Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall
 

 

Episode #75 - Off the Cuff Rants of The Week!

This week, the guys discuss some cybersecurity trends, tips, and words to the wise that are timely and relevant in today's technology-centric world! They discuss: 

  • Are attacks ramping up and if so, why?
  • The pros and cons of spending your cybersecurity budget on Black Hat and DefCon
  • Why you need specific objectives in your penetration testing, not just the numbers
  • The wrong and right way to establish vendor relationships
  • And more! 

Get the show notes and articles at www.CyberRantsPodcast.com
Pick up your copy of Cyber Rants on Amazon.
Need cybersecurity expertise and support? Visit us at www.SilentSector.com
Be sure to rate the podcast, leave us a review, and subscribe!

 

TOP 11 MALWARE STRAINS TO BE CONCERNED ABOUT

Chinese Hackers Use New Windows Malware to Backdoor Govt, Defense Orgs

Vmware Warns of Public Exploit for Critical Auth Bypass Vulnerability

Slack Resets Passwords After Exposing Hashes in Invitation Links
Twitter Confirms Zero-Day Used to Expose Data of 5.4 Million Accounts
Twilio Discloses Data Breach After SMS Phishing Attack on Employees

Cloudflare Employees Also Hit by Hackers Behind Twilio Breach

Microsoft: Exchange ‘Extended Protection’ Needed to Fully Patch New Bugs

Microsoft Patches Windows Dogwalk Zero-Day Exploited in Attacks

Cisco Hacked by Yanluowang Ransomware Gang, 2.8GB Allegedly Stolen

Cisco Fixes Bug Allowing Rsa Private Key Theft on Asa, Ftd Devices

Snapchat, Amex Sites Abused in Microsoft 365 Phishing Attacks
 Three Ransomware Gangs Consecutively Attacked the Same Network
Automotive Supplier Breached by 3 Ransomware Gangs in 2 Weeks
New Dark Web Markets Claim Association With Criminal Cartels

10103417-small

Send Us Your Questions & Rants!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly embellished truths
about corporate cyber security programs we're ranting we're raving and we're
telling you the stuff that nobody talks about on their fancy website and trade show giveaways all to protect you from
cyber criminals and now here's your hosts mike rotondo zach fuller and lauro
chavez welcome to the cyber ants podcast this is your co-host zach fuller joined by
mike rotondo and laura chavez and today we have an episode where we're just gonna we're just gonna rant see where it
goes we'll look at the news first and and go from there so i'm always these are always fun conversations it's always
fun to see where they go um i would expect nothing less today so mike that said why don't you kick us off with the
news morning welcome to the news uh starting off the news ohio state plays notre dame on september 3rd at 4 o'clock
on abc so that's oh wait wait wait out there io sissa announced the top 11 malware
strains to be concerned about the list following follows sisa's april 2022 list
of the top 15 most often exploited computer vulnerabilities that cyber criminals routinely leverage to slip
into targeted computer systems the agencies listed the top malware strains of last year as agent tesla
which is an information stealer azio rolt form book er
lokibot mouse island nanocore quackbot earthquakebot remcos trickbot and
gootloader you got any of those you've got problems there's a good link to assist on how to deal with it in the article
there's just one that we forgot to list it's called the flaming gooch
chinese hackers use new windows malware to backdoor government and defense orgs uh this is primarily happening overseas
they're targeting eastern european targets but you know who going to believe that that's going to
stay there an extensive series of attacks detected in january use new windows malware called port door to
backdoor government entities and organizations of the defense industry from several countries in eastern europe
kaspersky linked the campaign with a chinese apt group tracked as ta-428 no cool name unfortunately known for its
information theft and an espionage focus and attacking organizations in asia and eastern europe the threat actors
successfully compromised the networks of dozens of targets sometimes even taking control of their entire i.t infrastructure by hijacking systems used
to manage security solutions to achieve their goal the chinese cyber spies use spear phishing emails
containing confidential information about the targeted organizations and malicious code exploiting cve 2017-11882
if you have vmware you've probably heard about this already as they sent out a big bulletin but vmware warns of a
public exploit for critical auth bypass vulnerability proof of concept
exploit code is now publicly available online for critical authentication bypass security flaw in multiple vmware
products that enables attackers to gain admin privileges a week ago vmware released updates to address the
vulnerability which is cve 2022-31656
affecting vmware workspace one access identifi identity manager and v realized
automation multiple other flaws were packed that same day including a high seek severity
sequel injection flaw that will allow remote actions to attackers to gain remote execution today a vmware
confirmation code that can also exploit cbe 2022 31656 and twenty twenty two
three one six five nine so long story short patch your vmware slack resets passwords
after exposing hashes and invitation links uh slack notified roughly point five percent of its users that it reset
their passwords after fixing above exposing salted password hashes when creating or evoking shared invitation
links for workspaces uh when a user performed either of these actions slack transmitted a hashed version of their password not plain text
to other workspace members slack told us the bleep bleeping computer although this data was shared
via the new or deactivated invitation link the slack client did not store or display the data to the member's
workspace twitter confirm zero day used to expose data of 5.4 million accounts
twitter's confirmed a recent data breach was caused by a now packed zero-day vulnerability used to link email
addresses and phone numbers to users accounts allowing a threat actor to compile a list of 5.4 million user
account profiles the vulnerability allowed anyone to submit an email address or phone number verify it was so
associated with a twitter account and retrieve the associated account id the third actor then used the id to scrape
the public information for the account and the last two kind of dovetail together twilio discloses it discloses a
data breach after sms phishing attack on employees uh the cloud communications company twilio says some of its
customers data was accessed by attackers who breached internal systems after stealing employee credentials in an sms
phishing attack on august 4th 2022 toyota became unaware became aware of
unauthorized access for transformation related to a limited number of twilio customers accounts through sophisticated
social engineering attack designed to steal employee credentials basically they sent them a link say
asking them to click urls containing the twilio octa and sso keywords that would redirect them to a twilio sign in page
clone uh the sms phishing message is baited to all your employees and clicking the embedded links by warning them their
passwords had expired or were scheduled to change uh and just dovetailing off that cloudflare employees also were hit
by the same attack that hit twilio but they're saying that no cloudflare is saying that none of their employees
credentials although they were stolen where they were able to breach because of cloud fairs cloudflare's additional security
in the headlines we've got uh microsoft exchange patches that need to be done microsoft dog walk zero day exploited
there's a big cisco patch that needs to be put cisco bugs fixes bugs allowing rsa private key theft on asa and ftd
devices so microsoft windows patch tuesday was
huge this month um there's a couple other big breaches including snapchat and amex
uh three ransomware gangs can separately attack the same network automated supplier breached by three ransomware games in two weeks and lastly new dark
web markets claim association with criminal cartels so fun exciting things going on in cyber
security wow laurel what do we got boy that was those are some good headlines for this week i'll tell you
what uh to dovetail on your vmware uh patches so keep keep in mind everybody
that uh the threat actors are publishing readily available exploits for this
uh for this situation on multiple pieces of the vmware technology on the github community so if you've got vmware as
mike said please patch very and do it very quickly because uh they just keep rolling out
these exploit payloads uh so i've got a couple to talk about this week the first one is for everybody
who refuses to use discord or something to the like and decides to install something called the easy chat
server so if you are one of those individuals out there just decided to go and um
purchase and install easy chat server 3 you should look at that versioning and
make sure that you've updated because version 3 does have a remote stack buffer overflow that can be done
unauthenticated so if anybody gets a hold of that that chat server
url unfortunately you might experience problems and secondly if you are dealing with um
palo alto networks you may be familiar with panos which is palo alto's version of cisco ios or the integrated operating
system version 10 has remote code execution capabilities these are for authenticated users so
keep that in mind pretty serious but you do have the authentication boundary protecting everybody from this exploit
however authenticated individuals would be able to produce a remote code execution against version 10 of pana os
so if you're using these palo alto devices make sure that you are upgrading past version 10. and with that
zach i hear we're going to wing it today good thing i brought my buffalo wing sauce outstanding we we are and um but first i
want to give a little shout out to cloudflare based on mike's article good
job out there we i know we we we clown about you know microsoft and wordpress a
lot and stuff it's only fair that we give some props too and um you know i think cloudflare's been a great platform
for a lot of clients it seems like it makes a pen tester's job hard is that tough to or is that accurate would you
say it is accurate yeah no it really does um cloudflare does a really good job as long as you've you've implemented
everything that they've done accurately then yes it does a very good job of thwarting attacks and yeah hats off to
them for not getting hacked and causing all of their customers to to go
into some sort of very very serious uh incident response mode
there still was i mean i hate to be the debbie downer but there was still a failure on their part from a training perspective because people did click on
those links secondary security that did prevent them from
good point good point yeah so so what we do is we we pat them on the head and then we slap them too
we're gonna say something good for once but no that this is uh this show is not brought to you in part by cloudflare but
it could be so if you're with cloudflare no just kidding we're not we don't need sponsors but uh that being said we're
gonna take it but we will take your money okay um well that being said let's do a quick
commercial break and come right back and then we can uh start our rate want even more cyber rants be sure to subscribe to
the cyber rants podcast get your copy of our best-selling book cyber rants on amazon today
this podcast is brought to you by silent sector the firm dedicated to building world-class cyber security programs for
mid-market and emerging companies across the u.s silent sector also provides industry-leading penetration tests and
cyber risk assessments visit silentsector.com and contact us today
and we're back with the cyber rants podcast we were just talking about the news a lot of interesting things
happening what's going on why is it so much activity all of the sudden i mean compared to
just even the last couple weeks what summer's almost over kids are back in school
yeah kids are going back to school the hackers have more time to write payloads and hannah they're back from vacation
you know it's you know a lot of europe right now is on vacation i mean i think france closes in
august so oh yeah oh they're they're interesting as well so you're gonna have
scaled down security in a lot of places too so good point excellent point well interesting and
it's interesting to think about cyber criminals being normal people with kids and stuff like going home to their house
in the suburbs you know in their you know suv into the driveway
and getting out and mowing their lawn you know that's the reality folks
actually if they're in russia they're living in probably apartment buildings that were created were paid for by german war reparations
from world war ii on top of each other yeah much like the ones i lived in when
i was there so yeah yeah yeah unfortunately cigarettes listening to techno writing exploits for twilio you
know exactly right after you drop the kids off the kindergarten that's right that's the reality for probably for a
lot and then there are the uh the kingpins i'm sure that like we've seen in the news that do
you know do all right but um there's still some so
that being said um yeah there there's uh there's a special place for them when they die so
um anyway uh that being said yeah i mean there's there's a lot of a
lot of stuff going on in the world we are getting into
what i affectionately call busy season i guess um you know they basically as we approach q4 and i
think this is true of a lot of cyber security companies i.t companies people in compliance business
all of that a lot of things seem to happen right at the end of the year so we've we've harped before on
the idea of trying to spread out your major initiatives throughout the year starting
early in the year right um and if you have existing relationships with vendors and such that are used to that tempo of
year-end stuff and kind of have you scheduled in that's one thing but um if you go out shopping and looking for
services for the first time just remember for all organizations in our space i i think i don't i won't say
all but for a lot it's a very very busy time because people are realizing oh great we got to
catch up on this requirement that we didn't do early in the year we've been putting this stuff on the back burner
and now we got to make it happen um plus people are planning for their q1
initiatives and you know going with a calendar year so well
you also have the budget dumps right we got to use it before the end of the year and no one ever gets in trouble for
spending money on cyber security so that's excellent point yeah yeah that's
true not unless you abuse the cyber security budget to go like go go on sabbatical
with your buddy yeah we've never known anybody that did that
no i've never known anybody that did that and lost their job no i think he's i
think we're weak in this recording that's what happens but yeah the week of
this recording there's definitely some abuse of cyber security budgets going on at black hat
yeah there are some ragers there are some people that are
maybe using company funds for things that aren't necessarily you know pushing the company
forward let's just say would that be a safe bet now i've heard the conference rooms experiment rhino are very nice and they
serve a great buffet wow so you've heard blackbird
yeah so there might be some some corporate funds being pushed out um
in the uh maybe inappropriate directions but hey you know at the same time i mean cyber security professionals have it
they've got a rough job and a thankless job so maybe maybe reward them maybe throw them some some money once in a
while you know if they're you're you're running a team and um you have a little discretionary budget hey there's some
good opportunities to do it through do that through conferences and and uh trips to maui
you know you're just saying you know so that but if you said but if you ask your
people hey how was black hat and they say i never made it i got stuck in the casino you should you should certainly
you should certainly remember that for next year yeah you know that and the difference between black hat and
then uh and then def con are amazing you know black hats everybody's spending high
dollars at def con's everybody's at the pepper mill at 5 a.m you know trying to keep the puke off their shoes
a little different demographic but a lot of crossover too you see shirts on on both sides of the fence
but um yeah that's uh so interesting interesting times but um but yeah good
time for people to kind of uh rest before the storm but yeah black i mean you got to
get some cpes right like that's the requirement if you're going to send your team at least they've got to get you
know a couple hours of continuing education um yeah there's nothing like standing
wall-to-wall shoulder to shoulder with a bunch of other nerds in a conference room trying to like see one guy's keyboard you
know exactly people that are and they all got the you know they got like the yogi antennas sticking out of their
backpacks and stuff you know because yeah i'm like hey dude can i join your wi-fi yeah
there's a reason they give you pdfs of all the seminars at def con because uh you can very well just sleep through a
seminar and it still counts as cpe exactly there you go
fun stuff um we get uh
closer to the end of the year and so those are those of you that are by the time this comes out those of you that are recovering uh from def con um
uh send us your stories
send us your stories what's the most interesting thing that you want to do that happened to you
and that could be a future podcast episode on cyber ants so we got to keep it clean
but um yeah but we can you know there's ways of editing so [Laughter]
hey as we for my you know my vantage point um being
being the uh you know kind of the the business dork um you know and and thinking about
okay well what's next what's coming up um with uh you know as far as we're gonna
get a you know again a major major influx uh i would say this year's been a little bit different and i think it's
because of coven been more consistent requests and things throughout the year but i i still anticipate that it'll ramp
up tremendously i mean we're already um just just packing stuff in for q4 i mean
it's it's it's going to be a wild ride as it always is and that's where we thrive so we love it but um
that being said for those of you that are going out um shopping for vendors um because i've been on
both sides of the fence right um going out shopping for vendors being the shopper but also being the shoppie
talking with business leaders and you know csos and such uh cios and such that
are looking to establish new vendor relationships get quotes and all that stuff and there are some severe
failures that i see in soft skills and i know we've talked about soft skills before we've we've talked about
this a bit um in the past because in the tech world of course a lot of people
i mean you have to focus time on really learning your craft right um but
what i think happens to a lot of technology leaders as they become leaders they've they've um forgot that
hey now my my job has shifted it's different we have to do we have to take a different approach we have to look at
things different there's some some new education right just like you're you're always learning always evolving in
technology same thing um is true in just you know different realms of business so
um so one of the things i see um that will drive any vendor crazy and um in
the cyber security world they probably just you know will ignore it or or won't spend a lot of time with you is these
companies um that are going out and just say hey send me a number just send me a number what is this cost what does that
cost it's like if somebody ever sends you a number when you ask that they are not your vendor
you should never do business with that company if they say well i want a network pen test can you send me a price
no no it cannot because if i do um it's going to be a severe failure as
a project right there's scoping involved there's discussions we don't just need to know the number of ips we want to
know the objectives we want to know what the company really wants to get out of this who's looking at this test um
you know how you know who the timelines all that stuff goes into it and um so
when people say hey just what does this cost and they're they're gonna go um on 15 different web forms that day and fill
them out and say send me a quote you know that's something that i mean we don't even respond to it's not even you
know really worth the time and if we do it's like hey well you know we'll chat you know and and
discuss and we can scope this out for you and if they say oh well i don't have time then okay
move on we're not you know because we're never going to be the walmart of cyber security and just get you the cheapest
rate um if that's what you're looking for that's fine but um you might as well just not spend any money at all because
what do you know what are you doing um so that's that's one thing and then when you do get in
well before i move on any any other comments anything you guys have seen i'd just like to say there's nothing wrong
with walmart we're not bashing no they've they've done well they've done well they're doing pretty
good no i know i mean i've been there before it's like you know i don't want to deal with some scumbag sales guy i just want
to say you know give me a ballpark and then i'll figure out if i want to actually talk to you
because i have an idea of what my budget is but yeah you're 100 right if someone gives you a firm cost and says if they
say oh the pentax can be anywhere from 8 000 to 25 000 depending on what you have
that's fair you can talk to them if they come back and say 11 000 firm that's what it is that's a problem because they don't know
anything yeah and there are companies that will do that and lead those those that are
unknowing to believe that oh okay well if they can why can't everybody else well and they're also going to give you
like an automated pen test or some kind of you know scans called a pen test or something like that so right yeah
they'll put they'll put skippy the intern on it as soon as they realize that they underscoped it and underpriced
it so you'll get it you'll get a 425 an hour you know individual out of the
third grade to conduct your customers yeah press the button here skippy
yeah yeah that's that's um i mean we joke but that's actually
literally what happens yeah no it really does um
so um unfortunately you know that's that's the nature of the beast
um for those um organizational leaders if you're leading you know an it
or security compliance realm when you get into conversations with vendors um
and i can think of multiple scenarios that um where this has happened even just even just um you know a week or so
ago you're talking with and when you're talking with an organization that you um
may be doing business with um you want to treat them as especially in the
security realm where companies are in demand you want to treat them as a partner you know you want to treat them as somebody
that hey we're looking to establish the best possible relationship we want you know an organization that can add value
to ours and and uh vice versa you know we want to build something for the long term
so if you go in and start pulling things like some one of the things we see is uh
there i could probably create names for all the different personas i haven't dealt with so many different different
types of individuals along the year and i don't think it's malicious in a lot of cases i think it's just they haven't been taught or haven't studied uh
uh how to have these kind of dialogues and how new things like negotiation and such they go in and they'll pull
something like not not acting like they don't know much about you know a particular
um security framework or something saying oh you know it's and then just kind of asking kind of some newbie
questions and stuff and then and then they'll go in and uh later on in the conversations say
you know start to posture say oh well i got this background and that background and i've all done all this and i know that and then i got these other vendors
that i've been working with and um and then they'll um you know and then they'll just like ask
for pricing right or something like that what do you know what do you charge they won't they won't give you oh i'm paying
this of course right they don't ever want to say the first number because in all your negotiation books and all your
basic entry level stuff they always say never put out a number first never put out a number first well that's also bs
if you act because you think about it's like well that's what everybody knows that everybody's trying not to put out
the number first put out a number first you know make it make it make it too low
make it too high depending on what you're trying to do and see and start to gauge the interest right and start to
start to understand where the other side is coming but before you even talk about numbers
numbers aren't everything right so if you go in and you start having this discussion with an organization
that um is in this business all the time has these conversations all the time like your vendors right your cyber security
and compliance it vendors they're having these discussions every day so they kind of see all kinds of stuff
so don't go in don't go in posturing don't go in say oh you know and assuming they
even want your business that's another big thing is that organizations um you know certainly is
silent sector but others as well right professional services firms you can't assume that hey i'm a big company
and so they want my business because we got money to spend you know a lot of times that's not the case because they
can get that money elsewhere with organizations that are easier and more fun to deal with
so you got to think about you got to think about that as well what is my my vendor my you know treat again treat
them like a future business partner what are they really looking for what how could we make the most out of this and
how can our company as the buyer you know get the best possible service that's the best rates from them so that
comes through establishing a relationship that comes through um not posturing saying oh we're a big fish or
whatever we got money to spend so you want to do business with us because if you do that chances are they're just gonna say they're gonna you know they're
gonna entertain you oh yeah yeah yeah yeah that sounds good we'll get back to you but they're just not going to do much
for you you know when i think we we treat all of our customers extremely well but you know when we have a great
working relationship with an organization we go above and beyond i mean the team just
got you know way beyond i mean all kinds of stuff is going on that's that's that's you know outside of the formal
scope of ways to add value ways to empower the team internally all of that
and you get that through the relationship not just saying hey well we want you to give us the best possible price and we got these vendors
that you know um been working with and and and this and that we're going to pit them you know up against each other here
and that stuff never never works in our industry now if it does work
it does often work on desperate companies right organizations that don't have a lot of options
that don't have cost a customer base right um and they may be willing to bend
over backwards and do the um you know jump through hoops and put on the dog and pony show but um
that's probably not going to be your best option as far as service delivery goes um so anyway that's my that's my
teaching moment my teaching like half hour or whatever i just took up through my rant but um i mean is it is that
stuff fair to say i mean you guys seen this you know similar things are my way off base here
no you're you're on base what i what i really don't like is uh you know when you you're getting into this conversation with a vendor
and like you said the you know said individual is is not you know playing like they don't know and then all of a sudden like halfway through the
conversation they're like well i would want to tell you that i know security too i i took a security plush clash and
then for a while i was the chief technology office at the capitol hill occupied protest in portland we were
dealing with with you know hand-me-down phones and so i had to be secure yeah no and you know honestly it's not it's not
a good look for you it's really just not you know to try to try to flex your technical skills in a conversation with
a vendor it really just shows um you know personality traits that we're i can
not speaking for everybody on the call here but we're probably just not we're going to pass right yeah exactly we don't need your business that bad it's
worth dealing with bad personalities so um you know yeah just to echo what you said zach those soft skills i think are
really really important to have and just because you you just because you changed one registry can windows doesn't make
you a security expert right and you just because you're an
mssp and you've got someone that's reading the cissp book does not make you a security vendor either
um and and we've seen that as well yeah it says here on page seven that uh
yeah so oh go ahead there's two ways you can take this i mean so looking for the
right security vendor there's definitely some snake oil salesmans out there there are some companies that we've dealt with one that tried to buy us and we're like
smelled right through their bs real quick that they and they are no longer around
um you know they're definitely some snake old people and you have to be careful what you're what you're buying right are
you buying an automated pen test are you buying one with some human intelligence behind it are you just trying to check a box what are you looking for but on the
flip side there's other vendors that you're dealing with on a daily basis and you have to reign that whole process in
as well not just security but it's like your crm your
you know msp your email provider your you know all these different vendors that you deal with on a daily basis you
need to control that you need to validate their security because chances are if you're in the b2b software space
you're getting questionnaires about your security you have every right to ask those questions of everybody else as well just because blue cross blue shield
asks you a question doesn't mean you can't ask bob crm a question you know what i mean it's that kind of thing so
you need to have great due diligence in any vendor that you're dealing with that has a potential to impact your business
whether you're dealing with regulated or non-regulated business or data excuse me uh but you need to have a really
clear-eyed view of anybody you're dealing with because there's just so much
so much crap out there for lack of a better word so forgive my grossness no it's fine
i answer yes to all the security question is and anytime the question is ask me a question i just say yes
yeah that's what you're supposed to do right i'm a security i'm a security expert
um yeah you know so just so you know flip it on its head right treat treat um
whenever you're getting into a conversation if you want to get the best possible service you want to get the most um
out of your relationship with a potential uh or current vendor right um
treat them like they're part of the family part of the team that's what you want is you want vendors you want your
organization to be like one big happy team you know not um a bunch of bunch of disjointed people
that just kind of come and go and um and you'd be amazed uh how much
those uh vendors and those those partners i would call will do for you
over time i mean from referring new opportunities to new you know capabilities all kinds of things kind of
let you in on what's coming up next all of that but if you're just out there saying hey just you know um you know
you're you're expendable um they're gonna treat the relationship you know unfortunately the same way and just say
okay well you know we won't count on them being around very long and and um and move on and so
so yeah just think about that treat your treat your team like treat your vendor like your immediate team members you
know the people that report to you and and be a good leader and and you know help
you know help uh help them build help them grow and and everybody will be happy and it'll all be
roses and daisies right isn't that how it looks like rainbows rainbows and butter cakes
one thing that just keep in mind too is don't ever compromise your security vendors um integrity
by changing data or misrepresenting yourself all security vendors with certifications
have integrity clauses attached to those certifications and you can jeopardize a company by
doing things unethically we've fired two customers over this already um in in however long we've been around
uh because they've changed report data they've changed all these things things that does not jive with
uh what we did and change the meaning of a report you know changing from high risk to medium risk on a pen test and
things like that so when you do stuff like that uh at least when you're dealing with solid sector
you're gonna get fired as a customer yeah so the beauty is that's the my that's a very small minority um we've
you know the flip side is we've worked we've just worked with some awesome awesome organizations that um
you know have have these relationships where we help each other build and and grow and thrive and it's you
know people that we even keep in touch with you know if they change jobs or whatever they're you know
these are we see this as long-term not just a transactional piece so um and now
we've learned the hard way you know through getting customers like the you the ones you just described mike you
know we kind of look out for that early on which is another reason for
um that vetting right when you're in this process the interview goes both ways you
know and um and we need to make sure that the way i see it if we can't add value to a
company if we're just checking a block we're not the right vendor for them so if we if we can't add value
um and it's just a you know exercise to check off some requirement and that's it
we're not the right fit you know there are there are other organizations that'll do that and um we just yeah don't want to do that
but not that yeah i don't mean to be a silent sector commercial here but uh no that's how we think how we think you
know be transparent and put it out it is well and if you read the book cyber rants you'll understand
yeah that's what sheamus the international best seller if you haven't heard about it i'm surprised
but you know to to you know just to kind of tack on there um you know be be nice to your you know if you're in a in a
conversation with your um cyber security vendor right your your your partner for cybersecurity be nice
um if those who don't know cyberseek right now is reporting 704
548 open cyber security jobs right now in the united states
there's not enough professionals to um to accommodate that job opening number in this country so if you are in
if you are in need of cyber security services and you're meeting with an organization and you're you're being a a
mervin about you know um you know puffing up about how awesome you were back in the 80s at cyber security um and
you're trying to not be a very good personable person a company is probably going to pass because they don't want to
have to we don't want to have to go to work and deal with those personalities right we'd rather not take the money and
because there's so there's so many other businesses out there that are such a wonderful joy to work with and like you said zach like you know like 99 of all
the clients we've ever had have just been outstanding and we still have a lot of them um but you're you know you're gonna
you're gonna shoot yourself in the foot um if you you know if you start um rough handling some of the vendors especially
the cyber security space because there is no talent today just to to fulfill these needs you're gonna have to look to
uh a managed service provider for these for these uh for these things well the talent that you're going to get now
that's going to fill this is going to be entry level the senior level talent like laurel and i and a lot of our peers that we know
there are we don't have no peers peers i have no peers
we're all already engaged and we're not you know uh
you know anyway yeah we're already we're not looking for it um you know and just a shout out to all the people on
linkedin that keep selling sending me a request to interview i'm not interested uh yeah yeah thanks thanks could you
could you read my profile for once yeah i have a job you know
it's all cool that you want to offer me a hundred dollars an hour but i'm not interested thank you yeah my free pizza
in the office everything exactly yeah yeah and pizza fruit table yeah i miss
it i miss the friday potluck at the foosball table personally yeah remember uh today's friday which is
a hawaiian shirt day exactly if you want to wear a hawaiian shirt and jeans that
would be acceptable i would rather uh cut out early on a friday afternoon and go have fish tacos
and scottsdale blonde and carlos o'brien's and then uh and set my own schedule then uh
wear a hawaiian shirt on friday are you sure i don't know i don't know i don't know i'm on the hawaiian shirt side i
mean floral prints come on come on that's my favorite well hey
i'm sorry laura go ahead you know i was i i hacked my i hacked my ti
calculator when i was 15 i'm a hacker i know cyber security
i had a hardened cobalt mainframe yeah uh i think i still have a ti 83 sitting
around somewhere with i knew this magical i knew this magical mac calculation you could put in the ti
ti calculated and if you turn it upside down it said boobs [Laughter]
okay well that's enough for this episode but uh yeah these uh these random rants
are always fun um hope i hope you uh listening enjoyed it and again
rate the podcast share the episodes we're we're not necessarily the most professional
production in the world nor do we ever intend to be but we have fun doing it you know so um share the podcast rate it
uh do whatever you want do whatever you want just enjoy your day mostly and uh
check us out on the next episode have a great one we're like the jimmy kimmel of cyber
security if you say so