
82. What is SOC1 & SOC2… Should I Care?

Dissecting Popular IT Nerds

Scott Geye

Experienced Security Consultant with a demonstrated history of working in the information technology and services industry at a high level. Skilled in Cloud Security, Payment Card Industry Data Security Standard (PCI DSS), Information Security, Auditing, and SSAE 16. Strong information technology professional with a Master of Science (M.S.) focused in IT Service Management from The University of Dallas.

Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.

What is SOC1 & SOC2… Should I Care?

3 Key Takeaways

Episode Show Notes

Scott Geye, IT Audit Manager, and Phil Howard review IT due diligence


  • Malware causing iron spills
  • Lost Laptops
  • Storing data on behalf of others
  • Battle scars
  • Multi-factor authentication
  • Pen testing
  • User training
  • Articulating risks specifically

Transcript

Speaker 0 | 00:09.565

All right, welcome everyone back to Dissecting Popular IT Nerds. Today we have Scott Geye. Am I pronouncing this right, Guy? I do this to myself every show. Guy, is that correct?

Speaker 1 | 00:19.170

It’s Guy.

Speaker 0 | 00:20.070

Guy, I’m an idiot. Well, there we go. First faux pas of the show. Anyways, we have Scott Guy on the show IT Audit Manager at Holtzman Partners. And to be honest with you, I just came from the doctors and my brain, again, is really failing me today. I popped my knee pretty badly in jujitsu. So that’s kind of like the first horror story. It wasn’t too bad. I didn’t end up being like a torn ACL or MCL or any of those things. But I kind of wanted to start this show off with horror stories. And as many horror stories as you can.

Speaker 1 | 00:59.624

Come up with now. But before we do that, I kind of want to just, let’s just introduce what you do as a living and kind of what you do every day, all day. And let’s just start there. So in the world of public accounting and IT audit, there’s really two parts that make up the majority of what I’m involved with. One of it’s all primarily around auditing IT systems, controls and access and things like that. So that’s normally driven by two main factors, one being controls over financial reporting. So let’s say if you’re a public company, or perhaps in some cases, private equity-backed companies or companies that have backing from commercial lenders are sometimes required to go through kind of like a financial statement audit. And part of that is looking at the internal controls over the systems that underlie that financial reporting. So let’s say, as an example, if you outsource your payroll process, payroll is pretty much always a financially significant account in most companies. So if you use an outsourced payroll provider, if you’re getting a financial statement audit from that, then you’re going to need to demonstrate that there’s adequate controls over the systems that underlie it. An example of payroll providers, you know, they’re processing important account transactions or creating a file suite for that.

Speaker 0 | 02:30.845

W-2s, things like this, what people get paid, massive amounts of data, massive amounts of data on individual employees and kind of, you know, some stuff that might be a little bit sensitive.

Speaker 1 | 02:44.434

Yeah, or, you know, tax rates in different companies. So, you know, if you’re not managing that internally, then those organizations need to be able to provide what’s called a SOC 1, a system organization control report, covering their internal controls over that process that you as their customer are kind of relying on, so that your financial auditors can get comfortable with the controls around that for them to rely on.

Speaker 0 | 03:11.068

Now, for people out there that are familiar with SOC 1, SOC 2, Sarbanes-Oxley, I’m various different reports that they need to get or audits on making sure that they’re checking all the boxes. Let’s see, you know, there’s some other fields that have other types of, I don’t know what, what we would call this audits, maybe a HIPAA guideline, audit, audit, maybe a, what’s wrong with me? Credit cards again. PCI, thank you. Brain failing for the third time today. PCI compliance from, for people that don’t need to get these reports. that aren’t forced by law or severe problems could arise if they don’t do this reporting. What can you offer out there, just real quick, as a benefit for people that don’t have to get this stuff done? Like, what kind of things are you finding that are like, again, let’s maybe just jump into like a horror story or like, what’s the kind of what’s some of the worst things that could happen to people that don’t aren’t, you know, don’t have to follow these compliances and should they?

Speaker 1 | 04:16.672

I mean, you know, in the course of different assessments that I’ve done, we’ve come across, you know, a variety of, you know, pretty bad things, whether it be, you know, basic things on more of an HR side where an organization wasn’t adequately, you know, handling their termination of employees and their benefits and insurance and, you know, payroll systems and ended up paying, you know, millions of dollars to people that didn’t even work for them and having to go back and restate financials as a public company. You know, that’s a pretty serious, you know, thing to happen that can really infect, you know, investor outlook on the company and, you know, really reflects poorly. I’ve seen assessments where, you know, large… service providers that you would expect to be fairly proficient at these things have failed to. The worst case scenario, I saw an organization put up a JBoss server with default credentials exposed to the internet that was definitely accessed by someone not authorized by the company.

Speaker 0 | 05:20.849

And when you say service provider.

Speaker 1 | 05:23.826

It was a software as a service provider, so you can’t get into exactly what they were doing.

Speaker 0 | 05:28.929

No, no, no. It’s all good. I’m just wondering what kind of service provider. I’m assuming there’s a lot of kind of bootstraps or startups or people that grow really fast that miss on a ton of stuff.

Speaker 1 | 05:38.496

And this was a very large scale, large service provider with very large customers. And it was well established. But they had someone access their JBoss server that they had thrown up. And ultimately, we found that in the course of the audit. They were unaware of it. And I don’t have full details into what ultimately happened, but I’m pretty sure they didn’t actually investigate that, which is alarming.

Speaker 0 | 06:08.177

Now, how do you think something like that happens? Is it just, we’re just on everyday business? We’re just running, you know, business as usual, like keep running, you know? you know, run into whatever the next number is and not too concerned about security because nothing’s happened yet? Or is there just a general oversight or, you know, what are we doing here? Maybe we can sell security a little bit for all those people that are having a hard time getting the,

Speaker 1 | 06:31.870

I don’t know,

Speaker 0 | 06:33.091

the budget approved.

Speaker 1 | 06:35.032

In that specific organization, they didn’t have someone, you know, to have ownership over security. So seven or eight years ago, it was a little bigger than the game right now. But they didn’t have a security officer. They didn’t have a security department. They didn’t have anybody really monitoring, you know, security alarms. It’s a security minded individual. So there were lots of things that were wrong there. And then ultimately when it came to, you know, conducting a forensic examination, there’s obviously lots of politics behind wanting to do that, you know, not having cyber liability insurance to cover those sorts of things, maybe, or, you know, not having qualified people internally to perform that investigation on their own. Ultimately played into that failure there.

Speaker 0 | 07:21.336

So it was kind of prior to the biggest big financial hacks and history and stuff. It kind of was just back in the day more where some of the stuff, the oversight might have been a little bit easier. How do you feel the environment is nowadays?

Speaker 1 | 07:36.964

It’s still pretty much a very mixed bag. Even on the service provider side, I would say some of the more established software and service providers, they’re kind of… really relying on old code and, you know, having to maintain kind of a legacy architecture, more challenged, whereas some of the more nimble startups are really able to leverage, you know, some of the new stuff we’re seeing with, you know, continuous integration, continuous deployment, containerization, and things that I think allow them to be a little more sophisticated in their approach to security and monitoring their environments.

Speaker 0 | 08:16.741

Gotcha.

Speaker 1 | 08:17.862

So, horror stories, worst ones you can think of. Other ones that I can think of, the things that kind of are scary. I think the first one a lot of people are familiar with is, like, the Stuxnet virus, in which, you know, it’s assumed the U.S. intelligence and Israeli intelligence agencies sabotaged one of the Iranian nuclear facilities. And that was really one of the first real hacks where, you know, a hack had impact on the physical world. And we’ve seen, you know, some subsequent things like that. In 2014, I believe, there was a German steel mill that was attacked. And some of the details haven’t been specifically disclosed. Due to the improper kind of shutdown of things, a blast furnace was severely damaged. You know, so we saw real physical damage to a plant due to a cyber attack.

Speaker 0 | 09:20.932

And that was like iron, what was that, like molten iron or something like that spilling over?

Speaker 1 | 09:25.914

They aren’t real specific on what the actual damage was. Obviously, there’s a lot of concern with the details of those sorts of attacks. But it was significant physical damage and it was related to a blast furnace. So you would kind of assume that’s kind of part of it.

Speaker 0 | 09:41.522

But it led me to start going down the road of thinking of the type of things that could happen where you’ve got assembly lines and maybe things that are kind of automated, pouring poisons or molten iron or something like that. And someone just packs in and changes. We’re not going to pour for one minute. We’re going to pour for 30 minutes and just overpour things or something crazy like that. Am I too out there? Am I thinking too out there?

Speaker 1 | 10:06.553

No, no. That’s exactly right. I mean, do you think about all of the systems out there that have industrial control systems, SCADA networks, you know, controlling things like valves, pressure, and, you know, and specifically the Stuxnet instance, you know, that even created false information to report back to the monitoring utilities, you know, so that they couldn’t actually see the negative effects as they were happening. So it’s not just affecting those things. It’s, you know, they can hide the fact that it’s even happening through, you know, reporting back through the monitoring utilities. And we’ve seen, you know, another instance of this in Ukraine in late 2015, I believe, where the power grid, you know, utility provider was taken over and they started shutting down circuit breakers in the power grid. And, you know, a lot of this has been reserved more to, like, state actor, you know, intelligence agency type organizations that are highly sophisticated and have the time and budgets to plan and design these sorts of attacks. But, you know, criminal elements are, you know, making tons of money off ransomware and those sorts of things. So the financial incentive is there for them to, you know, continue to develop more sophisticated attacks. And this is certainly an area that, you know, kind of draws a lot of concern, I think, and keeps people up at night that have to deal with these sorts of issues. Now,

Speaker 0 | 11:39.186

one of the things that I get a lot of, I don’t know if I want to call it complaints. If I asked someone what their biggest struggle, concern, battle is kind of internally or in their IT role or technology role, it’s a lack of resources and not investing enough in some of the things that maybe larger companies have the ability or are forced to invest in, that you then go in and do full audits on. Is there, why do you think that is? Is it just a general old school mentality of it’s not going to happen to me?

Speaker 1 | 12:23.046

That certainly does exist. Organizations that, you know, don’t, a lot of times it’s either, a lot of times executives I feel like. maybe don’t adequately understand the risk. And maybe it’s because they don’t have the people around them to really explain that to them.

Speaker 0 | 12:40.744

Let’s explain it. Let’s just explain it right now. Let’s skip right ahead and let’s give IT people out there the best bullet points and the best firepower we can give them to explain, a.k.a. sell to upper management. sell to upper management the reasons as to why we should be investing more in security?

Speaker 1 | 13:06.714

I think the most, the easiest route there really comes to if you have any sort of regulated data, you know, right, credit card numbers, protected health information, that sort of thing where you’ve got, you know, a legal obligation to do certain things.

Speaker 0 | 13:24.348

So first of all, we’re not following the law or we’re not, you know, we could get fined for this. Yeah, especially argument number one.

Speaker 1 | 13:31.530

And let’s say specifically in HIPAA, you know, there’s, while it’s not really, you know, heavily enforced, there is, you know, some negligent terms in there, whereas the executive, if they’re willfully ignoring some of the risks, then they have personal liability for it. That doesn’t exist in all sorts of situations. But, you know, we’re seeing a trend in that direction if you look into some of the court cases where, you know, at the executive level, ignoring. you know, certain warnings and risks and alerts.

Speaker 0 | 14:03.759

I love it. This is like the ultimate fear. This is like real, you know, salespeople always get a bad rap for what is it called? Fear something. And I can’t remember it, but whatever those, whatever those psychological terms are used to like to, you know, convince people, but there’s some good fear factors. Okay. Negligence, personal liability. I mean, Hey, this company might not get sued. You might get sued.

Speaker 1 | 14:26.709

And you know, a big example of this, um,

Speaker 0 | 14:29.190

Fear, uncertainty, desire. Sorry, FUD. Fear, uncertainty, desire. Okay. That’s not what we’re doing here. That’s not what we’re doing. We’re giving actual, we’re using real facts and figures, but keep on, go on.

Speaker 1 | 14:41.673

And one big example of this, you know, people think, people don’t really think about the FEC or the FTC, the Federal Trade Commission, as being, you know, a big player in this, but they’re really kind of like an 800 pound gorilla. The big example of this is WebMD. And I can’t remember the specifics of how this breach happened because it was years and years ago. they were basically heavily pursued by the FTC, by regulatory actions. And the company has been long non-existent. This destroyed the company. Or its lab, I’m sorry. And even after the company was dead, the FTC was still pursuing regulatory actions. So there is instances where failing to do this can destroy the business. Now, if you don’t have those sort of… you know, regulatory legal obligations to do certain things, then it’s much more of looking at, say, you know, what we’re seeing in trends in like insurance claims and what we’re seeing in as far as business loss and business interruption due to lack ransomware. And a big one that we’re seeing right now on the ransomware side, tying back to, you know, organizations not really having the resources, a big place this hits is in municipal governments, you know, school districts, city governments. And, you know, a lot of getting the budgets and things isn’t necessarily that, you know, the people in charge understand it or anything like that, but just the political process of getting funding.

Speaker 0 | 16:16.699

It’s crazy. A lot of times it’s a shared kind of almost like a shared budget. They kind of they all kind of vote and divide things up and it might not be the best way to make decisions on security.

Speaker 1 | 16:28.986

Yeah. And that presents a unique challenge. You know, I’ve audited a number of school districts, you know, city and county governments. And that is a huge challenge on their side. They’re very strapped for budgets and they have very complicated networks with specifically school districts. You’ve got all kinds of smart whiteboards and all kinds of odd technology that’s not generally part of most people’s jobs.

Speaker 0 | 16:55.850

And without making this political, someone should probably go lobby the government for some grant money or something like that for this.

Speaker 1 | 17:01.114

Yeah, I mean, there is some of that out there. But. Probably not enough.

Speaker 0 | 17:07.587

Yeah. Okay. So business, we’ve got regulated data, negligence, personal liability, FTC, general business interruption through ransomware. What, as far as ransomware goes, do we have any numbers on that? Do you have any statistics on that?

Speaker 1 | 17:32.865

Um, I mean, uh, Oh,

Speaker 0 | 17:35.626

here’s a good question. How many people that have experienced a ransomware attack are completely put out of business? Any clue?

Speaker 1 | 17:43.612

I couldn’t tell you off the top of my head. I mean, most people are generally able to recover because really ransomware comes down to having, you know, adequate backups and most organizations, you know, they might lose revenue, they might have downtime, but most organizations have at least decent enough backups that they can recover. and not be destroyed as a business. But there are certainly some that don’t and go completely unfairly. It does happen.

Speaker 0 | 18:13.068

Since the last time we talked, my sister’s hospital had a ransomware attack, shut down Epic for three days. That must have been fun for that IT manager.

Speaker 1 | 18:23.931

Yeah, healthcare is another place where we see a lot of problems with ransomware. A lot of it comes down to… especially in the healthcare providers versus health IT. The lack of resources, in my personal experience, this is my personal opinion, in a lot of the healthcare provider organizations that I’ve worked with, or they’ve got a lot of doctors and things overseeing business operations. I’ve not entirely been impressed with some of their risk-based decision-making around IT. Uh, healthcare also has a unique challenge because kind of like healthcare, they’ve got a lot of weird types of technology, you know, um, that, that are, you know, uh, existing in a lot of other organizations and they’ve got, you know, say different sorts of certification processes involved in those systems that make it difficult to patch things in a timely manner.

Speaker 0 | 19:21.468

Um, yeah, very difficult. I think you, I’m la I laughed because you made me think of my family because everyone in my family is with the exception of a few of us. are doctors, MDs, surgeons, anesthesiologists. They work in healthcare of some way. So when you said doctors overseeing business operations, not making the best decisions, it made me think of my father. So it’s just, it’s really funny. I can see that and I can see the mentality and I can see the way decisions are made, especially in large practices or large private practices where you might have a group of doctors and it’s almost impossible to get all of the smartest people in the room into one room. So how do you get, you know, five people that are all the smartest people in the room to make a decision that would be, you know. cost money, right? And so there’s some stereotypes about doctors I’m allowed to throw around because I come from a family of them. So that’s great. Let me ask you a real blunt and honest question. How exciting is your job or what do you do to make your job exciting?

Speaker 1 | 20:30.336

You know, the day-to-day work of auditing is probably pretty dull. You’re looking at access listings, you know, different types of reports. spreadsheets, screenshots. And the thing that I enjoy is interacting with a client, getting, you know, especially when you’re dealing with a new client, you’ve got to, you know, get in and understand their organization, you know, their environment, their risks. Whenever you can, you know, be more of a collaborative advisor and, you know, actually, you know, help them kind of sort through their problems as they deal with this. That’s the more interesting part of it to me. Um, also kind of, you know, the opportunities to do things like this and, you know, present at certain events and, you know, get a little more involvement in the professional communities and, you know, organizations that, um, are kind of pushed when you’re more of a consulting sort of thing.

Speaker 0 | 21:26.035

As maybe like a short punch list for IT directors out there. And when I say IT directors, I would say the majority of the people that listen to the show are in an IT leadership position of some sort, with anywhere from maybe 200 to 2,000 end users, with a team of people and a ratio of IT director to end user, or IT staff to end user, of like one to a hundred. Right? So you’re like that professor in a large hall trying to get as much done as you can possibly get done. What would be maybe five bullet points? And it doesn’t even need to be five. If it’s three, fine. The top three, whatever it is. But what are like five things that they could do that they might not be doing that would be eye-opening for them or eye-opening for executive management? You know, I think we did really good with the, you know, regulated data, negligence, personal liability, FTC, you know, business interruption. What would that cost us if that ever happened? But what are five things that they could look at or measure or do to help improve their organization, especially considering they might not have any reason to go get SOC, be SOC compliant or anything like that?

Speaker 1 | 22:36.618

And the biggest thing, if you, and I always tell me, if you haven’t done it yet, I mean, multi-factor authentication is just huge. That’s one of the biggest, easiest things you can do to make it more difficult to, I mean, stolen passwords. I mean, if you’re still…

Speaker 0 | 22:52.989

Let me ask you honestly, how many people don’t do it? How often do you see it?

Speaker 1 | 22:58.873

It’s much less now, you know, particularly since I’m very focused much more on service providers, they tend to be a little more sophisticated. So most of them, we at least see two-factor authentication for, say, production environments.

Speaker 0 | 23:11.015

Isn’t that kind of like a general, like, shouldn’t everybody be doing that? Even consumers?

Speaker 1 | 23:20.318

Honestly, your banking provider should be doing it. I mean, they do for certain types of customers and some providers do it. But it definitely needs to be more thoroughly distributed. And it still does have its… risk. I mean, you still can do, you know, phishing of, you know, two-factor authentication in certain cases. So it’s not a silver bullet, but it’s one of the easiest, most impactful things that you can do if you haven’t done it already.

Speaker 0 | 23:49.192

And just describe multi-factor authentication in simplicity for anyone that, I don’t know, there might be a CEO listening. There might be a non-IT nerd out there listening. You never know.

Speaker 1 | 23:58.778

So, you know, authentication can be based on something you know, like a password, something you are, like a fingerprint or an iris scan, or something you have, which would be like a token. So when we say two-factor authentication, it’s usually you log in, your username, your password, and then there’s a second authentication factor required. Typically, we see that through like a push notification to your phone, or there’s a code that you have to enter. It could be a physical key that has to be plugged in.

Speaker 0 | 24:34.591

Cell phone, send you an email, something like that.

Speaker 1 | 24:37.133

Something along those lines.

Speaker 0 | 24:37.894

Text message, yeah.

Speaker 1 | 24:39.375

Or just because, you know, your password has been stolen from some website and you’ll reuse that somewhere else. Just because someone knows that password, that’s not enough to log in. They need that other factor that they don’t have access to. And that can, you know, rapidly kill, you know, a way that, you know, is widely still used to get into an organization.

Speaker 0 | 25:00.329

Okay. Multi-factor authentication, number one. Next one.

Speaker 1 | 25:05.526

You know, and… I would say, you know, especially from the IT director’s level, if you haven’t actually done a thorough IT risk assessment and included the business units in that process, because I can’t tell you how many times I’ve been in an organization where once we pull together, like, say, customer contracts, I see things where, you know, IT is completely unaware of things that the organization is committed to doing in a contract as far as security. And they aren’t doing it because no one ever told them that they needed to be doing it.

Speaker 0 | 25:41.240

So basically, shadow IT decisions that were made that might not be totally shadow handed down to IT, but without full transparency.

Speaker 1 | 25:51.648

Yeah. So understanding the commitments that have been made, where and what types of data you have to be stored. And actually articulating the risk that’s associated with that when it comes back to communicating. You know, you… Going to your executive and saying, hey, we might get hacked, you know, we should do something about that is, you know, not going to probably get you very far. But being able to say, hey, on this system we have to, you know, share files with our customers, this vulnerability exists. And there’s a publicly known exploit out there that’s being exploited in the wild. And, you know, we have this many records on that system. Those could be used, exposed. I mean, here’s kind of what binds have been laid out to organizations in a similar situation. So here’s an actual dollar risk that we can put on this. That sort of information will be more likely to drive, you know, actual action.

Speaker 0 | 26:52.487

Risk assessment.

Speaker 1 | 26:53.848

Yeah. And looking at it, you know, when it comes down to, like, say, auditing, there’s two thoughts. There are two parts of this equation. You know, there’s the substantive security. There’s a patch that needs to be applied. There’s a configuration change that needs to be made. But those, you know, you need to fix those to fix the problems. But there’s also the side of those things existed probably because there was a weakness in a process, right? We weren’t adequately, you know, putting a minimum baseline security on that system when it was deployed, or we weren’t adequately maintaining, you know, patches or things in that system once it was deployed. And, you know, just fixing the substantive security issue. If you don’t fix the actual process failure that led to that.

Speaker 0 | 27:38.400

Yeah, it’s like putting a Band-Aid on a paper cut, but paper cuts keep showing up and you don’t know why. And that’s because, I don’t know, there’s your little kid behind you, like, I don’t know, throwing papers at you, whatever. But I guess the point is there’s no checks and balance. There’s no official decision-making process around security.

Speaker 1 | 28:03.626

And, you know, this is something where, depending on the size, sophistication of the organization, and, you know, I’ve done this with very small organizations, so this is not to say you have to be huge. You know, even if you don’t need like a SOX audit, or maybe even better, if you don’t need a SOX audit or a SOC report, because those have, you know, pretty rigid definitions.

Speaker 0 | 28:24.523

Have a policy, something, you know.

Speaker 1 | 28:26.564

Or you could still, I mean, in doing an audit of your security controls is still something that’s worthwhile, so that you have an outside, you know, independent look at, you know, those controls. And you can then take back and say, you know, hey, here’s where we’re getting, you know, death by a thousand paper cuts. And, you know, me as an IT director, I don’t have the authority to change this. But, you know, hey, if we can get the, you know, break down some of the wall, let’s say, between HR and IT and, you know, integrate our processes better. So let’s say, for example, we’re adequately actually terminating users, you know, when they leave or they change, you know, roles. That’s still, you know, a major, you know, area that we see failures in is, you know, let’s say IT not being adequately informed when those sorts of, you know, transitions happen and then they’re not, you know, able to make changes to access levels in a timely manner.

Speaker 0 | 29:24.470

I wish there was a way to do all of this extra work that… is really awesome and saves the business industry from catastrophic failures or problems or lawsuits. And the IT guy still gets some sort of high five or recognition or raise or monetary measurement of value or MBO attached to this. Because I can see someone doing a lot of extra work, really taking pride in making their organization secure and getting little to no recognition for it.

Speaker 1 | 30:07.122

Yeah. And it just comes down to, you know, like they say, if IT is doing things right, it looks like they’re doing nothing at all. Yeah. If your IT team is constantly swamped, they’re either drastically under-resourced or doing things.

Speaker 0 | 30:20.933

We need to find more ways to, I don’t know, demonstrate value monetarily.

Speaker 1 | 30:28.019

Yeah. And, you know, that probably comes back to kind of the next recommendation I was going to make is really understanding, you know, system. criticality and dependencies and your reliance on different business processes and lines of revenue that are being supported by those systems so that you can quantify the value of the systems and the time spent maintaining and protecting those systems to make that sort of business justification.

Speaker 0 | 31:01.394

We’re just going to make that point number three, quantify your value. Quantify your value by time saved, money saved, labor not lost, whatever it is, quantify it and say, hey, look what I did. Put it together in a PowerPoint presentation. If you want to get on Dissecting Popular IT Nerds and talk about it, and then we put it together into a presentation, then you deliver that to the board. I’m happy to help do that. There we go. We just did something. What else do we got? So we’ve got multi-factor authentication, IT risk assessment, quantifying your value. Let’s come up with a couple more.

Speaker 1 | 31:41.264

Um, I would say for those organizations that haven’t done it yet, penetration testing, um, is, is very important because like I mentioned, there’s two sides of this. You can audit your processes and control, and you might find that, you know, maybe your user access review process, your patch management processes, maybe has a design flaw. But those types of audits don’t really substantively say that a system is secure or not. You’re more likely to find out that sort of information from a vulnerability scanning penetration testing type process. And if the organization hasn’t gone through that effort, it’s past time to get that done.

Speaker 0 | 32:22.584

Okay. Penetration testing. I’m sure there’s a lot of jokes that go around with penetration testing.

Speaker 1 | 32:29.028

Yes. There is, there’s a lot of, I mean, the information security world is terrible to come up with names for things.

Speaker 0 | 32:39.198

I’m going to have fun with bullet point number four. I can tell you that right now. Number five, what do we got?

Speaker 1 | 32:46.742

Last and not least, I would say is investing in user training. You know, most people still say, or, you know, it’s widely believed that, you know, the employee, the user is still kind of the weakest link. You’re going to have the strongest. You know, security controls and security technology in place. But if somebody emails something they’re not supposed to to the wrong person, then that’s potentially a breach.

Speaker 0 | 33:09.676

Absolutely. I can guarantee you that there are numerous. I know it on a daily basis. I can think of just general conversations that I’ve had on the phone that are blatant security breaches and giving at least Sarbanes-Oxley violations and giving away of information. I know it goes on every day. I know. I know in the sales world, I know in the vendor world, people call for favors all the time. And I know those favors are blatant breaches of data and sharing and sharing of probably sharing of valuable company data. It happens all the time. We know it does.

Speaker 1 | 33:47.910

Yeah. And, you know, this is really, really important for your finance and accounting because, you know, we’ve seen a lot of, you know, if you’re familiar with the business email compromise, where just, you know, being able to email, you know, an invoice with, you know, a routing number changed or, you know, different things like that to convince those people to, you know, approve and process a fraudulent transaction. You know, there’s still a lot of success in that, a lot of, you know, money being stolen from companies in that manner where, you know, they don’t even necessarily need to gain access or compromise your system. It’s just a matter of tricking a user into doing a transaction for them.

Speaker 0 | 34:33.350

It’s a phone call. I mean, you don’t need to be a sophisticated, you know, hacker, IT person to break into an organization and get valuable information. You really don’t. You just have to be kind of like a shady, tricky individual, I guess, you know, to get on the phone and ask for passwords.

Speaker 1 | 34:52.624

And not even so much that at this point. You know, the dark net, kind of the criminal underworld that participates in a lot of this, I think a lot of people maybe don’t understand this, but there’s a whole criminal marketplace around creating and selling the tools used to do this, you know, monetizing and selling the data. And really at this point, you don’t even necessarily need to really know what you’re doing. If you’ve got some Bitcoin, you can go on there, you can buy a tool, you can hire people to do it. You know, you can kind of, the whole process has been.

Speaker 0 | 35:25.271

We’ve gotten so bad that we’ve gotten to a third party. It’s so bad now that we’re to a third party hackers that outsource their hacking.

Speaker 1 | 35:33.798

I mean, there really is an entire fraud as a service marketplace.

Speaker 0 | 35:37.882

There’s some dude that just comes up with an idea like, what was that movie with, oh gosh. It’s just like, I’ve got this great idea. We’re going to hack into some place and then we’re just going to hire someone else to do it.

Speaker 1 | 35:51.611

And it’s sad, but it really is true. I mean, you can outsource pretty much every step of the process.

Speaker 0 | 35:58.316

Confidentiality notices at the bottom of emails. Are they worth anything or is it a complete waste? The information contained in this communication may be confidential or privileged. If you are not the intended recipient of this communication, any disclosure, copying, distribution, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, destroy this communication immediately.

Speaker 1 | 36:16.164

I mean, there’s, you know, obviously there’s lots of ways that they’re not enforceable, but I’m generally a fan of CYA if at all possible. So I would say that you’re not going to get a ton of value out of having them, but there is some.

Speaker 0 | 36:29.128

Okay. So do it. Yeah. Excellent. This has been very beneficial having you on the show. I really appreciate it. And I would, you know, honestly, the iron spilling over due to someone being hacked, terrible. Now, you know, we know that pacemakers have been probably successfully hacked, whether it’s been done, you know, on purpose or not. I don’t know. What do you got? One last piece of advice for anyone listening to the show out there. other people, other security people listening or people to follow, anyone else in your field that’s very useful that people should be following or listening to? What’s that piece of advice?

Speaker 1 | 37:15.783

Really, I would say when it comes to the cybersecurity world, it’s interesting in that it’s very open. The majority of the profession is very willing to talk about battle scars and best practices and share that much more than you would see from a lot of other business units. So I would say if this is something you’re concerned about or that you deal with to become active in the community. I’m a member of DFW ISC squared, which is a cybersecurity professional organization that administers the Certified Information Systems Security Professional, which gives me an opportunity to network with a lot of other local security professionals and share information. And, you know, especially on LinkedIn, Twitter, there’s more cybersecurity experts and great leaders out there sharing information than I could, you know, list in this. So get out there and, you know, get involved in the community. And if you’re in that position, give back, because, you know, we’re all in this together and, you know, that’s really the only way we’re going to overcome this. Awesome.

Speaker 0 | 38:23.431

Scott, thank you so much. Everyone out there listening to the show, I fail to ask this on numerous shows, please, if you liked the show, if you liked the content, please go to, it’s iTunes Podcasts or Apple Podcasts or whatever, please review us on the show. It definitely helps. It helps us a lot. And for anyone that wants help, penetration testing. If anyone would like to be penetrated, please. I told you we would go there. You can DM me on LinkedIn. I’ll definitely put you in contact with numerous resources that can help that. Definitely could put you in contact with Scott, especially if you need SOC 1, 2, anything like that. So please reach out and the show is full of resources that we are giving away completely for free. Happy to connect people. Scott, thank you so much for being on the show. Have a great, great rest of your day.

Speaker 1 | 39:13.794

Thanks for having me. You too.

82. What is SOC1 & SOC2… Should I Care?

Speaker 0 | 00:09.565

All right, welcome everyone back to Dissecting Popular IT Nerds. Today we have Scott Geye. Am I pronouncing this right, Guy? I do this to myself every show. Guy, is that correct?

Speaker 1 | 00:19.170

It’s Guy.

Speaker 0 | 00:20.070

Guy, I’m an idiot. Well, there we go. First faux pas of the show. Anyways, we have Scott Guy on the show IT Audit Manager at Holtzman Partners. And to be honest with you, I just came from the doctors and my brain, again, is really failing me today. I popped my knee pretty badly in jujitsu. So that’s kind of like the first horror story. It wasn’t too bad. I didn’t end up being like a torn ACL or MCL or any of those things. But I kind of wanted to start this show off with horror stories. And as many horror stories as you can.

Speaker 1 | 00:59.624

come up with now but before we do that i kind of want to just let’s just introduce what you do as a living and kind of what you do every day all day um and let’s just start there so in the world of public accounting and it audit um there’s really two parts that um make up the majority of what i’m involved with um one of it’s all primarily around auditing it systems um controls and access and things like that. So that’s normally driven by two main factors, one being controls over financial reporting. So let’s say if you’re a public company, or perhaps in some cases, private equity-backed companies or companies that have backing from commercial lenders are sometimes required to go through kind of like a financial statement audit. And part of that is looking at… the internal controls over the systems that underlie that financial reporting. So let’s say, as an example, if you outsource your payroll process, payroll is pretty much always a financially significant account in most companies. So if you use an outsourced payroll provider, if you’re getting a financial statement audit from that, then you’re going to need to demonstrate that there’s adequate controls over the systems that underlie it. An example of payroll providers, you know, they’re processing important account transactions or creating a file suite for that.

Speaker 0 | 02:30.845

W-2s, things like this, what people get paid, massive amounts of data, massive amounts of data on individual employees and kind of, you know, some stuff that might be a little bit sensitive.

Speaker 1 | 02:44.434

Yeah, or, you know, tax rates in different companies. So, you know, if you’re not managing that internally, then those organizations need to be able to. need to be able to provide what’s called a SOC 1, a system organization control report, covering their internal controls over that process that you as their customer are kind of relying on so that your financial auditors can get comfortable with the controls around that for them to rely on.

Speaker 0 | 03:11.068

Now, for people out there that are familiar with SOC 1, SOC 2, Sarbanes-Oxley, I’m various different reports that they need to get or audits on making sure that they’re checking all the boxes. Let’s see, you know, there’s some other fields that have other types of, I don’t know what, what we would call this audits, maybe a HIPAA guideline, audit, audit, maybe a, what’s wrong with me? Credit cards again. PCI, thank you. Brain failing for the third time today. PCI compliance from, for people that don’t need to get these reports. that aren’t forced by law or severe problems could arise if they don’t do this reporting. What can you offer out there, just real quick, as a benefit for people that don’t have to get this stuff done? Like, what kind of things are you finding that are like, again, let’s maybe just jump into like a horror story or like, what’s the kind of what’s some of the worst things that could happen to people that don’t aren’t, you know, don’t have to follow these compliances and should they?

Speaker 1 | 04:16.672

I mean, you know, in the course of different assessments that I’ve done, we’ve come across, you know, a variety of, you know, pretty bad things, whether it be, you know, basic things on more of an HR side where an organization wasn’t adequately, you know, handling their termination of employees and their benefits and insurance and, you know, payroll systems and ended up paying, you know, millions of dollars to people that didn’t even work for them and having to go back and restate financials as a public company. You know, that’s a pretty serious, you know, thing to happen that can really infect, you know, investor outlook on the company and, you know, really reflects poorly. I’ve seen assessments where, you know, large… service providers that you would expect to be fairly proficient at these things have failed to. The worst case scenario, I saw an organization put up a JBoss server with default credentials exposed to the internet that was definitely accessed by someone not authorized by the company.

Speaker 0 | 05:20.849

And when you say service provider.

Speaker 1 | 05:23.826

It was a software as a service provider, so you can’t get into exactly what they were doing.

Speaker 0 | 05:28.929

No, no, no. It’s all good. I’m just wondering what kind of service provider. I’m assuming there’s a lot of kind of bootstraps or startups or people that grow really fast that miss on a ton of stuff.

Speaker 1 | 05:38.496

And this was a very large scale, large service provider with very large customers. And it was well established. But they had someone access their JBoss server that they had thrown up. And. Ultimately, we found that in the course of the audit. They were unaware of it. And I don’t have full details into what ultimately happened, but I’m pretty sure they didn’t actually investigate that, which is alarming.

Speaker 0 | 06:08.177

Now, how do you think something like that happens? Is it just, we’re just on everyday business? We’re just running, you know, business as usual, like keep running, you know? you know, run into whatever the next number is and not too concerned about security because nothing’s happened yet? Or is there just a general oversight or, you know, what are we doing here? Maybe we can sell security a little bit for all those people that are having a hard time getting the,

Speaker 1 | 06:31.870

I don’t know,

Speaker 0 | 06:33.091

the budget approved.

Speaker 1 | 06:35.032

In that specific organization, they didn’t have someone, you know, to have ownership over security. So seven or eight years ago, it was a little bigger than the game right now. But they didn’t have a security officer. They didn’t have a security department. They didn’t have. anybody really monitoring, you know, security alarms. It’s a security minded individual. So there were lots of things that were wrong there. And then ultimately when it came to, you know, conducting a forensic examination, there’s obviously lots of politics behind wanting to do that, you know, not having cyber liability insurance to cover those sorts of things, maybe, or, you know, not having qualified people internally to perform that investigation on their own. ultimately played into that failure there.

Speaker 0 | 07:21.336

So it was kind of prior to the biggest big financial hacks and history and stuff. It kind of was just back in the day more where some of the stuff, the oversight might have been a little bit easier. How do you feel the environment is nowadays?

Speaker 1 | 07:36.964

It’s still pretty much a very mixed bag. Even on the service provider side, I would say some of the more established software and service providers, they’re kind of… really relying on old code and, you know, having to maintain kind of a legacy architecture, more challenged, whereas some of the more nimble startups are really able to leverage, you know, some of the new stuff we’re seeing with, you know, continuous integration, continuous deployment, containerization, and things that I think allow them to be a little more sophisticated in their approach to security and monitoring their environments.

Speaker 0 | 08:16.741

Gotcha.

Speaker 1 | 08:17.862

uh so horror stories worst ones you can think of other ones that i can think of the things that they kind of are scary i think the first one a lot of people are familiar with is uh like the stuxnet virus um in which uh you know it’s assumed the uh u.s intelligence and israeli intelligence agencies sabotaged one of iranians the iranian nuclear facility um And that was really one of the first real hacks where, you know, a hack had impact on the physical world. And we’ve seen, you know, some subsequent things like that. In 2014, I believe, there was a German spill mill that was attacked. And some of the details haven’t been specifically disclosed due to the improper kind of shutdown of things. A blast furnace was severely damaged. You know, so we saw… real physical damage to a plant due to a cyber attack.

Speaker 0 | 09:20.932

And that was like iron, what was that, like molten iron or something like that spilling over?

Speaker 1 | 09:25.914

They aren’t real specific on what the actual damage was. Obviously, there’s a lot of concern with the details of those sorts of attacks. But it was significant physical damage and it was related to a blast furnace. So you would kind of assume that’s kind of part of it.

Speaker 0 | 09:41.522

But it led me to start going down the road of thinking of the type of things that could happen where you’ve got assembly lines and maybe things that are kind of automated, pouring poisons or molten iron or something like that. And someone just packs in and changes. We’re not going to pour for one minute. We’re going to pour for 30 minutes and just overpour things or something crazy like that. Am I too out there? Am I thinking too out there?

Speaker 1 | 10:06.553

No, no. That’s exactly right. I mean, do you think about all of the systems out there that have industrial control systems, SCADA networks, you know, controlling things like valves, pressure, and, you know, and specifically the Stuxnet instance, you know, that even created false information to report back to the monitoring utilities, you know, so that they couldn’t actually see the negative effects as they were happening is, you know, so it’s not just affecting those things it’s you know they can hide um the fact that it’s even happening through you know reporting back through the monitoring utilities um and we’ve seen you know another instance of this um in ukraine um in late 2015 i believe where um the power grid you know utility provider was was taken over and they started shutting down circuit breakers in the power grid and you know a lot of this has been reserved more to like um state actor you know, intelligence agency type organizations that are highly sophisticated and have the time and budgets to plan and design these sorts of attacks. But, you know, criminal elements are, you know, making tons of money off ransomware and those sorts of things. So the financial incentive is there for them to, you know, continue to develop more sophisticated attacks. And this is certainly an area that, you know, kind of draws a lot of concern, I think, and keeps people up at night that have to deal with these sorts of things. of issues. Now,

Speaker 0 | 11:39.186

one of the things that I get a lot of, I don’t know if I want to call it complaints. If I asked someone what their biggest struggle, concern, battle is kind of internally or in their IT role or technology role, it’s a lack of resources and not investing enough in some of the things that maybe larger companies have the ability or are forced to invest in, that you then go in and do full audits on. Is there, why do you think that is? Is it just a general old school mentality of it’s not going to happen to me?

Speaker 1 | 12:23.046

That certainly does exist. Organizations that, you know, don’t, a lot of times it’s either, a lot of times executives I feel like. maybe don’t adequately understand the risk. And maybe it’s because they don’t have the people around them to really explain that to them.

Speaker 0 | 12:40.744

Let’s explain it. Let’s just explain it right now. Let’s skip right ahead and let’s give IT people out there the best bullet points and the best firepower we can give them to explain, a.k.a. sell to upper management. sell to upper management the reasons as to why we should be investing more in security?

Speaker 1 | 13:06.714

I think the most, the easiest route there really comes to if you have any sort of regulated data, you know, right, credit card numbers, protected health information, that sort of thing where you’ve got, you know, a legal obligation to do certain things.

Speaker 0 | 13:24.348

So first of all, we’re not following the law or we’re not, you know, we could get fined for this. Yeah, especially argument number one.

Speaker 1 | 13:31.530

And let’s say specifically in HIPAA, you know, there’s, while it’s not really, you know, heavily enforced, there is, you know, some negligent terms in there, whereas the executive, if they’re willfully ignoring some of the risks, then they have personal liability for it. That doesn’t exist in all sorts of situations. But, you know, we’re seeing a trend in that direction if you look into some of the court cases where, you know, at the executive level, ignoring. you know, certain warnings and risks and alerts.

Speaker 0 | 14:03.759

I love it. This is like the ultimate fear. This is like real, you know, salespeople always get a bad rap for what is it called? Fear something. And I can’t remember it, but whatever those, whatever those psychological terms are used to like to, you know, convince people, but there’s some good fear factors. Okay. Negligence, personal liability. I mean, Hey, this company might not get sued. You might get sued.

Speaker 1 | 14:26.709

And you know, a big example of this, um,

Speaker 0 | 14:29.190

Fear, uncertainty, desire. Sorry, FUD. Fear, uncertainty, desire. Okay. That’s not what we’re doing here. That’s not what we’re doing. We’re giving actual, we’re using real facts and figures, but keep on, go on.

Speaker 1 | 14:41.673

And one big example of this, you know, people think, people don’t really think about the FEC or the FTC, the Federal Trade Commission, as being, you know, a big player in this, but they’re really kind of like an 800 pound gorilla. The big example of this is WebMD. And I can’t remember the specifics of how this breach happened because it was years and years ago. they were basically heavily pursued by the FTC, by regulatory actions. And the company has been long non-existent. This destroyed the company. Or its lab, I’m sorry. And even after the company was dead, the FTC was still pursuing regulatory actions. So there is instances where failing to do this can destroy the business. Now, if you don’t have those sort of… you know, regulatory legal obligations to do certain things, then it’s much more of looking at, say, you know, what we’re seeing in trends in like insurance claims and what we’re seeing in as far as business loss and business interruption due to lack ransomware. And a big one that we’re seeing right now on the ransomware side, tying back to, you know, organizations not really having the resources, a big place this hits is in municipal governments, you know, school districts, city governments. And, you know, a lot of getting the budgets and things isn’t necessarily that, you know, the people in charge understand it or anything like that, but just the political process of getting funding.

Speaker 0 | 16:16.699

It’s crazy. A lot of times it’s a shared kind of almost like a shared budget. They kind of they all kind of vote and divide things up and it might not be the best way to make decisions on security.

Speaker 1 | 16:28.986

Yeah. And that presents a unique challenge. You know, I’ve audited a number of school districts, you know, city and county governments. And that is a huge challenge on their side. They’re very strapped for budgets and they have very complicated networks with specifically school districts. You’ve got all kinds of smart whiteboards and all kinds of odd technology that’s not generally part of most people’s jobs.

Speaker 0 | 16:55.850

And without making this political, someone should probably go lobby the government for some grant money or something like that for this.

Speaker 1 | 17:01.114

Yeah, I mean, there is some of that out there. But. Probably not enough.

Speaker 0 | 17:07.587

Yeah. Okay. So business, uh, we’ve got, um, uh, regulated data, uh, negligence, personal, personal liability, uh, FTC, uh, general business interruption, uh, through, through ransomware. What, as far as ransomware goes, do we have any numbers on that? Do you have any statistics on that?

Speaker 1 | 17:32.865

Um, I mean, uh, Oh,

Speaker 0 | 17:35.626

here’s a good question. How many people that have experienced a ransomware attack are completely put out of business? Any clue?

Speaker 1 | 17:43.612

I couldn’t tell you off the top of my head. I mean, most people are generally able to recover because really ransomware comes down to having, you know, adequate backups and most organizations, you know, they might lose revenue, they might have downtime, but most organizations have at least decent enough backups that they can recover. and not be destroyed as a business. But there are certainly some that don’t and go completely unfairly. It does happen.

Speaker 0 | 18:13.068

Since the last time we talked, my sister’s hospital had a ransomware attack, shut down Epic for three days. That must have been fun for that IT manager.

Speaker 1 | 18:23.931

Yeah, healthcare is another place where we see a lot of problems with ransomware. A lot of it comes down to… especially in the healthcare providers versus health IT. The lack of resources, in my personal experience, this is my personal opinion, in a lot of the healthcare provider organizations that I’ve worked with, or they’ve got a lot of doctors and things overseeing business operations. I’ve not entirely been impressed with some of their risk-based decision-making around IT. Uh, healthcare also has a unique challenge because kind of like healthcare, they’ve got a lot of weird types of technology, you know, um, that, that are, you know, uh, existing in a lot of other organizations and they’ve got, you know, say different sorts of certification processes involved in those systems that make it difficult to patch things in a timely manner.

Speaker 0 | 19:21.468

Um, yeah, very difficult. I think you, I’m la I laughed because you made me think of my family because everyone in my family is with the exception of a few of us. are doctors, MDs, surgeons, anesthesiologists. They work in healthcare of some way. So when you said doctors overseeing business operations, not making the best decisions, it made me think of my father. So it’s just, it’s really funny. I can see that and I can see the mentality and I can see the way decisions are made, especially in large practices or large private practices where you might have a group of doctors and it’s almost impossible to get all of the smartest people in the room into one room. So how do you get, you know, five people that are all the smartest people in the room to make a decision that would be, you know. cost money, right? And so there’s some stereotypes about doctors I’m allowed to throw around because I come from a family of them. So that’s great. Let me ask you a real blunt and honest question. How exciting is your job or what do you do to make your job exciting?

Speaker 1 | 20:30.336

You know, the day-to-day work of auditing is probably pretty dull. You’re looking at access listings, you know, different types of reports. spreadsheets, screenshots. And the thing that I enjoy is interacting with a client, getting, you know, especially when you’re dealing with a new client, you’ve got to, you know, get in and understand their organization, you know, their environment, their risks. Whenever you can, you know, be more of a collaborative advisor and, you know, actually, you know, help them kind of sort through their problems as they deal with this. That’s the more interesting part of it to me. Um, also kind of, you know, the opportunities to do things like this and, you know, present at certain events and, you know, get a little more involvement in the professional communities and, you know, organizations that, um, are kind of pushed when you’re more of a consulting sort of thing.

Speaker 0 | 21:26.035

As maybe like a short punch list for IT directors out there. And when I say IT directors, I would say the majority of the people that listen to the show, um, are in a IT leadership position of some sort. with anywhere from maybe 200 to 2000 end users with a team of people and a ratio of it director to end user or it staff to end user of like one to a hundred right so you’re like that professor in a large hall trying to get as much done as you can possibly get done what would be maybe five bullet points and it doesn’t even need to be five if it’s three fine the top three whatever it is but what are like five things that they could do that they might not be doing that would be eye-opening for them or eye-opening for executive management. You know, I think we did really good with the, you know, regulated data, negligence, personal liability, FTC, you know, business interruption. What would that cost us if that ever happened? But what are five things that they could look at or measure or do to help improve their organization, especially considering they might not have any reason to go get SOC, be SOC compliant or anything like that?

Speaker 1 | 22:36.618

And the biggest thing, if you, and I always tell me, if you haven’t done it yet, I mean, multi-factor authentication is just huge. That’s one of the biggest, easiest things you can do to make it more difficult to, I mean, stolen passwords. I mean, if you’re still…

Speaker 0 | 22:52.989

Let me ask you honestly, how many people don’t do it? How often do you see it?

Speaker 1 | 22:58.873

It’s much less now, you know, particularly since I’m very focused much more on service providers, they tend to be a little more sophisticated. So most of them, we at least see two-factor authentication for, say, production environments.

Speaker 0 | 23:11.015

Isn’t that kind of like a general, like, shouldn’t everybody be doing that? Even consumers?

Speaker 1 | 23:20.318

Honestly, your banking provider should be doing it. I mean, they do for certain types of customers and some providers do it. But it definitely needs to be more thoroughly distributed. And it still does have its… risk. I mean, you still can do, you know, phishing of, you know, two-factor authentication in certain cases. So it’s not a silver bullet, but it’s one of the easiest, most impactful things that you can do if you haven’t done it already.

Speaker 0 | 23:49.192

And just describe multi-factor authentication in simplicity for anyone that, I don’t know, there might be a CEO listening. There might be a non-IT nerd out there listening. You never know.

Speaker 1 | 23:58.778

So, you know, authentication can be based on something you know, like a password, something you are, like a fingerprint or an iris scan, or something you have, which would be like a token. So when we say two-factor authentication, it’s usually you log in, your username, your password, and then there’s a second authentication factor required. Typically, we see that through like a push notification to your phone, or there’s a code that you have to enter. It could be a physical key that has to be plugged in.

Speaker 0 | 24:34.591

Cell phone, send you an email, something like that.

Speaker 1 | 24:37.133

Something along those lines.

Speaker 0 | 24:37.894

Text message, yeah.

Speaker 1 | 24:39.375

Or just because, you know, your password has been stolen from some website and you’ll reuse that somewhere else. Just because someone knows that password, that’s not enough to log in. They need that other factor that they don’t have access to. And that can, you know, rapidly kill, you know, a way that, you know, is widely still used to get into an organization.

Speaker 0 | 25:00.329

Okay. Multi-factor authentication, number one. Next one.

Speaker 1 | 25:05.526

You know, and… I would say, you know, especially from the IT director’s level, if you haven’t actually done a thorough IT risk assessment and included the business units in that process, because I can’t tell you how many times I’ve been in an organization where once we pull together, like, say, customer contracts, I see things where, you know, IT is completely unaware of things that the organization is committed to doing in a contract as far as security. And they aren’t doing it because no one ever told them that they needed to be doing it.

Speaker 0 | 25:41.240

So basically, shadow IT decisions that were made that might not be totally shadow handed down to IT, but without full transparency.

Speaker 1 | 25:51.648

Yeah. So understanding the commitments that have been made, where and what types of data have to be stored. And actually articulating the risk that’s associated with that when it comes back to communicating. You know, going to your executive and saying, hey, we might get hacked, you know, we should do something about that is, you know, not going to probably get you very far. But being able to say, hey, on this system we have to, you know, share files with our customers, this vulnerability exists. And there’s a publicly known exploit out there that’s being exploited in the wild. And, you know, we have this many records on that system. Those could be exposed. I mean, here’s kind of what fines have been laid out to organizations in a similar situation. So here’s an actual dollar risk that we can put on this. That sort of information will be more likely to drive, you know, actual action.

Speaker 0 | 26:52.487

Risk assessment.

Speaker 1 | 26:53.848

Yeah. And looking at it, you know, when it comes down to, say, auditing, there are two thoughts. There are two parts of this equation. You know, there’s the substantive security. There’s a patch that needs to be applied. There’s a configuration change that needs to be made. You need to fix those to fix the problems. But there’s also the side of: those things existed probably because there was a weakness in a process, right? We weren’t adequately, you know, putting a minimum baseline security on that system when it was deployed, or we weren’t adequately maintaining, you know, patches or things in that system once it was deployed. And, you know, just fixing the substantive security issue… if you don’t fix the actual process failure that led to that.

Speaker 0 | 27:38.400

Yeah, it’s like putting a Band-Aid on a paper cut, but paper cuts keep showing up and you don’t know why. And that’s because, I don’t know, there’s your little kid behind you, like, I don’t know, throwing papers at you, whatever. But I guess the point is there are no checks and balances. There’s no official decision-making process around security.

Speaker 1 | 28:03.626

And, you know, this is something where, depending on the size, sophistication of the organization, and, you know, I’ve done this with very small organizations, so this is not to say you have to be huge. You know, even if you don’t need like a SOX audit, or maybe even better, if you don’t need a SOX audit or a SOC report, because those have, you know, pretty rigid definitions.

Speaker 0 | 28:24.523

Have a policy, something, you know.

Speaker 1 | 28:26.564

Or you could still, I mean, doing an audit of your security controls is still something that’s worthwhile, so that you have an outside, you know, independent look at, you know, those controls. And you can then take that back and say, you know, hey, here’s where we’re getting, you know, death by a thousand paper cuts. And, you know, me as an IT director, I don’t have the authority to change this. But, you know, hey, if we can, you know, break down some of the wall, let’s say, between HR and IT and, you know, integrate our processes better. So let’s say, for example, we’re actually adequately terminating users, you know, when they leave or they change, you know, roles. That’s still, you know, a major, you know, area that we see failures in, you know, let’s say IT not being adequately informed when those sorts of, you know, transitions happen and then they’re not, you know, able to make changes to access levels in a timely manner.

Speaker 0 | 29:24.470

I wish there was a way to do all of this extra work that is really awesome and saves the business industry from catastrophic failures or problems or lawsuits, and the IT guy still gets some sort of high five or recognition or raise or monetary measurement of value or MBO attached to this. Because I can see someone doing a lot of extra work, really taking pride in making their organization secure and getting little to no recognition for it.

Speaker 1 | 30:07.122

Yeah. And it just comes down to, you know, like they say, if IT is doing things right, it looks like they’re doing nothing at all. Yeah. If your IT team is constantly swamped, they’re either drastically under-resourced or doing things.

Speaker 0 | 30:20.933

We need to find more ways to, I don’t know, demonstrate value monetarily.

Speaker 1 | 30:28.019

Yeah. And, you know, that probably comes back to kind of the next recommendation I was going to make, which is really understanding, you know, system criticality and dependencies and your reliance on different business processes and lines of revenue that are being supported by those systems, so that you can quantify the value of the systems and the time spent maintaining and protecting those systems to make that sort of business justification.

Speaker 0 | 31:01.394

We’re just going to make that point number three, quantify your value. Quantify your value by time saved, money saved, labor not lost, whatever it is, quantify it and say, hey, look what I did. Put it together in a PowerPoint presentation. If you want to get on Dissecting Popular IT Nerds and talk about it, and then we put it together into a presentation, then you deliver that to the board. I’m happy to help do that. There we go. We just did something. What else do we got? So we’ve got multi-factor authentication, uh, IT risk assessment, uh, quantifying your value. Uh, let’s come up with a couple more.

Speaker 1 | 31:41.264

Um, I would say for those organizations that haven’t done it yet, penetration testing, um, is very important because, like I mentioned, there are two sides of this. You can audit your processes and controls, and you might find that, you know, maybe your user access review process, your patch management processes, maybe have a design flaw. But those types of audits don’t really substantively say that a system is secure or not. You’re more likely to find out that sort of information from a vulnerability scanning, penetration testing type process. And if the organization hasn’t gone through that effort, it’s past time to get that done.

Speaker 0 | 32:22.584

Okay. Penetration testing. I’m sure there’s a lot of jokes that go around with penetration testing.

Speaker 1 | 32:29.028

Yes. There is, there’s a lot of, I mean, the information security world is terrible at coming up with names for things.

Speaker 0 | 32:39.198

I’m going to have fun with bullet point number four. I can tell you that right now. Number five, what do we got?

Speaker 1 | 32:46.742

Last and not least, I would say is investing in user training. You know, most people still say, or, you know, it’s widely believed that, you know, the employee, the user is still kind of the weakest link. You’re going to have the strongest, you know, security controls and security technology in place. But if somebody emails something they’re not supposed to, to the wrong person, then that’s potentially a breach.

Speaker 0 | 33:09.676

Absolutely. I can guarantee you that there are numerous. I know it on a daily basis. I can think of just general conversations that I’ve had on the phone that are blatant security breaches and giving at least Sarbanes-Oxley violations and giving away of information. I know it goes on every day. I know. I know in the sales world, I know in the vendor world, people call for favors all the time. And I know those favors are blatant breaches of data and sharing, probably sharing of valuable company data. It happens all the time. We know it does.

Speaker 1 | 33:47.910

Yeah. And, you know, this is really, really important for your finance and accounting because, you know, we’ve seen a lot of, you know, if you’re familiar with business email compromise, where just, you know, being able to email, you know, an invoice with, you know, a routing number changed or, you know, different things like that to convince those people to, you know, approve and process a fraudulent transaction. You know, there’s still a lot of success in that, a lot of, you know, money being stolen from companies in that manner where, you know, they don’t even necessarily need to gain access or compromise your system. It’s just a matter of tricking a user into doing a transaction for them.

Speaker 0 | 34:33.350

It’s a phone call. I mean, you don’t need to be a sophisticated, you know, hacker, IT person to break into an organization and get valuable information. You really don’t. You just have to be kind of like a shady, tricky individual, I guess, you know, to get on the phone and ask for passwords.

Speaker 1 | 34:52.624

And not even so much that at this point. You know, the dark net, kind of the criminal underworld that participates in a lot of this, I think a lot of people maybe don’t understand this, but there’s a whole criminal marketplace around creating and selling the tools used to do this, you know, monetizing and selling the data. And really at this point, you don’t even necessarily need to really know what you’re doing. If you’ve got some Bitcoin, you can go on there, you can buy a tool, you can hire people to do it. You know, you can kind of, the whole process has been…

Speaker 0 | 35:25.271

We’ve gotten so bad that we’ve gotten to a third party. It’s so bad now that we’re to a third party hackers that outsource their hacking.

Speaker 1 | 35:33.798

I mean, there really is an entire fraud as a service marketplace.

Speaker 0 | 35:37.882

There’s some dude that just comes up with an idea like, what was that movie with, oh gosh. It’s just like, I’ve got this great idea. We’re going to hack into some place and then we’re just going to hire someone else to do it.

Speaker 1 | 35:51.611

And it’s sad, but it really is true. I mean, you can outsource pretty much every step of the process.

Speaker 0 | 35:58.316

Confidentiality notices at the bottom of emails. Are they worth anything or is it a complete waste? The information contained in this communication may be confidential or privileged. If you are not the intended recipient of this communication, any disclosure, copying, distribution, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, destroy this communication immediately.

Speaker 1 | 36:16.164

I mean, there’s, you know, obviously there’s lots of ways that they’re not enforceable, but I’m generally a fan of CYA if at all possible. So I would say that you’re not going to get a ton of value out of having them, but there is some.

Speaker 0 | 36:29.128

Okay. So do it. Yeah. Excellent. This has been very beneficial having you on the show. I really appreciate it. And I would, you know, honestly, the iron spilling over due to someone being hacked, terrible. Now, you know, we know that pacemakers have been probably successfully hacked, whether it’s been done, you know, on purpose or not. I don’t know. What do you got? One last piece of advice for anyone listening to the show out there, other people, other security people listening or people to follow, anyone else in your field that’s very useful that people should be following or listening to? What’s that piece of advice?

Speaker 1 | 37:15.783

Really, I would say when it comes to the cybersecurity world, it’s interesting in that it’s very open. The majority of the profession is very willing to talk about battle scars and best practices and share that much more than you would see from a lot of other business units. So I would say if this is something you’re concerned about or that you deal with, become active in the community. I’m a member of DFW (ISC)², which is a cybersecurity professional organization that administers the Certified Information Systems Security Professional, which gives me an opportunity to network with a lot of other local security professionals and share information. And, you know, especially on LinkedIn, Twitter, there are more cybersecurity experts and great leaders out there sharing information than I could, you know, list in this. So get out there and, you know, get involved in the community. And if you’re in that position, give back, because, you know, we’re all in this together and, you know, that’s really the only way we’re going to overcome this. Awesome.

Speaker 0 | 38:23.431

Scott, thank you so much. Everyone out there listening to the show. I fail to ask this on numerous shows, please. If you liked the show, if you liked the content, please go to iTunes Podcasts or Apple Podcasts or whatever. Please review us on the show. It definitely helps. It helps us a lot. And for anyone that wants help, penetration testing. If anyone would like to be penetrated, please. I told you we would go there. You can DM me on LinkedIn. I’ll definitely put you in contact with numerous resources that can help with that. Definitely could put you in contact with Scott, especially if you need SOC 1, 2, anything like that. So please reach out, and the show is full of resources that we are giving away completely for free. Happy to connect people. Scott, thank you so much for being on the show. Have a great, great rest of your day.

Speaker 1 | 39:13.794

Thanks for having me. You too.

HOSTED BY PHIL HOWARD

Dissecting Popular IT Nerds Podcast
