EP 186 The Real Difference between Vulnerability Scans and Pen Tests
MSP Business School, February 27, 2024


Show Website: https://mspbusinessschool.com/

Guest:

Name: Frank Raimondi

Linkedin page: https://www.linkedin.com/in/frankraimondi/

Company: IGI Cybersecurity & Nodeware

Website(s): https://igicybersecurity.com/ and https://nodeware.com/

About the Guest(s):

Frank Raimondi is a seasoned channel and partner strategy specialist currently associated with IGI Global, working specifically with their Nodeware product. With a wealth of experience spanning over two decades, Frank has a track record of fostering partnerships and alliances in the tech industry. He has previously held notable positions at Apple Computer and Intel, where he focused on maximizing value from hardware components and driving vendor relationships. His entry into the cybersecurity and software realm marks a significant transition from his earlier focus on hardware.

Episode Summary:

In the latest installment of MSP Business School, we are joined by cybersecurity expert Frank Raimondi from Nodeware, a part of IGI Global. This episode dives into the intricate differences between penetration testing and vulnerability scanning and their integration into the assessment processes for security validation.

We unravel the essentials defining each concept and explore their roles in fortifying MSPs against increasing cyber threats. Frank Raimondi elaborates on the vital mechanics behind vulnerability assessments and management, illustrating how these defenses act as a company's internal security checkpoints.

In contrast, he clarifies the crucial role of penetration testing performed by an external third party to ethically evaluate the security from an outsider's perspective. The conversation further navigates the relationship between these tests, cybersecurity insurance, and regulatory compliance, underlining the importance of ongoing scrutiny in an ever-evolving threat landscape.

Key Takeaways:

Vulnerability Assessments vs. Management: A snapshot of current system vulnerabilities against a continuous, proactive approach to mitigating them.

The Necessity for External Penetration Testing: MSPs must ensure that an independent third party carries out penetration tests for unbiased security validation.

Preparation for Compliance and Insurance: Active vulnerability management programs are becoming essential prerequisites for regulatory compliance and favorable cybersecurity insurance premiums.

Strategic Scheduling of Cybersecurity Tests: Implementing vulnerability management can prepare a system for penetration testing and vice versa.

Importance of Cyber Hygiene: Frank highlights four pillars of cyber hygiene: security awareness training, MFA, email security, and vulnerability management.

Hosts

Brian Doyle: https://www.linkedin.com/in/briandoylemetathinq/

Robb Rogers: https://www.linkedin.com/in/robb-rogers-07415251/

Tim McNeil: https://www.linkedin.com/in/timmcneil3/

Sponsors

vCIOToolbox: https://vciotoolbox.com

OSR Manage: https://osrmanage.com


Listen to MSP Business School on the Fox and Crow Group Your IT Podcasts Network!

[00:00:00] Welcome to MSP Business School led by our Deans of Business Development, Brian Doyle,

[00:00:08] Tim McNeil, and Robb Rogers.

[00:00:11] Each week MSP Business School is committed to delivering you proven strategies, tips,

[00:00:16] and tactics for MSPs to accelerate their business growth and revenue through better sales, better

[00:00:23] marketing, and true account management.

[00:00:26] Classes start now, so let's get started. to obviously share a little bit about his background as we always do, but to have a conversation on really what the difference is between penetration testing, vulnerability scanning, and how that all kind of weaves into the assessment process for validation. So welcome Frank, thanks for joining me. Yeah, thanks Brian, and appreciate the time and appreciate the partnership.

[00:01:40] It has been great to kind of learn about each other

[00:01:45] and get to know and work together.

[00:02:43] channel introduced, but not really fully engaged. So I've come on a little over two years ago.

[00:02:45] Matthew Koenig came on about a year ago,

[00:02:48] kind of building up our presence and our participation

[00:02:52] in our value add to the channels and MSPs in particular.

[00:02:57] I've been around maybe too long, I don't know.

[00:03:02] I think we can both be accused of that some days, Frank.

[00:03:05] Yeah.

[00:03:07] We've been around in channels with, if you will, from how I like to work with companies such as vCIOToolbox and others that we're partnering with today. Yeah, it's amazing how the, you know, this is really an ecosystem industry, right? All of our products tend to complement other areas. None of us can be experts in everything that an MSP needs in the stack. So it really gives us the ability to, you God, what, what, how much? You know, it's just all these different things that learn and then that transitioned as well and specifically in the MSP world as MSPs or resellers, if you know of ours were transitioning to MSPs, I was kind of making that same transition. So I understood a lot of what they were coming from

[00:05:40] and their struggles of what they were trying to deliver.

[00:05:45] And it's been a good and interesting into the heart of what we're going to talk about today. And that is, you know, there's a lot of confusion in the marketplace of what's a penetration test? What's a vulnerability scan? Are they the same? You know, you see some of these automated penetration testing tools, and how does that vary from more of a human-based and, you know, machine-based approach to it? So obviously, IGI has a lot of

[00:07:03] experience in that. And maybe you can help there that that could do that, you know, from from some network management tools to, you know, vulnerabilities programs like our like Nodeware or RapidFire Tools or, you know, the Nessus and connect qualities of the world. So that's sort of the first piece, right, which is clearly a one time snapshot internal view of what's there. vulnerabilities, whether it's like the ConnectWise one that came up the other day, or ones from Microsoft that come up all the time. Those are identified and normally, the MSP or the IT shop internally has to go, okay, there's a CVE, I'm going to find it, how do I figure out,

[00:09:42] how do I patch it, what do I need to do?

[00:09:44] The automation of that is what, the third piece of this role is the penetration test. So if you think of the vulnerability assessments and management as the inside, the internal look, you know what you've got, you're evaluating, you're trying to protect what you have and minimize the risk surfaces, the risk attack elements.

[00:11:03] Penetration test is really something kind of an automated, if you will, or electronic attack into the system. And then there's a comprehensive, which is more a real person trying to do different things

[00:12:20] in hack-ins.

[00:12:21] So there's ranges and they're priced differently

[00:12:24] based on the number of external sort of sites better cyber insurance rates, anything along those lines. So we kind of look at, so that's kind of the penetration test. So- And let's expand on that though, because something came to mind for me when you were talking there, how would an MSP be able to identify who might need a baseline, who might need a comprehensive scan?

[00:13:40] Really, that's probably a question on the table,

[00:13:43] because most of the customers are going to go,

[00:13:44] oh, I can do a baseline and satisfy my requirement,

[00:13:46] and that's going to cost less.

[00:13:48] Well, that's going to be just fine, right? I mean, in a lot of cases that is just fine for what they're looking for. Yeah, if the systems aren't mission critical, high PII or that type of information, I'm sure that you can get away with that piece of it.

[00:15:01] Yeah, exactly.

[00:15:02] And us or any other penetration test provider

[00:15:05] is going to be able to walk you through Right. Yeah, I agree. So one of the things that I think are sort of the back and forth of what you need and when you need it. What we've seen a lot of partners do is use start with, they know they need to do a penetration test,

[00:16:20] or their customer needs one within three months, let's say.

[00:16:23] By the end of the year or by the end of the quarter,

[00:16:25] they have to have this done.

[00:17:25] test isn't for six months or a year out, you need to make sure that the work that you've been identified is being worked on.

[00:17:27] So that's where penetration tests as a starting point is followed up by vulnerability management.

[00:17:34] That you're continuously looking for things, you're checking your work.

[00:17:39] You found this vulnerability in the penetration test, And we can, there's lots of consultants, a lot of expertise in this area.

[00:19:02] If you've got a CISO engaged you've kind of touched upon that a little bit. But when we talk about those that are regulatory best based, how can vulnerability and pen tests really help them get those certifications that a company might be looking for? Well, I mean, simplistically, in more and more cases,

[00:20:22] they cannot get that certification without having

[00:20:25] an active vulnerability management Insurance, right? It is an MSP friendly, or they're basically a broker for cyber insurance. And what we're working on with them is to help the MSP better the application, right? Because if it's garbage in, it's garbage out, they're gonna get a terrible rate or they may need to be, might not even get insured.

[00:21:41] So what we're working with them on is enabling the MSP

[00:21:44] to use a report like a vulnerability management report, development aware that where the importance of this information is going to enable, you know, just it's so silly that it's not silly. This is this is such basic blocking and tackling here that it just makes sense. Right. It's it's the more you can look at things practically.

[00:23:04] Again, as you said, all these things, the acceleration of threats.

[00:24:02] data is kind of one of the primary concepts here. But as we're talking and recording this today,

[00:24:04] all the cellular carriers are having a bunch of issues,

[00:24:07] right?

[00:24:07] Now, that could be as simple as somebody

[00:24:09] made a misconfiguration yesterday,

[00:24:11] forgot to put wr mem at the end,

[00:24:12] as some of my guys used to do.

[00:24:15] But you know, and there's an attack

[00:24:17] that's just looking to disable service, where there's

[00:24:19] other ones that are coming for your data.

[00:24:21] So you know, having this information

[00:24:23] and understanding where the vulnerability is

[00:24:25] and what it's too late. It does also speak to the fact that Node- Well, and just extend that to offering a pen test, right? If you're doing the right things and you're proud of what you've done and you deliver quality service, there should be no hesitation to offer a penetration test to your customer and say, hey, you're going to

[00:27:00] need this for X, Y, or Z requirement. I, we're nearing the end of our time here, Frank. So you know, what I want to ask you is if you have any closing thoughts. Oh, closing thoughts. I, you know, I kind of comes back to a bit of, you know, there's a lot of fear and uncertainty out there about what you should do and when you should do it. What

[00:28:20] what's the first step or, you know, I've got this tool kind of

[00:28:23] does that. But I want to kind know, looking at those elements and then understanding, you know, again, it's a bit of a question in Q&A with the customer and where

[00:29:42] they're at, what they need to do a look at that and see just, get the latest information. And there's some great information there to kind of find out how to get, do a demo or just get some information that gets you started. Great stuff. Well, in addition to that, Frank, we're going to be including your link to LinkedIn

[00:31:00] so people can connect with you as part of the show notes.

[00:31:04] And as everybody knows, you can get this podcast

[00:31:06] at anywhere you download your podcast or up on YouTube.

Tags: Cybersecurity, partners, Nodeware, Intel, validation, channels, ethical hacker, vulnerability management, assessment process, vulnerability scanning, vulnerability assessment, MSP Business School, Frank Raimondi, IGI Global, penetration testing, MSP world