The Audit - Presented by IT Audit Labs
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
The Audit - Presented by IT Audit Labs
Meet the Team: Learn Their Approach to Ransomware, Breach Response, and AI
This episode offers more than just insights; it's a chance to meet the minds who have been combatting cyber threats for decades. We explore topics like ransomware, effective data breach responses, and the integration of AI in cybersecurity. Discover strategies and insights from industry leaders and learn how to fortify your digital defenses in an ever-evolving cyber landscape.
Topics Covered:
- How to navigate a ransomware attack
- Data breach response methods
- Cyber insurance challenges
- AI, cybersecurity, and the legal considerations
- Social engineering audits
Gain valuable insights into current trends and practical approaches to enhance your organization's security posture. Be sure to subscribe today!
My name is Josh. I'm the producer of the IT Audit Labs podcast called the Audit. Today we're going to get to know some of the ITAL members. We have Scott Rizdal, eric Brown, bill Harris and Nick Mellum. I'd like you guys to go around, kind of do a popcorn style, introduce yourselves and maybe give us a little background on what you do at IT Audit Labs. All right, I'll start.
Speaker 2:Hey, thanks, josh. I'm Scott Rizdal. I am a security practice lead, generally kind of a blue teamer, here at IT Audit Labs, and I spend most of my time working directly with clients, managing some security staff and also working hands on on some security projects for one of our main clients. In my free time I like to work on free software and keep up on infosec news, follow other security podcasts, twitter, x, reddit, et cetera you name it Just love soaking up that info sec news. So that's me in a nutshell.
Speaker 3:All right, this is Bill Harris, and I am focused on really the administrative aspects of cybersecurity. So I really spent a lot of time drilling down into cybersecurity policy, vulnerability management, technology, futures and security assessments in both the private and the public sectors.
Speaker 4:And Nick Mellum here, also a security engineer. My I'd say my main functions or focuses at IT labs are policies and procedures, compliance from NIST, cgs, cmmc, pci, vendor reviews. I would say my most favorite though it's got to be social engineering. So whenever that comes up, always to always down to get into some social engineering aspects, but then also risk register reviews and creation, things of that nature.
Speaker 5:And Eric Brown and I founded IT audit labs in 2018, and have been working with a couple major clients in a fractional CIO and fractional CISO role, as well as keeping IT audit labs running and keeping the great team that we've got here motivated and working on some cool things. But probably my most important duty is keeping the coffee filled here at IT audit labs. So tough job, but somebody's got to do it.
Speaker 1:I noticed you have a lot of beer in the cooler there and we probably I'll help you with that problem on Wednesday.
Speaker 5:Awesome, yeah, gonna move some inventory. We've got a craft soda place here in Minneapolis where they have all kinds of different flavored sodas, so I picked up some of that too, for the cooler should be should be pretty cool. And I guess in my free time I do a little bit of aviation. That's probably my current passion is flying, and I was able to fly a small plane to Deadwood this year for Wild West, hack and Pest and that was a fun trip and I certainly will take anybody up who wants to go. I think I've offered to Bill like, hey, let's go up, bill. Bill and I go back a number of years and before, before I flew fixed wing, I learned to fly helicopter and I actually became a helicopter flight instructor. But I don't think Bill, bill, we've never gone up, have we? There's always been some excuse about why we weren't going to go.
Speaker 4:I don't blame you, Bill.
Speaker 3:Been up in the helicopter with you. I'm going to decline any trip in a single engine plane to any place to start you with the word dead.
Speaker 4:That's a great point. My hands are sweating right now thinking about getting up in a plane that small I did. Before I I was in the military and before we deployed to Afghanistan we had to do training for helicopters and planes. So they put you in a rotisserie dunker. You know, have you seen on the videos when they throw you into the water? For, like, how, if you do a crash landing into water of any nature and then we also did it for trucks so they roll you around and they stop, and then you have to, like, undo your seatbelt, fall to the ceiling and then crawl out whatever a turret hole or whatever, but just getting you ready for conflict. And so, eric, talking about this stuff, I'm thinking flashbacks of doing this training or, if anything.
Speaker 1:Now we know why it audit labs is strategically positioned near the airport.
Speaker 4:We can bug out anytime we want.
Speaker 1:Speaking about preparing for conflict. No, I just wanted to transition to the Cisco article. Scott, would you be able to pull that up and share it with us? I don't have the fancy ad blocker that you do and I'm embarrassed to yeah, some like my little pony.
Speaker 4:Yeah, Ronny's.
Speaker 5:That I was gonna answer that.
Speaker 2:It's getting weird over here. Feel free anybody to jump in, and I guess breach is the wrong word. Cisco vulnerability that has led to a number of security incidents or breaches around the globe. If you work in Infosec long enough, the first few times, the first few years, you kind of start getting on the vulnerability disclosure train. Like it's pretty exciting stuff, like oh, I can't believe these. You know, million or billion dollar IT tools or operating systems have all these problems. Like why don't they fix them more? By the time you get five, six, eight, 10 years into your career, you're just like, you know, just another vulnerability. Yeah, no surprise at all. But sometimes there are those ones that stand out a lot and this is one of those.
Speaker 2:I think the exchange vulnerabilities from a couple of years ago, I think maybe just last year. Time Flies was another one, but it's. It's the situations where you know a well-respected, well-regarded, widely deployed product or or technology has a very fundamental flaw and then very quickly gets weaponized by Whoever you know, a nation-state, people with political or economic goals. You know, almost overnight it just sort of goes around the world and all of a sudden everyone's scrambling to catch up and this is one of those. So at a really high level it affects a lot of Cisco devices that run a version of their Firmware or their operating system that's just called iOS Xe. Next, he is just kind of a newer iteration of iOS, which has been Cisco's kind of core device operating system for a long time.
Speaker 2:What what's also cool about this one is it's it's really easy to explain and for kind of non-technical people to understand, because really All it takes is for the, the web page that is used by administrators to configure a Cisco device to be open and exposed to the internet or to a network that is otherwise accessible by bad people. It doesn't require any special access, it doesn't require any credentials. So they say it's, you know, remote, unauthenticated. Really anybody who knows about it and has just enough technical aptitude to know where to look or has read online Postings about how to weaponize it, can go in and completely take over a device, and so it lets them create a new level 15 account, which is kind of Cisco speak for a super admin account on the device and and the device is theirs.
Speaker 2:And I actually One of the clients that I work for had this happen and it took a little back and forth with some people who manage our network to To recognize that, yes, indeed, this was our device and yes, indeed, it had been compromised. But yeah, I got to. Just last week I got to deal with this firsthand and it's, it's an interesting feeling knowing that somebody else owns one of your Very core. So in our case it was a core router, so one of our two border routers, which is about as important a system as you can have.
Speaker 1:What Cisco products are out there? Like what devices would this with this effect?
Speaker 5:Isn't it? Any device that has a web management, a Cisco device that can be managed over their their web interface, so routers switches.
Speaker 3:Is that's my understanding? Yeah, anything that's exposed to the, to the public internet over HTTP or HTTPS, right for that management GUI? No, appears to be what's impacted here. So the work around so I understand it is that you would disable that there's not currently a Patch for this system that Cisco has released, unless I'm mistaken, in which case, let me know, but I thought the only way around this is to shut down that public access to that GUI.
Speaker 2:That's all, totally tracking with my understanding of the situation and who knows when this episode will air. So hopefully by then Cisco will have released a new patch to correct it. You can see on the screen here whenever this was posted, I think a few days ago, there were tens of thousands of compromised devices that security researchers were already finding out there and of course when the attackers take completely take over the device they can lock out the good guys. So, as in our case, you know we had to. We had to send a network guy out there with a thumb drive, essentially to the data centers physically, to re-image these things to a known good state. So totally reinstalled the operating system, totally reapplied the configuration and then just sort of yeah, and then of course turn off the web UI because it's still not patchable and Scott when that happened, right so they they they got access to your border router.
Speaker 5:Then Presumably they were able to to get information about the network. Do you know what other information they might have or might have been able to get from that device?
Speaker 2:Yeah, so the first thing that we just assumed was that any passwords, the login passwords or the you know kind of the enable so make me a super user after I log in password that those had been compromised, not only because they're stored using somewhat weak encryption on these, some of these devices, but also because our admins, trying to figure out if the devices were affected, tried to log in after the device was likely compromised so.
Speaker 2:So yeah, as far as other sensitive information, I guess sort of luckily these border routers by their nature are sort of outside the rest of the Network. You know they. They sit between one's internet service provider, upstream service provider and you know your own like security perimeter. So really they don't have a lot of privileged access or privileged information about the network. The most that they would have is, you know, fairly high level kind of super routes between the on-prem network space and and the internet or the upstream network. So that in itself isn't necessarily too damaging, but it's, um, it's still kind of that feeling like you know Somebody came into your house while you were gone and looked through your drawers. You know.
Speaker 4:Scott, how did you maybe you mentioned it and I missed it how did you become aware that you guys were compromised by this?
Speaker 2:Yeah, yeah, it's a good question. So Cisco released a security advisory a few days after the disclosure and Along with saying, hey, just turn off the web service. This is the problem. There's no patch. They also gave you a little kind of customized curl command, so a Linux command line web request tool that can go out and and Look for a specific Fingerprint, basically, of the implant that threat actors were using after they had compromised a device. So they compromised the device with the vulnerability, then they load into memory this little sort of backdoor and so you could use this curl command that Cisco provides to just test and see if it had been compromised and then, based on the output it spits out.
Speaker 3:You just know should most organizations even have their Cisco devices presenting a Management GUI to the internet, or should that be more on the private network?
Speaker 2:This is why, bill, this is why you make the big bucks Obvious question maybe, but maybe there's a good reason?
Speaker 2:I don't know, there there isn't, and it.
Speaker 2:You know, the usual answer is that, well, when we set it up, dot dot dot, insert, you know historical excuse here, kind of. So it's just a matter of things being set up to work and once they work you don't take away unnecessary access or turn off unnecessary, unneeded features. You know, and that seems like that's what happened here. One other interesting wrinkle to this whole thing is that, as security researchers were scanning to sort of track To see how many were still exposed day to day after this thing got announced, they noticed I think it's on the screen here they noticed a huge drop in, so from like 50 or 60,000 down to like under 10,000 Devices that were that had had the implant. And so it turned out. I think somebody discovered I don't know if it's in this article, but that the bad guys, they believe, basically went in and patched their Implant, their back door, to make it not appear that it had been compromised. So the bad guys are even coming into and quality control after the fact on their, on their compromised infrastructure.
Speaker 4:Did they say what group it was? Yeah, I don't recall the name, but they did provide, I think, two years of Social security, you know, protection for for anybody's data that was leaked.
Speaker 2:I wonder how social security numbers would have been exposed as a result of this. It's, it's very much a nuts and bolts. You know core networking vulnerability, not like a CRM product or or you know anything that would directly hold that information.
Speaker 5:Bill on these right. We'll get pulled into these things from time to time in the Administrative aftermath of something like this right, where organization recognizes that A breach occurred and then it's like, okay, now, what right? What are the downstream Ramifications? How bad is it? How is our user base or our customers impacted? So, as you look at this particular Breach and the aftermath of, say, a border router being impacted, quickly found and then cleaned up, what are some of the things that you would be looking at from a organizational standpoint of where they're looking to Do, do breach notification or potentially Bring in their insurance and their breach coach? What are some of the things that you'd be thinking about In advising some of those customers?
Speaker 3:so for this one I mean for a zero to exploit like this, it really is all about Response, right, you're not going to necessarily get ahead of it in terms of prevention, so it's about getting the quick response from the vendor to understand they found the zero to eight exploits and make sure that you are on that response list. And then the other thing that you could potentially do is in the aftermath of this is just make sure that your IDS and your IPS are really up to snuff right. Some of these, some of these events can be detected as they're in progress because they detect unusual activity. Especially in the days of artificial intelligence, some of the some of the intrusion detection systems are really pretty smart, so they'll detect that unusual activity and they'll flag it for human intervention.
Speaker 5:It's interesting too, where the position of some of these devices could sit that are getting hit right. So if they're sitting outside of maybe that IDS, ips, that firewall, that am I performing those services, and unless you are getting some of those feeds back into your SIEM, you might not really be aware of what's happening on on that device. So it is particularly interesting that the malicious actor went ahead and patched it just in case. A couple days later people are reading the article and saying, oh, we should look and see if we're vulnerable. No, we're not, we're good. And then they don't even check, they open the door back up.
Speaker 3:Yeah, and this is something you're going to see now in every, every pen test that comes out. Right From this point forward, all the pen testers are going to be looking for this exploit. Now they're going to add this to their list because it's accessible to the internet. If they've got that, if they've got that port open.
Speaker 5:And I think, for the Josh you had asked about. You know what can you do to prevent this? One of the things that that's top of mind and this is probably a few is, as you're doing, your monthly scans. Maybe you have a service, maybe you're you're working with a government agency or you're at a government agency and they have access to ceases free scans. If not, maybe you've got some form of a service that's looking at all of your exposed IP addresses and then running, essentially, a vulnerability assessment against those exposed IP addresses, and this would have come up as a vulnerability once the vulnerability was was known, but it would also come up as it, as an exposed IP address to the internet and give you something to look at as far as well. Do you really want this exposed?
Speaker 2:Maybe it's not a great idea to leave privileged, potentially privileged administrative portals or tools sitting open to the entire internet on important devices and turning them off is great, but let's say you have to keep this on for legitimate administrative business. Most network and security devices allow you to have kind of like a trusted set of IPs that you can do management things from. So even if the web UI has to be open to the internet, essentially you can restrict just a set of known, good organizational IPs who can even open that, and that would have shut this thing down before it even got started.
Speaker 1:So is this a matter of just kind of a blind spot in the security protocols of Cisco, or would this be something that should have been taken care of? Or is this just another one of those inevitable casualties of the ongoing cyber war?
Speaker 3:I think for a lot of organizations, this was preventable in terms of any damage caused. Right, a lot of organizations should not have had this port open to the whole world on their edge routers or whatever devices they have outside their network. It's usually not necessary, however. This is a zero day exploit, so there was little that they could really do to know that the vulnerability was there in the first place.
Speaker 1:Are you guys familiar with Akira? Is this kind of a bad boy on the block, so to speak, or any insights into this breach?
Speaker 4:This. I did read through the article in this one For sure. They were talking about data that was siphoned off and they are also providing protection to anybody that was in the fallout. I believe it shows yeah, right there. It says right underneath the add any personal data, personal information that was stolen in September.
Speaker 4:Oh yeah, so there you go, there are full names, date of birth, social security, healthcare information or health information. So yeah, all the juicy information was stolen. You definitely want to be locking social security numbers, if you don't already do that, on all the major credit bureaus, get on there. If you don't have an account, they're free to make. That would be critical, I think, right now to do that.
Speaker 1:Just for anybody.
Speaker 4:You should be doing that as just general practice too.
Speaker 1:So it looks like they got super transparent right away. Was that to help kind of mitigate the damage, solve the problem.
Speaker 2:I would guess some of it is led by disclosure requirements for certain industries. Oftentimes, now, it's just the law that organizations have to disclose in a reasonable amount of time. When things like this happen, and maybe doubly so if they're hoping that their cyber insurance will pay out, there's usually kind of a prescribed process that works should follow, and responsible disclosure is typically somewhere in there.
Speaker 5:And they're all going to be working under the guidance of a breach coach and a legal team that's going to vet all of the communication that goes out publicly and internally once this happened. This is critical infrastructure and there's going to be quite a few legal teams involved.
Speaker 4:I know it does mention somewhere in the article here too, about deploying all kinds of new EDR AV tools, and you can see here within decommissioning legacy systems. I know what one of the other clients I work with. That's been a big point. A big pinch point is legacy systems, and we just had Server 2012 go out of service, and this is also why it's so important to do those security scanning, penetration testing to find these kinds of systems. If you're not aware, but if they haven't said somewhere this potentially could have been the way in, is that those legacy systems? So that doing those scans every month or weekly is one of the best things you can do to protect yourself, especially for something like this.
Speaker 5:So this would be in their SCADA environment and you would typically see a separation between the SCADA environments and their internal enterprise network and that SCADA environment would be really firewalled off or completely isolated so that you makes it really difficult to hop between those networks which, if you remember the sandworm situation with Iranian centrifuges, where that essentially you took something off of an internal network and then that worm was able to move to that private network because somebody I believe it was the USB drive that they moved between the two but you'd have similar guardrails in this type of SCADA environment. I would think so it'd be interesting to see how this happened or this could be, and I'm not up to speed on this particular breach. It could be that their enterprise network was the one that was breached and not the SCADA environment that is really running the operations of the energy generation and all of this information. Now that I'm kind of thinking about it, it came from their enterprise network and the malicious actor probably did not get to that SCADA environment.
Speaker 1:How does this differ from the last article we talked about? When it's dealing with critical infrastructure, is it kind of like they're looking for anyone that can help in this situation to provide assistance? Are they tagging specific private companies like IT audit labs, or how does that work as far as the recovery process responding to this sort of thing.
Speaker 2:Your response yeah, it's pretty common these days for especially in high-profile things like this where somebody really gets taken out to bring in a third-party instant response company like Mandiant or whatever they're called now, because on the one hand it's not really economical or common to keep that level of instant response talent in-house for a lot of companies. But also, if a company does have the breach insurance, oftentimes they'll mandate that a third-party come in and handle the response.
Speaker 5:Typically what will happen, josh to echo what Scott said was that their insurance company is going to really drive what happens and there'll be a pre-vetted list of companies that the insurance company and the breach coach works with and the entity that is looking for services will leverage that list of service providers that already have a negotiated agreement with them and with the insurance company to provide the forensics work.
Speaker 5:That's going to happen and it's just a well-coordinated system of events that happens, but it's usually under the direction of that breach coach. When you're talking about something at this scale, smaller organization that if they don't have insurance or they're trying to solve the problem on their own, they may go and reach out to an organization that they find or that they've heard about to help them. But it's much more structured. In larger organizations there would have been more than likely playbooks and drills that have happened throughout the year, hopefully, of when something like this happens. Here are the people that we're going to call and going through a variety of scenarios of what happens if we're completely locked out of our systems. How do we get the contact information to know who to call or to bring in from the internal team? So it can be a well-structured operation that organizations would run tabletop exercises on to make sure that it's orchestrated properly, especially something as critical as power utility.
Speaker 2:It's really difficult in 2023 to even get cyber insurance if you don't have MFA on just about everything, If you don't have a good password policy that's enforced, you don't have some reasonably current, if not cutting edge, endpoint detection and response tool. If they really were lacking all these things on some or all of their systems, they were in the dark ages. Not to victim shame, but there's just table stakes for even being connected to the internet with your business, and it seems like maybe they didn't have a lot of that stuff yet. So I'm sure they won't waste a good crisis and they'll make a quantum leap here.
Speaker 4:It looks like the initial attack happened through stolen VPN credentials from a third-party contractor.
Speaker 2:I saw that, with presumably no multi-factor on that, so they were in Probably pretty easy.
Speaker 4:Could have been a social engineering event.
Speaker 5:It's like the target breach all over again.
Speaker 3:What's really interesting, too, about this one is there's a double whammy here. We often hear about ransomware attacks that just encrypt your data and then you pay them when they give you the encryption key. This did that, but it also got the double whammy in that they stole the data at the same time. So now they have their data outside of their network and they've encrypted their data. So what we're seeing from ransomware actors increasingly is this double whammy, where they will encrypt your data so that you can't get to it, and then they will extort you, and if you don't pay the ransom, then if you don't pay a second ransom, then they'll release your data to the public, which would be devastating for the type of information that they stole here.
Speaker 2:So what was stolen? You can see on the bottom of the screen. There. Some companies may still sort of live in that space where they don't think they're really a worthwhile target. What does an energy company have to steal? You can't siphon credit card numbers directly off of them, maybe, or whatever, but even just SSNs things that can be used for identity theft that's valuable data, and what company doesn't have that information about their employees at least, or their customers too? So really there's fewer and fewer companies that can consider themselves not a worthwhile target.
Speaker 1:And just for our audio-only listeners. The data that was stolen was full name, date of birth, social security numbers and health information. Have you, bill, worked with the Breach Coach before or anyone on the podcast today? Have you been in on the ground level of these kind of situations?
Speaker 5:I unfortunately have a couple of times with some customers where we were brought in to help to steer out of a situation that had occurred. Yeah, it's a long process. The breach I was involved with was personally identifiable information was stolen from tens of thousands or could have been stolen from tens of thousands of people. That was in the data set that was taken. So we have to assume that tens of thousands was exposed. Whether or not the malicious actors actually did anything with it, we have no way of knowing. So that's where you go through the process of using forensics organizations to assist in actually determining what was stolen or what was possibly stolen, and then going through notifications, like this organization had done and I think this organization was using Experian to provide credit monitoring for a number of years but essentially going through that work. And then the aftermath, the internal cleanup, the one that I was involved with.
Speaker 5:I think it took the better part of a year and a substantial amount of money, not just in the cleanup efforts but then the ongoing changes internally to policy and the administrative controls that were put in place technical controls that were put in place.
Speaker 5:Even four years later the organization has that memory of what occurred and it takes a while to heal from that, if ever. But as people change roles and leave the organization, new people come in. The event tends to dim and, you see, maybe ways going back to things that were happening before that caused that sloppy behavior that allowed the breach to occur in the first place. So it is really important to not dwell on what happened but make sure that the changes that were put in place for a good reason stay in place, even though sometimes they're uncomfortable to business process. They're there for a good reason and continually reminding the organization and talking about it I think openly internally is really what helps the organizations maintain a good security posture. It's frustrating when you look at companies like T-Mobile that seems to experience a major breach every year, where they don't seem to apply those lessons learned and hundreds of thousands of people are impacted, and to me that's pretty frustrating.
Speaker 1:So it sounds like the good key to any relationship is communicating, even in the cybersecurity world. Well, let's lighten it up a little bit. I thought this next article, Scott, you don't mind pulling it up.
Speaker 5:Is this another one about Nick's cat?
Speaker 1:Unfortunately this one's about AI.
Speaker 1:This is our last new article and then we'll move on to some get to know you stuff and try to wrap up at 60 minutes. I thought this was an interesting tool. I was wondering if you guys have come across it. It's called Nudge and it helps you discover who in your company are using AI tools and getting alerts when new AI tools are introduced. What are your thoughts on this? It's something that businesses should be using. Is this something that you could see yourselves using? I think it was kind of interesting. We've been talking a lot about AI lately and how that's impacting our workflow and our businesses and the security of our information, so I thought this was an interesting tool to bring up to discuss.
Speaker 4:I'm not familiar with it. It seems like a neat tool to be able to kind of go through and show you what you have in the network. The first thing I think of when I am looking through this is with how quickly this is moving. Organizations probably need to stop figure out what their stance is and figure out their standard of how they're going to move forward and how they want to implement AI and what tools they want to use before they're probably going to use a tool like this and then implement something like this and then move forward. But I think right now we're kind of letting it blow in the wind. What is the organization's stance at? How do you want to move forward with AI before you start doing that? But this could be a really interesting tool to help with that.
Speaker 1:Yeah, we're already using AI on the podcast in some way, shape or form. There's a lot of AI tools to come up with descriptions for YouTube videos, for example, or suggest titles and things like that, so it's already being used just for this podcast.
Speaker 4:We've all used chat yeah.
Speaker 5:When it comes to this thing, I'm on the other end, because trying to contain the use of AI is like trying to hold water in your hands. It's just not going to work. This tool, it's like herding cats. Yeah, it's like exactly, nick, like herding cats.
Speaker 5:This is a waste of time and money to buy this and to roll it out, in my opinion, because it might tell you some interesting stuff. It's probably more designed to be interesting to buy rather than it is interesting to use. But what are you going to do? So? What? Well, who cares if somebody is using one of 10,000 AI tools that are out there? Ai is built into Microsoft products. Now, certainly there's the chat, gpt and all of those things that we know about. Well, maybe you're not going to use it on your network, but I can pull it up on my phone with a cellular connection to the internet.
Speaker 5:And what's the point of spending any amount of time or energy implementing tools like this to catch something that you can do nothing about?
Speaker 5:My opinion is better spent, like Nick was talking about, have a plan organizationally around what it is that you're trying to protect or prevent. Are you trying to protect a certain amount of information on your users or your customers. Well, that's valid and that's worth a conversation. So understanding how you're going to protect that data is important. Or are you, say, a document or a company that's generating content, either visual content, audio content or written content? Then you do need to have some ideas about how your employees are generating content, either naturally or with AI, because if they're using AI, there could be some downstream ramifications if they're claiming that they authored it, but they were really using AI. So those are the more important conversations, again, in my opinion, to have rather than to detect something that your organization, somebody in your organization might be using while they're on your network, using your property, when they could easily just do it with their own property over a cellular network.
Speaker 2:That's one thing. We've seen a lot of kind of the initial wave of blowback against this, like the last year's AI revolution, is lawsuits, like you hinted, eric, about. All these AIs are trained on training data. That's how they work, and a lot of that training data is pulled directly off the internet or in various kind of underhanded methods that you might call scraping of one kind or another, so the AI can produce something that seems novel and new and interesting and informed.
Speaker 2:But really it's just I remember the basso-matic from SNL back in the day with John Belushi, where he puts the fish in the blender and you get out this sort of uniform fish gel. It doesn't come from nowhere. It's not really an intelligent thing creating output. It's just doing a whole lot of computation and analysis and machine learning algorithm work behind the scenes and spitting out the basso-matic version of written content or songs or whatever. So I think the legal exposure is something companies really need to keep in mind, because this is uncharted territory and there isn't legal precedent yet really for a lot of this stuff that if you just jump in with both feet without having kind of an organizational approach to it, like Nick said, you could end up in some hot water.
Speaker 3:You know, I just I was in an ISC2 conference this week and they spent a lot of time talking about AI.
Speaker 3:One of the really interesting aspects of this is that and this is a great example of a product that's taking an early swing at a problem that is so new Scott, to your point and no-transcript Right now, the, the White House and Congress are trying to get some you know, some legislation in the United States to to help Inform some decisions and some guide some, some, some rails around AI, whereas in Europe they take a much, much more prescriptive approach, right with some of the GDPR laws you have in Europe very, very prescriptive, but here in the United States it's more descriptive and there's not going to probably be a really heavy-handed.
Speaker 3:You know you have to do things specifically this way, in this way from the government. So I think tools like this will proliferate because people will be trying to follow some rough guidelines. So I think you're gonna see more of this. But I do kind of wonder if some of these things could also be solved with, like, a DNS or a URL filter to see what people are going through the corporate network to hit some of these generative AI sites. Snake oil, I.
Speaker 4:Don't know if this pertains so much, but on this on the side, I do a lot of photography and AI is huge there, so but the reason I bring it up is one of my favorite companies like a. They release a new camera yesterday and the reason why it's cool is, if you're familiar with the technology, the coalition for content, something, and authenticity I can't remember what it's called, something of that nature, but it's basically the standard now of what's real and what's not. So in the camera, when you take a picture, you're able to put in the metadata your, basically, signature that can't be altered, so, and it's a live track of what's happening. So, let's say, you take this photo, you put it on the internet and you you edit the picture. Somehow it shows the edits you've done. So if you sell the picture or move the picture, you can see.
Speaker 4:Okay, this was Eric's picture. He took it here at this time in this place and he didn't made these changes to it. I think it's a cool technology, whether it's directly related to cyber security or not. It's kind of that battle against AI and it's more moving parallel with different technologies to combat what's real, once not. You know what's a phishing email and what's not so. They kind of are a parallel technology. I did think it was neat that they came out with this to combat AI as well, as it's so prevalent in our industry.
Speaker 2:Yeah, I wonder, nick, how that would, how that would work with a, you know, a scraping and and sort of generative AI System that doesn't care about your watermark, you know, certainly it might be hard to get that through the filter of the AI At the end of the pipeline.
Speaker 4:But I guess I don't know what you're right, I don't know it enough about it as well, and this is the first I was hearing about it yesterday. But you know, you're always gonna have the issue of somebody just taking like a screenshot of the picture or something and using it that way. I think this is just an initial, you know. I don't want to say throw it at the wall and see what sticks, but it's an initial swath of something that can help Creators or whatnot. But yeah, real interesting point you made, there's, there's gonna be a lot of different angles that we're not gonna be able to protect and you know, that's kind of the industry we work in as well. We're it's 360 degrees and we're firing in all directions.
Speaker 1:What one thing I wanted to touch on today Is, if we don't get to all the fun stuff is this if someone could quickly explain you know, what is an audit, what is a security audit, that might be a bigger conversation down the road, but for somebody that has maybe got a Multi-million-dollar business that's starting to think a lot harder about cybersecurity after listening to our podcast, what does that look like for them? Can you, can you walk us through the process, quickly, give us any insights as as to what you guys do and why that's valuable?
Speaker 5:I could take a first crack at it. So an audit would be just a high level assessment by a third party of a current state Of your environment, so a point in time evaluation of your environment by someone qualified to Conduct that assessment. The outcome would be you would know what it was that was, you know, let's say it's a security audit. So you, to set that up, you would go through with with the person conducting the audit what it was that they were looking to discover and then you'd get a report at the end that would tell you that the outcomes of their tests against your environment. It could be something like physical controls where You're trying to test how hard or easy is it to get into your building after hours, for example? So did did your security company alert you when the the auditor was attempting to To get in through your front door? Could they bypass your, your side door by Cloning an employee badge and or nick, putting on the UPS uniform and carrying a package in? Could they get into your server room? Could they get somewhere where they could install something in a network check? You know these are kind of more of like a physical audit. Other audits could be. Other security related audits could be Something where someone is trying to impersonate a remote actor, that is, without being physically In your environment. How far can they get in just by using information gained from social media, open source intelligence gathering and what you, what you look like on the internet? You know, as Scott alluded to earlier? We were, we were talking about that Cisco breach. So a scan against your network? Oh, there's a vulnerability there. Now what can we do from from that entry point?
Speaker 5:Different types of audits based on what you need. There are some regulatory audits, like a PCI audit, if you're handling credit card information and and the credit card processors and merchant banks want to know that you're practicing, do care and do diligence Around how you're handling credit card data. Are you writing down the credit card data on a sticky note and then entering it into the system later, or do you have, you know really good practices around how you take credit cards, either card present or card not present and are you adhering to the industry standards? You're probably going on a long ramble about all of the different types of audits, but high level, I think that would would give a good synopsis and you know Certainly, nick bill, scott, any anything else to add there.
Speaker 4:I think for me, that point that I want to bring up is People aren't doing it enough. We're not testing social engineering enough and it's, it's so huge, from dropping a thumb drive in a parking lot, you know to, like Eric said, dressing up as a UPS driver and, you know, trying to infiltrate Any place of business. I know one we've done before was dressed up as a fire Marshal. You know you walk in with the fire chief shirt. You know style on the hat and jeans and a clipboard. You know, soon as you grab a clipboard, it's pretty much, you know, open season everywhere because people aren't going to stop you.
Speaker 4:But as I as I digress, the point of bringing up is you know we spent so many years trying to combat fishing emails and teaching our you know Co-workers and you know anybody in our organization. What is a fishing animal? What is an efficient email on how to, you know, combat that you know. Now we're seeing we're probably not putting enough emphasis on social engineering. Well, what's happening when they're in the lunchroom or they're, they're tail letting somebody tailgate them into a building and that's something we're probably not talking about enough, I think. And when we're doing these exercises, that's what we're seeing, you know we have a pretty good success rate and I think you know, starting the conversation, you know, from just the fishing side to the physical side is something we need to start doing.
Speaker 3:Yeah, that makes a lot of sense to me. I think fishing is a huge one, as you point out, nick. The other thing I see a lot of times with audits is that it's really difficult for people to identify what the gaps are right. So a lot of audits are driven by interviews and they're driven by access to the information within the organization. It's generally pretty technical in nature. So I think IT organizations need to do and are starting to do an increasingly better job of minimizing the burden on that customer to provide that information, because we have to get in there and really help them out. They may not have the expertise to supply all those answers for us.
Speaker 2:One thing about IT audits in 2023 that's different maybe from a decade or two ago is that there's some really really good frameworks out there now that are essentially free or have a nominal cost that really outline the process in a structured and data-driven way. In 2003, cybersecurity as an industry was very much the Wild West and you had just very different people doing very different types of work, and it's really matured quite a bit. So now we have these great blueprints and battle plans to use when we go into organizations that are developed by the government or by industry or by academia, and it doesn't have to be a best effort thing so much anymore. There's really good systems that practitioners like us can use to do a deep and thorough evaluation.
Speaker 5:And where our claim to fame is, so to speak, is where not only can we help on that audit side of understanding where a customer might want to be, so helping them create that roadmap.
Speaker 5:A lot of times you'll talk to a customer and they've got audit fatigue because they've been through a number of audits in a short period of time and each audit ends with a stack of papers.
Speaker 5:And I always equate it to you're driving a car, you take your car to the mechanic shop and they say, well, here's all the things wrong with it.
Speaker 5:They hand you a printout. It's the same thing that happens in the cyber world. You get your printout of everything that's wrong and typically then the person who conducted the audit, they go off and they're on to conducting another assessment the following week and you're left to take the piece of paper and figure out what to do with it. Where we really found an itch was that not only would we give them the piece of paper that told them what was wrong, but we'd also help them build a plan to correct it and oftentimes that was with either staff augmentation or coming in to run a part of their security program to really take that the corrective actions and the strategy and build the plan so that they really had a roadmap to get better and equated back to the car example. We're going to be the mechanics there that help them get that car back on the road and driving the way they would want it to.
Speaker 4:We want to be in the trenches with you.
Speaker 1:That's what I'm looking for. Yeah, all right guys. Well, we had Scott Rizdahl, eric Brown, bill Harris and Nick Mellum on today. From IT Audit Labs. I'm Joshua Schmidt. I'm the producer and co-host of the audit. Thanks so much for joining us today. This is the end of the 2023 calendar year for the audit, so we'll see you next year with some new content, new topics and the same old cast and crew here. So thanks for joining us today, subscribe and follow. You can find us on YouTube. We also have LinkedIn, instagram and Facebook as well, so check us out and hope to see you next year.
Speaker 5:Josh, one thing for next year. You think we can get Bill to grow a beard.
Speaker 1:Probably have a lot better chance than I do. I have the facial hair of a 12-year-old. I've never been able to do that. It looks pretty gross when I try to go for the beard. I'm not going to lie. I do do Captain Morgan stash, though.
Speaker 4:I'm strong.