March 6, 2023 52 mins

Digital security breaches continue to dominate headlines, with T-Mobile's recent API vulnerability exposing personal data from 37 million customer accounts, marking their eighth major security incident in just five years. What's behind this alarming pattern, and what does it tell us about the state of cybersecurity today?

In this thought-provoking discussion, we're joined by cybersecurity architect Matt Starland, who brings over 20 years of IT operations and security experience to the conversation. Together, we dissect the troubling implications of recurring breaches and uncover the complex challenges organizations face in securing modern technology infrastructure.

The dialogue explores how the rapid evolution of cloud services and API integrations has created an environment where security often becomes an afterthought to convenience and speed of deployment. We examine how least privilege principles frequently get overlooked in the rush to implement new technologies, creating dangerous exposure points for attackers. Matt shares valuable insights from his journey transitioning from IT operations to security architecture, highlighting the critical importance of proper configuration and validation procedures.

Beyond the technical aspects, we tackle the human element of cybersecurity challenges – from potential personnel gaps as security pioneers retire to the limited consequences companies face after major breaches. The conversation takes a candid turn as we discuss what individuals can do to protect themselves in a world where their data is increasingly vulnerable despite corporate safeguards.

Whether you're a security professional looking for perspective on industry trends or someone concerned about protecting your digital footprint, this episode offers valuable insights into the complex intersection of technology, business priorities, and personal data protection. Subscribe, share your thoughts, and join us in exploring how we can collectively build a more secure digital future.

#cybersecurity #theaudit #itauditlabs

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Eric Brown (00:05):
You're listening to the Audit presented by IT Audit Labs.

Kyle Rosendahl (00:14):
All right, welcome to the Audit. I'm here today with Nick Mellem and our guest Matt Starland. How's everybody doing today?

Nick Mellem (00:24):
Excellent here.

Kyle Rosendahl (00:25):
Really good. Good. Thanks for joining us, Matt. I just want to start off our recording here. Give you a chance to introduce yourself, where you're involved in security, what types of projects you've done, and just tell us a little bit about yourself. Yeah, appreciate it.

Matt Starland (00:41):
Thanks. Matt Starland. Been in the IT industry for a little over 20 years and maybe even longer if you include childhood. My dad had a computer business back in the early 90s so he was kind of teaching me how to work on computers and build and fix them, so going all the way from the old 8088s, 286s, 386s, so

(01:06):
really got a good chance to see kind of the evolution of home computers and then that kind of created the passion to go into the IT industry full time. So been doing. We'll start off with help desk, went from a help desk to a sysadmin, primarily working in the messaging side of the IT

(01:27):
industry. So Microsoft Exchange, been in some big organizations from 10,000-plus users dealing with their email systems, and then started getting in the consulting world of divestitures, acquisitions and mergers, investors, acquisitions and my

(01:51):
mergers, using that skill set of email skills and probably worked for close to 30 or 31 different companies, big Fortune 500 companies, helping on what they're those mergers and acquisitions and so, granted, I've been on the operations side for, you know, 20 years. Security was more of a secondary thing and kind of saw the writing on the wall here five, six years ago with the

(02:11):
explosion of everything being interconnected and just the amount of breaches and security issues going on and decided to kind of jump ship out of the operations side of the world and go full-time into security and so now I'm working as a full-time cybersecurity architect.

(02:33):
So a lot of projects using that, you know, operations side and implementation side of the world that I've been a part of, using those skill sets in the cybersecurity world to implement, you know, technologies to help secure organizations. So, you know, integrating like multi-factor authentication into many applications, helping lock down and secure Active

(02:58):
Directory, Azure Active Directory, privileged access management, a lot of different, you know, identity kind of based tools. So not so much on the red team side but more the blue team and I think that's my passion. There is more on the blue team side just because of being in the operations field for so long and building things. That's kind of my drive and, you know, goal.

(03:20):
But now it's taking that building things and how do we use those things to protect and secure an infrastructure.

Kyle Rosendahl (03:28):
So but yeah.

Matt Starland (03:30):
I would say that's kind of been my background and I mean for hobbies and interests outside of, you know, the cybersecurity industry I would say is probably the newest thing is 3D printing. Been doing that for about a year now and I think that kind of fills that need again of building and creating things and, you know, finding solutions to problems.

(03:51):
So that's been quite the journey, learning that and, you know, and also pretty much any of my, you know, kids' hobbies so it's become now my hobby. So that takes up a lot of time now these days too. So anybody that's listening that has kids you can attest to

(04:11):
where you might have been out golfing a lot or doing a lot of personal things and so now they're out of age where they're doing those things. So I've kind of shifted my role in attending them and also teaching them new stuff, whether it's IT or sports. So yeah, it's kind of my life in a nutshell here. Cool, yeah, thanks.

Kyle Rosendahl (04:30):
And I mean really, the reason we invited you on here is because, with your expertise in kind of the architecture of cybersecurity and your kind of engineering experience, right, you kind of sit in that hybrid role of developing and building those tools, also coming up with new solutions to bring in new items, bring in new technologies,

(04:54):
looking at the broader scale of infrastructure. As an architect, you sit that hybrid role. Today, Nick and myself just wanted to really sit down and talk about some of the things that we're seeing in the security space. You know, whether it's modern news stories that we want to hit on and just kind of talk about.

(05:14):
You know what we're seeing, how we react to it, what we think that kind of means for security as a whole, and just kind of bring some of our own technical know-how into it. I would like to start off talking about a news article that I saw this morning that came out on Bleeping Computer. I saw it this morning on the 20th. It came out January 19th, so a day before today, 2023.

(05:38):
And it's another article about T-Mobile getting hacked and allowing these hackers to access and steal personal data of like 37 million accounts. We'll put the link to the article in the show notes.

(05:59):
Here. Architects and engineers, we touch on a daily basis and then has an implication to, I would say, probably most modern companies that have any sort of web presence. And it's not the first hack that T-Mobile has been a part of. So I'd love to kind of get your thoughts on. You know, do you work with API technologies? You know, what are some of the kind of modern implications of

(06:22):
that? And with this being kind of their eighth major breach in the last five years, you know, what does that kind of mean for policy wise, for these companies who continually allow for hackers to kind of get in? Yeah, love to hear your thoughts.

Matt Starland (06:40):
Yeah, this is. You know, this is an interesting scenario. You've seen the evolution of going from installing applications on-premises to maybe back 15, 20 years ago where you didn't have well, I mean, cloud's always been around, colo.

(07:00):
You know, data centers, where people would have spin up their own stuff in a somebody else's data center and then you create a VPN tunnel. I mean, some of that still exists today. But now with, you know, the landscape of your big major cloud providers, of Google, AWS, and, you know, Azure or Microsoft Azure a lot of use.

(07:22):
You know, now they use the different these types of APIs that integrates into your platforms and then you provide some form of a security key, a token, certificates or some credentials to provide access. And what I've seen usually when you get these documentation from

(07:43):
vendors of here's how we connect our, you know, hosted environment to your environment. Their goal is to integrate as quickly and as seamlessly as possible, and you know. And so when, when you look at this documentation, if you're not looking at it through the lens of, maybe, a cybersecurity professional, you're looking at it from the lens of maybe a

(08:04):
cybersecurity professional. You're looking at it from the operation side of the world and you've got executives that are breathing down your neck to get something implemented by X date. Sometimes, you know, that security mindset starts to you, know you don't. You're not viewing things as much as through security lens, as you should be, and you just kind of take the vendor's word

(08:26):
for granted and you just implement as is. Well, when seeing these, you got to really look at what type of permissions are they asking. So, for example, let's say it's a type of technology that integrates with your email system and it needs to maybe read calendar data or somehow plug into your mailbox so that

(08:49):
way it can seamlessly send emails from your, you know, Exchange mailbox. A lot of these will just default to yeah, give us all access to all your mailboxes. And if you don't catch that, I mean think about this. Now you gave them some sort of a token security key account,

(09:10):
whatever it is that has full mailbox rights across your whole environment, when only maybe a particular department needed that application. It wasn't an organization-wide application, and so it's all about reducing your risk. So why did we give this application or that API access

(09:35):
to several hundreds of mailboxes when it only needed 10? So now if those credentials are leaked or they weren't fine tuned to just be a particular IP address to make that connection, anywhere in the world or anywhere in the US, as long as they got that credential, could in theory access all those

(09:56):
mailboxes when it only needed five or 10. So then you get into the aspect of, well, those five or 10 might not have had sensitive data in them, but maybe the other 500 that it had access to had sensitive data and yeah, so it really comes down to what you know. One thing that I push all the time and the organization that I

(10:16):
work at is least privileged access. Sometimes that's easier said than done because you start to get into a problem of finding that fine balance between operations and security. You know, security, we look at it as let's lock down, let's lock down, lock down, but then it chokes the life out of the organization to maybe effectively do business, but

(10:39):
then at the same time too, if you don't, you leave it too open, then you run into this kind of maybe situation. Not saying that this is exactly how the T-Mobile breach happened, but typically it can help you reduce your exposure by following that kind of least privileged access. So, you know, the point I'm trying to get at is it's met

(11:03):
with all these different cloud technologies and different APIs connecting in. You really need to keep a close eye on one, what type of permissions the vendor is really asking for, you know, and take a second look at it and just see the platform that it's connecting to, making sure that it is following, you know, that principle of least privilege. But two, this goes back to your kind of, um, your procurement

(11:25):
process too, and how you're evaluating that organization and what type of security program they have in place to help reduce your risk. So, yeah, you know, when you see these types of things, 37 million current postpaid and prepaid customer accounts, it's really and it happens day in and day out. You go to bleepingcomputer.com or any other major web.

(11:46):
You almost want to, you know, go live off in Alaska and live off grid sometimes. But I know this isn't the world we live in. It's becoming more interconnected. So I really find it's all about how can you reduce your risk and, you know, protecting yourself or your organization, that is, you know, following that principle of least

(12:06):
privilege. So, yeah, I that's I would say that's kind of my thoughts on. It is just, it's um, I'm not saying that there wasn't some other form of, you know, malicious, uh, activity that they found maybe a vulnerability, but I'm gonna say, most likely it's. My two cents is that it could have been just an overprivileged

(12:27):
, I don't know.

Nick Mellem (12:28):
What's your thoughts on your kind of take on it. Yeah, no, Matt, that's awesome. Great explanation there on your thoughts. If we cut the top off of this issue and we look in to see what's actually happening, do you? Would you, if you had to start pointing fingers? Would it go back to people being lackadaisical know-how?

(12:49):
I mean, what are we dealing with? An issue of people just not knowing what they're doing? Lack of, you know, initiative or tools, because I think the tools are getting pretty good right now. Right, we've got a lot of stuff that's really good at hunting these kind of issues down. We talked about least privileges, which we would agree with you, obviously, but if we, like I've said, if we take the

(13:09):
top off and look down at the actual problem here, do you have any thoughts on what is contributing to this?

Matt Starland (13:18):
Yeah, part of it is. I think it could be process, you know, maybe sometimes the organizations become so large that, you know, the departments don't know what the left hand is doing really well, and put them in that consulting or leadership position to be able to educate or help develop processes for the lower aspect,

(13:53):
because, just granted, it might come in a request to have this API come in at a top level where you have your architects reviewing it and seeing it, and maybe then an engineer at a lower level might be doing the implementation. Might one not have the same, you know, set of skill sets that

(14:17):
the architect had in implementing and might have either missed a permission or maybe the architect didn't properly document something in making sure that the engineer clearly knew what to do as well? So, you know, going back, like I said, it's a process thing.

(14:39):
So I mean it's, you know, and also making sure that your risk management and, you know, procurement is, you know, properly vetting these things. So I think it comes down to really it's just process, I believe, you know. So we can get huge, you know, we can have all sorts of fun tools

(15:01):
and everything, but there's some basics that we can always, we can easily miss from just having a foundational approach, um, you know, making sure we hire qualified individuals, but and also building in the appropriate process procedures to make sure that information from the top is, you know,

(15:23):
processed down to those lower levels that might be implementing it. So because I'll admit, you know, early on in my career, you know, if I was at the admin level and implementing something, you know, I was just kind of a. You know, here's the set of instructions, all right, go ahead and implement, and so if you have that, you know, a certain level of architect or technical skill set, viewing

(15:45):
that information immediately and then making sure they articulate and, you know, give appropriate information, maybe to the engineer at that lower level that's implementing it. So I don't know, I think that's a key thing there is having just appropriate processes and procedures in place.

Kyle Rosendahl (16:03):
Totally, and that makes sense. And for anyone who hasn't read the article, right, I mean we're just kind of spitballing on possible ways that this could have happened and gotten away with. They didn't actually release yet as of today how the API was exploited, but essentially the attackers exploited an API which is just a kind of web connection, typically into

(16:25):
internal data through usually like a web request. Sometimes it's a little bit different, so they're not 100% sure how, but it sounds like about 37 million people were affected and things that were gathered by the attackers were people's phone numbers, number of phone numbers that were on their account, emails, you know, possibly the person's

(16:49):
name, their date of birth, billing address, all of those types of personal identifiable information. That's the stuff that these threat actors were able to get a hold of, which is no small amount of data. That's still a major kind of privacy breach as far as individuals go. But a few of the things that I was thinking of while you were

(17:11):
talking is, you know, with some of the blue team work that I've done in the past, could this be a, I guess, a misunderstanding? Are the big two typically, but with implementing those two or

(17:37):
three different cloud services at a person's company, or for a large company or small company, the way that networking is done, the way that connections are made into the cloud, the way that cloud resources communicate with one another, is significantly different than how your physical networking infrastructure communicates. Right, when you're connecting routers and switches, I mean,

(17:59):
you can see the wires, you can connect the wires, you know that the data is going to cross that cable, whereas sometimes, when you're working in a cloud environment, you set up an endpoint, you set up another endpoint, you think, oh, if they talk to one another it's just going to go right through my cloud instance, whereas a lot of times it's going to go out through the wide internet and then back into your cloud

(18:19):
instance and there's extra configuration and pieces you have to do in your cloud platform to ensure all your data that you want to stay inside stays inside. So I don't know, maybe this is a good question for both of you. Is it possible that the training and the education and the pieces on how to securely implement these types of

(18:41):
platforms just isn't caught up to where the business wants it to be at this point? Are we falling behind there? And then the second question I'll just pose right away and feel free to answer one or both. Typically, when there's a breach like this, what I like to think of is, you know, there's a major breach, the safest place to be

(19:03):
is usually with that breached company. You know, after there's an incident on an airline, airline security shoots up and the safest time to fly is typically right after that happens, right. Security tends to be the same way. Right after there's a major breach, usually there's a lot of money poured into security and you get a lot better tooling and detection and a safer environment. So interesting that T-Mobile has had so many issues in the

(19:27):
last so many years. You know, eight major breaches in five years and it continues to happen. So curious what your thoughts are, both on kind of the cloud training side and then also the sinking ship and having issues. So I got a couple of thoughts on that.

Matt Starland (19:45):
So one, you know, it's funny that you bring up the whole you're, oh, I can talk from this cloud endpoint to the other cloud endpoint and I'm good to go, and it's all said and done. You know, there's, I'm good to go, but there's other things that are going on behind the scenes there. Why, kind of when you start building out your, your

(20:05):
infrastructure, and in a cloud, you know, cloud environment like that, it it is gets a little tricky because, like you said, you, you lose sight of that. I know this physical cable talks here, this connects here and this connects over there, and so I know the paths come through these channels or this physical media, but in the cloud

(20:26):
it is like we kind of make this joke that is, oh, it's maybe part of Microsoft's magic sauce or whatever going on behind the scenes. How does my VM that I built, talking to this Azure SQL as a service kind of ordeal or blob, and it's not necessarily using my VNets and everything that I spun up?

(20:48):
How is this communicating? And there's some confusion. At least I'm not as deep as, uh, some of that networking technology, some of my counterparts that I've worked with with, um, and everything, but I always like to see that, um, you know, when it comes down to building some of that infrastructure, testing and validating what can I get to it

(21:10):
from and what can't I, and there's a lot of when these technologies, when you spin up all these different cloud technologies that they give you, it's kind of like plug and play ordeal. It reminds me of Windows prior to Server 2008, or Microsoft,

(21:33):
yeah, like 2003 and 2000. When you install those operating systems, they came fully wide open, everything's installed, all the services are running, and then finally, in 2008, when you installed that server, it was stripped down. Like you had to install IIS. After that you had to install, you know, do all these extra

(21:54):
things, so those services that are available. It was kind of following that least privilege model. And now with the cloud, because of how complicated it is and how quickly these cloud providers are trying to compete with each other and just boom, spinning new technologies left and right. It's hard for people, a lot of technologists, to keep up in how

(22:20):
these things are configured, so it seems to be that they are just leaving them wide open out of the gate by default, so that way you can get your stuff, you know, up and running as quickly as possible and then all of a sudden you realize later on like wow, this blob storage was wide open to the internet and I was

(22:40):
using this to store, you know, some protected data or whatever it might be. You know, this way, some of the places I've seen before and they didn't know about it and so there's a lot of now different tech. Some or it may have been out, like, for example, Palo Alto's, that rings a bell is a their Prisma Cloud.

(23:05):
I think I get Prisma Cloud in which that is, you know, designs, not to give them a particular plug here, or anything like that. That's just one example of many. But they scan for those kind of known insecurities that these cloud providers are creating out of the box so you can quickly

(23:27):
set things up. That's something to bear in mind with these cloud technologies and making sure that when you're building, things go through a validation process. Again, going back to that process procedure, you know, make sure, can I get to it internally? Can I get to it externally? Do I have a test environment, you know, in the cloud as well, and if that's not networked, can I get to that other

(23:50):
environment's, you know, cloud resource. So, you know, going through your validation procedures or using a particular tool that's designed to scan for those things, make sure they're locked down and then move on, but also having reoccurring scans, so that way over privileges, you know, something doesn't become over privileged during over the

(24:10):
time. So, going back to how they've shown what, how many breaches in the last four years? Eight, eight, I think, yeah. To me, my thoughts are is that it comes down to maybe a company structure or something. I mean you've got to have management behind you, so you've

(24:30):
got to have your upper management recognize that this is something. We've got an issue here and now. What do we need to do to fix it? You know, going through that incident response. Um, you know, best practices of, okay, what are lessons learned? And now let's throw some money at this or time and it and get

(24:51):
these things fixed. You know, and where was the weak? Where was that? You know, weak chain, the link it. You know, in the chain, where is that weak part of it? And trying to resolve that? Was it a personnel issue? Was it a technology issue? Is it gonna be perfect after, you know, this? Maybe not, you know.

(25:12):
But maybe it took them some time and maybe they're taking time because there is. It's a money issue. I wouldn't think so, but again, I think you got to throw resources at it. It really comes down to upper management and get everybody in line and organized. I don't know. I think that's kind of my thoughts behind it and some of

(25:35):
all the different organizations I previously worked at.

Nick Mellem (25:38):
Yeah, I think. Well, I'll jump in here too and I'll probably take it a step further, and I don't mean to be super cutthroat here. When I'm reading through the article, the first thing that comes to my mind is personnel. It's know-how, right, I think, one of TMO's potential biggest issues and potentially a lot of other organizations around the country or the world. We've seen a changing of the guard, right.

(26:02):
The pioneers of security are starting to retire, they're starting to leave the space, so the baton is being passed, and it's not that the younger crowd doesn't know what they're doing. We've lost that leadership where we're picking up the baton. I'm saying we, because it's probably in front of us. We haven't got to that point, but it is that fundamental

(26:23):
know-how. We've lost the head that's been driving this, and now T-Mobile is left holding the bag. As far as these tools, the know-how, the process and procedures, it's really everything. But from a holistic view, it is a personnel issue. As far as I'm concerned, without trying to get too technical, and that's kind of where the compliance stuff comes

(26:46):
in as well, we can have all these great tools, but if we don't have the people to maintain it on a daily basis, we've lost our direction is how I think of it. I think it's complexity.

Matt Starland (27:04):
It's kind of, I guess, the best example I give. I remember getting, when I was getting involved in the 90s, at least in the computer industry, and at least the area I grew up in, was very blue-collared, not very technical in that IT industry. By any means, I mean not saying that there wasn't people, but it

(27:25):
just wasn't. That wasn't always one of the primary, you know, economical drivers in the area that I grew up in. And, you know, when somebody, I remember hearing, you know, like, oh, you know computers, and they just expected you knew web developing, you know, app dev, networking, every, all the all

(27:46):
the above, and maybe that was, you know, maybe because of some of the smaller organizations that I'd seen, you know, maybe some of the larger ones at the time, companies wasn't the case, but at least that's what I had seen. And so when you're looked at that as, oh, you know IT, you

(28:08):
know there's so many different areas to specialize in. You know, it's kind of like the medical industry. It's like, oh yeah, you're a nurse. People start to assume that brain surgery and all these in chiropractic care or all the different specialties that exist, and it's like, no, I'm not going to let the primary care

(28:32):
physician do brain surgery on me. You know, it's there's. There's a reason why that's in this IT industry. It's, it's grown to all these different niches because of how complex it's getting and everything. And so I believe that part of this is it goes again hiring the right people to do the, you know, the right type of job, and

(28:54):
part of that is because it's just how complex the IT industry is getting. So, um, you know, finding qualified people to do this particular cyber security job or this particular help desk job, and then it also comes down to, you know, training also, um, your, so just not just IT, it's a personnel thing. So I don't know, that's kind of how it seems to be getting with

(29:19):
all these cloud technologies too. And just technology is growing so fast it's hard to keep up. I mean, you got your full-time job, but then it's also maybe a part-time job outside of your full-time job, just reading and educating yourself and always keeping up to speed on everything. And yeah, I think it's just.

(29:40):
Complexity is what's the killer behind this? And, you know, companies want to make money and they want to grow as fast as they can, and security is looked at as an afterthought. Yeah well, but if we do this it's going to take us six more months to implement. So sometimes some of that leadership makes the decision to

(30:03):
accept the risk, and sometimes is accepting that risk more costly.

Nick Mellem (30:11):
Yeah, I think one great point that I picked up on, Matt, that you were just saying is with companies want to make money, they're so concerned with hiring that one jack-of-all-trades security guy to come in that can do everything. In reality, what they need to be looking for is three or four guys: some guy that's good at compliance, some guy that's your

(30:33):
threat hunter, somebody that's your processes and procedures, your know-how, or your red team or blue team. So you have all these different things and, instead of thinking of it, they want the one guy that's okay at everything, instead of getting studs in every area that can really shore up these potential issues that we're seeing now.

Kyle Rosendahl (30:54):
Yeah, agreed, and you mentioned money and you both just mentioned money and the company and they're interested in making money, right? So here's my biggest kind of pet peeve with all of this is, if you've listened to our other episodes where we're talking about data privacy in the modern world and social media

(31:15):
companies, where you're providing them your data and it's pretty obvious that they're using that for benefit. But with a company like this and with other companies like this, when you're giving them your information, you're giving them your address, you're giving them your credit card information, your billing address, your name, social security, you name it.

(31:35):
They ask for it. When this many breaches of personal private information have happened in the last five years to a company that's so large, it doesn't seem like they're losing when these things happen, if that makes sense, so they're supposed to be there to

(31:59):
protect individual data that they collect and hold on to for business purposes. When that data gets lost, where's the repercussions back against the company? I mean, there's always the argument that free economics, right, you could drop T-Mobile. But can you afford to drop T-Mobile and go somewhere that's maybe more expensive or go somewhere cheaper, right?

(32:19):
And that's the thing is, are they too big and do there need to be policies and things in place that hold them to account when this type of thing happens? Right, and there's always a civil lawsuit and something that goes on in a case like this, and if you buy into it and you fill out the paperwork and you make your claim, you'll get a $50 check in the mail. It's $50, two and a half years after the fact.

(32:43):
Good repercussions for you, whojust had your email address.
Somebody take that and, whetherit was sold online or not,
somebody knows.
Somebody knows that, then,about you and are you
comfortable with that andwhere's kind of the repercussion
come into play?
Does there need to be some sortof a policy that, when it
happens this many times in thisshort of a period and they're

(33:06):
obviously well, maybe they'retaking it seriously, but it
keeps happening, right?
So again, again, we keep sayingthey need manpower, they need
know-how, they need this.
There's ways to shore it up.
Is it just disregard for thecare of their users' data?
Does there need to be something?
I don't want to say government,but there needs to be some sort

(33:28):
of framework out there thatprotects individuals, as more
and more of our data keepsending up at these companies and
then ends up on the dark webbecause these companies keep
losing it, right yeah?

Matt Starland (33:53):
Yeah, I think you know this is part of it. Like I started to get into my libertarian views here and making sure, you know, you know, like going back to what you said, where having government step in, you know it's like, well, here, come in, discipline the child. But then I'm also thinking to myself, well, I also want to be careful of that slippery slope, of we've probably been down a slippery slope for a while now in many and we'll call it, quote

(34:15):
unquote, free market in our country for a while, but that's a different topic for a different day that we could go down that rabbit hole. But I think I would go back to is, um, this is where the media and or, you know, the news or, you know, personal responsibility comes into place too.

(34:36):
And when I say media, news, making sure that this isn't just on bleepingcomputer.com, like where's the CNN, where's the Fox, the Daily Wires, all these different news outlets. I know they're focused so heavily on the politics, but let's also take a look at the cybersecurity aspect, because I

(34:56):
think the more and more you would get people aware of this, versus them just getting a random piece of paper in the mail that says, hey, your information was breached, we're doing everything we can for it. Here's your 50 bucks and we'll give you two years of free counseling. You can see a therapist, you can go to this. There's a pastor down the road here too you can talk to and maybe everything will be OK.

Nick Mellem (35:19):
I free Netflix for six months.

Matt Starland (35:23):
Yeah, we'll give you our new T-Mobile package. We're including Disney+, by the way, so maybe it'll make you feel better. I really think it comes down to, again, personal responsibility, but also as a culture type thing, meaning we need to get more. Maybe we, as a cybersecurity industry, got to get more

(35:43):
involved in educating the general public on what's going on and then, as people see this, you know, where do I put my money? Well, heck, I don't want to. I'm not going to, you know, give T-Mobile my money now. Verizon hasn't shown anything at least, or AT&T, so I'm going to take my money and move it elsewhere, because, again, money

(36:03):
talks. So if they start losing customers, whoa, okay, now we're going to start, you know, maybe really figuring out what's going on. Why isn't Verizon and AT&T and other organizations seeing this? Well, maybe they are, and they just don't know it yet either. You know, it goes back to maybe the tool sets they're using.

(36:25):
They aren't identifying these breaches in the same nature that maybe T-Mobile is, but let's say they are, are seeing, you know, they're able to stop this or have their, you know, poop in a group, as we'll say, and they are preventing this. So I think that's another, that's another wake-up call. So I think it comes down to educating the public and then

(36:49):
letting them, you know, take their money and invest it in companies that will maybe take care of them better with their information, but then also not what that company is going to do for them, going back to, like, JFK, what can you do for your country, but it's more or less, what can you do for yourself? You know, what are those things that you can do as an individual

(37:12):
to protect your identity. You know, what are those types of technologies and process procedures that you can do to limit your exposure. You know, making sure you don't use password 123456 on all of

(37:36):
your 150 different accounts that you have across Disney+, Netflix, Hulu, T-Mobile, you know, DirecTV, etc. And then when that happens, one of those are breached, well, now they also got access to other, maybe additional information. So, you know, I think it comes. It's a kind of education and also taking personal

(38:00):
responsibility. I hate to say that, personal responsibility, because it wasn't necessarily the customer's fault, but that's right. It goes back to what can we educate the customer about what they can do to limit their exposure, but then also give them the power to hear, your other organizations that you can invest your money in and reduce your risk.

(38:21):
It goes back to my previous statement, risk reduction, as with it is driving a car. Why do I wear a seatbelt? I know I could possibly die in my car driving down the road, but I know that wearing a seatbelt is going to reduce that risk greatly. That same mindset, and put it into technology for my personal

(38:42):
needs too. I'm downloading applications and purchasing services from providers like T-Mobile. They're speechless, folks. They're nodding left and right here. If you could see them. They're nodding, they're getting wild.

Nick Mellem (38:59):
One thing that comes to my mind, too, is just that, now that we're moving into a new age, companies need to be living in a world of, it's a matter of time before you get somebody knocking on your door, versus, oh, it's never going to happen to me. And we've talked about this in previous episodes about what you can do, and Matt,

(39:19):
that's a great point. You really need to start looking out for yourself, what you can do. And it's interesting that you brought that up, because just this morning I went to renew my driver's license and one of the questions on the sheet, they wanted your full social security number written out, right? So, and I didn't do it, right, I just left it blank until I got

(39:41):
there, and she's keying in the information, right, I give her what she needs instead of writing it down. But I'm drawing the two back together because we're being so out of sight, out of mind. We're getting in our own way, and that's exactly what's happening here, Matt, everything you're explaining. We keep tripping ourselves.

(40:02):
We're not using these tools in the way they should be. We're not training our staff in the way that we should be, educating, continuing education to pass that baton. But just one thing that came to my mind when you were speaking there is what I was thinking about.

Kyle Rosendahl (40:18):
So, in other words, we're all going to go buy a big piece of land in Alaska. Yep, take all of our data with us and just live off-grid.

Nick Mellem (40:27):
Folks, just lock your credit. Just freeze your credit.

Matt Starland (40:32):
Your new social media in Alaska will be your furry friends, and it's called nature. Your instant messaging is a homing pigeon and smoke signals.

Nick Mellem (40:43):
Yeah, and during the next data breach, you can just tell everybody, I don't care, I don't need it anymore.

Matt Starland (40:48):
But unfortunately, it is funny, I don't want to digress too much, but it is funny to see some of the articles and reports, things I've been reading too, like how that lifestyle is actually growing quite fast. But for those who want to have the niceties of the industrial

(41:13):
slash technological age, it's hard to get away from having your data everywhere, and so you need to protect yourself. What are those things you can do? Um?

Kyle Rosendahl (41:24):
So we just, again, we need to be better, I think, in the cybersecurity, um, industry to educate the general public and just the layman on that. Yeah, and I know I've had this experience when, when talking with friends who aren't into security, right, I used to coach swimming and I'd sit down with a group of coaches after a swim meet and we'd all be

(41:46):
hanging out and they'd be like, oh, you do cybersecurity. And it's like, yeah, I do. And they're like, well, what can you tell me? You know, what's interesting? And it's like, well, you know, everybody uses social media, everybody does this. You know that if you're on social media, they're tracking this, they're watching this, they're doing this, right, you think it's all private, it's called a private message, but they can read those.

(42:07):
You know, anyone can grab your cell phone data, they can watch your call records, they know who you're talking to and they just kind of sit there and listen to it. And they're like, yeah, I didn't want to hear that, like I just don't want to know. Don't tell me that, just let me be, the ugly truth. So it's a hard thing where we kind of have to be the bearers

(42:28):
of bad news with some of this stuff, where it's like, look, it's going to happen, your personal data is going to get out there, you know, freeze your credit, so if it does, they can't steal your money at least. Right, you know, take those preventative measures, you know. Maybe choose not to use TikTok, maybe choose not to use Twitter or Facebook, right, you know?

(42:50):
If you want to go into a whole nother topic, Twitter had a massive breach this last week as well. So, you know, these, these platforms are getting breached and there's so much of your information that you just provide for free. So I mean really just that personal responsibility.

Matt Starland (42:59):
Did you guys ever read the book Data and Goliath?

Kyle Rosendahl (43:03):
I did yeah.

Matt Starland (43:04):
I don't remember who that was written by. I thought I could look it up here, but that was, for those who are listening, going back to that, you know, what Kyle just said, I didn't want to hear that, you know, what his friends told him on being on swimming. It's kind of one of those types of books, but I think that that,

(43:24):
right there, is one of those pieces of education. Even being in the cybersecurity industry, until I, you know, I always realize, you know, information. You know, you go through the 900 page EULA that you sign for that free app so you can make your life easier. You know, it wasn't until I read that book and a few others that I'm like, wow, I didn't.

(43:44):
I guess I never really realized how much of my data I'm just giving out for free because of, in tracking, because I want this piece of software that makes my life so much easier.

(44:06):
So not just, you know, I, you know, not keeping beating down T-Mobile here with, you know, A, they were the customers, but we're doing it to ourselves too, with all the free apps that we're downloading, you know, and giving them information, and one of the best examples, I don't know if it was in that book or not, might've been a different book that I read, but, you know, with all like the tracking you're going to, Kyle, of the information you're giving them and allowing, and location services and, um,

(44:31):
whatever, it's pretty much no different than the pre, we'll call it, I don't know, this social media age or free app age, I don't know what, if there's a term for it, but where it would be like having you, you signed a piece of paper and you gave it to this

(44:51):
random individual. That, uh, we'll just say they are with a Target. I don't mean to be picking on Target. It's just the first thing that came to mind. Um, and they send a van to sit outside your house and to follow

(45:12):
you as you go to Best Buy of 1995, you know, because you don't go to bestbuy.com here now and buy stuff. So they'd follow you, they'd watch what you bought, you know, whether using, you know, your cash back then or whatever. I know there's charge cards too, but you're right now to check. Most people now these days use credit cards. So this is kind of what I'm getting at here.

(45:32):
You're purchasing, um, tracking, and then they, they go to the grocery store, they watch what you selected off the shelves and they go back to your home to watch you get back in your house, what time stamps you're doing as you left, go to work. You come back to work. They know your schedule, they know what you're eating, and so, and we do this not just, you know, for a company like Target or

(45:54):
whatever, but these apps that do the tracking services and stuff, and then that data is used to then advertise to you. So the point I'm getting at is that, going back to just this T-Mobile thing, just how much data we're actually willingly giving people, and kind of, you know, you put your fingers in your ears and go la, la, la, la, la, like your friends, I didn't want to hear that, because of the convenience it's

(46:17):
giving in your life, and so, moral of the story, either go live in Alaska, off grid, and, you know, your new social media is your friendly furry friends out in nature. Well, I guess, except for the grizzly bears, maybe they're the malicious actors, but, you know, it's making sure that.

(46:40):
You know, just again, what can you do to protect yourself and limit that exposure? And that is becoming more popular, you know, with like Brave browser and you got your Proton VPNs and Nord VPNs and those different companies, but even then I'm starting to see different organizations block

(47:00):
those connections so that way they can make sure to still track your data. So then you go back to that quick hit. Oh crap, I gotta turn my VPN off because I, I need to get to this source of information and give them my idea. Amazon does that, yeah. I, I started, uh, noticing that with, uh, my particular VPN provider.

(47:21):
I'm like, what, this website's blocking me now because I'm connecting through, and so then, fortunately, if I go through a different channel of one of their other VPN servers, then it'll work. So it's like, man, this is making it harder for me even to get to this data. So I don't know. It's this brave new world we live in. I know we kind of got off from our main topic.

(47:43):
Oh, it's great. Of how the API was used to get breached, but I think the moral of the story is, is that we're seeing so many data breaches going on that there's just, it's a slew of problems, and we as a society globally are just trying to go so fast and make life so easy that, going back to what you

(48:06):
said, Nick, security becomes an afterthought. And is that really maybe costing organizations more money than what they realize in the data breaches?

Kyle Rosendahl (48:17):
Totally. Yeah, and that book was Data and Goliath. That's Bruce Schneier. If you listen to our Data Privacy in a Modern Era, like the whole first half of that presentation basically sourced off this book. So a lot of those stories that we tell, a lot of the types of data, what they're doing with it, the analytics that they're

(48:39):
putting into your big data, a lot of it comes from this book, so super worth a read. If you haven't read it, we can put a link to that in the show notes as well.

Matt Starland (48:46):
You know, the only thing it'd be, you know, it's going back to the PayPal thing, but I think it's the same conversation, yeah, you know, in a way it's. You know, the only thing I could have thought of is maybe talk about if there was more technology stuff. I know we started getting more on the, the, yeah, the policy and

(49:07):
morality, I don't know how you want to call it, not morality, but, but, um, I guess, policy and behavior side of the world. Um, you know, we only, I've maybe only touched for five, 10 minutes on the whole technology side of, just, know, least privilege and stuff, but that, a lot of that stuff comes down to that. Um, I think that, and that is just key in these breaches, and

(49:30):
you know, I think if the, if the article is that we would have talked on was like, uh, vulnerability or exploit and things like that, maybe we could have gotten geekier on it. But a lot of these breaches are, most of the time, I'm not, I can't say most of the time because I don't, I wasn't at the organization, but from organizations I've seen and just

(49:51):
kind of try to dig into, a lot of it comes down to policy, procedure and least privileged access.

Kyle Rosendahl (49:57):
And I think it is a least privileged thing. But it's also a, you know, it says in the article they had access from November 25th and discovered it on January 5th. It's crazy, I mean, they had almost a whole month and a half in the system to pull data via the API where there was an ongoing breach that, that wasn't known about.

(50:18):
That, that's a very, very long window, right? So, while, yeah, there's probably an issue with how those tokens were generated for the API access, and, and something either got leaked or brute forced or stolen somehow for them to get that access, or maybe there's a vulnerability that nobody knows about in this specific API platform.

(50:39):
Um, you know, we don't know how that happened. But there's also a problem of detection here, right? Because if you see 37 million records being accessed from somewhere you don't recognize, you know, usually that sets off alarm bells, especially in the defender's mind, of, you know.

(51:03):
If you're doing your job and you have the detection capabilities and you're logging what you need to to find these things, typically you'll at least get an IP address of where these things are coming from, where they're going to, regions, you name it, and maybe these attackers were very good and had

(51:23):
a lot of extra information and were able to blend in to the environment. But when it's so many records like this over this period of time, you know, you have to think there was a chance to detect it and, again, we don't know the specifics. So I'm just, you know, throwing out ideas as someone who's worked on the blue team for a few years now as well.

(51:49):
Well, thank you, Matt, for joining us here today. It's been a fantastic conversation. I feel like we hit on a million and one things and didn't go nearly deep enough into any of them to do them their full justice, but very much appreciate having you on here. I appreciate it. Yeah, thank you. If you want to hear more of the Audit, feel free to find us wherever you can find a podcast. We're on Spotify, Apple, even, I think, on Amazon now.

(52:11):
And if you want to learn more about IT Audit Labs, what we do, find our links to our socials, go ahead and head out to itauditlabs.com. Thanks, all.

Nick Mellem (52:21):
Thanks, guys.

Kyle Rosendahl (52:22):
Thanks, all. Thanks, guys, thanks. Bye.

Eric Brown (52:26):
A well-designed framework will reduce organizational risk and improve overall security posture. Contact IT Audit Labs and have us lead your team in outlining a strategic approach to remediate organizational risk.