The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Cyber News: Iran Attacks, Greyware, and Backdoor Code
What if the tools protecting your organization were the ones compromising it? In this episode of The Audit, co-hosts Joshua Schmidt, Eric Brown, and Nick Mellem — joined by IT Audit Labs team member Samuel Cala live in the St. Paul studio — unpack a wave of cybersecurity stories that all converge on one unsettling theme: trust is being exploited at every layer of the stack.
From an Iranian-linked APT group targeting U.S. healthcare infrastructure, to a sophisticated GitHub Actions supply chain attack that backdoored an AI coding library used by thousands of developers — the crew breaks down exactly how threat actors are weaponizing the tools, platforms, and third-party services organizations depend on daily.
They also dive into a disturbing revelation about AI-powered audit certifications: one company allegedly fabricated compliance evidence to hand out ISO 27001 and SOC 2 certifications at a fraction of the cost — raising serious questions about what those credentials are actually worth.
In this episode:
- 🇮🇷 Iran's escalation from cyber espionage to active disruption — what signals to watch for
- 🔗 The GitHub Actions / LiteLLM supply chain attack explained step by step
- 🧾 How an AI certification firm allegedly faked audit evidence — and what it means for your vendor trust
- 📡 FCC bans on foreign-made routers and the gray market hardware problem hiding in plain sight
- 🤖 OpenAI kills Sora — what it signals about where AI is actually headed
Whether you're a CISO trying to defend against nation-state threats or a developer trusting open-source libraries, this episode delivers the context — and the hard questions — you need to stay ahead.
Don't wait until your organization is the next headline. IT leaders need to stay ahead of evolving threats, and this episode delivers critical insights to help protect your business. Like, share, and subscribe for more in-depth security discussions!
#cybersecurity #supplychainattack #infosec #threatintelligence #ISO27001 #SOC2 #githubsecurity #irancyberattack #aicybersecurity #itauditlabs
Cold Open And Introductions
Eric Brown: As we hire people, it's kind of you're purchasing the mistakes that they've made in the past. It's great to have talked with somebody that's lived through a breach because they know what that's like and bring all that experience with them.
Joshua Schmidt: Welcome to The Audit, presented by IT Audit Labs. We are coming to you live from the St. Paul studio here with Eric Brown and Samuel Cala, our IT Audit Labs member and guest today. And we have Nick Mellem uh streaming in from Texas. Hey Nick, how are you doing? Good. How are you, boys? Good to have you. Good to see you on here. Yeah, thanks for joining us. This is our first episode with three people in the studio. So we'll see how it goes today. Yeah. Well, I'm excited to have Sam in the studio for a live news session. We got lots of toys to play with. So without further ado, I think we'll kick it off. Are you ready, Eric? Oh, I'm ready.
Eric Brown: Yeah. I mean, before we get started, does anybody want to get anything off their chest? Anybody want to, you know, come clean with anything? I think that means that Eric's got something he's got to get off his chest. No, I'm just I'm just throwing it out there so there's no surprises mid-show.
Joshua Schmidt: Just well, let's talk about Nick coming to town. Are you coming to town or what, Nick?
Nick Mellem: I haven't decided yet. Depends on how the show goes. Depends on how irritated I am after this show. The airports have been a challenge lately, I hear. Yes, an extreme challenge. But luckily, I am going to be in the truck tomorrow morning driving north.
Joshua Schmidt: Our first article today has come from NBC News, is a little bit dated, just from March 11th. Iran appears to have conducted a significant cyberattack against a U.S. company first since the war started. Says here the company Stryker said a cyberattack disrupted a Microsoft environment. An Iranian-linked hacker group has claimed responsibility for a cyberattack on a medical tech company in what appears to be the first significant instance of Iran hacking American companies since the start of the war between the countries. We we wrote a blog on this that uh should be out soon. And um I kind of like what you had what your take was on this, Eric. Do you remember what it was? What was it? Yeah, I think you were kind of talking about how the DDoS attacks have have kind of uh multiplied. Oh, yeah, yeah.
Eric Brown: We had seen that actually the pre-conflict, we saw them start to ramp up, which didn't really think anything at the time. And then a couple days later, the conflict started. So it was interesting to see that the attacks predated the actual kinetic attacks uh that that happened, what, how, four weeks ago?
Joshua Schmidt: Yeah. So the article notes that Iran-linked groups have largely stuck to espionage and low impact website defacements since the war started, but it looks like this attack uh is a little of a deliberate escalation, right? Um what signals should security teams at American companies be watching for to suggest uh threat actors shifting uh from surveillance mode to disruption mode? And how do we prepare for that transition?
Eric Brown: Yeah, Nick, you're probably seeing this too. And you know, Sam, I know you do uh a fair amount of eyes on glass, so probably see some of these indicators as well, uh, but not just in distributed denial of service attacks against the exterior of a company, but we see it with phishing, right? That continues to man itself, manifest itself. Uh we saw a report come out from Google, I think it was earlier this week, where they were talking about the state of cybersecurity, uh, their Mandiant report. And um I think the Sciencia Institute just released a report today that was showing the cost of overall attacks over time. I think they look back over the last nine years, and the attacks over time are increasing. The cost of the cyber attack is increasing over time, and it just becomes more and more prevalent that nation states are using it as uh an attack against um us because it's an equal playing field, right? I mean, you one company could or one country could have a lot more kinetic weapons, but pretty much all equal when it comes to cyber.
Nick Mellem: It's the what's happening now, we need to communicate about as we're doing on this show. But one of the things we did at our organization or one that I'm working for is we have a stand-up meeting in the morning. Well, we added one in the afternoon, and we pretty much put it on everybody to be, you know, watching all of our tools like we always do, but paying attention to the news, what's going on, finding articles and sharing those articles. Um, so you know, if you're not seeing anything within our environment, which you know is a good thing, you know, we can still pay attention to what's going on outside. So, and then also reaching out to our partners um around different organizations, private and public um organizations, see what they're doing and if they're seeing anything. A lot that we can do, but uh yeah, it's a huge shift. You know, uh Eric already said, you know, we uh the US is over there with a lot of kinetic firepower, but uh, you know, and it's also interesting to me that they're um attacking healthcare, right? Yeah, I apparently all their phones, their phones went dark mid shift.
Joshua Schmidt: Yeah, really interesting to read this and and see what's going on. That one struck me because that's like something more like you'd hear or see in a movie. Well, everyone's phone goes off, right? Where it's it's a little more exciting, a little more palpable. Can you add some color to this, Sam? What have you seen come across your desk? Have you seen an increase in um ransomware phishing attempts or state-sponsored attacks?
Samuel Cala: Well, I spend most of my time in security around email. So you see all these attempts of trying to guide a person through social engineering on clicking somewhere. And it just takes one person to compromise the full uh environment. Um as Nick said before, information is really important. So having the possibility of sharing in between multiple teams or gathering information from multiple points, it's really important nowadays. Uh keeping keep being updated, do your reviews.
Email Phishing And Intune Admin Controls
Joshua Schmidt: I wanted to bring this back to Eric, the Microsoft Intune angles, fascinating because it flips the script on like just the trusted trusted software, right, or the trusted service that uh is being exploited. Um how do you consult with the organizations that you work with to uh you know think about their access controls for management platforms?
Eric Brown: The the accounts that are really protected, like your global level admin accounts, the guidance now is to have a second form of authorization and authentication. So maybe two admins to approve something so that if for whatever reason the MFA was bypassed, that you have essentially a second administrator that is also approving the access for the really critical applications.
Nick Mellem: You know, what's interesting here is it's it's being used as intended, right? This is what this tool is built for, to wipe machines and you know, pull and extract data, et cetera. Um so to have two admins is is the best way to go about it.
Eric Brown: Well, you know you know, for Nick, um it's interesting. The Iranian threat group, the the APT group, their nickname is Charming Kitten.
Nick Mellem: You're not you're not serious, it really is. 100% serious. Wow. Oh, we need to fact check this people. Uh overwing we need a fact checker.
GitHub Actions Supply Chain Breach
Joshua Schmidt: All right. This is coming from The Hacker News. This is Sam's choice. This is uh from March 24th. Uh TeamPCP backdoors LT, LiteLLM version. Okay, you can read it. A lot of a lot of jargon here, but Sam, break it down for us.
Samuel Cala: Yeah. Um, as you all know, I've been focusing a lot on software engineering and development. Uh, but focusing everything on security and agentic AI. So kind of placing all those things together. Looking around, I found this news that just put everything exactly together. So all the things that I've been looking into. My perspective is vibe coding has such a uh wrong name to what you're really doing. And my perspective is you can use scar AI agents to help you develop if you don't if you know what you're doing. And that's why I was like, vibe coding is not a good name for what we are using AI.
Joshua Schmidt: It's kind of like a surfer decided to code, right?
Samuel Cala: Instead of you asking your calculator to do math for you, you're using the calculator to ease your math. So it's two different things, right? This full uh presentation was done with Perplexity um computer. Computer. Okay. Amazing. And I I created a podcast about it. Pretty good. So let's go a little into what happened. So in five days, right, there was a breach. Everyone is aware of GitHub, right? GitHub is a cloud service that allows us to use Git and have versioning control to different repositories. Developers use GitHub Actions in order to ease their work. So GitHub Actions is a way of uh deploying those workflows that as soon as there's an action in GitHub taken, it just generates the workflow to either deploy or test. There are some providers that use these actions in order to do software evaluation. So as soon as we are using it, for example, for our development through an a tool that does the review. Kind of an example with Aikido, for example, uh as soon as there's a PR sent into a PR. A pull request. So as soon as there's a pull request, it brings the information into the developer computer. Then the developer will do a commit and a sync to the GitHub environment. As soon as that heap is done, you can do a uh merge in between the main branch and the branch that the developer has been working on. When that merge is executed, the work the action triggers. Now actions is widely used by people that use GitHub. These workflows have access to the API keys. So these API keys allows to generate push into the GitHub. Um there's something called hackerbot clock, which is a repository that is um automatically evaluating multiple repositories and checking for different vulnerabilities. And some of the vulnerabilities that got found were in these GitHub Actions, that you could extra you could exploit these uh GitHub Actions in order to gather those API keys. One of the people that got affected by these was the security service uh Trivy.
Trivy is a scanner like Aikido, as I said before, um, that is used for multiple people. At the end of the day, it's open source. When Trivy get compromised, um and you know if it's developer, you're depending on the code of the other ones that generated a flow where at the end of the day LiteLLM that was using Trivial article. Yep, yeah, sorry. No, you're good. You needed the full background in order to know what happened. I I didn't because I told you before viewers. Um gets compromised because of they using Trivy. The threat actor pushes a commit into LiteLLM that basically executes a script when there's a pip install executed into these LiteLLM. And that basically compromise and extends the worm. So explain it to me like I'm a five-year-old. I try to.
Eric Brown: It's a smart five-year-old Eric, you got that? Essentially it's a supply chain attack in the GitHub repository. There was code stored in GitHub. Other companies pulled it down, got compromised, and um companies that were using the LiteLLM product then essentially sucked in that vulnerability, then they're compromised. And the fix is for I I think what four hours later, LiteLLM caught it, can download the newer version, and it's subsequently fixed. But it exposed the fact that a supply chain attack, like we've seen over the years, really has the capability to have pretty broad reach, and it's really difficult to detect and prevent if you're placing trust in these known third parties. Uh and I think Sam, was it this kind of spawns into a a different article around Trivy's certifications? Um their ISO 27001 uh and their SOC 2. I don't know if that's in your presentation as well. But they their certifications, um, if I'm recalling correctly, came from a company, I think it's called Delve. Correct me if I'm wrong on Delphine. Yeah, on Delve. And and Delve was an AI certification company that uh would purportedly make up evidence to support the audit. So typically when you're going through an audit, you have to produce evidence that you you're satisfying w whatever the the question is in the audit. Well, Delve would go through and uh again, purportedly I haven't seen this firsthand, but produce evidence to support the the audit and kind of made it all up, and then it would essentially give you uh the certification at a fraction of the cost of a traditional auditing firm.
Um so not directly related to it, uh Josh, but the the trust in the certification has now been breached because these certifications that would essentially prove that a company was handling information responsibly is now not really verifiable if it's happening and and companies are being certified in a way that does not really provide the um attestation needed to say that they are doing things in a in a secure and proper manner. And Nick, you probably got some thoughts on this because you're all in on auditing.
Nick Mellem: Yeah. And the only thing I was really going to add to that, and maybe this is a question for Sam, but it seemed after going through this whole thing, the sticky point to me is that we're optimizing always for speed and convenience and not verification.
Samuel Cala: Yep, exactly. And this has been one of the points that I always know when we're talking about again, vibe coding or usage of AI. Uh, we want to move as fast as possible right now. We want to generate, generate, generate, generate, generate. Um, but we're losing caution. And we are putting our trust into, as Brown said before, these different tools that tells us that they have everything handled. Uh-huh. But are we really checking on those?
Joshua Schmidt: Didn't the Amazon just run into an issue with that? I heard that Bezos fired a bunch of his coders or his developers and they were vibe coding, and then everything went down or their Amazon Prime went down. I just exist. Yeah, I think that recently just happened. Um, we'll have to do another fact check. We've got more articles here than I have references and citations for, but tinfoil. Yeah. Well, take it away, Sam. So bring us bring us past where we're at here now and what what we're going with this.
Samuel Cala: Well, right now it's corrected. So the library is supposedly clean. Now, I have to say, Trivy, when they got compromised a week ago, they said that they were clean, uh, but they didn't clean everything completely. So they tried to rotate all the keys, but they left one kit open, and that was what generated the full extension of the chain. Um, so obviously take it with a grain of salt that the library is clean, obviously.
Joshua Schmidt: If if you so if you're let's just say you know you're leading a team of developers creating an AI agent or or integrating that into a business, what's the what's kind of the 30-second takeaway here?
Samuel Cala: I will say, first of all, investigate uh the libraries that you're using. You gotta make sure that the libraries that they're using are relying on uh trustable tools. Checking the news, it's important too. You gotta keep updated every library that you have, make sure to evaluate them. And if there's a compromise, well, do the protocol for compromise.
Joshua Schmidt: And so this this article is just pointing out pretty much everything you just walked us through, right? And this is kind of the breaking news. And this just happened recently, yeah?
Samuel Cala: Yep. Yep. I've been tracing like since the Trivy. Um one interesting fact about this, um GitHub got it the first time. Um Copilot didn't get it. Cloud Review did get it. Cloud Code Review didn't get it. Yeah, and CodeRabbit did get it too.
Joshua Schmidt: I wonder if there'll be like baking more of these kind of like checks into the actual tools themselves, the cloud, complexity, OpenAI. Right? Having a pass-through to make sure there's no malicious code embedded in into things.
Eric Brown: We're probably never gonna really get past massive attacks as all of our stuff is online. Today we have integrations across multiple technologies and platforms and SaaS applications. So it it really comes down to you know, it's unfortunate that you you trust these third-party providers, and it's not just third-party providers, right? It could be internal as well. So it it's probably equal time, effort, and money spent on the detection and recovery side than it uh is on the prevention. Because you probably never gonna be able to prevent it 100%, but how quickly can you recover from it?
Nick Mellem: Another reason for kids looking at what to do in college to go to cybersecurity.
Joshua Schmidt: OpenAI enters its focus era by killing Sora as ChatGPT maker eyes an IPO. It's ditching Sora in favor of unified AI assistant and enterprise coding tools is coming from Wired as of March 25th. What stood out uh about this to you guys and why'd you bring this up over the water cooler chat?
Nick Mellem: Well, you know, you know, and this is what a lot of Eric's talking points too. So um I'll I'll give the elevator pitch, but I think we're seeing, you know, we saw Tesla do it. They're taking away the Model S and the Model X to look at other ventures, right? Uh Tesla was working on the robots. I'm forgetting the name right now, but they're seeing the shift in the marketplace. Optimus, thank you. They're seeing the shift in the marketplace and realizing what their strongest two products are, the Model S and Model Y. Um, and they're putting these resources for the other two car uh manufacturers, or excuse me, the other two models into uh Optimus. Um and we're seeing the same thing here. I think there is probably a lot of political background and push here, is my takeaway, right? There's a lot of, I think, I don't know if this is a technical term, AI slop out there, right, that you're seeing on social media. It's fooling our grandparents, our parents who kids are using it to build any videos they want for social media or whatever the use case is. Um so I think there's an angle there. But you know, in the article, I think he's getting at, you know, they're seeing the next big thing too. So they're gonna get rid of, you know, this team, not get rid of them, they're gonna refocus uh these individuals uh that are currently, you know, working on Sora onto other ventures. Uh that's the gist of the article. And then when Eric brought it up uh earlier this week, I thought it was really interesting to see these big organizations noticing where we're going and maybe taking away something that, you know, Sora's probably a huge money generator, right? It's probably doing very well. Um and uh you know, for them to see, well, we can shift these resources and and uh make our other ventures even stronger uh for where we're gonna go. So really interesting to see uh see them doing that.
Eric Brown: Yeah, I think it goes back to that what what do you say no to to say yes to something else? You know, kind of what what are you what are you holding on to that's holding you back from moving forward? And and that's uh more of a philosophical question, personal and professional.
Joshua Schmidt: That definitely resonates with me, you know, as a freelance freelancer, and then now, you know, being at IT Audit Labs more full-time now, it's it's interesting to yeah, have those choices in your life. And it's hard sometimes it's hard to let to go because you want to do it all. I I think you're kind of Eric, you're kind of a well, I want to do it all type of person from what I know about you. But it it is okay to like let things go, let things and and new dreams emerge, let old dreams die. I think that comes with time and wisdom um and uh and a little bit of experience. So definitely resonates with me.
Eric Brown: Yeah, it's uh yeah, just there's been some some folks that are you know tangent, right? Friends or or family members um that are are maybe one or two circles removed, but have experienced deaths in their family, and we're we're all at that age where we're we're starting to see that more. You know, people in their in their 50s, 60s, what have you, um, are experiencing those those events, unfortunately. So, you know, how how much time do we have? And how are we spending that time really is you know something that that I've been spending some time thinking about is it's certainly not sitting in meetings, right? I mean, that's like a complete waste of time. So how else do we want to spend our time uh with the time that we have left? And many of us don't know how much time we've got left, but are we is everything that we're doing during the day of quality and of something that we want to do?
Joshua Schmidt: Amen. You know, that really resonates with me. I lost my mom to ALS in May, but it it kind of dovetails off this wired article. I just saw a video two nights ago. Um, Elon Musk, polar polarizing figure, say what you want. But um Neuralink just came out with a brain implant that allowed uh, I think the second patient in January of this year to uh speak an ALS patient, um, providing uh computer interface and then mapping the neural um pathways that um produce speech through a computer. Pretty amazing stuff um hits home for me. So all that wrapped together really resonates with me. Thanks for sharing.
Eric Brown: Yeah, along those lines, um my mom's gone, you know, she's 92, going through some neurocognitive decline. And yesterday we went out to a uh pickleball event. She had never played pickleball before and you know, really has a hard time um even moving. I didn't know how it was gonna go. But I had I had been earlier in the week to this pickleball place and had gotten in a conversation with the owner, and he's talking about um how he's seen people improve over time, not just you know, in the game of pickleball, but but mentally and and making those neuro or those new neurological connections through the sport of pickleball, with the idea that um making mistakes and and how you look at those mistakes. So when you miss at pickleball, if you're if you're down on yourself for missing, uh it actually slows your progression. But if you're like, oh yeah, you know, that's fine, you know, I'm just gonna hit again, and and you look at it positively, and the more attempts you have to hit, the better you're gonna be. And so I I watched this firsthand last night where um the the owner of the club he he takes people that you know maybe non-traditionally have motor function um issues, and they they were able to to to be coached and and played together. And you know, it was the first time I didn't know how it was gonna go, but um my mom did did really well and you know she could she could hit the ball back and that's awesome. We were kind of concerned, like, well, you know, is she gonna she gonna be able to balance or fall over or whatever? But no issue. She went at it an hour and a half and um it was pretty good. She wants to go back again. So I I think we'll we'll do that maybe every couple of weeks. Gotta have a pickleball ball tournament when Nick comes to town.
Joshua Schmidt: There we go.
Nick Mellem: With all that time we have. Right. Yeah. Just listening to that story, it's awesome. Um, but it just shows like I see like a cultural thing too, like uh within the organizations that organizations need to get out and do things like that because we've got people just eyes on glass too long. Right. We you we need that. It's never gonna go away. I'm not, you know, but we need to get people out of the chair, you know, encourage them to do do those things because it's gonna sharpen you know their skills. But then on the on the second hand, I'm thinking, well, and Eric had just mentioned, you know, if you hit the ball a hundred times, you know, you're gonna be a lot better than in the first you know, five to ten hits. So doing things like, you know, capture the flag events, you know, or something of that nature, Hack The Box, you know, using these tools, you know, to sharpen your skills. It's just a takeaway I was thinking about when Eric was explaining uh, you know, the the pickleball event.
Samuel Cala: How about you, Sam? Does it resonate with you? Of course. That throws me back to a phrase that I've been hearing a lot during the time that I've been alive. And he is you learn more from your mistakes than from success. And it's totally true. I mean, it's great to have the feeling of hey, I'm doing great, but from mistakes you kind of grow as a person.
Eric Brown: Most definitely. Well said, Sam. As we hire people, it's kind of you're purchasing the mistakes that they've made in the past because it comes with all of their that experience, you know. So it's great to have talked with somebody that's lived through a breach because they know what that's like and bring all that experience with them.
Joshua Schmidt: We have uh something that's kind of um related to uh a recent blog article, I guess probably from a month or two ago, that Eric had had written and uh was about supply chain security. Um the FCC is now uh bans new routers made up uh made outside the U.S. over national security risks from SecurityWeek. And Eric, you'd written a blog around uh what was it, was it uh some sort of a component that had came in the mail unopened?
Eric Brown: Well, yeah, we had ordered some some uh switches for a customer and they when they arrived it was clear that they had been opened and they should be coming directly from the distributor or the distribution or the distributor unopened and and sealed because that's uh that that's a a risk of grayware if if you're receiving product that that's been open, somebody could have compromised it. You have no chain of custody.
Joshua Schmidt: Do you know the c country of origin for that piece of hardware? I don't. It was probably China. Probably doesn't matter much if it's coming in the package open, right? It doesn't really matter what where it's coming from, it's been compromised. So it looks like the FCC's, you know, I mean taken this one step further.
Eric Brown: Josh, this one it it's it's really it it's interesting and it brought me back to a project I worked on, oh gosh, maybe back in 2016, 2017. We were working with a uh a really large hospital out of New York and working with a company that was hosting all of their infrastructure here in the Twin Cities. And we went in and and we were working with the hosting company in the Twin Cities, and we we'd gone in and and done an audit. And as part of that audit, we were looking for all of the networking equipment, right? So running tools on the on the network to discover what networking products were out there, and they were a Cisco shop, so you know, coming back with these Cisco devices, but then when we ran the serial numbers of the Cisco devices against Cisco's the product information tool, essentially Cisco has a tool that'll tell you how much time is left on the warranty and you know all sorts of stuff about that, there was probably 40% of those things that came back that were not Cisco equipment. So that means that they had bought product on eBay that wasn't Cisco equipment, but they were putting it in their environment and they were trying to cut corners, trying to save money. And that stuff was absolutely grayware and likely potentially had a nation state impact to it as well. And it it was the first real-world example that I saw of this happening. You know, we we all read articles and you know, Huawei.
Joshua Schmidt: There was a Huawei kind of headline for a while there a couple years ago where it was big, big uh got a lot of attention.
Eric Brown: Yeah. And and it was before you know I started IT Audit Labs. And um probably one of the things in the back of my mind that came to fruition when you know we were forming the company of thinking about, well, how do we how do we help customers understand the risks of you know just buying the cheapest product out there versus going through the proper channels of procurement? And and that's when you know when when it happened to us when we received those goods on behalf of our customer um that that had been opened, it it kind of brought that all full circle and was something that we needed to get in front of and and deal with. But you know, unfortunately it happened and caused a delay in in the project.
Joshua Schmidt: So is it gonna drive the price of routers up? Do they make routers in the United States?
Eric Brown: I can't think of any.
Joshua Schmidt: Where are we gonna get our routers from now? Yeah. Well, I'll read one more question here. It's like the average American home has a router they bought Best Buy three years ago and never thought about it again. The FCC is careful to say uh existing devices aren't affected. But if the threat's real enough to ban all future imports, what should every everyday people or small business actually be doing right now if their hardware is already running from those legacy devices?
Eric Brown: That's the Nick question.
Encryption Basics And Closing Notes
Nick Mellem: Ubiquiti is uh headquartered in New York. And it's built in China, Vietnam, or other Asian manufacturing hubs. Thanks, ChatGPT. Uh the interesting thing here too, Josh, is that you know, I think you're just hitting on it, is that uh, you know, we're banning future risk, you know, here, but there's still the potential risk of because there's millions of vulnerable routers that are live. Right. So until somebody updates, gets a new router, maybe you're renting a router from your ISP, you're you could potentially still have an issue here, um, you know, or unpatched, you know, any if we take it outside of the home, right, and you go to uh you know an organization, maybe a small organization, um, they can be unpatched or poorly configured, gonna have issues. But uh yeah, I mean it's it's a future, it's it's shoring up future risk, which probably not hold many other ways to do it just because there already is millions and millions of these devices out in the wild. You know, what are you gonna do until you replace them? Nothing, but that that's the fix.
Eric Brown: Well it's probably a a deeper conversation, too, to as we as we look at the network and the traffic that the router's passing and how much of it is encrypted, what's not encrypted, you know, if it's coming encrypted from the endpoint, well it matters less what's in the middle unless the router is doing some form of decryption, but you would understand that if you if you were putting it in in your home or business because you'd have to put the certificate on it to de-encrypt it. Kind of like the same methodology if you're going to access something from a coffee shop and you access it via VPN. If there is a man-in-the-middle attack, you're you're protecting yourself a little bit by encrypting all of your traffic.
Joshua Schmidt: Thanks for joining us, Sam. You've been listening to The Audit, presented by IT Audit Labs. My name is Joshua Schmidt, your co-host and producer. Today our guest has been Samuel Cala, IT Audit Labs member, and Eric Brown, Managing Director, and Nick Mellem. Thanks so much for listening. See you in the next one.
Eric Brown: You have been listening to The Audit, presented by IT Audit Labs. We are experts at assessing risk and compliance while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials, and subscribing to this podcast on Apple, Spotify, or wherever you source your security content.