Things You're Doing Wrong to Keep Your Data Safe

Listen to learn about the essentials to keep your personal data safe.

SecurityMetrics Podcast | 61

"A lot of people think they're doing all the right things to keep their data safe. However, there are things I see constantly that people are doing wrong, or not doing at all, to properly keep their data secure."

Your personal data that exists online is vast and private. Should a hacker steal your data, you could lose emails, hard drives, bank accounts, or even your business.

Noah Pack (Threat Hunter/SOC Analyst, Security+, ITF+, Sophos Certified Engineer) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to give you the essentials to keep your personal data safe.

Listen to learn:

  • Essentials to keep data safe
  • How to help employees that are easily phished
  • Keeping a secure business beyond PCI compliance

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Things You're Doing Wrong to Keep Your Data Safe

Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Super stoked to have with me once again, Noah.


Noah, tell us about yourself. For the I know that a lot of, of the our followers and listeners know who you are because you've been on this podcast before, and you have your own podcast with SecurityMetrics. But for people who might be joining us for the very first time today, welcome if you are. Tell us about yourself.


Thanks for the introduction, Jen. So my name is Noah Pack. I work in the threat intelligence center here at SecurityMetrics and I'm a threat hunter.


So I look for evidence that hackers have made it into our client networks and work to cut off that access and fix any vulnerabilities, stop bad guys from getting in in the future.


I love that. And, you know, so every week, you guys don't get to hear it. But internally, we get to hear about the threat to other activities and all of the things that they find for our customers because we have a managed SOC. Is that what we call it? Managed SOC? Yeah.


So it's, you know, people who can't who are small and can't afford it or don't or choose to offload that to somebody else. That's one of the things that we do here at SecurityMetrics, and and, Noah is one of the people that gets to do that. I think it's super cool. So, thank you for being here. I want you to tell everybody about the topic too.


Thanks so much for having me. So, the topic we're gonna talk about today is things you might be doing wrong to keep your data safe.


And a lot of people think they're doing all the right things, but there are things I see commonly that they're doing wrong or they forget to do or miss or something like that. So I think this is gonna be a good conversation. Let's kick it off with what's your first one? What do you wanna start with?


Something that our listeners can apply to their online shopping.


Oh, this is such a good topic because we are if you're, you know, listening in real time kind of, you know, we're heading right into shopping season. Right?


Right.


Black Friday's right around the corner.


Coming up.


And then, you know, all of the Christmas things and all of the other holidays in that are that are part of that. So tell us what people are are going to run into that's not good.


Yeah. So when I'm shopping online, I would make sure that the website you're looking at is using HTTPS instead of HTTP.


And then I would also, if it's a smaller website, use kind of a throwaway credit card, debit card.


So most of the people who are listening today are like, yeah, I got it. I can tell whether it's HTTPS or not. Right. For the people who can't, give us a quick overview of what that is and how to find out.


So HTTP is hypertext transfer protocol.


Oh, that's it.


Which is kind of how the web works, going to a website. And then HTTPS, that S is, I think, just secure. Secure. Yeah. So there you go. A little bit self-explanatory, but the HTTPS is encrypted so that somebody who intercepts your web traffic can't see exactly what you've done online.


Is there a quick visual people can use to know whether that's in place or not?


Yeah. Up at the search bar at the top of your browser, you should be able to click on the URL and see if it says HTTP or HTTPS.


Mhmm.


Some browsers do kind of get rid of that and instead you see a little lock icon. Yeah.


If it's HTTPS and then some other browsers, when you go to a website that's HTTP Mhmm.


It might stop you and give you a warning page Right. That says, proceed with caution.


Advanced.


Right. Yeah. You have to click advanced.


And you're like, oh, oh, no. How am I advanced enough to use this? Okay. Here's the kind of freak I am. If I'm using a website that I'm I don't know very well, I'll actually run it through SSL Labs first.


Yeah. I do the same thing. I have a whole slew of website vulnerability scanners. I'll, like, put the websites through to make sure, like, is this somewhere I wanna send my money?


And you guys can do this too. There are free online scanners that will tell you kind of the security stance of the website you're looking at. And and part of me thinks it's funny to go. Like Oh, yeah.


I just wanna know. And but the other part of me is like, how real is this site? Anybody can throw a site up. Right?


And so I'll I'll look at reviews and I'll look at, you know, try and do some intelligence gathering. What it looks a little suspect before I jump into it.


So Oh, yeah.


And a little personal story is that I was shopping for some parts for my, four wheel drive vehicle. Mhmm. So I was looking for some off road suspension and some pieces that will help me out there.


Mhmm.


And there's one website that a ton of people recommended. So I went to the website and I was going to go order some custom fabricated pieces from them, but the website looked pretty old. It looked like it had been made maybe ten years ago.


Oh.


So I thought, oh, okay. They probably have some unpatched vulnerabilities.


Yeah.


I threw that website in some vulnerability scanners Mhmm. And it came back with sixty four critical vulnerabilities.


So you gave me your credit card? No.


So I I'm looking for a reseller of their, parts, but I'll probably end up emailing the person who manages the website because there was a contact us page. And I'll let them know kind of what I found and offer some Well, and it's a really good point too because especially, on those specialty hard to find or very popular items, there's shortages everywhere right now.


So that gives a really good endpoint for these scammers to set up a fake website and take your money.


Oh, yeah.


Because you're like, oh, I found a place that has this very special game that I want that you can't find anywhere, but that's not true. So you have to be really careful that the the reputation of the site you're going to, but also the, like you said, the vulnerabilities. Mhmm. So that is a really good one. Okay. Give me another one.


Yeah. Oh, well, going off that one, you can also use services. I think there's one called privacy card.


Oh, okay.


And it allows you to essentially make a burner debit card.


Right.


So you can set, exact spending limit and then as soon as you spend that money, the card just disappears and doesn't work anymore. Yeah. So if your credit card is stolen by some sketchy website, there's really nothing that can happen about it.


So if you're like, I really wanna roll the dice on this, but I don't wanna roll the dice on all the whole thing.


Right.


Yeah. Get a burner card.


For sure. Yeah.


What's an what's another good one?


Security through obscurity. So you might have heard this phrase before, but it essentially means not really securing what you're doing online, but or with your network or your hardware, but kind of hiding the vulnerabilities.


So, I guess you could say this is akin to putting the key to your house underneath the mat instead of Yeah. Leaving it inside the lock.


Yep. I just sold my house. Yeah. And the real estate agent said I said, how do we transfer this key over to the next person? Oh, just put it under the mat. I'm like, because nobody knows that that's what everybody does.


That's insane.


But also to look.


It's the first place to look. But but also that's what a lot of people do. And in in cybersecurity, sometimes people think because other peep because they don't know something that other people don't know as well or or because they think they're renaming a server.


Let let me rename this to something, you know, kind of obscure and so nobody will be Oh, yeah.


Go look at it. Well, that's not that's not how people go and hack things anyway. They're gonna look for services. So, so so one of the things that the people need to do is is really trust that what they're setting up is good security, not just kind of trying to hide things.


Right. So in the security operation center, we have clients that are getting a variety of services from the from us. Mhmm. Some of them, we're managing their endpoints and their firewall, and we have vulnerability scans going and we're doing their compliance and kind of everything.


Yeah. But then other clients were just doing their vulnerability scans and maybe collecting logs from their firewall because that's what best fits them. Yeah. But sometimes we'll find that they've exposed SSH or RDP, which are ways to remotely access a computer on their firewall for the whole internet to see.


Yeah.


But they think like, oh, we'll hide it by putting it on port On a different port?


Yeah. By putting it on port four thousand or something instead of twenty two or three three eight nine. We see it because we see their logs.


Mhmm.


So we see that, the threat actors, the bad guys are, they find it within maybe thirty minutes and then they're trying to brute force their way in.


Yeah.


And we let the client know and the client's IT person might say something like, Oh, I never thought anybody would find that. But the truth is that these threat actors, they have more resources than us. Yeah. There's way more of them than there is of us.


And so they, they find it. Plus it's automation. Right. They have programs that are out there looking for misconfigurations and automatically hacking into them.


Yeah. And so, just because you don't know something or you think something is hard does not mean that applies to everyone. And I find that that sometimes we see that in groups where, you know, you have just enough knowledge to not know what you don't know before you actually know all of the things. That that's a that's an area where people will often make this specific mistake of Yeah.


Trying to obscure things rather than actually secure them. Yeah. This episode is brought to you by SecurityMetrics Shopping Cart Monitor Inspect. It's a revolutionary new product that can help you detect any problems with your shopping cart security, allowing you to effectively improve your ecommerce security.


Here's what I know about it. A lot of times people say, well, hey. I am PCI compliant because I passed my SAQ A. Great.


You're missing most of the things that people are actually stealing information from right now. Shopping Cart Monitor was created to actually close those gaps and help you against things like Magecart and other known ecommerce issues. To learn more about this shopping cart monitor, head to our website www.securitymetrics.com/shopping-cart-monitor. Give me another one.


What what else are people doing that probably they is the wrong way to secure things?


One thing that I've heard of a lot lately is ridiculous password requirements.


So some companies might think, oh, you need to have a capital letter, a lowercase letter, two Egyptian hieroglyphs, nine numbers, a Roman numeral, and your cat's birthday inside your password in order for it to be secure. Yeah. And the truth is that, yeah, that can make it harder to brute force your password, but having a longer password is usually much better than having a shorter password.


Absolutely.


And then also having multi factor authentication is much better than even having a super complicated password.


Right. So multifactor authentication is, there are a lot of misconceptions just about multifactor authentication. Maybe we could talk about a few of those things. But, one of the things that I hear a lot is, it slows me down too much. And people don't wanna do it because they it slows them down. And so what is your what is your response to that that's slowing me down on my work?


Do you not buckle your seat belt because it slows you down too much getting in your car? I mean, that that's kind of my opinion. Like, maybe it does slow you down.


Do you not yeah. Do you not lock your door when you get home? Right.


Yeah.


Oh, it takes an extra two seconds, but Yeah.


Yeah.


That's gonna give you a lot more peace of mind Yep.


And a lot more security.


But some people do, multifactor kind of wrong. Like Right. They confuse two steps with multifactor.


So maybe, talk a little bit. What is actually multi what does it even mean? What are factors?


So the factors would be something you have, something you are, and something you know.


Right.


So something you know would be your username and password.


And here's where that two step is kind of a confusion. Right? So people who put in two step passwords, so it's a username password and then another password.


That's just two steps.


That's a single factor.


Yeah. Single factors. Two things you know that is not multifactor.


Alright? Exactly right. And then something you have could be your phone with the Duo app or Google Authenticator app or even one of those little keys that you plug into your computer.


Right.


Like a Titan key. And then there's also things that you are. Yes. And that could be a fingerprint scan or in your face ID to unlock your phone.


Right. Exactly. So, it it's, it's three different things, not multiple passwords, is the really big issue that I see a lot of times. And and that's not real multifactor and it's easy to to, get past.


Oh, yeah. Having your mother's maiden name and your username and password, that's single factor. Yeah. And that information is pretty freely available.


Oh, yeah. For sure.


Just look at what happened to Sarah Palin. Her Yahoo account was hacked into because the backup password was what was the name of the high school you went to.


Oh, yeah.


So the person went on Wikipedia, found it, got into her email.


Public knowledge. Yeah. Yeah. Why would anybody do that as a as a secure factor? That's that doesn't make any sense at all.


And if a website does make you put your mother's maiden name or your first pet's name, the street you grew up on Yeah.


I would recommend putting something random. Yeah. And not what the answer actually is.


I have a whole set of things that are my full my full knowledge base of myself Yeah. Because just for that reason because everybody can look up, you know, what my birth date was. Right. That's very common for everyone to know, especially especially since the era of Facebook and everybody puts all of their personal knowledge there.


And even if you remove your birthday from Facebook, people will still post on your Yep.


Timeline. There's the historical posts on your timeline that anybody can look at and figure out when that is.


Yeah. Your friends will always out you. Thanks, friends.


Yep.


Alright. What's next?


Another thing that I've seen a lot lately is not segmenting your network.


Alright. Let's talk about that a little bit about what segmentation means and then and why why it's important.


Yeah. So segmentation is like breaking up one big room into a bunch of smaller rooms.


Right.


So if you think of that in cybersecurity and in networking, that could be maybe you have one wifi network for your entire house or for your business and it's called Jen's wifi.


Yeah. And now everybody knows.


And now everyone knows. But if you want to segment it, you could make a separate one that's like Jen's guest wifi.


Yeah.


And that way, if an infected device is on Jen's guest wifi, it can't get into your desktop computer that has your banking information and your Social Security number and everything.


Right. And internally, there's sometimes I'll run into a group that says they say, yes, we've segmented our network. What they really mean is they do have a bunch of different VLANs and VLANing is just a technical way of, you know, separating out into those rooms.


So when you hear VLAN, just think a segment of the network. But all of the VLANs can talk to each other.


And and so that's not segmentation in I mean, it might be just a way to to support it from an like an IT or operational perspective. But from a security perspective, if everything can talk to everything else, that's still a flat network. That's still everything can all the bad stuff can get everywhere. So really you take segmentation and you say, alright, this this VLAN is has all of the jewels and can only be spoken to by this device in this VLAN using this particular protocol. Also, if anything else happens, we're gonna get some kind of a an alert happening. Right? So it's a really good way to know what's happening where if you segment correctly.


But it's not just like breaking it up to different named things. Right?


Yep. Breaking it up to different name differently named things that could just be security through obscurity.


Exactly. Right? Yeah.


But you've got to have those rules, like you said, preventing one device from talking to another device. Yeah. That way your credit card processing machines aren't talking to the guest who came into the coffee shop.


Yeah. You know? Good point. Alright. What else?


Another thing is knowing what is on your network.


Oh, but that's really hard.


I know it can be hard. Time. Nobody likes documentation.


Oh, yeah. These are some of the things people tell me.


Oh, I've heard them all too.


So knowing what's on your network, why is that important?


Well, if you don't know what you have, you don't know what you need to secure.


Exactly.


And different things are secured in different ways. Right? So, there are both passive and active ways to scan your network and find things that are on it. There's also manual ways.


If you're, you know, a smaller organization, there's lots of different ways to find that out. But if you don't know, how do you know you have not had a breach if you don't have enough tooling in place to tell you? Yeah. Exactly.


It's it's one of those those, kinda head in the sand things. Well, we don't know.


You might have had a database server compromised that has all your customer's records since the company was founded, but you don't even know you have that database server Yeah. Because it's plugged in underneath the stairs and the basement and it's covered in dust.


We don't use that anymore.


Yeah. And Bill said don't, don't unplug it because something will break. So you just leave it and there's some weird blinking lights on there.


And then Bill left the company, and who even knows what's going on? Okay. Those are some really good ones. Okay. Give me one more thing what you're doing wrong.


Thinking that once something is set up, it's just good to go.


So with your WiFi router, you might plug it in originally and your WiFi works and every device is connected and then every memory of your WiFi router just slips right out of your head and you never think about it ever again because it just sits behind the TV and everything just works. Right?


Yeah. Until it doesn't.


Until it doesn't or until it gets hacked. Yeah. So you've gotta update stuff. Mhmm. You've gotta keep all your devices patched.


If you have a website for your business Yeah.


You've gotta be updating everything in relation to that website. One thing so I've talked to a lot of freelance web developers, some of my friends, and they've said that it's pretty common for a business to hire them to make a website. And then they say, okay, contact me again in this amount of time and I'll come back in and maintain it, update things for you. And And the customer's like, no. I don't need that. It works.


Yeah.


It's like, oh, are you kidding me? Like Probably not the best way to approach it.


Hey. I wanna talk about maybe some some myths about cybersecurity that are kind of related to things people are doing wrong. They hear these myths, and so when they believe them, then they do things wrong. So I'm gonna give you a topic. You tell me the the related myth.


Okay.


Okay. First topic. Security awareness training.


So research has shown that not many people pay attention during security awareness training.


What? I know. Right?


So, because the myth is everybody takes training.


And it's supposed to protect the company.


Right? And it'll stop the the phishing, which is the big thing. Right? Yeah. So tell me about that.


So no amount of watching videos and doing questionnaires will prevent emails from landing in your inbox. Yeah. The intention is to prevent you from clicking on those emails.


Mhmm.


But I found this article and maybe we can link it if some listeners ask, but I think it said thirty six percent of people actually pay attention during security awareness training.


Yeah. I barely pay attention when I'm giving it. Yeah. I know it's why it's because it's the human nature. Right?


Oh, yeah.


Yeah.


We're thinking about everything but what we're doing in the moment. And, and and that's that's not good because here companies are trying to put they're putting time and money, resources towards training people if it's not sticking.


What do we do? What works better than security awareness training?


So one thing that I would recommend is upgrading your security in other areas. So having a good email spam filter and having warnings.


Depending on who your email provider is, you can set up a warning.


So when someone gets an email from outside of your organization, they get this big yellow banner that says warning this email is from an untrusted person outside your organization. Do not click any attachments or give them your data.


Yeah.


So I'd recommend that and then also endpoint security.


Mhmm.


So securing the computer that would click on the bad thing.


Yeah. You know, there's there's some companies where where and and I find it's the people who are often kind of the busiest and most helpful. They they really are motivated by good things are the ones who fail the phishing training most often, who they're the you know, they're always gonna be that clicker in the organization because they think they're doing the right thing, and they're trying to do good work, and they're trying to be helpful. And so they'll click on the things.


And there are a couple of companies where I've I've told them, look, you you have a valuable person there that you wanna keep be part of your company, but you also know that they are potentially putting you at risk. What else do you think you could do for that specific person? And so in some cases, they have put so that that person is not actually allowed to click on things. It actually strips out the, URLs from their email specifically.


So that individual is targeted as someone who is potentially high risk and has to go find a different way to get that information rather than clicking through a link.


Yeah. That's a great idea.


Yeah. So kinda, you know, the the more you can do it starts with kind of a risk assessment. Right? Right. So you don't wanna do this this, you know, big blast kinda thing for everyone, especially because of the potential impact to your business.


Right.


So, you know, you're kinda weighing and saying who needs what and how can we protect it from the individual. The better our tools get, the better security tools get, the more you can granularize it to people who kinda need that little extra support from a tool perspective.


Yeah.


And they might still be a super valuable employee like you were saying.


Absolutely.


So you wanna keep them on. Yeah. So you you just find a way. Yeah. You find a way to secure their computer extra and add additional spam filtering maybe to their email.


Exactly. Okay. I'm gonna give you another topic. You tell me what the myth is regarding this. Incognito mode.


Oh, yeah. So you've probably seen maybe you've used incognito mode in your web browser.


And once you do it, you open up your new tab in incognito mode. Mhmm. There's a little icon of a spy and it switches to dark mode, you know, which is always more secure.


Absolutely. That's, well, that's the myth, isn't it?


Exactly.


But but what is it really? So incognito mode is just stopping cookies from being saved Yeah.


Which are tiny files that save data about where you've been on the Internet.


Mhmm.


And advertisers use those to sell things to you with more targeted ads. Incognito mode also stops your passwords and your information from auto filling.


Yeah.


But incognito mode isn't going to stop your credit card number from being stolen by the website that's been hacked Yeah. That you go to. Incognito mode isn't gonna prevent you from downloading that piece of malware.


Yeah.


And You know what else? It's not gonna prevent your ISP from seeing that traffic of where you're going. It's not even gonna prevent your if you're at your company and you're doing something sketchy, and you're like, oh, totally. I'll just do it in incognito mode. Is that fooling anyone?


Oh, no. No. Your security team, they can see what websites you're going to.


They know.


There's still DNS. So they can see exactly what websites you're trying to go to.


They know and they judge.


I know I do.


So that's a good one.


Do you know a lot of people don't know that?


Oh, yeah.


So make better choices now that you know that.


And I think a feeding thing to that is that there's all these ads on YouTube for VPNs where they say, stay secure online, use freevpn dot com.


And I highly recommend against using those services. Yeah.


Because if the product is free, you are the product.


Yep. Yes.


So they might claim that they're making you private and secure, but a VPN also isn't gonna stop you from downloading malware.


Yeah.


What it is going to do is prevent your Internet service provider from seeing what websites you go to. Yeah. But then the VPN is kinda taking on that role and they're reselling your browsing habits Right. And your data to advertisers.


So you want one that is a paid service Right. That has been third party verified to not collect logs, to not all of the things that can identify what you're doing, because it's nobody's business.


Exactly.


And so if you're using a VPN to to keep you yourself and your activities private, I don't want anybody to know just how many toothbrushes I buy in a year and where Do you buy a lot?


Who doesn't? Right?


No. Whatever it is, you know, if you if you have, you know, that level of of privacy protection that you want, it's it's worth paying for, I think. Alright. Here's another one, and this is a big push for SecurityMetrics.


Tell me about the myth related to compliance.


Oh, so I've heard from many, people, like, oh, we don't need to worry about security. We're compliant.


We Yeah.


What? Yeah. Yeah.


And, you know, the other one is how many people are, like, you know, they were compliant with this standard or they're compliant and they still got hacked, yada yada. Well, this is important because the myth is that if you're compliant, you're secure, but we never ever want someone to have a false sense of security. Right. And so even when we're doing compliance activities at SecurityMetrics, I can tell you that security is put in the forefront, and then we look at how it relates to compliance. And so when people are are going through compliance, what's a good way for them to know if they're also secure?


One great way is a pen test.


Oh, for sure. Yeah.


So you can have your compliance assessment where someone like you comes in and checks all the boxes, make sure everything's set up in accordance to the standards that they have to follow. Yeah. And then you could also hire SecurityMetrics or another company to do a penetration test, which is where ethical hackers will take on the role as adversaries and they'll try to hack into your business and see what access they can get. Yeah.


And even if you're perfectly compliant Mhmm. Those pen testers, those ethical hackers, they might still be successful Yeah.


And get in. And I'd venture that our team, like, they will be successful.


They're almost always really good.


They've, like, they've won competitions at Defcon and things.


I mean Oh, yeah.


So I when I have people say to me, who do you recommend for your pen test? I'm like, depends.


What is the purpose of the pen test? Are you trying to pass compliance, or are you trying to be secure? If you're trying to be secure, I can absolutely recommend our guys because they will find a way in. Oh, they will.


They always do.


But but the the thing about these compliance assessments is, they oh, for example, PCI.


There's a lot of compliance that that I personally do that's for credit card security, which is PCI. Right? First, you start with your scope. There is when we're doing a PCI assessment, you've got the entire environment of an organization, and then you've got their PCI environment.


If I'm doing a PCI assessment, guess what security I'm not looking at? Everything else. Right? And so I have actually had, companies well, one.


I had one company that I finished their PCI compliance for just their ecommerce. I didn't even do their other PCI pieces, And they had a breach. And when we had the conversation, they said, but it didn't touch the PCI environment. I said, I know.


Because guess what? We cared about security in your in your PCI environment. But there was a part of that conversation that we had where we said, this only looks at your PCI environment and not the rest. The rest is your responsibility.


And and yet I still feel bad enough about I don't want people to so they're actually really, really good because they they finally got it. They're like, oh, oh, it's not just compliance. I have to actually care about security. And so they broadened everything to to a much more comprehensive, program, which is awesome.


But but one of the takeaways I took from that was I need to use stronger language when I talk to people, and they bring me in for a compliance assessment and not assume that they just care about that compliance environment or that they even understand what they're asking for. So you look at compliance, and and this is something that I recommend all organizations to do is if you have someone to come in and look at compliance in a certain area, great. But then you need to ask yourself who's looking at the other pieces. If you don't have a third party with eyes on all of your environment the way you have to for some of your compliance environments, chances are good you're not seeing things.


And so that's a that's a very serious pounding the table conversation that I try and have with with everyone so that they know exactly what's being missed when we do compliance.


Yeah. That's a really good thing to add in.


I got really excited about that topic. Sorry.


Because it's just so important. I want people to be secure, not just compliant.


It really is. Yeah.


Alright. What's one of your favorite myths?


I like the myth that every hack is targeted.


So you see in the news, Sony was hacked by North Korea. So, obviously, North Korea is targeting Sony.


It was over like that movie that came in.


Yeah. Exactly.


And you might think that way about other, or maybe all, hacking that some group of shady individuals and hoodies and a dimly lit room is getting together and they're like, we're gonna hack Jimmy's ice cream shop today.


That ice cream shop on Main Street, yeah, they're going down. But that's not the way that it is. Yeah.


And so, Jimmy's ice cream shop is like, I don't have anything hackable. Right. So they they actually take on that myth and don't secure themselves because they think it's always targeted, but it's not.


Right. Yeah. So they might not know it, but thousands, maybe tens of thousands or hundreds of thousands of threat actors, evil hackers out there are just scanning the Internet, looking for systems and networks that are vulnerable.


And then they have automated scripts set up to hack into those businesses and those machines and start stealing or breaking things, putting out ransomware.


They don't even have to point it anywhere. It's just off it goes into the wild blue Internet.


Right. Spray and pray.


Mhmm. And that sure gathers in a lot of targets. Yeah. Well, this has been really fun talking to you. Before we, end our conversation today, was there anything else you wanted to to add before we close?


Well, I do wanna shout out the SecurityMetrics news, which I host with my boss, Matthew Heffelfinger Heff. So tune into that. It's, also put on all the same podcasting platforms and on YouTube.


Absolutely. So I wanna encourage everyone, go and check out the news. If you haven't already, it's it's fantastic. Plus, we have a really good back catalog. We are just almost wrapping up three years of this podcast. I can't believe we've done this for three years. It's exciting.


And we're gonna be launching into the fourth year pretty soon. So if you have ideas, if you have requests, reach out. We'd love to hear from you. Well, thanks again for joining us for me and for Noah.


Take care. See you again next time. Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left.


If you prefer to listen to this podcast, it's available on all your favorite podcast platforms.


See you on the slopes.
