151. Dr. Erik J. Huffman Explains Our Biological IT Weaknesses

Dissecting Popular IT Nerds
Dr. Erik J. Huffman

Dr. Erik J. Huffman is a cybersecurity researcher, cyberpsychologist, TedX speaker, and award-winning entrepreneur. Currently, he teaches as an adjunct professor at Westcliff University, while also being Director of IT at BombBomb, Founder of Handshake Leadership, and mentor at Mesa Ridge High School. He has also served as a board member for the Board on Army RDT&E, Systems Acquisition, and Logistics, been a dean of studies, and worked at Walgreens. Dr. Huffman has a Bachelor of Science in Computer Science, a Master of Project Management in Information Technology, and a Ph.D. in Philosophy.

Dr. Erik J. Huffman Explains Our Biological IT Weaknesses

Dr. Huffman’s vast experience provides so much insight for us. We’ll discuss how scammers exploit our biological weaknesses in the digital space, why cybersecurity is everyone’s responsibility, and why 100% security doesn’t exist.

Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.

3 Key Takeaways

Episode Show Notes

[02:35] Have you found there to be any arrogance in the Ph.D. sector?

When you are writing your dissertation, your research has to pertain to something new. Your dissertation committee may not have researched the specific area you are presenting, so there is a level of disparity there. For that reason, there has to be alignment between you and your committee.

[07:40] Do you see the correlation between that branch of academia and IT leadership?

If you are a leader and you don’t align with the needs of the business or the execs, good luck! You’re going to be frustrated because there are very few ways to have a direct impact on revenue. IT and cybersecurity are about investing so that nothing happens, and "nothing happened" is the benefit you have to show. Cybersecurity is a unique industry because we are constantly working to put ourselves out of a job: if you are good at your job, then there won’t be any attacks.

[11:00] Please plug your podcast.

My podcast is The MiC Club, minorities in cybersecurity, and it’s a video podcast so you can find it on YouTube.

[11:15] Would you say cybersecurity shouldn’t be a job in itself, it should be a part of other positions?

I agree that we need cyber-aware nurses, doctors, shopkeepers, etc. Saying these people don’t need to know these things because they have a cybersecurity team or person is ignorant and suggests that small businesses don’t run the country. To say only the team dictates security for everyone in a company is wrong. Everyone should have a say and some knowledge. On the flip side, there are some places where there should be a role for security individuals, like red teaming, blue teaming, and threat hunting.

[18:00] It’s not hard to put a human on the phone and start a scam.

I think that’s true because we don’t focus on the humanity of cybersecurity and the humanity of the digital environment we’ve created. The biological sensors that we have for fight or flight don’t kick in the same way they do in a physical environment. If you’ve ever read a book and liked the book but then hated the movie, that’s why: the movie clashes with the picture you built in your head, and an email read in your own, trusted voice works the same way. When you look at data breaches, between 90 and 94% of it is our fault.

[25:50] How do we stop people from becoming too comfortable? What are some of the rules you communicate?

It starts with knowing yourself and how you are susceptible. It’s about situational awareness and understanding how someone is looking to exploit you. How you feel is based on your emotional state, which is based on what is going on in the world. Hackers have gotten a lot smarter.

[28:00] What’s the craziest story you’ve heard recently?

I conduct a lot of phishing campaigns myself in three tiers. The first is “no one is going to click on this,” the second is “you would have to do some research to figure this out,” and the third is “I am cheating and you are almost certainly going to click on this.” I had an instance where someone in one of the organizations I was working with clicked on a first-tier message I sent out.

So, I continued the play to see how far it would go. He gave me all his info. We brought him in and explained that he had failed, and it came down to a real-life situation he was experiencing. Technology can’t patch that, and that is why you need situational awareness. In one instance when I worked with a company during the pandemic, they failed miserably. It was because people were scared of losing their jobs.

[35:25] To me, that is one way that cybersecurity makes the company money and how it’s demonstrated.

You’re right. Poor leadership is a vulnerability. If your name sparks fear, then people are more likely to fall for a scam.

[41:30] If there was one piece of advice that you could give, what would it be?

Security doesn’t exist, only levels of insecurity and what is accepted. Look at your job from that perspective.

Transcript

Speaker 0 | 00:09.564

All right, welcome everyone back to Dissecting Popular IT Nerds. Today, we have Dr. Erik Huffman on the show. Doctor, so that must mean something. I mean, it must mean you did a lot of school or something like that. What are we at, PhD or how are you, doctor?

Speaker 1 | 00:29.204

Yeah, PhD. It’s definitely a lot of school. A lot of school, a lot of research, a lot of writing.

Speaker 0 | 00:35.528

I have a friend, my friends here from, actually, it’s my son-in-law’s brother who has an amazing, amazing story because both of them came over from Yemen years ago and come from, they wouldn’t call their family poor. They’re like, we’re rich because they’re… family that’s together and they’ve always been together and they’ve always had everything, done everything together, so they’re like rich from that standpoint. From any American standpoint you’re like, no, that is dirt poor, that’s poorer than the poorest in America. And just how they actually got over here is, and how hard they studied and how their father always, like, pushed them to study and study is just amazing. And anyways, his brother came from Arizona to visit and he’s finishing up a PhD, and when he’s, how much longer do you got? You got a year? He’s like, it’s not like that. He’s like, it’s like a year and a half, maybe two and a half years, it all depends on, you know, how fast you can do this and whether other people approve this and, you know, defense something and all that type of stuff. So it’s definitely difficult, so I guess congratulations on getting through that, and a lot of respect there for that.

Speaker 1 | 01:51.987

I appreciate it, yeah, it is. It is not a clear timeline at all. Like, so you may, you may graduate one month from when you thought you would, or you may go, it may take another three years after that. Cause, uh, you know, the dissertation writing process is not clear. It is not clear. And it’s, it’s all up to how fast you can get it done, how well you can write, how well you can articulate. And maybe. Maybe they’ll like you enough to let you get through. Maybe.

Speaker 0 | 02:28.557

And, yeah, I guess there is kind of a lot of liking going on. Would you find there’s any arrogance in the university sector in getting a PhD and getting people to like you and all that? Is there any kind of like, hey, this kid might be smarter than me. I don’t know if I can give him his PhD.

Speaker 1 | 02:47.162

I don’t know if there’s that. I wouldn’t say there’s that, but there is. There is a level of, well, let me put it this way. So as you’re writing your PhD, as you’re writing your dissertation and you’re doing your research, you have to do your research on something that is new, something that’s kind of innovative. It’s adding to the overarching body of knowledge. You’re contributing to the amount of research, scholarly practitioner research that’s out there. And your dissertation chair, your dissertation committee may not have researched the same things you have because you’re taking it and you’re kind of flipping it. You’re doing your own thing. And so there is a level of I don’t know if you know what I’m trying to do or not, because you are the subject matter expert and you’re being led by other subject matter experts. But they may not be subject matter experts in your field and what you’re attempting to do. So for that reason, there has to be good alignment. So like if there’s a word of advice I have for anyone that’s striving to get a doctorate, there has to be alignment between you, your committee, your dissertation chair, your dissertation mentor, all that. That has to be aligned because there are people way smarter than me, worked way harder than me, were way more innovative and had more thought-provoking dissertation and research studies than I’ve ever had. And they’ve never graduated because if your dissertation chair, your committee doesn’t like what you’re doing, how you’re doing it, the method that you’re using to, to, to do it, you will not graduate. Like that’s just plain and simple. You will not graduate. And so there’s people I started with that were absolutely phenomenal and they never graduated. And somehow I did. Uh, it’s, it’s not.
It’s not like a one-to-one thing, like everyone’s going through the same thing, because you have different dissertation chairs, different mentors, different committees, and hopefully they know what you’re doing and they like the way that you’re doing it. And you won’t get to the end. And they say like, you know what? We don’t like that method. You should change that. And you’re like, what the hell, dude? That’s like three years of work after all.

Speaker 0 | 05:10.626

Back to the drawing board. That’s got to be one of the most frustrating things. My son experienced it the other day when he was writing a paper. And I was like, that makes absolutely no sense. You need to trash that. And you’d been working on it all day. Your correlations make no sense. Your arguments make no sense. Your topic is… way too broad. It was like, you know, why the television internet and a cell phone like is addictive. I was like, no, I was like, pick social media. Why social media is addictive. I was like, pick one thing. I was like, you know, I mean, because, or pick dopamine receptor and like how each three of these things, you know, I was like, you can’t do that. You’re like, there’s no, they’re going to, you’re going to get laughed at. You’re going to get, you know. That’s very difficult. You must be a good IT manager or you must be a good whatever you do, because there’s a very important lesson in there. And this being an IT show, IT directors, IT leaders have to deal with basically that scenario, which is, I see a problem in the company. Am I aligned with the company’s vision and what we’re trying to accomplish well enough that… whatever I bring as an argument that I need money for to upper management, are they going to buy into this? And you’re dealing with people that are probably smarter than you, have been more successful in business than you, have a goal and something that they’re trying to accomplish, i.e. make money, sell the company for a profit, whatever it is, that you should… absolutely be well aligned with, which is kind of like, do I know my professors? Do I know if they’re going to laugh at me? Are they going to like this? Are they going to hate this? So there’s a lot of dynamics going on there that take place in IT. And I’m not saying that education is not the real world, but we all, you know, there’s people that become career professors, you know, but there’s a strong correlation there. 
And So again, you know, congratulations because you got through it and there’s got, there’s, there’s probably a lot of frustrated IT managers in the world or people that, or even in cybersecurity or people in cybersecurity that are having a very hard time getting buy-in from executive management. Do you see the correlation there?

Speaker 1 | 07:39.892

Oh yeah. There’s a, there’s a direct correlation there. Um, if you. As an IT cybersecurity manager, if you do not align with the business, good luck. If you do not align, if you don’t understand the business, good luck. You’re going to be so frustrated, you’re going to leave the industry. Because cybersecurity or IT even, it’s not, there are very few ways to have a direct one-to-one impact on revenue. It’s not a sales job where you have this one sales professional here. He sold 10 widgets and due to the profit margin, the company makes, you know, $2,000 or something along the lines of that. IT and cybersecurity is kind of, it’s like, well, we’ve been, we’ve invested in security. We hired five new cybersecurity professionals. We bought a new firewall and nothing has happened. And like that’s a benefit. That nothing has happened. And so you’re trying to show value and trying to align with the organization so you can continue to get buy-in, because the better you are at your job, the harder it is going to be to get buy-in. Cybersecurity is a unique industry in that we are actively working to try to put ourselves out of a job. Because if you were absolutely incredible and amazing security professionals, there will be no cyber attack. If there’s no cyber attack, there’s no need for the cyber professional. There’s no need for the cyber professional. What the hell are you doing?

Speaker 0 | 09:20.174

I think you just described the problem. I think you just described the paradigm shift that cybersecurity professionals need to make and I think are unwilling to make and are going to fight tooth and nail and are going to, like, I’m going to just upset a lot of people here right now and just say cybersecurity is not a job.

Speaker 1 | 09:35.906

Oh, man.

Speaker 0 | 09:36.647

I’m going to say it’s not a job. You know what I mean? It’s not a job. It’s an aspect of a job. It’s a bullet point. It’s something that the IT director needs to be responsible for or the CEO or the CTO needs to be responsible for. Just erase CISO. Please cancel all the CISO podcasts right now. They’re worthless. By the way, you have a podcast. By the way, what’s your podcast? Please plug your podcast right here. And I know, you know, I’m joking. Just so everyone knows, I’m being sarcastic. Sarcasm is a behavioral derailer on page 59 of the company, some kind of company handbook where we decide whether you get a raise next year or not. But I am being sarcastic, but I am being serious about, maybe it’s not a job. It might be an aspect of a job. And that might be a paradigm shift because everyone loves cybersecurity or the people that get into it, they’re so passionate about it. I’m going to make my career about it. And then you got half the people I talked to, they’re like, yeah, I was in cybersecurity, but I quit. Now I’m doing this. So, and I have C-level directors that are saying, no, cybersecurity is not, it’s not a job. It’s an aspect of the CTO or the CIO’s job. But then you’re going to say, well, no, then we don’t have… we don’t have separation. We don’t have a separation between the IT department and security, and there’s gotta be checks and balances in place. And you gotta have, you know what I mean? So there is a very clear argument there and people are laughing at me for even saying that, but I’m throwing it out there to say, I don’t know. What do you, what do you have to say about that? And plug your podcast, please plug your podcast.

Speaker 1 | 11:06.725

Oh, I appreciate it. So my podcast is the MiC Club, uh, M-I-C, it’s Minorities in Cyber. Uh, and it’s, it’s pretty dope. Check it out. It’s a video podcast, so it’s on YouTube. But I agree to a point. I really do, because to say cybersecurity is a job and cybersecurity only comes from one place is inaccurate. Meaning we need cyber-aware nurses, we need cyber-aware doctors, we need cyber-aware chiropractors. And to say those people don’t need to understand security because they’re going to have a security team that does it. That is ignorant and completely negates the fact that small businesses run America. You know, there’s plenty of people that have to be cyber aware, that have to take on the role of a cybersecurity or security professional because they do not have a team. And to say only the team dictates and directs security for every organization, like you need a security professional because that’s just that job. No, we need every, it’s a team sport. Everyone needs to be cyber aware. But what I do think it is, I do think to a degree there is a part where there’s, where there is, where there are roles for security professionals, like red teaming, blue teaming, to a point where you are a network administrator, but you’re definitely a security professional. You’re doing threat hunting, that’s definitely a security role per se. But I agree with the premise of what you’re saying, saying that it’s not a job because everyone should contribute to it. I think that’s part of the problem where some people are thinking that, well, you know what, the IT team, security team got me, so they have our back. They’re the security professionals, so I’m going to just go ahead.

Speaker 0 | 13:11.825

Click this link one time. Yeah. Yeah. It might not even be a link. The easiest way to hack someone that I could do it, but I don’t need it. I don’t need any crazy hacking skills. I don’t need anything. I just caught my dad. Same thing. It really, it kind of rang home. Like with what happened, like your email from your mom, kind of the psychological behind it, by the way, uh, for everyone out there listening, um, uh, Dr. Erik Huffman has a, um, he has a, how long ago did you do the, um, the TED Talk? Was that a while ago?

Speaker 1 | 13:40.129

Oh, man, I think it was like three years ago.

Speaker 0 | 13:43.050

Okay. See, so he has a TED Talk that was relevant three years ago that’s still relevant today. So that just goes to interest around kind of like how people, how hackers can psychologically get in the mind of people and make them do things without even, you know, without thinking, you know, fast enough, I guess. So same thing happened to me, kind of, so to speak, with my dad, whereas what happened to him. And I still got this guy recorded. He’s still, I still get stringing this guy along. I’m still trying to do like a, like some kind of a, like a, like some kind of a, you know, reverse, reverse, like, you know, attack on him. Cause he’s, he’s got me. Yeah. I’ve got him. He’s a believer right now. He’s a believer. So, um, dude from India, I’ve tracked him down. He is from India. So I’m not trying to like, you know, anyways, dude from India calls my dad via Texas via a D.I.D. through Vonage or whatever group of D.I.D.s he bought, whatever, and describes himself as working for Microsoft, and I will help you clean up your slow computer, and I’ve noticed that on your computer you’ve got all kinds of illegal stuff that you shouldn’t have on your computer. Just scare tactic, I’m like, Dad, do you have this stuff on your computer? He’s like, no, no, no. I’m like, then what do you care? Stop. I was like, Steve from Microsoft, actually it’s Dominic. Dominic from Microsoft. Is not going to call you. Microsoft is not going to call you and you don’t need to pay him $600 to clean up your computer. I don’t even know what the guy did. It was like spyware sweep or something free that comes on Windows or something. Then he puts his number on the bottom right-hand corner of my dad’s computer. My dad’s got some old XP box or something that he has to have. He cannot upgrade because he will not know how to use any. I tried putting a new computer on his desk once. Get this thing out of here. Get my old computer back on. I don’t care if I have to wait 45 minutes for the thing to turn on.
And all he uses it for is the family calendar. I’m like, dad, eventually I just, you know, anyways, guy puts his number on the bottom of my corner. Long story short, he’s been milking my dad. No matter how many times I tell my dad, we’ve changed his phone number. We have done everything. He, and this was the final straw too. He’s, he must’ve milked at least four grand out of my dad. And I’m, I’m doing everything I can literally. everything I can to stop my dad from talking to this guy. And I don’t know how he continues to keep saying yes to it. The last thing he did was the last old person that died. That’s been filtering money for him from a bank account over to India. He now got my dad to do it. So check this out, Mr. Howard. Um, I want to pay you $500 a month for what? Uh, I need you to go down the street, open up a bank account for me under this name. I need you to give me the routing number. I need you to give me this. And what I’m going to use, we’re going to go into business together. You’re going to be my business partner. I sell products online. I looked at this guy’s website. It’s such a joke. He’s selling like, you know, four gig like memory sticks for like 80 bucks. You know, like that’s the only shopping cart website. And I’m going to send you $500 every month just for you to open up a bank account for me. And when I ask you to, I need you to wire the money here. This guy has been using… elderly people to launder money to India and use them as a PO box as an actual business address with a legit LLC established in the United States that he can continue to use. And I tracked him all the way down to, but first he lived in Texas. Then he lived here. Then he lived there all the way down to finally one day I was like, yeah. yeah, I heard you’re going into business with my dad. This is great. Like, you know, awesome. Like, you know, maybe I can help you out because what are you, a call center? Like, where are you located? He goes, yeah, I’m in India. 
I’m like, okay, great. Like, are you having problems with like spoofing and like, you know, DID problem? Yeah, yeah, I need issue. I need help with like, oh yeah, cool. Like, let me help you out. I’ll get, we’ll get some, you know, international DID set up for you this. And then, I mean, we literally had to change my dad’s phone number, change everything and erase, basically erase anything on the computer somehow. But what happens is my dad’s flipping through some old mail or something and he eventually finds computer doctor 1-800, he’ll find it that he wrote it. The problem is my dad wrote the number down somewhere, and we don’t know unless I burn every piece of paper in my father’s house. But there’s, I don’t know, the point of the story is it’s not hard to put a human on a phone … and get them to get elderly people or anyone to send people money. It’s pretty sad.

Speaker 1 | 18:29.003

Yeah, that’s true. It’s very sad because I think we’ve lost, well, we don’t focus on the humanity of security and the humanity of this digital environment that we’ve created. So if you think about what we’ve done, we created… You know, like the iPhone, Android, your Mac, your PC, your laptop, Zoom conferences. These are these are things we created, whether you’re creationist, evolutionist, whatever, you know, it’s nothing that we were built for or created for us. And so that the biological sensors that we have in us that say, hey, fight or flight, you know, things like that that occur, they don’t function the same way in the digital environment. So I imagine if I walk up to your dad and I ask him, hey, can I get your bank account and your routing number? He’s going to say no every time. But the fact that where the person is not physically there, the person is communicating using different means, whether it’s email, whether it’s phone. They can’t see, you know, the creepy dude sitting in their basement, you know, with just like Mountain Dew cans spread out everywhere. They don’t see that. And so they end up picturing whatever they want. Like an analogy I use to help people understand what I’m saying is, if you’ve ever read a book and you enjoy the book, and then you watch the movie and you hate the movie, that’s why. Because when you’re reading the book, you’re either reading it in your own voice or you’re creating characters in your head. And when you watch the movie, you’re like, that’s not how they look. That’s not how they sound like. And it kind of alienates the narrative that you’ve created in your head and how you envision some of these things happening versus what you read and you digest. The same thing happens with email. Like if I communicate with someone via email, you’re going to read that email in your own voice. You don’t know my voice. You’re going to read it in your own voice. 
And because you’re reading it in your own voice, which is a trusted voice, I’m going to sound nicer than what you think I actually sound. I’m not going to sound like some creepy dude, you know, with some deep, dark Vader voice or anything like that. I’m not going to sound like that. You don’t, the default person doesn’t read in that voice. However, the time when it changes is when you start spoofing. Um, so if I sent you an email spoofing your dad’s name, you’re going to start reading that in your dad’s voice. That’s typically what rose because you know their tone, you know their cadence. Unless I start using like slang and lingo, then you’re like, hold up, this doesn’t read well at all because this is not how this person writes. That’s how a lot of people are getting fooled, like a lot of smart, intelligent people are getting fooled because those biological barriers that we have, they don’t work the same way. We’re in an entirely new frontier in methods of communication. Like back in the day, my teachers said, hey, you will never have a calculator in your pocket. You’re going to need to learn how to do this long division. Kind of like jokes on you. I got a calculator in my pocket every single day. We haven’t seen like the technology progress and we’re just learning how to interact in this environment. The psychological barriers, the humanity of security, the humanity of breaches and cyber attacks, for the most part, I would say for about a good 90, by what research is going, like a 90 to 94% is our fault when we start looking at data breaches. A lot of it is our fault. The ones we hear on the news, the ones that are reported, you know, some of those people are going crazy plugging into the matrix and hacking, but the everyday attacks. The everyday attack that you were talking about with your father, there’s a lot of people going through the same thing.
The everyday attack is a lot less technically impressive because it’s a lot more psychological than it is technological.

Speaker 0 | 22:52.669

It’s just easier for people, too, and there’s less on the line. It’s easier for them to, I don’t know, steal $600 from 100 people.

Speaker 1 | 23:02.931

Oh, definitely.

Speaker 0 | 23:03.792

Then it is to go for the big kill.

Speaker 1 | 23:05.693

Definitely the fastest way to do it.

Speaker 0 | 23:06.894

Yeah. And yeah, there’s not much to be said about the scumbags of the world. I think they’re just always going to be there.

Speaker 1 | 23:14.938

Oh, true.

Speaker 0 | 23:15.298

Yeah. It’s just going to be like, it’s just, so we’ve just, there’s just more ways for people to rob people now, I guess is really what the summary is at the end of the day. And how do we teach people to be careful? Is there a metaphor to, did you grow up in Colorado? Yes, I did. Okay. I’m thinking I sit on the board of some nonprofits and stuff, and an email came through last night about security. And I sit on the board for a mosque in Hartford, Connecticut, and it is in the poorest, poorest, poorest section of Connecticut. I mean, we’re picking people up off of… angel dust off the street, putting them in ambulances. People are getting shot. It’s not a safe place. And we were just talking about, like, hey, don’t get too comfortable. People are always watching us. People are always casing things out. People are, you know, things this and that. Just because we’re the good guys in the street doesn’t mean that you’re not going to get robbed or you’re not going to get this. And I remember we were just talking just in general physical security, people that can carry, should carry, you know, stuff like this. And your conversation, I mean, what you just said, just in general about, you know, hey, it’s, you know, there’s, they don’t see the creepy dude in the basement with the, you know, the Mountain Dew cans. Why Mountain Dew? I guess it’s just Mountain Dew. I’m just, you know, something about Mountain Dew. The… I wonder how much of a correlation there is between that and still just, you know, just feet on the street. You know what I mean? It’s almost like… Uh, there, it’s, it’s the same thing. There’s, there’s something to be said about, uh, criminals and you, you really, I think most people that are, I think the majority of people I would like to think have good intentions or the average people have good intentions.
And then the, the really, you know, good people, um, like you mentioned, um, like some other people that are more apt to, I think you mentioned a pastor or someone on your, in your TED Talk or something like that, you know, how he was susceptible. Right. I think there is the, something to be said, how do we communicate to that group of people? Like, hey, don’t get too comfortable. Like, don’t just, you know, like what are some of the rules for, what are some of the rules that you communicate to people on what to look out for or what to be careful of?

Speaker 1 | 25:59.203

Definitely. It starts with, it’s gotta be cliche. It starts with knowing, knowing yourself and how you’re susceptible. Knowing that. Everyone can be had. So you need to have the situational awareness to know what kind of person you are, how is this person communicating with you, how are they looking to psychologically exploit you if possible. For example, I was born and raised in Colorado, but my family’s from the South. My mom and my dad, they’re both from the South. I was raised to hold the door open for everybody and especially a woman. And security. Yeah, it is very hard for me to let that door close. You know, I’m supposed to let that door close, but everything in me says hold that door open. Yeah, you know, because they may be, it may be raining, they may be running late, they may be running towards the door, but yeah, but you have to let that door. That is extremely hard for me. And you know that, how, like your situation, like psychologically how you feel is based off your emotional state. Your emotional state is based off of kind of what’s going out there in the world. So if you’re getting contacted, uh, from someone that’s trying to, uh, exploit, to give you money or something like that, send you money, ask you, some of it’s that basic, some of it’s not, uh, but if so, you know, have that situational awareness to know, hey, this is where I’m vulnerable right now, I probably need, I probably need to think twice. Um, it’s difficult because it’s not really going to stop. The attacker has gotten a lot smarter. Most people still think the Nigerian prince is the only hack that’s out there, the only digital social engineering attempt that’s out there. No, it’s not.

Speaker 0 | 27:54.356

Let’s just tell some stories. Let’s tell some crazy stories then. What’s the craziest story you’ve had as of recent?

Speaker 1 | 28:02.138

I do a lot of research. I do a lot of research. And I’ll… A lot of my research is based off of cyber psychology, which is like a field that I’m trying to help sign, where I particularly focus on digital social engineering attempts. So I work with a lot of organizations. I send out, I conduct a lot of phishing campaigns myself. And one instance that comes up, I typically, I send phishing attempts out in three categories. Kind of number one is like, ain’t nobody going to fall for this. Like I’m just throwing stuff out there to see who’s going to click on what, you know, obviously it’s contracted with the organization. They know I’m coming, whatever. If I’m like, Hey, I’m gonna go ahead and just send, send like, just whatever I say, ain’t nobody going to click on this. The middle is kind of like, it’s pretty good, but you’re going to have to do, you have to look to find out like you have to be pretty aware to find this out. And then kind of the last category is I’m cheating. Like you’re probably going to click on. This is really, really, really good. I’m cheap. I’m using all kinds of attack methods and all kinds of technology involved to make sure this clicks well. There was an instance where there was an organization I worked with. There was a gentleman that clicked on one of the ain’t nobody going to click on it. It was very evident, very obvious to me. It was the cliche, hey, we hacked your camera. We saw you looking at adult websites. If you do not send us like three Bitcoin, which is like $11 billion, like we’re going to send this to all your contacts because we have access to all your email contacts. You know, the very, very classic. I’m like, nobody’s going to click on this. Nobody’s going to even respond to it. I got a response. And I’m like, huh, there ain’t no way. And so I respond back. Like, all right, like, so, like, kind of game on. Like, I respond back. Maybe this person’s just trying to mess with me. I’m down with it. Let’s have a little fun.
So I respond back. And I’m like, okay, like, like, thanks for, thanks for your prompt response. Go to this, click on this link, go to this website, fill out your contact information so we can, we can help process the payment. So I’m like, all right, this is where it’s going to stop. This, this, this is where it’s going to stop. No, he clicked, he clicked the link, filled out all the contact information, sent it back. At this point, then I’m like, all right, go to this link. Give us some PII, like definite PII, send it back. He does it. And I’m like, okay, timeout. Like, I’m not hacking. Like, you know, I’m here for research. I’m not hacking. Like, timeout. Every time we conduct a research study, part of my team, we do semi-structured interviews. So, brought him in, and I was like, hey, Mr. Doe, John Doe. Um, you, we, we conducted a phishing campaign based off of this research study, uh, approved by your company. You failed based on this, but you failed in this way. What’s going on? And so what kind of hit, what clicked, what hit home to me was that semi-structured interview turned fat. You know, he started bawling, started crying because he and his wife were arguing about something very similar. He viewed that his watching adult videos was cheating and he wanted it to go away. He thought someone caught him and was going to let her know. And so he wanted to go away so he could save his marriage. And I’m like, oh, my God. Makes sense. Yeah. Yeah. Some of the things like that, when I heard that, kind of like technology can’t patch that. And so, like, you need to do some self-awareness. Like, you need to talk to whomever you need to because technology can’t patch that. There was other instances during COVID when everything, everyone was locked down. Everyone’s locked down and bored. I went into full research mode. And so I started going, I was working with another organization and I spoofed out the CEO.
I’m not, took the gloves off, playing hardball, you know, using the pandemic and the unknowns of the pandemic against people. And so I’m sending out, sending out phishing emails, digital social engineering attempts. And the company failed miserably. miserably.

Speaker 0 | 33:08.552

Do you need people to do this? Because I’m like real good at this stuff. I can send out emails. This sounds like fun, man. This is great. I’ll pay to do this and you don’t even need to pay me. I’ll pay to do this. Anyways, go ahead. Go ahead.

Speaker 1 | 33:21.701

I’ll be, I’ll be in contact because we can certainly use that. Like this, the, the company failed miserably. And because the company failed miserably, we followed up with, with a lot of people that felt, and they were scared for their job. It’s like, hey, we thought we’re going to get laid off. People are losing jobs during the pandemic. And so I spoke with the CEO, like, hey, you’re going to have to put out a press release. You’re going to have to talk to your company because anyone that spoofs you right now is probably going to get through. And a lot of people know who you are. It’s a very large company, an extremely large company. And so, hey, people know who you are and they’re scared. They thought, they think you’re going to lay them off, and so unless you do something about that, anyone that spoofs you most likely is going to get a response, because they’re scared. They’re scared for their job. So if you think of, like, the old, I want to say cliche, it’s not cliche, some people live by it, some people absolutely love it, you know, like Maslow’s hierarchy of needs. They end up, they’re down there like, hey, I just need to survive. Like, we need food, shelter, all this stuff, and I’m going to lose my job, which means I’m going to lose that. So there are countless amount of stories I could share just working with different companies, working with different organizations and helping them understand the humanity that they’re dealing with.

Speaker 0 | 34:53.871

I think we need to stop there just because and say, make a very key point when training other cybersecurity professionals or people to get into the field because they believe it’s going to be fun or this is exciting and this is what I want to do. It’s all very selfish, all very inward. This is what I want to do for a career, blah, blah, blah. I’m not saying that that’s a negative thing. I’m just saying it is from that standpoint. You need to learn to sell yourself. You need to learn to be able to translate why your department is so important. You need to be able to say, again, well, I’m always looking for ways that cybersecurity can actually make the company money, right? Or save the company. And this is one, this is very key right here. This is where like, you can actually translate how a cybersecurity rule has translated into what the hell’s going on in my company? What do the people think about? What do they think about me? What do they think about this? That’s valuable data. That’s very valuable data. So I think. I don’t know. I would put that at the top of the list of top five things that cybersecurity professionals do to help make the company money. I just thought of that off the top of my head. I mean, we should write that article. That should be the top five ways cybersecurity professionals make the company money. Because that’s going to be a tough one. We need to come up with four more.

Speaker 1 | 36:23.702

You’re right. The fact that… Organizations don’t look inward. And one thing I did note in my latest study, no, it was a study before that, was poor leadership is a vulnerability. But if you lead by fear, it’s a vulnerability. Because I’m a spoof Mr. Mr. CEO, Mr. CEO, Mr. CCO, and that name that they see, they see that person’s name, it’s going to spark… fear. And when it sparks fear, that person is going to be more prone to react. You know that, uh, I need you to, all the way to some basics that some people fall for. A lot of people don’t, though, like the Amazon gift cards, the iTunes gift cards thing. Why people act, why people, like, why do they go buy the gift card, scratch off the back, and sit on that? Stupid, yo. Like, why do people do it? They do that because they feel they’re either, have a poor relationship with the person that they’re being spoofed by, or they’re just scared for their job. Like if I’m scared for my job, I’m more prone to just like, hey, I got to make this person go away.

Speaker 0 | 37:44.005

That’s another one that happened to my dad. He’s had everyone happen to him. And I think it’s, it just tells me that like someone hacked my dad’s email, probably the same dude, and sent out and messaged to everybody that’s like, my granddaughter’s sick. She’s, she broke her leg or she’s in the hospital or something like that, and I’m just trying to buy her some Google Play gift cards, and I’m at Walmart, and for whatever reason, this, this, so I need you to go, please go down to Walmart, buy her some gift cards and give me a call. And then, like, literally, like, can you scratch off the thing? I was like, you gotta be kidding. I was laughing, like, no one’s falling for this. There’s no way. One guy in town did. One guy in town did. The selectman, the head of the town selectman. Oh man, the town selectman, just because he has friends and my dad and, like, you know, I mean, like. So anyways, number one, the top five ways cybersecurity professionals can make the company money: what are your employees thinking about you and how can you increase morale? And there has got to be some sort of ROI. There’s got to be some sort of numbers around increasing employee morale increases, you know, I don’t know. We can find out who to fire. And now we just saved on labor costs.

Speaker 1 | 38:59.016

There’s gotta be,

Speaker 0 | 39:02.979

there’s a no who to fire and how to increase morale, who to fire, how to increase morale. This is getting better. That,

Speaker 1 | 39:09.044

that study got to be out there somewhere. Someone did a study on morale and ROI. I’m confident that’s out there somewhere.

Speaker 0 | 39:18.492

Oh, for sure. For sure. So, and we could just say that, and you know, in the article, you don’t even need to like cite or cite it. People would just believe it. I mean, that’s what we do. People are just going to believe you because you say, because they got the email from bankofarnarica.com. Remember that one? Oh,

Speaker 1 | 39:33.512

yeah. Yeah, the amount of disinformation and how we digest disinformation is insane.

Speaker 0 | 39:40.156

We should have the, you know, I think we have, I just thought of a new section that I should put on this show, and it should be conspiracy theories. We should have a conspiracy theory section of the show, and we could talk about now. This fits so perfectly into what we’re doing, because think of how much info that we’re fed on a daily basis and how much of it is complete garbage. I mean, it’s just, as long as we say it, they’ll believe it. As long as we say, um, you know, I am who I am, you’re gonna send me money.

Speaker 1 | 40:09.944

Oh, for sure. For sure. People are more prone to trust the messenger before they trust the message. That’s pretty sad. If your best friend posts up like, hey, this thing is real. And you’re like, okay, I believe that. It came from my best friend. It came from my best messenger, so I’m more prone to trust the message. And it… What tells you that’s wrong? They’re not saying that the information is wrong. You’re internalizing that. A lot of people internalize that as you’re calling my best friend wrong or you’re calling my mom wrong. Like, it’s kind of like the mama’s boy. Like, mama’s wrong again. You’re like, no, mama’s never wrong. And so you’re not really arguing the message. You’re arguing for the messenger. It’s sad. It’s unfortunate. It’s very unfortunate what’s going on.

Speaker 0 | 41:10.901

So I don’t know if there was even a theme to the show, but it’s been a ton of fun. It’s been a lot of fun. If there was just maybe in general, if there was one piece of advice that you could offer to the listeners out there, and the majority of the listeners are… IT directors, IT managers, CTOs, you know, that type of thing. People that would say cybersecurity is not a job. People would say that it’s a responsibility that falls underneath mine. If there was one piece of advice that you have that you’ve seen, learned, like one kind of weird, I don’t want to say weird, but just something that’s maybe unique to you that you’ve noticed, a piece of advice, tip, trick, or whatever, to maybe selling cybersecurity or whatever it is, what would that piece of advice be?

Speaker 1 | 42:00.212

Yeah, probably the number one thing I would say is that security doesn’t exist at all. Only certain levels of insecurity exist. And so don’t think of how secure are we. Think about what levels of insecurity have we accepted? What levels of risk have we accepted? And if you look at your job from that perspective, it makes it a little bit easier rather than, hey, is everything locked down? Well, just look at what have we allowed, what is open? Because if you want to think, all right, we’re secure, then no, you’ve missed it. You’re not secure. You’re insecure to what degree? And if you know you’re not secure and you understand the degrees in which you’re not secure, it makes it a little bit easier, a little bit easier to digest, makes it a lot more realistic for you to do your job and lead the organization and lead the company versus we need five new firewalls because we need to lock down all these things. Put that in perspective of, well, we have these insecurities that we’ve accepted or that we haven’t accepted that we need to mitigate unless and let’s patch those up so we can move forward. We need to do A, B, and C to patch up these vulnerabilities, these risks, because the level of insecurity in which we are at is outside of our acceptable range, rather than let’s shoot for 100% secure, which doesn’t exist, unless it’s pen and paper. And this is probably going to age very poorly because at some point in time, someone’s going to hack pen and paper. Then we’re going to be like, how the hell did they do that? But that’s my number one word of advice is don’t chase the unicorn. Don’t chase 100% secure. Don’t chase lockdown secure because it doesn’t exist. Figure out what you have open, patch that up, get to an acceptable level of insecurity versus let’s get secure. Because if you’re getting secure, you’re just not going to happen. Don’t plug it, turn it off. Rip out the battery, then it’s secure.

Speaker 0 | 44:30.226

That’s beautiful. Yeah, anything that’s always going to help us step out of our comfort zone and sell security or sell IT to upper management, I think just starting off with accepting that. We’re not secure. We are not secure. I just want to let everyone in this room know I am head of cybersecurity and we are not secure. And as long as I am employed here, we will not be secure. Does everyone get it? Everyone will be like, what? What are you talking about? Stop chasing the unicorn. Just start saying, what? This guy’s crazy. No, for real. No, we’re not secure. I think that’s great. We are not secure. And then send it to him via email and then text him that and then put it up on social media on the website and then put, well, not on the website, but somehow send it to him through social media that we are not secure.

Speaker 1 | 45:29.224

If that happened, that would remind me of the old Dave Chappelle skit where keeping it real goes wrong.

Speaker 0 | 45:38.247

So-and-so decided to keep it real. What did we have with Dave Chappelle the other day? Something came up. I’m trying to remember. Anyways, hilarious. I’m keeping it real. I think it was something about, you know, I think it was something about, like, you know, you can raise a kid. Well, I know, I remember Chris Rock saying, you know, you can raise a kid on your own. That doesn’t mean it’s a good idea. Doesn’t mean it’s a good idea either. And Dave Chappelle had some version of it as well that was like, anyways, thank you so much for being on Dissecting Popular IT Nerds. It has been an absolute pleasure.

Speaker 1 | 46:13.074

Thank you so much for having me.


Speaker 0 | 00:09.564

All right, welcome everyone back to Dissecting Popular IT Nerds. Today, we have Dr. Erik Huffman on the show. Doctor, so that must mean something. I mean, it must mean you did a lot of school or something like that. What are we at, PhD or how are you, doctor?

Speaker 1 | 00:29.204

Yeah, PhD. It’s definitely a lot of school. A lot of school, a lot of research, a lot of writing.

Speaker 0 | 00:35.528

I have a friend, my friends here from, actually, it’s my son-in-law’s brother who has an amazing, amazing story, because both of them came over from Yemen years ago and come from, they wouldn’t call their family poor. They’re like, we’re rich, because they’re… family that’s together, and they’ve always been together, and they’ve always had everything, done everything together. So they’re like rich from that standpoint. From any American standpoint, you’re like, no, that is dirt poor. That’s poorer than the poorest in America. And just how they actually got over here is, and, and how hard they studied and how their father always, like, pushed them to study and study is just amazing. And anyways, he’s, his brother came from Arizona to visit, and he’s, he’s finishing up a PhD, and when he’s, how much longer do you got? You got a year? He’s like, it’s not like that. He’s like, it’s like a year and a half, maybe two and a half years. It all depends on, you know, how fast you can do this and whether other people approve this and, you know, defense something and all that type of stuff. So it’s definitely difficult. So I guess congratulations on getting through that, and a lot of respect there for that.

Speaker 1 | 01:51.987

I appreciate it. Yeah, it is, it is not a clear timeline at all. Like, so you may, you may graduate one month from when you thought you would, or you may go, it may take another three years after that. Cause, uh, you know, the dissertation writing process is not clear. It is not clear. And it’s, it’s all up to how fast you can get it done, how well you can write, how well you can articulate. And maybe. Maybe they’ll like you enough to let you get through. Maybe.

Speaker 0 | 02:28.557

And, yeah, I guess there is kind of a lot of liking going on. Would you find there’s any arrogance in the university sector in getting a PhD and getting people to like you and all that? Is there any kind of like, hey, this kid might be smarter than me. I don’t know if I can give him his PhD.

Speaker 1 | 02:47.162

I don’t know if there’s that. I wouldn’t say there’s that, but there is, there is a level of, well, let me put it this way. So as you’re writing your PhD, as you’re writing your dissertation and you’re doing your research, you have to do your research on something that is new, something that’s kind of innovative. It’s adding to the overarching body of knowledge. You’re contributing to the amount of research, scholarly practitioner research that’s out there. And your dissertation chair, your dissertation committee may not have researched the same things you have because you’re taking it and you’re kind of flipping it. You’re doing your own thing. And so there is a level of I don’t know if you know what I’m trying to do or not, because you are the subject matter expert and you’re being led by other subject matter experts. But they may not be subject matter experts in your field and what you’re attempting to do. So for that reason, there has to be good alignment. So like if there’s a word of advice I have for anyone that’s striving to get a doctorate, there has to be alignment between you, your committee, your dissertation chair, your dissertation mentor, all that. That has to be aligned because there are people way smarter than me, worked way harder than me, was way more innovative and thought-provoking dissertation and research studies that I’ve ever had. And they’ve never graduated because if your dissertation chair, your committee doesn’t like what you’re doing, how you’re doing it, the method that you’re using to, to, to do it, you will not graduate. Like that’s just plain and simple. You will not graduate. And so there’s people I started with that were absolutely phenomenal and they never graduated. And somehow I did. Uh, it’s, it’s not.
It’s not like a one-to-one thing, like everyone’s going through the same thing, because you have different dissertation chairs, different mentors, different committees, and hopefully they know what you’re doing and they like the way that you’re doing it. And you won’t get to the end. And they say like, you know what? We don’t like that method. You should change that. And you’re like, what the hell, dude? That’s like three years of work after all.

Speaker 0 | 05:10.626

Back to the drawing board. That’s got to be one of the most frustrating things. My son experienced it the other day when he was writing a paper. And I was like, that makes absolutely no sense. You need to trash that. And you’d been working on it all day. Your correlations make no sense. Your arguments make no sense. Your topic is… way too broad. It was like, you know, why the television internet and a cell phone like is addictive. I was like, no, I was like, pick social media. Why social media is addictive. I was like, pick one thing. I was like, you know, I mean, because, or pick dopamine receptor and like how each three of these things, you know, I was like, you can’t do that. You’re like, there’s no, they’re going to, you’re going to get laughed at. You’re going to get, you know. That’s very difficult. You must be a good IT manager or you must be a good whatever you do, because there’s a very important lesson in there. And this being an IT show, IT directors, IT leaders have to deal with basically that scenario, which is, I see a problem in the company. Am I aligned with the company’s vision and what we’re trying to accomplish well enough that… whatever I bring as an argument that I need money for to upper management, are they going to buy into this? And you’re dealing with people that are probably smarter than you, have been more successful in business than you, have a goal and something that they’re trying to accomplish, i.e. make money, sell the company for a profit, whatever it is, that you should… absolutely be well aligned with, which is kind of like, do I know my professors? Do I know if they’re going to laugh at me? Are they going to like this? Are they going to hate this? So there’s a lot of dynamics going on there that take place in IT. And I’m not saying that education is not the real world, but we all, you know, there’s people that become career professors, you know, but there’s a strong correlation there. 
And So again, you know, congratulations because you got through it and there’s got, there’s, there’s probably a lot of frustrated IT managers in the world or people that, or even in cybersecurity or people in cybersecurity that are having a very hard time getting buy-in from executive management. Do you see the correlation there?

Speaker 1 | 07:39.892

Oh yeah. There’s a, there’s a direct correlation there. Um, if you. As an IT cybersecurity manager, if you do not align with the business, good luck. If you do not align, if you don’t understand the business, good luck. If you’re going to be so frustrated, you’re going to leave the industry. Because cybersecurity or IT even, it’s not, there are very few ways to have a direct one-to-one impact on revenue. It’s not a sales job where you have this one sales professional here. He sold 10 widgets and due to the profit margin, the company makes, you know, $2,000 or something along the lines of that. IT and cybersecurity is kind of it’s like, well, we’ve been we’ve invested in security. We hire five new cybersecurity professionals. We bought a new firewall and nothing has happened. And like that’s a benefit. That nothing has happened. And so you’re trying to show value and trying to align with the organization so you can continue to get buy-in because the better you are at your job, the harder it is going to be harder to get buy-in. Cyber security is a unique industry in that we are actively working to try to put ourselves out of a job. Because if you’re… were absolutely incredible and amazing security professionals, there will be no cyber attack. If there’s no cyber attack, there’s no need for the cyber professional. There’s no need for the cyber professional. What the hell are you doing?

Speaker 0 | 09:20.174

I think you just described the problem. I think you just described the paradigm shift that cybersecurity professionals need to make and I think are unwilling to make and are going to fight tooth and nail and are going to, like, I’m going to just upset a lot of people here right now and just say cybersecurity is not a job.

Speaker 1 | 09:35.906

Oh, man.

Speaker 0 | 09:36.647

I’m going to say it’s not a job. You know what I mean? It’s not a job. It’s an aspect of a job. It’s a bullet point. It’s something that the IT director needs to be responsible for or the CEO or the CTO needs to be responsible. Just erase CISO. Please cancel all the CISO podcasts right now. They’re worthless. By the way, you have a podcast. By the way, what’s your podcast? Please plug your podcast right here. And I know, you know, I’m joking. Just so everyone knows, I’m being sarcastic. Sarcasm is a behavioral derailer on page 59 of the company, some kind of company handbook where we decide whether you get a raise next year or not. But I am being sarcastic, but I am being serious about maybe it’s not a job. It might be an aspect of a job. And that might be a paradigm shift because everyone loves cybersecurity or the people that get into it, they’re so passionate about it. I’m going to make my career about it. And then you got half the people I talked to, they’re like, yeah, I was in cybersecurity, but I quit. Now I’m doing this. So, and I have C-level directors that are saying, no, cybersecurity is not, it’s not a job. It’s an aspect of the CTO or the CIO’s job. But then you’re going to say, well, no, then we don’t have… we don’t have separation. We don’t have a separation between IT department and security, and there’s gotta be checks and balances in place. And you gotta have, you know what I mean? So there is a very clear argument there and people are laughing at me for even saying that, but I’m throwing it out there to say, I don’t know. What do you, what do you have to say about that? And plug your podcast, please plug your podcast.

Speaker 1 | 11:06.725

Oh, I appreciate it. So my podcast is the MIC Club, uh, M-I-C, it’s Minorities in Cyber. Uh, and it’s, it’s pretty dope. Check it out. It’s a video podcast, so it’s on YouTube. But I agree to a point. I really do, because to say cybersecurity is a job and cybersecurity only comes from one place is inaccurate. Meaning we need cyber-aware nurses, we need cyber-aware doctors, we need cyber-aware chiropractors. And to say those people don’t need to understand security because they’re going to have a security team that does it. That is ignorant and completely negates the fact that small businesses run America. You know, there’s plenty of people that have to be cyber aware, that have to take on the role of a cyber security or security professional because they do not have a team. And to say only the team dictates and directs security for every organization, like you need a security professional because that’s just that job. No, we need every, it’s a team sport. Everyone needs to be cyber aware. But what I do think it is, I do think to a degree there is a part where there’s, where there is, where there are roles for security professionals, like red teaming, blue teaming to a point where you are a network administrator, but you’re definitely a security professional. You’re doing threat hunting, that’s definitely a security role per se. But I agree with the premise of what you’re saying, saying that it’s not a job because everyone should contribute to it. I think that’s part of the problem where some people are thinking that, well, you know what, the IT team, security team got me, so they have our back. They’re the security professionals, so I’m going to just go ahead.

Speaker 0 | 13:11.825

click this link one time. Yeah. Yeah. It might not even be a link. The easiest way to hack someone that I could do it, but I don’t need it. I don’t need any crazy hacking skills. I don’t need anything. I just caught my dad. Same thing. It really, it kind of rang home. Like with what happened, like your email from your mom, kind of the psychological behind it, by the way, uh, for everyone out there listening, um, uh, Dr. Erik Huffman has a, um, he has a, how long ago did you do the, um, the Ted talk? Was that a while ago?

Speaker 1 | 13:40.129

Oh, man, I think it was like three years ago.

Speaker 0 | 13:43.050

Okay. See, so he has a TED Talk that was relevant three years ago that’s still relevant today. So that just goes to interest around kind of like how people, how hackers can psychologically get in the mind of people and make them do things without even, you know, without thinking, you know, fast enough, I guess. So same thing happened to me, kind of, so to speak, with my dad, whereas what happened to him. And I still got this guy recorded. He’s still, I still get stringing this guy along. I’m still trying to do like a, like some kind of a, like a, like some kind of a, you know, reverse, reverse, like, you know, attack on him. Cause he’s, he’s got me. Yeah. I’ve got him. He’s a believer right now. He’s a believer. So, um, dude from India, I’ve tracked him down. He is from India. So I’m not trying to like, you know, anyways, dude from India calls my dad via Texas via a D.I.D. through Vonage or whatever group of D.I.D.s he bought, whatever, and describes himself as working for Microsoft, and I will help you clean up your slow computer, and I’ve noticed that on your computer you’ve got all kinds of illegal stuff that you shouldn’t have on your computer. Just scare tactic. I’m like, Dad, do you have this stuff on your computer? He’s like, no, no, no. I’m like, then what do you care? Stop. I was like, Steve from Microsoft, actually it’s Dominic, Dominic from Microsoft, is not going to call you. Microsoft is not going to call you and you don’t need to pay him $600 to clean up your computer. I don’t even know what the guy did. It was like spyware sweep or something free that comes on Windows or something. Then he puts his number on the bottom right-hand corner of my dad’s computer. My dad’s got some old XP box or something that he has to have. He cannot upgrade because he will not know how to use any. I tried putting a new computer on his desk once. Get this thing out of here. Get my old computer back on. I don’t care if I have to wait 45 minutes for the thing to turn on.
And all he uses it for is the family calendar. I’m like, dad, eventually I just, you know, anyways, guy puts his number on the bottom of my corner. Long story short, he’s been milking my dad. No matter how many times I tell my dad, we’ve changed his phone number. We have done everything. He, and this was the final straw too. He’s, he must’ve milked at least four grand out of my dad. And I’m, I’m doing everything I can literally. everything I can to stop my dad from talking to this guy. And I don’t know how he continues to keep saying yes to it. The last thing he did was the last old person that died. That’s been filtering money for him from a bank account over to India. He now got my dad to do it. So check this out, Mr. Howard. Um, I want to pay you $500 a month for what? Uh, I need you to go down the street, open up a bank account for me under this name. I need you to give me the routing number. I need you to give me this. And what I’m going to use, we’re going to go into business together. You’re going to be my business partner. I sell products online. I looked at this guy’s website. It’s such a joke. He’s selling like, you know, four gig like memory sticks for like 80 bucks. You know, like that’s the only shopping cart website. And I’m going to send you $500 every month just for you to open up a bank account for me. And when I ask you to, I need you to wire the money here. This guy has been using… elderly people to launder money to India and use them as a PO box as an actual business address with a legit LLC established in the United States that he can continue to use. And I tracked him all the way down to, but first he lived in Texas. Then he lived here. Then he lived there all the way down to finally one day I was like, yeah. yeah, I heard you’re going into business with my dad. This is great. Like, you know, awesome. Like, you know, maybe I can help you out because what are you, a call center? Like, where are you located? He goes, yeah, I’m in India. 
I’m like, okay, great. Like, are you having problems with like spoofing and like, you know, DID problem? Yeah, yeah, I need issue. I need help with like, oh yeah, cool. Like, let me help you out. I’ll get, we’ll get some, you know, international DID set up for you this. And then, I mean, we literally had to change my dad’s phone number, change everything and erase, basically erase anything on the computer somehow. But what happens is my dad’s flipping through some old mail or something and he eventually finds Computer Doctor 1-800; he’ll find it because he wrote it. The problem is my dad wrote the number down somewhere, and we don’t know unless I burn every piece of paper in my father’s house. But there’s, I don’t know, the point of the story is it’s not hard to put a human on a phone … and get them to get elderly people or anyone to send people money. It’s pretty sad.

Speaker 1 | 18:29.003

Yeah, that’s true. It’s very sad because I think we’ve lost, well, we don’t focus on the humanity of security and the humanity of this digital environment that we’ve created. So if you think about what we’ve done, we created, you know, like the iPhone, Android, your Mac, your PC, your laptop, Zoom conferences. These are things we created, whether you’re creationist, evolutionist, whatever, you know, it’s nothing that we were built for or created for us. And so the biological sensors that we have in us that say, hey, fight or flight, you know, things like that that occur, they don’t function the same way in the digital environment. So I imagine if I walk up to your dad and I ask him, hey, can I get your bank account and your routing number? He’s going to say no every time. But the fact that where the person is not physically there, the person is communicating using different means, whether it’s email, whether it’s phone. They can’t see, you know, the creepy dude sitting in their basement, you know, with just like Mountain Dew cans spread out everywhere. They don’t see that. And so they end up picturing whatever they want. Like an analogy I use to help people understand what I’m saying is, if you’ve ever read a book and you enjoy the book, and then you watch the movie and you hate the movie, that’s why. Because when you’re reading the book, you’re either reading it in your own voice or you’re creating characters in your head. And when you watch the movie, you’re like, that’s not how they look. That’s not how they sound. And it kind of alienates the narrative that you’ve created in your head and how you envision some of these things happening versus what you read and you digest. The same thing happens with email. Like if I communicate with someone via email, you’re going to read that email in your own voice. You don’t know my voice. You’re going to read it in your own voice.
And because you’re reading it in your own voice, which is a trusted voice, I’m going to sound nicer than what you think I actually sound. I’m not going to sound like some creepy dude, you know, with some deep, dark Vader voice or anything like that. I’m not going to sound like that. You don’t, the default person doesn’t read in that voice. However, the time when it changes is when you start spoofing. Um, so if I sent you an email spoofing your dad’s name, you’re going to start reading that in your dad’s voice. That’s typically what rose because you know their tone, you know their cadence. Unless I start using like slang and lingo, then you’re like, hold up, this doesn’t read well at all because this is not how this person writes. That’s how a lot of people are getting fooled, like a lot of smart, intelligent people are getting fooled because those biological barriers that we have, they don’t work the same way. We’re in an entirely new frontier in methods of communication. Like back in the day, my teachers said, hey, you will never have a calculator in your pocket. You’re going to need to learn how to do this long division. Kind of like jokes on you. I got a calculator in my pocket every single day. We haven’t seen like the technology progress and we’re just learning how to interact in this environment. The psychological barriers, the humanity of security, the humanity of breaches and cyber attacks, for the most part, I would say for about a good 90, by what research is going, like a 90 to 94% is our fault when we start looking at data breaches. A lot of it is our fault. The ones we hear on the news, the ones that are reported, you know, some of those people are going crazy plugging into the matrix and hacking, but the everyday attacks. The everyday attack that you were talking about with your father, there’s a lot of people going through the same thing.
The everyday attack is a lot less technically impressive because it’s a lot more psychological than it is technological.

Speaker 0 | 22:52.669

It’s just easier for people, too, and there’s less on the line. It’s easier for them to, I don’t know, steal $600 from 100 people.

Speaker 1 | 23:02.931

Oh, definitely.

Speaker 0 | 23:03.792

Then it is to go for the big kill.

Speaker 1 | 23:05.693

Definitely the fastest way to do it.

Speaker 0 | 23:06.894

Yeah. And yeah, there’s not much to be said about the scumbags of the world. I think they’re just always going to be there.

Speaker 1 | 23:14.938

Oh, true.

Speaker 0 | 23:15.298

Yeah. It’s just going to be like, it’s just, so we’ve just, there’s just more ways for people to rob people now, I guess is really what the summary is at the end of the day. And how do we teach people to be careful? Is there a metaphor to, did you grow up in Colorado? Yes, I did. Okay. I’m thinking I sit on the board of some nonprofits and stuff, and an email came through last night about security. And I sit on the board for a mosque in Hartford, Connecticut, and it is in the poorest, poorest, poorest section of Connecticut. I mean, we’re picking people up off of angel dust off the street, putting them in ambulances. People are getting shot. It’s not a safe place. And we were just talking about, like, hey, don’t get too comfortable. People are always watching us. People are always casing things out. People are, you know, things this and that. Just because we’re the good guys in the street doesn’t mean that you’re not going to get robbed or you’re not going to get this. And I remember we were just talking just in general physical security, people that can carry, should carry, you know, stuff like this. And your conversation, I mean, what you just said, just in general about, you know, hey, it’s, you know, there’s, they don’t see the creepy dude in the basement with the, you know, the Mountain Dew cans. Why Mountain Dew? I guess it’s just Mountain Dew. I’m just, you know, something about Mountain Dew. I wonder how much of a correlation there is between that and still just, you know, just feet on the street. You know what I mean? It’s almost like, uh, there, it’s, it’s the same thing. There’s, there’s something to be said about, uh, criminals and you, you really, I think most people that are, I think the majority of people I would like to think have good intentions or the average people have good intentions.
And then the, the really, you know, good people, um, like you mentioned, um, like some other people that are more apt to, I think you mentioned a pastor or someone on your, in your TED Talk or something like that, you know, how he was susceptible. Right. I think there is something to be said, how do we communicate to that group of people? Like, hey, don’t get too comfortable. Like, don’t just, you know, like what are some of the rules for, what are some of the rules that you communicate to people on what to look out for or what to be careful of?

Speaker 1 | 25:59.203

Definitely. It starts with, it’s gotta be cliche. It starts with knowing, knowing yourself and how you’re susceptible. Knowing that. Everyone can be had. So you need to have the situational awareness to know what kind of person you are, how is this person communicating with you, how are they looking to psychologically exploit you if possible. For example, I was born and raised in Colorado, but my family’s from the South. My mom and my dad, they’re both from the South. I was raised to hold the door open for everybody and especially a woman. And security. Yeah, it is very hard for me to let that door close. You know I’m supposed to let that door close, but everything in me says hold that door open. Yeah, you know, because they may be, it may be raining, they may be running late, they may be running towards the door, but yeah, but you have to let that door. That is extremely hard for me. And you know that, how like your situation, like psychologically how you feel, is based off your emotional state. Your emotional state is based off of kind of what’s going out there in the world. So if you’re getting contacted, uh, from someone that’s trying to, uh, exploit to give you money or something like that, send you money, ask you, some of it’s that basic, some of it’s not, uh, but if so, you know, have that situational awareness to know, hey, this is where I’m vulnerable right now, I probably need, I probably need to think twice. Um, it’s difficult because it’s not really going to stop. The attacker has gotten a lot smarter. Most people still think the Nigerian prince is the only hack that’s out there, the only digital social engineering attempt that’s out there. No, it’s not.

Speaker 0 | 27:54.356

Let’s just tell some stories. Let’s tell some crazy stories then. What’s the craziest story you’ve had as of recent?

Speaker 1 | 28:02.138

I do a lot of research. I do a lot of research. And I’ll… A lot of my research is based off of cyber psychology, which is like a field that I’m trying to help sign, where I particularly focus on digital social engineering attempts. So I work with a lot of organizations. I send out, I conduct a lot of phishing campaigns myself. And one instance that comes up, I typically, I send phishing attempts out in three categories. Kind of number one is like, ain’t nobody going to fall for this. Like I’m just throwing stuff out there to see who’s going to click on what, you know, obviously it’s contracted with the organization. They know I’m coming, whatever. If I’m like, hey, I’m gonna go ahead and just send, send like, just whatever I say, ain’t nobody going to click on this. The middle is kind of like, it’s pretty good, but you’re going to have to do, you have to look to find out, like you have to be pretty aware to find this out. And then kind of the last category is I’m cheating. Like you’re probably going to click on. This is really, really, really good. I’m cheating. I’m using all kinds of attack methods and all kinds of technology involved to make sure this clicks well. There was an instance where there was an organization I worked with. There was a gentleman that clicked on one of the ain’t nobody going to click on it. It was very evident, very obvious to me. It was the cliche, hey, we hacked your camera. We saw you looking at adult websites. If you do not send us like three Bitcoin, which is like $11 billion, like we’re going to send this to all your contacts because we have access to all your email contacts. You know, the very, very classic. I’m like, nobody’s going to click on this. Nobody’s going to even respond to it. I got a response. And I’m like, huh, there ain’t no way. And so I respond back. Like, all right, like, so, like, kind of game on. Like, I respond back. Maybe this person’s just trying to mess with me. I’m down with it. Let’s have a little fun.
So I respond back. And I’m like, okay, like, like, thanks for, thanks for your prompt response. Go to this, click on this link, go to this website, fill out your contact information so we can, we can help process the payment. So I’m like, all right, this is where it’s going to stop. This, this, this is where it’s going to stop. No, he clicked, he clicked the link, filled out all the contact information, sent it back. At this point, then I’m like, all right, go to this link. Give us some PII, like definite PII, send it back. He does it. And I’m like, okay, timeout. Like, I’m not hacking. Like, you know, I’m here for research. I’m not hacking. Like, timeout. Every time we conduct a research study, part of my team, we do semi-structured interviews. So, brought him in, and I was like, hey, Mr. Doe, John Doe. Um, you, we, we conducted a phishing campaign based off of this research study, uh, approved by your company. You failed based on this, but you failed in this way. What’s going on? And so what kind of hit, what clicked, what hit home to me was that semi-structured interview turned fat. You know, he started bawling, started crying because he and his wife were arguing about something very similar. He viewed that his watching adult videos was cheating and he wanted it to go away. He thought someone caught him and was going to let her know. And so he wanted it to go away so he could save his marriage. And I’m like, oh, my God. Makes sense. Yeah. Yeah. Some of the things like that, when I heard that, kind of like technology can’t patch that. And so, like, you need to do some self-awareness. Like, you need to talk to whomever you need to because technology can’t patch that. There were other instances during COVID when everything, everyone was locked down. Everyone’s locked down and bored. I went into full research mode. And so I started going, I was working with another organization and I spoofed out the CEO.
I’m not, took the gloves off, playing hardball, you know, using the pandemic and the unknowns of the pandemic against people. And so I’m sending out, sending out phishing emails, digital social engineering attempts. And the company failed miserably.

Speaker 0 | 33:08.552

Do you need people to do this? Because I’m like real good at this stuff. I can send out emails. This sounds like fun, man. This is great. I’ll pay to do this and you don’t even need to pay me. I’ll pay to do this. Anyways, go ahead. Go ahead.

Speaker 1 | 33:21.701

I’ll be, I’ll be in contact because we can certainly use that. Like this, the, the company failed miserably. And because the company failed miserably, we followed up with, with a lot of people that fell, and they were scared for their job. It’s like, hey, we thought we’re going to get laid off. People are losing jobs during the pandemic. And so I spoke with the CEO, like, hey, you’re going to have to put out a press release. You’re going to have to talk to your company because anyone that spoofs you right now is probably going to get through. And a lot of people know who you are. It’s a very large company, an extremely large company. And so, hey, people know who you are and they’re scared. They thought, they think you’re going to lay them off, and so unless you do something about that, anyone that spoofs you most likely is going to get a response because they’re scared. They’re scared for their job. So if you think of like the old, I want to say cliche, it’s not cliche, some people live by it, some people absolutely love it, you know, like Maslow’s hierarchy of need, they end up, they’re down there like, hey, I just need to survive. Like we need food, shelter, all this stuff, and I’m going to lose my job, which means I’m going to lose that. So there are countless amount of stories I could share just working with different companies, working with different organizations and helping them understand the humanity that they’re dealing with.

Speaker 0 | 34:53.871

I think we need to stop there just because and say, make a very key point when training other cybersecurity professionals or people to get into the field because they believe it’s going to be fun or this is exciting and this is what I want to do. It’s all very selfish, all very inward. This is what I want to do for a career, blah, blah, blah. I’m not saying that that’s a negative thing. I’m just saying it is from that standpoint. You need to learn to sell yourself. You need to learn to be able to translate why your department is so important. You need to be able to say, again, well, I’m always looking for ways that cybersecurity can actually make the company money, right? Or save the company. And this is one, this is very key right here. This is where like, you can actually translate how a cybersecurity rule has translated into what the hell’s going on in my company? What do the people think about? What do they think about me? What do they think about this? That’s valuable data. That’s very valuable data. So I think. I don’t know. I would put that at the top of the list of top five things that cybersecurity professionals do to help make the company money. I just thought of that off the top of my head. I mean, we should write that article. That should be the top five ways cybersecurity professionals make the company money. Because that’s going to be a tough one. We need to come up with four more.

Speaker 1 | 36:23.702

You’re right. The fact that… Organizations don’t look inward. And one thing I did note in my latest study, no, it was a study before that, was poor leadership is a vulnerability. But if you lead by fear, it’s a vulnerability. Because I’m a spoof Mr. Mr. CEO, Mr. CEO, Mr. CCO, and that name that they see, they see that person’s name, it’s going to spark fear. And when it sparks fear, that person is going to be more prone to react, you know, that, uh, I need you to, all the way to some basics that some people fall for. A lot of people don’t, though, like the Amazon gift cards, the iTunes gift cards thing. Why people act, why people, like, why do they go buy the gift card, scratch off the back and sit on that stupid, yo, like, why do people do it? They do that because they feel they either have a poor relationship with the person that they’re being spoofed by, or they’re just scared for their job. Like if I’m scared for my job, I’m more prone to just like, hey, I got to make this person go away.

Speaker 0 | 37:44.005

That’s another one that happened to my dad. He’s had everyone happen to him. And I think it’s, it just tells me that like someone hacked my dad’s email, probably the same dude, and sent out and messaged to everybody that’s like, my granddaughter’s sick. She broke her leg or she’s in the hospital or something like that, and I’m just trying to buy her some Google Play gift cards and I’m at Walmart and for whatever reason this, this, so I need you to go, please go down to Walmart, buy her some gift cards and give me a call. And then, like, literally, like, can you scratch off the thing? I was like, you gotta be kidding. I was laughing, like, no one’s falling for this, there’s no way. One guy in town did. One guy in town did, the selectman, the head of the town selectman. Oh man, the town selectman, just because he has friends and my dad, and like, you know, I mean, like, so anyways, number one, the top five ways cybersecurity professionals can make the company money: what are your employees thinking about you and how can you increase morale? And there has got to be some sort of ROI. There’s got to be some sort of numbers around increasing employee morale increases, you know, I don’t know, we can find out who to fire. And now we just saved on labor costs.

Speaker 1 | 38:59.016

There’s gotta be,

Speaker 0 | 39:02.979

there’s a no who to fire and how to increase morale, who to fire, how to increase morale. This is getting better. That,

Speaker 1 | 39:09.044

that study got to be out there somewhere. Someone did a study on morale and ROI. I’m confident that’s out there somewhere.

Speaker 0 | 39:18.492

Oh, for sure. For sure. So, and we could just say that, and you know, in the article, you don’t even need to like cite or cite it. People would just believe it. I mean, that’s what we do. People are just going to believe you because you say, because they got the email from bankofarnarica.com. Remember that one? Oh,

Speaker 1 | 39:33.512

yeah. Yeah, the amount of disinformation and how we digest disinformation is insane.

Speaker 0 | 39:40.156

We should have the, you know, I think we have, I just thought of a new section that I should put on this show, and it should be conspiracy theories. We should have a conspiracy theory section of the show, and we could talk about now. This fits so perfectly into what we’re doing because think of how much info that we’re fed on a daily basis and how much of it is complete garbage. I mean, it’s just, as long as we say it, they’ll believe it. As long as we say, um, you know, I am who I am, you’re gonna send me money.

Speaker 1 | 40:09.944

Oh, for sure. For sure. People are more prone to trust the messenger before they trust the message. That’s pretty sad. If your best friend posts up like, hey, this thing is real. And you’re like, okay, I believe that. It came from my best friend. It came from my best messenger, so I’m more prone to trust the message. And it… What tells you that’s wrong? They’re not saying that the information is wrong. You’re internalizing that. A lot of people internalize that as you’re calling my best friend wrong or you’re calling my mom wrong. Like, it’s kind of like the mama’s boy. Like, mama’s wrong again. You’re like, no, mama’s never wrong. And so you’re not really arguing the message. You’re arguing for the messenger. It’s sad. It’s unfortunate. It’s very unfortunate what’s going on.

Speaker 0 | 41:10.901

So I don’t know if there was even a theme to the show, but it’s been a ton of fun. It’s been a lot of fun. If there was just maybe in general, if there was one piece of advice that you could offer to the listeners out there, and the majority of the listeners are IT directors, IT managers, CTOs, you know, that type of thing. People that would say cybersecurity is not a job. People would say that it’s a responsibility that falls underneath mine. If there was one piece of advice that you have that you’ve seen, learned, like one kind of weird, I don’t want to say weird, but just something that’s maybe unique to you that you’ve noticed, a piece of advice, tip, trick, or whatever, to maybe selling cybersecurity or whatever it is, what would that piece of advice be?

Speaker 1 | 42:00.212

Yeah, probably the number one thing I would say is that security doesn’t exist at all. Only certain levels of insecurity exist. And so don’t think of how secure are we. Think about what levels of insecurity have we accepted? What levels of risk have we accepted? And if you look at your job from that perspective, it makes it a little bit easier rather than, hey, is everything locked down? Well, just look at what have we allowed, what is open? Because if you want to think, all right, we’re secure, then no, you’ve missed it. You’re not secure. You’re insecure to what degree? And if you know you’re not secure and you understand the degrees in which you’re not secure, it makes it a little bit easier to digest, makes it a lot more realistic for you to do your job and lead the organization and lead the company versus we need five new firewalls because we need to lock down all these things. Put that in perspective of, well, we have these insecurities that we’ve accepted or that we haven’t accepted that we need to mitigate unless and let’s patch those up so we can move forward. We need to do A, B, and C to patch up these vulnerabilities, these risks, because the level of insecurity in which we are at is outside of our acceptable range, rather than let’s shoot for 100% secure, which doesn’t exist, unless it’s pen and paper. And this is probably going to age very poorly because at some point in time, someone’s going to hack pen and paper. Then we’re going to be like, how the hell did they do that? But that’s my number one word of advice is don’t chase the unicorn. Don’t chase 100% secure. Don’t chase lockdown secure because it doesn’t exist. Figure out what you have open, patch that up, get to an acceptable level of insecurity versus let’s get secure. Because if you’re getting secure, you’re just not going to happen. Don’t plug it, turn it off. Rip out the battery, then it’s secure.

Speaker 0 | 44:30.226

That’s beautiful. Yeah, anything that’s always going to help us step out of our comfort zone and sell security or sell IT to upper management, I think just starting off with accepting that we’re not secure. We are not secure. I just want to let everyone in this room know I am head of cybersecurity and we are not secure. And as long as I am employed here, we will not be secure. Does everyone get it? Everyone will be like, what? What are you talking about? Stop chasing the unicorn. Just start saying, what? This guy’s crazy. No, for real. No, we’re not secure. I think that’s great. We are not secure. And then send it to him via email and then text him that and then put it up on social media on the website and then put, well, not on the website, but somehow send it to him through social media that we are not secure.

Speaker 1 | 45:29.224

If that happened, that would remind me of the old Dave Chappelle skit where keeping it real goes wrong.

Speaker 0 | 45:38.247

So-and-so decided to keep it real. What did we have with Dave Chappelle the other day? Something came up. I’m trying to remember. Anyways, hilarious. I’m keeping it real. I think it was something about, you know, I think it was something about, like, you know, you can raise a kid. Well, I know, I remember Chris Rock saying, you know, you can raise a kid on your own. That doesn’t mean it’s a good idea. Doesn’t mean it’s a good idea either. And Dave Chappelle had some version of it as well that was like, anyways, thank you so much for being on Dissecting Popular IT Nerds. It has been an absolute pleasure.

Speaker 1 | 46:13.074

Thank you so much for having me.

HOSTED BY PHIL HOWARD

Dissecting Popular IT Nerds Podcast