 Security is a team sport. A lot of people don't like hearing that. A lot of people have this weird view of security of they can't tell you and the obscurity by which they do things is their version of security. That doesn't work in practice. And the reality is we're all in this together. That's why it's a team sport. And what I mean by that, even if we compete, you as a person watching this and we are both IT providers competing for the same client because of our common geography or common, you know, verticals that we're going after, I believe we have a common enemy. Therefore, we have to be on the same team when it comes to security, sharing Intel, sharing knowledge, because our ultimate goal is to protect our clients from these threats. Now, in the early days of IT, and I've been working in IT for over 22 years now, yeah, I spent more time just fixing general computer failures and computers have become more reliable. The threat model changes all the time. And the current threat here in 2019 has specifically been ransomware, but overall, it's bad actors actively going against the MSPs. Why are they attacking us? What did we do, right? Well, we have keys to the kingdom. We have keys to many, many kingdoms. And it's a scaling thing. So if you want to be a bad actor who attacks a company who leverages ransomware to make profit from this illegal enterprise and they run it like a business, they have an entire staff, they have an entire process procedures are actually quite talented and quite good. They're not just amateurs in their basement. As people like to maybe portray them, these are very sophisticated bad actors. So how do you scale that business? Well, it's really easy. You attack these service providers, the service riders, us, for example, we have access to thousands of computers, lots of passwords, all kinds of fun stuff in our infrastructure that would allow them to attack a multitude of targets all at once. And we're seeing this played out very constantly right now. And I contacted, well, it was contacted by I should say, one of dental offices caught up in this entire dentist office ransomware that was hit. And it sounded like the typical thing. They attacked the service provider. And by leveraging a service provider who had about 400 dental offices, they were able to get into all those dental offices. They did a video on this before. But how did this happen? Well, the same way this one happened over here. So this is a post over on Reddit that says my daddos were broken into. And what did they do? They got in there, they leveraged access to this service rider, deleted their backups, then deployed the ransomware because a lot of people are saying but I have backups of all this stuff. And this isn't the same as when a user an end user a client clicks on ransomware and you have to restore their infrastructure. That's a different scenario. This is a scenario where the tools we use are compromised and used against us. So the tools we use are very powerful. They have full unfettered access to these systems. As in the RMM tools such as solar winds or connect wise control any of these different tools that we have embedded upon the client systems are very powerful. They're make my life so much easier it allows us to manage computers at scale. So if I have a program that I need deployed on 1000 computers, I can deploy that program on 1000 computers. If I need an update pushed, whatever I need done, this allows me to orchestrate that. That means I have to make protecting that the top priority because this is how the ransomware was deployed at scale. They gain access to that said tool, whatever that tool may be and they like to criticize and so far. And I've talked to some of the breach teams. I've talked to people. So far, none of these compromises were due to a failure on the part of the tooling company. It was not a flaw found in their tool. It was not a flaw found in the system by which that allowed them to get in. It was also very basic problems. And in the case of the data one, the person was very forthcoming, which I'm very thankful for. And that is a team player and security. They got breached, they're giving a debrief on everything they know and how it happened. This is how we can look at ways that it could happen to other service riders. What happened was no two factor authentication. There's your first problem. Second part was left things open so people could get into it. Now that's the part that's a little fuzzy because they're still trying to figure it out. But this is not uncommon with these other places. Not having a two factor. If you have 100 users and 99 of them have two factor, all it takes is one of them. Now the other thing we've learned from some of these other breaches is one, you have to be right all the time with security, but two, these breaches are having for some really basic problems. One of them is password reuse. We know it's happening. I don't know why but I meet IT people. I meet other people in my industry that don't believe in password managers. They think just it's fine. I have a complicated password. I said, Yeah, but you're using that same complicated password. You're like, Yeah, but I add two letters of the website. They come up with these convoluted answers of how they managed to have a slightly very slightly different password on each website. The problem is on each one of these logins, if one of these companies is cracked, they then spread to all of them. It's just not an effective method. You need a very long high entropy random gibberish password that is hard for you to remember. How do you manage that? You use things like last pass, one password, both of those are zero trust systems that only you have a master password that unlocks all the high entropy passwords. That's how you prevent the password reuse. Second, turn on two factor. That is just I every one of these that I've read lately has been Oh, yeah, we found out which user was breached. And it's also the person who didn't have two factor. And this is just ridiculousness, like there's not a reason not to turn this out. And so if you don't have it turned on, stop watching this video right now and go turn it on. It sounds like based on some of the reading I've done some companies and I don't know because I don't use data, they will allow you to turn it on but they don't have like an easier audit list unless you contact them. And people get busy and they don't want to contact support or ask them like this. I'm sure this will come out of here as I know the CISO data has been commenting on this particular Reddit thread, and we'll probably say Oh yeah, we're going to make that a little bit easier. But this is huge. Like for example, we use solar winds full disclosure, we can't turn off two factor, not even an option solar winds made it absolutely mandatory. We were using it before it was mandatory, but I'm so happy that they made this change. So it's like a force thing. Some of these basics just covering these basics will prevent the majority of these attacks that we've seen lately. Stopper using passwords, turn on two factor couple other things you can do is always remember principle of least privilege and make sure that you don't have any more privileges than your particular users need to get the job done. And maybe they don't regularly log in with an admin user, they log in with a general user that gets the job done. And if they need to load software, they have a more privileged user, always be auditing always be thinking about that. And just watch any system and if you can turn it on so the option goes away so they can't do something without two factor, all the better. A lot of systems support that. We use systems that do we have some that don't but we force it on anyways as a policy of our users, they can't turn it off matter of fact, you know, in for example, in the dental offices, the connectwise control software was used and undoubtedly we don't have verification of this. There was no two factor sounds like a reuse password problem again. And without two factor, the person was able to walk right in, take control and own their systems. We don't want to see this happening to anyone, especially service providers, you don't work hard to build up a 400 client base to lose it all with a minor mistake. I think, you know, feel terrible for that particular company. But these are things that we need to be aware of. We need to be aware of the risk. We have to be mitigating those risks all the time. Security is not perfect. But you don't have to make it easy for them. And remember, security is a team sport. It's a great to do these debriefs. It's great for me to share this knowledge. I'm not trying to keep anything proprietary away from anyone. Please, if you're a search writer, this is not anything, they're not selling anything. Just turn this on. Quit using these passwords, quit your fear of password management tools such as LastPass or OnePassword. I know it wardens out there too. It's an open source one. I haven't really used it. But all three of those work on that same zero trust policy, and they will make you substantially more secure because we know password reuse is a problem. It's been a problem for a long time. It should not be a problem for people that claim to be caring about Infosac or security. So please take the time to audit, take the time to look at this and don't become one of the statistics that I end up talking about. Thanks. And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to laurancesystems.com fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.laurancesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general, even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.