
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Security in the News: Architects, APIs, and Alaska
Digital security breaches continue to dominate headlines, with T-Mobile's recent API vulnerability exposing personal data from 37 million customer accounts marking their eighth major security incident in just five years. What's behind this alarming pattern, and what does it tell us about the state of cybersecurity today?
In this thought-provoking discussion, we're joined by cybersecurity architect Matt Starland, who brings over 20 years of IT operations and security experience to the conversation. Together, we dissect the troubling implications of recurring breaches and uncover the complex challenges organizations face in securing modern technology infrastructure.
The dialogue explores how the rapid evolution of cloud services and API integrations has created an environment where security often becomes an afterthought to convenience and speed of deployment. We examine how least privilege principles frequently get overlooked in the rush to implement new technologies, creating dangerous exposure points for attackers. Matt shares valuable insights from his journey transitioning from IT operations to security architecture, highlighting the critical importance of proper configuration and validation procedures.
Beyond the technical aspects, we tackle the human element of cybersecurity challenges – from potential personnel gaps as security pioneers retire to the limited consequences companies face after major breaches. The conversation takes a candid turn as we discuss what individuals can do to protect themselves in a world where their data is increasingly vulnerable despite corporate safeguards.
Whether you're a security professional looking for perspective on industry trends or someone concerned about protecting your digital footprint, this episode offers valuable insights into the complex intersection of technology, business priorities, and personal data protection. Subscribe, share your thoughts, and join us in exploring how we can collectively build a more secure digital future.
You're listening to the Audit presented by IT Audit Labs.
Kyle Rosendahl:All right, welcome to the Audit. I'm here today with Nick Mellem and our guest Matt Starland. How's everybody doing today?
Nick Mellem:Excellent here.
Kyle Rosendahl:Really good. Good. Thanks for joining us, Matt. I just want to start off our recording here. Give you a chance to introduce yourself where you're involved in security, what types of projects you've done, and just tell us a little bit about yourself. Yeah, appreciate it.
Matt Starland:Thanks, Matt Starland. Been in the IT industry for a little over 20 years and maybe even longer if you include childhood. My dad had a computer business back in the early 90s so he was kind of teaching me how to work on computers and build and fix them, so going all the way from the old 8088s, 286s, 386s, so really got a good chance to see kind of the evolution of home computers and then that kind of created the passion to go into the IT industry full time. So been doing. We'll start off with help desk went from a help desk to a sysadmin, primarily working in the messaging side of the IT industry. So Microsoft Exchange, been in some big organizations from 10,000-plus users dealing with their email systems, and then started getting in the consulting world of divestitures, acquisitions and mergers, using that skill set of email skills and probably worked for close to 30 or 31 different companies, big Fortune 500 companies, helping on what they're those mergers and acquisitions and so, granted, I've been on the operations side for, you know, 20 years. Security was more of a secondary thing and kind of saw the writing on the wall here five, six years ago with the explosion of everything being interconnected and just the amount of breaches and security issues going on and decided to kind of jump ship out of the operations side of the world and go full-time into security and so now I'm working as a full-time cybersecurity architect.
Matt Starland:So a lot of projects using that you know operations side and implementation side of the world that I've been a part of, using those skill sets in the cybersecurity world to implement. You know technologies to help secure organizations. So you know integrating like multi-factor authentication into many applications, helping lock down and secure Active Directory, Azure Active Directory, privileged access management, a lot of different. You know identity kind of base tools. So not so much on the red team side but more the blue team and I think that's my passion. There is more on the blue team side just because of being in the operations field for so long and building things. That's kind of my drive and you know goal. But now it's taking that building things and how do we use those things to protect and secure an infrastructure.
Kyle Rosendahl:So but yeah.
Matt Starland:I would say that's kind of been my background and I mean for hobbies and interests outside of, you know, the cybersecurity industry I would say is probably the newest thing is 3D printing. Been doing that for about a year now and I think that kind of fills that need again of building and creating things and, you know, finding solutions to problems. So that's been quite the journey, learning that and you know, and also pretty much any of my you know kids' hobbies so it's become now my hobby. So that takes up a lot of time now these days too. So anybody that's listening that has kids you can attest to where you might have been out golfing a lot or doing a lot of personal things and so now they're out of age where they're doing those things. So I've kind of shifted my role in attending them and also teaching them new stuff, whether it's IT or sports. So yeah, it's kind of my life in a nutshell here. Cool, yeah, thanks.
Kyle Rosendahl:And I mean really, the reason we invited you on here is because, with your expertise in kind of the architecture of cybersecurity and your kind of engineering experience, right, you kind of sit in that hybrid role of developing and building those tools, also coming up with new solutions to bring in new items, bring in new technologies, looking at the broader scale of infrastructure. As an architect, you sit that hybrid role. Today, Nick and myself just wanted to really sit down and talk about some of the things that we're seeing in the security space. You know whether it's modern news stories that we want to hit on and just kind of talk about. You know what we're seeing, how we react to it, what we think that kind of means for security as a whole, and just kind of bring some of our own technical know-how into it.
Kyle Rosendahl:I would like to start off talking about a news article that I saw this morning that came out on Bleeping Computer. I saw it this morning on the 20th. It came out January 19th, so a day before today, 2023. And it's another article about T-Mobile getting hacked and allowing these hackers to access and steal personal data of like 37 million accounts. We'll put the link to the article in the show notes. Here. Architects and engineers, we touch on a daily basis and then has an implication to, I would say, probably most modern companies that have any sort of web presence. And it's not the first hack that T-Mobile has been a part of. So I'd love to kind of get your thoughts on. You know, do you work with API technologies? You know what are some of the kind of modern implications of that? And with this being kind of their eighth major breach in the last five years, you know, what does that kind of mean for policy wise, for these companies who continually allow for hackers to kind of get in? Yeah, love to hear your thoughts.
Matt Starland:Yeah, this is. You know, this is an interesting scenario. You've seen the evolution of going from installing applications on-premises to maybe back 15, 20 years ago where you didn't have well, I mean, cloud's always been around colo. You know data centers, where people would have spin up their own stuff in a somebody else's data center and then you create a VPN tunnel. I mean, some of that still exists today. But now with you know the landscape of your big major cloud providers, of Google, AWS, and you know Azure or Microsoft Azure a lot of use. You know now they use the different these types of APIs that integrates into your platforms and then you provide some form of a security key, a token, certificates or some credentials to provide access.
Matt Starland:And what I've seen usually when you get these documentation from vendors of here's how we connect our, you know hosted environment to your environment. Their goal is to integrate as quickly and as seamlessly as possible, and you know. And so when, when you look at this documentation, if you're not looking at it through the lens of, maybe, a cybersecurity professional, you're looking at it from the operation side of the world and you've got executives that are breathing down your neck to get something implemented by X date. Sometimes you know that security mindset starts to, you know, you don't. You're not viewing things as much as through security lens, as you should be, and you just kind of take the vendor's word for granted and you just implement as is.
Matt Starland:Well, when seeing these, you got to really look at what type of permissions are they asking. So, for example, let's say it's a type of technology that integrates with your email system and it needs to maybe read calendar data or somehow plug into your mailbox so that way it can seamlessly send emails from your you know exchange mailbox. A lot of these will just default to yeah, give us all access to all your mailboxes. And if you don't catch that, I mean think about this. Now you gave them some sort of a token security key account, whatever it is that has full mailbox rights across your whole environment, when only maybe a particular department needed that application. It wasn't an organization-wide application, and so it's all about reducing your risk.
Matt Starland:So why did we give this application or that API access to several hundreds of mailboxes when it only needed 10? So now if those credentials are leaked or they weren't fine tuned to just be a particular IP address to make that connection anywhere in the world or anywhere in the US, as long as they got that credential, could in theory access all those mailboxes when it only needed five or 10. So then you get into the aspect of well, those five or 10 might not have had sensitive data in them, but maybe the other 500 that it had access to had sensitive data and yeah, so it really comes down to what you know. One thing that I push all the time and the organization that I work at is least privileged access. Sometimes that's easier said than done because you start to get into a problem of finding that fine balance between operations and security.
Matt Starland:You know security we look at it as let's lock down, let's lock down, lock down, but then it chokes the life out of the organization to maybe effectively do business, but then at the same time too, if you don't, you leave it too open, then you run into this kind of maybe situation. Not saying that this is exactly how the T-Mobile breach happened, but typically it can help you reduce your exposure by following that kind of least privileged access. So you know, the point I'm trying to get at is it's met with all these different cloud technologies and different APIs connecting in. You really need to keep a close eye on one, what type of permissions the vendor is really asking for, you know, and and take a second look at it and just see the platform that it's connecting to, making sure that it is following you know, that principle of least privilege. But two, this goes back to your kind of um, your procurement process too, and how you're evaluating that organization and what type of security program they have in place to help reduce your risk.
Matt Starland:So, yeah, you know, when you see these types of things 37 million current postpaid and prepaid customer accounts it's really and it happens day in and day out. You go to bleepingcomputer.com or any other major web. You almost want to, you know, go live off in Alaska and live off grid sometimes. But I know this isn't the world we live in. It's becoming more interconnected. So I really find it's all about how can you reduce your risk and, you know, protecting yourself or your organization that is, you know, following that principle of least privilege. So, yeah, I that's I would say that's kind of my thoughts on. It is just, it's um, I'm not saying that there wasn't some other form of you know malicious, uh, activity that they found maybe a vulnerability, but I'm gonna say, most likely it's. My two cents is that it could have been just an overprivileged, I don't know.
Nick Mellem:What's your thoughts on your kind of take on it. Yeah, no, Matt, that's awesome. Great explanation there on your thoughts. If we cut the top off of this issue and we look in to see what's actually happening, do you? Would you, if you had to start pointing fingers? Would it go back to people being lackadaisical know-how? I mean, what are we dealing with? An issue of people just not knowing what they're doing? Lack of you know, initiative or tools, because I think the tools are getting pretty good right now. Right, we've got a lot of stuff that's really good at hunting these kind of issues down. We talked about least privileges, which we would agree with you, obviously, but if we, like I've said, if we take the top off and look down at the actual problem here, do you have any thoughts on what is contributing to this?
Matt Starland:Yeah, part of it is. I think it could be process, you know, maybe sometimes the organizations become so large that you know the departments don't know what the left hand is doing really well, and put them in that consulting or leadership position to be able to educate or help develop processes for the lower aspect, because, just granted, it might come in a request to have this API come in at a top level where you have your architects reviewing it and seeing it, and maybe then an engineer at a lower level might be doing the implementation. Might one not have the same, you know, set of skill sets that the architect had in implementing and might have either missed a permission or maybe the architect didn't properly document something in making sure that the engineer clearly knew what to do as well? So, you know, going back, like I said, it's a process thing. So I mean it's you know and also making sure that your risk management and, you know, procurement is, you know, properly vetting these things.
Matt Starland:So I think it comes down to really it's just process, I believe you know.
Matt Starland:So we can get huge, you know, we can have all sorts of fun tools and everything, but there's some basics that we can always, we can easily miss from just having a foundational approach, um, you know, making sure we hire qualified individuals, but and also building in the appropriate process procedures to make sure that information from the top is, you know, processed down to those lower levels that might be implementing it.
Matt Starland:So because I'll admit, you know, early on in my career you know if I was at the admin level and implementing something, you know I was just kind of a, you know, here's the set of instructions, all right, go ahead and implement, and so if you have that, you know a certain level of architect or technical skill set, viewing that information immediately and then making sure they articulate and, you know, give appropriate information, maybe to the engineer at that lower level that's implementing it. So I don't know, I think that's a key thing there is having just appropriate processes and procedures in place.
Kyle Rosendahl:Totally, and that makes sense. And for anyone who hasn't read the article right, I mean we're just kind of spitballing on possible ways that this could have happened and gotten away with. They didn't actually release yet as of today how the API was exploited, but essentially the attackers exploited an API which is just a kind of web connection, typically into internal data through usually like a web request. Sometimes it's a little bit different, so they're not 100% sure how, but it sounds like about 37 million people were affected and things that were gathered by the attackers were people's phone numbers, number of phone numbers that were on their account account, emails, you know, possibly the person's name, their date of birth, billing address, all of those types of personal identifiable information. That's the stuff that these threat actors were able to get a hold of, which is no small amount of data. That's still a major kind of privacy breach as far as individuals go. But a few of the things that I was thinking of while you were talking is you know, with some of the blue team work that I've done in the past, could this be a, I guess a misunderstanding? Are the big two typically, but with implementing those two or three different cloud services at a person's company, or for a large company or small company, the way that networking is done, the way that connections are made into the cloud, the way that cloud resources communicate with one another, is significantly different than how your physical networking infrastructure communicates. 
Right, when you're connecting routers and switches, I mean, you can see the wires, you can connect the wires, you know that the data is going to cross that cable, whereas sometimes, when you're working in a cloud environment, you set up an endpoint, you set up another endpoint, you think, oh, if they talk to one another it's just going to go right through my cloud instance, whereas a lot of times it's going to go out through the wide internet and then back into your cloud instance and there's extra configuration and pieces you have to do in your cloud platform to ensure all your data that you want to stay inside stays inside. So I don't know maybe this is a good question for both of you Is it possible that the training and the education and the pieces on how to securely implement these types of platforms just isn't caught up to where the business wants it to be at this point? Are we falling behind there? And then the second question I'll just pose right away and feel free to answer one or both.
Kyle Rosendahl:Typically, when there's a breach like this, what I like to think of is you know there's a major breach, the safest place to be is usually with that breached company. You know, after there's an incident on an airline, airline security shoots up and the safest time to fly is typically right after that happens, right. Security tends to be the same way. Right after there's a major breach, usually there's a lot of money poured into security and you get a lot better tooling and detection and a safer environment. So interesting that T-Mobile has had so many issues in the last so many years. You know eight major breaches in five years and it continues to happen. So curious what your thoughts are, both on kind of the cloud training side and then also the sinking ship and having issues so I got a couple of thoughts on that.
Matt Starland:So one you know it's funny that you bring up the whole you're, oh, I can talk from this cloud endpoint to the other cloud endpoint and I'm good to go, and it's all said and done. You know, there's, I'm good to go, but there's other things that are going on behind the scenes there. Why, kind of when you start building out your, your infrastructure, and in a cloud you know, cloud environment like that, it it is gets a little tricky because, like you said you, you lose sight of that. I know this physical cable talks here, this connects here and this connects over there, and so I know the paths come through these channels or this physical media, but in the cloud it is like we kind of make this joke that is, oh, it's maybe part of Microsoft's magic sauce or whatever going on behind the scenes. How does my VM that I built, talking to this Azure SQL as a service kind of ordeal or blob, and it's not necessarily using my VNets and everything that I spun up? How is this communicating? And there's some confusion. At least I'm not as deep as, uh, some of that networking technology, some of my counterparts that I've worked with with um and everything, but I always like to see that, um, you know, when it comes down to building some of that infrastructure, testing and validating what can I get to it from and what can't I and there's a lot of when these technologies, when you spin up all these different cloud technologies that they give you, it's kind of like plug and play ordeal. It reminds me of Windows prior to server 2008, or Microsoft, yeah, like 2003 and 2000,. When you install those operating systems, they came fully wide open, everything's installed, all the services are running, and then finally, in 2008, when you installed that server, it was stripped down Like you had to install IIS. After that you had to install, you know, do all these extra things, so those services that are available. It was kind of following that least privilege model.
Matt Starland:And now with the cloud, because of how complicated it is and how quickly these cloud providers are trying to compete with each other and just boom, spinning new technologies left and right. It's hard for people, a lot of technologists to keep up in how these things are configured, so it seems to be that they are just leaving them wide open out of the gate by default, so that way you can get your stuff, you know up and running as quickly as possible and then all of a sudden you realize later on like wow, this blob storage was wide open to the internet and I was using this to store, you know, some protected data or whatever it might be. You know, this way, some of the places I've seen before and they didn't know about it and so there's a lot of now different tech. Some or it may have been out, like, for example, Palo Alto's, that rings a bell is a their Prisma Cloud. I think I get Prisma Cloud in which that is, you know, designs, not to give them a particular plug here, or anything like that. That's just one example of many. But they scan for those kind of known insecurities that these cloud providers are creating out of the box so you can quickly set things up. That's something to bear in mind with these cloud technologies and making sure that when you're building, things go through a validation process. Again, going back to that process procedure, you know, make sure, can I get to it internally? Can I get to it externally? Do I have a test environment, you know, in the cloud as well, and if that's not networked, can I get to that other environment's, you know, cloud resource?
So you know, going through your validation procedures or using a particular tool that's designed to scan for those things, make sure they're locked down and then move on, but also having reoccurring scans, so that way over privileges, you know something doesn't become over privilege during over the time. So, going back to how they've shown what, how many breaches in the last four years? Eight, eight, I think, yeah. To me, my thoughts are is that it comes down to maybe a company structure or something.
Matt Starland:I mean you've got to have management behind you, so you've got to have your upper management recognize that this is something. We've got an issue here and now. What do we need to do to fix it? You know going through that incident response. Um, you know best practices of, okay, what are lessons learned? And now let's throw some money at this or time and it and get these things fixed.
Matt Starland:You know, and where was the weak? Where was that? You know weak chain, the link it. You know in the chain, where is that weak part of it? And trying to resolve that? Was it a personnel issue? Was it a technology issue? Is it gonna be perfect after you know this? Maybe not, you know. But maybe it took them some time and maybe they're taking time because there is. It's a money issue. I wouldn't think so, but again, I think you got to throw resources at it. It really comes down to upper management and get everybody in line and organized. I don't know. I think that's kind of my thoughts behind it and some of all the different organizations I previously worked at.
Nick Mellem:Yeah, I think. Well, I'll jump in here too and I'll probably take it a step further, and I don't mean to be super cutthroat here. When I'm reading through the article, the first thing that comes to my mind is personnel. It's know-how, right, I think, one of TMO's potential biggest issues and potentially a lot of other organizations around the country or the world. We've seen a changing of the guard right. The pioneers of security are starting to retire, they're starting to leave the space, so the baton is being passed, and it's not that the younger crowd doesn't know what they're doing.
Nick Mellem:We've lost that leadership where we're picking up the baton. I'm saying we, because it's probably in front of us. We haven't got to that point, but it is that fundamental know-how. We've lost the head that's been driving this, and now T-Mobile is left holding the bag. As far as these tools, the know-how, the process and procedures it's really everything. But from a holistic view, it is a personnel issue. As far as I'm concerned, without trying to get too technical and that's kind of where the compliance stuff comes in as well we can have all these great tools, but if we don't have the people to maintain it on a daily basis, we've lost our direction is how I think of it. I think, it's complexity.
Matt Starland:It's kind of, I guess, the best example I give.
Matt Starland:I remember getting, when I was getting involved in the 90s, at least in the computer industry, and at least the area I grew up in, was very blue-collared, not very technical in that IT industry.
Matt Starland:By any means I mean not saying that there wasn't people, but it just wasn't. That wasn't always one of the primary you know economical drivers in the area that I grew up in. And you know, when somebody I remember hearing you know like, oh, you know computers, and they just expected you knew web developing, you know app dev, networking, every, all the all the above and and maybe that was, you know, maybe because of some of the smaller organizations that I'd seen, you know, maybe some of the larger ones at the time, companies wasn't the case, but at least that's what I had seen. And so when you're looked at that as, oh, you know IT, you know there's so many different areas to specialize in. You know it's kind of like the medical industry.
Matt Starland:It's like, oh yeah, you're a nurse. People start to assume that brain surgery and all these in chiropractic care or all the different specialties that exist, and it's like, no, I'm not going to let the primary care physician do brain surgery on me. You know it's there's. There's a reason why that's in this IT industry. It's it's grown to all these different niches because of how complex it's getting in and everything. And so I believe that part of this is it goes again hiring the right people to do the you know the right type of job, and and part of that is because it's just how complex the IT industry is getting. So, um, you know, finding qualified people to do this particular cyber security job or this particular help desk job, and then it also comes down to you know training also, um, your so just not just IT, it's a personnel thing.
Matt Starland:So I don't know that's kind of how it seems to be getting with all these cloud technologies too. And just technology is growing so fast it's hard to keep up. I mean, you got your full-time job, but then it's also maybe a part-time job outside of your full-time job, just reading and educating yourself and always keeping up to speed on everything. And yeah, I think it's just. Complexity is what's the killer behind this? And you know, companies want to make money and they want to grow as fast as they can, and security is looked at as a An afterthought.
Matt Starland:Yeah well, but if we do this it's going to take us six more months to implement. So sometimes some of that leadership makes the decision to accept the risk, and sometimes is accepting that risk more costly.
Nick Mellem:Yeah, I think one great point that I picked up on, Matt, that you were just saying is with companies want to make money, they're so concerned with hiring that one jack-of-all-trade security guy to come in that can do everything. In reality, what they need to be looking for is three or four guys some guy that's good at compliance, some guy that's your threat hunter, somebody that's your processes and procedures, your know-how, or your red team or blue team. So you have all these different things and, instead of thinking of it, they want the one guy that's okay at everything, instead of getting studs in every area, that can really shore up these potential issues that we're seeing now.
Kyle Rosendahl:Yeah, agreed, and you mentioned money and you both just mentioned money and the company and they're interested in making money, right? So here's my biggest kind of pet peeve with all of this is, if you've listened to our other episodes where we're talking about data privacy in the modern world and social media companies, where you're providing them your data and it's pretty obvious that they're using that for benefit. But with a company like this and with other companies like this, when you're giving them your information, you're giving them your address, you're giving them your credit card information, your billing address, your name, social security, you name it. They ask for it.
Kyle Rosendahl:When this many breaches of personal private information have happened in the last five years to a company that's so large, it doesn't seem like they're losing when these things happen, if that makes sense, so they're supposed to be there to protect individual data that they collect and hold on to for business purposes. When that data gets lost, where's the repercussions back against the company? I mean, there's always the argument that free economics right, you could drop T-Mobile. But can you afford to drop T-Mobile and go somewhere that's maybe more expensive or go somewhere cheaper, right? And that's the thing is are they too big and do there need to be policies and things in place that hold them to account when this type of thing happens? Right, and there's always a civil lawsuit and something that goes on in a case like this, and if you buy into it and you fill out the paperwork and you make your claim, you'll get a $50 check in the mail. It's $50, two and a half years after the fact.
Kyle Rosendahl:Good repercussions for you, who just had your email address. Somebody take that and, whether it was sold online or not, somebody knows. Somebody knows that, then, about you and are you comfortable with that and where's kind of the repercussion come into play? Does there need to be some sort of a policy that, when it happens this many times in this short of a period and they're obviously, well, maybe they're taking it seriously, but it keeps happening, right? So again, we keep saying they need manpower, they need know-how, they need this. There's ways to shore it up. Is it just disregard for the care of their users' data? Does there need to be something? I don't want to say government, but there needs to be some sort of framework out there that protects individuals, as more and more of our data keeps ending up at these companies and then ends up on the dark web because these companies keep losing it, right?
Matt Starland:Yeah, I think you know this is part of it. Like I started to get into my libertarian views here and making sure you know, you know, like going back to what you said, where having government step in, you know it's like, well, here come in, discipline the child. But then I'm also thinking to myself well, I also want to be careful of that slippery slope, of we've probably been down a slippery slope for a while now in many and we'll call it, quote unquote free market in our country for a while, but that's a different topic for a different day that we could go down that rabbit hole.
Matt Starland:But I think I would go back to is, um, this is where the media and or you know the news or you know personal responsibility comes into place too. And when I say media news, making sure that this isn't just on bleepingcomputer.com, like where's the CNN, where's the Fox, the Daily Wires, all these different news outlets. I know they're focused so heavily on the politics, but let's also take a look at the cybersecurity aspect, because I think the more and more you would get people aware of this, versus them just getting a random piece of paper in the mail that says hey, your information was breached, we're doing everything we can for it. Here's your 50 bucks and we'll give you two years of free counseling. You can see a therapist, you can go to this. There's a pastor down the road. Here too you can talk to and maybe everything will be OK.
Nick Mellem:I free Netflix for six months.
Matt Starland:Yeah, we'll give you our new T-Mobile package. We're including Disney+, by the way, so maybe it'll make you feel better. I really think it comes down to again personal responsibility, but also as a culture type thing, meaning we need to get more. Maybe we, as a cybersecurity industry, got to get more involved in educating the general public on what's going on and then, as people see this, you know, where do I put my money? Well, heck, I don't want to.
Matt Starland:I'm not going to, you know, give T-Mobile my money now. Verizon hasn't shown anything at least, or AT&T, so I'm going to take my money and move it elsewhere, because, again, money talks. So if they start losing customers, whoa okay, now we're going to start, you know, maybe really figuring out what's going on. Why isn't Verizon and AT&T and other organizations seeing this? Well, maybe they are, and they just don't know it yet either. You know it goes back to maybe the tool sets they're using. They aren't identifying these breaches in the same nature that maybe T-Mobile is, but let's say they are, are seeing, you know, they're able to stop this or have their you know poop in a group, as we'll say, and they are preventing this. So I think that's another, that's another wake up call. So I think it comes down to educating the public and then letting them, you know, take their money and invest it in companies that will maybe take care of them better with their information, but then also not what that company is going to do for them, going back to, like JFK, what can you do for your country, but it's more or less, what can you do for yourself? You know what are those things that you can do as an individual to protect your identity. You know what are those types of technologies and process procedures that you can do to limit your exposure. You know making sure you don't use password 123456 on all of your 150 different accounts that you have across Disney+, Netflix, Hulu, T-Mobile, you know, DirecTV, etc. And then when that happens, one of those are breached. Well, now they also got access to other, maybe additional information.
Matt Starland:So you know, I think it comes. It's a kind of education and also taking personal responsibility. I hate to say that personal responsibility because it wasn't necessarily the customer's fault, but that's right. It goes back to what can we educate the customer about what they can do to limit their exposure, but then also give them the power to hear your other organizations that you can invest your money in and reduce your risk. It goes back to my previous statement risk reduction, as with it is driving a car. Why do I wear a seatbelt? I know I could possibly die in my car driving down the road, but I know that wearing a seatbelt is going to reduce that risk greatly. That same mindset and put it into technology for my personal needs too. I'm downloading applications and purchasing services from providers like T-Mobile. They're speechless folks. They're nodding left and right here. If you could see them. They're nodding, they're getting wild.
Nick Mellem:One thing that comes to my mind, too, is just that, now that we're moving into a new age, companies need to be living in a world of it's a matter of time before you get somebody knocking on your door versus oh, it's never going to happen to me. And we've talked about this in previous episodes about what you can do and, Matt, that's a great point. Like you really need to start looking out for yourself. And it's interesting that you brought that up, because just this morning, I went to renew my driver's license and one of the questions on the sheet they wanted your full social security number written out, right, so? And I didn't do it, right, I just left it blank until I got there, and she's keying in the information, right, I give her what she needs instead of writing it down.
Nick Mellem:But I'm drawing the two back together because we're being so out of sight, out of mind. We're getting in our own way, and that's exactly what's happening here, Matt, everything you're explaining. We keep tripping ourselves. We're not using these tools in the way they should be. We're not training our staff in the way that we should be educating, continuing education to pass that baton. But just one thing that came to my mind when you were going speaking. There is what I was thinking about.
Kyle Rosendahl:So, in other words, we're all going to go buy a big piece of land in Alaska. Yep, take all of our data with us and just live off-grid.
Nick Mellem:Folks, just lock your credit, just freeze your credit.
Matt Starland:Your new social media in Alaska will be your furry friends, and it's called nature. Your instant messaging is a homing pigeon and smoke signals.
Nick Mellem:Yeah and during the next data breach, you can just tell everybody I don't care, I don't need it anymore.
Matt Starland:But unfortunately, it is funny I don't want to digress too much, but it is funny to see some of the articles and reports things I've been reading too like how that lifestyle is actually growing quite fast. But for those who want to have the niceties of the industrial slash, technological age, it's hard to get away from having your data everywhere, and so you need to protect yourself. What are those things you can do? Um?
Kyle Rosendahl:So we just, again, we need to be better, I think, in the cyber security, um, industry to educate the general public and just the layman on that. Yeah, and I know I've had this experience when talking with friends who aren't into security, right, I used to coach swimming and I'd sit down with a group of coaches after a swim meet and we'd all be hanging out and they'd be like, oh, you do cybersecurity. And it's like, yeah, I do. And they're like, well, what can you tell me? You know what's interesting? And it's like, well, you know, everybody uses social media, everybody does this.
Kyle Rosendahl:You know that if you're on social media, they're tracking this, they're watching this, they're doing this, right, you think it's all private, it's called a private message, but they can read those. You know anyone can grab your cell phone data, they can watch your call records, they know who you're talking to and they just kind of sit there and listen to it. And they're like, yeah, I didn't want to hear that, like I just don't want to know. Don't tell me that, just let me be the ugly truth.
Kyle Rosendahl:So it's a hard thing where we kind of have to be the bearers of bad news with some of this stuff, where it's like, look, it's going to happen, your personal data is going to get out there, you know, freeze your credit, so if it does, they can't steal your money at least. Right, you know, take those preventative measures, you know. Maybe choose not to use TikTok, maybe choose not to use Twitter or Facebook, right, you know? If you want to go into a whole nother topic, Twitter had a massive breach this last week as well. So you know, these platforms are getting breached and there's so much of your information that you just provide for free. So I mean really just that personal responsibility.
Matt Starland:Did you guys ever read the book Data and Goliath?
Kyle Rosendahl:I did yeah.
Matt Starland:I don't remember who that was written by. I thought I could look it up here, but that was a for those who are listening. Going back to that, you know what Kyle just said. I didn't want to hear that. You know what his friends told him on being on swimming. It's kind of one of those types of books but I think that that, right, there is one of those pieces of education. Even being in the cybersecurity industry until I, you know, I always realize you know information. You know you go through the 900 page EULA that you sign for that free app so you can make your life easier. You know it wasn't until I read that book and a few others that I'm like wow, I didn't. I guess I never really realized how much of my data I'm just giving out for free because of in tracking, because I want this piece of software that makes my life so much easier. So not just you know I, you know not keeping beating down T-Mobile here with.
Matt Starland:You know A, they were the customers, but we're doing it to ourselves too, with all the free apps that we're downloading, you know, and giving them information, and one of the best examples I don't know if it was in that book or not, might've been a different book that I read but you know, with all like the tracking you're going to, Kyle, of the information you're giving them and allowing, and location services and, um, whatever, it's pretty much no different than the pre, we'll call it, I don't know, this social media age or free app age, I don't know what, if there's a term for it, but where it would be like having you, you signed a piece of paper and you gave it to this random individual. That, uh, we'll just say they are with a Target. I don't mean to be picking on Target.
Matt Starland:It's just the first thing that came to mind. Um, and they send a van to sit outside your house and to follow you as you go to Best Buy of 1995, you know, because you don't go to bestbuy.com here now and buy stuff. So they'd follow you, they'd watch what you bought, you know, whether using, you know, your cash back then or whatever. I know there's charge cards too, but you're right now to check. Most people now these days use credit cards. So this is kind of what I'm getting at here. You're purchasing, um, tracking, and then they go to the grocery store, they watch what you selected off the shelves and they go back to your home to watch you get back in your house, what time stamps you're doing as you left, go to work. You come back to work. They know your schedule, they know what you're eating and so and we do this not just you know for a company like Target or whatever, but these apps that do the tracking services and stuff, and then that data is used to then advertise to you. So the point I'm getting at is that going back to just this T-Mobile thing, just how much data we're actually willingly giving people and kind of you know you put your fingers in your ears and go la, la, la, la la, like your friends.
Matt Starland:I didn't want to hear that because of the convenience it's giving in your life and so, moral of the story, either go live in Alaska, off grid, and you know your new social media is your friendly furry friends out in nature. Well, I guess, except for the grizzly bears, maybe they're the malicious actors, but you know it's making sure that. You know, just again, what can you do to protect yourself and limit that exposure? And that is becoming more popular. You know, with like Brave browser and you got your Proton VPNs and Nord VPNs and those different companies, but even then I'm starting to see different organizations block those connections so that way they can make sure to still track your data. So then you go back to that quick hit. Oh crap, I gotta turn my VPN off because I need to get to this source of information and give them my idea. Amazon does that. Yeah, I started, uh, noticing that with, uh, my particular VPN provider.
Matt Starland:I used. I'm like, what, this website's blocking me now because I'm connecting through and so then, fortunately, if I go through a different channel of one of their other VPN servers, then it'll work. So it's like man this is making it harder for me even to get to this data. So I don't know. It's this brave new world we live in.
Matt Starland:I know we kind of got off from our main topic. Oh, it's great. Of how the AI was used to get breached, but I think the moral of the story is that we're seeing so many data breaches going on that there's just it's a slew of problems and we as a society globally are just trying to go so fast and make life so easy that, going back to what you said, Nick, security becomes an afterthought. And is that really maybe costing organizations more money than what they realize in the data breaches?
Kyle Rosendahl:Totally. Yeah, and that book was Data and Goliath. That's Bruce Schneier. If you listen to our Data Privacy in a Modern Era, like the whole first half of that presentation basically sourced off this book. So a lot of those stories that we tell, a lot of the types of data, what they're doing with it, the analytics that they're putting into your big data, a lot of it comes from this book, so super worth a read. If you haven't read it, we can put a link to that in the show notes as well.
Matt Starland:You know, the only thing it'd be you know it's going back to the PayPal thing, but I think it's the same conversation yeah, you know, in a way it's.
Matt Starland:You know, the only thing I could have thought of is maybe talk about if there was more technology stuff.
Matt Starland:I know we started getting more on the, yeah, the policy and morality, I don't know how you want to call it, not morality but, um, I guess, policy and behavior side of the world. Um, you know, we only, I've maybe only touched for five, 10 minutes on the whole technology side of just, you know, least privilege and stuff, but a lot of that stuff comes down to that. Um, I think that and that is just key in these breaches and you know, I think if the article that we would have talked on was like, uh, vulnerability or exploit and things like that, maybe we could have gotten geekier on it. But a lot of these breaches are most of the time, I'm not, I can't say most of the time because I don't, I wasn't at the organization, but from organizations I've seen and just kind of try to dig into. A lot of it comes down to policy procedure and least privileged access.
Kyle Rosendahl:And I think it is a least privileged thing. But it's also a, you know, it says in the article they had access from November 25th and discovered it on January 5th.
Kyle Rosendahl:It's crazy. I mean, they had almost a whole month and a half in the system to pull data via the API where there was an ongoing breach that wasn't known about. That's a very, very long window, right? So, while, yeah, there's probably an issue with how those tokens were generated for the API access and something either got leaked or brute forced or stolen somehow for them to get that access, or maybe there's a vulnerability that nobody knows about in this specific API platform. Um, you know, we don't know how that happened. But there's also a problem of detection here, right? Because if you see 37 million records being accessed from somewhere you don't recognize, you know, usually that sets off alarm bells, especially in the defender's mind of you know. If you're doing your job and you have the detection capabilities and you're logging what you need to to find these things, typically you'll at least get an IP address of where these things are coming from, where they're going to, regions, you name it, and maybe these attackers were very good and had a lot of extra information and were able to blend in to the environment. But when it's so many records like this over this period of time, you know you have to think there was a chance to detect it and, again, we don't know the specifics. So I'm just, you know, throwing out ideas as someone who's worked on the blue team for a few years now as well.
Kyle Rosendahl:Well, thank you, Matt, for joining us here today. It's been a fantastic conversation. I feel like we hit on a million and one things and didn't go nearly deep enough into any of them to do them their full justice, but very much appreciate having you on here. I appreciate it. Yeah, thank you. If you want to hear more of the audit, feel free to find us. Wherever you can find a podcast. We're on Spotify, Apple, even, I think, on Amazon now. And if you want to learn more about IT Audit Labs, what we do, find our links to our socials, go ahead and head out to itauditlabs.com. Thanks all.
Nick Mellem:Thanks, guys.
Kyle Rosendahl:Thanks, all. Thanks, guys. Thanks. Bye.
Eric Brown:A well-designed framework will reduce organizational risk and improve overall security posture. Contact IT Audit Labs and have us lead your team in outlining a strategic approach to remediate organizational risk.