Nonprofit Radio for January 10, 2022: Nonprofit Software Vulnerability With log4j

My Guest:

Joshua Peskay: Nonprofit Software Vulnerability With log4j

Happy New Year! There’s a software risk gaining attention and there’s a good chance you’ll need help diagnosing and repairing it. You don’t need to hoard gas, cash and toilet paper. Just be aware and do the repair. Joshua Peskay, from RoundTable Technology, sorts it out.

I love our sponsor!

Turn Two Communications: PR and content for nonprofits. Your story is our mission.

 

We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners

Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.

Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.

Transcript for 573_tony_martignetti_nonprofit_radio_20220110.mp3

Processed on: 2022-01-07T15:56:41.833Z

[00:00:10.04] spk_0:
Hello and welcome to Tony Martignetti Nonprofit Radio.

[00:01:11.84] spk_1:
Big nonprofit ideas for the other 95%. I’m your aptly named host of your favorite abdominal podcast. Oh, I’m glad you’re with me. I’d suffer with proctosigmoiditis if you inflamed me with the idea that you missed this week’s show, Nonprofit Software Vulnerability With Log4j. Happy New Year. There’s a software risk gaining attention and there’s a good chance you’ll need help diagnosing and repairing it. You don’t need to hoard gas, cash and toilet paper, just be aware and do the repair. Joshua Peskay from RoundTable Technology sorts it out. And Tony’s Take Two: Thank you, Gene and Amy. Sponsored by Turn Two Communications. PR and content for nonprofits. Your story is their mission. Turn hyphen two dot c o.

[00:01:45.14] spk_2:
It’s a pleasure to welcome back Joshua Peskay. He has spent nearly three decades leading technology change for over 1000 nonprofits. He’s especially dedicated to improving cybersecurity in the nonprofit sector and works regularly with at-risk organizations to address digital security challenges. He regularly presents and teaches on topics including technology strategy, cybersecurity, project and change management. You’ll find him at Joshua Peskay and the company is RoundTable Technology. Joshua, welcome back to Nonprofit

[00:01:54.14] spk_3:
Radio. It is an absolute pleasure to be here, Tony. Thank you so much for having me on.

[00:01:58.17] spk_2:
Oh, it’s it’s my pleasure too, and it’s been the three years or some since, since 18 NTC

[00:02:05.47] spk_3:
when you were. Yeah, which was that the, no, that was the second to last in-person NTC. They did the 2019 one and then it’s been virtual since. Yeah,

[00:02:14.24] spk_2:
Second to last, yes

[00:02:16.74] spk_3:
and Happy New Year. Happy New Year to you as well. Happy holidays to you and all your listeners as well.

[00:02:26.24] spk_2:
They’re our listeners today. Not my listen, they’re ours share and share. That’s fair. Our listeners.

[00:02:30.24] spk_1:
Um all right.

[00:02:42.74] spk_2:
Log4j, potential security vulnerability that uh, well it is a security vulnerability that nonprofits potentially have. Give us the, the the 30,000 ft view before we dive in. What, what is this Log4j?

[00:05:43.74] spk_3:
Yeah. So Log4j, first of all, on a technical level is a Java-based, that means the programming language that it’s written in is Java, and it’s a logging utility that is used predominantly on servers on what are known as Apache servers which run just a huge amount of the things that run on the internet. And this logging utility um, is a little bit of code that developers use to log things that happen on the server and then generate reports or create actions to help them identify bugs or other things that would go on. So that’s what Log4j is and it’s very, very widely used. Um, and unfortunately it was disclosed, I think around December 10 was when it became public knowledge that there’s a pretty rough vulnerability in it that allows an attacker to essentially take control of a server that is running Log4j in an incredibly simple way. And the organizations like the center for Information security um and the Cybersecurity and Infrastructure Security Agency or CISA um they use this um terminology called CVEs which is common vulnerabilities and exposures I think um I always forget what that stands for. Um yeah, common vulnerabilities and exposures or CVE, they have ratings of like 0 to 10 for how bad it is. So zero is like that’s not too bad. 10 is this is Armageddon and this is a 10 and the reason it’s a 10, okay, is twofold in the most simple way. One is that it’s a actually, I’ll say three. Okay, there’s three reasons. One is that it the vulnerability is the most, the worst thing possible that the exploit of the vulnerability allows complete takeover of the system that is exploited. So if your server is running this Log4j utility and I can send it a single packet of data, I can take it over and now do anything I want on that system. So it’s really bad. Second is that at a rough estimate, uh this is running on something on the order of three billion devices um that are connected to the internet in some way. So it’s running on everything.
And the third thing is that doing the exploit is incredibly easy. So a 12 year old can go download a little bit of code off the Internet and automate it and go out and find servers that are running Log4j and take them over. So incredibly easy to exploit. And the combination of those three things is why all the security experts around the world started freaking out to varying degrees around December 10.

[00:05:55.54] spk_2:
Okay. And and CISA calls it a 10 out of 10. Yeah, this is all very interesting. I just saw the movie Don’t Look Up with Leonardo DiCaprio, Jennifer Adams, Meryl Streep.

[00:06:00.49] spk_3:
Someone was just telling you about this movie. I have not seen it yet, but mixed things about it. But yeah,

[00:07:24.24] spk_2:
A comet is coming to Earth. Uh, they this comet is categorized as a planet killer. Uh, and the President, Meryl Streep, is uh, not initially focused, you know, and she, in the first meeting with the two folks who have identified this comet and its trajectory right toward Earth. You know, she decides to sit tight and assess and, and their estimate is that the comet is gonna hit Earth within six months. And it’s a it’s a planet killer. It’ll it’ll make us extinct. But she takes a sit sit tight and assess approach. Yeah. Right. So, so I’m I’m tempted. Um, No, but I don’t wanna I don’t wanna be that like physical about it. Um, but I want to keep things in perspective too. So, but 10 out of 10, you know, from CISA. That’s that’s significant that obviously. So. All right. And thank you for explaining why it’s called Log4j and what a logging application is. I’ve I’ve sometimes looked at logs and it’s just thousands of lines of activity that could be incremental, like every every couple of seconds or something depending on what the, what the, what the, what the activity is that the log is logging. Um it mean it means nothing to me but

[00:08:14.94] spk_3:
to write essentially a bit of code that runs on servers. Um there’s a really funny XKCD cartoon. I can, I can send you if you want to include in the show notes. Um XKCD is a cartoon by a cartoonist named Randall Munroe. And he created this cartoon like two years ago. That’s like uh you know, the entire internet infrastructure. And it’s like this giant kind of house of cards thing, you know that everything is on top of. And then at the very bottom there’s like this one thing that’s holding the whole thing up and it’s like, this is a bit of code written for free and maintained for free by some developer in a small town in Nebraska. And this was like two or three years ago that he wrote this because he’s kind of like noting how so much of the critical infrastructure of the internet are just open source free projects that people maintain in their free time. And this is, this is almost literally that like this is just a utility that someone made a long time ago that no one pays for that’s free to use that was useful and everybody used it. And then it was like, oh, this has a vulnerability. We we now have to fix it and it’s everywhere.

[00:08:29.53] spk_2:
Send me a link to that that drawing because I know the one you’re talking. Another one you’re talking about. I think I saw it on your LinkedIn.

[00:08:35.54] spk_3:
Yes, Yeah, yeah, yeah.

[00:08:37.35] spk_2:
But I want to include it. I’m gonna put it next

[00:08:39.11] spk_3:
to your headshot show in our show notes. Yes.

[00:09:35.04] spk_1:
It’s time for a break. Turn Two Communications. Your 2022 communications plan, lots of projects on there, lots of writing. You can take the biggest projects off your plate and outsource them. Free up staff time to devote to the work. It’s not feasible to outsource the annual report does not need to be done in house just because it always has been, doesn’t mean it has to be. How about research reports, white papers, this stuff can be outsourced. Do you need help with your writing projects in 2022? Turn Two Communications, your story is their mission. Turn hyphen two dot c o. Now back to Nonprofit Software Vulnerability With Log4j and Joshua Peskay.

[00:09:44.04] spk_2:
And you also said it’s on three billion devices now, potentially. So it’s not just server level. Right? This could be an

[00:12:36.74] spk_3:
individual works problem. Yeah. And so, so here’s where everybody’s gonna start panicking, right? Which is, they’re like, well, if there’s three billion devices go ahead. Yeah well we don’t wanna panic. Right. Right so so people are thinking oh gosh I must have one of those devices or or more more of them in my home. And so the first thing is just you know calm down take a breath. Um But it it’s the most critical things are you know from a prioritization standpoint are things that accept input from the internet. Now this might be something that non technical people would would have difficulty understanding. But the average computer that you’re using or the printer in your home most likely is not accepting input from the internet meaning someone from the internet can’t just go and communicate with your printer or your coffee maker or your Amazon Alexa. Right? Because it’s not accepting input from the internet. The way most devices on most networks and in most homes work is it’s a kind of one way invitation traffic rule. So your computer can get data from the internet and in that respect accepts input because the data comes in. But the only way data comes in is when you request it. So when you type Google dot com in your web browser your computer is essentially making a request out to the internet and saying I’d like this information sent to me and then the internet sends it. But the internet can’t on its own. No one out of the internet on their own can send data to your computer without you requesting it. Okay that’s most cases, most people wouldn’t know whether their network or their devices are set up to receive input from the internet or not. But mostly they wouldn’t be they would have to have done something specifically to put themselves in a state where their home devices would be accepting data from the internet.
But if you have a server that you’re using for any reason in your organization that accepts input from the internet then that server is if that server has this vulnerability on it by the time you’re hearing this podcast, it’s probably compromised already. And the term that CISA and CIS and other security agencies use is assume compromise and that’s the stance they’ve had for several weeks. Now we’re recording this in December 28th. If you’re listening to this, let’s say January 15th. You know you’re and you have a server or more servers that are X. That are accepting input from the internet that have this vulnerability and you’ve done nothing about it at this point. You would assume compromise and that means um you need help. You need someone who knows how to go look at your server and look for indications of compromise and remediate them meaning fix them and undo them so that your server is not compromised. Um You’ll need help at that point. Okay

[00:13:04.94] spk_2:
let’s start with the first of all, thank you for being a calm voice and and explaining things. So you keep yourself out of jargon jail, which I appreciate our listeners appreciate. I I hate to slap you into jargon jail so

[00:13:09.83] spk_3:
but keep me keep me honest on it, Tony. If I, if I say stuff that’s like, you know, if I’m either being condescending or you know, you know, saying things that you are not, you know, the folks aren’t gonna understand. Call me out all the time. I

[00:13:53.94] spk_2:
will well condescending, I’ll just shut off your mic and we’ll just end perfect. I don’t I don’t tolerate condescension but jargon that’s recoverable. So let’s start with the case. Uh, you know, our listeners are small and midsize nonprofits. Let’s start with the nonprofit that does not have a person devoted to IT, let alone a team or you know, doesn’t have a devoted consultant. Do they need a consultant? Can they what what what should the non-IT-affiliated nonprofit?

[00:17:13.64] spk_3:
Sure. So let’s say you’re, you know, a 5 to 50 person nonprofit. Maybe even up to 100 staff. Okay. And you have no dedicated IT person, maybe you have an accidental techie, maybe of like a, you know, Joe or Jane Laptop that helps you out with stuff, you know, as a consultant or maybe you work with a small managed service provider. Um someone who helps you with your technical, but let’s say you don’t have any dedicated resource. Okay. Whether you’ll need help or not, depends on whether the directions that I’m going to give you now are something you could do or you have someone in your organization who could do this. So what you would need to do okay is I’m gonna use two big words and then I’ll explain them. Enumerate and remediate. Okay. These are the two most important things to do in order. Enumerate. All right. Or enumeration is the act of figuring out what are all the things we have that may be vulnerable to this exploit. Okay. So I’ll give you just a simple example. We know uh and there’s a link will give you in the resource because again, CIS has a resource of all of the software applications, products, devices that are known to have a Log4j vulnerability in that. So let’s say for example, I’m a typical nonprofit and we’re we have out of our 10 staff. We have five of them that use Tableau Desktop because we purchased it from TechSoup and we used Tableau to do some data visualizations. That’s a really common application that lots of nonprofits would have running on their desktop. They probably aren’t updating it that regularly. Could be an older version. Tableau, which is now owned by Salesforce. So it shows up under Salesforce is listed in this directory of all the vulnerable applications.
So you need to if you know that I have Tableau, I need to go to this list I need to search for Tableau and then I need to follow the links to see if the versions of Tableau that I have are in fact vulnerable and if so what I’m supposed to do about that, which is usually going to be to run some patch that updates it. So you need to do that for everything that you have. So the enumeration part is figuring out what’s all the software and devices that we have. Our firewalls, our wireless access points, the operating systems that run on our computers, the software that runs in our computers and for many organizations, you’re already saying we have no idea about any of those things. We don’t have that written down anywhere. We don’t and that’s a real problem. And that that problem, you know, when, when you go to best practices about how to govern technology, they’ll say have an inventory, have it current, you know, have it automated, so you can just go look online and right, this is why this is one of the reasons why that’s really important. If you don’t have that, this job at this time becomes extremely difficult for you. But if you don’t do it, you have no idea what vulnerabilities you have. It’s like not going in to get a physical in your doctor’s office for 20 years. You know, when you finally do go in, you’re probably gonna find a bunch of things that you maybe would have wished you found out earlier.

[00:17:20.14] spk_2:
Alright. So even before we get to remediation. Enumeration sounds overwhelming.

[00:17:47.04] spk_3:
If that sounds overwhelming then you need help. If there’s some if you have your accidental tech in your organization, you play them that part of this interview and you ask them could you do that? Apologize for sirens coming by? I don’t know how my Yeah, sorry about that. But if that person listens to it and says yes, I can do that. Give me a day or two. I’m pretty sure I can do that. Hey then you can do it if you have them listen to that and they’re like, I absolutely can’t do that. That sounds totally. Then you need help.

[00:18:01.14] spk_2:
Okay, let’s go to remediation then. So once you found out where your potential vulnerabilities are,

[00:18:07.04] spk_3:
yes, we do this

[00:18:08.04] spk_2:
patching. It sounds like in

[00:19:46.94] spk_3:
most cases exactly. So we’re saying okay, we’ve got five people running Tableau Desktop, this is the remediation that we need. This is the software that needs to be updated. This is the setting that needs to be changed. I just whatever the instruction says, I need to go do it and check it off my list. So let’s say we have a SonicWall firewall that’s in our office network and that’s still running and we still have people coming to the office. So we need that to work. I need to go to the CIS for the enumeration piece um go see if the model of SonicWall and the software version that we have on it. That’s our firewall. Is that listed here? If it’s not? Yeah. See we’re good. I can check that off the list if it is listed now. I need to follow the link through and see what is the remediation that I’m supposed to do to fix the vulnerability. Right. The enumeration part is I now know it’s vulnerable because it showed up on the list and then I verified it’s and it’s part of why this is hard for non technical people is you know, SonicWall has I don’t know 100 different firewalls that are out there in the world. Maybe more than that. And they’re at all different software versions. Right? And firmware versions. Firmware is like software that sits on a hardware device so it’s typically called firmware. Alright? But it’s just like software, you update it just like any other software and so I need to both see what model of SonicWall I have, the software or firmware version that I’m running on it, verify whether that SonicWall and that software version are vulnerable. And if so what I need to do to remediate it and I need to do that for everything that I have. All right.

[00:19:56.94] spk_2:
Let’s just let’s let’s just get help. You’re just gonna have to if you don’t have someone devoted who can do this like like Joshua said play it back for them. It sounds it sounds as foreign to them as it does to me. You need you need you need help. You need help. Alright.

[00:21:38.64] spk_3:
And the urgency is like if if you have again public internet facing stuff, if you have if you know or think you have a server that accepts input from the internet, right? Again, if you don’t understand how to even know that, then you need help. If you have no organization that can help you understand that. But if you do know that that is by far your top priority and again, by the time you’re listening to this, if you haven’t done it, assume compromise. It’s it’s probably it’s not that it’s too late but it’s but you’ve probably been compromised already. And so the question is what do we do from that point? Um and what you’d like to do is learn about it before you learn about it from a ransomware demand. Right? Because what’s what you’re worried about is that that compromise will eventually be exploited by what what attackers are doing is exploiting systems and then putting in persistence meaning a way for them to stay connected to the environment. Once this vulnerability is patched. So if they’ve done that, once you patch the vulnerability, it doesn’t matter because their persistence is already there on the system. Right? So the next thing they do is exploit you by doing a ransomware attack or installing crypto miner software on your server or doing any of a dozen other things to leverage the resource that they have taken over and what you’d like to do is find out that they’re there and remove them before they notify you by sending you a ransomware notice.

[00:21:47.94] spk_2:
Okay, we need help.

[00:22:04.04] spk_1:
It’s time for Tony’s Take Two. Thank you, Gene Takagi and Amy Sample Ward, our contributors. You know them, I barely I don’t even have to say it right. You know, I have to honor them

[00:22:05.94] spk_2:
to give them tribute,

[00:22:20.34] spk_1:
but you don’t really need me to introduce them. You know that Gene is our legal contributor and that Amy is our technology and social media contributor, you know this and longstanding to boot

[00:22:22.64] spk_2:
Gene.

[00:22:36.94] spk_1:
Gene has been with Nonprofit Radio and me since the first several shows, it was 2010, kicked off the show in July 2010. And Gene was on very soon

[00:22:40.44] spk_2:
after the very first show

[00:24:03.14] spk_1:
early, early early days. Amy Sample Ward joined at the 100th show. So that would have been July of 2012, 50 shows a year. Mhm I’m grateful. You know, they take time each time they’re coming on. You know, they come up with the topics we we exchange messages about them talk a little bit sometimes, but you know, they’re doing the lion’s share of the work and then of course, you know, thinking about how best to explain it and then spending the time to explain it all valuable for you all great value for you. So I am grateful to them for so many years of contributing to Nonprofit Radio and helping you listeners. Our listeners. Thank you Gene, thank you Amy. That is Tony’s Take Two. We’ve got barely a butt load more time for Nonprofit Software Vulnerability With Log4j. This week is short, less time to get aware, more time to do the repair. And I’m gonna I’m gonna keep pushing this rhyme until I can’t stand to hear it anymore. Let’s continue.

[00:24:15.94] spk_2:
If you have an IT devoted team, then certainly by the time that I’m playing this that that team must know that otherwise you need to fire your team and and get a new

[00:24:30.94] spk_3:
team if you have a if you have a cybersecurity, if you have someone who purports to be a professional information technology provider, right? Whether they are your own staff or whether they are an outsourced provider and they haven’t talked to you about Log4j and what they’re doing about it, then I don’t believe that they’re serving you very well. I think that’s fair to say,

[00:24:40.54] spk_2:
Okay, well we’ll leave it at that. Well, let the CEO and executive directors deal with their C.

[00:24:47.85] spk_3:
IOS and

[00:25:13.64] spk_2:
uh IT, IT managers. Okay, now I looked at the uh the CISA, CISA again is the Cybersecurity and Infrastructure Security Agency. Um just for context. That’s that that’s the agency that Christopher Krebs came out of in the Trump administration and said that 2020 presidential election was the most secure election in the nation’s history. That’s that’s

[00:25:16.31] spk_3:
CISA, the cyber, summarily fired, but that’s a separate

[00:25:20.66] spk_2:
Yes, he was he was fired but he said yes,

[00:25:24.22] spk_1:
I’m trying to stay away from

[00:25:25.78] spk_3:
I’m a huge fan of So this is

[00:25:29.20] spk_2:
offered not for political purpose. This is offered for context.

[00:25:32.74] spk_3:
Yeah, for context. That is that is CISA, and they’re they’re, I believe, part of Homeland Security.

[00:26:13.94] spk_2:
Yes, they are part of the Homeland Security agency. Yes. And they, you know, they’re the ones who said 10 out of 10. And in a press release they said, quote, this vulnerability poses a severe risk. They called it a severe risk, end quote. So you can go there, you can go to cisa dot gov and they have a page called Apache Log4j Vulnerability Guidance. You can search that: cisa dot gov, Apache Log4j Vulnerability Guidance. Without me giving you full URL of the page. Just just search that and they have a couple of valuable links as

[00:26:16.37] spk_3:
well. And and we have links to all that from our website. So if you want to start at RoundTable, just go to our website, search Log4j. You’ll find our our blog which we update as we have updates and that has all the links in it as well

[00:26:34.34] spk_2:
and that is roundtable technology dot com. If you want to follow Joshua, Joshua P E S K

[00:27:00.44] spk_3:
A Y. Yeah. Although you’re better off following at RoundTable IT. I’m I’m not on social as a rule like a little thing but I really don’t touch Twitter or Facebook really. Ever. So Twitter, or RoundTable’s Twitter is at RoundTable IT. Um And that’s a better place to follow. That’s where you’ll that’s where you’ll get updates of things. You won’t get anything from following me because I don’t post to Twitter hardly. Hell with Joshua Peskay.

[00:27:03.63] spk_2:
Don’t follow at Joshua, follow at RoundTable IT. If you’re following Joshua Peskay, unfollow, you’re wasting your you’re hurting your follower,

[00:27:13.44] spk_3:
It’s a follower following it. And uh and I don’t I don’t even know if I get notifications if you try to dm me like that, you know if you want to contact me. It’s Joshua roundtable technology dot com. It’s very easy to find me that way.

[00:27:25.94] spk_2:
Alright. Don’t use Twitter, you’re hurting your ratios. Unfollow

[00:27:29.49] spk_3:
him. If you ever our apologies to all you social folks, I’m just not a social guy in that regard

[00:27:35.44] spk_2:
now you sound very sociable otherwise just

[00:27:37.52] spk_3:
not really. Yeah. In person on zoom over the phone incredibly social online. Unfortunately not so much.

[00:27:44.57] spk_2:
Okay. And humble as well,

[00:27:46.94] spk_1:
let’s go to

[00:27:52.64] spk_2:
Something that you have on January 27. You have a training coming up, tell us about

[00:30:09.64] spk_3:
that. Oh my gosh we have, it’s a mouthful. So I’ll spit it out: the sixth annual best free one hour cyber security awareness training ever. My colleague Destiny Bowers, who is an absolute delight and also brilliant and who have worked with for a long time. She and I six years ago started doing awareness trainings with the goal of giving nonprofit organizations and small businesses an opportunity to get all of their staff cyber security awareness training at least once a year for free in a way that would be easily accessible for them, would be fun and would give them some incentives to for their staff to attend. So not only is the training free for literally your entire organization to attend, but we offer prizes over the course of our one hour training, so people have an opportunity to win up to $100. We give out typically $100 gift card, $50 gift card, $25 gift card and then we’ll give out other gift cards or, or prizes throughout the training. But at the end we do a quiz that is competitive. And so if you win the quiz, you have an opportunity to win $100. Uh and an Amazon gift card is what we typically give out. And so you can tell your staff your, if you’re a nonprofit leader, hey everybody sign up for this, it’s gonna be a fun training. Joshua and Destiny will try to make it entertaining, brisk and enjoyable and you have an opportunity to win prizes. And if you sign up with your organizational email, you know, uh, Tony at my nonprofit dot org, then RoundTable will actually send the organization a list of everybody that attended the training from their organization. So if you have a regulatory requirement that says, we have to train our staff, you know, with awareness training once a year, this can actually satisfy that regulatory requirement. If you’re in New York, New York SHIELD law requires that you provide awareness training to your staff.
So you can literally satisfy this regulatory requirement by having all of your staff attend this training, which again, is free and not only free, but you can tell your staff, hey, you can even win prizes by attending

[00:30:14.94] spk_2:
right. Win big prizes, free, epic, best ever training. More, more humility

[00:30:25.64] spk_3:
from Joshua Peskay. Yeah, again, the humility best ever. Yeah. And we say that every year because of course every year is is just a little bit better than the previous year. So it continues to be the best ever training until someone comes to us and says, you know, actually the training you guys did in 2019 was better than this one. So I don’t think this was the best ever, but no one you would, you

[00:30:47.74] spk_2:
would have the best you, they would be saying that you were one upped by yourself, there wouldn’t be any other,

[00:31:00.14] spk_3:
I I can’t conceive that there could possibly be any other training other than ourselves. I really feel like Myspace of best free one hour cyber security awareness training, I feel like we are really are our only competition. I

[00:31:12.04] spk_2:
hope you know what the word means. There’s a nod to, there’s a nod to Princess Bride inconceivable that there could be another another entity offering, offer anything offering anything comparable in cybersecurity. Alright, so where do we go for this damn thing?

[00:31:20.10] spk_3:
It is, I couldn’t make it any easier for you.

[00:31:22.87] spk_2:
It’s very simple.

[00:31:54.44] spk_3:
Go ahead. Best dot r t t as in RoundTable Technology dot N.Y.C. as in New York City. Doesn’t mean you have to be in New York City to attend, anywhere in the world you can attend. So best dot r t t dot N.Y.C. If you go to that URL, you’ll go right to our registration page and send it to all your staff again, have all of them sign up and you can all compete together and compete for prizes, have a good time getting awareness training and we, I love doing it, it’s sort of our gift to the nonprofit community to try to provide this training and make it fun and accessible for everybody and we’ve had so much fun, we keep doing it year after year.

[00:32:07.24] spk_2:
Is there a video, If folks cannot attend

[00:32:23.84] spk_3:
On January 27, sign up as with all things, then a recording will be sent to you the day after and you can take that recording and you can add it to your learning management system. If you have one too you know onboard your new staff whatever you want to do but of course you can’t win the prizes unless you attend the live strengthen

[00:32:28.84] spk_2:
you have to be like you have you must be must be present to

[00:32:32.14] spk_3:
win. Yeah

[00:32:32.67] spk_2:
win the big prizes in the in the epic best ever cyber security training. You’ll have to be present on January 27th 2022. At what time

[00:33:04.54] spk_3:
is one p.m. Eastern time? That’ll be 10 AM Pacific time. That’ll be noon Central time. If there is anyone out there on Mountain time I don’t know where you’re at in regards to daylight savings. I forget if you’re on Pacific time or Central time now so you figure that one out. If you’re on Mountain time, I’m sorry I wish I knew people

[00:33:12.74] spk_2:
will know people will be able to extrapolate hopefully from the Eastern time disclosure of of one p.m. eastern

[00:33:54.04] spk_3:
and we’ve even had organizations who we know nothing about you know who aren’t clients of ours reach out to us and say you know they found it on YouTube or whatever and they said can we you know use this recording for our onboarding package for our own staff or do we need to pay you or do you have rights or anything and then I’ll answer that question now for all of your listeners, Tony, go ahead. Free, take it, it’s yours. So if you sign up, you don’t attend live, you grab the recording, you chop it up and use it to onboard your new staff for the next year. That makes us super happy. Do it with our blessing. Don’t even have to tell us. Thank you. Okay,

[00:34:22.94] spk_2:
we’ve now spent as much time talking about the January 27th training as we have the subject of the podcast and the video, which is the Log4j vulnerability for nonprofits. He’s Joshua Peskay. They don’t follow him so I’m not going to repeat his, his Twitter handle but follow RoundTable at RoundTable IT. The company is at roundtable technology dot com. He’s Joshua Peskay, thank you very much,

[00:34:23.61] spk_3:
Joshua. Tony, thank you. It’s been an absolute pleasure,

[00:34:26.81] spk_2:
my pleasure as well. Thanks so much.

[00:34:54.64] spk_1:
Next week, Legal Outlook for 2022 with our Gene Takagi. If you’re not aware, you cannot repair. If you missed any part of this week’s show, I beseech you, find it at tony-martignetti dot com. We’re sponsored by Turn Two Communications, PR and content for nonprofits. Your story is their mission. Turn hyphen two dot C O. That’s the end of the aware repair rhyme scheme. It’s now ended

[00:35:31.84] spk_0:
Our creative producer is Claire Meyerhoff. Show’s social media is by Susan Chavez. Marc Silverman is our web guy and this music is by Scott Stein. Thank you for that information, Scotty. Be with me next week for Nonprofit Radio, big nonprofit ideas for the other 95%. Go out and be great.
