S1, E3 – Geoblocking: Is It the Iron Mike Tyson or Justin Bieber of Data Protection?

Episode 3 October 31, 2023 00:27:14
Off the Wire: A Play by Play on Cybersecurity and Technology Issues

Hosted By

Anthony Kent, CISSP

Show Notes

Episode Highlights:

Connect with Us: At the end of the episode, learn how you can get in touch with John Watkins Consulting and share your thoughts about geoblocking through our social media channels or via email.

Support Us: If you love what you hear, consider supporting us by donating. Your support means financial sustainability, quality improvement, and the growth and longevity of the podcast. Donate here

Don’t miss this eye-opening episode; hit that subscribe button now!


Episode Transcript

[00:00:00] Speaker A: One, two, three. Come on.

[00:00:02] Speaker B: In the grand stadium of the digital landscape, where teams of innovators and hackers face off daily, there stands a commentary box like no other. Picture the buzz of a pregame show, the strategy analysis of the halftime break, and the deep dives of a postgame discussion.

[00:00:21] Speaker C: All rolled into one.

[00:00:23] Speaker B: Welcome to Off the Wire, a play by play on cyber issues. Your sports desk for the big league of cybersecurity. Just like in sports, in the cyber world, understanding the play is key to staying ahead of the game. And that's exactly what we offer: a podcast that brings the strategy room to you, helping you to understand the moves, the players, and the landscape like a true analyst. Off the Wire, a play by play on cyber issues.

[00:00:56] Speaker C: Yeah. So, hi and welcome to this third episode of our podcast. We're John Watkins and Anthony Kent, and this is Off the Wire. So I think last time, Anthony, I think we forgot to introduce ourselves. So why don't you tell me and tell our listeners, our myriad of listeners, who you are and a little bit about yourself.

[00:01:17] Speaker A: All right? Hello, everyone. Anthony Kent. I started my IT career in 2005 and, bouncing back and forth, I've done things between systems administration, network administration, and also cybersecurity. And I've also got my education at ECU, and I've got my master's in technology with a concentration in cybersecurity. So, anyways, this is just one of my favorite things in life, is cybersecurity. Call me a nerd, but it is.

[00:01:46] Speaker C: You're a nerd.

[00:01:47] Speaker A: I agree.

[00:01:48] Speaker C: Yeah, me too. The concentration in cybersecurity. So how hard did you have to concentrate?

[00:01:55] Speaker A: Actually, I'll say this. My hardest class for my graduate degree was actually an advanced statistics class. Yeah, I felt like the cybersecurity courses were actually the easier of the bunch.

[00:02:09] Speaker C: Yeah, I would agree with that. I had a stats class, and just in my... I have my bachelor's, I don't have my master's, but I had a stats class. It was really hard. Really hard. Okay, well, thanks for that introduction. I'm John Watkins. I'm also a CISSP, just like Anthony is, and we're both cyber experts. I've been doing cybersecurity for years. You know, I love doing cybersecurity. I started out as an art major and then somehow ended up in cybersecurity, so I'll let you kind of figure that one out. But I do love cybersecurity. I've been working... I worked at a co-op for about a decade now. I'm doing podcasts, and I have my own consulting company, and I go out and speak to cooperatives, and I still am helping cooperatives. I still love working with cooperatives, and cybersecurity is definitely high on my list. I also post on LinkedIn constantly, so that's going really good.

[00:03:02] Speaker A: Well, John, I do have a question for you for the podcast. Where did you just spend... Where was your last trip at?

[00:03:08] Speaker C: A little bit about that. I can tell you what I've been busy doing. I just went out to the Illinois and the Indiana, both statewides, and had some really good conversations with some of the IT folks there, the IT professionals at both of those statewides, and the one in Illinois, you're going to like this, because it's called the CTC Conference, which I think is familiar, right? To you?

[00:03:37] Speaker A: It is, yeah.

[00:03:38] Speaker C: So they were like, yeah, those guys in North Carolina stole our idea.

[00:03:42] Speaker A: Well, I think we're the... okay.

[00:03:45] Speaker C: Okay, good. So anyway, I went out there and talked to those folks, talked about recap, which is a big thing that maybe we'll have a podcast episode on one of these days. And then I talked about recap, and then I talked about Backdoors and Breaches as a tabletop exercise tool. And it was well attended and well received.

[00:04:08] Speaker A: It's awesome.

[00:04:10] Speaker C: Thank you.

[00:04:13] Speaker A: Are you going to go to the CTCE for 2024, John?

[00:04:16] Speaker C: I need to do that. Yeah, I do. I need to do that. I probably can find the folks that would be interested. I was invited last year, or this year, and it didn't work out. But yeah, I would definitely be interested in showing up for that.

[00:04:33] Speaker A: They actually moved it closer to where I reside. It's going to be in Wilmington, North Carolina, for 2024.

[00:04:39] Speaker C: So not in Myrtle Beach.

[00:04:41] Speaker A: Correct. Right down the road for me.

[00:04:43] Speaker C: I went to Myrtle Beach a few years ago. I spoke there, and I forget what I spoke about then, but it was so humid. It was like in August in Myrtle Beach. And I was, ugh, this was terrible.

[00:04:57] Speaker A: Well, I'm sure it's going to be about the same in Wilmington.

[00:04:59] Speaker C: Yeah, probably. So we stayed inside a lot. I think we went to Topgolf. That was the best part. Anyway, I guess we should be talking about the podcast instead of all these conferences. But we love the co-ops, right? Both of us do. So you're listening to Off the Wire, and this is a podcast that's a debate format on cyber issues of the day. And we've had several listens, we're getting a lot of listeners, we're picking up, and we're pushing that 200 mark here. I think we're going to break that before too long. So I'm happy to hear that. All right, so it keeps going on. It is available on Apple. It is available on Spotify. Of course you can get it from the website, johnwatkinsconsultant.com. And of course, I told this last time, but we actually accept donations, so that's a new thing. So we're kind of trying to monetize a little. But what are we talking about in this particular episode, Anthony? This one we're going to talk...

[00:05:59] Speaker A: About geoblocking, and the title for this one is Geoblocking: Is It the Iron Mike Tyson or the Justin Bieber of Data Protection?

[00:06:07] Speaker C: I love that. I love that title. That is amazing. I didn't come up with it, but I love it.

[00:06:14] Speaker A: Are you a Belieber or a Tyson fan?

[00:06:17] Speaker C: I'm going to be in the Tyson camp, but yeah, definitely not a... I would say I would definitely say if you put those two in the ring. Now, here's the funny thing though, because Justin Bieber would probably outperform Mike Tyson in a singing contest, but if it was a boxing match, I mean, Bieber is dead in like 10 seconds, right?

[00:06:40] Speaker A: More like half a second.

[00:06:43] Speaker C: First punch, just gone. So, geoblocking. What is geoblocking and why is it important? Geoblocking would be the practice of going into your firewall and, you know, any traffic that originates from or is destined for this particular country, just block that traffic, if it's going to Russia, China, Iran, whatever. And so that's the process of, you know. Is that a good thing, is it a bad thing? We're going to find out. That's what we're here to find out. All right, so moving right along, is this a sponsored episode, Anthony?

[00:07:19] Speaker A: Yes, it is. And let's thank our sponsor, John Watkins Consulting, and let's hear a little bit about them.

[00:07:25] Speaker B: Today's episode is sponsored by John Watkins Consulting, the cybersecurity expert electric cooperatives trust. Are you an electric co-op struggling with limited resources and the daunting task of safeguarding critical infrastructure? John Watkins Consulting specializes in easing that struggle. With over 14 years of experience, John offers tailored solutions to fight your unique cybersecurity challenges. Don't let the difficulty of board engagement and cultural challenges hold you back. John Watkins Consulting will guide you through these challenges, turning your pain into progress. Yes. Ready to fortify your co-op's digital defenses? Call 937622 Eightyn or visit johnwatkinsconsultant.com. John Watkins Consulting. Turning your cybersecurity struggles into strengths.

[00:08:25] Speaker C: Okay. Thanks for that sponsor message, Mr. John Watkins Consulting. We are looking for additional sponsors. So if you would like to sponsor Off the Wire, contact either Anthony or myself and we'll be glad to talk to you about some sponsorship opportunities. I think we may have one in the hopper possibly coming up in the near future there, Anthony.

[00:08:50] Speaker A: All right.

[00:08:51] Speaker C: Okay. So back to, I guess, geoblocking. I guess we got to do the famous coin flip that we do every time. You're going to be... let's do it. I guess you get to call it this time since I think I called it last time. So go ahead and call it in the air.

[00:09:08] Speaker A: Tails.

[00:09:09] Speaker C: Tails it is.

[00:09:11] Speaker A: All right. I think for this one I'm going to be for geoblocking.

[00:09:15] Speaker C: Really?

[00:09:15] Speaker A: Oh, yeah.

[00:09:17] Speaker C: I don't know. I'm glad you're going to be for it, because I just can't get on board with this one.

[00:09:22] Speaker A: So if you would have won the coin toss, you would have been against geoblocking.

[00:09:26] Speaker C: Yeah. I'm glad you are wanting to go for it, because I'm just not for it.

[00:09:30] Speaker A: How do we always end up on opposite sides of the spectrum, John?

[00:09:34] Speaker C: I don't know, but it just kind of works out that way, doesn't it?

[00:09:37] Speaker A: I don't know how we get along so well.

[00:09:39] Speaker C: Yeah, well, maybe it's because we see both sides of the coin here, so to speak. Maybe that's what it is. Well, so what is geoblocking? That's like I said earlier, it's like that prohibiting the traffic based on user location. So I guess one thing that I would say right off the bat, why I don't like it: there's legitimate traffic, right? Just because it's destined to or coming from, say, Russia or wherever, Netherlands, there's a ton of traffic that comes from these places that's legitimate. So if you just say, okay, no Netherlands, sorry, we're blocking you, you're not United States. Are you running the risk of just blocking that legitimate traffic?

[00:10:22] Speaker A: Well, John, for this I'm going to get specific on the geoblocking. If you're doing IP-based geoblocking, you need to just focus on blocking the incoming. I do think that you're setting yourself up for failure if you're blocking outgoing. Well, and if you're going to do the outgoing, then I would just do the countries on the hit list, such as Russia, North Korea. But for inbound, I think for me it's always been a safe practice to block all the countries that you don't do business with incoming. So at our current location, we're blocking everything except for the US and Canada, and have had good success with that.

[00:11:03] Speaker C: And that's on the inbound side. So you're saying... so it sounds like you're making a concession to me right off the bat with this outbound thing. So am I getting a point for that?

[00:11:13] Speaker A: Maybe I'll say this with a quarter of a point. Anything. I'll say this, I really love the 80/20 rule. Okay. Just like when we were talking about the phishing test, if we can do 20% of the work and get 80% of the results, that's what I'm going to focus on. And for the geoblocking on the incoming, that's very little work for most systems, and you can get 80% of the results.

[00:11:43] Speaker C: Yeah, okay, I see that. So I guess I was just thinking of that legitimate traffic. What if you have a member that resides outside the United States?

[00:11:51] Speaker A: So I've had one instance of that at my current location. They were on vacation and they were in Jamaica, I believe, and wanted to pay their bill. And we told them that basically they weren't able to make a payment online during that time and just to make it afterwards; they weren't in danger of being cut off. I spoke with the member service rep and stuff like that, just to verify there was no danger of that, and they didn't really have an issue with it. I explained that we do it for security purposes, and they were just happy that we were being safe.

[00:12:25] Speaker C: Yeah, and I guess the other use case there that could happen is that you would have somebody that would be on vacation and trying to work, right. And then they can't get back to resources or whatever. Right.

[00:12:36] Speaker A: And I'll be the first to admit that has happened several times. One thing I do like to stress is, folks, when you're on vacation, take a vacation.

[00:12:46] Speaker C: Yeah, that's a good point. I think I've won three points here, right? That's what I'm looking at. I'm just looking at a scoreboard. I'm thinking, I don't know on that.

[00:12:55] Speaker A: Let me back that up just a little bit more for the folks on vacation. So most of us go through an annual audit on the finance side, but they usually have some questions. And one of those questions I've always seen at both Buckeye REC and at Fort County is somewhere along the lines that people are taking vacations, and that way that there's some kind of... I'm trying to think of the term for it, but basically that they're away and they're not doing anything malicious and trying to hide stuff, and the folks can fill in for them. So I think doing this kind of helps that. If you got someone that has to be logged in, then you might have bigger issues than geoblocking.

[00:13:35] Speaker C: That's a good point. All right, so I'll give you one point. I think it's three to one or two to one? Two to one so far.

[00:13:40] Speaker A: I'll take that.

[00:13:41] Speaker C: All right, two to one. Okay. So two to one, John. And if you disagree, by the way, if you're listening and you disagree, we'd love to hear, you know... we actually had on the last podcast, we had some really good input from a guy on LinkedIn, and he was a developer at Microsoft, I think, and listened to the podcast and just gave us all this great feedback about passwords and stuff. So that was fantastic. So we love hearing that feedback from our listeners.

[00:14:06] Speaker A: For sure. Yeah, we appreciate that.

[00:14:08] Speaker C: Let's see, what about another bad idea? I mean, doesn't this give you a false sense of security? Which we had this same exact thing with... this was kind of the point that I brought up in the phishing episode: just because you block these certain countries, that doesn't really mean you're safe from attacks originating from that country, does it?

[00:14:31] Speaker A: Well, the way I look at it, it's just another layer. I know it's kind of an antiquated term at this point, but defense in depth. I still love that term and love that practice for this. There's all kinds of script kiddies out there, or people that are going to be lazy and not try to get a VPN connection or use a proxy server. And you know what, this does block some of that traffic, and this may stop them from digging further.

[00:14:59] Speaker C: So I guess what you're saying is that it may have limited effectiveness. Yeah, that's my whole thing. I'm not against it, per se. I mean, I am for the purposes of this episode, but I guess my thought is I wouldn't want anybody to do this and think, oh, well, we've blocked everything outside the United States, so we're fine, we're never going to get hacked.

[00:15:17] Speaker A: Yeah, no, it definitely won't eliminate you getting hacked, but I do think it's just another good layer to add to your protection. And I'll say this for bare bones basics, and I'm sure we'll get into patching and vulnerability management. And I guess the main thing I want to get at is, if you are not doing vulnerability scans on your system, you really don't know that you have an effective patch management solution. But with that, the people after the easy hacks, they're just going to be scanning, looking for weaknesses across all IPs. And you never know, this may save you. Of course it may not. They may use a proxy server or VPN connection to be able to get access. But I do think that it does protect some folks at least a little bit. What else do you got against geoblocking?

[00:16:06] Speaker C: Well, it's just a pain. I think it's a pain to keep up with. You've got to have this block list and you've got to sit there, because IPs, they just come and they go. Just because you block it today, you know what I mean? If you geoblock, you're doing, you know, big blocks of countries, but you just got to maintain it.

[00:16:28] Speaker A: Well, John, let me introduce you to something called modern technology. Now, I'll admit back in the day, matter of fact, when I was getting my bachelor's at ECU, this was something I did a project on, and I'll admit back in the day, I can't remember where it was, but there was a free source to get the IP addresses. You basically give the country code and it'll give the IP addresses, and that could be updated. So you would need to be reapplying that occasionally if you want them to stay up to date. But that was several years ago, well over a decade ago. And I'm seeing in most systems that they natively support it, and you don't have to do it by IP address, you can do it by country code, and they're automatically pulling that data. I've seen that in Palo Alto firewalls, I've seen that in Microsoft under conditional access, and also in... really what you do is you just whitelist who you want to.

[00:17:32] Speaker C: And to your point on the whitelist thing, I do like that, especially in conditional access policies when you're talking about Azure, or Entra ID, now they call it. But I do like those conditional access policies, because the fact is our employees, at a cooperative, they're not going to be working outside the United States of America. So from an employee standpoint, now that's not just any general traffic, though. That's a very specific Office 365 login or whatever. Yeah, same thing with Duo. They should never be doing a two-factor authorization from Jamaica or wherever, even if they are on vacation. They just need to stop working if that's the... I guess, you know, it just comes down to, for me, that's kind of like my few things that I kind of think about: you're overblocking, or it gives a false sense of security. It has the complexity, and it's limited effectiveness, which leads back to the whole false sense of security thing. I think anybody that's worth their salt in the attacker world is definitely never going to let you know that they're coming from wherever these bad places are. It's going to come from inside the United States, and you're not going to block that traffic.

[00:18:46] Speaker A: Yeah, well, I'm going to give an example that doesn't really help me or help you, but it is related somewhat, and that's the Microsoft legacy authentication, which they have blocked. I believe they blocked that, and I can't even remember if it was October of last year or 2021, but we had it blocked before that. But before we blocked it, we were looking at what was utilizing legacy authentication, and it was almost always coming from overseas IPs. And the bad part about the legacy authentication, it bypassed all of your conditional access rules that you had. So the two-factor, the geoblock that we had in place, legacy authentication bypassed that entire rule set. But the scary thing was, I just remember looking at those log files for a couple of weeks while we were working on disabling it and making sure we weren't blocking anything or going to hinder anyone from working. But they were basically guessing user creds and passwords constantly from overseas. It was obviously some kind of automated system. I know that doesn't really help either of us, but I do think if you're not doing geoblocking, you're going to see that traffic and see people trying to SSH into a port if you got that open, or other types of authentication.

[00:20:10] Speaker C: Yeah, I think we can agree on this point that it basically gives you limited effectiveness and at least stopping that 20%, or maybe it's 80%, whatever the number is. 80? You think it's 80 of the... actually.

[00:20:25] Speaker A: Yeah, I don't think it's 80, but it is up there.

[00:20:27] Speaker C: Yeah, sure, whatever the number is. It doesn't matter. What the point is, I guess, is that it is blocking the stuff that is the low level, the low-hanging fruit, the easy stuff. And I guess my concept, or my philosophy, I guess, is a better way to say it, of information security or running a secure organization has always been, I just want to make it a little bit harder for them to where they're like, no, I'm going to the next guy. That's always kind of been my... maybe that's a bad philosophy, I don't know, because sorry for the other guy, but if they don't do what they need to do. But that's kind of always been my philosophy, is like, I just want to make it hard enough to where they're just like, okay, this is too much, I'm going to the next one.

[00:21:09] Speaker A: Well, I'm glad you agree with me, John. That's great to know that.

[00:21:12] Speaker C: Yeah, you really presented some arguments that were just so convincing that I had to agree with you.

[00:21:20] Speaker A: I do want to throw one more stat, just because I like numbers, but I did take a peek at our firewall and the geoblock rule that we have in place. It drops 294,000 packets a day on average for the last six months.

[00:21:34] Speaker C: Yeah, that's good. You should make a rap song out of that. Just dropping packets.

[00:21:39] Speaker A: I bet we can do it on ChatGPT.

[00:21:41] Speaker C: Yeah, we probably could. We'll have Max Baker, we'll have him rap it. He's good at that. Okay. Yeah, so that's good. So that's pretty much everything I think we have for this one. Oh, one thing I was going to say, it's not necessarily a real-life example, but that false sense of security to me, geoblocking, if it's not done right. So I'm not totally against it, but if it's not done correctly, I think what it does is it gives that false sense of security. It's kind of like doing those banners inside your email that says, hey, this originated from an external source. If you do that on all those emails, after a while it just gets ignored. And it's the same thing if I send every single email with that important flag on; just after a while, nothing's important.

[00:22:24] Speaker A: Yeah. Those banners, I don't think, help long term.

[00:22:27] Speaker C: No, they don't. They do for like five minutes or whatever it is in the beginning, and then after that, it's kind of like limited effectiveness. And so I guess when we're dealing with a modern attack surface and a modern threat, we want to do something that's the most effective as possible. So I'm not saying you shouldn't do this. I guess that's my conclusion. Not saying you shouldn't do this. Personally, I didn't ever do it. I just never thought it was that... I didn't want to maintain it. We're a small shop, we already had enough on our plate, so that was my take.

[00:23:01] Speaker A: Well, with modern technology, it's not that much work.

[00:23:04] Speaker C: Well, I'm glad to hear it. I'm glad to hear there's some modern technology that can reduce my workload.

[00:23:11] Speaker A: Thank goodness, actually.

[00:23:13] Speaker C: Okay, so kind of recap. We always do a little recap here. So basically we talked about what geoblocking is. We talked about some of the pros, some of the cons. I think Cisco and Palo Alto also do this by default, out of the box, anymore anyways. I think it's pretty easy to turn on. We talked about some of the negatives. Maybe it is... you're going to overblock. You probably have to go back. That's where I'm talking about the maintaining part of it. It's easy to turn this on, but if you've got something that's not working, you never know where an AWS server might be living somewhere, and you might end up blocking some traffic that's legitimate. Also, it could give a false sense of security if it's not done correctly. So it has limited effectiveness. And any skilled attacker is not going to do... they're going to go right around, I mean, they're just going to come from the United States anyway. So that's all that. So now I want to thank John Watkins for sponsoring the episode. We again want to give a little shout-out and ask that if you're interested in sponsoring the podcast, please contact us. We would love to talk to you about sponsorship packages where you can sponsor multiple shows or even have one whole episode dedicated to your product. And what we'll do is Anthony and I will just argue with you as to why your product is even good at all. And we'll do the same thing we do with our stuff. But anyway, we would like to have some sponsors, and also, if you don't want to sponsor, then you can support the podcast through our donate link. So we have a link to that on our web page and you can donate; you can do a one-time donation or a recurring donation, and all that would be totally appreciated, for sure. We want to thank everybody for tuning in. We're getting more and more listeners as time goes on, so we greatly appreciate that. Anthony, any final thoughts?

[00:25:10] Speaker A: Just looking at the geoblocking again, I do think you're asking for trouble if you're blocking incoming and outgoing. I would just focus on the incoming. It's kind of the low-hanging fruit, sure, but a lot of applications you're going to see that natively support this. But like John mentioned, it can give you a false sense of security. And just like I talked about the legacy authentication, that bypassed everything that we had in place. So that geoblocking was not helping us for that. And like you said, a true pro is going to have a proxy server or VPN connection getting them access to a United States IP. But it's low-hanging fruit. It's another layer you can add to your defense in depth. So I definitely think if your system supports it, it's definitely worth looking into. And also just wanted to mention, appreciate any donations or sponsors. We'd love to get some funds and reinvest it in podcasts and make a better product for you all.

[00:26:18] Speaker C: Absolutely. Once again, thanks for listening to Off the Wire, a play by play on cyber issues. This episode has been all about geoblocking. Is it the Iron Mike Tyson or the Justin Bieber of data protection? So once again, this is John Watkins and Anthony Kent saying thank you, and we'll see you next time.

[00:26:37] Speaker A: Thank you, everyone. One, two, three. Come on.

[00:26:40] Speaker B: Thanks for listening to Off the Wire, a play by play on cyber issues featuring Anthony Kent and John Watkins. Make sure to like, subscribe, follow and, hey, share this podcast. If you liked it, we appreciate it. Appreciate your time. See you next time. The views and opinions expressed in this...

[00:27:02] Speaker C: ...podcast do not necessarily reflect those of John Watkins Consulting or its affiliates.

[00:27:06] Speaker B: Always consult with a qualified cybersecurity professional for tailored advice.
