The Audit - Cybersecurity Podcast
The Audit - Cybersecurity Podcast from IT Audit Labs features trusted security experts, industry leaders, and practitioners who unpack the threats, tactics, and trends shaping today’s risk landscape.
With 90+ episodes and a top 10% global ranking on Listen Notes, The Audit goes beyond surface-level security talk. Each episode explores real-world threats, attacker techniques, compliance challenges, cyber risk, and the decisions security teams face before, during, and after an incident.
IT Audit Labs helps organizations identify risk before attackers exploit it. Through threat assessments, security control reviews, compliance expertise, and a trusted network of partners and specialists, we help teams find their soft spots, strengthen their defenses, and make smarter security decisions.
Listen in for sharp conversations, practical insight, and a clearer view of what’s coming next in cybersecurity.
Cyber News: Bug Bounty Fail, Open-Source Malware & Facebook SMB Phishing
An underground forum post breaks down how hackers scan, exploit, and cash out on vulnerabilities — and it reads like a step-by-step guide. Meanwhile, Microsoft is catching heat for stonewalling a researcher who found real zero-days, and a new phishing campaign is hitting small businesses through the platforms they trust most.
The OG crew — Joshua Schmidt, Eric Brown, and Nick Mellem — digs into this week's biggest cybersecurity headlines with sharp takes and real-world context that practitioners can actually use.
🗞️ This week's stories:
- Underground hacker forum "Hacking for Profit" breaks down the full vulnerability exploitation playbook — and what it means for your security gaps
- Gray hat researcher Chaotic Eclipse discloses zero-days to Microsoft, gets stonewalled on bug bounty, and now July 14th Patch Tuesday just got interesting
- Third-party plugins and open source tools: the supply chain risk hiding in your dev pipeline (and tools like Aikido and Veracode that help)
- Meta Business Suite phishing campaign targeting SMBs — and a live near-miss story from Joshua himself
- SMS phishing: a new IT Audit Labs team member got hit on day three, before his welcome post even went live
Don't wait until your organization is the next headline. IT leaders need to stay ahead of evolving threats, and this episode delivers the intel to do it. Like, share, and subscribe for weekly cybersecurity coverage.
#cybersecurity #infosec #bugbounty #phishing #zerodayvulnerability #supplychainsecurity #microsoftsecurity #ethicalhacking #ciso #itauditlabs
Welcome Back And Housekeeping
Joshua Schmidt: And I want to just make it go away. And I want to stop receiving these emails. And I started getting into it and started clicking on stuff. And then I had to brake-check myself. Like, no, let's not do this when I have half my attention on it. You're listening to The Audit, presented by IT Audit Labs. I'm your co-host and producer, Joshua Schmidt. Today we have Nick Mellem and Eric Brown, the OG crew from back in the day, 2023, I think, when we started this, when it was just the three of us most of the time. Got lots of guests now, but we're kicking things off today with a cyber news episode. But first we got some housekeeping to take care of here and an icebreaker. What we got, Eric?
Eric Brown: Yeah. So we were going to have our very own Jen Lotsey on, but she was running late with a customer situation. So yeah, you got the crew. Nick and I were at a conference. I know you want to talk about that a little bit, with the other folks on the team, last week in Orlando, and I don't know why they do... why are you doing conferences in Orlando in the summer? Come on. It's like... I thought it was great. You're used to that heat down there.
Nick Mellem: It felt just like home. When I landed there, I was like, okay, we're good.
Joshua Schmidt: We're still a little thick-blooded up here. We're still getting... we've got to ease us into summer up there.
Nick Mellem: So the weather wasn't really a factor, but it was really nice that we could have used the pool there, because it was like a resort. Eric brought his Speedo, but he didn't get to use it.
Joshua Schmidt: Oh.
Nick Mellem: Mankini.
Joshua Schmidt: I've been trying to get... Brad was asking where the merch was, or where the swag was around here, and I said, you want an IT Audit Labs mankini, don't you? He didn't know what that was, so I had to send him some Borat memes.
CoachCon Takeaways On Growth
Eric Brown: So the conference was Strategic Coach, which is the Dan Sullivan coaching group, and there were about 200 or so folks down there. Some people brought a few folks on their team down. There were five of us that attended. And I thought it was great, Nick. What was your... I was talking about Bill on the way over here. What was your takeaway?
Nick Mellem: Yeah, I've debriefed a few times with some of our internal members, including Josh, and it was absolutely, I think, for sure the best conference I've ever been to, from a couple of different standpoints. From the execution of Strategic Coach putting it on, massive win for them. Everything was executed perfectly. There were never any issues. They had beautifully catered food, excellent speakers, and they had this energy that's tough to match, right? You get into a conference hall and sometimes it just falls on its face, or it doesn't. And, you know, they executed it perfectly. But I had a lot of business takeaways, a lot of ways of thinking about things differently, how we strategize with customers and, you know, soon-to-be, hopefully, customers, and how we think about our internal products differently, right? How they stand alone and how they're their own swim lanes, and really championing those items. Yeah, I just got such great energy and really boosted myself, from a business standpoint, a leadership standpoint, a networking standpoint, connections. I just got to connect with so many amazing people that I would never have had the opportunity to before, of all walks of life: people that have high net worths, that have very successful portfolios of businesses, to people that are maybe starting, maybe they have one business, but that are still just as successful. But everybody drew back to many failures that turned into successes. So I think that is something I took away as well, that you may have failed at something before. That could be a business, it could be a project, it could be on any scale. But just, you know, flipping that on its head and figuring out how do we press forward and make it even better next time for a hopeful customer. So tons and tons of takeaways. I think we could have a whole episode just on this topic.
Eric Brown: And I'll just give some insight here for people that might be listening, or just a little bit about what we're talking about. So Dan Sullivan is the author of a couple of books. He just had a book that came out last week called The Greater Game. Before that, he authored some books called Who Not How, The Gap and The Gain, and 10x Is Easier Than 2x. So some of those are maybe similar to the more popular books that he has. The Gap and The Gain, that's about putting yourself in a mental state to measure backwards. So we all set goals, and the goals might be forward-looking, around, you know, I want to achieve X in this period of time. And as you're going through that achievement, you might be halfway there. And, you know, you kind of think, like, oh, I didn't reach this milestone yet. And it puts you in the gap, because you're thinking forwards about, like, oh, I'm not measuring up. But if you look backwards at how far you've come, it puts you in the gain, because you're thinking, wow, I have achieved a lot in whatever period of time you're looking back and reflecting on. So that's The Gap and The Gain. And then Who Not How is finding people, or what Strategic Coach lovingly calls "whos", right? So a person that is great at X. So in the consulting business, we are whos for other companies, other people. And in turn, we hire great whos that have specific knowledge in areas like AI development or doing things like pen testing or whatever it is, right? You know, we've got a great set of whos here, strategic folks. And in return, it's about building that network of whos so you can achieve something; rather than "how do you get this done", it's "who can do this for me". And then the last book, 10x Is Easier Than 2x, that's reframing the way you look at getting things done.
And the premise of the book is, if you set a goal to do something like, okay, I'm gonna double the company in two years, or what have you, you can double by just working harder at something. So you could burn yourself out and the team out by doubling your output. But if you stretch to say, I'm gonna do this 10 times, I'm gonna 10x the company in this period of time, the only way that you can 10x something is really by changing the way in which you think about delivering the service, or about the services that you deliver. Because you can't just work harder to get 10x the output. So that's the concept of 10x Is Easier Than 2x. And the book that Nick was holding up, called The Greater Game, is really about thinking even bigger than 10x. So thinking 100x: how do you go from where you are today to maybe 100x? And the only way to do that is really by reframing what it is you're doing to scale.
Failures That Changed Our Paths
Joshua Schmidt: That's an amazing way to think about things. You know, I've been following this guy that's been showing up on my Shorts feed on YouTube, and he interviews billionaires and millionaires. He kind of journalistically bamboozles them into it, like when they're parking their Ferrari or whatever. And one of the common themes is the failures. And then, I think anyone that's been an entrepreneur... Eric, you're a business owner. Nick, you do, you know, some stuff on your own. And then I've been a business owner doing freelance audio-video. So I was wondering if we could all share maybe a failure that we experienced somewhere along our career and how it shaped our learning and our trajectory, how we got to where we are now. And I've never really gone into the subject with you, Eric, but, I mean, you know, being the good man behind IT Audit Labs here, I was wondering, what was your journey like? And did you ever have a business that failed, or that you had to restart or kind of start from zero again?
Eric Brown: Yeah, sure. So I've got two things for you, Josh. When IT Audit Labs started, it was myself, and I had a business partner, and this is really early on in the inception, where we were kicking around ideas for the business. And we had, I think, one project that we did together. And it was just clear from delivering that project that we probably weren't gonna be aligned long-term on the service offerings that IT Audit Labs would deliver. So at that point in time, we decided to go our separate ways. And I'm not gonna say that it was a failure, but it was a great learning experience, because it was like, okay, how are we gonna actually run this business? And then, how am I gonna actually run this business to grow and to deliver the services the way in which I want to deliver those to our customers? And for me, it's not optional to be excellent in what it is we do. And how do we take that, bring on the right people to continue to deliver that excellence? One of the pivot points that I'm at right now is we're offering a lot of services to our customers, because we all have these different skill sets from our background, but that's taking away from our focus. So it's really looking at how do we narrow the scope of the services that we deliver, so we can do a couple of things really outstanding and set ourselves up for the next decade, the next 50 years, what have you.
Joshua Schmidt: Wise move to not just stick with the partnership because you're friends or because you want to work together, but actually make a sober decision that, hey, I know this is not gonna align five years down the road. So, like, let's just call it now. Just call it now. So we don't get there and have it be more painful.
Eric Brown: And the other one, the more recent failure: in order to do business with the state government, you've got to be on these state contracts and whatnot. And a couple of years back, we just dropped the ball internally on missing a deadline to get on to... or we were already on the state contract, but we had to go through the process again to stay on the contract. And for whatever reason, we dropped the ball on that. It was a huge gap. We fixed it, fortunately. But it was one of those things where it's, somebody has to own this.
Joshua Schmidt: And let's not do that again.
Eric Brown: Let's not do that again. I think that, you know, it was like, am I owning it? Is somebody else owning it? So we've cleaned that up. And yeah, it was very stressful at that time. But coming out of it and looking back, we used that failure to really sharpen and hone how we do things internally. So I think, along the themes of that conference, of how do you take your failures and how do you use those failures to really regrow and reshape what your future looks like.
Joshua Schmidt: How about you, Nick? Do you have any stories that you'd like to share?
Nick Mellem: Yeah, I'll share one. And this was actually an exercise we did at the conference; we just broke up into some small groups and talked about these same things, the same items. And it came up a few times, and, you know, we had a lot of good conversation. I think one of them that I was talking about was actually a personal fail. You know, everybody knows I spent time in the Marine Corps, and, you know, when I went in, I think I thought I was gonna be in for 20 years, and I was gonna be, you know, what they would consider a lifer. And looking back on it now, I'd have been retiring in one year. So I'd have had, you know, a nice retirement coming up after the military, but we'll rewind to, I think, 2011 or 2012, when I was getting out. I was with another gal then, and we were gonna, you know, thought we were gonna, you know, get married right away, and I wasn't gonna drag a family through the Marine Corps. So I ended up getting out, and two weeks after I got out, we separated, because it just wasn't working after, you know, I was there in person. So who knows, maybe that's on me or on her, but it didn't work out. But it was a fail at the time, because I was thinking I was gonna stay in, right? But now, if I go back and I look at that, what I was considering a fail at the time, it was actually really good that it happened, because it did many things. Obviously, I'm with my wife now. We've got two daughters, but I got out and I went to college for cybersecurity. I cut my teeth on a help desk. I met Eric at an organization, and here I am today, you know, doing what we do for other organizations. Went to an amazing conference last week, had great collaboration. So if you look back at the last 10 years of what I considered a failure, it actually worked out the way it was supposed to.
So I should be thanking that previous woman I was with for pushing me to get out, because here I am now, right? And who knows what would have happened if I was in for another 20 years. It could have been just as good. But it certainly worked out. So that was one of the items that I talked about at the conference. And if I can continue here, that was one of the things I actually really loved about this conference: those workshop-style discussions that really made you look in at yourself, not just business-related items. Like, how am I operating? How am I conducting business, through ourselves at IT Audit Labs, to organizations? Because I think that's our ethos. That's what we really want to portray to the organizations we work with: you're working with people first. And that's what you get here. You get tier-one operators that are people first, that want to grow with your organization. And again, continuing, that's why these organizations should be sending people to conferences. That's why these things are so important. You get so much out of it. And we had an awesome time. And, you know, we had energy before, but I feel like, wow, did that really fill the tanks, right? Like, you know, we were on the launch pad, but we got juiced up. But yeah, long-winded answer, but a failure for me that turned into, you know, what I consider a success story. Nick's also banned from the blackjack table at that particular resort. Yeah, that's true. But I can't go back to a blackjack table, apparently, in Thailand or the Philippines.
Joshua Schmidt: Oh well, I got kind of a juicy one. So my band was really popping off. We had a song that went viral in 2013, 2014. We released a song, the second song we ever released, and it went organically viral. Flash forward about a year later, we were getting courted by a lot of big record labels and getting a lot of interest, and emails would pop into our inbox pretty much on the daily, people that wanted to work with us, which led to doing some touring. And we found ourselves being courted by a guy named Jason Flom, who works with Republic Records, and he signed Lorde and, I think, Greta Van Fleet. Anyway, we went up to New York City to go play a show and to get signed, essentially. So we had these sharks swimming in the water around us. We had a manager that flew out to hang out with us in Minnesota, bringing us out to dinner. Basically, it was like a done deal, right? All we had to do was go play this show and we were gonna get signed. Went out to his house, Jason Flom. He's got pictures of golfing with Bill Clinton and Kid Rock, and he's got, like, Andy Warhol pieces in his house, using them for furniture, over in Manhattan, overlooking, you know, Central Park in a high-rise. And we're like, okay, this is strange. Had to drive all the way from Pittsburgh. So we're like 12 hours in a car into Brooklyn. We're supposed to be in the middle of this amazing festival where there's like 15 bands, like all really hot bands, at the Brooklyn Bowl. Packed room. It's like a sea of people in Brooklyn Bowl. Somehow we lost our middle slot, which would have been a slam dunk, because it would have been a packed room waiting for the headliner. We were not headliners. We were an unknown band waiting to get signed. Somehow the promoter, who was a total weasel, bumped us to the back of the evening, after the headliner. And Jason Flom is in the room with his son and his business partners, waiting to sign us.
And we get bumped to midnight. Oh, a full 12 hours after we had sound-checked already, waiting around all day to play. We got bumped to midnight. The headlining band finishes playing and everyone starts leaving the entire venue. So by the time we're into our second song, there's like 50 people left. We did our best, you know, we played our set, but, you know, needless to say, we got a call the next day, or a text, like, no, we're passing on this. Our manager didn't come out. He wasn't there to, like... so in hindsight, it would have been like, no, we're going on. I don't care if we play two songs, we're gonna go on.
Eric Brown: Right. And your manager would have advocated for that. Well, ostensibly. Yeah.
Joshua Schmidt: You know, like, if he would have even been in the same state, he should have been doing that, right? Because his money was on the line too, because they get a signing bonus when they sign up. And that's what the whole game was, right? So, long story short, instead of signing a record contract that night, we ended up keeping our music, and we still own it to this day, and we're still making money on it to this day. And we still have the freedom to, you know, use our name, use that music, perform it, license it and stuff. So it's hard to say what would have happened if we would have gone down that path, but I've seen a lot of other people go down that path with him over the last 10 years, and it kind of ends up going nowhere, you know. And it takes a lot to make a band work, right? But I've seen a lot of people sign and get nowhere. So that was a hard pill to swallow, though, you know, being in my late 20s, and that's the dream, right? Get signed. But when one door closes, many open. And yeah, it's a fun story. So that's my failure story.
Nick Mellem: You mentioned Andy Warhol, and I just wanted to say that I think the only reason I ever remember Andy Warhol is because he's the guy that famously never set his watch. Has anybody heard that about Andy Warhol? He never set the time or the date on his watch. But that's a very Andy Warhol thing to do. Yeah, exactly. Yeah.
Joshua Schmidt: No, I just remember the Campbell's soup cans, and then, like, the Elvis, and him being in The Doors movie, giving, like, Jim Morrison a golden telephone so he could talk to God, something like that. Pretty trippy stuff.
Hackers Target Vulnerability Program Gaps
Joshua Schmidt: But we're gonna pivot to news now. That was fun. That was nice to catch up with you guys a little bit. I haven't seen you in a week. One of the things that we've been discussing around here actually popped up on BleepingComputer this week: hackers are after the gaps in your vulnerability program. Here's their playbook. A forum thread titled "Hacking for Profit" offers a rare glance into how underground communities pass information about vulnerability exploitation and hacking techniques in the form of a tutorial. The post, written by an actor using the name Hercules, is not especially long or technical. Its value lies in breaking down a complex process into clear, actionable steps. It covers how to scan, detect, assess, exploit, and monetize vulnerabilities in the wild, while also offering rare insight into the significance of vulnerability disclosure programs. So I guess my first question, and then you can kind of take this wherever you want: what if you suspect a hacker is already into your internal documentation, they already know your game plan? Do you just switch things up, or where do you go from there?
Eric Brown: Josh, so this one hits close to home for me, because we've been having conversations this week about... there's a gray hat security researcher called Chaotic Eclipse. And Chaotic Eclipse is the person right now, he's in the news, or they're in the news, for the work that they've done on a couple of zero-day vulnerabilities that they've disclosed, one of those being Yellow Key. Apparently July 14th, I think Patch Tuesday, is another big release from this gray hat individual. The bug bounty programs... the reason behind all of this is this individual disclosed some vulnerabilities to Microsoft in a responsible fashion, but Microsoft did not pay the individual for the disclosure, because they said that he failed to provide some of the requirements along the path of the disclosure. I think you've got to provide video evidence, just a bunch of crap that Microsoft in particular, I think, not only failed this individual, but failed a lot of us, because now we're going to be subject to these zero-days that they could have found out about in a responsible fashion and cleaned up their code. But now it's gonna be a game of whack-a-mole when these come out on July 14th, supposedly. And, you know, I think it's really shameful of Microsoft to really skirt paying these individuals. I mean, what's it gonna cost them? A couple million bucks to satisfy the bug bounty program? I mean, just, you know, peanuts in the grand scheme of things, of the destruction that it could cost, especially companies that don't have robust security teams. Along the lines of this article, I think the companies that are producing the code that has the vulnerabilities in it have a responsibility to not make the bug disclosure process arduous. And if you do, have an exception for someone who's a serious threat researcher, to be able to responsibly disclose, and take care of that individual.
Now, I know that these teams from Microsoft and Google and Adobe and whoever, right, they're probably getting tens of thousands of requests of alleged bug bounties that some 12-year-old found using ChatGPT. But there are some serious researchers out there as well that are providing legitimate, meaningful bugs. And you've got to be able to find the signal in the noise, just like our security agencies are finding the signal in the noise with the hundreds of thousands of requests that they're getting around nation-state security. But they found a way to deal with that. And organizations like Microsoft and Google and whatnot have an equal amount of resources to be able to sort the signal through the noise. I just think they failed us all on this particular instance.
Joshua Schmidt: Well put. How about you, Nick? Do you have anything to add to this?
AI Lowers The Barrier For Attackers
Nick Mellem: Yeah, I think one thing that... well, one of the first things I thought about reading this is, you know, how AI, and I did a talk on this at an organization, I think last week or the week before, has really lowered the cost of entry for situations like this, right? If you inject the AI topic in here. Because to do something like this, you no longer need to know how to code, right? You can go right on any AI platform and teach yourself, you know, about vulnerabilities and creating vulnerabilities and this, that, and the other. So it's really lowered the level that we need. You had to know computers, you had to know code, et cetera, and how to execute these things. Now you've erased the floor, and so many people can get into this game of creating vulnerabilities and disruptions and all the things Eric was just talking about. So, you know, there was a smaller playing field before, but now it's grown so much. So Eric had mentioned playing a game of whack-a-mole. Well, this game has gotten so much bigger because of AI, et cetera. So that was, you know, maybe not a takeaway that usually would be found from something like this, but it was just a different takeaway that I had after looking through this article.
Eric Brown: Have you guys ever been on any of these websites where there are some nefarious actors maybe trading some of this information, just to kind of see how they work? I mean, I think we have to dip our toe in the water here every now and again, just to stay on top of... morbid curiosity. And just to be able to intelligently talk about it to, you know, our customers. This one here, where it says sponsored by Flare. I think Flare is one of those that maintains persistence in chat rooms and whatnot, so they're able to gather IOCs and share that with their subscribers.
Fake Open Source Sites Deliver Malware
Joshua Schmidt: This is coming from The Hacker News: fake sites mimicking open source tools rank high on Google to deliver malware via TDS. It says here, cybersecurity researchers have flagged a large-scale operation that impersonates open source and freeware projects to funnel unsuspecting users through a traffic distribution system and deliver malware families like Remus Stealer, Animate Clipper, and the Session Gate framework. This is something that I'm always a little curious about, because some of the third-party websites are very sketchy, and they don't even have, like, their, you know, license keys done in a very professional way, let alone wondering if they're updating, patching, you know, finding vulnerabilities in their own system. And, you know, the bar to entry on creating these things, whether they're SaaS or third-party applications, is so low that, you know, folks might not be thinking about those things. They just want to roll it out and make some money. So how do you guys approach this third-party plug-in thing? And then, even deeper, how do you guys think about open source tools, and when to use them, when not to use them?
Eric Brown: We were just having a conversation on this earlier this week around educating the teams who are going out and using third-party source code: how do you know that that source code is legitimate? And a couple of our customers are moving to a more enterprise-managed GitHub instance where there's discipline around how you bring in code. Let's just say there is some friction around that, where the developers just want to go do their own thing. And I think that's probably the theme across many organizations, where the developers don't have maybe the rigor from a DevSecOps perspective that they should. And it's really easy to be enamored by, like, oh yeah, you know, get free access to, you know, Claude or whatever it is. And you just click on these links, and then you are bringing potentially malicious code into your own repo. So not having those great pipelines and management of those pipelines is really critical.
Joshua Schmidt: Yeah, I was gonna say, not only that they get excited, but it's expensive, right? That stuff adds up. I mean, some of the plugins now, you know, it's like guitar pedals. They started off being like 50 bucks and now they're like $500, and they're all bespoke and boutique and, you know, handmade, and it's kind of like artisan. And I think that probably is the same with some of these plugins. I mean, you start adding them up and you have thousands of dollars' worth of software on your computer, and you don't really have any way to catalog the security features on them. Couldn't you, as a developer, though, from a DevSecOps position, couldn't you take the code and, like, run it through a Claude or a ChatGPT and make sure it doesn't have anything malicious in it? Or would that probably not catch it?
Eric Brown: Or there are tools like Aikido that do this. Veracode is another one. You know, Aikido is pretty good in helping developers understand where those third-party links are, what sort of vulnerabilities might be embedded in the code. But if you don't have the rigor and a pipeline to do those source code inspections, you're really putting your organization at risk. And, you know, there's that dichotomy of, do we go fast or do we do things securely? And, you know, we're certainly leaning on the side of doing things securely over speed, but I don't think that a lot of organizations today have that rigor built in, just because when you start talking about code and you start talking about third-party supply chain attacks, that just, you know, it just sounds like technical mumbo jumbo. And it's along the same lines as phishing, but phishing is very visible to everybody in the organization. It's hard to make things like third-party code and the vulnerabilities in the... yeah, you can talk about things like SolarWinds, right, as an example, but I think that just isn't in the everyday person's repertoire, of like, yeah, I heard about that, but I don't really understand how it's impactful. Like a phishing email, you can easily see how that's impactful.
Social Media Phishing And Real-Life Close Calls
Joshua Schmidt: Uh, new phishing campaign exploits Meta Business Suite to target SMBs across the US and beyond. With more than 5.4 billion users worldwide, Facebook remains the world's most influential social platform and a critical marketing channel for small and medium-sized businesses. Do you guys spend any time advising organizations how to interact with their social media? I know we talk a lot about it on SIP Cyber.
Eric Brown: We do. Yeah, and that would have been great if Jen was here. Um we like Check Point Harmony Email Security. Indeed. Maybe to answer your question there, some of the advice that we give is of course making sure that the people who have access to the social media platforms for organizations have multi-factor authentication in place. They've got uh phishing training, they have an enhanced level of rigor around interacting with um spoofing attempts or attempts to get their credentials, because we know that uh social media platforms are one of the ways in which organizations are exploited. So those who hold the keys to be able to make those changes should be aware of the level of risk um in the organization. And some organizations have just completely outsourced uh social media management to other third parties that um take care of it.
Nick Mellem: Yeah, I thought this article was really interesting, you know, and it just shows, I think in the article it talks about Vercel. Um it's a hosting app. And I actually use it for a couple of projects that I'm working on. And I think it just shows that, you know, all these apps are being weaponized. So something you might, you know, trust and you might use. This is just an example, but something you might, you know, use every day, and you just inherently trust that app, it might show you to, you know, take a step back and make sure this is legitimate. But yeah, I mean, we do these talks with uh the organizations about interacting with social media. You know, you get the same things of multi-factor authentication on social media, how to log in, you know, clicking on different things, it could be a group on there, it could be a message, it could be, you know, hey, try this app for free, you know, all these different things. They've got games in social media on Facebook, et cetera. So, you know, I don't think our talk really, you know, changes after reading something like this, but I think it just shows the new ways that, you know, these threat actors are using and weaponizing apps such as Facebook or Vercel or whatever the examples could be. Um, you know, again, it goes back to our conversation earlier of the threat landscape just continuing to grow, continuing at a rate, you know, nobody thought was probably realistic. But a lot of this draws back to AI. You know, we have discussions virtually every day about AI disrupting the landscape of many different um areas, many different businesses, um, industries at a rate we didn't think was possible.
Joshua Schmidt: Good call. This one took me off guard because all it takes is just to hit you at the wrong time, right? Like yesterday, we had a little party at my house last night for my kids finishing up the school year. So I was kind of wrapping up a work day, kind of transition mode, feeding the dog, like, get in the car, got a party happening, got to get the kids, and then I get this email uh from Facebook, and it's just like, I want to take care of it, you know, and I want to just make it go away and I want to stop receiving these emails. And I started getting into it and started clicking on stuff, and then I had to brake-check myself. Like, no, I'm not hacked right now. My email is safe. Um, my login credentials are safe. Like, let's not do this with half my attention on it. Yeah. Let's do this right when we're on the computer, when my brain is clear. And uh, but yeah, that's how easy it is. And I think if Jen were here, she would say, you know, the human side of this is that it can happen to anyone. But uh that's why we're taking this so passionately. We work with companies like Check Point on phishing, email security. We have our 14-in-one up on our website, email security. Check out itauditlabs.com. That has been the news for this week and an update from Nick and Eric coming from Strategic Coach, CoachCon, what's it called? CoachCon. Shout out to CoachCon.
SMS Gift Card Scams And Closing
Eric Brown: And I've got one other thing for you there, just on this side. So email is certainly a vector. Another vector is SMS or text messaging. So we had somebody start at the organization this week, and I think on his third day, he got a quote-unquote message from me asking him to buy Apple gift cards, right? So I mean, it's interesting. You know, we do posts maybe on um LinkedIn about, you know, when people are starting or joining or what have you. We ought to do a fake one. Like, you know, we ought to set up a fake email and a fake employee and then have them start and then just trust all of the nonsense, just troll them out for like half a year. Because we get like, you know, I mean, he'd only been here three days, but he's already getting text messages um allegedly from me to buy those gift cards.
Joshua Schmidt: "I hear you're excellent with text," it said. "Said no one ever" is what I reply. It's like that one had some funky language in it, right? Which was a bit of a giveaway. But yes, all like, I mean, if Caleb hadn't been paying attention or whatever, it's shocking how fast it can happen and how amazing, how opportunistic the threat actors are. You know, like, oh yeah, I haven't even made his welcome post on LinkedIn yet. And dude's already getting phishing texts. Yeah. It's wild. That's wild. Uh, that's just another good reason to take your security, personal and organizational, um seriously. Yeah.
Eric Brown: You have been listening to The Audit, presented by IT Audit Labs. We are experts at assessing risk and compliance while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials, and subscribing to this podcast on Apple, Spotify, or wherever you source your security content.