology. What else did I call out? BCDR: Business Continuity and Disaster Recovery. I think that’s the basis of it. Look, at the end of the day, everybody has to do a pen test at least once a year, if not twice, you’ve got to. Your client should be calling for it, the government’s calling for it. And if you’re not intelligent enough to do it, you’re missing it. Right? Will McGowan, Founder and CEO of MCI, said, “If you can’t measure it, you miss it.” I did 20 years at Verizon, I know their book. At the end of the day, you really got to get in and know where your network is and then what you’re testing.

Matt Tankersley  
Right. Well, I’m excited to hear Lauren, what Laura has yet to add to the conversation. And I know in my infancy of learning about Cobalt, her company has an interesting structured program that addresses all these issues. We’ve been talking about timing, right, which is not just a one time thing, it’s a multiple time thing and an ongoing subscription to penetration testing. Am I doing okay, Laura?

Laura Green   
Yeah, you’ve got the pitch down. I agree with what Matt and Ivan have said about the way pen testing is approached. Matt mentioned, there’s usually a driver before you get a pen test, or someone is telling you, you need to get a pen test. And it’s usually done annually. I even, to Matt’s point, I love working with partners, because they have a really good understanding of their clients’ environments and what’s needed to improve security posture. And when they do make a pen test recommendation, it’s at the right time. Or it’s to gather that information that Ivan was mentioning before you continue to build out the program. So yeah, the way Cobalt does it, pen testing as a service is a little different. We try to make the process faster so that you can remediate your risks smarter and make your security stronger, ultimately, of course. So we have a platform and then we have a network of pen testers. So the network of pen testers, we call them our “Cobalt Core,” it’s over 400 folks. So with all those folks, we’re able to pen test faster, so we can get up and running with a pen test in two to three business days. Every engagement happens within a two week timeframe and then your report is delivered within 72 hours of the completion date. So this can be great for folks who are trying to get a pen test for compliance or an audit where they have that deadline and they need to know that that report will be delivered on that date. Additionally, we do retest for free. So this can be a really awesome value add to show that you’re improving your security over time. Okay, you know what your vulnerabilities are. You chose to remediate some, you chose to accept others, but then you went back into Cobalt, you clicked ready to retest, the pen tester goes back in, retests for free and then it shows in the report that it’s been fixed so you can show whatever stakeholders need to know that you are improving that security over time.

Matt Tankersley  
There’s a lot of takeaways and I’d like to hear a little bit more. And Netrix, you guys are doing a lot more than just this right here. Like all of us here, we do a lot more than just one thing. That’s what I love about Cobalt, you guys are very focused on the one thing here. And so, glad to have you guys with us. If there’s one thing I can take away from this entire conversation so far, guys, it’s that I’m never going into the woods with a BB gun. I should at least have a pellet gun. That’s awesome. I mean, I think we’ve done a great job today, very superficially, talking about a very complex topic. We’ve talked about, what is it? Why is it? We’re talking about each of you having some specific solutions and approaches to the issue. I’m curious, you know, Lauren, I think we’re going to be done in a good time today, which is a good problem to have, because otherwise, we will be here for six hours, right? So I don’t know, Lauren, ladies’ choice? Let’s bring it back around the room and see if we have any additional thoughts on what our audience needs to hear about the significance and importance of this topic, and from each of you again, one more time, why specifically should they choose to be working with your organizations. And Ivan, you’re the VIP cast guy, from where you came from and now you’re wearing that double hat. So we want to learn more about you guys, too. So Lauren, where would you like to go as we begin to wrap up the conversation?

Lauren Lev  
Laura, you go first? 

Laura Green   
Okay, sure.  I guess to close it out, I would just highlight that building a strong security program is not just about knowing your vulnerabilities, but really understanding the impact that an exploitation of a vulnerability has on your organization. And Ivan alluded to the data aspect. You know, what is the loss of time or revenue, if a system goes down, or the PR damage and the loss of trust, if there’s a data breach? You know, the more data driven you can be when we communicate vulnerabilities to our internal organizations, the better you can make a case for where and how to spend resources when it comes to security. So again, I’m going to plug our 2022 data pen testing report. I have recommendations, you can go to them, but I really recommend you check it out. Understand your top vulnerabilities and where to get started. Like I said, understanding your vulnerabilities is a great place to start with penetration testing. 

Matt Tankersley  
Lauren, as you consider who’s going to come up with the next last final words here, let me say I have been dealing with an experience with one of our vendor partners that, like so many vendor partners, I got a story. It’s a bit of a nightmare story. And it’s gonna validate some of what you just said, Laura, about the significance and don’t delay to understand your vulnerability kinds of things. And you think about measuring the cost, right. So I work with some rather large vendors that have, you know, like many people, had a disadvantage of an exploitation that was very costly. And what ended up happening is that they have had to drastically adopt, I mean, over the top security measures that I promise you right now have hundreds of 1000s of dollars of productivity impact in their day, all day, every day. And it wasn’t necessary if we had the right security in place, if we had known the vulnerabilities that we had in place, we could’ve taken better security metrics. But as a result of getting that problem and having your hands slapped, they had, you know, they sort of have the marketplace going, Okay, now we’re watching you with a fine tooth comb, and they’re having to adopt just ridiculous security practices. And I know even interacting with vendors that have been through that situation, it takes a task that could take 15 minutes and turns it into an hour. And now, multiply that times 1000s of employees. It’s insane. So if you want to know the cost, what it takes not to be smart enough to do this stuff proactively consider what the cost of a penetration test twice a year might be compared to costing 1000s of employees an hour plus a day. All right, well, no grading and we’re not naming names. So that’s good. Where are we going next, Lauren?

Lauren Lev  
Let’s do Matt Wilson.

Matt Wilson  
I would say, for anyone tuning in, to challenge your internal stakeholders and challenge your vendors on everything, right? And I don’t mean in an adversarial way. I mean that when you go to your internal stakeholders, and you’re asking for budget dollars to do a penetration test, or some flavor of security assessment, or for new firewalls, or for new endpoint security, whatever it is, you know, challenge your internal stakeholders to really put into place that program that Laura alluded to. If this service solution widget is going to enter your environment, make sure it’s part of an overall plan that you’re driving towards, right? And so in some ways, it’s challenging yourself too. But when you’re evaluating vendors, you know, challenge them to differentiate when you look at what is a penetration test. I often say to clients, we’re all going to say roughly the same thing, so there’s only so many ways you can say we do active reconnaissance and passive reconnaissance, and then we do this and then we do that. And then maybe that’s what, you know, we’re all gonna call it an external penetration test or internal penetration. So, really challenge your vendors to differentiate while understanding that you’re going to hear a lot of the same things and be willing to take more than just “we have the best people” because if everyone says they have the best people, that can’t be true, right? I really believe in our team and I feel they’re tremendous. But Ivan’s going to believe in his team, Laura is going to believe in her team. So we can all have the best team, we have to do better as vendors when we’re differentiating. And that’s a nice segue into, you know, Matt, you said, why work with Netrix? Again, I think there’s healthy competition out there. I don’t ever try to put down any other vendors. So please don’t interpret this as me doing so. 
But I do think we bring a unique perspective as both offense and defense because we do security monitoring, we bring the strategy side to the information security realm, because we do VC so but we bring more of a technologists approach to information security, like what I call the real security, because we can live in that ideal world of the InfoSec leaves that I am. But that has to translate to the business reality. So we have VCIO services just as an example of that strategy that has to extend beyond the security realm. So when you’re talking, fixing things, you want to bring solutions to bear, the greater Netrix team can do that across technology platforms. You know, we don’t need to name all the names. But as a solutions integrator, there’s a lot that we can bring to the remediation side and a good understanding of when we make a recommendation, what that’s going to translate to you and your organization practically.

Matt Tankersley  
Well, Ivan, final thoughts?

Ivan Paynter  
Final thoughts, there’s so much to say here. The first thing I want to make sure I cover is that you should always use multiple organizations to do your pen test. So if you’re comfortable with an organization, and you have a managed security service, don’t have them do your pen test. Get a third party because they don’t know your network. So you know, the two other organizations we have here, just like Laura and Wilson said- I like Wilson. I think that’s a cool name. That’s where- and RCS too, just spread the love. Okay, simply for the fact that some other people are going to have different visions of your environment and really understand it. That’s the first thing I want to hit on. You know, why RCS Secure? I always go back to the same thing that anybody asks me. You know, I’ve been doing this for a long time. I was with my previous company, which I adored, for three and a half years. But I had a lot of different offers and could have gone to a lot of different places. I went here, because they’re agile, and they’re able to move and they grow and they’re strong, but they listen. And I know we all organizations do. But the ones that I’ve worked with in the past, this is what I felt the strongest about, plus they give back. And that was another big thing. Let’s not get comfortable with where we are ever with cybersecurity. That’s why there are no cybersecurity experts. There’s a lot of people with a lot of knowledge. I believe that you know, Laura and Matt both contain a great deal. We never are experts, because it’s changing every minute, if not every second. I think Laura said it earlier on. Hackers have all day long and all night long and months and years to do what they want to do. We’ve got the opportunity to do it right one time. That’s it. And if you miss the ball, you’re owned and believe me, it’s going to be really hard to get them out. And I’ve seen this firsthand. There’s a lot of organizations that are like that. 
There’s so much I could go into, but the last thing that I want to leave everybody with is the mindset of don’t sit on your butt. It’s just like the older Matt said and wait for it to occur, because you’re going to spend so much more money. Get freakin’ active now, do something now because if you don’t, nobody will. I’ve lived with my wife for 22 years, she’s run this company for 18 of them. Two and a half years ago, I got the phone call when I was in Vegas, we’ve been hit. When a half a million dollars goes missing out of a small organization. It’s painful, okay. They’re the company that believed they would never get hit. Nobody wants anything with a granted company. They don’t care what your company does. They’re going to get you to understand it’s no longer “well if that happens…”. No, it’s going to happen. Take some action, have an assessment done, get a penetration done, talk to your security professional. That’s what this video-blog is all about. Call Lauren, call Matt, I don’t care, call Ghostbusters. Get active, okay? Don’t sit there and think, “This is funny. That was a cool video and there goes Ivan again.” You’ve got to take action and then double check your action. Make sure that those folks that you hire are doing their job correctly. That is going to be the bottom line. Because if you don’t do it now, if you don’t buy the Chevy now, you’re buying the Rolls Royce later. Okay?

Matt Tankersley  
Fabulous exit, guys. Wonderful job. And I’ll tell you one resounding thing I heard today. And Lauren, if I rewind to Episode One on Security Awareness Training, we said the same thing then for the same reasons. Cybersecurity, culture, philosophy has to start at the top. If you’re a business owner, if you’re an executive and cybersecurity isn’t at the forefront of your thought process that you are pushing down to your culture, every employee in every department about being aware of what phishing is, and what spam is, and what Spear Phishing is, and how to spot someone looking over your shoulder and all of that good stuff- Now, we’re all the way fast forwarded to Episode 18: Penetration Testing and I’m hearing the same things. You guys, business owners and leaders, you have to be thinking about this stuff proactively. And if you’re not taking measures, especially if you’re not taking measures, at least go get a test. You know where you can get serious about your cybersecurity. Lauren, close us out and tell folks about how they can get some more information about these organizations and plug in.

Lauren Lev  
All right. To start a free trial from any of these solution partners, send an email to and sign up for our free cybersecurity risk assessment at WhosInYour.Cloud. Next week, we’re welcoming back some familiar faces as we switch gears discussing compliance discovery and documentation in Episode 19. We’ll be discussing the need to back and maintain your critical certifications and respond to cycles of compliance reporting and potential litigation. Until next time, see you later, everybody!

Ready for your free cybersecurity survey? Discover potential vulnerabilities for your business and get a copy of our #TOPcyber21 Best Security Practices to help get you started on the road to #secure, reliable, trusted technology! Subscribe to our blog to get episodes of “Who’s In Your Cloud?” delivered direct to your inbox weekly.
Claim Your Free Cybersecurity Survey