Episode 65! The 2021 NFL Season is upon us, and with week 1 just days away you know what time it is: it's predictions time. We welcomed the great Matthew McCarthy (@Matthodical1) to help us give predictions on your 2021 fantasy stars, breakouts, and busts. Our categories were: RB MVP, WR MVP, TE MVP, QB MVP, Biggest Bust, Rookie MVP, Rookie Bust, Most Improved, and Comeback Player of the Year. It was so much fun we didn't really look at the time, so enjoy our longest episode to date! Before our predictions, we gave our final thoughts on the preseason. Thanks again to our guest Matt, who is doing a lot of great content this season. He is doing the offense show for @GridironRating Weekly! Three days a week he will be previewing and reviewing ALL the NFL games to help you be prepared in your fantasy leagues! MWF at 7:30ET... check out Matt's Twitter or @GridironRating for more information. He is also an expert ranker @FantasyPros. Cheers!
Donny is joined by Syrus Yarbrough of MTV's "The Challenge: All Stars" and "The Real World: Boston." He discusses what it was like to be back on The Challenge, why some people can't leave the game in the game, and why he doesn't regret anything about his elimination. He also touches on "bad edits" and how the world has changed (and stayed the same) since he was originally on the Real World. But first, this week's pop culture panel is made up of Taria S. Faison, Chelsea - the face behind @ohnobravo, and Dr. Monica O'Neal of Bravo's "Camp Getaway." They discuss Michael Paulson's need to include the weight gain of Broadway actors in his New York Times article, Will Smith's #bigwilliechallenge, Elon Musk on SNL, and the mythical land known as Wawa (to Kate Winslet, at least). Be sure to purchase TICKETS to my 90s/2000s trivia on May 14 at 8:30ET/5:30PT! 5 rounds of nostalgic trivia! A celebrity guest from the 90s answering a full round! Prizes for the winning team! (https://www.eventbrite.com/e/90s-and-2000s-trivia-via-zoom-tickets-151735341491?ref=eios) Watch interviews and clips from "Truly Anything with Donny Hadfield-Smith," including an interview with Dr. Monica NOT AVAILABLE ON MY PODCAST, on YOUTUBE! (https://www.youtube.com/channel/UCv7e_Lz-MF3wxRxM68bKo-Q) Follow me on INSTAGRAM @realdonnywood. You can find my guests on social media at: SYRUS: @syrusmtv; CHELSEA: @ohnobravo; TARIA: @weigopodcast; DR. MONICA: @dr.monica Support the show (https://www.buymeacoffee.com/trulyanything)
After cancelling his recording with this week's guest, Donny records this week's episode by himself, but talking to himself is nothing new, so he feels right at home. As always, his dislike for Puck and Rachel is on display, although a DM from a former MTV employee has him thinking deeper about one of them. Then, Pedro & Sean talking to high school seniors reminds Donny of the time he was terrified to start high school because he thought he would be drugged while sending mail. Be sure to purchase TICKETS to my 90s/2000s trivia on May 14 at 8:30ET/5:30PT! 5 rounds of nostalgic trivia! A celebrity guest from the 90s answering a full round! Prizes for the winning team! (https://www.eventbrite.com/e/90s-and-2000s-trivia-via-zoom-tickets-151735341491?ref=eios) Watch interviews and clips from "Truly Anything with Donny Hadfield-Smith" on YOUTUBE! (https://www.youtube.com/channel/UCv7e_Lz-MF3wxRxM68bKo-Q) Follow me on INSTAGRAM @realdonnywood Support the show (https://www.buymeacoffee.com/trulyanything)
Fresh from Friday's episode of "Mighty Ducks: Game Changers," star of the original movies MARGUERITE MOREAU joins Donny to discuss what it was like stepping back into Connie's skates. They also discuss her time in "Wet Hot American Summer" and "Grey's Anatomy," and what she'd like to see if she revisited some of her other roles. She also shares not one, BUT TWO, Britney Spears stories! Then, Sara Zanville of Be Kind Rewind Events in LA joins Donny for a "Full House" deep dive and to answer the important questions - Why was "Fuller House" cornier than the original? Why did Joey live under the stairs? Who would you kick out if you had to move in? And most importantly - what is your dream TGIF lineup? If you enjoyed Sara and me together, be sure to purchase TICKETS to our 90s/2000s trivia on May 14 at 8:30ET/5:30PT! 5 rounds of nostalgic trivia! A celebrity guest from the 90s answering a full round! Prizes for the winning team! (https://www.eventbrite.com/e/90s-and-2000s-trivia-via-zoom-tickets-151735341491?ref=eios) Watch interviews and clips from "Truly Anything with Donny Hadfield-Smith" on YOUTUBE! (https://www.youtube.com/channel/UCv7e_Lz-MF3wxRxM68bKo-Q) Follow me on INSTAGRAM @realdonnywood Support the show (https://www.buymeacoffee.com/trulyanything)
Frank and James preview the big upcoming weekend in football and eating! They are first joined by Nick Wehry (1:26 mark) to talk about the Big Game Snackdown presented by Draft Kings slated for 4:30ET on Sunday 2/7, and what to expect from this 8-food competition. With the event scheduled to stream on Youtube/Twitch, it makes for a great 8-minute watch before the Super Bowl itself! Brandon Lerch then hops on (~26 minute mark) with the fellas and he's got receipts before previewing SB LIV for his Buccaneers! They talk props, predictions, and more surrounding the big game including the keys for Tampa Bay to bring home Brady's 7th ring! Finally the co-hosts jump into the volatile market conditions amid the rise of meme stocks and what led to it, and what the future might hold! To polish things off, the duo run through this year's Lockies to congratulate the earners of the COVID-ridden 2020. SOTW: Valentine's Day from Misterwives and Afterglow by Ed Sheeran --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app
February 3, 2021 – In this episode of Food in the News, we discuss Super Bowl foods and snacks! Well, Tom Brady has done it again. This time leading the Tampa Bay Buccaneers to Super Bowl LV (55) against Patrick Mahomes and the Kansas City Chiefs. While you're probably not in Raymond James Stadium in Tampa Bay to watch the game, you'll at least be home enjoying some great food and snacks. We share some of our favourites, but also let us know yours. The game starts at 6:30ET.
A slew of guests including Dennis Trusty, Andrew (Roadwarrior), Greg (Murphey), Mike McEntire (Gorgonzola) and STUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU (SHOUTOUT TO KEEP_POUNDING!!!!) join Josh to talk through all of Saturday's Breeders' Cup races. Josh and the rest of the crew will be livestreaming on Thursday and Friday at 7:30CT/8:30ET on Youtube. Support OTWL by signing up for AMWager and earn 10% back, up to $500, on all exotic and win bets made in your first 30 days! Click the link below: https://www.amwager.com/?amwaffid=OnTheWrongLead
Greg (aka Murphey) joins Josh to talk through all of Friday's Breeders' Cup races. Podcast for Saturday's races will be up Wednesday night and we will be livestreaming on Thursday and Friday at 7:30CT/8:30ET. Support OTWL by signing up for AMWager and earn 10% back, up to $500, on all exotic and win bets made in your first 30 days! Click the link below: https://www.amwager.com/?amwaffid=OnTheWrongLead
Laurel McGoff joins the KNN boys for a very special deep dive into her time on Kid Nation: fun stories that weren't shown, what the other pioneers were really like on set, behind the scenes secrets, life outside the show, and we finally get to know if Jonathan is REALLY Taylor's dad!! Thanks again to Laurel (who you can find @laurel__mcgoff1 on Twitter and @laurelmcgoff on Instagram) for kickin' it with us! Catch our livestreams on Thursdays at 9:30ET/6:30PT at twitch.tv/radishstuff
In our newest mini episode, Haley chats with returning guest Abbie Fish, founder of Swim Like a Fish Coaching and virtual swim coach. Abbie introduces us to three new swim exercises that will be sure to give your current swim-at-home routine a refresh while the pools are closed. Plus, Abbie shares information on her free virtual dryland classes, available every day at 1:30ET at freedrylandclass.gr8.com. For a visual demonstration, be sure to catch the video version of this episode on the Live Feisty YouTube channel!
Your host Scott Beutjer sits down to chat with Chad Hoover & Jason Broach. The weigh-in is a live weekly check-in on the pulse of the kayak bass fishing community. We check in on tournament winners, anglers, and industry influencers and developers. This show is for the fans by the fans; we would love for you to weigh in with your thoughts and opinions with us every Tuesday night at 8:30ET. --- Support this podcast: https://anchor.fm/sbweighin/support
Your host Scott Beutjer sits down to chat with Matt Ball, Dusty Yakker, & Drew Greggory about the FLW KBF Cup.
Your host Scott Beutjer sits down to talk with the first ever FLW KBF Cup Champ Clint Henderson.
Your host Scott Beutjer sits down to chat with Chad Hoover.
Your host Scott Beutjer sits down to chat with Jeff Isham & Josh Stewart.
Your host Scott Beutjer sits down to talk to Amanda Brannon, Kristine Fischer, & Mel Isaacs.
Your host Scott Beutjer sits down to chat with The Perkins Boys, Parker Jones, & Gene Jensen.
Your host Scott Beutjer sits down to talk with William Benini & Santos Zepeda.
Your host Scott Beutjer comes at you live from the Bonafide factory and chats with Luther Cifers & Kristine Fisher.
Your host Scott Beutjer sits down to chat with Craig Dye, Dylan Fuqua, and Steve Owens.
Your host Scott Beutjer sits down with Richard Penny from KBF to chat about some changes in rules. He then chats with Pricilla Johnson about the Pan-Am games and more.
Your host Scott Beutjer sits down with Matt Ball and Jermey Baker. Matt checks in from the Pan-Am tournament, and Jermey recaps his St Claire tournament.
Your host Scott Beutjer sits down with three Angler of the Year winners, Jamie Denison, Cody Milton, & Jay Wallen.
Your host Scott Beutjer sits down with Josh Knichel from Dee Zee to talk about Dee Zee and their involvement in the kayak fishing community.
Your host Scott Beutjer sits down to talk with Bogdan Korostetskyi about his win at the FLW/KBF Open on Nickajack Lake.
Send Us Your Confessions And Contact Us At Confession2us@gmail.com Instagram: http://instagram.com/confession2us Facebook: http://facebook.com/confessionsessions Twitter: http://twitter.com/confession2us Live Podcast Sundays AT 7:30ET 6:30CT http://blogtalkradio.com/confessionsession or call (516)595-8282 to join in the conversation! Confession Question: Why In Relationships Do People Have Issue With Their Spouse Making Positive Decisions? Confessionals: XXXtentacion Killer Gets Charged With Murder; Twitter Tale Zola Is Heading To The Big Screen; ABC Is Bringing Back Roseanne Without Roseanne, Called The Connors; Girlfriends Creator Mara Brock Akil Wants To Bring Back The Show As A Movie But Is Tired Of Convincing Studios Of Its Value; Oprah Becomes First Black Woman On Forbes 500 Wealthiest People
Send Us Your Confessions And Contact Us At Confession2us@gmail.com Instagram: http://instagram.com/confession2us Facebook: http://facebook.com/confessionsessions Twitter: http://twitter.com/confession2us Tumblr: http://confessionsessions.tumblr.com Live Podcast Sundays And Thursdays 7:30ET 6:30CT http://blogtalkradio.com/confessionsession or call (516)595-8282 to join in the conversation! Confession Question: What's One Thing Your Parents Never Found Out You Did As A Child? Confessionals: G-Eazy Talks Drug Usage With Girlfriend; H&M Stores In South Africa Destroyed After The Monkey Shirt Controversy; Cardi B Calls Out King Yella For Lying About Having Sex With Her; Eve Talks Lil Kim Throwing Shade At Her The First Time They Met
Send Us Your Confessions And Contact Us At Confession2us@gmail.com Instagram: http://instagram.com/confession2us Facebook: http://facebook.com/confessionsessions Twitter: http://twitter.com/confession2us Tumblr: http://confessionsessions.tumblr.com Live Podcast Sundays And Thursdays 7:30ET 6:30CT http://blogtalkradio.com/confessionsession or call (516)595-8282 to join the conversation! Confession Question: Why Is Bae Not Posting You On Social Media? Confessionals: STD Infections Hit Record High; Representative Al Green Says African Americans Should Stop Going To The White House Until Trump Apologizes; Fake Black Activist Social Media Accounts Linked To Russia; NBA Releases Memo That Players And Coaches Stand For National Anthem
Send Us Your Confessions And Contact Us At Confession2us@gmail.com Instagram: http://instagram.com/confession2us Facebook: http://facebook.com/confessionsessions Twitter: http://twitter.com/confession2us Tumblr: http://confessionsessions.tumblr.com Live Podcast Sundays And Thursdays 7:30ET 6:30CT http://blogtalkradio.com/confessionsession or call (516)595-8282 to join the conversation! Confession Question: Would you be comfortable knowing your spouse's close friend is someone they slept with? Confessionals: Wendy Williams' Husband Caught Cheating; Michelle Obama Says Women Who Voted For Trump Went Against Their Own Voice; Young Dolph Shot; NFL Protests; Jay Z Turns Down NFL Super Bowl 2018 Halftime Performance; Azealia Banks Throws Shade At Cardi B
Send Us Your Confessions And Contact Us At Confession2us@gmail.com Instagram: http://instagram.com/confession2us Facebook: http://facebook.com/confessionsessions Twitter: http://twitter.com/confession2us Tumblr: http://confessionsessions.tumblr.com Live Podcast Sundays And Thursdays 7:30ET 6:30CT http://blogtalkradio.com/confessionsession or call (516)595-8282 to join the conversation! Confession Question: Why is it hard to convince the younger generation to use protection? Confessionals: Man Claims Usher Had Unprotected Sex In A Koreatown Spa; Kylie Jenner Pregnant; North Korea Foreign Minister Vs Donald Trump; Search Warrants Issued Behind Kevin Hart Sextape
Send Us Your Confessions And Contact Us At Confession2us@gmail.com Instagram: http://instagram.com/confession2us Facebook: http://facebook.com/confessionsessions Twitter: http://twitter.com/confession2us Tumblr: http://confessionsessions.tumblr.com Live Podcast Sundays And Thursdays 7:30ET 6:30CT http://blogtalkradio.com/confessionsession or call (516)595-8282 to join in the conversation! Confession Question Of The Day: Is It Okay To Discuss Your Salary With Your Friends? Confessionals: Young Joc Caught In Public With A Dress; Angela Rye And Common Go Public; Pizza Hut Threatens Workers During Hurricane Irma; Activist Group Leaves Politically Charged Effigies In Richmond Park; Mel B Under Criminal Investigation; Nicki Minaj Lashes Out At Fashion Industry For Marginalizing People Of Color; Kenneka Jenkins; Jemele Hill Reprimanded For Saying Donald Trump Is A White Supremacist
Intro: Breakdown of ETSU-Wofford ahead of their 1:30ET kickoff tomorrow in Spartanburg. Segments 2 & 3 (16:30) - The Route Tree w/ ETSU QB Austin Herink... Has ETSU Football played a game on a Friday in the last 15 years? Yes, just one month ago, but don't tell Herink and The Sidekick. Also, a preview of Bucs-Terriers. Segment 4 (54:15) - Bold Predictions
I am SO excited to bring you this show today! We are going to talk about the ONE strategy that has impacted my sales the most this year! I'm super passionate about this topic. Honestly, I try to talk about this strategy with business owners everywhere I go. I constantly want to convince more people to use this strategy because the difference it has made for me is seriously crazy-cakes. Do you have a guess as to what it could be? Knowing me, you might think this strategy is Facebook ads, but it's not! I love this strategy because it's approachable and affordable for business owners. Facebook ads are how I get customers in the door, but this strategy is how I build relationships and sell the things I want to sell. The strategy is hosting webinars. I know you've probably heard a lot of online business owners talk about webinars over the years, and maybe you already have decided opinions about them. If you're rolling your eyes at this point and thinking, "Webinars aren't for me. Business mom out," I need you to give me a few more minutes -- and I am pretty sure I'll change your mind. :)

The Numbers Speak For Themselves (3:26)

If you'll give me the chance, I'm going to talk about the 6 big webinar myths I hear all the time. I'm going to debunk them and teach you the truth about making webinars work for your business. I have crazy-cool stats to share with you that speak for themselves. This past year, Brilliant Business Moms has grown an insane amount. I'm still trying to wrap my head around it! Chris and I finally sat down and did the books, like responsible business owners, and figured out where our sales were coming from. We've had $285,000 in revenue (sales in the business). $201,000 of that was from sales of my online courses. So, the courses I sell are: Brilliant Pin Promotion, FB Brilliance, and a brand new course coming soon! The other $84,000 in revenue was primarily planner sales. And keep in mind planner season flows into 2017.
So we had an awesome season, but only part of the tally accounts for 2016. Other revenue was made through some shop sales and affiliate sales. (Hint, hint... guess how I make my affiliate sales? Webinars!) Over 2/3 of my income came from course sales. And literally the main way, about 90%, of my course sales have been through webinars. People come to a free class that I hold around a given topic, they get to know me and trust me, and they get value out of that free class whether they purchase anything or not. And then a good portion of those attendees decide they're ready to take it to the next level. They think, "If this is her free class, I know her course will be awesome!"

Webinars for Physical Products (6:23)

And I have to tell you, I was very close to doing a webinar to sell my physical planners. So if you're a business that sells physical products, please don't turn this episode off! I have a lot of thoughts and ideas for you. (In fact, that'll be one of the myths we debunk!) This strategy 100% applies to you. I was really close to doing a webinar to sell my planners. But to be honest, it takes a couple weeks to create a really great webinar, and the planners were selling more quickly than I anticipated. I was nervous that by the time I got my webinar together, half of the planners would be gone. The main reason I didn't do a webinar to sell planners is because the Brilliant Life Planners sold too fast. (A good problem, but still a problem!) For our next planner season, I'll get the planners to my doorstep much sooner and will absolutely make webinars part of my selling strategy.

Proving Webinars Are Powerful (8:49)

I want to share a few stats to prove to you that webinars are crazy powerful. One of the ways I filled my webinars with happy students was with Facebook ads. We're talking about getting people to attend my free class, and my goal was 2,000 signups. Keep in mind I'm only running these ads to cold traffic.
These are 2,000 brand new people through the door who knew nothing about me before seeing a Facebook or Instagram ad. On average, I'd spend about $4,000 on advertising to get the 2,000 people. And I'd make about $8,000 in sales, so the profit margin is 50%. You more experienced business owners may be looking at that 50% profit margin and thinking it's way too low. And I get it. It's not awesome per industry standards, but I was mostly excited about getting to know a new audience. I spent $4,000 to get 2,000 new email signups, and I made $4,000 profit. I felt really good about that! On average, that's 63 course sign-ups out of those 2,000 webinar sign-ups. With these numbers I'm getting about a 3% conversion rate. People who are insanely good at webinars and have it down to a science can get way higher than 3%, but I felt amazing with these numbers! Because guess what? Those sales were to people who didn't know me before that webinar! One stat you'll see floating around online marketing looks something like this: Let's say you've built an email list and worked hard to have a relationship with that list. The best practice is to nurture the list over time, and then send out a ton of messages pitching your product. Conservatively, you should estimate a 2% conversion rate from those efforts to people who already know you. But I hung out with total strangers on my webinar and got a 3% conversion rate. That blows my mind! The first time I launched my FB Brilliance course, in July, I brought in 125 course sales from about 3,000 webinar signups, and those were from my email list of about 20-25K people. It was a pretty straightforward process: I emailed my list a few times, and about 3,000 people took me up on my offer. I only pitched my course and bonuses to the people who signed up to my webinar. I probably should have pitched it to my whole list!
I didn't go through all the motions of building anticipation and hints, or make tons of calls-to-action. I just said, "Let's do this!" and got the webinar out the door. And I had a 4% conversion rate! I'd rather do this method than bug my list like crazy for only a 2% conversion rate! Webinar sales always blow my email sales out of the water. It's just more effective. Here's one more non-webinar example. My current list has 50,000 subscribers. Only 1,600 of them purchased a planner, and a lot of these people are brand new. Many of those 1,600 weren't already on my list, but I didn't do a webinar on time management or goal setting. That conversion rate is 3%. It's better than the standard 2% conversion rate. But it also happened over a couple of months. It happened with loads of social media posts and emailing. Lots of buildup and time and content to get that 3% conversion rate from my list. Whereas, I probably could have just created an awesome webinar around goal setting and time management and had a much higher than average conversion rate. Are you excited for the potential of webinars!? I really hope that you are. Webinars are fabulous because not only will you get to show off your personality and knowledge - and get to know your audience - but also your audience becomes your friends. It's so much fun that your attendees want to walk away from the class to take action.

Alright, let's get started debunking 6 Webinar Myths, plus I'll give you the Truth About Making Them Work For Your Business.

Myth #1: I need to be great at public speaking. (17:33)

It happens all the time. When I start talking about how great webinars are, people panic! People (usually introverts) think that in order to put on a great webinar they have to be fabulous at public speaking - not true! First of all, I am not great at public speaking. Yeah, I'm a Chatty Cathy, but I'm not great at public speaking. I'm a rambler, you guys! That's just as bad as the person who doesn't have enough to say!
I have so much work to do when it comes to upping my public speaking game. In terms of my experience, how many times have I been on a stage speaking to a large group of people? Maybe twice. The only time I can think back on is when I was part of a mission program with my college. I spent a couple months volunteering at an orphanage in India with a mission project. And when I came back I had to speak at a chapel service about my experience. It was supposed to be an inspirational 20 minute talk, explaining what we did and inspirational insights from the Bible. At the time, I was a molecular biology major. I had no background to be inspiring! So that's one public speaking experience. Recently I did a breakout session at the Business Boutique conference in Nashville. This was in front of maybe 35-45 people. To be honest, I find that setting WAY more intimidating than a webinar, or my chapel experience, because of the close proximity. My biggest fear is that I'm going to accidentally spit on someone in the front row! But keep in mind, this Business Boutique event didn't even happen until after I fell in love with doing webinars! I am not a public speaking expert, and I haven't taken a single class on public speaking. Think about recording a podcast; it's a totally different environment. We have editors to make us sound way better than we really do, when I was recording with my sister we had each other, and we had another person doing most of the talking! Podcast recording is not really public speaking. Here's what I would say if you think you need to be great at public speaking, or have a natural speaking talent: practice is what makes you great at webinars. That's been my experience and it's what others say, too. The cool thing about a webinar is that you're the boss! You decide what you want to talk about. You create your slides, which remind you of what you want to say. And you get to practice as many times as you want.
As you practice, the flow will become increasingly natural. Even though I recommend you show your face in the webinar, you aren't looking out on a crowd of faces! It takes away the intimidation factor. And if you need to, you can hide behind a slide and not show your sweaty pits or wardrobe malfunction. Webinars are actually the perfect way for an introvert or a shy person to share their skills and knowledge. I know you'll get amazing at doing webinars if you just practice crafting the right kind of presentation. Now that I've done tons of webinars, an in-person event or a mixer is way scarier than a webinar!

Myth #2: I have to sell an online course to make a webinar work. (24:50)

I hear this myth all the time! Of course webinars are great for selling courses. I've done it, and I know lots of online business owners who are selling courses through webinars. But here's the thing. I think you'll stand out even more and be really surprised at your results if you use webinars to sell whatever it is you already sell online. Whether you sell ebooks, physical books, homemade baby goods, whatever the case is, I think that you can make a webinar work for you and your business. I've seen webinars work well for book launches. You could teach a topic related to your book, do an author Q&A, and maybe offer a juicy incentive like a book giveaway every 15 minutes for all live attendees. Sarah and I used webinars to launch our very first planner. We talked about how to balance a business and family during the presentation, and at the end of the webinar we had a special coupon code for our brand new planner. We only had a few thousand Facebook fans, less than 5,000, and our email list was maybe 1,200 people. We had about 100-200 people sign up for each webinar (one in the morning and one in the evening). Only 20-30 people showed up live; our live attendees had so much fun, gave thoughtful and encouraging comments, and about 10 people from each webinar purchased a planner!
That's a great conversion rate, about 50%. (How would it feel if you made 20 new sales a day? It's pretty exciting!) Another benefit of the live webinar is that we could answer questions. I'm thinking of so many products that I would love to get help answering my questions about before I purchase. For example, I would love to know how to do a baby wrap. I just bought one, and I have no idea what to do with this thing! I feel like I need to practice 100 times with a baby doll so I don't drop my real baby! What if a baby wrap business offered a free class on wearing your baby and getting life done? If I saw an ad for a class like that, I would sign up for sure. And I would be a super loyal customer, because they took the time to teach me how to use their product. If you sell a physical product, think about the help and value you can add by doing a webinar. I've got a few examples to get your wheels turning :) Julie Fuller of Tokyo Blossom Boutique has a fun shop and sells awesome, adorable planner accessories. Julie is super creative and has gorgeous handwriting. She decorates her planners and totally blings them out! Her planner pages look really pretty and classy. Julie is going to create a course on planner decorating. She could do a webinar showing 5 quick ways to make your planner beautiful and functional, and it'll lead right into her course! Even if her course isn't ready right away, who am I going to buy planner accessories from? Julie, because she is going the extra mile and rocked my socks off in her webinar! (And by the way, I'm totally giving my biz friends assignments right now! LOL) Melissa Kaiserman of A Time for Everything sells cash envelope systems for people on the Dave Ramsey plan, or other cash budget systems. Now, Melissa already does awesome and her sales are fantastic. But what if she did a budgeting webinar? Or a webinar on how to set up a cash budget that will work for you and your family? I think the webinar sales would blow her away!
What about you? How can you use a webinar for your product in a way that makes you insanely helpful? When your customers get to know you and form a relationship with you, it would be really tough for them to switch and go to someone else. And even if they found a product they wanted from someone else, you'd likely get their feedback to improve your product!

Myth #3: You need to have expensive tools and programs to run a webinar. (34:16)

(And yes, we're just at Myth #3. I told you I'm not a skilled public speaker. I'm a rambler!) I'm sure you've been to webinars where hosts are using Webinar Jam or GoToWebinar. If you've Googled these tools, you know they are expensive. Plus, the more people you have, the more expensive they get! News flash: you don't need those expensive tools to run a webinar. Here are the tools I use to record my webinars:

- A Yeti microphone, which you can get for around $100. (You can also get a Snowflake microphone for around $35.)
- My computer. (Obviously! Hopefully you already own one, but if not you can get a decent laptop for a couple hundred dollars these days.)
- YouTube Live Events, using your YouTube Business account. (Which is basically like the new Google Hangouts. It's free!)
- Leadpages for my webinar landing page. (This is a paid service, but you can easily make a page on your own site.)
- Chatango for my chat option. (Which I embed on my Leadpages webinar page, and could easily be embedded on any webinar page. Also free!)
- Google Slides for my presentation. (This is part of your free Google Drive tools. Can you believe it!?)
- ConvertKit, which is my email service provider, because you want to collect signups. (An email service provider could be your biggest expense. MailChimp is free for the first 2,000 subscribers. Sarah and I used MailChimp for our first webinars!)

I did choose to invest in video lights for night webinars, but you don't have to do that.
If lighting is a concern, just make sure to host your webinars during the day to use natural light. That's really all you need! If you're really on a barebones budget, just grab the basics: a microphone, MailChimp, and your website to embed your video and a free chat box--and you're good to go! I feel like there's more room for things to crash with fancy systems. I've been to a lot of webinars where things go crazy. It seems that the more tech you have, the more you can get bogged down. Google Hangouts has only failed me one time in a couple of years. Bottom line: hosting your own webinar is really affordable if you need it to be!

Myth #4: You have to be great at selling and marketing. (39:57)

A lot of people think they need to have that obnoxious salesman personality in order to make the webinar work. Maybe you're sitting in your chair right now thinking, "The thought of selling to people live freaks me out! I can't do it!" Take a deep breath, because I DO recommend you offer something for sale at the end of your webinar! But I DO NOT want you to be sleazy or salesy! First and foremost, whether or not people buy from you, people should walk away able to take action and have a quick win. You want to focus on fabulous content and solid teaching. And what you can do in a webinar that you can't really do without video is show off your personality! You get to be you in all your glory. Part of the fun is people seeing your mistakes, and that you have a sense of humor and can handle the mess. If you're afraid that your personality stinks, or you have quirks, know that there are people out there who jive with it. And guess what? They think your quirks are the most amazing thing about you! Here's an example: We've established that I'm super chatty and wordy and ramble on and on. I always get people who comment in webinars, "She talks too much." But I ALSO get people who say, "I love that you want to explain things in detail, it feels real that you're real."
If they don't love you, they aren't your ideal audience. How do you make friends in real life? You make friends by hanging out with people and having a real conversation. It's hard to have a relationship just off of letters, emails, or Facebook posts. The most genuine relationships happen when a real-life conversation is happening. Webinars are the next best thing to a face-to-face conversation with people from all over the world. The other thing I want to say about selling is that there are formulas, or specific steps, you can take your customers through that really feel seamless and natural and lead to a sale. You get to be you--talking in your normal, non-salesy voice--and you'll get way better at it and more comfortable the more you do it. You're approaching this sale from a place where you just taught people tons of awesome stuff, and you want to help them take their business to the next level. You're excited to share your product with them, and you have confidence that your product will positively change their life.

Myth #5: You need to have a huge audience. (46:53)

I hear this a lot from business owners: "I'm not ready for a webinar because I don't have the budget to spend on Facebook ads. My audience is just too tiny. I'm nervous that if I offer a webinar, it will be me and one other person." For my first webinars with Sarah, we had a small group, but we had a great time. I promise even if only 5 people show up, you'll have a great time! You'll get amazing practice, plus you can take the replay and use it in other situations. You could send your replay to your list, or use it as a thank you to new customers or email subscribers. It's not a waste even if no one shows up, because you can use that recording in other ways. The other thing is that webinars are a great way to build your audience. The more webinars I do, the more new attendees I get who say, "My friend told me I just had to attend your class."
I get emails and Facebook posts all the time from people asking for the next class! People will tell their friends about your fabulous webinar. Promise! Another thing I share about webinars I am hosting is how fun it is to hang out with like-minded people live. I love all the chatting between business moms, and when they start to collaborate with someone they've just met. It's fun to know that in this often lonely online world you can meet up with people in real time. That's the incentive for signing up for a webinar. Customers don't get to connect or communicate with you when they grab your checklist or cheatsheet. Webinars are an incredibly powerful form of communication!

Myth #6: Webinars are overdone, and just a trend. (53:20)

Some people think webinars are just a fad. "As soon as I jump on the webinar train, webinars will be overdone and old news." Not true! I completely acknowledge that the format webinars are given in, the structure, the tools used to put them on, may change over the next decade. Sure. Absolutely. But building relationships with your customers on video? That's not going away, you guys. You see it all over. Facebook Live, Instagram Stories and Instagram Live, Snapchat, and YouTube (which feels like it's been around forever) aren't going anywhere. Selling and building relationships with your customers via video isn't going away. When you dig into webinars you'll realize that you're building skills you can take with you for the long haul. I think one of the reasons I'm really comfortable hopping on Facebook Live at any given point in the day is because I do webinars all the time. It becomes second nature. While we're on the subject, you could technically do a webinar just using Facebook Live. At this point it would be tricky to have a clean, polished slide presentation. But something like a baby wearing demo, craft project, Q&A, or a product launch would be great!
Just set up your phone with the right kind of mount and do the webinar right there. You could be commenting in the chat, giving people links, and telling them where to go to find your product. A webinar is simply using video to provide awesome value and sell a product. That's not going away. There are more and more people in this online marketing space using webinars to sell. You may notice your feeds are inundated with offers for free classes and lessons. But there are so many niches out there where hardly anyone is doing webinars! (Maybe yours is one of them!) Plus, I don't care who's doing what! I'm confident my webinar is way better than anyone else's. So I'll keep putting them out there, giving a lot of great value, and people will tell their friends. People who are in other niches outside of the online marketing space have a great advantage. I don't know about you, but I have loads of friends on Facebook who are body coaches. Let's say, after giving myself time after this baby comes, I want to get back in shape. Maybe I want to try a beach body program and get into a challenge group. Well, I've got 15 friends who are all selling beach body programs. How do I decide which friend I pick? (Hint, hint: There are 1,000s of others in your niche selling something similar to you! How will you set yourself apart?) I'm going to pick the friend who seems most passionate about her product and who walks the walk. I'm going to choose the one with the most knowledge and expertise, and not just fluffy duffy tips. And honestly, at the top of my list is the friend I relate to the most, and really like the most--because that's the person I'm going to have a great working relationship with. You've got to be the person in your space with the most knowledge and the most passion, who walks the walk, and who people really like. But that's a lot to live up to, right? It's a lot to cover in word format--social media posts and blog posts.
Webinars are a one-stop shop: you can accomplish all of this in an hour, and have people who all of a sudden know you and like you and think you're the real deal.

5 Days to Craft Your Brilliant Webinar (1:05:50)

There it is. We just busted the 6 myths about doing webinars. How are you feeling? If you're ready for next steps...take a deep breath. Don't stress. I've got you covered! I'm actually doing 5 Days to Craft Your Brilliant Webinar next week. It's a free, live video series on Facebook Live. Monday, February 13th - Friday, February 17th, I'll be on Facebook Live every day at 9:30am PST / 12:30ET with tips every day on how to craft your very own webinar. After watching this series, you'll have the framework in place to get started growing your business with webinars. To prepare for this free video series, go to brilliantbusinessmoms.com/webinarguide to grab my free 5 Days to Craft Your Brilliant Webinar Guide, which includes all you'll need to follow along with the videos, plus worksheets and cheat sheets. So grab that now, before we get started Monday the 13th, to be super prepared for our 5-day class. By February 17th, you'll feel awesome about hosting your first webinar.

Don't Forget To Enter Our Giveaway! (1:04:36)

Before you go, don't forget about our Podcast Relaunch Giveaway! I'm giving away access to FB Brilliance (our Facebook Ads course), Brilliant Pin Promotion (on Pinterest marketing), a Lily Jade bag, and a Brilliant Life Planner. Just subscribe to the podcast on iTunes and leave an honest, clean review by March 6th to be eligible to win one of those amazing prizes. Now it's your turn to head out there and be brilliant!
Last week, Alpesh Shah of Presidio joined us to discuss law firms and technology. With big data, ediscovery, the cloud and more, it’s of growing importance that law firms leverage technology so that they can better serve their clients. And in doing so, law firms can spend more time doing “lawyerly things” and, um, more billing. Hallmarks of this episode include:

- why it’s critical for law firms to leverage technology
- why clients demand that law firms care about data security
- the extra steps law firms need to take if they want to work with healthcare providers and financial institutions

Want to learn more about Presidio? Visit them online. Or better yet, email Alpesh Shah at ashah@presidio.com.

Subscribe Now: Join us Thursdays at 1:30ET for the Live show on YouTube, or use one of the links below to add us to your favorite podcasting app. iTunes Android RSS

The post Bring Your Geek To Court – IOSS 22 appeared first on Varonis Blog.
We were thrilled when pen testing veteran Ken Munro joined our show to discuss the vulnerabilities of things. In this episode, Ken reveals the potential security risks in a multitude of IoT devices – cars, thermostats, kettles and more. We also covered GDPR, Privacy by Design and asked if Ken thinks “The Year of Vulnerabilities” will be hitting headlines any time soon. Munro runs Pen Testing Partners, a firm that focuses on penetration testing of the Internet of Things. He’s a regular on the BBC, and most recently, he was interviewed by one of our bloggers, Andy Green.

The post The Vulnerability of Things – IOSS 21 appeared first on Varonis Blog.
Whether you’re a proponent of open-source or proprietary software, there’s no doubt that the promise of open-source is exciting for many. For one thing, it’s mostly free. It’s built and maintained by passionate developers who can easily “look under the hood”. The best part is that you’re not married to the vendor. Yes, there are many helpful open-source security tools as well as awesome projects based on Go. But lately, there has been a controversial case of open-source ransomware. Originally created to educate others about ransomware, it’s turned into a mashup ransomware without a way to backdoor the decryption key. In this episode, we discuss the benefits and shortcomings of open-source, a throwback to our passwords episode and more!

The post Go Open Source! – IOSS 20 appeared first on Varonis Blog.
After reading about an IT admin at a large bank who went rogue, we put on our empathy hats to understand why. And in this episode, we came up with three reasons:

- Instead of being recognized as a revenue generator, IT is seen as a cost center
- Despite all the tests and certificates, IT people aren’t as valued as, say, doctors or lawyers
- And lastly, IT people are often overworked and underappreciated

Could changing the way you dress and improving your communication style be the answer? What do you think? Let us know!

The post Moods and Motives of a Smooth Criminal – IOSS 19 appeared first on Varonis Blog.
Hackers, executives, military folks, IT people who work in insurance, even cab drivers all had something to teach us about security and privacy at the latest Black Hat event in Vegas.

The post Excellent Adventures at Black Hat – IOSS 18 appeared first on Varonis Blog.
Going from policy to implementation is no easy feat, because some have said that Privacy by Design is an elusive concept. In this episode, we meditated on possible solutions such as incentivizing and making privacy the default setting. We even talked about the extra expense of having a Privacy by Design mindset. What do you think about going from policy to implementation? Share your thoughts with us!

The post More Articles on Privacy by Design than Implementation – IOSS 17 appeared first on Varonis Blog.
If there’s something strange on your network, who should we call? The security team! Well, I like to think of them as Threatbusters. Why? They’re insatiable learners and they work extremely hard to keep security threats at bay. In this episode, we talk about awesome new technologies (like computer chips that self-destruct and ghost towns that act like honeypots), how to get others within your organization to take security threats seriously, and awesome threatbusters that are doing applause-worthy work.

The post Threatbusters – IOSS 16 appeared first on Varonis Blog.
When technology doesn’t work when it should, is it a tech fail? Or perhaps, because humans are creating the technology, should fails more accurately be called a human fail? In this episode, we discuss various types of “fails”, including the latest popular Pokémon Go, why we can’t vote online and the biggest fail of all, a data breach.

- Pokémon Go full access, tech fail or win
- Is it possible to delete an entire company with one line of code?
- Why can’t we vote online?
- Should one person be blamed for a tech fail?
- Technologies that can predict your next security fail
- Parting Gifts

Pokémon Go full access: tech fail or win?

Cindy: This week, I’m calling our show #techfails. But in preparing for this show and thinking deeply about our fails, I just want to echo what Kilian has been voicing these past couple of episodes, that when our technology fails, like for instance if my Skype for Business isn’t working, then my first thought is, “Oh, it’s a tech fail. I can’t believe it’s not working.” But we’re the ones creating the technology. So, for me, it feels, at the end of the day, like a human fail. Let’s discuss this and debate it for a bit. To set the context, there was an article in the Harvard Business Review, and it eventually turned into a LinkedIn post too. It’s titled “A New Way for Entrepreneurs to Think About IT.” It said that IT’s primarily known as a necessary evil, IT support or IT as a product. With many different types of technologies at our fingertips, we can really do a blend of both. For instance, APIs have really changed how firms interact and share information with each other. And we really take this for granted these days, because back then you’d have to get permission from legal to sign contracts before experimenting with partnerships. Now you can easily partner up with another service via an API or use OAuth. It’s really increased our productivity, but it can also have some potential problems if we’re not careful.
For instance, if you downloaded Pokémon Go earlier this week, you might have given it full access to your Google account. That meant that the Pokémon people could read all your emails and send out emails for you. But since then they fixed it. I think, Kilian, they fixed it pretty quick.

Kilian: Yeah, in about, I think, 24 hours, more or less, they had a patch out that addressed it already. I think, as opposed to a technology fail, that might be a technology win, for a company really taking these concerns seriously and addressing it as soon as it’s kind of brought up.

Mike: Before we get into that, I just want to know, what’s your guys’ level? How have you been doing on Pokémon Go? Have you been getting out there, doing your Pokémon?

Cindy: I’ve been…I actually downloaded it at the office. And I could have thrown something at somebody, but I didn’t. I’m like, “Well, I’m just doing this for work, so better not start running after people and throwing stuff at them.”

Mike: You couldn’t convince the rest of the office that playing Pokémon Go was part of your job?

Cindy: Actually, we had a mobile photography class earlier this week, and Michelle, our HR person, was walking around telling people that Pokémon’s gonna be there. She was doing that for me.

Mike: Nice. How about you, Kilian, have you tried it?

Kilian: No, I haven’t downloaded it. That would require going outside and interacting with things, maybe.

Mike: The first couple ones show up right around you. And I think this is kind of where I was going with this, which is that a lot of this…in terms of tech fails, this is really about managing complexity. In terms of IT, trying to manage these external services, it’s about managing complexity on an organizational level instead of a personal one. Because when you think about what is involved for this stupid game of Pokémon Go, you’re talking about interacting with geosynchronous orbital satellites for GPS, the internet to get all these apps, these multiple different services.
And to pull all that together requires this huge thing. The security issue came about because Google was asking for OAuth access, and that’s just when you use Google to log into it. You log in with your account and it has these things. And it’s so complex because even though it doesn’t look like it, it actually uses Google Maps data underneath. A trick you can do is, if you have Google Maps installed on your iPhone, you can enable offline map access. And in order to achieve the app-to-app communication on your sandboxed apps on the iPhone, it needs all these extra permissions, and it’s just insane trying to make that work. It’s so easy when you’re building something to just be like, just give me all the permissions, and we’ll slowly back it down until where it’s supposed to be.

Cindy: Do you think this is kind of like, “Okay, we’re gonna use an external service, and then just not really look at the settings because we’re so focused on making Pokémon Go just a wonderful experience?”

Mike: Well, that’s the consumer side. The level we work at, people try to look at something like Amazon Web Services, which this article mentions. It is fantastically complex. It’s something like 60 different individual services that do individual things and also overlap with other ones where like, oh, there’s like six different ways to send an email with AWS. There’s 20 different ways to put a message in a queue to be picked up by something else. Just trying to wrap your head around like, what actually is it doing, is just insane. And it’s possible to do the stuff. I think it’s just a really hard equation of, “Do we bring this in-house and have a dedicated person for it?
Is that more or less of a threat than having this outside?” Something I see a lot of is…coming more from the app side of things is, people swearing up and down that, “I’m gonna get on a virtual private server somewhere for ten bucks a month, put my own version of Ubuntu on it and keep it up to date.” And it’s really hard to imagine that that is as secure as having a dedicated security team at AWS or Heroku or one of the other Azure platforms as a service. It’s that same scenario, sort of, at the organizational level, that either it’s a tremendous amount of effort to maintain and secure all those things yourself, or you’re essentially paying for that in your service contract.

Cindy: I think those are all really good questions to ask, and it requires a huge team.

Is it possible to delete an entire company with one line of code?

Cindy: I kind of want to transition into another fail that’s different than asking good questions and figuring out the architecture. The next fail is a fail on many different levels. It would be interesting for us to discuss. Back in April, there was an article published and shared over 65,000 times when a small hosting company with a little over 1,500 users said that he deleted his customers’ hosted data with a single command. Then later we found out that he was just trying to market his new Linux service for his company. And then people were outraged, “He didn’t do a better job backing up,” they were outraged that he lied to Server Fault, like a community that really helps one another figure stuff out. It’s security, and backing up, and just technology, it’s complicated. I was a little skeptical reading the article with the headline that said “One Person Accidentally Deletes His Entire Company With One Line of Bad Code.” As you’re responsible for hosting data, you should have multiple backups. One of my favorite comments is, how do you even accidentally type that you accidentally deleted stuff?
What are your thoughts and reactions to this article?

Mike: Kilian, you want to go? I have my own thoughts.

Kilian: Sure. First off, that’s a terrible job of advertising. I don’t know what he’s advertising for. Like, “Host with us and I might break your stuff.” I think the point he was probably going for is that it’s easy to make mistakes, so get a dedicated person that knows better. But I don’t think that really came across. For the actual command itself, a lot of people are in such a hurry to automate and make things easier that it is easy to make mistakes, especially, as Mike mentioned earlier, with these vastly complicated systems with dozens of ways to do the same thing. The more complex the system gets, the easier it is to make a mistake. Maybe it could be that disastrous. But a lot of things really have to go wrong, and kind of poor decisions made throughout the chain. But it’s conceivable that someone could have done that.

Mike: Specifically, to the question that’s asked on Server Fault, which is like a question and answer site for these issues. There’s a lot of utilities that can either take a single or multiple different directories as arguments. So you say, “Hey, copy these two things,” or “Copy this one thing.” And so, in this, the person, they put a space so they have like: /pathfolder /. And so, that last slash got interpreted as the root of the volume they were on. And so, hey, we just destroyed everything, and everything includes all your keys and stuff. Something we talk a lot about in here is layered security, but you need layered backups and recovery as well. That was really the answer to this, is that they were on a virtual private server. In addition to just backing up the local data, their database, the files on it, it takes system images of your entire VPS and keeps it somewhere else. I am incredibly paranoid with backups, especially backups of systems like this.
So I always try to even just get it out of the system that…if it’s on…in this case, it was Hetzner, which is a European hosting system, that you get that out onto S3 or you get it out onto Rackspace Cloud or something else, just to try to make that a better scenario.

Kilian: That’s a great point, is having multiple different…you can’t have one single point of failure in a system like this. Otherwise, you could be very vulnerable. Even for myself when I, for example, back up pictures off of my camera, I have to go to my laptop, I have to go to a network share, and then I have a separate hard drive that I plug in just for that, and then unplug and put it away afterwards. So I have three different places for it. Not that they’re that valuable like a hosting system, but silly things happen sometimes. You know, if I lose power or have a power surge, and I lose two of my systems for some reason, I still have that hard drive that’s sitting in a drawer.

Mike: I have a lot of discussions with people where they have backups and this very elaborate system. They’re like, “All right, I have my local network attached storage here, then I got this ‘nother server, and then I rotate them and do all this stuff.” That’s awesome until their house catches on fire and they lose everything. And that’s the stuff you have to think about. It’s like these things come in in weird ways, especially since everything is so interconnected and everything is so dependent upon each other that you can just have these weird cascading levels of failure. And from very crazy sources of stuff. Like, DNS goes…like a DNS server gets a DDoS attack. And then that actually ends up taking down like a third of the internet just because everything is so connected.

Why can’t we vote online?

Cindy: Our next fail…I want to know if you guys think that our inability to vote online is a human fail or a tech fail. What do you guys think? Or any opinion, really.

Mike: It’s all in the execution, like all this stuff.
That if there was a verifiable, cryptographically secure way of knowing that you could vote, that would be a very positive thing, potentially. It’s a really interesting mix of software and technological concerns, and people, and sociological and political concerns. What I just said about having almost a voting receipt that says, “Great, you used your key to sign, and you have definitely voted for this person and done this thing.” One of the reasons that’s never been done, even on most paper stuff, is that that was a huge source of fraud. In, like, the olden days, when they had voting receipts, you would go and turn them in to your councilman and they would be like, “Great, here’s your five bucks for voting for me in this election.” So that’s just something that’s not done. That’s not a technical issue. It’s certainly possible to do those things, but it leads to all these other unforeseen, I don’t know if you’ve heard of the cobra effect, kind of things, these horrible unintended consequences.

Cindy: I think this article on why we still can’t vote online was just very thoughtfully written. It talked about how it can potentially destabilize a country’s government and leadership if they don’t get voting online right. It was really just like, wow, I can’t believe a researcher at the Lawrence Livermore National Lab said, “We do not know how to build an internet voting system that has all the security, and privacy, and transparency and verifiable properties that a national security application like voting has to have.” And they’re worried about malware, they’re worried about ransomware, they’re worried about being able to go in and track, do a complete security audit. They said something interesting too about how, in the finance system, sure, you have sensitive data, and you can go back and track where the money went more or less, if you have these systems in place.
But you might not necessarily be able to do that with voting, and someone can say, “I voted for so and so,” and then change it to somebody else, and they can’t go back and verify that. There are so many elements that you need to consider. It’s not just Pokémon, or you’re not trying to create a wonderful gaming experience, or you’re not trying to back things up. There are a multitude of things you need to take into consideration.

Kilian: The one big thing, and I think the heart of it, was the need for anonymity in the voting process. That’s kind of the way it was set up to avoid coercion and some other problems with it, is you need to be anonymous when you cast that vote. By putting it online, the real downside is… Like, if you think about online banking, it’s important to know and verify that you are who you say you are, and have a transaction of that entire process so you can ensure…it’s kind of both parties know that the money transferred from X to Y or so on and so forth. And you have the track of the steps. But when you try and introduce anonymity into that equation, it completely falls apart. Because if you have that tracking data going back to somebody casting a vote, then they could be a target of coercion or something like that. Or if the opposition party finds out, they could go after them for not voting for whoever.

Cindy: Yeah, they did that with Nelson Mandela.

Kilian: Yep. And then the other thing too is, as a person casting a vote, if you think about it, you’re kind of trusting the system. It’s completely blackboxed you at that point. So when you click the button and say, “I vote for candidate XYZ,” you have no idea, because, again, you want to be anonymous. You don’t have that verification of the system that says, “Hey, my vote wasn’t changed to candidate ABC in the process.” You kind of have to go along with it. Even if you look back at some of the physical problems with the George W.
Bush election with the ballots not lining up right with the little punches. It was punching for… I forget what the other candidate’s name was.

Cindy: Al Gore?

Kilian: No, no, no. It was like Paton Cannon or somebody. Whoever the third party candidate was. But they were saying, “No, no, I voted for Al Gore…” whoever, but it registered somebody else. They had to go back and manually look at that, and look at the physical paper to see that to validate that. But if you think in a digital system, if you click the button, you have no way to audit that really. Because if the system says, “No, you’ve voted for this guy,” you have no proof, you have no additional evidence to back that up, and that’s the big problem.

Cindy: They actually showed this in “The Good Wife,” the TV show that is no longer around, or they just ended. The voters would go in and they would vote for someone, but then it would also give the other person five additional more votes. I think another thing to…they didn’t mention it, but I think politicians or just that kind of industry are kind of a tad bit slower in the technology side. Because Barack Obama’s campaign really set the tone for using technology and using social media to kind of engage the voters. It’s kind of like he really changed how now politicians are marketing and connecting with people. I don’t know, do you feel like they’re kind of behind? Or maybe that’s just me?

Kilian: My personal opinion is, we have laws that don’t make sense with where technology’s at, because they are slow. We’re still running on laws, and have been prosecuting cases with laws that were made in the ’80s and early ’90s, and even older in some cases, where technology was vastly different than what we have today. This might be off topic, but there was just, I think, a ruling that the Computer Fraud and Abuse Act could theoretically mean that if you share your Netflix password, it’s a federal crime.
Now, that’s open to interpretation, but that was a story I had seen the other day. We have all this technology and it’s evolving much, much faster than the people making the regulations can kind of keep up with it.

Mike: I just want to see a Poke stop at every voting registration.

Cindy: Mike has Pokémon on his mind.

Kilian: It’s great, it’s good fun.

Cindy: Now I have Pokémon…I actually visualized us playing Pokémon at a voting station. That would be interesting. It’s too hot and humid in New York to do that.

Kilian: Vote to vote or play Pokémon.

Cindy: I almost want to say Poke because it’s so hot.

Kilian: Well, to the candidates out there, the first one to get on top of this making a Poke stop at the voting booths in November might seize the election with the youth vote.

Mike: A Pokémon at every pot.

Should One Person Be Blamed For A Tech Fail?

Cindy: Let’s also kind of think about potential fails, though. We’ve seen Target, Sony, the data breaches. And so, when fails happen that cost them their jobs, do you think one person should be blamed for all of it or can we also kind of say, “We don’t have the technology right yet”?

Mike: It’s interesting. What we’re talking about is, there have been a lot of very large data breaches. And what seems to happen is, it happens and then depending upon how much press it gets, the CEO has to resign or doesn’t. Or in the case of the OPM, the director. The parallel that I like to think of is Sarbanes-Oxley, which has had a lot of other consequences. But the big one was that the chief executive has to sign off on the financials of the company. Before, it was always there were a lot of scandals where it was like, “I’m just running the company. My CFO and the accounting group, they were doing their own thing with the funds. And I wasn’t aware that this…” Then we said this like 10,000 pounds of coconuts we had on the dock, they were rotten were actually good. We counted those in the asset, all of those kind of shenanigans.
And just that thought that, okay, the finances and the statements that are put out, that is an executive level sign off, that there’s a responsibility at that level to ensure that those are correct. What we’re seeing is sort of that happening on the IT security side. That maintaining integrity of your customers’ data, of the people you’re responsible for, that is something that the executives need to say is a priority, and to ensure that in any way they can. That if they aren’t doing that, that’s their job, that they failed at their job. Now, looking through these kind of stories, you typically find that the person in charge is not a network security person, because there’s not a lot of people that get their CISSP and then say, “I’m qualified to be CEO.” That’s just not how the normal job progression works. But they need to have people in place, and they need to make sure that the right things are happening, despite not having the personal expertise to implement those, but that they make it a priority and they give budget, and they’re able to balance it against the other needs of the company.

Technologies that can predict your next security fail

Cindy: In order to come back from a security or technology fail…there was an article about “There’s new technology that can predict your next security fail.” They are essentially talking about predictive analytics. I really like a quote that they wrote that, “It’s only as good as the forethought you put into it, and the questions that you ask of it.” If you don’t think about it, if you don’t have a whole team to work on this huge security and technology problem…because there’s only so much you can…in terms of big data, machine learning, predictive analytics, there’s a lot of stuff, a lot of elements that you’re unable to kind of account for. So if you don’t consider all the different elements in security, you can’t build that into the technology that we build.
What are some other things you think that can help companies prevent or come back from a tech fail or a security fail or a human fail?

Kilian: The only thing I could get in my mind there was asking the right questions. For me it’s from Hitchhiker’s Guide to the Galaxy. If you ask it, what’s the meaning of life, the universe and everything, it’s gonna give an answer. But what’s the question you’re really trying to get out of it? That’s all I can think of in my head. I think that’s one thing people get stuck in a lot of times, is asking the wrong questions that they need from their data. I’m sorry, Mike, I cut you off there. You were gonna say something.

Mike: I’m in agreement with you, Kilian, because I think too often the question posed is, “Are we secure?” There’s no crisp answer to that. It’s never gonna be yes, we’re 100% good, because the only way to do that is not to have any data, and not to have any interactions with customers. If that’s the case, then you don’t have a business. So you have to have something. You still have to have people interacting, and the moment you have two people interacting, you’re vulnerable at some level. They can be tricked, they could do anything. And then you have networks, and the networks are talking. So it’s much more about, what is the level of risk that you find acceptable? What steps can you take towards mitigating known dangers? How much effort and time and money can you put behind those efforts? There’s no quick fix. Something we talk about a lot on this is that data is, in a lot of ways, like a toxic asset. It’s something that you need to think about like, “Oh, we have all this extra data. Well, let’s try and get rid of some of it. Just so we don’t have it around to cause us a problem, just so we don’t have it around to be leaked in some way.” There’s lots of different ways to do that and lots of benefits of doing so.
Parting Gift

Cindy: Now in the parting gift segment of our show, where we share things we’re working on, or something we found online that we think our viewers and listeners would appreciate. I just read that Chrysler, the car brand, is offering a bug bounty between $150 and $1,500 for finding bugs. But you can’t make it public. And also, I just updated top InfoSec people to follow. I included a whole bunch of other women that were missed. So check that out at blog.varonis.com.

Mike: Who’s the one person you think we should follow that we weren’t before?

Cindy: I definitely think we should be all following Runa Sandvik. She’s the new InfoSec security person. She writes about information security at the New York Times. She also worked on Tor, and she did this really cool rifle hack. And she wrote about that. Or someone wrote about her hack on Wired. Any parting gifts, Mike?

Mike: I was gonna recommend Qualys’ SSL Labs server test. If you’re unaware of what it is, you can put in your website and it will run through all the different ways in which you’ve screwed up setting it up properly to be secure. It gives you a nice letter grade. So, a couple interesting things about this. One: It’s really hard to make one of these yourself, because to do so, you have to maintain a system that has all of the old, bad libraries on it for connecting on SSL1 and 2 and 3 that are deprecated. Just so you can make the connections and say, like, “Yes, this remote system also connects with this.” So it’s not something you want to do, and it’s not something you can do trivially. So it’s great that this is an online service. And then two: I think it’s really interesting how…they essentially just made up these letter grades for what they consider as an A, A+, B. But in doing so, they were able to really improve the security of everyone.
Because it’s one thing to say, “Okay, out of 200 possible things we comply with, 197 of them.” It’s a different thing to know, “Okay, we got a failing grade because one of those three things we didn’t do was actually really, really bad and exploitable.” And to be able to compare that across sites, I think, just has a lot of incentives to make everyone improve their site. Like, “Oh, gosh, this other site is a better grade than us. We should definitely improve things.” So for those reasons, I think it’s a really great part of the security ecosystem and a great tool for all of that.

Cindy: Kilian, do you have a parting gift?

Kilian: I was reading an article the other day, it was pretty interesting how we all come to rely on our phones and our digital assistants, like Siri or Google Now, to make our lives easier to interact with a device. Some researchers started thinking that, “Hey, this is a good avenue for exploitation.” They started kind of distorting voice commands so they can embed it in other things, to get your phone to do stuff on your behalf. So, it’s just an interesting thing to keep aware of and how you’re using your digital assistants, because other people could start to exploit it by issuing voice commands to it to maybe direct you to a malicious site or something. It’s one more thing to kind of keep in the back of your mind.

The post TechFails – IOSS 15 appeared first on Varonis Blog.
Layered security refers to the practice of combining various security defenses to protect the entire system against threats. The idea is that if one layer fails, there are other functioning security components that are still in place to thwart threats. In this episode of the Inside Out Security Show, we discuss the various security layers:

Human
Physical
Endpoint
Network
Application
Data

Cindy: Hi and welcome to another edition of The Inside Out Security Show. I’m Cindy Ng, a writer for Varonis’ Inside Out Security Blog, and as always, I’m joined by security experts, Mike Buckbee and Kilian Englert. Hi, Kilian.

Kilian: Hi, Cindy.

Cindy: Hey, Mike.

Mike: Hey, Cindy. You call us security experts. I’m actually, where I don’t know if you can see it, “I have a fake internet job”…because I still haven’t been able to explain my job to my mom and dad. “He does something.”

Human

Cindy: We’ll see who’s most fake at the end, okay? So recently, Rob wrote a layered security guide and I thought it would be interesting for us to go through each of the layers and share stories that we’ve read or heard as it relates to each of the layers. The idea with layered security is that you want to make sure that you have many different layers of defense that will protect you. If there are any holes, just in case something gets in, you might have a security layer that serves as a backup that will catch it. So the first layer to start is the human layer. So that layer is all about educating people to spot scams and be cautious about the passwords that they give out, their social security numbers that they give out, their credit card information. This layer, Kilian, you talk about this a lot.
I feel like, increasingly, criminals are using and exploiting services that we rely on and turning it into like an attack vector, like there is an article recently about people texting you pretending to be Google and saying, “Hey, there was this suspicious attempt to get in.” And we talked about passwords and alternatives and using two factor and it’s kind of like, “Oh man, I have to check my text messages and make sure I’m not scammed again,” like another thing to worry about.

Kilian: Oh, yeah. People, by nature, want to be trusting of other people. We kind of have been trained since day one to feel kind of bad about being suspicious… The bad guys out there know this and they exploit it. It’s so much easier to go after a person and just kind of play off of emotions because they’re far more malleable than a system, and people often are not trained or educated around security practices. And even if they are, they’re kind of trained into a certain mindset. So if they see something that looks semi-legitimate like, “Hey, a text from Google. Oh, they’re protecting me. They have my login name or my IP address or something, NIC address,” because most people are not going to investigate that closely, it’s going to look fairly legitimate like, “Oh, hey, Google’s looking out for me. This is great.” It’s very easy to, just with a little bit of a legitimacy, to get people to kind of go along with it and it’s…the con of that sort is as old as time basically and it’s only getting easier any more, too.

Mike: I’ll go with something that you said, Kilian, which is that it’s really about our mindset. And I think from a security practitioner’s standpoint, we’re typically very focused on exploited time and this and do this things and so we forget a lot about on the human layer which is education and like how to educate your users and to help make them part of your line of defense.
I think a fun activity for that is actually to do phishing, and there is a couple of companies that do this, that do like fake phishing attacks, and then basically, so I go, “You clicked on this so we are reporting you to IT.” And it’s kind of almost like in hospitals where they like shame the doctors into making sure they wash their hands all the time. You’re kind of like trying to enforce these IT hygiene aspects on all of your users, and either hire a company or you have some free time, you can just try to phish your users individually to mess with them.

Kilian: Sure.

Physical

Cindy: Our next layer is the physical layer, and you know, I would be like the worst security person to hire because I wanted to skip talking about this layer. There are so many layers and Mike’s like, “Why aren’t we talking about it? It’s the most important one.” And Kilian is like, “It’s often overlooked.” And I said, “It’s just the physical layer, like everybody gets that.” Tell us a little bit more about the physical layer.

Kilian: I guess I’ll jump in. It is so often overlooked. We worry about firewalling the data off to protect from external attacks and stuff that comes in over the wire. But how many times in businesses do people check badges? You can walk into a corporation. If the guy sitting at the desk is distracted for a minute, and then you’re inside and nobody looks twice at you. If the doors aren’t locked in the server room, you walk in, plug in a USB device. Basically, once you have physical access to something, it’s game over. There’s no other layer of security that they probably can’t get around at that point. And we rely so much on just kind of observing people and we put a lot of faith in locks, too, like physical key locks. They’re such a terrible false layer of security. Most front door locks or bike locks or anything else are easily defeated within seconds.
The physical layer is often overlooked but it’s such a false layer of security, too, that we know we have somebody watching the door. Because again, we are relying on people and people want to be trusting.

Mike: What I was going to mention with respect to the physical layer was I think a lot of things are changing. So businesses are much more just personnel, lots more different, just physical branches, places, people working from all sorts of different remote situations, as well as it used to be everything was hard wired, and now, most every place has WiFi. And so you have this very different situation of like everyone in the office walking in with the WiFi radio that’s connected to the internet. But we don’t think about that. We just like, oh, we are on our cellphones, but if there’s malware on there that could potentially perform an attack or some form of disruption. There are some real interesting exploit tools that basically do things like DHCP exhaustion on a network and so you have to do things like MAC filtering. I worked in a high security environment in the military. They have things like if you unplug a computer from the wall from the CAT5 and plug it back in, it won’t let it back on the network as it lost the MAC connection. You can’t just bring a laptop in and plug it into the Ethernet port in the waiting room. Things like that, like very good sensible suggestions.

Cindy: I just had a paranoid thought that when I go home, I want to like install 10 locks, put on a password, and I need somehow to after-authenticate myself to get in. So in terms of a business security, like can you go overboard in terms of putting like a trillion locks on something? And then what’s kind of a good balance for an extreme paranoia or paranoid person like me?

Kilian: I’ll get dogs with bees in their mouth so when they bark, they shoot bees at you.
Mike: From a business standpoint, I think the biggest thing is actually more procedures, procedures around access to servers, access to changes, that kind of thing. And then from there, the procedures are implemented that help with the recognition of what’s a threat and what isn’t. On a personal level, something that I’ve been seeing a lot more in terms of physical stuff is skimmers on ATMs. That’s probably like we were talking like a personal sort of physical attack. That’s probably the big one, that every ATM you go to, you sort of want to tap at the card holder to see if it falls off because it’s so easy to put a skimmer on.

Kilian: That kind of distilled… it’s situational awareness, kind of being observant of the people and things around you, what you’re interacting with.

Endpoint

Cindy: Another thing we need to be alert and aware of are endpoints – protecting devices, PCs, laptops, mobile devices, from malicious software. People really like using endpoint protections to guard against ransomware, and people found out it’s not really effective. But if it’s not ransomware, malware can really sit on your system for like six months before it’s even identified. But people also really want to protect their endpoints. What are your response and thoughts on this?

Mike: I’ll go. I guess my first thought is we’re talking about layered security, and so no solution is going to be a home run 100% of the time. And so what we are really trying to work on is percentages, reducing the surface area we can be attacked on, reducing the opportunities for an exploit. Endpoint security can certainly be part of that but it’s not a complete solution. But by limiting the types of apps that can be run, the type of traffic that can come in, it’s a way of helping to manage that risk. And that’s what we’re talking about with all layers, is how can we manage risk at all these different layers?
And hopefully by doing that simultaneously at all the layers, we really improve our security much more than if we thought, “Okay, it’s just endpoint security or it’s just doing training of the users.”

Kilian: The way I would think about it, too, is if you ever see the machines for like looking for gold or sifting rocks, like you have the different sizes of screens. Endpoint protection antivirus, I would think, is like the biggest size of screen. It’s gonna get like the bigger rocks out, so the kind of most obvious, most basic vulnerabilities. And kind of, as you go through and sift out the different pieces, that’s exactly what it is. You can just, multiple layers, sift out different things that one might not catch until you get it. And then just good patch management, too, on endpoints and servers, things like that. If you leave vulnerabilities that have been patched for 10 years on your system, that’s kind of inviting trouble in a lot of ways. But then people often overlook it.

Mike: Those are the big holes in your screens as you’re trying to go through all the data and everything is falling through these unpatched systems.

Cindy: But there are a whole bunch of alerts. People get thousands of them, like daily and weekly. That’s another annoyance. You can’t actually check thousands of alerts every day.

Mike: And for all these sorts of systems that monitor the things, all the vendors, us included, are trying to…people talk about alert fatigue. If you get an alert every 10 minutes, like, “Oh, something’s happening, something’s happening,” like you just cease to care about it. It’s not something that actually needs to be responded to or thought about. So there’s a lot of work with like machine learning, better filtering, and better tracking on how to handle that to reduce that amount of alert fatigue. But you’re absolutely right, Cindy.
Cindy: And also make alerts that are really worth alerting on so that you’re not like, “Oh my God, my blood pressure is increasing,” and then you end up in the hospital or something.

Mike: What kinds of alerts are you getting?

Network

Cindy: No, listen, it’s not me. I’m just hearing all these stories when I go to conferences and I go, “If I had that many alerts, I will just be like…ahhhhh! Watch out for the crazy woman.” So another layer we should talk about is network security. I’m thinking firewalls, intrusion prevention, detection system, VPNs. And I was kind of tricked to read an article that says “Utility board hears about network security.” And I was like, “Oh, they’re really serious about network security.” Like, “What about the other stuff?” So I went through and I read it. I clicked on it and I read it and they take security seriously. Like in the article, the IT director talked about network security. He made references to all those different layers that we’re talking about so far. And he made the analogy of a Swiss cheese as security and you put layers upon layers of them and said, “That even then with all the layers of cheese, a small hole, so a small hole in your security can be catastrophic.” And I thought it was just really great that they’re talking about it. And further on in that article, it mentioned that a board member requested that presentation because he had heard about a utility at a utilities conference that there was a hacking of an electrical system in Colorado. So we hear a lot about things that go wrong in companies and they’re not doing anything about it. But I really liked that they’re saying, “Hey, I’m protecting our utilities network.” And it’s a great way to get more of like security funding, too, because security systems are expensive, like whether it’s network. Even if it’s like a $200 thing, you still have to be like, why do you need this, and explain.
So back to network security, the talk that they had, presentation they had, it’s a great way to just get money like, say, there is an article in Rob’s layered security guide about “What’s the difference between a $1000 one and a $200 one?”

Mike: For a firewall, you’re talking about?

Cindy: For a fire…yeah. I went on a tangent. I think someone…

Kilian: I mean, you brought up an interesting point. That article, I thought, was really kind of fascinating because the one thing that kind of really, if I can pick one thing, a security thing that scares me on a daily basis, it’s a lot of this, like command and control type, or not command and control but the SCADA systems or the industrial control systems that run a lot of our infrastructure. And back to the unpatched systems, these things are from the whatever, ’80s, ’90s, that they said, “Oh, well, hey, we can monitor whatever, our dam controls online, stick it on a network with an IP address,” and then it controls kind of a vital piece of infrastructure, like something in the physical world that can cause a lot of damage. Or the controls at the electrical system, you can wipe out power and that will cause a lot of problems in the physical world. Network security is, again, one of the critical layers. Again, if you have to connect it to a network, at least run it through something. You still need the defense in depth across the whole board, but that’s kind of the first line of defense for a kind of network connected systems.

Mike: The only other thing I was going to mention is that I think a lot of times, people think of network, especially with from a lot of employees, it’s like, “We need VPNs for everyone. We have VPNs for everyone. We’ll be protected.” But you have to remember that also, it’s sort of like punching a hole in your firewall because VPN, it’s like making a home computer as if it was on your network, and all the ensuing issues that that can cause.
Kilian: And then we can tie it right back to physical security then. On your VPN at Starbucks, you walk away for a few minutes, someone walks up, plugs something in, or you don’t lock your laptop, then the internal network’s compromised.

Mike: I know for sure there have been multiple reports on people getting ransomware on their networks from, like someone at home and they get like an infection, they bring it to the IT group. Like, “Oh, Bill in IT, he’ll help me out. He’s always such a nice guy.” They bring it in. Like, “You look at this real quick? It’s real weird.” “All right, let’s plug it in the network.” And, boom, the network is now infected with ransomware. Good intentions gone awry.

Application

Cindy: Oh my God, I’m so scared that whenever you guys just share stories and I get like extra, extra scared. Okay, the next two on application security, that, there’s a lot to talk about in that one. I wrote a blog post about it, that our IT people won’t let me install anything on my computer. When we talk about application security, it refers to the testing and doing the work to make sure apps work as they should. But there are some drawbacks to that, which is why IT won’t let me install anything, and I have to get permission. I have to tell them why. That, I understand it’s a dangerous world out there. What are some things about application security that we need to be worried about or concerned about?

Mike: Most companies, they have a mix of things. They have a mix of applications they built in-house, third party systems that they bought commercial off-the-shelf, or cut software, and then now, sort of cloud systems. We joke that the cloud doesn’t exist; it’s just other people’s computers. It’s just other people…our software is running on other people’s computers or software as a service type application. There’s different considerations for each of those.
I think, across the board, one of the things to really think about for all of this is single sign-on, that the procedures for provisioning access to this and then removing it as people’s roles change or as they come into or leave the company is incredibly important. And if it is one place where that’s most often missed, it’s in those kind of things where…I used to work at a company. I won’t say the name of it. But their phone system was separate from everything else and so that a salesperson that left, removed all their computer access, left them with their phone access, and they changed their outgoing voicemail, which for months, was just a harangue against the company, and like what blood-sucking horrible people they were and how unprofessional and incompetent. And it stayed that way for months as people called in to talk to this salesperson he was known over there. But that can happen anywhere, with timesheet software, that can happen with reporting software, the project management software. All of these things can exist somewhere on the spectrum. And without that single sign-on and really strict procedures, it’s very difficult to control.

Kilian: Just kind of a little bit of an aside, too, as we’re developing more software and it gets more complex and we expect more out of it, that just increases the chance that there’s going to be a bug and it’s a guarantee that every piece of software you run is going to have some type of issue or bug in it. Again, especially as the citizens get more complex and more interconnected. So it’s being cognizant of that and, again, we’ll go back to a couple of topics ago, is good patch management, making sure that the bugs are reported and then the software vendors you deal with take it seriously and patch it eventually, or soon rather than eventually.

Data

Cindy: And the next layer on the data layer, we talk about that a lot. I think it’s the crown jewels.
We want to make sure that our health data isn’t stolen, our PCI data isn’t stolen. People are really…you hear it often in every kind of podcast or show that you hear. You kind of expect data breaches to happen. People are really hurt that that’s happening. “Oh, they’re not doing enough.” But the reality is data security is tough. What are your thoughts about this layer?

Mike: We, at Varonis, we deal with structured data. Structured data, for the most part, falls under application security, so that structured data is anything that’s in the database, typically in the accesses, typically mitigated and arranged and managed through an application. I just want to make sure there isn’t direct database access somehow through the network where I exploit tools. But for the most part, that’s fairly sane. Our niche is the unstructured world which is the files and where typically, what we see is the end results of all the structured data. So the structured data is the giant Oracle database that says like, “Yes, we should actually acquire this company,” and then the unstructured is the PowerPoint that says, “We’ll do this next Monday.” And that got out, has huge implications for stock price, and Sarbanes-Oxley, and reporting, and governance, and all these things. So there’s different risks involved with those.

Kilian: The thing about the unstructured data is that, there’s so much of it and it just grows so constantly. Every second of every day, at every business, somebody is putting some type of information out, sending an email, writing a document, editing a PowerPoint, any of this stuff. It’s just constant and that’s how businesses evolve and get better because they share information. They just keep producing and producing and producing it and it never seems to go anywhere. It’s like the internet never forgets. Well, your data center never forgets either. The project might be forgotten but it’s still out there somewhere, the SharePoint site.
All this team collaboration is over but it's still up there and contains a lot of information. There's some life cycle information on that. But things like social security numbers, those never change. There might be, or there is, an age on credit card information, but it's still fairly long, several years, depending on how long it's out there. The life cycle of this data is often overlooked and you expose yourself to a lot of risk because it ends up… again, it's created for some legitimate reason and it's out there for some legitimate reason, but it's forgotten about or it's not dealt with or disposed of or even secured properly.

Cindy: So to kind of wrap up, you both shared stories that I'm just like, "Oh, it's nerve-racking," but the overall goal is security. So we make sure we educate the people. We make sure that they don't have access to stuff that they don't need. We make sure they don't get in. We make sure we protect ourselves from malware, make sure we protect our data, make sure that apps are working properly. What are some kind of wrap-up conclusions or things that I've missed that you want to share your thoughts on?

Mike: I think we should go back to your Swiss cheese sandwich metaphor because honestly, I think it's actually viable, because the big challenge of all this is communicating this to people who are not in our business, it's communicating it to the executives and to the users that we need to deal with. And so we say exactly that, but it's like stacking a lot of pieces of Swiss cheese, and the more layers we have, the fewer holes there are, the less vulnerable we are. It's a very easy to understand metaphor. Hopefully, they are lactose intolerant. But I think that is really the case. The more layers we have and the more all these things work together, the safer we are. That's like an old powerful thing.

Cindy: Kilian, do you have any last thoughts?

Kilian: No, I like the metaphor. I think it's great.
I have other metaphors I use for thinking about security, but the Swiss cheese one, I think, is very visually pleasing. I guess it's something people can recognize.

Cindy: That is from the IT director in Nebraska. Like maybe he'll listen to our podcast or join our show.

Mike: I thought we decided we're just going to start sending packets of sliced Swiss cheese to all our customers… "Stack this together until you're secured."

Cindy: Make sure your bad guys don't go in.

Our Parting Gift

Cindy: So to wrap up, our parting gift, what are some things people should check out? For me, I'm pivoting to something else. Back to our show last week, we talked about the EU's General Data Protection Regulation. We just published on our blog an infographic. So if you do not want to read long texts, Andy and I created a really informative infographic describing consumer rights, as well as obligations companies have to the consumers. So head over to our blog and check it out. Mike, do you have any parting gifts for our listeners and viewers?

Mike: I was going to recommend; I was going to say I just looked at the infographic you're talking about. It's at blog.varonis.com, and I think it really is great. And we're talking about educating other people, it is the perfect thing, if you are in IT, to send to an executive or to send to some stakeholder in your company to try to help get their minds in the right place for dealing with the new regulations. My suggestion for a parting gift was going to be a game, actually. It's called Hack Net. It's probably one of the few games you could get expensed by your company. It looks so much like one of those, like in the movies when they're hacking into a system and it has everything scrolling and doing stuff. So it's the simulation of that but it covers actual exploits, the concepts of how they are exploited, what is done.
So it's very educational but super fun to run through, and it has a little scenario and you actually hack into all these different systems. It's called Hack Net. And right now, it's $10. But I mentioned it last week, during this… summer sale, I think it's going to $5. But it's very cool and interesting. And if you're interested in this as a general topic, I know we have a lot of people on the IT side and not necessarily the security pentesting side, it's a great way to really deeply understand all those concepts. So, cool, check it out.

Cindy: Cool, thanks. Kilian, do you have a parting gift?

Kilian: Actually, what Mike was saying just reminded me of something. The other week, I was in an Uber. I was taking a ride to the airport or train station or somewhere, and on the screen, they popped up a little thing like, "Hey, code while you go," or something like that. And they gave you little snippets of code and they wanted you to find the error in the code. And I thought it was, you know, crowdsourcing something, information, maybe for a potential job offer. But I just thought it was really interesting they were kind of doing this little application security type of initiative within the app itself, like while you're on the trip. I don't know if the pop-ups are for everybody, but I saw it. I thought it was interesting to look at while I was on my ride.

Mike: Are you saying you got a job offer from Uber? You're leaving Varonis? You figured it out?

Kilian: The next time you'll see me with my dash cam and my car driving around.

Mike: Oh, man…

Cindy: Kilian might be doing both. He might be driving and working at Varonis. You never know because you know he's fake. Thanks so much, Mike and Kilian, and all our listeners and viewers for joining us today. If you want to follow us on Twitter and see what we're doing or tell us who's most fake on the show, you can find us @varonis, V-A-R-O-N-I-S.
And if you want to subscribe to this podcast, you can go to iTunes and search for The Inside Out Security Show. There is a video version of this on YouTube that you can subscribe to on the Varonis channel. So thanks, and we'll see you again next week.

Mike: Thanks, Cindy.

Kilian: Thanks, Cindy.

Cindy: Thanks, Mike. Thanks, Kilian.

Join us Thursdays at 1:30 ET for the live show on YouTube.

The post Layered Security – IOSS 14 appeared first on Varonis Blog.
We've been writing about the GDPR for the past few months now, and with the GDPR recently passed into law, we thought it was worth bringing together a panel to discuss its implications. In this episode of the Inside Out Security Show, we discuss how the GDPR will impact businesses, Brexit, first steps you should take in order to protect EU consumer data, and much more. Go from beginning to end, or feel free to bounce around.

What is the EU General Data Protection Regulation?
Who will be tasked to implement GDPR?
What's the first step you need to take when implementing GDPR?
Data Breach Notification
Brexit and GDPR
Territorial Scope
Tension between Innovation and Security
Tips on Protecting Customer Data
Final Thoughts
Upcoming Webinars: July 21st English, July 28th German and French

Cindy: Hi and welcome to another edition of the Inside Out Security show. I'm Cindy Ng, a writer for Varonis's Inside Out Security blog. And as always, I'm joined by security experts Mike Buckbee, Rob Sobers, and Kilian Englert. Hey, Kilian.

Kilian: Hi Cindy.

Cindy: Hey Rob.

Rob: Hey Cindy, how is it going?

Cindy: Good. And hey, Mike.

Mike: Hey Cindy, you made me go last this week. That's all right.

Cindy: This week, we also have two special guests, also security experts. Andy Green, who is based in New York, and Dietrich Benjies, who is based in the UK. And they're here to join us to share their insights on the latest General Data Protection Regulation that was just passed with an aim to protect consumer data, which will impact not only businesses in the EU, but Britain and the US and the rest of the world. So hi Andy.

Andy: Hey Cindy.

Cindy: Hey Dietrich.

Dietrich: Hi Cindy.

What is the EU General Data Protection Regulation?

Cindy: So, let's start with the facts. First, what is GDPR and what are its goals?

Andy: In one sentence? Can I get two?

Cindy: You get two and a half.

Andy: Okay, two and a half. So it stands for General Data Protection Regulation.
It's a successor to the EU's current data security directive, which is called the Data Protection Directive, DPD. And it really… I mean if you are under the rules now, the GDPR will not be a major change, but it does add a few key major additions. And one of those is… well, there are stronger rules on, let's say, the right to access your data. You really have… almost like a bill of rights. One of them is that you can see your data, which is maybe not something in the US we are experienced with. Also, another new thing is you have a right of portability, which is something that Facebook probably hates. In other words, you can download the [personal] data. If I were, I assume this would happen in the UK or the EU, that if you are a Facebook customer you will be able to download everything that Facebook has and have it in some sort of portable format. And I guess that [if you have another] social media service, you can then upload that data to that social media service and say goodbye to Facebook, which is kind of not something they're very happy about. … You have almost like consumer data rights under the new rule. I don't know if anyone has any comments on some of these things, but I think that's… that, I think, is like a big deal.

Dietrich: I'm sorry Mike. Were you going to go next? I chimed in so I suppose I'll carry on-

Cindy: Go ahead, Dietrich.

Dietrich: So I think in terms of your attendance, it's the European Union recognizing that data is… the European citizens recognize their data as important and historically, recently and historically, there have been many cases where it hasn't been demonstrated to be appropriately controlled. And as it's a commodity, the information on them is a commodity traded on the open market to a degree that there has just been an increasing demand to have greater safeguards on their data.
And those greater safeguards on European citizen data give them greater confidence in the market, in the electronic market that the world economic market has become. So the two pillars, which we'll get to, or the two tenets are Privacy by Design and accountability by design… we'll get to a lot of things, but that's the synopsis on it.

Mike: I was curious about to what extent this was targeting enterprises or is it targeting, say, like you brought up Facebook, which I consider an application, like a web application service. Was there an intent behind this, that it's targeting more one or the other?

Andy: Yeah. It's definitely, I would say, consumers. I mean it's really very consumer-oriented.

Dietrich: Mike, do you mean in terms of it's targeting the consumers? Yes, it's consumer data. It's related to, but do you mean in terms of the types of businesses where it's most applicable? Is that what you mean, Mike?

Mike: Well, you know, there is a decision-making framework that, so now with GDPR as the Data Protection Directive to need to make decisions, that I'm building an application, I'm going to need to have new privacy features. We talked about Privacy by Design, which has its own sort of tenets. Or I'm building out the policies for my company which has satellite offices all over the world and some of them happen to be in the EU. Just trying to look at the impact and look at how this should change my decision making on the business.

Dietrich: Well, it'd be cynical. I'd say if you want to avoid it totally and entirely, just don't sell to an EU citizen.

Rob: Yeah, I think, to answer your question, Mike, the Facebooks of the world and these global web services are going to have to worry about it if they are collecting data. And we all know Facebook not only collects the data that you give them but it also ascertains data through your actions.
And I think that's what Andy was talking about, is that it's not just the ability to click a button and say give me my profile data back now so I can take it with me. It's like I put that data in, but I think what the GDPR is aiming to do is give you back the data that they've gathered on you from other sources. So tell me everything you know about me because I want to know what you know about me. And that's, I think, a very important thing. And I really hope that the US goes in that direction. But outside of those web services, think about like any bank that serves an EU customer. So any bank, any healthcare organization, so other businesses outside of these big global web services certainly do have to worry about it, especially if you look in your customer database or any kind of… if you are a retailer, your transaction database, and you have information that belongs to EU citizens, then this is something that you should at least be thinking through.

Who will be tasked to implement GDPR?

Cindy: So who needs to really pay close attention to the law so that you are executing all the requirements properly?

Dietrich: Who needs to pay attention to it in terms of those organizations and scope? It's pretty well spelled out that the organizations who deal with, who transfer, who process big things on processing and doing this information associated to European citizens. So if I backtrack a bit, it was where we are starting with the portability of the data, the information that we have, that organizations have on individuals and those subject access requests, right to erasure, kind of the first and foremost is the protection element. Making sure that the data is protected, that we are not… organizations aren't putting us at risk by the fact that they are holding our data and making that overexposed.

Kilian: To kind of address the question more technically speaking, I think… everybody involved in the process needs to pay attention to it.
From the people designing the app, Mike, if you want to launch your business, you need to realize that there are… boundaries are kind of made up anymore with technology. So right from the beginning, we'll talk about Privacy by Design. But that needs to be the first step, all the way up to the CEO of the company or the board realizing that this is a global marketplace. So they want to get the most amount of customers, so they have to take it seriously.

Andy: Yeah, I was going to say that they do have a heart at the EU… and they do make an exception… there is some language for making exceptions for smaller businesses or businesses that are not sort of collecting data on, what they say, like on a really large scale–whatever that means! What you are saying is all true, but I think they do say that they will sort of scale some of the interpretations for smaller businesses so the enforcement is not as rough. And there may even be an exclusion, I forget, for under 250 employee companies. But I think you are right. This is really meant for the, especially with the fines, it's really meant to get to C-level and higher executives' attention.

What's the first step you need to take when implementing GDPR?

Cindy: So if you are a higher up or someone responsible for implementing GDPR, what's the first step you need to look for, so you don't miss any deadlines, so that you are planning ahead?

Andy: I think we had to talk about this the other day. I've actually talked about it with Dietrich. Some of this is really, I'd say, like common IT sense, and that if you are following any kind of IT best practices, and there are a bunch of them or some standards, you are probably like 60 or 70% there, I think. I mean if you are, let's say you are handling credit card transactions and you are trying to deal with PCI DSS or you are following some of the– forget what they call– the SANS Top 20… So maybe I'll say it's sort of like putting laws around some common sense ideas.
But I realize the executives don't see it that way.

Kilian: Yeah. I think the first thing you have to do is figure out if you have that data, to begin with, or where it's at. I mean the common knowledge is you probably do. If you do some type of commerce or interact with anybody really, you are going to store some information. But kind of nailing down where it's at or where it might be is, I think, the key first step.

Dietrich: And in terms of deadlines, I suppose to answer your question very directly, the deadline is May 25th, 2018, is when it comes into full force. That is the, I wouldn't say it's fast approaching. We still have 23 months. …

Dietrich: I've got a clock on my laptop right there. Deadline to GDPR.

Data Breach Notification

Cindy: So there is also a data breach notification. What does that process entail? Like how do you get fined and how do you know that personal data has been lost or breached? What's defined as personal data? Because there is a difference between leaking like company ID, company IP versus leaking personal data.

Andy: Actually I happen to have the definition right in front of me. So it's any information related to a person. And in particular, it can be… so it says an "identifiable person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier". So it's really, I guess what we would call in the US, PII [personally identifiable information], but it's broad. It's not just a strict list of social security number or specific account numbers. Those are examples of the types of identifiers. So it's very broad, but it has to relate back to a person, and they do consider the online identifiers as "relatable to a person".

Brexit and GDPR

Cindy: And kind of I can't help but ask Dietrich, will Brexiters be exempt from GDPR?

Dietrich: No. Not at all. So, first off, yes. A week ago today, we cast our votes.
And then a week ago tomorrow it was found out that yes, in fact, we are leaving the European Union. So the reality of that is we haven't invoked Article 50. So Article 50 is that yes, we are definitely doing it. We are doing it and then we have 24 months for them to get the heck out of the European Union. The starting of that clock isn't likely to happen for some time. For one, David Cameron, who is currently our prime minister, is stepping down… has stepped down. We have to wait. He said, "I'm not going to invoke. I'm going to let somebody else handle not only that process of invoking Article 50 but in addition to that, negotiating the trade policies and all the things associated with the exit." In addition to all the things associated with the exit is the adoption or exclusion of a lot of the European directives, GDPR being one. So we could just sit there and not only, so if you take that time scale that will come into play if Article 50, and there are some questions on the legality of the referendum, which I won't go into in detail, but there is a lot of debate going on at the moment that we voted leave if it's actually something that will happen. If it happens, and let's say it will, the time scale of that activity is likely to be well after GDPR is in effect. And if GDPR does come… sorry, and even if we leave, and the likelihood as in the democratic country in which we live, we have cast a vote that we will leave, we could still take on GDPR as our own. We have our own Data Protection Act here in the UK. We could just bump it up with GDPR at a stroke of a pen. And that's quite likely considering we are debating in negotiation. We will negotiate for, hopefully, as free trade as we can do within the European Union and I'm sure that will be… it would make sense that that would be a dependent clause.

Andy: And I was going to say, it looks like if you're… since the UK has to trade with the EU, the EU countries are going to put in higher standards for e-commerce transactions.
Dietrich: Yeah. They are our biggest trading partner. I believe, and don't quote me on this, but I could be wrong. I think it's 54, 54% of our exports go to the EU. And likewise, we are one of the biggest trading partners for France, for Germany, etc.

Territorial Scope

Cindy: So, the US, we trade with the EU and the…

Dietrich: Do you? (sarcasm)

Cindy: I'm really talking about territorial scope. And I'm curious if I start a business or Mike starts a business, we talked about this earlier, how will I… what's the law in terms of me needing to protect an EU consumer's personal data? That's a little controversial. Go ahead Dietrich.

Dietrich: Can I give you some examples on this? In the last 48 hours, I have purchased a flight from Southwest Airlines, United Airlines, I'm a European citizen. I have purchased a backpack from some random site that's being shipped to my father. Look, I hope I'm not debt dipping myself in tax loss, but anyway, you know what I mean. As a European citizen, I'm going to be in the States for three weeks as of next week. So I'm a European citizen who is going to be transacting, who is going to be purchasing stuff over there. So, considering the freedom of movement that exists, the small world in which we live where European citizens regularly travel to the US, regularly buy from sites online, I can't see how the border is going to make any difference. Most, if not, I'd say the vast majority of organizations in the US will deal with European citizens and therefore at least for that subset of data related to European citizens, they will be… they'll have to put in controls if they want to carry on trading with European citizens.

Cindy: Go ahead, Mike.

Mike: Well, I was trying to think of parallels to this.
And there is one that I think a lot of people are aware of, which is like the Cookie Law, which is, there were some European directives around like you should have, like if you land on a website, sometimes you see those banners at the bottom that say this website uses cookies and then click to, which came out of a similar thing. That's really only been European websites that are doing that, but that's sort of a half step into this. I just wonder if that shows a model for how this is going to be adopted so that it's only the very strictly EU sites.

Andy: Yeah. I think that was, that came out of, I forget, it may have been the Data Protection Directive, but you've got to gain consent from the consumer and they apply it to cookies, accepting cookies. So you do see that on a lot of the EU sites, that's right.

Mike: It just seems very odd because there is no… it doesn't seem like it will improve things. It just seems like, yeah, we are getting cookies off you so here is this giant banner that gets in the way.

Andy: Will they ever click no?

Mike: Well, what's interesting is that I don't think I've ever actually seen like, "Yeah, no, don't collect my cookies." It just says like, "Hey, we are doing this so accept it or leave." You are on my website now, so probably with a French accent.

Tension between Innovation and Security

Cindy: So in terms of, we talked about the cookie law, we're talking about the GDPR. If you are a CEO and you know that there is a potential risk of anything really, and let's say data breach, if something happens, they're often asking, "Okay, higher ups, can we work through this? Will our company survive?" It sounds like people don't like to be strong-armed into following certain laws. Like if I'm an entrepreneur, I'm going to come up with an idea. And the last thing I would want is like, oh, I have to follow Privacy by Design. It's annoying.

Rob: Yeah. I mean it's a push and pull between innovation and security. You see this with all sorts of things.
You know, Snapchat is famous for its explosive growth, hundreds of millions of active users a day. And in the beginning, they didn't pay attention to security and privacy. They kind of consciously put that on the back burner because they knew it would slow their growth. And it wouldn't have mattered as much if they never became a giant company like they are today. But then it came back to bite them, like they've had multiple situations where they've had data breaches that they've had to deal with and I'm sure devote a lot of resources to recovering from, not only on the technical side of things but also on the legal and PR side. So it is a push and pull, but we see it in varying degrees everywhere. Look what Uber is doing as they expand into different markets and they have to deal with all of the individual regulations in each state that they expand to, each country. And they would love to just close a blind eye and focus on improving their technology and recruiting new drivers and making their businesses a success. But the fact of the matter is– and the EU is way out in front of everybody else on this– is that somebody has to look out for the customers. Because we just see it over and over again where in the US, it's almost like flipping. Like we see these massive breaches where people's healthcare information is exposed on the public web or their credit card numbers get leaked or God knows what kind of information. And it just doesn't ever feel like there is enough teeth to make organizations really assess their situation. Like every time I apply– and I don't do this very often, thank God!– apply for a mortgage in the US, the process, it scares me. You have to email sensitive information to your mortgage broker in plain text. They are asking for PDFs, scans of your bank account.
And where that information goes, you're just not that confident in a lot of these companies that they are actually looking at information and putting it in sensitive secure repositories, monitoring who has access to it. It's just… without this regulation, it would be… without regulations like GDPR, it would be way worse and there would be no one looking after us.

Kilian: You actually kind of beat me to the point I was going to make there, Rob, by a couple of sentences. But, you know, fine. The businesses don't like being strong-armed, but the consumers don't like having their entire lives aired out on the Internet. And I think you are 100% right there. It is a pain in the butt in some cases for innovation, but we keep going back to it, or I will, but Privacy by Design. You don't have to make an and/or decision. If you start with that mind to begin with, you can achieve both things. You can still achieve massive growth and avoid some of the problems instead of trying to patch up the holes later on.

Dietrich: One thing in terms of the strong arm, in terms of the regulatory fatigue that organizations get, I have been dealing with organizations for some time and it seems that regulations are at points that the external world makes organizations focus on the only things they will focus on. And this is important. It's important for us. I mean I kind of like… I don't kind of like. I quite like the intent of the regulation. It's down to protect me. It's not something that's esoteric. It's something that's quite explicit to protect more information. And if it requires a regulation for them to take heed and pay note and to get over the fact that regardless if they have been ignoring data breaches in the past, to do so in the future may cost them more than it had, then that's probably a good thing.

Andy: I was just going to say that one of the, like the one word they use in a lot of the law is just, it has to do with Privacy by Design. It's just minimize.
I think if you just show that you're aware of what you are collecting and trying to minimize it and minimizing what you collect, put a time limit on the data that you do collect, the personal data, in other words, if you've collected it and processed it and you no longer have a need for it, then get rid of it. It seems common sense and I think they want the companies to be thinking along these lines of, as I say, just minimize. And that shouldn't be too much of a burden, I think. I don't know. I mean I think as Rob was saying, some of these web companies are just going crazy, collecting everything, and it comes out to sort of bite them in the end.

Mike: And this is me being cynical, but I wonder if this is going to be a new attack vector. If there is like an easy way to get all your information out of Facebook, then that's the attack vector and you just steal everyone's information through the export feature. I don't know if anyone else saw there is a thing that you could hijack someone's Facebook account by sending in a faxed version of your passport. That was a means by which they would reset your password if you couldn't do anything else and you lost access to it. They are like, "Well, this whole rigamarole, but fax in your passport," and so people were doing that as a… I think it's good intentions. I just wonder about the actual implementation, like how much of a difference it will actually make.

Rob: Yeah, and I think you are right, Mike, that the execution is everything in this. With these regulations, we see it with failing PCI audits. PCI auditors that are checking boxes. And having worked for a software company that, in a previous job, that did retail software and was heavily dependent on collecting credit card information from certain devices and terminals and keyboard swipes and all sorts of things and gone through a PCI audit, knowing that there were holes that weren't done by the auditors, it's all about the execution.
It's all about following through on best practices for data security. And the regulation itself isn't going to make you excellent at security.

Tips on Protecting Customer Data

Cindy: So if I'm trying to catch up… in terms… if I am not following PCI or if I am not following the SANS Top 20, which is now renamed to something else like Critical Security Controls… so what are some of the things that I can start with in terms of protecting my customers' data? Any tips?

Rob: Well I mean one thing, and Andy kind of touched on this, is don't collect it if you don't have to. I think that's the number one thing. I mean certain services out there actually make it easy for you not to touch your customers' data. For instance, Stripe, which is a pretty popular payment provider now, if you are collecting payment information on the web from customers, you should never know their credit card number. It should never hit your servers. If you're using something like Stripe, it basically goes from the web form, off to Stripe, and you get at most the last four digits and maybe the expiration number. But as a business, you never have to worry about that part of their profile, that sensitive data. So to me, start with asking that question of what do we actually have to have. And if we don't need it, get rid of it, and let's look at all of our data collection processes, whether it's by paper form or web form or API, whatever the method is, and decide what we can ax to just cut out the fat. Like we don't want to have to hold your information if we don't have to. Now, failing that, I know a lot of companies cannot do that, like Facebook's business is knowing everything about everybody and the connections. And so in that situation, it's a little bit different.

Cindy: It's hard because what if I'm a company and I just, what if I'm a hoarder? Like I hoard my… I live in New York, my studio is tiny, what if I like to hoard? And it's kind of like you are digitally hoarding stuff. And…
storage is cheap, why not get more? What would you say to a digital hoarder in terms of I might need this information later?

Rob: I would say stop. Stop doing that! There are data retention policies that prevent you from doing that that you can implement. It's an organization culture thing, I think. Some organizations are great at data retention, others are hoarders. It's just bad data protection.

Dietrich: Greater data retention and hoarders. We'd love to retain data. Most of the organizations we've talked to love to retain data. It's nice having something to get in that stick which sits there and goes, just get rid of it. I talk to organizations now and I'll go finally this is being implemented in such a way that we actually can go back to the business. Who doesn't want the data deleted? It's usually people in the business who say I may, at some time in the future, need that document that I created 15 years ago. Well, not if it has anything related to an individual associated with it. In that case, you can only keep it for as long as there is a demonstrable requirement to have that. So I think it's something at that level, which should be welcomed by organizations, not unless they are really… I mean my wife's a bit of a hoarder. If she was running a business, she would definitely have many petabytes of information. But related to individuals, it would give me the excuse to throw it out when she isn't looking.

Andy: Right. I was going to add that the GDPR says, I mean yes, you can collect the data, you can keep it, but I think there is somewhere that says that you have to put a time stamp on it. You have to say, "This is the data I have and, okay," if it's five years or ten years, but put some reasonable time stamp on this data and then follow through. So sure, collect it. But make sure it has a shelf life on it.

Final Thoughts

Cindy: Any final thoughts before we wrap up? Silence, I love it.
Michael: I was on mute, so I was talking extremely loudly while no one heard me. I was going to say my final thought was that, we kind of started this with Andy saying that a lot of this was common sense IT things. And I think that’s probably the biggest takeaway. The thing to do immediately is to, I think, just do an audit of all of your data. That’s just good practice anyway. If you don’t have that at hand, you should start doing that. Whatever the regulations are, whatever your situation, it’s very, very hard to think of a situation where that wouldn’t be to your advantage. So I think that’s the first thing and most immediate thing any company should do. Dietrich: That’s a very good point and something that also, related to GDPR, is the point within GDPR in terms of the data breach impact disbursements. That’s also understanding what you have, making sure that you have the appropriate controls around it. So that’s just understanding, going through that audit directly helps you for GDPR. Upcoming Webinars: July 21st English, July 28th German and French Cindy: Rob, you mentioned there is a webinar on GDPR. When can people tune in? … Mike: Rob told me there was a barbecue at his house for the next GDPR meeting. Just come on over, we’ll talk European regulations, smoke some brisket. Cindy: I need some help from people de-hoarding my studio. First, I need to go home and change all my passwords because I have a password problem. Now you all know I’m a hoarder. Mike: This is just leading up to you having your own Lifetime television series I mean. Cindy: That will be exciting. Mike: I’d watch it. Cindy: It will be Tiger Mom, 2.0. Rob: So yeah, so we’re having a webinar on July 21st in English and we are having another one on July 28th in German. So for anybody that’s interested in the GDPR, we are also doing it on the 28th in French. 
So we are having multiple languages for you and they can go to varonis.com and just search for GDPR in the upper right-hand corner and you should be able to find the registration form.

Cindy: Thanks so much, Rob.

Dietrich: Whether you speak it or not. Yeah, fantastic.

Cindy: Thank you so much Mike, Rob, Kilian, Dietrich, and Andy. And thank you all our listeners and viewers for joining us today. If you want to follow us on Twitter and see what we are up to, you can find us @varonis, V-A-R-O-N-I-S. And if you want to subscribe to this podcast, you can go to iTunes and search for the Inside Out Security show. There is a video version of this on YouTube that you can subscribe to on the Varonis channel. And thank you and we’ll see you next week. Bye guys.

The post GDPR – IOSS 13 appeared first on Varonis Blog.
Few saw that one coming: Simon and David get into all of the talking points from the first leg of the CONCACAF Champions League between the Montreal Impact and Club America, joined by Andrew Wiebe, who experienced it in person in Mexico City. Did Club America just have an off night? And are the Impact automatic favorites for the second leg?

Five national TV matches are the highlight of the MLS schedule, including a UDN Friday night doubleheader, a "must-win" at the Citrus Bowl (7ET, Fox Sports 1), a peculiar Cascadia derby that might mean more to the Timbers (9:30ET, Fox Sports 1) and a heavyweight NY Red Bulls vs. LA Galaxy clash (5ET, ESPN2) that deserves a dose of LA-NY trash talking courtesy of Galaxy right back Dan Gargan.

Thierry Henry makes an appearance in the mailbag, David gets heated about celebratory yellow cards and the guys try to put their finger on US rising star Jordan Morris: Is he Dominic Oduro or Landon Donovan?