8th Layer Insights 6.20.23
Ep 34 | 6.20.23

Something Wicked This Way Comes: PenTesting Your Environment w/Chad Peterson of NetSPI

Transcript

Perry Carpenter: Hi, I'm Perry Carpenter and you're listening to "8th Layer Insights." In the field of cybersecurity, we talk a lot about the need to be ready for attacks. We talk about prediction, prevention, detection, response, and recovery. But how do we do that? How do we predict what is going to go wrong? How do we understand the different attack vectors that somebody with ill intent may take against us? One of the ways to do that is through penetration testing, through red teaming, working with people or organizations that will take on the mantle of pretending to be an adversary with the intent of exposing our flaws so that we can then proactively patch them and save ourselves from having a bad day. Today's guest is Chad Peterson. Chad is a managing director at NetSPI, a cybersecurity vendor that specializes in penetration testing as a service, helping organizations understand their attack surface, creating breach and attack simulations, and really helping organizations drill down into understanding how attackers might view them and what openings attackers may have. Again, this is all with the end goal of understanding the attacker's mindset, their ability to get into your organization, so that you may then close those doors. This interview with Chad is wide ranging; we talk about the importance of penetration testing, the concept of red teaming, why it's important to do this, how to approach our boards of directors about these kinds of topics, and how to think about social engineering, where ransomware comes in, the complex decisions around whether or not to pay a ransom, how to best prepare yourself for the worst day that you may ever have as a cybersecurity professional and as a business that just wants to do business. And so, if that sounds interesting to you, stay tuned, because on today's show, attack and penetration testing, red teaming, social engineering, ransomware, and more. Welcome to "8th Layer Insights."
This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think, to why we do the things that we do, and how we can all make better decisions every day. This is "8th Layer Insights," Season 4, Episode 4. I'm Perry Carpenter.

Perry Carpenter: Welcome back. Let's get straight into our interview with Chad Peterson, where we're going to talk about red teaming, penetration testing, security awareness, ransomware, talking to our boards of directors, and a whole bunch of other fun stuff. So, I hope you enjoy this interview. Let's go.

Chad Peterson: I'm Chad Peterson, I'm a managing director at NetSPI. We are an offensive security organization, been around for the greater part of 20 years. Really specialized not only in your traditional pen testing but also going a little bit further from your traditional external all the way down to the, you know, in the healthcare area, even medical devices. So it's that entire ecosystem from the external all the way down to the chip set.

Perry Carpenter: That's great. So, for folks that are hesitant to do pen testing, what would you say is the best reason to do it, as opposed to just kind of being afraid of something like bringing in a pen testing organization?

Chad Peterson: It's really to get the idea and the understanding of where you sit from a security point of view. And I like to say that the pen testing is really nothing that's not being done to your environment every day by the bad guys. It's nice to actually get a report about it and see what's going on, what's identifiable, and allow you the opportunity to address some of those risks and put compensating controls in place to prevent those potential exploits of the vulnerabilities.

Perry Carpenter: So then what's a standard engagement look like?

Chad Peterson: Standard engagement for an external, we'll just stick with that one, it's identifying, you know, the external attack surface, so doing a discovery of your environment of what's on the outside. Once we identify the IPs or the domains, it's doing some manual and, well, we really specialize a lot in manual testing. But it all starts with a lot of the tools out there, so you know, whether it's the commercial scan tools or some of the proprietary scan tools that we've created, it's really just to create that treasure map, if you will, to know what your environment looks like. An idea of what services are running, what protocols are running, just an understanding, and then from there we can look for any potential known vulnerabilities, you know, like missing patches, open ports that shouldn't be there. And then from the pen test point of view is, and this is the key, and what makes it different than just a vulnerability scan is, alright, do those potential vulnerabilities actually pose a threat to your organization? So we try to exploit those vulnerabilities to see if you can actually gain access. Now, unlike a hacker, we can do that in a more friendly way: once we do get in, or start to move around laterally in your environment, we are not collecting data or bringing systems down, those pieces, but we at least can identify those pathways into your environment, let you know, and provide you steps on actual remediation.

Perry Carpenter: From your experience then, what are the paths into an environment that you can almost always count on being there? Like if there were a top three, what would the top three be?

Chad Peterson: It's interesting, I mean a lot of them are quite frankly, systems that are out of date, not patched. It's some exploitation and older code that gets reused and has some exploits, essentially hard coded in what they're doing. So they keep reusing over and over and the exploit doesn't go away. And you know, the other is quite frankly, it's organizations who have set up external access and haven't taken the precautions to minimize that access. Whether that's through things like multi factor authentication to ensure that you are who you are, and ensuring that the accounts that can be accessed from the outside don't have elevated privileges. And so it's really unpatched systems, elevated privilege, and inherent flaws that just, you know, keep repeating, like often seen in code.

Perry Carpenter: Yeah, then where does social engineering fit in with all this?

Chad Peterson: Social engineering is a great way to hit into, I think that topic of you know, what makes the human nature such a big part of the security world, and that is people generally want to help. People are generally curious. So you get some social engineering, whether it's physical social engineering of letting someone into the building, able to free them around and even helping them out, find the direction of where they're going, to sending the emails with the links, some information, something that looks too good to be true, and people click. We are a curious nature, and you know, I always use the analogy, you know, you continually walk down a hallway and you pass a door. Eventually you're going to try to open that door to see what's on the other side. If you're not supposed to be in there, we hope the door is locked, or monitored. But eventually you are going to do it, we're curious natured.

Perry Carpenter: Yeah, so have there been any specific trends that you've seen over the past, you know, time that you've been doing this, or have you seen any specific changes, maybe since the pandemic? What is the ecosystem of social engineering look like?

Chad Peterson: Perry, a lot of it, it's interesting, and I always use that, the phrase of: what's old is new again. And it's always cyclical, I mean and we are, we're still seeing the phishing attempts of, you know, the emails sent out offering something that looks great, they want you to click on a link, that link actually initiates some malicious code or something else into the environment. People do that. That hasn't gone away. We may have seen actually an increase of that when you look at the remote workforce and as we're working from home, we are, right, wrong, or indifferent, when we're working in our home office, we're a little bit more at ease than if we're actually in the corporate building, sitting at your desk, everything is work. You get home and I think your defenses come down a little bit, which makes us a little bit more susceptible.

Perry Carpenter: Yeah. From a pen testing standpoint, are there any specific ways that you approach the social engineering piece of an engagement?

Chad Peterson: We actually can use, and often do use, the social environments to go beyond the pen test when we actually refer to it maybe as a red team engagement. So you take those vulnerabilities and then how to get that inside. So, we will actually create and use different phishing emails, different scenarios to get organizations or people within the organizations to give us more info, to log in, give us credentials. And we can do that by, you know, things as simple as looking at an organization, seeing the people who are employed at that organization through something like LinkedIn, go through, understand a little bit more about them, and start to tailor messages specific to an individual based on their role, some things that they've posted, you know, even from a make-them-more-personal angle, make it like, yeah, I do know you because I also looked at your Facebook account and know what you do a little bit in your personal life. So to make those more tailored and friendly, they're more likely to be clicked. So, absolutely we look at all that information and you know, take advantage of the human side of the environments.

Perry Carpenter: Yeah, so either from your past, before you joined NetSPI or in your current role, are there any great stories that are either just fun to share, because they demonstrate some aspect of human nature, or some way that you can better approach security, or that are good cautionary tales?

Chad Peterson: Yeah, you know, a lot of them come from a lot of those social engineering engagements and it's going through and you know, anything from a physical point of view of, you know, one of the things personally I'd love to do when I was doing, from the consultant side, the physical portion of a pen test is, nothing was better than to call your point of contact from their server room. And I was successful doing that several times, you know, I used to joke that it's changed a little bit, and this is going to date when I was doing this activity, but the two jobs you could always go to the front door on and you were the copier repairman or you were there for coffee delivery. Two people that are always let into a building because there's always an issue. So, it's very easy to, you know, get the shirt with your name on it, the name of the organization, you get right in and they, the nice thing about the copier is they usually send you right there and point you right in front of the copy machine that's usually the problem child of the group, and those are often, as you know, associated to the network, so they leave you alone and now I have an open jack to plug into and do what I need to do.

Perry Carpenter: This is interesting because I've seen a few different pen testers and it's always interesting to see the lapse of time between when they enter a building and when they are, when they've compromised a system. It's usually shockingly quick.

Chad Peterson: Yes.

Perry Carpenter: Do you--

Chad Peterson: The quicker the better. The longer you sit around, the better chance you have of getting caught.

Perry Carpenter: Yeah. So what does that generally look like? As soon as you've gotten into a building, what's the next step?

Chad Peterson: The next step is to either, depending on the story that you used to get in, it's something like, you know, the copy, it's getting there and then, you know, getting either that open network jack and putting some type of sniffer on there, or finding an empty conference room or you know, even an open workstation that you can go through. Another great thing is, we've done the-- it was a lot easier then than it is now, but you know, something as simple as we have some documentation I need to get printed out, I didn't have a chance to do it beforehand and you have it on the USB stick. Things like that can go pretty quick. But the whole idea there is to get in, blend in, not stand out, and find a way to access that environment, either through a physical connection, it's a little harder traditionally over a wireless, but still possible.

Perry Carpenter: Over the past decade or so, how much harder has it gotten? Because I, you know, I remember when I first started looking at this, you could do some basic network sniffing and you could see passwords in clear text, you could run a Wi-Fi pineapple and the stuff that you could see there was always pretty shocking. How much has that changed over the past decade? Have we gotten any better or do you still find major, major problems as soon as you're able to have that kind of view?

Chad Peterson: Yes and yes.

Perry Carpenter: Okay.

Chad Peterson: Predominantly we have gotten better, but at the same time period, where technology has gotten better, some of our tools are a little bit better to find some of that information, whether it's use of a Flipper or some other components, other tools, but no, you know, it's, we've done a good job traditionally of hardening the external shell, if you will, of our environments. But as you know, once you do get inside, where a social engineering gig's going to get you in, once you're inside the environments, the security is typically not as tight. So you are seeing more information once you do get that initial entry point into the environment.

Perry Carpenter: Yeah, and then is it still, with as many people having VPNs as they do now, and some of the other tightening of basic Wi-Fi security, is it still a scary thing if somebody joins a Wi-Fi network that they're not an owner of?

Chad Peterson: Depends on the architecture and how that is set up. Many times when you look at guest Wi-Fi versus corporate Wi-Fi, that guest Wi-Fi doesn't even have access typically to the same environment, so there's a gap between the two networks. In order to get into the other side, you have to authenticate and do those things, so as long as the identity and access management controls are in place, whether that's using a password plus, a multifactor, you're in pretty good shape. But we still have to do those basics and that's not always the case. Yeah, there's you know, I talk about, you know, we've all heard that story. When I talk about security of you know, the two guys in the woods and there's a bear, and you know, the one guy puts his tennis shoes on and says, you can't outrun the bear, he says, I don't need to, I just need to outrun you. And it's that same aspect, it's that hackers are like water, they're going to follow that path of least resistance. So, the harder you make it, there's usually an easier target. The sad and scary part of that is if you do have something that someone really wants, they're eventually going to get it, it may take them longer, it may take an engagement where you know, you may have to have an initial entry point into an environment and you may not get the information you were going after for 6-8-12-16-18 months, but if you have the persistence to stick in there and grab the information, eventually you will get it.

Perry Carpenter: What do you say maybe to a board of directors member, when they finally get that realization? Do you say, give up hope or do you say-- you know, what's the, you know, what's the next thing? Because that begs a number of questions when you're like, regardless of almost who you are, if you have an advanced adversary, a persistent adversary, they will get something. So, where does hope come from and how do you build resilience in that kind of ecosystem?

Chad Peterson: Hope comes in, it's, there are still additional controls you can put in so, you know, the easiest thing is to protect that individual piece of data alone. So, with the use of encryption at rest. So even if it does get to the outside, it's not usable. But the best thing you can do is train your teams on how to identify characteristics of an attack. The whole idea of having your incident response or your red team type activity, purple team, blue team, is that's that whole conjunction of the adversary versus your internal team and how they work together in these exercises is to practice this whole process of how to see activity that's not normal in your environment, earlier than later. And they refer to that as the "kill chain." The earlier in the kill chain you can see something coming into your environment before it gets to a target, the better off you are. And that's done through multiple steps, different areas of control, different roadblocks, tollgates, to really see that activity and stop it before it gets too far.

Perry Carpenter: Okay. Great. So let's take a turn specifically in some of the environments that you're interested in, which is healthcare. What are some basic observations that you have about what it's like to red team healthcare environments? Where are the major concerns? Where are the major vulnerabilities? And what's some advice to tighten that up?

Chad Peterson: Well, healthcare is an interesting one, mainly when you look at what's happening and the type of data that we deal with. The interesting thing about healthcare is your electronic health record is not only information that's great to steal identities because it has everything about you, your you know, all of your pertinent information about you personally, where you live, all your social security number information, all of that, oftentimes there's also associated with the payment activity. So, that information is there as well. So it's not only protected health information, it's also you know, monetary information. So oftentimes you'll find bank account numbers, you'll find credit card numbers, you'll see all that information. Very great if you're looking for selling something on the black market as far as an identity, it's all right there. And as we are transitioning more to these electronic health record, it's out there in a form that's easier to graduate than it was back in the day, when it was in a filing cabinet. So with that and in combination of how traditionally healthcare environments are set up from an architecture, a network point of view, it's a tough one. Identity and access management is traditionally difficult, whether that's by the nature of needing quick access to systems, so you know, there's shared passwords, there's those components that run rampant in healthcare environments, whether it's devices that don't get patched out of fear of bringing systems down, whether it's inability to patch because of mandates from a vendor. It's surprising how often you'll hear that, you know, we can't, we can't scan that machine for a penetration test or even just a vulnerability scan, because it's not that stable because it hasn't been patched in two years. Well, why hadn't it been patched? Well, because it'll void the warranty that the vendor has on the applications that we're running on that. We're not able to do that. Very alarming.

Perry Carpenter: Right.

Chad Peterson: You'll also see legacy systems, I mean you'll have, you know, inventory systems for medical supplies that could run on a device, you know, Windows XP workstations are still rampant in healthcare. They aren't even in support by the vendor anymore. So, those things come with a lot of legacy devices, which add to complexity.

Perry Carpenter: Yeah.

Chad Peterson: The other thing is you know, we talked about, they're open environments, they're really designed for ease of use to ensure that the care is available for the patient, we're not creating any roadblocks, it's an easy system. So that adds to the complexity. A lot of systems, a lot of people moving around, a lot of chaos, the systems are left open. That's another area that you can really get into. A lot of these are, it's sounding scary and it just makes it a larger challenge, but don't lose hope, there's still a lot we can do with just the basic fundamentals of understanding what the, where the environment, you know, what the environment looks like, where the data resides, and how to protect that data, whether it's through encryption, whether it's through segmented environments, and everything you can do from that basic blocking and tackling. The other thing that's difficult in healthcare is you know, identity management. You really have to follow that 80/20 rule, where you're not going to, you know, create roles for everyone in the environment. Because unfortunately, a nurse is not a nurse is not a nurse. They may be working in one area today, in another department tomorrow, even another location the next day. So it's, that makes it more complex. So it is the ability to be able to mentor and ensure that they are at least using their own identity, logging in so you can see that information. And the education, working with those for proper use of equipment. Logging in, logging off when possible. Not leaving workstations unattended. It's a lot of the quote-unquote, "basic blocking and tackling."

Perry Carpenter: Yeah.

Chad Peterson: But, as we know, so many easiest fixes are the ones that are often missed.

Perry Carpenter: Okay.

Chad Peterson: Because it's just, you know, the traditional, we start and you know, life gets in the way. We start to work.

Perry Carpenter: So, when I think about healthcare, that's one word that is like an umbrella term for lots of different environments that have different systems in it, so there's the hospital environment, which it sounds like we were talking about primarily there--

Chad Peterson: Yes.

Perry Carpenter: There's also university based healthcare, which is similar to hospital but a little bit more research intensive, there's the payer systems, which are not doing care but are managing insurance payments and a lot of records as well. Do you see any, from a pen testing perspective, do you approach those things, those areas differently or are they pretty much the same plan from the outside?

Chad Peterson: It's the same basic blocking and tackling as far as how you're approaching, you know, you're looking for the vulnerabilities, you're seeing alright, are these vulnerabilities exploitable?

Perry Carpenter: Right.

Chad Peterson: Now where the differences come in are there are nuances exactly like you talked about with the hospital systems. Just because there are more, you know, there's a more openness. Same thing when you talk about university health system. Because not only do you get the general openness of a hospital, but then you add the you know, different regulations like FERPA and things need to be open, and what you need to do at a university environment so that's always interesting. Biggest thing you need to look at all this too is you know, there's funding and security is not why they are in business. You know, they are not in the security business.

Perry Carpenter: Right.

Chad Peterson: They are in the healthcare business, so there's, it's not top of mind. It's not bringing in what needs to be done, it's you know, it's not bringing in patients, it's not bringing in healthcare, it's not that focused. I do see a bit of a difference when you start talking about the payer type environment, the insurance type of environment, still apply to HIPAA regulations and what needs to be done to protect the data, but just by the nature of how they do their business, they are usually more secure just because they can be set up like a traditional network.

Perry Carpenter: Right.

Chad Peterson: They are run like a traditional network.

Perry Carpenter: They don't have MRI machines in their break room.

Chad Peterson: Right. Yeah.

Perry Carpenter: The conclusion of our interview with Chad Peterson, after the break.

Perry Carpenter: Welcome back. So, you've touched on identity and access management a few times, and you also mentioned the fact that things need to be open and fast in hospital environments, which argues against multifactor authentication, at least as far as like using an authenticator app or something else that's going to slow down the process.

Chad Peterson: Right.

Perry Carpenter: How do we deal with that in those systems? You know, I've got an indication, because I actually used to specialize in IAM back when I was at Gartner, but from you know, I've not looked at it deeply in the past seven-eight years.

Chad Peterson: Yeah, it's still, I mean you have, instead of using the phone tokens if you will of you know, the different secure ID, those pieces that come back, you still have things that can be used a lot easier, whether it's proximity badges that you either tapped or even sensors if you're nearby. So there are other components, now some of those bring up their nuances, you know, the non-tap prox badges, were always interesting when, I don't know if you've ever watched a group of individuals in the hospital working, there's usually more than one right there. So there's some difficulty there with the non-tap proxes. But, the other ones, it's, that does help. Biometrics work great in theory, a little tough to get fingerprints when you're wearing latex gloves and some of those other components. So there are some nuances, it depends on the department where you are, what works, but identity, time's just a different form of identity management and what you can do for multifactor in those situations.

Perry Carpenter: Yeah. Is there a minimum standard right now that you're seeing across everybody or is it still a little bit of a wild west in terms of like what's happening out, throughout maybe the U.S. or the world?

Chad Peterson: Well, I think you're, you know, the regs have been there and what needs to be done to protect the identities, I think the benefit that we have is 10 years ago, multifactor was still this pain point that people felt because I had to do another thing. Today, multifactor is everywhere. It's become a part of our regular life, whether it's logging into your bank, whether it's, I mean heck, it's even, you know, available on your Facebook and some of these other components. So, multifactor is, it's almost an expectation today, versus where it was the exception 10 years ago. So, just the way people are now working and seeing those pieces, it's no longer a hindrance, it's just a part of doing it. That's helped a ton.

Perry Carpenter: Yeah.

Chad Peterson: And it's, people are becoming a bit more aware, just of what it means to protect information. And it's you know, it's, if you put it in the system, you know, and there's a reason why I'm collecting this information, anyone who's had their credit card stolen or impersonated or any of that, has felt that pain, and they kind of get that appreciation of why we're doing what we're doing. So, there are more and more personally affected stories going on that do help that process.

Perry Carpenter: So where does training come in with all of this? I guess that's a multifaceted question too, because there's training for the different teams that are involved that are doing patching and updating and understanding the issues there as far as the most frequent ways that attackers get in, but there's also training for the general end user population. Can you talk a little bit about where you've seen that work and not work? What are the benefits and limitations from your perspective?

Chad Peterson: Sure. And you're right on both sides; it's you know, whether it's table tops for your technical team of practicing how to identify and stop attacks, versus you know, basic security awareness programs that need to be done for the employees of your organization, so organizations in general are pretty good when it comes to doing some initial onboard training in their onboarding program. When an employee starts at an organization, it's just part of that whole process before you can work you need to go through all of this. The difficult thing there is the continuation training, and going through, so a security awareness program is just that, it's a program. It's not hey, here's a booklet that you get during orientation, read through it, these are our policies and procedures, have fun, good luck. It's you need to do other things throughout, and whether that's security awareness month that we have throughout many organizations participate and it's just raising that awareness, something as simple as posters that help in the break room, but it's other things as far as doing some phishing campaigns, and pieces like that. You know, things that you are working to, not to trick your employees or try to get them to fall for these activities, but to make them aware and continually remind them. You know, one of the things that I laugh about a little bit, but it actually shows that it's working, is when you look at different phishing attacks, it is when you send out a phishing email that the first time you may do it you may have 40 percent of your employees click on it. The second time you send it out, you may only have 10. 
Now on the surface, that looks great, you know, hey, I've improved it by a multiple factor, but the thing you have to look at, alright, we've raised awareness, which is the big thing in why we are doing it, secondarily though, it could be that maybe the email wasn't crafted the same way and it was a little bit more obvious that it was fake than the first one. So, that's where you have to be a little bit careful. But it's the repetition.

Perry Carpenter: Yeah.

Chad Peterson: Keeping things in front of mind.

Perry Carpenter: And don't send out the exact same phish multiple times.

Chad Peterson: Exactly.

Perry Carpenter: At that point yeah, you're not acting like an attacker.

Chad Peterson: Right, and it's, on top of that too, Perry, it's not only the same one every time, it's you have to be careful of the numbers that you send out. It's a little easier now, maybe, since we're all remote, for the most part, but if you're together and four or five people get the same email who work within 30 feet of each other--

Perry Carpenter: Yeah.

Chad Peterson: --the success rate for that's going to go down.

Perry Carpenter: Yeah. Randomize your times, randomize your templates so not everybody gets the same thing and not everybody gets stuff at the same time.

Chad Peterson: Yeah. Right, and speaking about the same thing too is, the other thing to look at is when you have a security program, it's making the program tailored to the individual's role. And what I mean by that is your standard employee is going to get your standard, everyone's going to get this foundational piece of training. But, you know, your system admins may need a little bit higher training, a little bit more of how to protect data. Those that are dealing in a healthcare environment, specifically with PHI, you want to talk a little bit more about the specific HIPAA regulations and why it needs to be protected and how. So, you want your training to fit the skill level and the type of information that those users are utilizing. The higher the risk, the more training.

Perry Carpenter: So, as we get ready to wrap up, are there any last thoughts that you want to leave our audience with or maybe how to approach their board, how to think about the threats, anything else?

Chad Peterson: In general, as far as a wrap up of what you need to do to, kind of going back to your question of what do you do and how do you talk to a board about the gloom and doom. There are the basic things you can do to help protect your environment and making sure you're doing your due diligence. And the first part of that is the awareness. So whether that's just understanding and having a way to continually understand your attack surface, knowing what you have on the external facing side of your environment. Being able to know when new cloud instances potentially pop up, when new systems are brought up, new applications are brought into the environment that are internet facing that you're aware of the protocols, the ports, the IPs and everything that's there. So, know your environment. The only way to protect something you're not aware of is by accident. So you do need to be able to see it.

Chad Peterson: And it's constantly and continue to look at that and looking for changes. The other thing is, you know, have a plan. And what I mean by a plan is you know, yes, you can be proactive, you can do the scanning, you can see what's going on, but we also have to plan if a breach happens, if something like ransomware does happen in your environment, you need to be ready. And that's everything from a communications plan internally, being able to identify the severity of the incident, and you notice I used the word incident, because it's an incident until it's proven to be a breach. So, has enough occurred? Did information of a pertinent value get out? And does it need to be addressed? That could determine how you have to communicate back. And understanding all that and having that as a process that you can practice through with some tabletop exercises. The other major contingency plan is, you know, can, if systems are down, the organization work? Can it run? You know, in the area of the hospital, can you still do patient intake? Can you still do everything? Can you revert back to paper? Can the processes and the why you are in business still take place? And backups, backups are something we've always been doing, but you know, one of the best defenses for a ransomware attack, quite honestly, is to have a good backup. You don't have to worry about the ability to pay to get your information back if you have a clean copy in the background. So, being ready for the inevitable is probably one of the biggest things. It's like anything else, be prepared.

Perry Carpenter: Yeah.

Chad Peterson: Be prepared and practice for it.

Perry Carpenter: Let me throw one other question in there real quick, that may or not, may not be worth spending a couple minutes on but since we mentioned ransomware a couple times, we talked about the board of directors, and we talked about preparing beforehand, there is always the question about if the worst happens, do you pay or you don't pay? Which is both a practical question and an ethical question I think. And then governments and everybody else are trying to weigh in on that. With healthcare, and you potentially have you know, loss of life involved and other things like that, I think the water gets a little bit murky, right?

Chad Peterson: It does, it does.

Perry Carpenter: So how do you set up an effective policy or framework of thinking about how you deal with that if the worst happens?

Chad Peterson: You know, it goes back to having those safety nets in place, A, B, and you know, the backups that you can recover quicker. Having the ability to, when it comes to you know, loss of life or human safety, it's ensure that things like segmentation happen in your environment so those vulnerable systems are not a part, so your healthcare, your actual systems within the operating room, and those pieces are segmented off from the rest of the network wherever possible. So those aren't going to fall victim to those attacks. But as information is, in the case of a ransomware, do you have the ability to recover? That's really what it boils down to. If you have the ability to recover, whether it's going to take a while through backups, whether you have programs in place to still maintain doing what you need to do from a business point of view or operational point of view, it's that decision, the contingencies of whether to pay or not. Because you're right, it's-- you don't want to reward bad behavior, but at the same point in time, you do need to do what you have to do to continue. And there's that, you know, if I pay once, what's saying they're not going to come back and I'm going to have to pay twice, three times, four times down the road? It's a tough one, and that gets into a whole 'nother realm of your overall communication plans and your plans with your legal counsel and how you're going to address those things. It's a bigger, it's a bigger conversation, unfortunately or fortunately, than just your CISO and your IT department when it comes to the, do we actually pay.

Perry Carpenter: Yeah.

Chad Peterson: But the best thing you can do is alright, while we're making that decision, can I still operate? And if you can still continue doing what you need to do from an operational point of view, it does at least give you that time.

Perry Carpenter: That brings us to the end of our interview with Chad Peterson. I hope that it gave you an even greater sense of the importance of pen testing your organization to find those vulnerabilities so that you can begin to close them before someone with ill intent finds them for you.

Perry Carpenter: And with that, thanks so much for listening, and thank you to my guest, Chad Peterson of NetSPI. I've loaded up the show notes with all the relevant links and references for things that we talked about today, and a little bit more that you can dig into just for fun. If you've been enjoying "8th Layer Insights" and you want to know how to help, it's actually pretty easy; just comment and leave a review on any podcast platform that allows you to do so. That lets other people know that this show is worth their time, and their time is super important, so we want to point people in the right direction with these kinds of things. The other really important thing that you can do is to tell somebody else about the show. Podcasts are really difficult to find because there's so many of them and there's not a lot of great advertising out there. So telling somebody, giving that word of mouth recommendation, is super important. Please do so for this show. I'd really appreciate it. Oh, and if you're ever interested in reaching out to me, feel free to do so. You can find my contact information at the very bottom of the show notes for this episode. And while you're at it, feel free to check out my other show, Digital Folklore. It's a fun dive into the quirky and sometimes dark nature of online culture. This episode was written, recorded, sound designed, and edited by me, Perry Carpenter. The cover art for "8th Layer Insights" was designed by Chris Machowski at ransomwear.net and Mia Rune at miarune.com. The "8th Layer Insights" theme song was written and recorded by Marcos Moscat. Until next time, I'm Perry Carpenter, signing off.