
October 7, 2024 38 mins

In this episode of The Audit by IT Audit Labs, we sit down for an in-depth conversation with Eric Brown to explore the crucial topic of personal information security.  

Eric breaks down essential strategies for protecting your data, starting with freezing your credit, leveraging password managers, and implementing multi-factor authentication. He also dives into how these personal security measures directly tie into a broader corporate security posture. 

In this episode, we cover: 

  • Credit freezes and why they’re your first line of defense 
  • How email breaches occur and what to do when your account is compromised 
  • Why password managers and passphrases are game changers for security 
  • The role of multi-factor authentication in thwarting attackers 
  • Tips for maintaining privacy in an era of data mining and social engineering 

Stay tuned as we dive into the details and explore how securing your personal data can help protect your organization from threats. 

Make sure to subscribe to The Audit on your preferred podcast platform to stay up to date on the latest insights from IT Audit Labs! 

#cybersecurity #datasecurity #personalinformationsecurity #informationsecurity 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:03):
Hello, welcome to the Audit, presented by IT Audit Labs. We're joined today by our CISO, Eric Brown, and I'm Joshua Schmidt, as always, your producer and co-host. Today we're sitting down with Eric to have a fireside chat, without the fire, about what Eric does day to day, how IT Audit Labs helps organizations shore up their personal and data info security, and kind of get into the nitty-gritty details and get a really good insight into how Eric views security from a high level and from a personal level as well.

(00:25):
So, without further ado, we're going to turn it over to Eric Brown. We're going to talk in depth today about personal information security.

Eric Brown (00:39):
Hello, you're listening to the Audit. My name is Eric Brown and I'm the Managing Director of IT Audit Labs, and today I want to talk about personal information security. This is something that we get asked a lot about by our customers, and we've done a few podcasts on this in the past, but I want to refresh the content for 2024. We're coming up on Cybersecurity Awareness Month, and I want to consolidate what we have into a quick, consolidated format that can be used throughout the year.

(01:01):
As I said, we get asked a lot about personal information security and how that bridges the gap between personal security and then corporate security, and the two are linked, and we often come into organizations, we'll present at the board level or senior leadership level, to essentially showcase to that team the importance of information security and how it's relevant to those people.

(01:25):
So I'll start by saying that all of us, most likely all of us who are listening to this, have been involved in a breach personally at some point or other in our lives, and you get that breach notification email that says your data, might be your social security number, might be some other personal information about you, has been involved in a breach, and it's not your fault.

(01:48):
It happens because somebody that you trusted your data with had poor data security practices and that information was compromised. Now what can you do about it? There's quite a few things that you can do about it, but first it's just understand that if it hasn't happened yet, it's likely that it's going to happen, and it can go from something that is a major annoyance and takes a lot of your time to resolve to something that is just like, oh okay, that's a Tuesday, it happened, not that concerned about it.

(02:11):
So, number one, then, I'm going to start with. The first thing that you want to do is freeze your credit.

(02:34):
So there are really three reporting bureaus: Experian, Equifax and TransUnion. Those are the consumer bureaus, and there's a fourth bureau that not a lot of people have heard of. It's called Innovis, I-N-N-O-V-I-S.

Joshua Schmidt (02:49):
And.

Eric Brown (02:49):
Innovis is responsible for those credit approval letters that you might get saying you've been pre-approved for a loan or whatever it is. But Innovis is using your information to produce a generalized creditworthiness about you. So you want to freeze your credit with each of those bureaus: TransUnion, Equifax, Innovis and Experian.

Joshua Schmidt (03:15):
And you can do it.

Eric Brown (03:15):
It's free to freeze your credit with each of those bureaus. By default, our credit, by the time we get a social security number, is open. It's a flaw in the system, but it is what it is. Unless you freeze your credit, it's going to be open and credit can be taken out in your name, causing long-term downstream impacts that are not good.

(03:39):
If someone opens up credit in your name and is abusing that credit, it could have identity theft implications down the road, which getting your social security number back or getting a new social security number issued is quite a lengthy and time-consuming and often expensive process.

(03:59):
If you do need to open up credit for a loan, you can specify the window of time by which you want that credit opened, and typically what I like to do is, if I'm going for credit, I will ask the organization that I'm working with, say it's a car dealership or a mortgage broker, which reporting agency they use, and then unfreeze the credit specifically with that organization that's going to report credit on me.

(04:24):
The next thing you can do is make sure that there isn't any credit opened up in your name, and that's... Everyone is entitled to a free credit report. So you can go on and get that annual free credit report, and that will tell you what credit is open in your name, and by watching that, freezing your credit, you're doing a pretty good job of making sure that your social security number can't be used maliciously.

(04:46):
All right, so we talked about credit. That's probably the number one way to protect yourself, and if you're not going to do anything else, I would start there. So then, secondly, where we see most breaches start is in email.

(05:11):
So, using your email address as an identifier to who you are, typically we'll sign up for a reward service or whatever service we need, and email is typically an identifier for that service. So there is a website you can go to. It's Have I Been Pwned, and Troy Hunt maintains that website.

(05:32):
He's a security researcher, and Troy has collated millions, if not billions by now, of compromised accounts, and will let you look up at no cost to see if your email account has been involved in a breach. So you can go to Have I Been Pwned, enter as many email addresses as you want, and that will tell you or show you if that email account has been involved in a breach.

(05:55):
It's likely there's going to be something. If you've had that email address for a while, it's going to have been involved in a breach or two, maybe more. Again, not the end of the world. There's things that you can do about that. What you're looking for here is what breach it was involved in and then where you are reusing that login and password.

(06:19):
So if your account was, say, caught up in an Adobe breach and then also in the Ford breach, if your username, which will probably be your email address, and password were different, then that's great.

(06:39):
You just have to change your password for whichever one was breached. If you're reusing the same password, that's where we get into an area where the threat actors love it, because they're able to get to multiple sites using the same login and password, and all of this is programmatically done. Nobody's sitting in their basement of their mom's house banging away on a keyboard trying your username and password.

(07:01):
These are done thousands of times a minute by threat actors that have programs that are just going out and trying to log into a variety of sites using this database of stolen credentials. So what we like to recommend is using two things. One is a password manager and the second is multi-factor authentication.

(07:23):
So, NIST, which is an organization that's put out guidance around passwords and password complexity, they're recommending changing the password only if the password has been involved in a breach or once a year, and they're recommending using a passphrase and coming up with a phrase that's meaningful to you but not meaningful to anyone else.

(07:46):
So "the first day of the week is Wednesday" would be an interesting passphrase, maybe a little long for some sites that haven't adopted the longer phrase passwords, but most sites will take up to 20 characters.

(08:06):
So coming up with a passphrase, again, that's meaningful to you, that is a passphrase, would be a good idea to do, and storing that in a password manager, because a password manager is essentially an online database, could be offline as well, but I recommend an online database that would contain all of your passwords.

(08:28):
If you're like me, I probably have logins to 250-plus sites. I can't remember more than maybe five or six passwords, so I store all of those passwords in a password manager, and then I'm able to just copy-paste from that password manager into the site that I'm trying to go to, and most password managers will have a phone app as well as a plug-in to a browser.

(08:50):
Speaking of browsers, we don't recommend that you store your password in a browser. The browser's job is to give you a portal to the internet. It's not to secure your passwords. They don't do a good job with it. So, rather than using your favorite browser as a password manager, select one.

(09:13):
There's quite a few out there that are some good choices. And then the other piece was multi-factor authentication, or MFA. So MFA is something that you are. So think of it as a fingerprint. Right, that's something that you are. You might use a YubiKey or some other form of a token, something you have, and then something you know, which is a PIN or a password.

(09:35):
So two of those things form multi-factor authentication. Most of us are using that already in our daily lives. Think of facial recognition on your phone. It used to be fingerprint recognition on your mobile device to get into the device, six-digit PIN or something like that.

(10:07):
For that multi-factor authentication, the phone also serves as something you have. So you've got something you have. You've got that something you are, that facial recognition. There's two forms of authentication, and a lot of our corporate environments are bringing in the personal device.

(10:30):
So you're setting up an authenticator, a Google Authenticator, a Microsoft Authenticator, there's other third-party authenticators, on your mobile device, and you're logging into that device, logging into that authenticator, and then it's displaying a number on your computer screen that you're typing into the authenticator, or the authenticator is producing a number that changes every minute or every 30 seconds, and then you're typing that into the application that you're trying to access.

(10:53):
SMS or text-based authentication is another method that you've probably seen for a number of years, where you're logging into your bank and then they send you a text and you enter that number that was in the text field into the website to get into your bank. Moving away from SMS-based, because it is more prone to be infiltrated by a threat actor.

(11:16):
Threat actors, especially in our corporate environment, will create lookalike websites, so they'll send a phishing email that bypasses the email filters that corporations may have, and, probably another podcast on how all of that works, but they'll bypass the filtering.

(11:39):
The user will click on the link. It'll pop up a page that looks a lot like a Microsoft login page or a Google login page. The user will enter credentials, and then it will ask for that SMS-based authentication, and the user types that information in.

(12:03):
It's more of a social engineering attack. It's easier to be stolen if a threat actor has access to your cellular carrier's network, and a variety of attacks that happen on that. That's probably another podcast as well. Just know that SMS-based authentication is less secure than authenticator-based multi-factor authentication.

(12:23):
So you want to set that up on your tier one accounts, like your bank accounts, your password manager. Set those up on there, and then eventually filter your way through your tier two or your less important accounts if they have that ability to do multi-factor authentication, which more and more are.

(12:46):
So next I'm going to get into email security. So on the email security side, we do a lot of business over email. Just as a society, we're interacting over email. We're interacting over messaging. On the email side, there are a few free email carriers out there, namely Google, Microsoft with Hotmail, AOL, Yahoo, maybe AOL a little bit less so now, but there are some major free providers of email, and a lot of us have those email addresses.

(13:10):
The email addresses are free because those services are mining the data in your email accounts, not just yours, but hundreds of thousands of people who use those services, in order to create personas and sell more advertising to us collectively as a society.

(13:33):
So whether or not you want to participate in that unintentional information disclosure is up to you. But to give you an alternative to that, I think those email addresses are great for specific and discrete purposes, like signing up for email where you know you have to interact with a third party.

(13:57):
They're going to subscribe you to a mailing list and you're going to get a bunch of junk mail. That's great. That's a great use for a Gmail address, but for personal information that might be more private to you as an individual, using an email service like a... Protonmail is a service that is going to hold your information private and not disclose that information and use that information to mine data about you.

(14:22):
The downside is there could be a little bit of a cost to them, depending on how much mail or data you have in their service. Protonmail takes it a step further, where the email is hosted in Switzerland, there's no data extradition laws, and all of the data is encrypted, and you can even hold the keys to that encryption if you so desire.

(14:48):
Protonmail also has a VPN service, as well as a data storage and calendaring service. I like them as a mail company because of their integrity behind what they do and how they care for mail that you choose to host with them or data that you choose to host with them.

(15:08):
And then, moving from there into SMS or phone call or phone number management, I should say. Since many of us keep the same phone number for years, there is a possibility that you're going to end up on some form of a spam notification list on your email, and you're going to get those phone calls at dinnertime trying to sell you services, or nowadays it's spamming us with political messaging to get some form of polling from you.

(15:31):
A couple things you can do to avoid that is to have a few different phone numbers.

(15:52):
So again, one that maybe you're going to give out more publicly for signing up for services, and then maybe one that's more private, that you really only keep for close friends, family, what have you. On the maybe less personal side there, Google has a voice service, a VoIP, V-O-I-P, or voice over IP, VoIP service, where you can sign up for a Google phone number.

(16:12):
I think this is a great one for those commercial services, because Google's in the business of mining our data, so let's give them some more spam to run through their engines is the way I think about it. But you could get one of those numbers and you can receive phone calls and texts to it.

(16:33):
There are others, and that's a free service. There are other services that you might pay a little bit of money for that you could do the same thing. One of them is called Burner, and that'll give you, quote unquote, a virtual burner number that you can use, and you can choose how long you keep the number.

(16:56):
And that number might be good for maybe some more discrete purposes. You know, online dating, something like that, where maybe you really don't want to give out your personal number, or even a number that you're going to keep for a long time, like a Google number, and that way, if the interaction is not going well, you can just delete that number, get a new one and move on from that point.

(17:17):
And then, from an offline perspective, one of the things that we could talk about is just thinking more purposefully about what you're doing with your online slash offline content. So are you taking selfies in front of your house with the house number exposed, and then that's making its way online to social media?

(17:40):
Are you posting about your upcoming trip and when you're going to be on vacation, and you have lots of stories or what have you that might have personal information about your residence? Now people know that you are not at home, and that could subject you to maybe some offline malicious activity, so be mindful of that.

(18:03):
And then, when you are driving around town, pick up the mail, what have you, are you protecting your personal information from third-party viewership? So making sure that letters and other things that might be addressed to you aren't face up on the car seat next to you or in the back seat, right?

(18:25):
Just having a little, just being somewhat mindful of the information that you are giving off without necessarily maybe meaning to do so. As long as you're aware of it, that's half the battle. And then the last thing I'll say on that topic is when you are discarding prescription drugs.

(18:49):
A lot of that information is on the bottle. Might be something you don't want to throw in the trash or the recycling without taking off the label. Or a lot of the places where you can pick up prescriptions have a medicine... It's a locked medicine container, drop box, where you can take unused medications and put them in that drop box.

(19:12):
You can do the same thing with empty prescription bottles, where then they responsibly discard the private information on that label. So I think that's it. Certainly open to dialogue on any of these topics. We love coming into organizations and just starting the conversation around personal information security and then relating that to what happens on the inside of an organization.

(19:33):
So going through that email flow of how a threat actor will do some OSINT, or open source intelligence gathering, and we've got a couple of great podcasts on that, but spinning from open source intelligence gathering about a person or a group of people, and then sending targeted content to those people in an organization, and then enticing, sending enticing emails so that those people or person clicks on a malicious link and then enters their password and potentially bypasses MFA protections that are in place, and then the threat actor gains a foothold in the organization and starts to pivot and move laterally, et cetera.

(20:19):
But we come in and we'll do some pretty deep dives on how those flows happen and show some real world examples that we've been involved in, to just educate the leadership and anyone that might be relevant for how these things happen, so the organization can take precautions to prevent that from happening.

Joshua Schmidt (20:48):
So you mentioned a lot there. We talked about freezing credit, checking your credit report, filing your taxes early, talked about email breaches and some tools and some techniques and some common attack vectors. What are the impacts those threats can have on an organization? You know, there's the obvious stuff, you know, having your credit or someone's credit taken out in your name, having your identity stolen, but how does that impact an organization?

Eric Brown (21:14):
A couple of ways to answer a good question. So on the individual side, breaches most of the time start with an individual, so a threat actor could potentially gather more information about that individual to send them targeted communications. So that's going to be enticing for them to click on if the organization is one that the threat actor is interested in gaining a foothold in.

(21:40):
Most of the phishing emails that we see are less targeted. It's kind of automated spray and pray, if you will, where mass communications, hundreds of thousands of emails, are sent, and then the victim, so to speak, clicks on that link. An automated response is coming from the threat actor's environment and they're just moving down that chain, if you will, of infection.

(22:02):
And rarely is it something where you have a human-to-human interaction, where a human is crafting a targeted message and then specifically going after one individual and socially engineering them like we would see in the spy movies.

(22:24):
Not to say that it doesn't happen, but 99% of the emails are all automated and the responses are all automated, with the intent of that threat actor either sending out additional communications to contact lists or getting a foothold in that organization and moving laterally.

(22:46):
So the impact to the organization certainly could be reputational damage. It could be a pivot point where the threat actor is able to access an account and gain a foothold. We see organizations that maybe don't have the controls in place where you would separate out someone that would have local administrator access.

(23:08):
Some organizations allow everyone to have local administrator access and install whatever they want on their computers. It's much easier for the threat actor to bypass the malware controls, if there are any in place, when that happens.

(23:30):
So if an organization maybe is less mature, the impact of phishing could be greater. In addition to the reputational damage, it's the individual damage that can occur if, you know, unfortunately, your social security number is compromised and the threat actor is able to open up credit in your name or potentially use information that they've gleaned about you in order to compromise another victim.

(23:52):
So if someone knew some personal information about someone, they could pivot that information and make it into much more of a compelling story to further compromise someone else.

(24:17):
So we think of the grandmother scenario, where little Timmy's on a trip to Mexico, and then grandma gets an email or a phone call that little Timmy is now hostage in Mexico, and, you know, $2,000 of ransom is needed to get little Timmy freed.

(24:38):
And nowadays, with voice cloning technology that's available for free or at a nominal fee, it's really easy to clone little Timmy's voice and make that much more of an enticing scenario. So along those lines, we recommend families get together and at least have a conversation about, if there is an event that takes place, what are we going to do?

(25:00):
Right, if we're on vacation and we can't get back home, are we going to have a meeting spot? What are maybe some code words, isn't the right word to use per se, but what are some of the language we can use in order to make it much harder to be in that kidnap ransom scenario?

(25:23):
Because if you ask little Timmy what his dog's name is and that information was available on social media, that's not really a great question. But if you ask little Timmy a question that only he might know, that's never been posted on social media, much easier to tell if the kidnapping is real or not.

(25:47):
Certainly, if it is real, you want to get the FBI involved right away. So that's a whole different scenario. But the likelihood of that happening and the kidnapper reaching out to you because your family is on vacation in Mexico is pretty high.

Joshua Schmidt (26:08):
You mentioned phishing attempts there. What are some of the best practices for training employees within an organization to recognize those threats, and how do you approach training a group of people or affecting the culture of an organization to mitigate those risks?

Eric Brown (26:23):
Yeah. So a couple things you can do there. We recommend the regular phishing exercises where you're sending out a simulated phishing attack that's somewhat relevant to the time of year, so kind of this time of year, going into the holiday season, loaded to some of the education around the UPS or FedEx or whatever package notifications, right?

(26:46):
The postal service is not going to send you an email that says that you need to click on this link and pay a fee in order to get a package. Right, it's just not going to happen. But doing some of that education to the user so that they can see these phishing emails in situ, and why they're phishing emails, is really helpful.

(27:07):
Creating awareness. Cybersecurity Awareness Month, October, it's a great time of year to just raise that general awareness about phishing and email security. And then, on top of that, it's really having the right tools and technology in place and tuned in order to prevent those phishing emails from coming in.

(27:28):
No tool is infallible, but there are tools that are better than others, and there's a way to tune those tools to get the most bang for the buck, so to speak. Right, you can, of course, block everything, and then nothing would get in, but you'd miss out on business emails. So you want to tune the emails appropriately.

(27:49):
Generally, they're going to look for things like, was the domain recently created? Pretty likely that a newly created domain is more of a phishing, or domain used for phishing. If the domain is a really long string of characters and numbers that isn't a dictionary word, more of a chance that it's a phishing domain.

(28:10):
And then you could look at the origin of where these emails are coming from. Some of the tools these days are getting into looking at the content of the email and looking for CEO type of fraud, where the CEO is on an airplane and sending out an email saying that they need 20 gift cards by one o'clock and you need to run out and get them, scratch the back off and give them the number.

(28:32):
That sort of stuff can be found through analyzing the content. So it's a multi-phased process, but at the individual level I think awareness, training and just discussion with team members of, you know, that this is happening, and sharing, where maybe somebody on the finance team, who is a frequent target, gets these emails and then is socializing it with other people on the team, phishing email where somebody was trying to change their bank routing information, and having plans in place of what happens if somebody does want to change their bank routing information.

(29:14):
Do we do that all online, or do we require that phone call validation? Or how are we authenticating the person as who they are, who's requesting that change? So that's another thing that we do, Josh, is going into organizations and just having these higher level tabletop kind of conversations that maybe they're not having on a regular basis.

Joshua Schmidt (29:42):
Yeah, that's great, and you know, with your wealth of experience, what kind of impact do you see that having on an organization when it's done well versus when it's been neglected?

Eric Brown (29:52):
One of the things I love to do is you go in and do that initial phishing assessment, and then you come back six months or a year later, after they've had training and conversations and put some practices and controls in place, and just watching that number decrease month over month as people become more aware or report phishing messages, and report phishing, and then are just getting more attuned of what's happening in the organization.

(30:13):
I really love going in and starting with a baseline assessment that's not too hard, but seeing how many people are clicking on the link, how many people are entering information when they get into the link, messages, making them harder and harder and more and more realistic, and then watching those numbers still continue to decrease because people are more trained and more aware that this is happening.

(30:55):
And then you can also watch from a tooling perspective, when you do put proper tools in the environment that's going to catch phishing and grayware, spam, what have you. Just watching the amount of email traffic decrease for an organization is pretty cool to see.

(31:18):
One of the groups that we put this in for, maybe about nine months or so ago, I was in a meeting with them and one of the leaders said, I really get a lot less, or even no spam emails anymore, and that's just kind of cool to hear, because the stuff is actually working and they're really able to see a difference in how clean their inbox is.

(31:42):
And, as a contrast, if you open up your inbox and there's a bunch of spam in there and there's phishing emails in there, advertising emails, your organization is probably not doing a great job in keeping your inbox clean, and you probably need to talk to somebody to come in and help craft that, because you can get it to where there are no or very few non-legitimate business emails in that inbox, and then it makes it...

(32:06):
When one does slip through, that's a malicious email, that's a really well crafted phishing email, and that slips through, it stands out like a sore thumb, because the users are not seeing those non-business related emails. And then when something comes in that looks off, it just stands out.

Joshua Schmidt (32:29):
And then how does that, from a high level, impact the larger operation of the organization in terms of meeting their goals as a team? Or have you seen that kind of trickle down into, or trickle up into, other facets of an organization?

Eric Brown (32:45):
Generally, Josh, as the organization is spending time, money and efforts on a robust email program, we're seeing advancements in their cyber program across the board. So we're seeing that organization's maturity level increase, and some of the outcomes of that, of course, will be less likelihood of an impact of a breach, better general controls around information security, authentication, having a password management system in place, having an identity governance system in place where you're getting into role-based access.

(33:31):
So generally, we're seeing the movement up that maturity curve when the organization recognizes that information security is really an important part, not only as a business differentiator, but something that their clients are asking for as well.

(33:51):
You're taking my data. How are you protecting that data? How are you ensuring that my data isn't going to end up on Troy Hunt's Have I Been Pwned site?

Joshua Schmidt (34:03):
And that affects the brand of the whole organization and the credibility, and most likely the pocketbook too, because if they're not spending time on cleaning up mistakes or breaches, they can be more focused on their day-to-day operations and meeting financial goals and whatnot, I'd assume. Yeah, absolutely. Breach remediation.

Eric Brown (34:26):
It's a huge time and money sink. For anybody that's been through it, you know, knows this, but it really is a distraction. It's cumbersome, it's a lot of work to go through and do that post-remediation investigation and cleanup work. It's one of the things that we do with our customers, but, you know, nobody's in the room high-fiving at that time.

(34:47):
It's not a celebratory meeting. It's, you know, they're pretty intense and can be emotional meetings, because you have this set of data that you were entrusted to protect that is now unprotected.

Joshua Schmidt (35:04):
And just to kind of wrap things up, all of these
techniques and tools and educational aspects that you've
talked about, do those kind of go hand in hand with helping
businesses protect their data privacy and comply with
regulations like HIPAA laws or CCPA or GDPR?
Does that go hand in hand, or how do you help organizations

(35:27):
navigate that task?

Eric Brown (35:29):
So, from a compliance perspective, email
security is one of the things that is scrutinized.
There's others just around data sovereignty and movement of data,
who has access to data, but, at the end of the day, what you're
trying to regulate is the right access to the right data at the

(35:52):
right time.
So, talking to organizations about where they're storing this
confidential information, regardless of the regulation,
there's going to be some subsets of protected information, be it
a social security number or a medical record number or private
information about that individual that's being

(36:13):
protected.
Storing that in the appropriate place, which is not email, is
one of the conversations that can be had, and it's really
tough to do, because email is a business communication medium
and we're moving files back and forth.
There's other ways to move that content and get that content to
the right people, but it starts with a conversation and making

(36:37):
people, or helping people become aware of how that data is being
accessed, who accesses it and how that data is treated.
What your email retention policy is.
Are you sitting on 10 years' worth of data that, if a threat
actor gets into that email account, now they have 10 years'

(36:57):
worth of data that potentially could be discoverable, or is it
six months' worth of data, if you have a retention policy that would limit the
scope of the information stored, say, in an email server?
Excellent.

Joshua Schmidt (37:11):
Wow, we covered a lot of ground today, but I'm
glad we did this.
It gives us a really great insight into your day-to-day
thoughts and perspective from a CISO and from someone who's on
the ground level, helping people and organizations shore up
their security posture so that they can focus on the things
that are most important to their business.
Yeah, good job.

Eric Brown (37:32):
You have been listening to the Audit presented
by IT Audit Labs.
We are experts at assessing risk and compliance, while
providing administrative and technical controls to improve
our clients' data security.
Our threat assessments find the soft spots before the bad guys
do, identifying likelihood and impact,
while all our security control assessments rank the level of

(37:53):
maturity relative to the size of your organization.
Thanks to our devoted listeners and followers, as well as our
producer, Joshua J Schmidt, and our audio video editor, Cameron
Hill. You can stay up to date on the latest cybersecurity topics
by giving us a like and a follow on our socials and
subscribing to this podcast on Apple, Spotify or wherever you

(38:15):
source your security content.