The Audit - Cybersecurity Podcast

Cybersecurity News: Elon's Audits, Finland’s Tabletop Security, & AI Threats

IT Audit Labs Season 1 Episode 59

Think audits are just paperwork? Think again. They’re the frontline defense against security gaps, data breaches, and unchecked access. 

In this episode of The Audit, we break down how Elon Musk’s unexpected access to FEMA’s sensitive data underscores the critical role of audits in organizational security. We reveal how regular audits and third-party reviews expose vulnerabilities, enforce accountability, and strengthen cyber defenses before attackers can exploit them. 

Key Topics We Cover:  

     • How audits uncover hidden cybersecurity risks  

     • Finland’s cutting-edge approach to cyber resilience  

     • Why tabletop exercises and real-world drills are game changers  

     • A shocking social engineering attack at a library—and what it teaches us 

Cyber threats evolve fast—don’t wait until you’re the next headline. Whether you're a cybersecurity pro or just getting started, this episode is packed with actionable insights you can’t afford to miss. 

Like, share, and subscribe for the latest cybersecurity news and expert analysis! 

#Cybersecurity #Auditing #Infosec #SocialEngineering #SecurityNews 

Speaker 1:

Welcome to the Audit presented by IT Audit Labs. I'm Joshua Schmidt, your producer and co-host. We're joined by Eric Brown and Nick Mellum. Today we're going to do a news episode, but first we have our icebreaker question Guys, what was your first job? We've all had a first job. Probably not the one we're in now.

Speaker 2:

Yeah, that's easy. Two weeks to my 14th birthday, my mom drove me up to Byerly's Grocery Store in Roseville and I had my first interview and I asked for a job to be a bag boy. So I worked at Byerly's in Roseville for like, oh man, eight years or something, doing all kinds of things. My first job was a bag boy there. Bag boy, yep, a couple hours a night after work my mom would drive me up there and a couple hours on the weekends all you could do.

Speaker 1:

Do you remember how much you made an hour?

Speaker 2:

Oh my gosh, probably like $5.85 or something, not very much, but hey, you didn't need much back then when you were 14 years old.

Speaker 1:

Nice. How about you, Eric?

Speaker 3:

I'm trying to think if it was either paper boy or snow shoveling. I lived in Frederick, Maryland, at the time and the apartment house that we were living in it was like an apartment in a house. I was in fourth grade and it snowed and didn't snow often in Frederick, but it snowed and I think I got 20 bucks for shoveling the sidewalk in that apartment house. But I can't remember if I was doing that before I was doing. I think I was doing that before I was doing a paper route.

Speaker 1:

Nice. State bird is the Baltimore Oriole.

Speaker 2:

Fun fact. What age are you shoveling driveways at? I have fourth grade, so whatever that is, I don't know.

Speaker 3:

What is that, 10? How about you?

Speaker 1:

Yeah yeah. My first job was raking leaves and doing yard work around my community for $3 an hour. Uh, my buddy and I split $6 an hour to rake, rake leaves, but their first actual real job. So you know I was entrepreneurial from a young age. The first real job was working at a golf course. I got to pick the range. You know, sit in the in the cart with the picker and listen. Listen to music and pick all the balls and then let everybody try to smack, smack.

Speaker 2:

You drive by.

Speaker 1:

Yeah, and we didn't even have a cage. Oh really.

Speaker 2:

They just had you out there. We were just yeah, did they put a hockey helmet on you or something Just like?

Speaker 1:

no, just nothing.

Speaker 2:

Went out there, just got it done. That sounds like an insurance nightmare nowadays.

Speaker 1:

Yeah Well, the thing that it taught me to do was, you know, be able to parallel park back up a car at high speed. You know, essentially driving the golf carts Good introduction to driving vehicles down the road.

Speaker 2:

That was like. The most fun thing you could do as a kid, though, is to drive a golf cart, like if your dad took you golfing, or something you were like praying that you could get to like the second or third hole quick out of sight from the clubhouse and you could take the reins of that golf cart oh, we had quite a bit of fun.

Speaker 1:

We used to drive the uh golf carts to the top of a huge hill and then put it in neutral so the governor would turn off.

Speaker 3:

And then just send it, yeah just send it.

Speaker 2:

Yeah, good time, good time. I've got some stories about that, but we should probably move along I still like driving the golf cart.

Speaker 3:

You know, I'd rather drive the golf cart than play golf.

Speaker 1:

There's always one around the clubhouse that doesn't have the governor on, and it can just go as fast, as fast as hell I would think we could disable the governor too.

Speaker 2:

Couldn't you, yeah, can't you? Could you just lift up the seat and reach your hand in there and press yeah?

Speaker 1:

yeah, they got to have those for the rangers so they can catch up to the delinquents out there yeah all us three out there raising hell.

Speaker 3:

It's fun too, you get. You get that golf cart out on first thing in the morning when it's all dew on the grass, get going downhill, power slide that thing.

Speaker 2:

Yeah, hammer the brakes, get yourself 90 degrees in no time.

Speaker 1:

Yeah, you guys are speaking my language.

Speaker 3:

We we were doing a uh work outing this is years ago at another company and sometimes at these work events, people get into the alcohol a little more than they should. I don't say and I'm recalling somebody this wasn't me, but they tipped over the golf cart and it got somehow it got submerged into the pond and the people couldn't couldn't get it out because of the the incident. But yeah, I was like, wow, you know that people, uh, you can have a good time with those things, especially when you mix alcohol I want to know what the golf course does.

Speaker 2:

Do they charge the patron that's doing that damages the vehicle, like, do you need to pay for that? Well, they charge the company. The company had to pay for it. So if we go golfing with it out of labs, we're good. You're good because we don't have alcohol, so, yeah, you're all spread.

Speaker 1:

Well, I mean, I don't think I need alcohol to send a golf cart. I mean, I can pre-game it at the office if you want me to put a dent in your, uh, Costco. You know, Josh, your bar's open. Bar's open, yeah.

Speaker 1:

Okay, well, we're going to get into this news episode today. This was something that Nick had brought up and I thought it was related to auditing. It's a lot in the news right now around Doge and Elon Musk's attempt to put the reins on the spending and check where the money's going. But it kind of brings up the topic of auditing in general, the importance of auditing. Um, and you know some of those concerns that we're hearing a lot in the news I thought we could talk about today of um, whether they're, you know, based in reality or fact or, you know, kind of unfounded.

Speaker 1:

So, um, this article is from The Hill. It's titled Noem Defends Musk's Access to Personal Data and it says here the Department of Homeland Security Secretary Kristi Noem defended tech billionaire Elon Musk's access to sensitive data housed within the DHS's Federal Emergency Management Agency, FEMA, saying he's conducting a necessary audit of the federal government. In an interview on CNN's State of the Union, anchor Dana Bash asked Noem about reporting that Musk and his team at the Department of Government Efficiency have gained access to FEMA-sensitive disaster data, including personal information on tens of thousands of people. And it keeps going on here to kind of describe how Noem defended that this is necessary, but I wanted to kick it off by asking the question, you know, why are audits necessary? Why can't we just ask the guy in charge if everything's gravy, can't we just get on autopilot? I mean, the business or the government's been going a certain way for years. Why do we even need an audit?

Speaker 2:

Yeah, I think for me it's pretty easy, right, it's checks and balances, making sure everything is going all right, things come out that are new. We want to make sure that we're using best practices A lot of times, especially the people that are auditing. They're doing this every day the people that aren't specifically auditing or working in the systems. Their job is specifically that data but they're not auditing or checking what could be the best latest process and procedure. For example, like in the military, one common tactic is a left seat, right seat system.

Speaker 2:

If I'm over in a combat zone and I've been there for seven or eight months, somebody might ride along periodically to make sure we're following rules and procedures and then fast forward to the end of a deployment somebody new is coming in. You will have a left seat, right seat system where they ride passenger for a few days and then they'll take driver and then you know the previous driver will go to the passenger seat and those are similar to audits to me, because you're making sure everybody's following those rules and procedures and exit or entry of a combat zone. Now, and it's still probably the most grand scale right, right, the federal government you know, it's always going to be necessary to do an audit, so I think, especially me.

Speaker 2:

I totally agree with Kristi here writing this article backing Doge and.

Speaker 3:

Elon.

Speaker 2:

I think we need to forget about who's probably actually doing the audit and why it's important to do the audit. In systems from IT to expenditures at the treasury, things can get pretty egregious quickly. Expenditures on anything. We need to audit systems that maybe somebody turned something off right. Keeping in simple terms that should be on, or maybe we figured out a better way to do things. And I think that's a part of our offensive mindset is we might not always know the best thing in the moment, but with trial and error we will figure out the best way to run these systems and make sure they're humming along to protect these organizations, and I think that's why we're so proficient with auditing and why it's so important that organizations that aren't auditing every day have a third party come in to comb through their system and make sure that they're running those systems how they should be.

Speaker 1:

Great answer. Thanks for that. I'm assuming Eric has something to say about this. You've been talking a lot about the Elon Musk book. I'd love to hear your thoughts on this topic, Eric.

Speaker 3:

Yeah, outside of Elon Musk or whatever agency or government agency is looking at another government agency, don't care too much about that, but the principle behind it and unfortunately, in this situation, it's one of those situations where it's a we'll call it a hostile or an unwelcomed audit and that's never fun, just like it's never fun if you go through an IRS audit right, that's not a fun thing where you're saying, hey, come in and take a look at my stuff to make sure that I've done X, Y and Z. In organizations that we work with, most of the time it's a friendly audit where they're inviting us in and saying, hey, we think we need some help in this area, can you take a look? You're really seeking to understand and that's what we try to do when we come into an organization and do an audit, or they might have a managed service provider that they're working with and they ask us to come in and is this managed service provider doing everything that they say they're doing contractually? I think in this case it's just one of those unwelcomed audits, probably necessary. And I go back to the I was just trying to find it here.

Speaker 3:

There was an airline flight and I don't remember which one it was. I believe it was an Asian airliner. There was a cultural norm where the co-pilot was not comfortable questioning the pilot, even though, as Nick said, they have left seat, right seat, they have equal set of responsibilities. Yes, the captain is ultimately responsible for the aircraft. However, it's the co-pilot's responsibility to make sure that the items on the checklist are performed. The co-pilot will have their own set of responsibilities. The captain needs to make sure that are performed. In this particular case, there was a problem that the airliner experienced. The co-pilot recognized it and, I believe, brought it up to the captain, but the captain either didn't acknowledge it or the co-pilot wasn't comfortable bringing it up to the captain because of that cultural norm, and there was an accident as a result of that right. There was a problem and the problem wasn't addressed.

Speaker 3:

And that could be the same thing in any organization, regardless if it's the, you know, Treasury Department, FEMA or whatever it is, right, it's.

Speaker 3:

Could there be practices that are going on in the organization that you're not comfortable with that because of a reporting structure, you can't take that up to your manager and say, hey, you know you're doing this wrong right. That probably isn't going to go over well, unless the culture is really advanced in that organization. Sometimes it takes the third party to come in and really, you know, take a look right, take a pretty thorough look at what's going on in the organization and potentially uncover some things that could be improved. And maybe they're doing everything 100% right, which I hope they are. Would it hurt to have a second set of eyes come in and take a look at their environment? Probably not. As a taxpayer do I want to see this done Absolutely and I certainly welcome and I don't know if the forced audits are the right way to go or not, but I think some form of third-party oversight of these places that are spending lots of taxpayer dollars is a good thing.

Speaker 1:

That's a great answer, Eric. That brings up the topic that I wanted to get into a little bit more of, you know, extending that trust to an auditing team, right, because basically giving someone the keys to the kingdom, right, they can go into the back door, they can see everything that's going on. So if you're leading a team to do an audit, what kind of guardrails do you have in place within your team to, I don't know, kind of quell any anxiety that the organization might have around you having that access?

Speaker 3:

So we run into this an organization being comfortable with giving us, essentially, the keys to the kingdom.

Speaker 3:

So what we like to do is come in and really have a clear plan on here's how we're going to perform this audit.

Speaker 3:

Here's what we need from a privilege perspective, and always operate from the least privileged model and make sure that when we do access the environment, we're using MFA and all the right controls in order to get access to that environment, but then only accessing the environment that we're scoped to test. So it's upfront making sure that you have a good, clear scope. Now, of course, there's some cases where it's an audit of how the organization's controls are actually put into place. So, is the organization challenging us or are they asking us to show a badge or whatever it is, if it's a physical test? But if it's a test where everything's above board and everyone's aware of the full scope, then I think that's the way to alleviate some of those concerns that teams may have. There's plenty of times where not everyone needs to be in the loop, depending on the type of tests that you're doing, but again, you can scope that and make sure that the people who do need to be aware are aware.

Speaker 1:

So just to kind of finalize this thought are there any inherent security risks to doing an audit?

Speaker 3:

I think so Right. Anytime you're giving somebody access to your environment, I see two risks that you face. One is could something happen from the security team? So a member of the security team who does have now enhanced privileges to your environment could, could they do something nefarious, either accidentally or intentionally? Right, that is a risk. And the other risk is do you have, then, insider behavior that happens as a result from now the lens being more closely inspecting things internally, like does that kick off other activity in that environment? That might be against what the business wants.

Speaker 1:

Musk is going after waste and fraud. Have you guys ever uncovered anything that was beyond what you might have initially set out to discover in terms of fraud or abuse? I know you guys do often stumble on some strange things from time to time.

Speaker 3:

Fraud and abuse, I think, are interesting terms of how you define that. I would define fraud or abuse in the scope of an audit or an examination of an environment's practices, as someone or an entity knowingly deceiving an organization. So if you had a managed service provider, for instance, that was supposed to be doing A, B, C and D and they were only doing A and B but charging for A, B, C and D, then that's, you know, that's fraudulent, right, that's abuse. If they were supposed to be doing A, B, C and D and they were doing it to what they thought was the best of their ability, but maybe it wasn't what you would consider an industry standard level of ability.

Speaker 3:

I don't know that I would categorize that as fraud or abuse other than it was. Maybe just a lack of knowledge on the perspective of you know, that MSP that was engaged, but maybe they weren't doing it intentionally. Should they have had controls in place in their organization to examine the work that maybe a more junior person in the organization was doing? Well, absolutely. But that's the purpose of a routine audit or security review or whatever you want to call it, just to make sure, because we're all infallible, I mean we're all human. So certainly having those checks and balances, like Nick was saying early on, is a good thing.

Speaker 2:

My big portion was just going to be the communication. Right, I think it's important that everybody's on board before you start doing it. Uh, so that was the point I was going to bring up. But going back to your other question, I think we do I don't think it happens very often see things that we would classify as right. You know, wild or crazy or egregious. You know we might see those more like a penetration test where you'll stumble across something trying to get in, but generally in an audit that you know I'm usually involved in, it's it's helping organizations be compliant in a in a specific area. So generally you're not selling across anything too crazy. Maybe super out of date policies might freak some people out, but for the most part we're pretty good.

Speaker 1:

All right, we're gonna move on to the next one. I thought this one was interesting. You know, Nick, with your military background, I'm sure you kind of found this interesting as well. But Finland is systematically addressing cybersecurity with national exercises. So tabletop exercises, right, something we've been talking a lot about lately. Last week, many heads and hands within the Northern Finnish municipal sector and critical infrastructure operators were trained in dealing with various threats in the cyber domain. This is coming from High North News. The title is Finland's Strength in Cybersecurity in the North with Extensive Exercising. Yeah, it's pretty cool to see a whole sector of a nation mobilized to perform a tabletop exercise and kind of run through some scenarios for security that might fortify them in the future. So kind of my first question to kick this off was, how does this approach from Finland? What can we take away and learn from this type of posture if we're applying it to our organizations or even our own personal security?

Speaker 2:

When I first started reading this article, the first thing I thought of was how cool it is that they got a whole country on board to run an audit right, and now we don't know the behind workings. You know people might be upset about it.

Speaker 2:

Right, some people are on board, some aren't, but on the grand scheme that they got a whole country involved to do this. I wish we could see this more often. Just in the last article we were talking about having communications to get everybody within a relatively small organization on board for an audit, and we're talking about a whole country. If there's an outage of any kind, no matter what system it is coming back from that or trying to fail over to something, it's going to be a little bit clunky right, like there's going to be some processes that people are relearning or whatnot. But you know, maybe, instead of it being like, you know, very, very clunky right, 60 to 70 kind of a disaster, right, if people don't practicing these things, maybe it's 10 to 20 right, where we're just we're pretty good, we're clicking on all cylinders and they're failing over and they're bringing up these procedures as they need to. So I think anytime you can practice something that is not your day-to-day operations, it's going to set any organization up for success.

Speaker 1:

Absolutely, and we work a lot in the SLED sector, right, with SLED, and I actually just had a really interesting conversation with Trista, Eric, who you set me up with, and just a little teaser, she's going to be a guest in a few weeks and she takes care of some trash management there in Ramsey County where they have robots and AI, you know, going through trash, and we work a lot in the public sector, right. So I thought you might have some thoughts around how important this is to kind of fortify those public services and maybe share some insights.

Speaker 3:

In the roles that we play, for some of the organizations where we come in as cyber leaders or technical leaders, one of the things that I like to do and I don't necessarily announce this within the organizations, but I like to continually drill, yes, both through tabletop. Tabletop is great, but also through live scenarios where you take a problem that is happening in the organization and the people that are working on that problem share with the rest of the team the why behind it, what they're doing or how they're doing it, so everyone learns. A recent, for instance, is working with an organization. There was a large number of devices that had outdated software on it and, for whatever reason, the organization was having difficulty removing the software from those devices and it had been going on for quite a while. Sometimes you have to let these things play out and see what happens, and in this particular instance it seemed to have played out long enough where action needed to be taken, and that action was the security organization had direction to go in and remove the legacy software that had not been, for whatever reason, updated, and it was an interesting drill that showcased okay, if we did need to remove something quickly.

Speaker 3:

How would we do it? What does it look like within the organization around? Who are the players that are going to have resistance? Who's going to help? What's leadership's take going to be? How high up in the organization is this going to bubble? Do we have an organization that's more security-minded or more user-minded? So I don't talk about all of these things when I'm in the organization. I just said, hey, here's what we're going to do. We're going to do it get that off of those machines, and then let all of these things organically play out. To see and learn from what happens. If this was a real-world scenario and we need to get something off of those machines quickly and the more disturbances you have in those environments like removing old software, forcing patches, forcing reboots, all of these things that instigate instability actually help the organization, because then, when it's time to do something drastic, that just becomes another Tuesday, not an oh my God. We got to breathe into a paper bag moment.

Speaker 1:

And then going through those repetitions really helps iron things out. So I find it interesting that you said that you kind of get it started and kind of observe what's happening and then you can kind of point out the weak spots or maybe the bottlenecks in the process. It also is not lost on me why you enjoy game night now. I had a light bulb moment in talking through this with Tim Herman, who will also be on the show, coming up talking more in depth about tabletop exercises in a couple of weeks, and one of the things that I thought was really cool that really related to what was the game we were playing. Eric, was it Death on the Clock?

Speaker 3:

Oh yeah, Clock Tower.

Speaker 1:

Blood on the Clock Tower. Blood on the Clock Tower, yeah.

Speaker 1:

Yeah, yeah. Well, like Blood on the Clock Tower where we go through cycles of day and night, I recently learned, you know, in a tabletop exercise it's not uncommon to go through a cycle and then role play and then go to okay, the breach has already happened. We've done the first round of mitigation and cleanup. Now it's the next day and the press is here, and now what are we going to do? And then we can kind of role play each stage of it, not just the initial breach. So how have you seen that fortify security in organizations that you worked with, when you're not just working on, necessarily when the breach happens and what's going to happen then, but also several days down the road?

Speaker 3:

Nick, I know you've got a lot to say on this too, but I'll just jump in on this one and kind of tie it into what I was saying before. When you do have those opportunities to shake the environment up in a way that is, on the grand scheme of things, not detrimental to the environment, like I knew that taking this piece of software out was at the most going to cause a few users a minor inconvenience, but at the end of the day, not a big deal for most of the organization. And internally there was a lot of consternation on the help desk about like oh, we're going to get all these calls. No, you're not. And it turned out that they didn't get very many calls. Sure, there was a few things that went bump in the night, but it was good to see how all of that played out.

Speaker 3:

And I think sometimes, from the layman's perspective, not seeing the big picture, just being a player at the keyboard, sometimes they might think I'm a bit of a cowboy, right, we're coming in and just making these changes without having thought through all of this. But, believe me, I'm playing chess, I'm playing Go. I've seen this, I know how it's going to work out before I even talked about it happening. Just cool to see. Like, okay, yeah, we're going to. And I check myself around, oh, did you know? Did it play out as I thought it would? Or were there areas that, you know, maybe they didn't work out so well, so that when the next time we do this then we can even be better at it. And we love helping organizations go through that maturity curve of, like, you know, just showing that it's going to be okay. Right, it's going to be all right. Things are going to continue to work.

Speaker 3:

Um, and to answer your direct question around, um, how does this help an organization? Or what do we do in the aftermath? And that role-playing tabletop exercise of breach and then post-breach, we're really good at that breach mitigation. You want to bring us in when the building's on fire. I myself personally get bored when the fire's out, and now we're sweeping up and doing whatever it is we need to do. Nick is great in that role. Nick is great as a maintainer, a builder, a coacher. So we work well together in that scenario of like let's get it clean, kind of a battle general type of thing. And then Nick is a good peacetime general, and not to pigeonhole you in that, Nick, everybody love everybody.

Speaker 1:

So, Nick, what's your favorite part of the process and how have you seen this type of tabletop exercise play out and help organizations with their security?

Speaker 2:

I don't know if I have a specific favorite part. I think for me it's all of it, because it's the end goal. It's having the organization walk away at the end and be like have maybe that aha moment of wow. That either wasn't so bad or we learned a lot and we really weren't as prepared as maybe we thought we were. For example, this is three or four years ago.

Speaker 2:

We did one that I'm just thinking of the top of my head with an organization well known. They're first responders and they need to practice. You know these outages or what have you similar to their version of a tabletop exercise. Well, they hadn't practiced it maybe close to 10 years and I think they they all had a really good time doing it right, because it's their jobs, and they kind of got to play in the Super Bowl when they maybe don't right, for example, a firefighter, right, they don't generally aren't putting out fires every day. They might be responding to a car accident, but in this tabletop exercise they got to simulate what it was like to actually do their job. So I think a lot of them like doing that and I think that's what's cool for us is we get to help and coach them through that, have those moments to become whole again or be ready for the Super Bowl, as we're using for an example.

Speaker 2:

But yeah, I think a lot of organizations do want some bit of a cowboy mentality, as Eric said, because maybe they're just afraid to press the go button or enforce these rules. Get rid of these applications, change up a process. Right, we're sending out maybe a 150-question questionnaire to a vendor to answer security questions when maybe we come in and we can help them meet all their compliance with 20 questions. But when you can get everybody to kind of hum along and play on the same sheet of music, you know, for me, if I had to answer your question, Josh, favorite part, it's maybe the worst answer I could give, but it's at the end, when everybody's high-fiving and happy that, you know, IT Audit Labs is there to maybe be that cowboy to push them through, and now they're ready for, uh, for lack of a better term, uh, doomsday. Now I know why you guys also like Wild West Hackin' Fest.

Speaker 1:

You get to do a little cowboy role-playing.

Speaker 2:

Coming in on horses. You know that.

Speaker 1:

Six shooter on there.

Speaker 2:

Getting everybody in line.

Speaker 1:

Right on. Okay, cool. Well, thanks for that, guys. We're going to go to the next one. This is our final article for the day.

Speaker 1:

We've talked a lot about AI and social engineering. I'm just going to read the title of the article. Here's from The Hacker News: AI-Powered Social Engineering: Ancillary Tools and Techniques. It says here the, uh, social engineering is advancing fast, at the speed of generative AI. This is offering bad actors multiple new tools and techniques for researching, scoping and exploiting organizations.

Speaker 1:

In recent communications the FBI pointed out as technology continues to evolve, so do cyber criminal tactics. And just pointing out, you know, we've talked a little bit about voice cloning and manipulating people through phishing techniques and using language models. But this even goes a little bit further into some things we haven't really spoken about, and one I wanted to pull out was this open source intelligence investigation done by AI. So it seems like there are platforms out there that bad actors are using to kind of perform an awesome technique, and then they're using AI to kind of gather information quickly and then make connections between potential other victims that they could springboard off of that. What can you guys do as security experts to mitigate that risk or reduce organizational risk around the footprint that everyone's putting out there? Do you talk a lot about social media and online hygiene at companies, or how do you handle that so?

Speaker 3:

Yes. Can I ask a question first, though? Absolutely. Nick said he was getting a new cat. Do we need to have a naming thing again? We'll send out a poll after the show. How many cats?

Speaker 1:

It's like, man, I don't know what's going on down there. Well, Samuel's cat's named Exploit.

Speaker 2:

That's a cool name. I found out yesterday.

Speaker 3:

Maybe call it Austin or something of that nature. Yeah, on the list. So, yes, I like to talk about social media in, like, just brown bag lunch sessions with people in the organization who want to come and learn how to protect themselves and their family and their personal lives. You know, the same old story: freeze your credit, watch what you do on social media, multi-factor authentication. And that multi-factor authentication piece is probably the piece that plays most in the corporate environment. But having that multi-factor in place is going to help a lot, and I think we've just got to have multi-factor everywhere, everywhere.

Speaker 2:

It's not an option anymore. YubiKeys, all the things. I'm going to jump in here on this one too, because fairly recently we had a situation that I was involved with. One of the organizations, they have a library, and there's a patron using the computer there, and they had asked the librarian if they could download an application. And so our whole thing is, right, we're not spying on any patrons or anything like that. But when we get an alert from CrowdStrike, you know, we can't ignore that. So the individual downloaded the application. They're simultaneously on the phone with the threat actor. One of our security engineers picked up on this through CrowdStrike because bells started to go off; they were downloading this malicious application. And they called the library and asked the librarian if they could speak to the individual, because they think there's something nefarious going on and we want to make sure we protect our patrons. Talked to the individual, stopped it in its tracks. He realized in that moment he was wrong, and it potentially saved this guy a lot of trouble.

Speaker 2:

So I just wanted to give maybe a worst case, right, of these things that are happening, because it revolves around social media. I believe how it started was through Facebook. So, you know, it doesn't speak to generally why it's important to have MFA, but it's all around the security topic of training people, right? These things happen, right? These emails that are coming in, we've talked about a hundred times, phishing emails and whatnot. But just that security mindset, that having MFA on your machine, I think, is just one, that's another step to people being aware. Right, if we can create one thing, it's awareness, and doing things that we preach all the time: blocking your credit. Another example: setting up MFA even for social media is extremely important. We've all had our grandma, mom, uncle, aunts get hacked on Facebook. It's just the best example. They put a random post out there, they start friending all their friends, or they change the language in their Facebook and now they can't figure out what's up and what's down.

Speaker 3:

Nick, are you saying that in the library use case example, there was a patron, a member of the public, using a library computer, who was the subject of a fraudulent attack by a threat actor? The threat actor asked the person who was using the public computer to install something. The person then went to the person in charge of the library, the librarian, whatever, to get permission to install this application, because the threat actor had socially engineered them into doing that, and then, because it was a public machine that was under greater cybersecurity management, the threat was detected and stopped? Sadly, all true. And had it not been a public machine with the protections in place of a large organization, it's likely that that user would have financially fallen victim to whatever that threat actor was doing.

Speaker 2:

I would say it's all but 100%. Got it.

Speaker 1:

It seems like maybe there should be some kind of a public campaign at the libraries around cybersecurity. These things tend to happen on these public computers, and I don't really, you know... I think the schools probably are a little bit more aware of this, with a little more safeguards around the students. It seems like libraries might be one of the main attack vectors for something like this. Libraries are a whole different beast because of the Data Privacy Act items.

Speaker 2:

We don't want to infringe on their privacy, but we want to make sure that they're being used appropriately and users are not going to fall victim to a crime of this nature. So, in an effort to be good stewards of data and to help anybody out, from an organization to an individual, that's our duty, to make sure that this doesn't happen.

Speaker 1:

All right, well, are we on to cat names, then? You guys got any good ones?

Speaker 2:

I'll give it up to you guys. I can't come up with a single good cat name, but you guys seem to pull them out of your bag of tricks. Nick, it's too many cats. I'll just say that. We're going to have to chat about too many cats.

Speaker 1:

It's got to be something cool. It can't be like Marshmallow. No.

Speaker 3:

We were talking about doing pet insurance also as a benefit at IT Audit Labs, but Nick's going to break the bank on that, so I've got to roll that back.

Speaker 2:

You can take

Speaker 1:

But I have to be able to take another insurance policy. Yeah, well, I think the, you know, the cybersecurity angle would be a good one to keep your eye on there, Nick, if you want to beat out old Sam over there with Exploit.

Speaker 2:

I'll be herding cats over here. Always.

Speaker 1:

Yeah, well, that's a great place to leave it today. Thanks so much, gents, for your time. It's been a fun conversation. You've been listening to The Audit, presented by IT Audit Labs. I'm Joshua Schmidt, your co-host and producer. We've been joined by Eric Brown and Nick Mellum of IT Audit Labs. Please like, share and subscribe. We have episodes every other week, lots of shorts, and we're living on Spotify these days with video, and you can also check us out on LinkedIn. If you'd like to connect, visit itauditlabs.com.

Speaker 3:

We'll see you soon. You have been listening to The Audit, presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, and our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.