
February 24, 2025 39 mins

Think audits are just paperwork? Think again. They’re the frontline defense against security gaps, data breaches, and unchecked access. 

In this episode of The Audit, we break down how Elon Musk’s unexpected access to FEMA’s sensitive data underscores the critical role of audits in organizational security. We reveal how regular audits and third-party reviews expose vulnerabilities, enforce accountability, and strengthen cyber defenses before attackers can exploit them. 

Key Topics We Cover:

• How audits uncover hidden cybersecurity risks
• Finland's cutting-edge approach to cyber resilience
• Why tabletop exercises and real-world drills are game changers
• A shocking social engineering attack at a library—and what it teaches us

Cyber threats evolve fast—don’t wait until you’re the next headline. Whether you're a cybersecurity pro or just getting started, this episode is packed with actionable insights you can’t afford to miss. 

Like, share, and subscribe for the latest cybersecurity news and expert analysis! 

#Cybersecurity #Auditing #Infosec #SocialEngineering #SecurityNews 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
Welcome to the Audit, presented by IT Audit Labs. I'm Joshua Schmidt, your producer and co-host. We're joined by Eric Brown and Nick Mellem. Today we're going to do a news episode, but first we have our icebreaker question. Guys, what was your first job? We've all had a first job. Probably not the one we're in now.

Nick Mellem (00:21):
Yeah, that's easy. Two weeks to my 14th birthday, my mom drove me up to Byerly's Grocery Store in Roseville and I had my first interview and I asked for a job to be a bag boy. So I worked at Byerly's in Roseville for like, oh man, eight years or something, doing all kinds of things. My first job was a bag boy there. Bag boy, yep, a couple hours a night after work my mom would

(00:46):
drive me up there, and a couple hours on the weekends, all you could do.

Joshua Schmidt (00:48):
Do you remember how much you made an hour?

Nick Mellem (00:49):
Oh my gosh, probably like $5.85 or something, not very much, but hey, you didn't need much back then when you were 14 years old.

Joshua Schmidt (00:59):
Nice. How about you, Eric?

Eric Brown (01:01):
I'm trying to think if it was either paper boy or snow shoveling. I lived in Frederick, Maryland, at the time, and the apartment house that we were living in, it was like an apartment in a house. I was in fourth grade and it snowed, and it didn't snow often in Frederick, but it snowed and I think I got 20 bucks for

(01:25):
shoveling the sidewalk in that apartment house. But I can't remember if I was doing that before I was doing... I think I was doing that before I was doing a paper route.

Joshua Schmidt (01:36):
Nice. State bird is the Baltimore Oriole.

Nick Mellem (01:39):
Fun fact. What age are you shoveling driveways at? I have fourth grade, so whatever that is, I don't know.

Eric Brown (01:44):
What is that, 10? How about

Nick Mellem (01:46):
you?

Joshua Schmidt (01:47):
Yeah, yeah. My first job was raking leaves and doing yard work around my community for $3 an hour. Uh, my buddy and I split $6 an hour to rake leaves, but the first actual real job... So you know I was entrepreneurial from a young age. The first real job was working at a golf course. I got to pick the range. You know, sit in the cart with the picker and listen,

(02:10):
listen to music and pick all the balls and then let everybody try to smack, smack.

Nick Mellem (02:15):
You drive by.

Joshua Schmidt (02:16):
Yeah, and we didn't even have a cage. Oh really.

Nick Mellem (02:19):
They just had you out there. We were just, yeah, did they put a hockey helmet on you or something? Just like?

Joshua Schmidt (02:25):
No, just nothing.

Nick Mellem (02:26):
Went out there, just got it done. That sounds like an insurance nightmare nowadays.

Joshua Schmidt (02:30):
Yeah. Well, the thing that it taught me to do was, you know, be able to parallel park, back up a car at high speed. You know, essentially driving the golf carts. Good introduction to driving vehicles down the road.

Nick Mellem (02:44):
That was like the most fun thing you could do as a kid, though, is to drive a golf cart. Like if your dad took you golfing or something, you were like praying that you could get to like the second or third hole quick, out of sight from the clubhouse, and you could take the reins of that golf cart. Oh, we had quite a bit of fun.

Joshua Schmidt (03:00):
We used to drive the, uh, golf carts to the top of a huge hill and then put it in neutral so the governor would turn off.

Eric Brown (03:07):
And then just send it. Yeah, just send it.

Nick Mellem (03:10):
Yeah, good time, good time. I've got some stories about that, but we should probably move along. I still like driving the golf cart.

Eric Brown (03:18):
You know, I'd rather drive the golf cart than play golf.

Joshua Schmidt (03:21):
There's always one around the clubhouse that doesn't have the governor on, and it can just go as fast, as fast as hell. I would think we could disable the governor too.

Nick Mellem (03:29):
Couldn't you? Yeah, can't you? Could you just lift up the seat and reach your hand in there and press, yeah?

Joshua Schmidt (03:33):
Yeah, they got to have those for the rangers so they can catch up to the delinquents out there. Yeah, all us three out there raising hell.

Eric Brown (03:41):
It's fun too. You get that golf cart out, first thing in the morning when it's all dew on the grass, get going downhill, power slide that thing.

Nick Mellem (03:50):
Yeah, hammer the brakes, get yourself 90 degrees in no time.

Joshua Schmidt (03:54):
Yeah, you guys are speaking my language.

Eric Brown (03:57):
We were doing a, uh, work outing, this is years ago at another company, and sometimes at these work events people get into the alcohol a little more than they should. I don't say, and I'm recalling somebody, this wasn't me, but they tipped over the golf cart and somehow it got

(04:19):
submerged into the pond and the people couldn't get it out because of the incident. But yeah, I was like, wow, you know that people, uh, you can have a good time with those things, especially when you mix alcohol. I want to know what the golf course does.

Nick Mellem (04:36):
Do they charge the patron that's doing that, that damages the vehicle? Like, do you need to pay for that? Well, they charge the company. The company had to pay for it. So if we go golfing with IT Audit Labs, we're good. You're good because we don't have alcohol, so, yeah, you're all spread.

Joshua Schmidt (04:51):
Well, I mean, I don't think I need alcohol to send a golf cart. I mean, I can pre-game it at the office if you want me to put a dent in your, uh, Costco. You know, Josh, your bar's open. Bar's open, yeah. Okay, well, we're going to get into this news episode today. This was something that Nick had brought up and I thought it

(05:12):
was related to auditing. It's a lot in the news right now around DOGE and Elon Musk's attempt to put the reins on the spending and check where the money's going. But it kind of brings up the topic of auditing in general, the importance of auditing. Um, and you know, some of those concerns that we're hearing a lot in the news I thought we could talk about today, of, um,

(05:34):
whether they're, you know, based in reality or fact or, you know, kind of unfounded. So, um, this article is from The Hill. It's titled "Noem Defends Musk's Access to Personal Data" and it says here the Department of Homeland Security Secretary Kristi Noem defended tech billionaire Elon Musk's access to sensitive data housed within the DHS's Federal Emergency

(05:55):
Management Agency, FEMA, saying he's conducting a necessary audit of the federal government. In an interview on CNN's State of the Union, anchor Dana Bash asked Noem about reporting that Musk and his team at the Department of Government Efficiency have gained access to FEMA-sensitive disaster data, including personal information on tens of thousands of people. And it keeps going on here to kind of describe how Noem

(06:16):
defended that this is necessary, but I wanted to kick it off by asking the question, you know, why are audits necessary? Why can't we just ask the guy in charge if everything's gravy? Can't we just get on autopilot? I mean, the business or the government's been going a certain way for years. Why do we even need an audit?

Nick Mellem (06:38):
Yeah, I think for me it's pretty easy, right? It's checks and balances, making sure everything is going all right. Things come out that are new. We want to make sure that we're using best practices. A lot of times, especially the people that are auditing, they're doing this every day. The people that aren't specifically auditing or working in the systems, their job is specifically that data, but they're not auditing or

(07:01):
checking what could be the best, latest process and procedure. For example, like in the military, one common tactic is a left seat, right seat system. If I'm over in a combat zone and I've been there for seven or eight months, somebody might ride along periodically to make sure we're following rules and procedures, and then fast forward to the end of a deployment, somebody new is coming in.

(07:21):
You will have a left seat, right seat system where they ride passenger for a few days and then they'll take driver, and then, you know, the previous driver will go to the passenger seat. And those are similar to audits to me, because you're making sure everybody's following those rules and procedures on exit or entry of a combat zone. Now, and it's still probably the most grand scale, right,

(07:42):
right, the federal government, you know, it's always going to be necessary to do an audit. So I think, especially me, I totally agree with Kristi here, writing this article backing DOGE and

Eric Brown (07:54):
Elon.

Nick Mellem (07:55):
I think we need to forget about who's probably actually doing the audit and why it's important to do the audit. In systems from IT to expenditures at the Treasury, things can get pretty egregious quickly. Expenditures on anything. We need to audit systems that maybe somebody turned something off, right? Keeping it in simple terms, that should be on, or maybe we

(08:16):
figured out a better way to do things. And I think that's a part of our offensive mindset, is we might not always know the best thing in the moment, but with trial and error we will figure out the best way to run these systems and make sure they're humming along to protect these organizations. And I think that's why we're so proficient with auditing and why it's so important that organizations that aren't auditing every day have a third party come in to

(08:39):
comb through their system and make sure that they're running those systems how they should be.

Joshua Schmidt (08:48):
Great answer. Thanks for that. I'm assuming Eric has something to say about this. You've been talking a lot about the Elon Musk book. I'd love to hear your thoughts on this topic, Eric.

Eric Brown (08:53):
Yeah, outside of Elon Musk or whatever agency or government agency is looking at another government agency, I don't care too much about that, but the principle behind it, and unfortunately, in this situation, it's one of those situations where it's a, we'll call it a hostile or an unwelcomed audit,

(09:15):
and that's never fun, just like it's never fun if you go through an IRS audit, right? That's not a fun thing, where you're saying, hey, come in and take a look at my stuff to make sure that I've done X, Y and Z. In organizations that we work with, most of the time it's a friendly audit where they're inviting us in and saying, hey, we think we need some help in

(09:36):
this area, can you take a look? You're really seeking to understand, and that's what we try to do when we come into an organization and do an audit. Or they might have a managed service provider that they're working with and they ask us to come in and, is this managed service provider doing everything that they say they're doing contractually? I think in this case it's just one of those unwelcomed audits,

(09:57):
probably necessary. And I go back to the, I was just trying to find it here. There was an airline flight, and I don't remember which one it was. I believe it was an Asian airliner. There was a cultural norm where the co-pilot was not

(10:18):
comfortable questioning the pilot, even though, as Nick said, they have left seat, right seat, they have an equal set of responsibilities. Yes, the captain is ultimately responsible for the aircraft. However, it's the co-pilot's responsibility to make sure that the items on the checklist are performed. The co-pilot will have their own set of responsibilities

(10:41):
the captain needs to make sure are performed. In this particular case, there was a problem that the airliner experienced. The co-pilot recognized it and, I believe, brought it up to the captain, but the captain either didn't acknowledge it or the co-pilot wasn't comfortable bringing it up to the captain

(11:02):
because of that cultural norm, and there was an accident as a result of that, right? There was a problem and the problem wasn't addressed. And that could be the same thing in any organization, regardless if it's the, you know, Treasury Department, FEMA or whatever it

(11:22):
is, right? It's, could there be practices that are going on in the organization that you're not comfortable with, that because of a reporting structure, you can't take that up to your manager and say, hey, you know, you're doing this wrong, right? That probably isn't going to go over well, unless the culture is really advanced in that organization. Sometimes it takes the third party to come in and really, you

(11:44):
know, take a look, right, take a pretty thorough look at what's going on in the organization and potentially uncover some things that could be improved. And maybe they're doing everything 100% right, which I hope they are. Would it hurt to have a second set of eyes come in and take a

(12:06):
look at their environment? Probably not. As a taxpayer, do I want to see this done? Absolutely, and I certainly welcome, and I don't know if the forced audits are the right way to go or not, but I think some form of third-party oversight of these places that are spending lots of taxpayer

(12:27):
dollars is a good thing.

Joshua Schmidt (12:29):
That's a great answer, Eric. That brings up the topic that I wanted to get into a little bit more of, you know, extending that trust to an auditing team, right, because basically you're giving someone the keys to the kingdom, right? They can go into the back door, they can see everything that's going on. So if you're leading a team to do an audit, what kind of guardrails do you have in place within your team to, I don't know,

(12:50):
kind of quell any anxiety that the organization might have around you having that access?

Eric Brown (12:58):
So we run into this, an organization being comfortable with giving us, essentially, the keys to the kingdom. So what we like to do is come in and really have a clear plan on here's how we're going to perform this audit. Here's what we need from a privilege perspective, and always operate from the least privileged model and make sure

(13:19):
that when we do access the environment, we're using MFA and all the right controls in order to get access to that environment, but then only accessing the environment that we're scoped to test. So it's upfront, making sure that you have a good, clear scope. Now, of course, there's some cases where it's an audit of how

(13:40):
the organization's controls are actually put into place. So, is the organization challenging us, or are they asking us to show a badge or whatever it is, if it's a physical test? But if it's a test where everything's above board and everyone's aware of the full scope,

(14:10):
then I think that's the way to alleviate some of those concerns that teams may have. There's plenty of times where not everyone needs to be in the loop, depending on the type of tests that you're doing, but again, you can scope that and make sure that the people who do need to be aware are aware.

Joshua Schmidt (14:24):
So just to kind of finalize this thought, are there any inherent security risks to doing an audit?

Eric Brown (14:31):
I think so, right. Anytime you're giving somebody access to your environment, I see two risks that you face. One is, could something happen from the security team? So a member of the security team who does have now enhanced privileges to your environment could, could they do something

(14:51):
nefarious, either accidentally or intentionally? Right, that is a risk. And the other risk is, do you have, then, insider behavior that happens as a result from now the lens being more closely inspecting things internally? Like, does that kick off other

(15:13):
activity in that environment that might be against what the business wants?

Joshua Schmidt (15:20):
Musk is going after waste and fraud. Have you guys ever uncovered anything that was beyond what you might have initially set out to discover in terms of fraud or abuse? I know you guys do often stumble on some strange things from time to time.

Eric Brown (15:36):
Fraud and abuse, I think, are interesting terms, in how you define that. I would define fraud or abuse in the scope of an audit or an examination of an environment's practices as someone or an entity knowingly deceiving an organization.

(16:00):
So if you had a managed service provider, for instance, that was supposed to be doing A, B, C and D and they were only doing A and B but charging for A, B, C and D, then that's fraudulent, right, that's abuse. If they were supposed to be doing A, B, C and D and they were doing it to what they thought was the best of their

(16:21):
ability, but maybe it wasn't what you would consider an industry standard level of ability, I don't know that I would categorize that as fraud or abuse, other than it was maybe just a lack of knowledge on the perspective of, you know, that MSP that was engaged, but maybe they weren't doing it

(16:44):
intentionally. Should they have had controls in place in their organization to examine the work that maybe a more junior person in the organization was doing? Well, absolutely. But that's the purpose of a routine audit or security review or whatever you want to call it, just to make sure, because

(17:06):
we're all infallible, I mean we're all human. So certainly having those checks and balances, like Nick was saying early on, is a good thing.

Nick Mellem (17:16):
My big portion was just going to be the communication. Right, I think it's important that everybody's on board before you start doing it. Uh, so that was the point I was going to bring up. But going back to your other question, I think we do, I don't think it happens very often, see things that we would classify as, right, you know, wild or crazy or egregious. You know, we might see those more like in a penetration test

(17:37):
where you'll stumble across something trying to get in, but generally in an audit that, you know, I'm usually involved in, it's helping organizations be compliant in a specific area. So generally you're not stumbling across anything too crazy. Maybe super out-of-date policies might freak some people out, but for the most part we're pretty good.

Joshua Schmidt (17:58):
All right, we're gonna move on to the next one. I thought this one was interesting. You know, Nick, with your military background, I'm sure you kind of found this interesting as well. But Finland is systematically addressing cybersecurity with national exercises. So tabletop exercises, right, something we've been talking a lot about lately. Last week, many heads and hands within the Northern Finnish municipal sector and critical infrastructure operators were

(18:21):
trained in dealing with various threats in the cyber domain. This is coming from High North News. The title is "Finland's Strength in Cybersecurity in the North with Extensive Exercising". Yeah, it's pretty cool to see a whole sector of a nation mobilized to perform a tabletop exercise and kind of run through some scenarios for security that might fortify them in the

(18:44):
future. So kind of my first question to kick this off was, how does this approach from Finland... what can we take away and learn from this type of posture if we're applying it to our organizations or even our own personal security?

Nick Mellem (18:57):
When I first started reading this article, the first thing I thought of was how cool it is that they got a whole country on board to run an audit, right? And now we don't know the behind workings. You know, people might be upset about it. Right, some people are on board, some aren't, but on the grand scheme, that they got a whole country involved to do this, I wish we could see this more often.

(19:17):
Just in the last article we were talking about having communications to get everybody within a relatively small organization on board for an audit, and we're talking about a whole country. If there's an outage of any kind, no matter what system it is, coming back from that or trying to fail over to something, it's going to be a little bit clunky, right? Like there's going

(19:38):
to be some processes that people are relearning or whatnot. But you know, maybe, instead of it being like, you know, very, very clunky, right, 60 to 70 kind of a disaster, right, if people don't practice these things, maybe it's 10 to 20, right, where we're just, we're pretty good, we're clicking on all cylinders and they're failing over and they're bringing up these procedures as they need to. So I think anytime you can practice something that is not

(20:01):
your day-to-day operations, it's going to set any organization up for success.

Joshua Schmidt (20:05):
Absolutely, and we work a lot in the SLED sector, right, with SLED, and I actually just had a really interesting conversation with Trista, Eric, who you set me up with, and just a little teaser, she's going to be a guest in a few weeks, and she takes care of some trash management there in Ramsey County where they have robots and AI, you know, going through trash, and we work a lot in the public sector, right.

(20:26):
So I thought you might have some thoughts around how important this is to kind of fortify those public services and maybe share some insights.

Eric Brown (20:34):
In the roles that we play, for some of the organizations where we come in as cyber leaders or technical leaders, one of the things that I like to do, and I don't necessarily announce this within the organizations, but I like to continually drill, yes, both

(20:54):
through tabletop, tabletop is great, but also through live scenarios where you take a problem that is happening in the organization and the people that are working on that problem share with the rest of the team the why behind it, what they're doing or how they're doing it, so everyone learns.

(21:15):
A recent, for instance, is working with an organization. There was a large number of devices that had outdated software on it and, for whatever reason, the organization was having difficulty removing the software from those devices and

(21:39):
it had been going on for quite a while. Sometimes you have to let these things play out and see what happens, and in this particular instance it seemed to have played out long enough where action needed to be taken, and that action was the security organization had direction to go in and remove

(22:03):
the legacy software that had not been, for whatever reason, updated, and it was an interesting drill that showcased, okay, if we did need to remove something quickly, how would we do it? What does it look like within the organization around, who are the players that are going to have resistance?

(22:23):
Who's going to help? What's leadership's take going to be? How high up in the organization is this going to bubble? Do we have an organization that's more security-minded or more user-minded? So I don't talk about all of these things when I'm in the organization. I just said, hey, here's what we're going to do. We're going to do it, get that off of those machines, and then

(22:45):
let all of these things organically play out, to see and learn from what happens if this was a real-world scenario and we need to get something off of those machines quickly. And the more disturbances you have in those environments, like removing old software, forcing patches, forcing reboots, all of these

(23:07):
things that instigate instability actually help the organization, because then, when it's time to do something drastic, that just becomes another Tuesday, not an oh my God, we got to breathe into a paper bag moment.

Joshua Schmidt (23:25):
And then going through those repetitions really helps iron things out. So I find it interesting that you said that you kind of get it started and kind of observe what's happening, and then you can kind of point out the weak spots or maybe the bottlenecks in the process. It also is not lost on me why you enjoy game night now. I had a light bulb moment in talking through this with Tim Herman, who will also be on the show, coming up talking more in

(23:48):
depth about tabletop exercises in a couple of weeks, and one of the things that I thought was really cool that really related to what was the game we were playing. Eric, was it Death on the Clock?

Eric Brown (23:58):
Oh yeah, Clock Tower.

Joshua Schmidt (24:02):
Blood on the Clock Tower. Blood on the Clock Tower, yeah. Yeah, yeah. Well, like Blood on the Clock Tower, where we go through cycles of day and night, I recently learned, you know, in a tabletop exercise it's not uncommon to go through a cycle and then role play and then go to, okay, the breach has already happened. We've done the first round of mitigation and cleanup. Now it's the next day and the press is here, and now what are

(24:25):
we going to do? And then we can kind of role play each stage of it, not just the initial breach. So how have you seen that fortify security in organizations that you worked with, when you're not just working on, necessarily, when the breach happens and what's going to happen then, but also several days down the road?

Eric Brown (24:44):
Nick, I know you've got a lot to say on this too, but I'll just jump in on this one and kind of tie it into what I was saying before. When you do have those opportunities to shake the environment up in a way that is, on the grand scheme of things,

(25:05):
not detrimental to the environment, like I knew that taking this piece of software out was at the most going to cause a few users a minor inconvenience, but at the end of the day, not a big deal for most of the organization. And internally there was a lot of consternation on the help

(25:26):
desk about, like, oh, we're going to get all these calls. No, you're not. And it turned out that they didn't get very many calls. Sure, there was a few things that went bump in the night, but it was good to see how all of that played out. And I think sometimes, from the layman's perspective, not seeing the big picture, just being a player at the keyboard,

(25:50):
sometimes they might think I'm a bit of a cowboy, right, we're coming in and just making these changes without having thought through all of this. But, believe me, I'm playing chess, I'm playing Go. I've seen this, I know how it's going to work out before I even talked about it happening. Just cool to see.

(26:11):
Like, okay, yeah, we're going to. And I check myself around, oh, did you know? Did it play out as I thought it would? Or were there areas that, you know, maybe they didn't work out so well, so that when the next time we do this then we can even be better at it. And we love helping organizations go through that maturity curve of, like, you know, just showing that it's going

(26:34):
to be okay. Right, it's going to be all right. Things are going to continue to work. Um, and to answer your direct question around, um, how does this help an organization? Or what do we do in the aftermath? And that role-playing tabletop exercise of breach and then post-breach, we're really good at that breach mitigation.

(27:00):
You want to bring us in when the building's on fire. I myself personally get bored when the fire's out, and now we're sweeping up and doing whatever it is we need to do. Nick is great in that role. Nick is great as a maintainer, a builder, a coacher. So we work well together in that scenario of, like, let's get

(27:24):
it clean, kind of a battle general type of thing. And then Nick is a good peacetime general, and not to pigeonhole you in that, Nick, everybody love everybody.

Joshua Schmidt (27:39):
So, Nick, what's your favorite part of the process, and how have you seen this type of tabletop exercise play out and help organizations with their security?

Nick Mellem (27:49):
I don't know if I have a specific favorite part. I think for me it's all of it, because it's the end goal. It's having the organization walk away at the end and be like, have maybe that aha moment of, wow, that either wasn't so bad or we learned a lot and we really weren't as prepared as maybe we thought we were. For example, this is three or four years ago.

(28:10):
We did one that I'm just thinking of off the top of my head with an organization, well known. They're first responders and they need to practice, you know, these outages or what have you, similar to their version of a tabletop exercise. Well, they hadn't practiced it in maybe close to 10 years, and I think they all had a really good time doing it, right,

(28:30):
because it's their jobs, and they kind of got to play in the Super Bowl when they maybe don't, right. For example, a firefighter, right, they generally aren't putting out fires every day. They might be responding to a car accident, but in this tabletop exercise they got to simulate what it was like to actually do their job. So I think a lot of them like doing that, and I think that's what's cool for us is we get to help and coach them through that,

(28:52):
have those moments to become whole again or be ready for the Super Bowl, as we're using for an example. But yeah, I think a lot of organizations do want some bit of a cowboy mentality, as Eric said, because maybe they're just afraid to press the go button or enforce these rules, get rid of these applications, change up a process.

(29:12):
Right, we're sending out maybe a 150-question questionnaire to a vendor to answer security questions when maybe we come in and we can help them meet all their compliance with 20 questions. But when you can get everybody to kind of hum along and play on the same sheet of music, you know, for me, if I had to answer your question, Josh's favorite part, it's maybe the worst answer

(29:36):
I could give, but it's at the end, when everybody's high-fiving and happy that, you know, IT Audit Labs is there to maybe be that cowboy to push them through, and now they're ready for, uh, for lack of a better term, uh, doomsday. Now I know why you guys also like Wild West Hackin' Fest.

Joshua Schmidt (29:52):
You get to do a little cowboy role-playing.

Nick Mellem (29:55):
Coming in on horses .
You know that.

Joshua Schmidt (29:57):
Six shooter on there.

Nick Mellem (29:59):
Getting everybody in line.

Joshua Schmidt (30:00):
Right on.
Okay, cool.
Well, thanks for that, guys.
We're going to go to the nextone.
This is our final article forthe day.
We've talked a lot about AI andsocial engineering.
I'm just going to read thetitle of the article.
Here's from hacker news aipowered social engineering
ancillary tools and techniques.
It says here the uh socialengineering is advancing fast,
at the speed of generative ai.

(30:21):
This is offering bad actors multiple new tools and techniques for researching, scoping and exploiting organizations. In recent communications the FBI pointed out, as technology continues to evolve, so do cybercriminal tactics. And just pointing out, you know, we've talked a little bit about voice cloning and manipulating people through phishing techniques and using language models.

(30:43):
But this even goes a little bit further into some things we haven't really spoken about, and one I wanted to pull out was this open source intelligence investigation done by AI. So it seems like there are platforms out there that bad actors are using to kind of perform an OSINT technique, and then they're using AI to kind of gather information

(31:05):
quickly and then make connections between potential other victims that they could springboard off of that. What can you guys do as security experts to mitigate that risk or reduce organizational risk around the footprint that everyone's putting out there? Do you talk a lot about social media and online hygiene at

(31:26):
companies, or how do you handle that?

Eric Brown (31:29):
So yes, can I ask a question first, though? Absolutely? Nick said he was getting a new cat. Do we need to have a naming thing again? We'll send out a poll after the show. How many cats?

Joshua Schmidt (31:44):
It's like, man, I don't know what's going on down there. Well, Samuel's cat's named Exploit.

Nick Mellem (31:47):
That's a cool name. I found out yesterday.

Eric Brown (31:51):
Maybe call it Austin or something of that nature. Yeah, on the list. So, yes, talk about... I like to talk about social media in, like, just brown bag lunch sessions with people in the organization who want to come and learn how

(32:11):
to protect themselves and their family and their personal lives. You know, the same old story: freeze your credit. Watch what you do on social media. Multi-factor authentication, and that multi-factor authentication piece is probably the piece that plays most in the corporate environment. But having that multi-factor in place is going to help a lot

(32:36):
and I think that's... we've just got to have multi-factor everywhere, everywhere.

Nick Mellem (32:42):
It's not an option anymore. YubiKeys, all the things. I'm going to jump in here on this one too, because fairly recently we had a situation that I was involved with, and one of the organizations is they have a library, and there's a patron using the computer there and they had asked the librarian if

(33:04):
they could download an application, and so our whole thing is, right, we're not spying on any patrons or anything like that. But when we get an alert from CrowdStrike, you know, we can't ignore that. So the individual downloaded the application. They're simultaneously on the phone with the threat actor. One of our security engineers picked up on this through CrowdStrike because bells started to go off, they were downloading this malicious application, and they called the

(33:28):
library and asked the librarian if they could speak to the individual, because they think there's something nefarious going on and we want to make sure we protect our patrons. Talked to the individual, stopped it in its tracks, he realized in that moment he was wrong, and potentially saved this guy a lot of trouble. So I just wanted to give maybe a worst case, right, of these

(33:50):
things that are happening, because it evolves around social media. I believe how it started was through Facebook, so, you know, it doesn't speak to generally why it's important to have MFA, but it's all around the security topic of training people, right, that these things happen, right, that these emails that are coming in, we've talked about a hundred times, phishing emails and whatnot, but just that security mindset, that

(34:14):
having MFA on your machine, I think, is just one. That's another step to people being aware. Right, if we can create one thing, it's awareness and doing things that we preach all the time, blocking your credits. Another example, setting up MFA even for social media is extremely important. We've all had our grandma, mom, uncle, aunts get hacked on

(34:36):
Facebook. It's just the best example. They put a random post out there, they start friending all their friends, or they change the language in their Facebook and now they can't figure out what's up and what's down.

Eric Brown (34:48):
Nick, are you saying that in the library use case example, there was a patron, a member of the public, was using a library computer, was the subject of a fraudulent attack by a threat actor. The threat actor asked the person who was using the public

(35:11):
computer to install something. The person then went to the person in charge of the library, librarian, whatever, to get permission to install this application, because the threat actor had socially engineered them into doing that, and then, because it was a public machine

(35:32):
that was under greater cybersecurity management, the threat was detected and stopped. Sadly, all true. And if it were not a public machine that had the protections in place of a large organization, it's likely that

(35:55):
that user would have financially fallen victim to whatever that threat actor was doing.

Nick Mellem (36:03):
I would say it's all but 100%. Got it.

Joshua Schmidt (36:07):
It seems like maybe there should be some kind of a public campaign at the libraries around cybersecurity. These things tend to happen on these public computers and I don't really, you know... I think the schools probably are a little bit more aware of this, a little more safeguards around the students. It seems like libraries might be one of the main attack

(36:27):
vectors for something like this. Libraries are a whole different beast because of the Data Privacy Act items.

Nick Mellem (36:35):
We don't want to infringe on their privacy, but we want to make sure that they're being used appropriately and users are not going to fall victim of a crime of this nature. So, in effort of being good stewards of data and helping anybody out, from an organization to an individual, that's our duty to make sure that this doesn't happen.

Joshua Schmidt (36:57):
All right, well, are we on to cat names then? You guys got any good ones?

Nick Mellem (37:06):
I don't... give it up to you guys. I can't come up with a single good cat name, but you guys seem to pull them out of your bag of tricks. Nick, it's too many cats. I'll just say that we're going to have to chat about too many cats.

Joshua Schmidt (37:16):
It's got to be something cool.
It can't be like Marshmallow.
No.

Eric Brown (37:21):
We were talking about doing pet insurance also as a benefit at IT Audit Labs, but Nick's going to break the bank on that, so I've got to roll that back.

Nick Mellem (37:34):
You can take...

Joshua Schmidt (37:35):
But I have to be able to take another insurance policy. Yeah, well, I think, you know, the cybersecurity angle would be a good one to keep your eye on there, Nick, if you want to beat us, old Sam over there with the Exploit.

Nick Mellem (37:47):
I'll be herding cats over here. Always.

Joshua Schmidt (37:50):
Yeah, well, that's a great place to leave it today. Thanks so much, gents, for your time. It's been a fun conversation. You've been listening to the Audit presented by IT Audit Labs. I'm Joshua Schmidt, your co-host and producer. We've been joined by Eric Brown and Nick Mellum of IT Audit Labs. Please like, share and subscribe. We have episodes every other week, lots of shorts, and we're living on Spotify these days with video, and you can also check us out on LinkedIn.

(38:11):
If you'd like to connect, visit itauditlabs.com.

Eric Brown (38:14):
We'll see you soon. You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact. Or our security control assessments rank the level of

(38:38):
maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our

(38:58):
socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.