The Audit - Cybersecurity Podcast
The Audit - Cybersecurity Podcast from IT Audit Labs features trusted security experts, industry leaders, and practitioners who unpack the threats, tactics, and trends shaping today’s risk landscape.
With 90+ episodes and a top 10% global ranking on Listen Notes, The Audit goes beyond surface-level security talk. Each episode explores real-world threats, attacker techniques, compliance challenges, cyber risk, and the decisions security teams face before, during, and after an incident.
IT Audit Labs helps organizations identify risk before attackers exploit it. Through threat assessments, security control reviews, compliance expertise, and a trusted network of partners and specialists, we help teams find their soft spots, strengthen their defenses, and make smarter security decisions.
Listen in for sharp conversations, practical insight, and a clearer view of what’s coming next in cybersecurity.
The Audit - Cybersecurity Podcast
Live Cyber News: AI Ransomware, Identity Gaps and Quantum Countdown
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
What happens when a ransomware attack takes less effort than ordering takeout? In this live news episode of The Audit, Joshua Schmidt, Eric Brown, and Nick Mellem sit down with Tabitha Senty of IT Audit Labs to break down the headlines shaping cybersecurity right now. The crew covers how AI is lowering the barrier to entry for ransomware attacks, why identity and access still sit at the center of every breach, and how threat actors are chaining together low and medium severity vulnerabilities to gain a foothold nobody saw coming.
From there, the conversation moves into social engineering and the human side of security, including DEF CON's social engineering contest and lessons on training people without fear or punishment. The crew also digs into a CISA warning on how fast AI is accelerating cyber risk, a fresh executive push on post-quantum cryptography, and closes out with a head-scratching pivot from Midjourney into full-body health scanners at spas, and everything that could go wrong with it.
In this episode:
- Why AI is lowering the cost of ransomware attacks — Identity and access are still the real entry point, and AI just makes the attack faster once someone's in.
- How threat actors chain low-severity vulnerabilities into major breaches — Eric explains why patching only highs and criticals is no longer enough to protect an environment.
- The social engineering tactics still fooling smart people — Pretexting as IT, DEF CON's live social engineering contest, and why fear-based training backfires.
- A CISA warning that cyber risk is accelerating faster than expected — The timeline for AI-driven offensive capability is no longer years away, it's months.
- Midjourney's pivot into full-body health scanners at spas — The crew unpacks the security, compliance, and data governance nightmare hiding behind a wellness trend.
If this conversation sparked something, share it with someone who needs to hear it. Like, share, and subscribe for more of the discussions shaping the future of cybersecurity and IT.
#AIRansomware #Cybersecurity #SocialEngineering #PostQuantum #IdentitySecurity #ITAudit #CyberNews #DEFCON #ThreatIntelligence #CyberRisk
Holiday Banter And Livestream Setup
Tabitha SentyBut an AI company that comes in and thinks that there's no healthcare and HIPAA regulations and does all their that piece and start to develop um equipment.
Joshua SchmidtBut it's a spa.
Tabitha SentyI could care less if it's a spa or not a spa. Um you can hack into an insulin pump on a federal employee right now because that's not protected. But let's do this. Let's throw this up there. All right, I'll be able to do that. What could go wrong, huh? What could go wrong?
Joshua SchmidtAll right, we're alive on YouTube and LinkedIn. You're listening to the audit presented by IT Audit Labs. I'm your co-host and producer, Joshua Schmidt. We have the usual suspects, Nick Mellum coming from Texas, and Eric Brown, the captain's chair. And today we have Tabitha Senti, an IT Audit Labs member. She's joining us today for our live news episode. Thanks so much for tuning in. You can comment and we will read your comments. We'll read your chats. We'll answer your questions online. If you got them, send them our way. We're going to start out with our usual icebreaker, Eric Lex the Icebreaker. So we're going to talk about the uh 250s coming up, right? Fourth of July. It's just around the corner. You're going to be hearing this after. Uh the recorded version will be after the 4th of July, but we're going live right now and we're heading up uh on the holiday here. What do you what do what plans do we have? Nick, let's start with you. You're you got the flag flying in the back there. I saw your flag earlier in your your yard. You were feeling feeling a little nostalgic today. So what do you got planned?
Nick MellemEvery day is 4th of July for me. Um I have a 25-foot flight flagpole in my backyard with uh an American flag and a Marine Corps flag um on it. And I was raising it this morning, and my wife walks out back onto the pat patio with her phone and starts playing the Marine Corps hymn. And I turned around. That was just a really funny, a funny moment. So shout out to my wife for that. But uh I'd usually keep it up because it's got a light on the top, but you know, whatever, moving on. So uh yeah, 250 Texas gets down for the for the fourth, right? All if if it's anything goes artillery cannons, like whatever you can do it. Dogs are gonna be just hiding in the room. Like in an invasion down here. Can you get fireworks down there? There's no regulation that I've ever heard of. Like it can be anything you want. So every it's crazy. I'll send you guys videos when it's going on, but it's like all day until like three o'clock in the morning. I wouldn't be surprised. I wouldn't not be surprised, but yeah, we got family coming into town for it. Um, usually we do every year somebody comes down to celebrate uh uh the fourth down here, do a little barbecue or or something, and there's a lot of events in the cities for the fourth, so it should be fun.
Joshua SchmidtSo, Eric, are you gonna be grilling up some vegan sausages or or some patties? Do you throw in on the thing? Some black bean patties on the grill or what what do you think?
Eric BrownI don't like those.
Nick MellemOkay.
Eric BrownUh because they're too mushy, right? Like the the black bean patty is too mushy. Uh and I I do like a good vegetarian patty. But like a wild rice bean mixture too. Which is what's your go-to. Impossible or beyond. Okay. Yeah. The built in stuff. I don't know what that means. Around here, there's a lot of meat eaters, and they're like, oh, you know, this is impossible or beyond. They have more chemicals in them than the regular meat. It's like, okay, slow down, buddy. But yeah, that's what we'll that's what we'll be getting. And corn.
Nick MellemThat's one thing we miss is the corn in Minnesota is elite. Oh, it's good. Whenever we have family comes down, we try to have see if they can smuggle some down here because we love it.
Joshua SchmidtTabitha and I are both gluten-free. So Tabitha's always bringing the awesome gluten-free treats. So what do you what are you whipping up for the fourth?
Tabitha SentyActually, I'll be in Boston, Seaport, um, for the fourth. So I'm going back home and all the family will be there. We're all meeting in Boston. So um staying downtown and just doing the whole Fourth of July with the family.
Joshua SchmidtNice.
Tabitha SentyYeah.
Joshua SchmidtEric, just gave us a little news article about Boston here today about the the Scots and let's pull that up.
Tabitha SentySo the best part about that is so my Nana is Scottish. She came over the boat and married my grandpa, whatever. And so um, she would have loved the world of Boston this past week with the World Cup because that was her her jam. And they have hollow legs. That's our theory. Um, that they can drink constantly and they will not be drunk, and the rest of the world will be shattered.
Nick MellemThey got some overflow tanks.
Tabitha SentyThey really do.
Eric BrownBecause they're there for the uh World Cup. Yeah. And I guess the Scott, there's 50,000 of the Scott fans that um what what do they call them? The like the soccer fans. It's if you scroll down there, uh, there's a the uh guilty army or something. The tartan army. Uh yeah. Tartan army. They drank Boston out of all of the good beer, right? I wouldn't call Sam Adams good beer. Well, they don't they left the light beer.
Tabitha SentyHey, hey, that's fighting words right here. Those are fighting words.
Eric BrownThey left the light beer, though. And and drank the button light lab drinks that's water.
Joshua SchmidtThat's not beer.
AI Ransomware And Identity First
Joshua SchmidtWell, this is a uh this is an article from the Hacker News that Tabitha brought in today for us to talk about. It's uh building a security strategy for AI-powered ransomware attacks. It says here, launching ransomware attacks used to take real effort. Now, thanks to AI AI, almost anyone can launch sophisticated attack, which changes the game for everyone responsible for protecting businesses. Tabitha, so we all know that we, you know, that these have been prolif proliferated around with the use of agentic AI and with you know LLM models that can you know whip up code. Um what made this stand out to you and what should people be doing to protect themselves?
Tabitha SentyIt doesn't necessarily mean things are faster, right? So AI makes everything so much faster. But the bottom line is the identity piece. So phishing is still your entry point. Identity and access are huge to protect. And so if we're not focusing on identity and access right away, then it doesn't matter if we're protecting um if people are using AI or not, because if they can get in, they can move unilaterally across the board. And so I think for me it was just more like if we're just focused one minute on identity. Are you clean? Can people get in? Where are your credentials stored? Like those pieces, um, if we can strengthen that, then the AI piece will have a harder time making it through that barrier. That's just my thought.
Joshua SchmidtAnd this connects with some of the work that we're doing here at IT Auto Labs around the 14 in one checking people's um email. And then also we were just in a class yesterday, right? And so we got to work with agentic AI and creating our own skills and things like that. So we can kind of see both sides of it. Did you pick up anything yesterday, Eric, that kind of relates to this?
Eric BrownI I've been going a little a little bit deep on on the security strategy side, working with one of our uh customers that um is has has been wrestling with vulnerability management. And I think we've got to take a different approach to security where the the AI has just highlighted that it used to be we gotta really focus on patching the the highs and the criticals. But what we've seen in the last three or four months with things like mythos is it's able to chain together um vectors of vulnerabilities that might be low and medium that we probably never would have thought about patching in the past. And by chaining together these um lower severity vulnerabilities, the threat actors can gain a foothold in the environment. So I I've been spending a lot of time thinking about the future of information security, and I and I think it it moves away from vulnerability management, which is absolutely important, and I don't think we take our eye off of that, but I I can't think of an organization that I've been in, other than the ones that we manage, that are um that have a good vulnerability program because there's always some excuse about Y X system is either 10 years out of support, it can't be patched, or like, I mean, you can you you know, you need to be medicated after you listen about five or ten of these excuses, because it's like the same thing. I used to like, you know, kind of early on push against it of like, well, you know, yeah, okay, but we what if you did this? What if you did that? And I think now it's what if we look at vulnerabilities differently and we just accept that they're in the environment and we raise things up higher outside of the vulnerability plane and we say, well, what do we need to do to protect this environment? An environment is always going to be, is always gonna have some vulnerabilities in it, but how do we elevate the security posture so we're not focused on, oh, you didn't patch within seven days or 14 days or whatever the SLA is? And how do we bring the security domain closer to the endpoint? And I I there's some cool tools out there. Um secure browsers, I think, help a lot with that. There's some there's some tools that that help really give just in time access. And you know, to what you were saying, Tabitha, around the identity piece, if we can keep the threat actors from elevating permissions and moving laterally, that's really where you want to get to. So how do how do we really restrict the permissions so the users only need to do what they need to do when they need to do it and not have extra permissions that they may not even be aware that they had? And I think that bleeds into AI as well, because we'll take these AI tools, you know, let's say Microsoft Copilot, if you're a copilot um subscriber, and you turn that on in your environment, it's gonna have access to everything that you have access to, even if you didn't know you had that access because you were over permissioned over here for whatever reason, right? You were in, you know, you were in the marketing department, and then you move to sales, you know, and then you move from sales to, you know, whatever. But a lot of times there isn't really good policy and governance when you move between roles that your old role gets cleaned up. So now you take these inherited permissions with you, you turn on AI four years later, and you still have access to everything that you had over here. So that I think getting better at that organizationally with administrative controls and technical controls is really where the focus should be versus just, you know, the how do we patch quicker?
Tabitha SentyI
Real-World Phishing And Whack-A-Mole
Tabitha Sentyagree.
Joshua SchmidtWhat's like the wickedest one you've seen so far that's like that's got to be made by AI? Or have you have you seen a phishing campaign or uh Oh yeah, they're they're really good.
Eric BrownAnd I I should post this on um on our site, but we've been doing some work uh around um patents and um trademarking some of the the work that we're doing here. And uh unfortunately when you when you go and to the US um patent office, trademark office to file a trademark, you put in the email address that you want to use to receive information from um the trademark office, and it's optional now to put in a phone number. When I started doing this um, you know, way back when I had the first one I did, I put in a phone number, and man, the calls I was getting. Um it was it was calls about like, you know, I'm from the trademark office, and you know, i you have to pay this amount of money and then you can use the register. And like they just had this whole thing. Um and I recorded, I think, one of those, Josh. Um and then uh a couple others that I've done, I I don't put in my phone number anymore, but I've put in um the email address because I I need to, you know, receive email about this, but I created a uh essentially a spam-only email address that I get at ITIL lab so I can filter everything that comes to this. I just know it's junk because I only sign up, I only use it to sign up for things that are going to generate spam. And and this happens to be one of them. But they they sent over a really good-looking email, you know, allegedly from an attorney from the patent office. The only thing that looked off was the domain name, and the domain name was something like, you know, patent or or um trademark registration office.com or whatever. Um, and you know, it's not coming from the USPTO.gov um email address. So you know, you could tell it was fake right there. But the I guess the point being, most people I think could be fooled by this, people that aren't in security day in and day out. Because it looks like a legitimate email telling you about your patent or your your trademark because all of that information is public once you hit that submit button. And and and that's really unfortunate that and the and the and the the government office does put warnings on their site like, you know, we're this is known fraud and so on and so forth, that if once you submit, you are likely going to get hit with all this fraud. So I I of course, as soon as I got the email, I s I forwarded it to um they had a abuse mailbox and I sent that into the abuse mailbox, but it's like whack-a-mole because the next one you do, it's gonna come from a different email address. So I think, you know, in this case, education is probably one of the better medicines.
Nick MellemI was just gonna say I get so many phone calls about your loan's been approved or whatever it is. And the, I think Eric just said playing whack-a-mole. Well, I'll go on my phone and I'll I'll block that number, right? Because I know it's bad. But, you know, when it comes with the caller ID, whatever the name is, the next day, same person. It's just a different number. So I could block a thousand phone calls, that thing's still gonna get through. You know, so we get I get them all the time, text messages too. And it's about things that you just did, right? Or like you just were like it's their Johnny on the spot. And that's a part of this article, really, is it's not only a cost of entry for the threat actors to start doing this, it's how quick they're able to mobilize and attack on like, you know, a spearfishing attack, right? They're they know what they want and they know the group. And that's why it's so important for organizations to really kind of get their get their act together because it's changing so quick. Right. Well, we have conversations at the office, in the office, on Teams, whatever, about all these different swim lanes in security, how they're being affected by artificial intelligence that, you know, maybe a year or two ago, we might have said, oh, well, that's maybe four, five, six, seven years down the road. But it's now all of a sudden, it's today. It's, it's, it's it's happening live right now. So I think it's just, it's we're at such a critical point with, you know, hopefully new organizations we work with, current organizations we work with, to start having these conversations about what they're currently doing in their environment and how we can think about these things differently, whether that's building, you know, custom applications to help them alert, to, you know, handing out different tools to the group to self-auditing on what they're doing to be looking at these vulnerability things. We go into organizations, and far too often is the conversation about how they don't have a mature vulnerability platform, or they're not having discussion about this. They're they're not focusing on a risk register, right? Or they're cherry-picking ones that are easy to do, right? And Eric already said it. We might have 10 reds and you know, yellow, but maybe some of those yellows are way more important than the red one. So using tools or, you know, a tool that we could generate at IT Auto Labs to show you, hey, this one's much more important to focus on now, and here's why. So it's really about kind of going back to the basics and being educated on what's happening. But this article is really juicy because there's a lot of areas where you could go with why this is so important, but I'll leave it at that
Social Engineering Training Without Punishment
Nick Mellemfor now.
Joshua SchmidtHow about you, Tabitha? Yeah, where have you seen this pop up in your professional career?
Tabitha SentyOh, a ton of places. I mean, phishing emails are like nonstop right now, no matter what you do or where you go. One of the cool pieces is it's education. Eric said it. You you really do have to teach people or train them on how to look at a phishing email and what they're looking for. And that's that's just simple. That's easy education that we can come in and do for any of our clients or for anybody. Um, like this is the email address. If you hover over a link, if you if you look at down below and the attachment looks off, or there are things to look for that would just help just the normal user. Because for people in um maybe even if you're using the the Microsoft world, you do have some filters on there, but a lot of stuff still gets through that people may assume is is right. And I think we should work with clients or anybody really, and we could do tons of education on people to explain this is what a phishing looks like. Even phishing, that's huge right now. That's how a lot of people are getting in or calling and saying, Hey, I'm IT. Um, I need your credentials, and this is your manager. They've called me, you're locked out. Well, how does the person answering the phone truly know it is IT? Have they got the right person? Those kind of things. And so verifying one that you know who you're speaking with or talking to or replying back to. And two, looking at the contents of an email, verifying that this is right, this is right, this is right. And whenever in doubt, pick the phone and call the source.
Nick MellemYeah. And I'll add one more thing, Josh, just because like the social engineering piece of this is so relevant. You know, and I used to do a lot of social engineering, and the pretexting is always the IT manager. I'm contracting with your IT department, and this is what we're doing. I sometimes the easiest method of attack is the most successful here. I I remember doing these years ago, and it takes two seconds to go on LinkedIn, find out who the IT manager is. You call in, hey, I'm working with so-and-so, and this is, you know, these are the tasks I'm working on, right? A little bit more clarity than that, but you get where I'm going. And people immediately, once they hear you're with an IT department, they usually their barrier just drops. And you you can usually get what you want.
Eric BrownWe did a um a podcast with uh Alif Dennis back in uh February, February 10th, 2025. And if I'm recalling correctly, Josh will help me with this, but I think Alif won a black badge at DEF CON for social engineering.
Joshua SchmidtYeah, and she's been you know doing a lot of conference speaking recently. I've been following her on LinkedIn, and yeah, she's been quite the uh thought leader in that space. Yeah, check her out.
Eric BrownAnd and on the for that social engineering contest at at DEF CON, the the final um test, if you will, is done live on stage and you're in a s soundproof booth where the audience can see you, but you're you're actually making a live call to um the the target that you've you're given this um kind of pretext around. And a lot of the um people that are competing the the social engineers that are competing at DEF CON use the help desk as a pretext to um social engineer their way into the organization. Like, you know, oh I'm so-and-so from um the the the help desk. We're seeing XYZ happening on your machine, you know, whatever. And and it because it is kind of a way where you're just really bypassing trust, saying that you're the IT organization.
Nick MellemLast week I was on a call with a with a client and we I was helping them with a specific issue, and there's a couple of us on the call, and the uh user that needed help joined the call. And she needed assistance with a specific product, and we started asking her some questions. I'm not gonna go into detail here, but she asked probably two to three times, are you sure you're with you know the IT department? Um and you know, we went back and forth and we proved to her that we were. But at the end of the call, I, you know, kind of congratulated her and thanked her for doing that, you know, because we we don't see that enough. So I just thanked her for being, you know, very diligent and making sure that she was only going to give this information up to reputable sources that actually work in this environment. Um, so, you know, I guess for people that are listening, you know, go that, take that extra minute and congratulate people that, you know, are actually paying attention instead of just giving up information uh without, you know, maybe blindly giving that up.
Tabitha SentyThe first act I've seen that live was um at DEF CON, Rachel Tobak did it. And it was incredible to watch live and in person. Um so if you haven't followed her, you don't know her, she's incredible to watch and kind of see where she goes in that world. Um, but it's Nick to piggyback on your point. Um fishing training or any sort of training in this world should never be about punishment. It should always be about learning and praising the people who do, and even the ones who don't, um, who do things something they're not supposed to do, they click on that link. We should never punish them for that. We should train them and work with them and and that kind of things because fear in this world doesn't work for in our advantage as a um security provider. We should always teach them and train them.
Joshua SchmidtWell said.
Leaders Must Act On AI Risk
Joshua SchmidtThat brings me to this uh a article. Well, I guess it's more like a more like a memo here from uh American Cyber Defense Agency. So it's from SISA Five Eye Cybersecurity Agency's statement. They came out on June 22nd, so just a few days ago, saying that the AI shift in cyber risk, why leaders must act now. And um, this is a call to action. Uh, while AI will help us improve cyber defense over time, it also accelerates. The speed, scale, and sophistication of cyber threats. Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it's months. So things are speeding up, moving very quickly. And uh, you know, we just saw this with Fable and Mythos. Um Eric, we both picked out this article. What stood out to you? Um, what are you doing to take action on these things right now in your in your professional life?
Eric BrownUh what about my non-professional life?
Joshua SchmidtWell, we can talk about that after the show.
Eric BrownAnd it kind of goes back to what what we were talking about with the first article where the AI is exposing vulnerabilities at an alarmingly fast rate and kind of back to the basics of how do we protect the organization around um identity and access. But you know, it's I don't know. We were in that AI class yesterday, and I it's great that people are starting to use AI, but I was just kind of I I I I've I wrote an a newsletter article last weekend on um really the kind of the foundation behind AI. And I think I'm gonna say 99% of the people don't understand that like really what AI is, and it's just basically a a great word guesser. And it, you know, like I think you say that, but it's like, well, okay, what does that really mean? When you think about what what it really means, and we should probably do a whole podcast on this in and of itself, because it's really interesting when you look under the covers of how AI is really just using all of this this millions of articles and books and whatnot to to pull together how humans speak and um and write and predicting from from pulling together words that have numeric weights in a huge multidimensional space. It's a good article that kind of goes behind the scenes. It's I think it's called um The Numbers Behind the Curtain, a little callback to Wizard of Oz. Um that's out on my LinkedIn newsletter that really goes into it it's meant for non-technical people, but it kind of gets a little bit technical when we start talking about vectors and and how the AI is working behind the scenes to really predict what the next um best word is. And it is so good that it when we are interacting with these AI systems, they sound so human-like. And it's even like they're anticipating what we're saying and they're giving really good feedback. Like you can have a good, thoughtful dialogue with the AI agent, but it really has no idea what it is even saying, or it has really no memory of anything outside of the context or the saved memory from previous conversations.
Joshua SchmidtAaron Powell So to relate that to this, are you saying that like any moron can can can make a problem happen, you know, just by getting on there? Yeah. I I mean, not that there were any morons in the class yesterday. I I would consider myself to be a tech, you know, a noob, but I felt I felt a little advanced there because of the amount of time I've been putting into this. And it did strike me that there were so many different levels in that class. And, you know, being people that work with tech and cybersecurity, I I thought we were probably kind of towards the top of that spectrum where you, you know, and that's that's not to say that that makes us smarter or anything, just more adept at that skill. But there are people on the lower end of that spectrum that are doing the same thing we're doing in the class, making agents, hooking them up to their system, you know.
Eric BrownAnd that's really where we've spent a lot of time here at IT Autolabs really talking about the underneath, like from an iceberg metaphor, like all the stuff under the water on the security aspects of like, yeah, you can willy-nilly hook this shit up and let it go crazy. But what about all of the security implications of that? And and I don't think people are talking about that enough or even thinking about that enough because of the damage that is going to be done to data that they're entrusted with.
Nick MellemYeah.
Joshua SchmidtAnd I'm just gonna toot our own horn here real quick and just say I think that's what differentiates us um getting into this AI world is that we come from a cybersecurity background. So before we even started touching AI and dealing with LLMs, we, you know, the people here already had this extensive experience and background and and cybersecurity and what that looks like from emails to education to like next time, you know, in the military, all those different aspects coming together, converging into like how does this make us think about how we approach AI differently.
Tabitha SentyGoing back to what Eric mentioned earlier, I think what we need to do, because we don't have a lot of time, is we need to work quickly. Lock down your identity, verify that everything is clean, because when you share things across your AI environment, that gets in there becomes a problem. Reduce your attack surface for people that are listening. Don't have 35,000 tools out there that you're not knowing what has access to what. And then kind of watch it better. I always wonder everybody has written down these great plans of what you're gonna do to if you go down. But have you tested your backups? Have you looked at that? Have you paid attention to it? Do they come back up when you need them? So I would say if we're gonna work quickly, like we have to, we want to make sure we watch that identity, reduce your attack surface, and truly look at your visibility.
Nick MellemYeah, I'll just touch on this really quick because Tabitha brought it up and I was thinking about it before and she reignited it just now. I was having a conversation again with uh another client, uh, I think it was yesterday or the day before, sometime this week. And we really started to go deep on their tech debt that people are not thinking about this. It doesn't matter what size your organization is, it could be five people, it could be 5,000 people. But this one was a little odd, a little larger. They were using so many tools, their IT department had no idea about them. They might have had five tools that did the same thing. They might have tools that they're not even using anymore, but they're still sitting out there with active logins, right? So that just creates a big problem in itself. It and Tabitha was just speaking about this, the attack surface, that it just is gets so inflated that you know, we would encourage people to really look at that tech debt, simplify these things. What can you go without? Can you build something? Can you come to IT Labs and build a tool, right? Can we build a tool with you to simplify that to reduce that attack surface? So that that should be a really big conversation that organizations are having.
Post-Quantum Security Versus Basic Hygiene
Nick MellemYeah.
Joshua SchmidtSo speaking of growing attack surfaces, we have this uh thing, large thing looming on the on the horizon here. And this is coming from the president or you know, with the staff. And um, I'm I'm glad to see that they're taking this seriously because this came up, and I can't remember what his name was off the top of my head. Um, we had a guest on, might have been a year and a half ago.
Eric BrownWas it Bill Harris?
Joshua SchmidtIt was Bernie Lang. Oh. And um he was talking about post-quantum encryption. And what seemed like, oh, this was gonna be years off, years off. Now here we are, uh maybe like a year, maybe a year and a half later. And this is coming within probably three years or less now, where they thought it was maybe five to ten. And um, and I've been seeing this pop up a lot more in the news now. So this is saying, you know, um the uh the advent of large-scale quantum computers, particularly in the hands of adversaries, will pose a significant threat to widely used cryptographic security systems. Ongoing cybersecurity, uh ongoing cyber activity against our nation also presents the risk of adversaries collecting United States information now and decrypting it later once large-scale quantum computers are operational. In light of these threats, the United States must take steps and strengthen to strengthen uh cryptographic protections for the nation's sensitive data, critical infrastructure, and digital economy. We have a new guest a new guest coming on in a couple weeks to talk about this even in more depth. But I just thought this was kind of a futuristic thing to think about, but now it's not so futuristic. And um I'm kind of curious if if any of you have been hip to anything that people are doing, because there's this whole like harvest now, decrypt later thing happening where people are just stealing large data sets in hopes that there'll be something valuable in there when they can finally get their hands on a quantum computer and decrypt it. Um do you know what do you know what organizations or maybe the state or local governments or the feds are doing to make sure this is a smooth transition?
Eric BrownI was just on with Palo Alto earlier today, and they were talking about some of the the technologies that they have to um it's called post-quantum security, where where the encryption uh uh is is essentially enhanced or changed to protect entities that have data that would be of interest, so you know maybe FIPS data or CGIS data, things like that. Um and I i i it it gets down to really that the identity piece that that we have been talking about, but also the segmentation piece so that you're not commingling your sensitive data sets with non-sensitive data sets so you could really hone in and focus on post-quantum encryption in the areas that matter most.
Joshua SchmidtSo it looks like there's some kind of um a standardization happening at a government level. It'll be interesting to stay in touch with this, what's happening, and I will certainly bring it up on the podcast when we learn more about it. Uh I just think it's super interesting. Uh and then just, you know, just in my time on this podcast, how this is how this has come to fruition, or rather short order.
Eric BrownWe've got people still running Windows 7. So it's like, oh, it's great to issue these going. But like, okay, let's focus on the basics before we get too crazy about some shit that's you know, theoretically not out there yet.
Joshua SchmidtEric wants to cook on this a little bit. It's like, yeah, you're right. I mean, you've got people, you know, I mean, it's the same with AI too, right? You you have conference rooms full of people learning how to do prompt still, you know. Meanwhile, you got people that are out here, you know, hooking up multiple agents, creating stuff and making when they're sleeping.
Eric BrownTo me, this is like saying, okay, if you have a safe in your house, make sure that you're using more than a four-digit code on the safe in the house. We got people with doors open and windows open. Like maybe we take care of that first before we we focus on this. And I'm not saying that it's not important. I'm not saying there's not sensitive data here, but there's only so many dollars, only so many resources. Where do we focus those dollars and resources?
Joshua SchmidtThat's why we have pros like you all here to uh guide organizations in the right direction, right? And and maybe you can talk a little bit about that too, Nick. It's like, what's the you know, how much weight do should we we put on on these futuristic things versus just the basics? And then how do we leaders like you guys help organizations figure that out?
Nick MellemI think it's always gonna be a give and take. I think it's gonna be a little bit of tug-of-war going uh to both sides, because you know, we have to pay attention to it, right? Or you run the risk of being blockbuster, right? So, you know, we have to, I guess this pertains to or the answer might change to different organizations. Depends if the federal government is always gonna be a lot different than a mom and pop shop in Minneapolis. Um, you know, so having getting into their organization and actually talking to them what matters the most, maybe it makes more sense to focus on some futuristic items if they're you know pretty mature on the back end, good email security vulnerabilities, et cetera. You know, but you know, going to an organization, we just talked about this that maybe hasn't talked much about AI or has a lot of tech debt, right? Or or maybe they're not even using multi-factor authentication. Just I'm using some low-level items here that are easy to digest. That we should be in there having those conversations first to Eric's point. You know, we have to ensure these, you know, low-level items have to get off the table, you know, before we can really start to dream. Because that's what this piece is here, too. We know it's coming. You know, it's gonna come. And it might even come faster than this 2030 mark that I think was talked about. I guarantee that using Windows 10 and 2030. I believe it. Yeah, yeah. Who knows what's gonna happen then, right? The technology we're gonna have, but yeah, with a lot of conversation we need to have before we can talk about this.
Joshua SchmidtSo I'm a I'm a frequent shopper at Guitar Center, or at least a couple times a year I find myself a guitar center just to poke around or let the kids bang on the drums or you know, kill an hour or something. But up until like 15 minutes ago, literally had the green screen, like and then you know, the old keyboards and you do you know, to go to check you out, and they're like radio chef. Yeah, you know, you're like, oh my gosh, like what is going on here? Like and I guess it was more secure, you know, because it was stupid simple, you know. But um anyway, they didn't want to invest in it. But last time I went in there, they had things a little more updated, a little more modern. A little more modern. I'm a hobby lobby girl. They probably yeah, yeah, maybe they're up to Windows 10 now. Yeah.
Tabitha SentyUm so Nick, I'm gonna piggyback really quick. You mentioned uh an attack lyricist and all those things. So if if companies don't know where that lies, where their data lies, what's encrypted, what's unencrypted, it's not gonna even matter, right? We can't help you, we can't protect you if we have no idea because encryption lists lives, should I say, everywhere, and everybody lacks visibility of where it's living. So until you figure out what your tech debt is and you know where your data is and where your visibility is, it's not gonna matter.
Midjourney Ultrasound And Healthcare Data Risk
Joshua SchmidtI just saw this pop up when we were I was surfing Midjourney, the AI image generator is developing a full-body ultrasound scanner.
Tabitha SentySo and it's angry with this. You got me angry with this. You got you guys angry.
Nick MellemI can't wait to hear why.
Tabitha SentyBut if an AI company that comes in and thinks that there are no healthcare and HIPAA regulations and all that piece and starts to develop um equipment, but it's a spa.
Joshua SchmidtIt's a spa.
Tabitha SentyI could care less if it's a spa or not a spa. Um you can hack into an insulin pump on a federal employee right now because that's not protected. But let's do this. Let's throw this up there. All right, I'll be able to do that. What could go wrong, huh? What could go wrong?
Eric BrownThis reminds me of some of the bandwagon jumping. There was a there's a shoe company called All Birds. If you guys are I remember Yeah. You know, I I kind of like their mission and and all of that where they were using different um, you know, maybe uh I don't know what can you say, ethical fibers? And maybe it's not even ethical, but it's like responsible. Responsible. Thank you. They were using responsible fibers, um, eucalyptus, uh, tree sackers and whatnot, right? Stuff that that that doesn't take a lot of water. And I don't know. Anyway, that shoe company then uh I think they they they they grew really fast, opened up a lot of stores, and then imploded for whatever reason, maybe because the shirts they had were they were charging like three times too much for the shirt. Um but aside from that, they imploded, they sold off, and then the company now they they got into the AI space in in that they were buying GPUs and then renting them out. So they completely pivoted. If if you look up Airbirds now, I think they sold off the shoe piece to somebody else. I don't even know if that's still around. Or no, it's not Airbirds, it's all birds. Yep. And so now Allbirds is an AI company. So this to me, I just when I read this, I was like, oh brother. Um trying to stay relevant, man. Yeah. This is just seems like another one of those, but probably even a worse of an idea. Like I think the the Allbirds spinning off into renting out GPUs. So you probably can't really go wrong there because everybody's looking for a GPU. But an ultrasonic scanner where you got to dip yourself in water doesn't really seem like a great idea. I'm gonna I'm gonna push you're not gonna do it, Eric. You're not gonna jump on in.
Joshua SchmidtI'm just gonna push back a little bit on this and say we've seen the outsource because you know the healthcare system is jacked, you know, and it's not you know, there's a lot of great things I could say about it in the United States. We're lucky to have it, we're lucky to have access. Is it expensive? Yes. Is it hard extremely hard to navigate? Yes. So you've seen uh the outsourcing of like lab lab work, right? Or like um, you know, you've seen a lot of the growth in the and the woo-woo stuff, like what I wouldn't call chiropractic woo-woo. I mean, some people do. I think it's legit. I use it. Um, but you've seen the the new age stuff really uh grow. So, you know, the people are looking for answers. And I think it's great to have more more options for people. Um, I guess we'll we'll see if this is a sticking point or this is something that sticks around or is actually valuable. I think if it does have value for people, it will. But um, but I I can see that there's probably a myriad of of cybersecurity issues that could crop up here and regulations and whatnot. Aaron Powell, Jr.
Eric BrownI think Mid-Journey was relevant like a year ago and beyond, you know, two years ago when the general LLMs couldn't generate an image. But now that ChatGPT and you know whatever can generate images, what are they around for? Yeah, it seems like they're taking a pretty hard pivot here. Well, I think they have to, right?
Joshua SchmidtIt's or shut the lights off. Uh-huh. Interesting. Interesting.
Tabitha SentyAnd I read at the bottom of the article that they want to do 50,000 scanners. That's a huge attack surface. That's a huge attack surface. And so I just look at it from a security mindset and I'm like, oh dear. Like, who's watching the identity controls? Where's the security? Where is this gonna go? Who's responsible for the data? Where does it belong? Like, what does the governance look like? And I'm just like, ah. So when you sent it to me, I was like, oh gosh.
Joshua SchmidtNick, you're gonna dip into the spa and get screened.
Eric BrownWe're gonna have to get some shares, Nick, just in case.
Joshua SchmidtHeck no, I'm not getting in there. Some things that you wanna know, right? You know, like the the health partners is always trying to call me to come over to my house, and they're like, Well, you want us to come by for the free. And I'm like, They're like, Well, why don't you want us to come? And it's like, because I don't want a huge, you know, healthcare conglomerate coming to my house to collect data, you know, when I don't need a doctor visit, you know. Um they're they're offering to come to your house for free. To do what? That's what I asked them. They they well, we're a free healthcare visit. You know, we'll come do a checkup. Are you sure this is legit? Yeah, it's it's they won't stop hounding us about it's I think it's since we've had children. I don't know. It's some kind of a I don't know. Don't get me started, Narrick.
Nick MellemI think the technology is cool. I think we can all agree on that. Yeah. The problem is the back end. Where's the data going? Who owns it? The compliance with this, get out. It's gonna be wild. They got to have it under control, that's for sure. Especially to me, it's actually more concerning that's then it's it's more concerning to me that it's at a spa.
Joshua SchmidtIt is a it's kind of a scary pivot. It's like, hey, we're making like you know cartoon images of your cat and you know making them look like an astronaut, and now all of a sudden we're taking health your healthcare into account and scanning your entire body.
Nick MellemJust flossing you. I think that's a good place to leave it, huh, Josh?
Joshua SchmidtI don't know. I think Eric's got something. No, these things are supposed to be a half hour and we're like an hour. Who said that?
Nick MellemWe can let Eric cook a little bit then.
Tabitha SentyWell, he's gonna admit it too.
Joshua SchmidtYou gotta go fry up some soy on the grill. All right,
Wrap-Up And Subscribe
Joshua Schmidtguys. Thank you so much for joining us today. You've been listening to the audit presented by IT Audit Labs. I'm your co-host and producer, Joshua Schmidt. You've been joined by Nick Mellum, Eric Brown, and Tabitha Sentive of IT Audit Labs. Please like, share, and subscribe, and we'll see you in the next one.
Eric BrownYou have been listening to the audit presented by IT Audit Labs. We are experts at assessing risk and compliance while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, or all our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials, and subscribing to this podcast on Apple, Spotify, or wherever you source your security content.