The Audit - Presented by IT Audit Labs

Real-World Cybersecurity: Need to Know Now Insights from a CISO

IT Audit Labs Season 1 Episode 50

In this episode of The Audit by IT Audit Labs, we sit down for an in-depth conversation with Eric Brown to explore the crucial topic of personal information security.  

Eric breaks down essential strategies for protecting your data, starting with freezing your credit, leveraging password managers, and implementing multi-factor authentication. He also dives into how these personal security measures directly tie into a broader corporate security posture. 

In this episode, we cover: 

  • Credit freezes and why they’re your first line of defense 
  • How email breaches occur and what to do when your account is compromised 
  • Why password managers and passphrases are game changers for security 
  • The role of multi-factor authentication in thwarting attackers 
  • Tips for maintaining privacy in an era of data mining and social engineering 

Stay tuned as we dive into the details and explore how securing your personal data can help protect your organization from threats. 

Make sure to subscribe to The Audit on your preferred podcast platform to stay up to date on the latest insights from IT Audit Labs! 

#cybersecurity #datasecurity #personalinformationsecurity #informationsecurity 

Speaker 1:

Hello, welcome to the Audit presented by IT Audit Labs. We're joined today by our CISO, Eric Brown, and I'm Joshua Schmidt, as always, your producer and co-host. Today we're sitting down with Eric to have a fireside chat, without the fire, about what Eric does day to day, how IT Audit Labs helps organizations shore up their personal and data info security, and kind of get into the nitty-gritty details and get a really good insight into how Eric views security from a high level and from a personal level as well. So, without further ado, we're going to turn it over to Eric Brown. We're going to talk in depth today about personal information security.

Speaker 2:

Hello, you're listening to the Audit. My name is Eric Brown and I'm the Managing Director of IT Audit Labs, and today I want to talk about personal information security. This is something that we get asked a lot about by our customers, and we've done a few podcasts on this in the past, but I want to refresh the content for 2024, as we're coming up on Cybersecurity Awareness Month, and consolidate what we have into a quick format that can be used throughout the year. As I said, we get asked a lot about personal information security and how that bridges the gap between personal security and corporate security. The two are linked, and we often come into organizations and present at the board level or senior leadership level to essentially showcase to that team the importance of information security and how it's relevant to those people.

Speaker 2:

So I'll start by saying that all of us, most likely all of us who are listening to this, have been involved in a breach personally at some point or other in our lives, and you get that breach notification email that says your data, which might be your social security number or some other personal information about you, has been involved in a breach. It's not your fault. It happens because somebody that you trusted your data with had poor data security practices and that information was compromised. Now what can you do about it? There are quite a few things that you can do about it, but first, just understand that if it hasn't happened yet, it's likely that it's going to happen, and it can go from something that is a major annoyance and takes a lot of your time to resolve to something that is just like, oh okay, that's a Tuesday, it happened, not that concerned about it.

Speaker 2:

So, number one, then, I'm going to start with. The first thing that you want to do is freeze your credit. So there are really three reporting bureaus: Experian, Equifax and TransUnion. Those are the consumer bureaus, and there's a fourth bureau that not a lot of people have heard of. It's called Innovis, I-N-N-O-V-I-S.

Speaker 1:

And.

Speaker 2:

Innovis is responsible for those credit approval letters that you might get saying you've been pre-approved for a loan or whatever it is. But Innovis is using your information to produce a generalized creditworthiness about you. So you want to freeze your credit with each of those bureaus: TransUnion, Equifax, Innovis and Experian.

Speaker 1:

And you can do it.

Speaker 2:

It's free to freeze your credit with each of those bureaus. By default, our credit, by the time we get a social security number, is open. It's a flaw in the system, but it is what it is. Unless you freeze your credit, it's going to be open and credit can be taken out in your name, causing long-term downstream impacts that are not good. If someone opens up credit in your name and is abusing that credit, it could have identity theft implications down the road, and getting your social security number back or getting a new social security number issued is quite a lengthy, time-consuming and often expensive process. If you do need to open up credit for a loan, you can specify the window of time during which you want that credit opened, and typically what I like to do, if I'm going for credit, is ask the organization that I'm working with, say it's a car dealership or a mortgage broker, which reporting agency they use, and then unfreeze the credit specifically with that organization that's going to report credit on me.

Speaker 2:

The next thing you can do is make sure that there isn't any credit opened up in your name, and that is: everyone is entitled to a free credit report. So you can go on and get that annual free credit report, and that will tell you what credit is open in your name, and by watching that and freezing your credit, you're doing a pretty good job of making sure that your social security number can't be used maliciously. All right, so we talked about credit. That's probably the number one way to protect yourself, and if you're not going to do anything else, I would start there. So then, secondly, where we see most breaches start is in email. So, using your email address as an identifier to who you are: typically we'll sign up for a reward service or whatever service we need, and email is typically an identifier for that service. So there is a website you can go to; it's Have I Been Pwned, and Troy Hunt maintains that website. He's a security researcher, and Troy has collated millions, if not billions by now, of compromised accounts, and it'll let you look up at no cost to see if your email account has been involved in a breach. So you can go to Have I Been Pwned, enter as many email addresses as you want, and that will tell you or show you if that email account has been involved in a breach. It's likely there's going to be something. If you've had that email address for a while, it's going to have been involved in a breach or two, maybe more. Again, not the end of the world.

Speaker 2:

There are things that you can do about that. What you're looking for here is what breach it was involved in and then where you are reusing that login and password. So if your account was, say, caught up in an Adobe breach and then also in the Ford breach, if your username, which will probably be your email address, and password were different, then that's great. You just have to change your password for whichever one was breached. If you're reusing the same password, that's where we get into an area where the threat actors love it, because they're able to get to multiple sites using the same login and password, and all of this is programmatically done. Nobody's sitting in the basement of their mom's house banging away on a keyboard trying your username and password. These are done thousands of times a minute by threat actors that have programs that are just going out and trying to log into a variety of sites using this database of stolen credentials. So what we like to recommend is using two things: one is a password manager and the second is multi-factor authentication.

Speaker 2:

So NIST is an organization that's put out guidance around passwords and password complexity.

Speaker 2:

They're recommending changing the password only if the password has been involved in a breach or once a year, and they're recommending using a passphrase, coming up with a phrase that's meaningful to you but not meaningful to anyone else.

Speaker 2:

So "the first day of the week is Wednesday" would be an interesting passphrase, maybe a little long for some sites that haven't adopted the longer phrase passwords, but most sites will take up to 20 characters. So coming up with a passphrase, again, that's meaningful to you would be a good idea to do, and storing that in a password manager, because a password manager is essentially an online database (it could be offline as well, but I recommend an online one) that would contain all of your passwords. If you're like me, I probably have logins to 250 plus sites. I can't remember more than maybe five or six passwords, so I store all of those passwords in a password manager and then I'm able to just copy and paste from that password manager into the site that I'm trying to go to, and most password managers will have a phone app as well as a plug-in to a browser.

Speaker 2:

Speaking of browsers, we don't recommend that you store your password in a browser. The browser's job is to give you a portal to the internet. It's not to secure your passwords. They don't do a good job with it. So, rather than using your favorite browser as a password manager, select one. There's quite a few out there that are some good choices.

Speaker 2:

And then the other piece was multi-factor authentication, or MFA. So MFA is something that you are; think of it as a fingerprint, right, that's something that you are. You might use a YubiKey or some other form of a token, something you have, and then something you know, which is a PIN or a password. So two of those things form multi-factor authentication. Most of us are using that already in our daily lives. Think of facial recognition on your phone. It used to be fingerprint recognition on your mobile device to get into the device, a six-digit PIN or something like that. For that multi-factor authentication, the phone also serves as something you have. So you've got something you have, and you've got that something you are, that facial recognition. There are two forms of authentication, and a lot of our corporate environments are bringing in the personal device.

Speaker 2:

So you're setting up an authenticator (a Google Authenticator, a Microsoft Authenticator; there are other third-party authenticators) on your mobile device, and you're logging into that device, logging into that authenticator, and then it's displaying a number on your computer screen that you're typing into the authenticator, or the authenticator is producing a number that changes every minute or every 30 seconds, and then you're typing that into the application that you're trying to access.

Speaker 2:

SMS or text-based authentication is another method that you've probably seen for a number of years, where you're logging into your bank and then they send you a text and you enter that number that was in the text field into the website to get into your bank. We're moving away from SMS-based authentication because it is more prone to being infiltrated by a threat actor. Threat actors, especially in our corporate environment, will create lookalike websites. So they'll send a phishing email that bypasses the email filters that corporations may have (probably another podcast on how all of that works), but they'll bypass the filtering. The user will click on the link. It'll pop up a page that looks a lot like a Microsoft login page or a Google login page. The user will enter credentials and then it will ask for that SMS-based authentication, and the user types that information in.

Speaker 2:

It's more of a social engineering attack. It's easier to be stolen if a threat actor has access to your cellular carrier's network, and there are a variety of attacks that happen on that. That's probably another podcast as well. Just know that SMS-based authentication is less secure than authenticator-based multi-factor authentication. So you want to set that up on your tier one accounts, like your bank accounts and your password manager; set those up on there and then eventually filter your way through your tier two or your less important accounts, if they have the ability to do multi-factor authentication, which more and more are.

Speaker 2:

So next I'm going to get into email security. So on the email security side, we do a lot of business over email. Just as a society, we're interacting over email. We're interacting over messaging. On the email side, there are a few free email carriers out there, namely Google, Microsoft with Hotmail, AOL, Yahoo (maybe AOL a little bit less so now), but there are some major free providers of email and a lot of us have those email addresses. The email addresses are free because those services are mining the data in your email accounts, not just yours, but hundreds of thousands of people who use those services, in order to create personas and sell more advertising to us collectively as a society.

Speaker 2:

So whether or not you want to participate in that unintentional information disclosure is up to you. But to give you an alternative to that, I think those email addresses are great for specific and discrete purposes, like signing up for email where you know you have to interact with a third party. They're going to subscribe you to a mailing list and you're going to get a bunch of junk mail. That's great. That's a great use for a Gmail address. But for personal information that might be more private to you as an individual, use an email service like Proton Mail. Proton Mail is a service that is going to hold your information private and not disclose that information or use that information to mine data about you. The downside is there could be a little bit of a cost to them, depending on how much mail or data you have in their service. Proton Mail takes it a step further: the email is hosted in Switzerland, there are no data extradition laws, and all of the data is encrypted, and you can even hold the keys to that encryption if you so desire. Proton Mail also has a VPN service, as well as a data storage and calendaring service. I like them as a mail company because of their integrity behind what they do and how they care for mail that you choose to host with them or data that you choose to host with them.

Speaker 2:

And then, moving from there into SMS or phone call or phone number management, I should say. Since many of us keep the same phone number for years, there is a possibility that you're going to end up on some form of a spam notification list on your email and you're going to get those phone calls at dinnertime trying to sell you services, or nowadays it's spamming us with political messaging to get some form of polling from you. A couple of things you can do to avoid that is to have a few different phone numbers. So again, one that maybe you're going to give out more publicly for signing up for services, and then maybe one that's more private, that you really only keep for close friends, family, what have you. On the maybe less personal side there, Google has a voice service, a VoIP (V-o-I-P, or voice over IP) service where you can sign up for a Google phone number.

Speaker 2:

I think this is a great one for those commercial services, because Google's in the business of mining our data, so let's give them some more spam to run through their engines, is the way I think about it. But you could get one of those numbers and you can receive phone calls and texts to it, and that's a free service. There are other services that you might pay a little bit of money for where you could do the same thing. One of them is called Burner, and that'll give you, quote unquote, a virtual burner number that you can use, and you can choose how long you keep the number. And that number might be good for maybe some more discrete purposes, you know, online dating, something like that, where maybe you really don't want to give out your personal number, or even a number that you're going to keep for a long time, like a Google number, and that way, if the interaction is not going well, you can just delete that number, get a new one and move on from that point. And then, from an offline perspective, one of the things that we could talk about is just thinking more purposefully about what you're doing with your online slash offline content. So are you taking selfies in front of your house with the house number exposed, and then that's making its way online to social media? Are you posting about your upcoming trip and when you're going to be on vacation, and you have lots of stories or what have you that might have personal information about your residence? Now people know that you are not at home, and that could subject you to maybe some offline malicious activity, so be mindful of that. And then, when you are driving around town, picking up the mail, what have you, are you protecting your personal information from third-party viewership? So making sure that letters and other things that might be addressed to you aren't face up on the car seat next to you or in the back seat, right? Just being somewhat mindful of the information that you are giving off without necessarily meaning to do so. As long as you're aware of it, that's half the battle.

Speaker 2:

And then the last thing I'll say on that topic is when you are discarding prescription drugs. A lot of that information is on the bottle, which might be something you don't want to throw in the trash or the recycling without taking off the label. Or, a lot of the places where you can pick up prescriptions have a locked medicine container, a drop box where you can take unused medications and put them in that drop box. You can do the same thing with empty prescription bottles, where then they responsibly discard the private information on that label. So I think that's it. Certainly open to dialogue on any of these topics.

Speaker 2:

We love coming into organizations and just starting the conversation around personal information security and then relating that to what happens on the inside of an organization. So going through that email flow of how a threat actor will do some OSINT, or open source intelligence gathering (and we've got a couple of great podcasts on that), but spinning from open source intelligence gathering about a person or a group of people to sending targeted content to those people in an organization, sending enticing emails so that those people or that person clicks on a malicious link and then enters their password and potentially bypasses MFA protections that are in place, and then the threat actor gains a foothold in the organization and starts to pivot and move laterally, et cetera. But we come in and we'll do some pretty deep dives on how those flows happen and show some real-world examples that we've been involved in to just educate the leadership and anyone that might be relevant on how these things happen, so the organization can take precautions to prevent that from happening.

Speaker 1:

So you mentioned a lot there. We talked about freezing credit, checking your credit report, filing your taxes early, talked about email breaches and some tools and some techniques and some common attack vectors. What are the impacts those threats can have on an organization? You know there's the obvious stuff, you know, having your credit or someone's credit taken out in your name, having your identity stolen, but how does that impact an organization?

Speaker 2:

A couple of ways to answer a good question.

Speaker 2:

So on the individual side, breaches most of the time start with an individual, so a threat actor could potentially gather more information about that individual to send them targeted communications.

Speaker 2:

So that's going to be enticing for them to click on, if the organization is one that the threat actor is interested in gaining a foothold in. Most of the phishing emails that we see are less targeted. It's kind of automated spray and pray, if you will, where mass communications, hundreds of thousands of emails, are sent, and then the victim, so to speak, clicks on that link. An automated response is coming from the threat actor's environment and they're just moving down that chain, if you will, of infection. And rarely is it something where you have a human-to-human interaction, where a human is crafting a targeted message and then specifically going after one individual and socially engineering them like we would see in the spy movies. Not to say that it doesn't happen, but 99% of the emails are all automated and the responses are all automated, with the intent of that threat actor either sending out additional communications to contact lists or getting a foothold in that organization and moving laterally.

Speaker 2:

So the impact to the organization could certainly be reputational damage. It could be a pivot point where the threat actor is able to access an account and gain a foothold. We see organizations that maybe don't have the controls in place where you would separate out someone that would have local administrator access. Some organizations allow everyone to have local administrator access and install whatever they want on their computers. It's much easier for the threat actor to bypass the malware controls, if there are any in place, when that happens. So if an organization maybe is less mature, the impact of phishing could be greater. In addition to the reputational damage, it's the individual damage that can occur if, you know, unfortunately, your social security number is compromised and the threat actor is able to open up credit in your name, or potentially use information that they've gleaned about you in order to compromise another victim.

Speaker 2:

So if someone knew some personal information about someone, they could pivot that information and make it into much more of a compelling story to further compromise someone else.

Speaker 2:

So we think of the grandmother scenario, where little Timmy's on a trip to Mexico and then grandma gets an email or a phone call that little Timmy is now hostage in Mexico and, you know, $2,000 of ransom is needed to get little Timmy freed. And nowadays, with voice cloning technology that's available for free or at a nominal fee, it's really easy to clone little Timmy's voice and make that much more of an enticing scenario. So along those lines, we recommend families get together and at least have a conversation about, if there is an event that takes place, what are we going to do? Right, if we're on vacation and we can't get back home, are we going to have a meeting spot? What are maybe some code words (isn't the right word to use per se), but what is some of the language we can use in order to make it much harder to be in that kidnap ransom scenario? Because if you ask little Timmy what his dog's name is, and that information was available on social media, that's not really a great question.

Speaker 2:

But if you ask little Timmy a question that only he might know that's never been posted on social media much easier to tell if the kidnapping is real or not. Certainly if it is real you want to get the FBI involved right away. So that's a whole different scenario. But the likelihood of that happening and the kidnapper reaching out to you because your family is on vacation in Mexico is pretty high.

Speaker 1:

You mentioned phishing attempts there. What are some of the best practices for training employees within an organization to recognize those threats and how do you approach training a group of people or affecting the culture of an organization to mitigate those risks?

Speaker 2:

Yeah. So a couple of things you can do there. We recommend the regular phishing exercises where you're sending out a simulated phishing attack that's somewhat relevant to the time of year. So kind of this time of year, going into the holiday season, tied to some of the education around the UPS or FedEx or whatever package notifications, right? The postal service is not going to send you an email that says that you need to click on this link and pay a fee in order to get a package. Right, it's just not going to happen. But doing some of that education to the user so that they can see these phishing emails in situ, and why they're phishing emails, is really helpful.

Speaker 2:

Creating awareness: Cybersecurity Awareness Month, October, is a great time of year to just raise that general awareness about phishing and email security. And then, on top of that, it's really having the right tools and technology in place and tuned in order to prevent those phishing emails from coming in. No tool is infallible, but there are tools that are better than others, and there's a way to tune those tools to get the most bang for the buck, so to speak. Right, you can, of course, block everything, and then nothing would get in, but you'd miss out on business emails. So you want to tune them appropriately.

Speaker 2:

Generally they're going to look for things like: was the domain recently created? It's pretty likely that a newly created domain is more of a phishing domain, or a domain used for phishing. If the domain is a really long string of characters and numbers that isn't a dictionary word, there's more of a chance that it's a phishing domain. And then you could look at the origin of where these emails are coming from. Some of the tools these days are getting into looking at the content of the email and looking for CEO type of fraud, where the CEO is on an airplane and sending out an email saying that they need 20 gift cards by one o'clock and you need to run out and get them, scratch the back off and give them the number. That sort of stuff can be found through analyzing the content.

Speaker 2:

So it's a multi-phased process, but at the individual level I think awareness, training and just discussion with team members, you know, that this is happening, and sharing: maybe somebody on the finance team, who is a frequent target, gets these emails and then is socializing with other people on the team a phishing email where somebody was trying to change their bank routing information, and having plans in place for what happens if somebody does want to change their bank routing information. Do we do that all online, or do we require that phone call validation? Or how are we authenticating the person as who they are, who's requesting that change? So that's another thing that we do, Josh: going into organizations and just having these higher-level tabletop kind of conversations that maybe they're not having on a regular basis.

Speaker 1:

Yeah, that's great and you know with your wealth of experience. What kind of impact do you see that having on an organization when it's done well versus when it's been neglected?

Speaker 2:

One of the things I love to do is you go in and do that initial phishing assessment, and then you come back six months or a year later after they've had training and conversations and put some practices and controls in place, and just watching that number decrease month over month as people become more aware, are reporting phishing messages, and then are just getting more attuned to what's happening in the organization. I really love going in and starting with a baseline assessment that's not too hard, seeing how many people are clicking on the link, how many people are entering information when they get into the link, then making the messages harder and harder and more and more realistic, and then watching those numbers still continue to decrease because people are more trained and more aware that this is happening. And then you can also watch from a tooling perspective, when you do put proper tools in the environment that are going to catch phishing and grayware, spam, what have you. Just watching the amount of email traffic decrease for an organization is pretty cool to see. One of the groups that we put this in for, maybe about nine months or so ago, I was in a meeting with them and one of the leaders said, I really get a lot less, or even no, spam emails anymore, and that's just kind of cool to hear, because the stuff is actually working and they're really able to see a difference in how clean their inbox is. And, as a contrast, if you open up your inbox and there's a bunch of spam in there and there's phishing emails in there, advertising emails, your organization is probably not doing a great job in keeping your inbox clean, and you probably need to talk to somebody to come in and help craft that, because you can get it to where there are no or very few non-legitimate business emails in that inbox. And then, when one does slip through that's a malicious email, a really well-crafted phishing email, it stands out like a sore thumb, because the users are not seeing those non-business related emails. And then when something comes in that looks off, it just stands out.

Speaker 1:

And then how does that, from a high level, impact the larger operation of the organization in terms of meeting their goals as a team? Or have you seen that kind of trickle down into or trickle up into other facets of an organization?

Speaker 2:

Generally, Josh, as the organization is spending time, money and effort on a robust email program, we're seeing advancements in their cyber program across the board. So we're seeing that organization's maturity level increase, and some of the outcomes of that, of course, will be less likelihood of an impact of a breach, better general controls around information security and authentication, having a password management system in place, having an identity governance system in place where you're getting into role-based access. So generally, we're seeing the movement up that maturity curve when the organization recognizes that information security is really an important part, not only as a business differentiator, but something that their clients are asking for as well. You're taking my data. How are you protecting that data? How are you ensuring that my data isn't going to end up on Troy Hunt's Have I Been Pwned site?

Speaker 1:

And that affects the brand of the whole organization and the credibility and most likely the pocketbook too, because if they're not spending time on cleaning up mistakes or breaches, they can be more focused on their day-to-day operations and meeting financial goals and whatnot, I'd assume.

Speaker 2:

Yeah, absolutely. Breach remediation is a huge time and money sink. For anybody that's been through it, you know, knows this, but it really is a distraction. It's cumbersome, it's a lot of work to go through and do that post-remediation investigation and cleanup work. It's one of the things that we do with our customers, but, you know, nobody's in the room high-fiving at that time. It's not a celebratory meeting. You know, they're pretty intense and can be emotional meetings, because you have this set of data that you were entrusted to protect that is now unprotected.

Speaker 1:

And just to kind of wrap things up, all of these techniques and tools and educational aspects that you've talked about do those kind of go hand in hand with helping businesses protect their data privacy and comply with regulations like HIPAA laws or CCPA or GDPR? Does that go hand in hand, or how do you help organizations navigate that task?

Speaker 2:

So, from a compliance perspective, email security is one of the things that is scrutinized.

Speaker 2:

There are others, just around data sovereignty and movement of data, who has access to data, but, at the end of the day, what you're trying to regulate is the right access to the right data at the right time.

Speaker 2:

So, talking to organizations about where they're storing this confidential information: regardless of the regulation, there's going to be some subset of protected information, be it a social security number or a medical record number or private information about that individual that's being protected. Storing that in the appropriate place, which is not email, is one of the conversations that can be had, and it's really tough to do, because email is a business communication medium and we're moving files back and forth. There are other ways to move that content and get that content to the right people, but it starts with a conversation and making people, or helping people become, aware of how that data is being accessed, who accesses it and how that data is treated. What is your email retention policy? Are you sitting on 10 years' worth of data that, if a threat actor gets into that email account, now they have 10 years' worth of data that potentially could be discoverable? Or is it six months' worth of data, if you have a retention policy that would limit the scope of the information stored, say, in an email server?

Speaker 1:

Excellent. Wow, we covered a lot of ground today, but I'm glad we did this. It gives us a really great insight into your day-to-day thoughts and perspective from a CISO and from someone who's on the ground level, helping people and organizations shore up their security posture so that they can focus on the things that are most important to their business. Yeah, good job.

Speaker 2:

You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.