Mishaal Khan, Best-selling Author of The Phantom CISO, Founder of Operation Privacy, and vCISO at Mindsight, joins David Mauro to discuss: how to keep your digital footprint safe, how to improve your digital hygiene, and how everyone is responsible for cyber security.

https://www.phantomciso.com/

https://www.operationprivacy.com/

Send us a text

Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com

Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466.

A word from our Sponsor-Kiteworks. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started.

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

Listen on

Apple Podcasts Spotify Amazon Music Podcast Index Overcast YouTube +

Share Episode

Share on Facebook Share on Twitter Share on LinkedIn

https://www.phantomciso.com/

https://www.operationprivacy.com/

Send us a text

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466.

Video Episode: https://youtu.be/nDz7t0wv968

Audio (available everywhere there are podcasts): https://www.buzzsprout.com/2014652/15311196

https://www.phantomciso.com/

https://www.operationprivacy.com/

How Everyone Is Responsible For Cyber Security

Sound Bites

"Open source intelligence (OSINT) is digging deeper into information gathering and getting data, primarily online data."

"Geospatial intelligence (GeoINT) involves identifying the location of an image or video without relying on metadata."

"Give a false name. No one's checking your name. No one knocks on your door and says I need your ID before I give you this package."

"Out of office messages... people are disclosing way too much there."

Chapters

00:00 Introduction and Background

03:01 Exploring Open Source Intelligence (OSINT)

09:29 The Subfields of OSINT: GeoINT and SOCMINT

16:20 The Impact of Data Brokers on Privacy

23:06 Taking Control of Privacy with Operation Privacy

28:10 Enhancing Privacy and Security with Unique Passwords

35:19 The Threat of Social Engineering and Deepfakes

46:40 The Role of a Field CISO in Implementing Security Initiatives

49:08 The Phantom CISO: Empowering Security Leaders

TAGS: how everyone is responsible for cyber security, Mishaal Khan, Cyber crime junkies, how to keep your digital footprint safe, how to improve your digital hygiene, New DEEPFAKE DANGERS You Never Knew About, how everyone is responsible for online privacy, OSINT, social media intelligence examples, open source intelligence techniques, new ways to reduce your digital footprint, top ways to reduce your digital footprint, how to see your digital footprint, how everyone is in charge of cyber security, importance of deleting personal information from the internet, how to remove personal information from internet, how to remove all your personal information from the internet, how to protect your digital footprint, how to delete personal information from the internet, how to restrict personal information online, how to restrict personal information online, new approach to cyber security awareness training, the importance of open source intelligence explained, importance of open source intelligence explained, open source intelligence explained, how to restrict personal information on social media, dangers of sharing personal information online, dangers of sharing personal information on social media, geospatial intelligence (GeoINT) and social media intelligence (SOCMINT), open source intelligence (OSINT) and the importance of privacy cybersecurity, privacy, open source intelligence, OSINT, geospatial intelligence, GeoINT, social media intelligence, SOCMINT, data brokers, Operation Privacy, privacy, social engineering, deepfakes, CISO, digital hygiene, field CISO

D. Mauro (00:02.67)

Welcome everybody to Cyber Crime Junkies. I am your host, David Moro. And in the studio today, I am joined by a well -known expert in cybersecurity and privacy. I'm honored to have him on. Michel Kahn, sir, welcome to the studio.

Mishaal Khan (00:22.626)

Hey David, how's it going?

D. Mauro (00:24.078)

Good, very good. So he is the VC. So at Mindsight, as well as a bestselling author of a book that I have right up there. it's actually off camera, but I will expand out later. The Phantom See, so that we're going to talk about today, as well as some other key trending topics in cybersecurity. Fantastic book, by the way. And congratulations on the release. Yeah, so.

Mishaal Khan (00:50.082)

Thank you.

D. Mauro (00:52.974)

Tell us a little bit, you know, what I love is your brilliance in OSINT and the way that you've approached it, your approach to operation privacy and your expertise dating back a long time in social engineering and being certified through Chris Hannegy's group. Very, very...

just like layers and layers and layers of expertise. So what can you share with us about what drove you into being so passionate about this?

Mishaal Khan (01:35.746)

Well, I was always curious about technology, how things work from a very young age. I think my curiosity initially sparked when I was in middle school and my dad had all these new computers around. He worked in a computer store repairing computers and stuff. So I had all these random parts of motherboards, hard drives, monitors. So I used to put things together like the old

not even Pentiums before that, like the 486s and the 386s. So I used to work on those. So I had a very good foundation on how things work, how to put things together, and then the software that goes on top of that, and then the initial games that were there, that were easy to crack and, you know, change a little bit of their code in a text file and you could skip a level. All those things fascinated me how this...

D. Mauro (02:08.366)

Yeah.

Mishaal Khan (02:31.042)

new age internet was coming together and how websites were so easily bypassed and HTML code and all that stuff. So that was the start of things even before I entered like high school and then university. And then things just suddenly became easier because I was surrounded by technology, so to speak. And then the curiosity of cyber side of things which didn't really exist back then. There was no field of cybersecurity. There's only either software or hardware.

you know, engineering. And then those are the paths that I took. And OSINT was always a passion of mine since the start, digging deeper into information. How can I get something, you know, behind this website or behind whatever, you know, an image, what does it contain, the metadata and all those things. Curiosity sparked my interest and that's the direction I took. And over the years, as you've mentioned, I dabbled into OSINT and then

a lot of it into the tech side of things, cybersecurity. And then I'm like, all right, how can I reach humans? And that led me into social engineering. And then to wrap all of those things up, I'm like, huh, if I could do this to others, what about myself? So privacy then became a very important thing towards the end. So all these things tied together.

D. Mauro (03:53.07)

Very natural progression actually when you say it that way to me, it sounds very natural because as you dive into how the hardware and software works and then the layers and how easily penetrable it is, and then you wanna, as you're digging and you're investigating, right, it seems like human curiosity. And then when you're able to do that to people and to systems, you naturally start to...

raise an awareness that, well, people can do that to me. So I need to help people remain private, because it's a delicate balance, isn't it? Well, you know, here we are, especially in the United States, we curate our lives on social media, but we want to do it safely. Right. And many people are unintentionally giving away too much information. So for the people that are listening that aren't

technical or in the cybersecurity space because we do have those. You know, what is OSINT? I hate to ask you that, but could you just explain kind of generally what does it's OSINT? It means like open source intelligence. What does it mean?

Mishaal Khan (05:07.042)

it in short, it's basically digging deeper into information gathering and getting data, primarily online data, there's an off offline aspect to it too. But digging deeper into a person's background, they're, you know, getting into a phone number, you start with one piece of information, and then you pivot off of it to others. And then eventually, you build a large repository of data behind a person. And then that data leads into

intelligence. So data gathering like phone number, from the phone number, I can get an email address, because it's probably tied online somewhere. And then from that, I can get to a social media profile from one social media profile, I can jump on to another one, because they're linked maybe in some way online, through a name or through a friend. And maybe from there, I can jump into right. Yeah. Right. And that's the beauty of it, because every

D. Mauro (05:57.902)

or through link tree. Like some people just put one link up there and they have everything right there. Yeah.

Mishaal Khan (06:05.41)

Target quote unquote is unique and they pose a unique set of challenges on how I investigate. And you know, these, I call them targets, but they could be, you know, perpetrators, they could be bad guys, or they could be, you know, someone good. They could be myself. I want to research on myself on what is my footprint online look like. So all of that data collection and gathering and connecting the dots together is collectively called OSINT and open.

D. Mauro (06:08.59)

Right.

Mishaal Khan (06:33.762)

in the open source intelligence primarily means it's open to the public, anyone can access it. I don't need law enforcement, I don't need the FBI to, you know, issue subpoenas, right? Right? Or a search warrant or anything. So anyone can dig through it if they know where to find it. For example, I can get you know, your speeding ticket violations because in most states that is open data.

D. Mauro (06:42.51)

Right, you don't need a subpoena. You don't need a court order, right? Exactly.

D. Mauro (06:54.894)

Let's not talk about those. I'm sure you looked me up. So let's not, I got a lot out there. So let's not go into those. Let's leave that alone. Yeah, that's right. Doesn't matter. Yeah.

Mishaal Khan (07:04.354)

A lot of government records, your voting records are online and in most cases they're public. And that data on its own may not be significant, but collecting a lot of pieces together tells a story that who do you vote for? Which state do you live in? What does your social security number look like? Because it's out there for everyone at this point. What does your breached data look like? What type of passwords did you use in the past? Maybe today you're...

D. Mauro (07:31.821)

Right.

Mishaal Khan (07:32.674)

using a password manager and multi -factor authentication and all that good stuff. But I don't care about those things. I'm not hacking you with this information. I'm trying to know more about you, your inner self, based on all these scattered pieces of data that's out there. So it could be metadata, it could be actual data, but when I put everything together, I get a bigger picture of the person about my target. And now that's intelligence. Now based on that intelligence, a company could make better decisions.

We could catch criminals based on their online habits, even from the way they write stuff, the spelling mistakes they make, or the friends or the things they like in their interests shows a lot about a person. So collectively, all of that is open source intelligence. And it's an interesting field because it can be used for so many things. Background checks, reporters, journalists use it all the time, missing persons.

missing loved ones or tracking down objects, things, information, false information, you know, you could prove some things incorrect or misinformation. So there's a lot of avenues with this skill. I call it a superpower because it's like you start digging deeper and suddenly you unlock some big mystery or some big thing that on the surface wasn't obvious. But when you put it together, you're like, that's pretty easy. That data was out there. Yeah.

D. Mauro (08:52.142)

Right.

Mishaal Khan (08:58.882)

It was.

D. Mauro (09:00.75)

Let's talk about that. And within within OSINT, there's a lot of sub subsections, right? There's there's a lot of sub specialties, aren't there? There's like, GeoSint and, and, and, or GeoInt and SockInt. And can you can you walk us through what what those are? So so GeoInt is, as I understand it, is the ability to identify location of either a person today or

Mishaal Khan (09:09.634)

Yep, geo end.

D. Mauro (09:29.742)

where they were at the time when a picture was taken and they posted it online.

Mishaal Khan (09:34.978)

Yes, a geo and or geospatial intelligence is one of the most interesting sub fields within OSINT. And that involves, like you said, identifying an image, a picture, a video, and the elements within it, without really knowing where it is without analyzing the metadata. So a lot of the images when you take a photo of something with your iPhone, let's say it embeds GPS information in it. So that's one way to figure things out. But in

99 .9 % of the cases right now, if you upload a picture anywhere online, WhatsApp, or even Signal or Facebook, Twitter, whatever, they remove that information from it, the metadata is stripped out. So now geo int comes in saying, or what else can I look at this picture to identify where it was taken when it was taken.

and where the person was potentially. And this is based on the background. Maybe I see some buildings and I can identify a building or an interior. Right, even that, right, based on the shadow, the length of the shadow, the direction of the shadow, I can tell where they are in the world, because the sun's angle changes depending on the hemispheres you're in and the time of day. I can tell, you know, based on the shadow up to, you know,

D. Mauro (10:31.95)

the trajectory of the sun, right? Like you can tell what time of day it was.

Mishaal Khan (10:52.77)

a 10 minute window on when this picture was potentially taken. And there are hints. Yeah.

D. Mauro (10:57.23)

That's remarkable. That's remarkable. And yeah, and also like there are groups that in and I believe you've been involved in some that go very deep, right? That probably surprised a lot of people. And that is like, they'll look at the type of soil that is in the image, right? And yeah.

Mishaal Khan (11:15.298)

Yeah, trees, soil, the color of the soil, because that changes. If you start looking into these things, you're like, yeah, that's common sense. Like if I see a palm tree, I can only be in so many places within the US. If I see, you know, tall trees, which are 30 feet high, that's again, very specific to a certain geography of a country or a state. And so,

D. Mauro (11:22.286)

Mm -hmm.

Right. Right. Exactly.

Mishaal Khan (11:40.418)

The more you do geo and you realize you need a lot of background information on geography. First of all, you need to be good in geography. A lot of people are not. That's why this field is considered like, wow, you're right. And especially when it comes to international. And when you go international, you lose a lot of people is like, what is that license plate? It has an orange in the center. It must be Florida. All right.

D. Mauro (11:44.43)

Mm -hmm.

D. Mauro (11:48.686)

A lot of Americans are not in particular. We're like, if it didn't happen in Ohio, we don't know about it. Right? That's pretty much it.

D. Mauro (12:05.518)

Lord.

Mishaal Khan (12:07.106)

But what if it's like elongated and thin and it has a little something blue on the side? That's that's Europe. But where in Europe like so there's different things you can see within an image like a car or even the wall socket the the outlet of the wall as you know, it could be three pronged, two pronged, you know, circular or whatever different shapes and that's specific to, you know, a country. I play this game with my with my family often when they're watching YouTube videos and stuff. I'm like,

D. Mauro (12:11.086)

Right. Right.

D. Mauro (12:21.198)

Mm -hmm.

Absolutely.

Mishaal Khan (12:35.842)

let's try to guess, let's see who can guess where this person is, like what country, what region, like if it's like a children's show or whatever, or a sitcom or like, yeah, based on the background, I feel this is this country or based on the cars that went past the license plate was like thin, this must be Europe or whatever.

D. Mauro (12:38.19)

Yeah, well, yeah.

D. Mauro (12:51.054)

That's so interesting.

Right.

Mishaal Khan (12:57.09)

So it's fun playing these games because now the kids learn a bit of geography and the interesting side of geography, not just memorizing, you know, capitals and names and stuff. Right. But saying, hey, that tree looks like a tropical tree. You think it's closer to a body of water or this looks like, you know, desert, that tumbleweed or whatever went by it must be on southern states or whatever. So it's fun doing this for education and tracking things down.

D. Mauro (13:06.318)

Right. Not just for a test. Right. Exactly.

Mishaal Khan (13:26.466)

And then you sort of realize that all these YouTubers and stuff who are taking pictures in front of their homes and thinking that we can't be geo located or it's harmless. Then someone like me comes up and says, that brick structure looks like something in the Midwest, or that looks like a California style house. It must be on either this coast or that coast. We start narrowing it down and I see a home number. It starts with this. How many homes start with that? There are databases out there that you can.

D. Mauro (13:43.726)

Mm -hmm.

Mishaal Khan (13:56.482)

cross reference and say, give me all houses in the US that start with a 175 to and it's, you know, in this area. And now you have suddenly narrowed it down to like five possible locations. And then they go out and you see a potential license plate and you recognize the state you're like, you know what, I figured out exactly where he lives. This is the street, go on Google Street View. That's his house. And then if it's someone of evil intention, they will take that information and docks the person swat the person.

D. Mauro (14:21.838)

Right.

Mishaal Khan (14:24.802)

called the SWAT team on their house and a lot of evil can happen because of this.

D. Mauro (14:29.454)

Yeah, we had some we had some episodes earlier on in our show about swatting and swatting dangers and people don't even realize it, but it really stemmed from the gaming community, right? Like people get so intense in the game, especially the first person shooter games and yeah, yeah. And then they'll they'll like organize swatting. And there was actually even a death outside of Wichita, Kansas when when the SWAT team came in.

Mishaal Khan (14:44.322)

Yeah, Call of Duty style, yeah.

Mishaal Khan (14:53.57)

Mm -hmm. All right.

D. Mauro (14:58.894)

and went to somebody in, yeah, they got the wrong person. It's just such a shame among many other things. So part of the problem here, right, is people, it's almost like a fundamental expectation of privacy, right? Yes, we're posting something online or yes, we're going to a website, but we're not really aware of how much

Mishaal Khan (14:59.042)

Right, and they got the wrong person.

D. Mauro (15:24.91)

data is being sold and used by people that we don't even know or we didn't even intend. Right. So what is the impact of these data brokers that are out there based on your experience that people might not realize? It seems like a lot of data is being sold about us. Everything, not just about the products that we're buying, but everything else, our medical, our psychological, a lot of things that we may not know.

Mishaal Khan (15:42.658)

Yeah.

D. Mauro (15:55.182)

are really out there.

Mishaal Khan (15:58.562)

Yeah, what's fascinating is almost every company is in that business of selling and reselling your data, harvesting your data, and you may not realize like, even the governments don't have your back. Like, I read a report the other day that the California DMV, the Department of Motor Vehicles makes about $5 million a year by selling your data. What data? Your home address, essentially. So it's a confirmed home address because you can't lie to the government on your driver's license.

D. Mauro (16:20.046)

Mm -hmm.

D. Mauro (16:27.054)

Right, and get a license. Right, yeah.

Mishaal Khan (16:28.674)

Right. And in California is one of the few states that you can actually mask your home address and you can put a PO box on your driver's license. So on the surface, anyone looking at it doesn't know your home address, but the DMV has it and they're actually reselling your actual home address to data brokers. Now, if you do a background check with one of these premium services like LexisNexis or whatever, now they have your actual home address confirmed by the DMV. I'm like, that's how they get such accurate data because everyone's selling it.

D. Mauro (16:57.07)

Unbelievable. And no one would expect that. Like the average American doesn't expect that when they're getting their driver's license that their data is going to be sold.

Mishaal Khan (16:58.626)

And if you ever do a FOIA, yeah.

Mishaal Khan (17:07.17)

Yeah, I would recommend everyone to do a FOIA request on yourself. So Freedom of Information Act. So if you're in the US, you can go to your own local county or village or city and look up where you can do a FOIA request and do a FOIA request on your home and see what information the local government has about you. And you can see on their public portal, anyone else who has requested a FOIA request on either you or your home. And what you'll notice is,

Almost on a monthly basis, these big companies like LexisNexis or Experian or Equifax are pulling reports on everyone's homes, on who lives here, what other data can I have, like the names of those people, any other thing that you've put in that form, in your county form, like a phone number, an email address. They get all of that data, they suck it in into their databases, and now they have accurate data. I'm like, wow, I didn't know the data I provide to the government is being sold to these private entities which make...

millions or billions of dollars out of it and make a service out of it. Like, I wish I knew about this because I wouldn't allow it or give maybe fake data or if it's an optional field, not give it at all. Most organizations only need maybe a name and an address and that's it. And then the whole bunch of other fields are optional, but people fill it out anyways. And little do they realize someone else is making a lot of money out of that and potentially abusing that data.

D. Mauro (18:17.518)

Right.

D. Mauro (18:33.23)

Yeah, and the data brokers in this process of selling data, there's really no, and I'm not a big government guy. I don't like I don't personally believe like I'm from the government. I'm here to help you. Not really. Like you're fine. Stay away. Okay. Like I'm like I'm patriotic personally, very, but not like pro big government. I just don't see that like, there's just a lot of inefficiencies.

Mishaal Khan (18:50.722)

right.

D. Mauro (19:01.806)

and a lot of other issues. But it's just disclosing a little of I'm sure you know that about me anyway, before this. But here's my question, though, is there is, though, it seems to me, a logical need for additional regulation here in this space. And there really doesn't seem like there's any. It's like the Wild West right now. Yeah.

Mishaal Khan (19:23.65)

Absolutely. Yeah. Yeah. So I never wait for regulation. I never rely on the government for anything that they're going to do anything that's in your best interest or even good for you for that matter in terms of data privacy. They're only looking out for themselves. It's pretty obvious the more you dig into these news articles, how they're making money off of you. It's disgusting to a point that they're basically taking advantage of the data.

D. Mauro (19:28.27)

Now...

D. Mauro (19:37.454)

Right.

Mishaal Khan (19:52.706)

and the access and the ignorance of people and their... Right.

D. Mauro (19:56.462)

It's because the devil's always in the details and people don't read them. Like I saw one stat that if you actually had to read all of the terms and conditions of everything you've already agreed to, like it would take like 18 years or something like that. Like it's ridiculous. You have to quit your job and just sit there and read, write all of these terms and conditions. And it's, and it's crazy. I used to be one of the people that wrote those things. So like it's, it's, we did, we did it on purpose.

Mishaal Khan (20:10.498)

Alright.

Mishaal Khan (20:18.434)

Yeah.

Mishaal Khan (20:24.962)

Yeah.

D. Mauro (20:25.326)

But it's terrible, right? Because there's an expectation. People believe there is a certain agreement, a certain social contract in place, when in reality, there's not, right?

Mishaal Khan (20:37.922)

Yeah, and I feel it has to come from the other end. So since we can't rely on the government for having the, you know, our, our interests, yeah, we need to do it ourselves. And that's why I do a lot of public speaking, I spread awareness through OSINT through the art of OSINT showing people, look, it takes me five minutes to know a lot about you and give me 10 minutes, give me one hour, give me one day, and I'll find even more information. And a point comes where I usually find

D. Mauro (20:43.726)

We need to take it into our own hands.

D. Mauro (20:48.846)

Mm -hmm.

Mishaal Khan (21:05.986)

more information than the person themselves know about themselves. They're like, well, we didn't know we had, you know, data in these certain places. And this entity was collecting data or how did you extract my, you know, records, my speeding records from, you know, 20 years ago, I didn't even know I had, you know, information like this. I'm like, yeah, well, this is all out there. And the more time you give me, the more I can extract. It's like literally never ending at some point.

D. Mauro (21:14.542)

Right.

Mishaal Khan (21:32.29)

And then you talked about GeoAnt and then you analyze their pictures. I'm like, I know your exact date of birth. There was a person, a high profile figure. They're like, yeah, you will never guess my date of birth and stuff like that. I'm very private. I'm like, sure, none of your data was out there, but your wife posted an image on her social media saying happy birthday to you and you had no social media presence, but now I know your day of birth. Other...

the aspects like a data breach or something gave me your year of birth and I know your month because of what that posting was. I'm like, I know your exact date of birth because of something that was you didn't even post. So I'm like, all these things connect to each other. There's social media intelligence, like you mentioned. So sock mint, there's this, which is a geoint.

D. Mauro (22:01.102)

Mm -hmm.

Mishaal Khan (22:19.778)

Then there's network -based intelligence, there's business intelligence, there's human intelligence. If I can't find anything online, I'll ask humans, social engineering. I'll call up someone you know or yourself and act like a marketing person or someone else who's here to do service and maybe got the wrong address. Right.

D. Mauro (22:37.07)

and just gather a data point to be used later, right?

Mishaal Khan (22:40.354)

I don't know five things about you. I need to know the six things. So you'll believe me because I know so much about you, but that one piece of information that I didn't have about you, I'll unlock that. And that's the art of social engineering. So there's so many ways to get accurate information. And then it becomes so dangerous suddenly when you realize that this can be misused very quickly. And that's what I kind of do. I kind of spread awareness. My goal is to kind of...

D. Mauro (23:02.286)

Mm -hmm.

Mishaal Khan (23:06.05)

shock people a little bit and wake them up and say, Hey, this is out there about you. What do you do next? And that's the question that gets asked. I'm like, well, you need to take care of your privacy yourself. No one else is going to take care of it for you, especially not these large entities who are their whole business model is getting that data out there. They're not going to scrub it for you. You have to do it yourself. And that's why I created operationprivacy .com a DIY portal.

D. Mauro (23:17.102)

Right.

D. Mauro (23:31.694)

Yeah. And for the listeners and viewers, we have a link down in the show notes. Please go check that out. Right. It is so interesting. So can you walk people through what operation privacy is and what you have? It's very similar to some of the stuff that Mr. Mizzal does for the high profile celebrities. Right. Yeah. I'm sorry. I just misspoke. Michael, Michael, Michael.

Mishaal Khan (23:55.97)

Yeah, Michael Basil. Right. Yes, a lot of the right. Right. So I've taken training.

D. Mauro (24:01.486)

Basil. Yeah, I apologize. Let me edit that out. Hey, this is very similar to what Michael Basil does. I'll go back and edit that.

Mishaal Khan (24:08.29)

Yes. Yeah, absolutely. So a lot of the resources in that portal for opt -outs for people search websites have been taken from his resources. He makes those resources public as well. So it's a collection of very different forms of privacy. So there's the obvious people search websites where anyone can...

D. Mauro (24:33.71)

Right.

Mishaal Khan (24:33.89)

go on these like fastpeoplesearch .com or spokeyou .com and stuff like that and look up anyone's name and date of birth and relatives and a lot of stuff can be revealed.

D. Mauro (24:44.526)

And there's issues with those, aren't there? Like I know Krebs on Security was writing about those. Some of those companies tend to be owned by people not within the United States. And then also when they go and they try and delete or they make a request to delete, they have to give more personal information to prove that you're you. And then they wind up keeping that information anyway and selling it. That's what there's some allegations about.

Mishaal Khan (25:06.626)

right.

Mishaal Khan (25:10.242)

Yeah, it's a vicious cycle. Yeah, so I have a lot of tips in my portal on how to delete as well. It's not just here's the opt out link and that's a challenge in itself. So if you go to website domain name .com slash opt out tomorrow, they'll change it to slash opt dash out and then slash remove. So they keep changing the opt out links as well. So I kind of keep track of those things and I update those.

D. Mauro (25:16.622)

Yeah.

Mm -hmm.

D. Mauro (25:28.078)

Mm -hmm.

D. Mauro (25:33.902)

That's good.

Mishaal Khan (25:35.17)

because they don't want you to opt out. Imagine everyone opts out and the website is useless now. So I have tips on how to opt out. Don't give real information on this or that. So first search yourself, only give them information they already have about you. If they're asking for something that they don't have like a phone number, give a burner phone number. And I walk through steps on how to get these temporary phone numbers, temporary email addresses that you can just use a few times and just forget about them. So it's a holistic approach.

D. Mauro (25:37.166)

Right.

Mishaal Khan (26:04.93)

it's going to take, to be honest, six months for someone to really take care of their privacy to have some control. So opt -outs is one section. Yeah, it's because the opt -outs is just one subset of overall privacy. There's credit freezes, there's home privacy, there's device privacy, what are you doing on your phones? What are you doing for your home? Google Street View.

D. Mauro (26:11.854)

It takes that long. Wow.

D. Mauro (26:21.518)

Right. Yeah.

Mishaal Khan (26:29.122)

A lot of people, you know, I've come to me, they're like, all right, I wiped myself from Google Street View. No one can see the front of my house because it's a physical security risk. I should be good. And I'm like, well, this is what the front of your house looks like. They're like, how'd you get it? I blurred it on Google Street View. I'm like, well, there's Bing Maps, there's Apple Maps, and there's a whole bunch of other third party mapping software. You forgot all of those. They're like, wow, how do I keep track of all these different sources of information for the exact same thing? I'm like, well, operationprivacy .com I highlight.

D. Mauro (26:44.654)

Right.

Mishaal Khan (26:58.754)

these things in different categories and subcategories. So once you're doing home privacy, there's all those things. Once you're doing device privacy, a lot of the other things, OPSAC, which is operational security, how to really start with password managers and MFA, and because you're going to be in a lot of breaches, how do you prevent the next breach or at least muddy the waters?

D. Mauro (27:19.758)

Yeah, let's touch on that because that relates to things that we train on and security awareness as well as freezing the credit. But the password managers, we get asked all the time and it's really not an exciting topic. But so many people have come to realize it's important to have good passwords. So, so many people oftentimes will have a great password. They're like, I put this in.

you know, how strong is my password and it's going to take a billion years for, for, for this one to crack. So I'm using it on everything. And I'm like, and I just shake my head. I'm like, and then it gets breached because they sold that to somebody you don't even know about. And then they get breached or whatever. And then now we have that great password and now we know that you're using it. So we're going to use it on everything.

Mishaal Khan (27:58.082)

Then it gets breached.

Mishaal Khan (28:04.962)

Right.

Mishaal Khan (28:09.602)

I'm actually waiting for the next breach when one of my passwords shows up in one of these dummy websites which is 100 characters long and it's gonna stand out with some dummy email address. I'm like, that's my password. And...

D. Mauro (28:14.99)

yeah.

D. Mauro (28:19.694)

Yes.

Mishaal Khan (28:23.074)

you know, I haven't reused it anywhere. And it's a unique password for everything. Like I take it to the extreme where every email address I use is also unique. So even if my password was breached, and I'm not sharing or reusing those passwords, you won't be able to tie my email address to some other account because all my email addresses are unique. So it's, I take obscurity to a different level. And so as you've

D. Mauro (28:25.422)

Right.

D. Mauro (28:41.23)

that's fantastic. That's brilliant.

D. Mauro (28:48.174)

Well, I'd hope so. You're the you're the doctor of it. So like, you know, when I want to diagnose this, I want somebody from that actually knows that does what what they're what they're telling us to do.

Mishaal Khan (28:51.458)

But...

And there's steps to this. Right.

And the reason I said it takes six months is because it's a phased approach. You start with the surface. You start with something that a normal person can Google you with. You Google yourself and you see, all right, that's the surface level. I've done that. Now you go a little bit deeper into stuff that an awesome professional can find out about you. All right, now I remove those things that they're a little bit harder to remove. And then you're like, all right, if someone even stronger than that, you know, tries to look me up, an investigator, you know, the FBI, CIA, whatever.

D. Mauro (29:01.806)

it really does. Yeah.

Mm -hmm.

Mishaal Khan (29:28.258)

you know, how do I kind of scrub some of the data from there? A point comes where you can't scrub any more data, maybe some certain government records or certain things that just you can't remove or don't want to remove. That's the point where you start doing some disinformation or misinformation about yourself. So you spread false information, you give your real name to let's say a website, but a fake address, or you give a real address to let's say, Amazon every

D. Mauro (29:46.414)

Right.

D. Mauro (29:52.782)

Mm -hmm.

Mishaal Khan (29:55.49)

You know, I can't get away from Amazon, I have to order packages from through Amazon. It's like the lifestyle we live here, or any place else you order packages to your home. I'm not saying never order anything at your home, order it but give a false name. No one's checking your name. No one knocks on your door and says I need your ID before I give you this package. At most they'll ask you to sign something. Yeah, put a fake signature on it.

D. Mauro (30:00.462)

Right.

D. Mauro (30:14.638)

Right.

Mishaal Khan (30:18.434)

There's no such thing as a fake signature. If you sign it, that is your new signature. So, but just give a false name because that data from UPS or FedEx or whoever is going in some database. Be sure that they are storing it somewhere and one day that's going to get breached and it'll say, this home address belonged to a John Doe or whatever, because you gave a false address. So now you're safe. So that's the level of disinformation. And then privacy habits is what the ultimate goal is. So once you're done with all these,

D. Mauro (30:22.03)

Right.

D. Mauro (30:28.558)

Mm -hmm.

D. Mauro (30:37.55)

Right.

Mishaal Khan (30:46.626)

tasks, I call them privacy based tasks. Eventually, what should come out of this is privacy habits, better, yeah, better habits that like digital hygiene, so that you don't repeat it because the next time you give the same information somewhere else, you're back in the same boat. So you have to start changing the way you give out information. It's know that it's valuable, maybe not to you, but to someone else and know that it

D. Mauro (30:52.686)

Good habits, right? Digital hygiene, right? Better digital hygiene.

Mishaal Khan (31:13.378)

can and will be abused by someone at some point in your life. That's basically my goal.

D. Mauro (31:17.934)

Yeah. Yeah. And it's, it's really, it's, it's a, it's a tragedy when that happens. I mean, there's so many people that have had identity theft and it takes, it costs a lot more than people think. And, you know, it, it takes a lot longer to, to repair that stuff. And, you know, and, and there's, there's little tweaks. You don't, you have a, a lot of writings out there. And one I saw that was,

brilliant was the out of office messages. So many people leave out of office messages. And what you have to realize is when social engineers or threat actors are sending phishing emails, et cetera, they will receive your out of office, you know, your out of office, your OOO message, as well as your coworkers and your clients or your family members. And so often they will use, like people are disclosing way too much there. So you hit some really good points there.

about, you know, like just saying, I'm going to be unavailable, please expect a delay. Be very vague.

Mishaal Khan (32:26.018)

You know how I discovered this? I do a lot of pen tests as well. So there's a company that hired me to do a pen test on let's say 500 email addresses that they have. So they gave me the email addresses and I sent, you know, 500 emails, a phishing email to them and to see who clicks on it. They're pretty strong in their defenses. A few people click maybe, but nobody gave me credentials. But about 50 of those emails had an out of office reply. So I got 50 emails saying,

I'm out of office, I'll be in Florida on a boat or whatever having fun and I'll be back in a week. And here's my cell phone number, here's my manager's number. Someone else was like, I'm out sick or this, right? Or at my birthday party or I'm at my son's graduation and I'll be out for two days and enjoying blah, blah, blah. A lot of personal information was being revealed about the person. I'm like, you know what? I can take this to phase two and now...

D. Mauro (32:58.638)

Right.

D. Mauro (33:05.102)

Right. So you understand the corporate hierarchy you under the giving.

Mishaal Khan (33:20.706)

target their boss saying I'm this person, I'm on a boat so you can't reach me. So I have this little window of social engineering hacking that I could do to practically anyone at this point. And now they're leaving personal cell phone numbers that I didn't have initially. So I can pivot off of that and call the other person spoofing their number. And I know that they can defend themselves because they're out of office. So I'm like, man, this is a lot of personal stuff that can...

D. Mauro (33:30.83)

Right.

Mishaal Khan (33:49.858)

be misused and you know, my, my engagement stopped there, but why I told the client that I could have taken this to phase two very easily. But my scope of work stops here and they're like, wow, yeah, this is a big discovery and we should change how we do out of offices, replies. So I gave them a small template, which I think is also in that article. you saw keep it generic.

D. Mauro (34:09.742)

Yeah, it says, I'm currently out of the office. Please expect a delay in my responses, which is great, right? It doesn't disclose anything. Yeah, really interesting. Like it's those little things. It's very subtle, right? Unbelievable. Unbelievable.

Mishaal Khan (34:14.658)

That's it, yeah. Yeah. Right. So minimum information.

Right. And that's the mind of a hacker. That's what I always say. Think like a hacker, no matter which phase you're in, whether it's ethical hacking, think like a hacker, whether it's privacy, think like what a malicious hacker would do to breach your privacy. Whether it's acting as a virtual CSO or a CSO to someone, you're doing your defenses, but think like a hacker again to see how should I prioritize my defenses, either personal or corporate, and that's when you will achieve faster results.

D. Mauro (34:29.806)

Mm -hmm.

D. Mauro (34:53.838)

That's fantastic, Michelle. So let me ask you, AI is kind of a thing, kind of popular. People are using it a lot, generative AI. And so with that has come a great advancement in social engineering. What are some of the things that you're seeing? I mean, obviously deepfakes have been in the news. Deepfakes are very concerning because...

in scenarios I'm aware of, people will receive either a business email, compromise email, like an attempt for that, or a social engineering attempt, and they'll say, don't worry about it, let's jump on a Teams meeting or a Zoom meeting. And they'll get on just like we're doing now, but we're not us. And it's generative AI doing an actual deep fake. What can people do to defend themselves, to identify those? How has technology advanced?

Mishaal Khan (35:35.874)

Right.

D. Mauro (35:49.101)

to detect that. I saw that. I believe NIST is creating a platform that they're trying to build resources, public -private collaboration to establish better detection mechanism from a technological sense. What are you seeing?

Mishaal Khan (36:10.114)

Yeah. So as a hacker by heart, I've done a lot of ethical hacking, pen testing and stuff. I would say it's very hard to detect and defend against these things using the current tools that we have and current mindset that we have. So in the last two years that, you know, all this chat GPT and AI and stuff has exploded and access has been given to free to the good and the bad.

Things like emails are harder to detect because they're being generated using chat GPT. So no more spelling mistakes, grammar mistakes. They're very perfect in terms of business relevance and they're phishing emails. So that detection is poor now, you know, looking at the content. Voice can be cloned.

Perfectly well, we've all seen it, you know, a lot of websites that do a very good job at this I do it in almost all of my presentations I clone someone's voice have a conversation with them and show how easy it is to fool someone with spoofing a phone number another technology that's been out there for decades Combine multiple things together Impossible to detect a spoofed call. I actually had a vendor

And since I work in the corporate side as well, a lot of vendors pitch me their solutions and they're like, we can detect spoofed calls and cloned voices and stuff. I'm like, all right, can I test it right now? They're like, what do you mean right now? This is like just a demo environment. my God, can I call into your demo environment, which I see a little call center that you have? They're like, yeah, sure. We can set up another call for that. I'm like, no, no, like right now, give me 30 seconds and I'll set up. They're like, shit, okay.

D. Mauro (37:48.686)

Mm -hmm.

Mishaal Khan (37:52.098)

So I gave him a call. I turned up my software and I spoofed one of their cell phone numbers. I'm like, this is one of your personal cell phone numbers. They're like, how'd you get that? I'm like, well, while you were doing your slideshow presentation, I was doing OSINT on one of those folks and I got their personal cell phone number. I'm like, you're going to get a call right now. They got a call from one of themselves and it was a cloned message that I had a voice message. I'm like, what do you see about this call? They're like, well, you got like a...

A minus or something in their rating system and we let the call through and it was basically almost perfect. And the reason it got an A minus was because it was being spoofed or whatever. I'm like, it should have been like a C or something because everything was wrong about this call. They're like, yeah, well, that phone number wasn't really in a database of known bad numbers like spam or spammy numbers. So I'm like, so this is not AI. The whole thing was like, we're using AI to detect AI. I'm like,

D. Mauro (38:26.99)

Yeah.

Mishaal Khan (38:48.066)

but you're using a database to run queries against. Right. Yeah. Yeah. And they're like, no, we have some AI detection. I'm like, hold on, let me prove that to you. I'm like, let's Google known scammy numbers. So I picked up a number that was on some website saying this is spam and if you get a call from this and I cloned that number and their system gave it like an F or something. I'm like, see, there you go. I just proved, I just changed the number and.

D. Mauro (38:49.55)

Yeah, you're using a stale, yeah, static database that they have to that they have to update.

Mishaal Khan (39:17.73)

So that's how detection is working right now. They're not using AI detect. Right. And so I'm like, attackers have the upper hand right now. And then take it one notch up from text to audio to now video. Same thing. You're fooling humans with video. You're not fooling any other technology. Technology is not going to detect it as quick. And when it does, hackers are going to up their game and make something better, more believable.

D. Mauro (39:20.878)

It's behind the time. It's not. It's not keeping up. Right.

D. Mauro (39:27.31)

Mm -hmm.

D. Mauro (39:45.518)

What I'm surprised, my personal observation on the video deepfakes is just in the last four to six months, they have gotten virtually undetectable, at least by me. Like before I used to be able to tell either the voice or the lip syncing or the head movement. And now people are on there. They're moving around. They're talking. The inflection of the voice, the lip syncing, it's undetectable.

Mishaal Khan (39:57.538)

Yeah. Yeah.

Mishaal Khan (40:03.394)

Right.

Mishaal Khan (40:11.074)

Right.

D. Mauro (40:14.958)

Like, it's unbelievable.

Mishaal Khan (40:15.17)

So I'll tell you a scenario like a couple of months ago when it wasn't that great where you could tell how this is a fake video I can see some pixelation or jerkiness on their face and stuff. It's not sinking, right? I took that crappy video of someone I said, let me clone it and I'll still fool you into believing this is real and this is how a hacker mindset works.

D. Mauro (40:23.31)

Hmm?

Right.

Mishaal Khan (40:38.018)

So I took that video, I'm like, I played the original. I'm like, they're like, yeah, this is pretty fake. I can tell this is a fake video. It looks like me, but it's not me. It's obvious it's fake. I'm like, obvious, right? I took some software, some basic free video editing tools, and I chopped up the video into many pieces, put some black frames in between, made it pixelated and stuff. And I took the audio and I cut it up into pieces as if the connection was very weak. And then I replayed the video.

D. Mauro (40:38.35)

Right.

D. Mauro (40:45.358)

Mm -hmm.

D. Mauro (41:03.534)

Mm -hmm.

Mishaal Khan (41:04.642)

And I'm like, yeah, it's so bad. The video quality is terrible. I'm like, but you can tell there's a guy in there that kind of looks like you, but it's so choppy. It's like they're having a bad internet connection. And then I shut the video off. I just put a black screen and I just played the audio. I'm like, imagine this was a conversation with you over zoom. And you're like, yeah, I saw the person a few, you know, a few glitches of his video. So that's him. But now the audio is perfect. So I believe the audio, I believe the caller ID, everything else is believable. And the video is questionable, but you know what?

D. Mauro (41:24.494)

Right.

D. Mauro (41:29.87)

Right.

Mishaal Khan (41:34.306)

I'll let that go. And the whole call suddenly seemed very legit. So I'm like, this is how a hacker mindset works. If technology is not with them, we'll do something else.

D. Mauro (41:42.414)

Well, yeah, and you have to realize is that the name that they're going to use is somebody that actually works at the company, right? And the phone number that they're going to use is actually tied to the person, right? And they're going to have the OSINT done. So any questions that you're going to ask, they're going to be able to answer. And so that's really the scary part.

Mishaal Khan (41:49.538)

Great.

Mishaal Khan (42:00.898)

Yeah.

Yeah. And I think what the solution to all of this is not more technology to beat technology. It's a change in process. Like I told a company, a bank wants that if this is happening to you and we saw the another bank in Hong Kong was that someone transferred was about 35 million or something over a video call 25 million or the CFO told them to and the video was like, I'm like, for scenarios like that, you need a proper

D. Mauro (42:11.63)

Mm -hmm.

D. Mauro (42:19.47)

Yep.

It was 25 million, yeah.

Mishaal Khan (42:30.05)

protocol in place saying if it's an emergency situation, you need to transfer that much money, stop thinking your protocol should say we should take at least two days, verify call the person using out of band communication, a second form of communication. And, and if you're bypassing all of these, and your CEO CFO saying something like, no, we need to bypass all this to do it now. Well, that's a red flag, don't do it. In fact, companies should take proactive measures in doing pen tests, which kind of reveal these things and say,

D. Mauro (42:31.533)

Right.

D. Mauro (42:42.478)

Exactly, go outside the band.

D. Mauro (42:53.166)

Mm -hmm.

Mishaal Khan (42:59.714)

I'm going to try to bypass your protocols. I'm going to hack your protocols, not technology and your processes. So now what I started doing is I hack processes. I say, your technology is pretty good, but let me hack the process and let me bypass, you know, BEC, business email compromise and stuff. Let me social engineer you into bypassing some of the hard and fast rules that you've set and see how well people respond to that. And if that breaks, well, that's your gap right there. So I think if you...

D. Mauro (43:04.366)

Mm -hmm.

D. Mauro (43:28.334)

Well, we've seen that in some of the largest breaches too, haven't we, Michelle? Like we've seen that. And when you think of like MGM breach, you know, they're, they're, they're calling help desk. I mean, it's in the name. It's in the, yeah, but it's in the name. Like they're there to help, right? Like they literally are there and, and they do so much OSINT upfront that they're able to answer any questions that they're going to ask. Right. So it's really about.

Mishaal Khan (43:28.93)

control that better. Yeah.

Mishaal Khan (43:35.586)

MMMM

Mishaal Khan (43:39.97)

reset passwords. Yeah.

Mishaal Khan (43:44.93)

haha

D. Mauro (43:54.99)

staying within band and some of the other breaches that happened in the last year or two, you hear about, you know, somebody constantly sending multifactor notifications, right? Until then they get on WhatsApp, right? Or they go like off band and they go, Hey, this is your IT team. Could you please approve that prompt? And they go, sure. Right? Like, wait a minute. Like your IT group is not going to ping you on WhatsApp. Right? Like just that.

Mishaal Khan (44:04.93)

Yeah, fatigue.

Mishaal Khan (44:14.05)

Right.

Mishaal Khan (44:20.258)

Okay.

And I don't blame them every time because if they've never been exposed to this process or a breach of process, they're going to fall for it. And every time an executive, right. And I've been told like the blame game happens a lot. They're like, our employees are stupid or they fell for this or they should be penalized with more training. Yeah. And to that, I always say that if you feel that that's the case, then

D. Mauro (44:25.422)

no. Right.

But it's about establishing the process, isn't it? Like, yeah, the policies and the practices.

D. Mauro (44:40.302)

No, anybody would have.

Mishaal Khan (44:47.01)

you're going to be my next target. I'll do a pen test and I'll pick on only the CEO and give me like five attempts. I will get through eventually and I will make you feel silly if you think your employees are silly, not following protocol. Everyone will eventually fall for it. It's a matter of testing and awareness. If you're not investing enough in testing, they're not being exposed to something that will eventually happen and spread awareness. Half the time when I do these stocks, that is half the battle.

D. Mauro (44:49.87)

Right.

D. Mauro (44:57.934)

Mm -hmm.

Mishaal Khan (45:13.794)

I've kind of defended them enough because now people know that it's possible. They're like, we'd never knew voice cloning was at that level. You and I as tech people, we laugh about it. We're like, yeah, I'll go to this website, pay $1 and I have an account where I can do perfect voice cloning and stuff. But other users who are not in tech don't know about this. They're like, yeah, we heard about it, but hey, let me show it to you. When you show it to someone and involve them by cloning their own voice or their boss's voice, their jaws drop.

D. Mauro (45:19.054)

Right.

D. Mauro (45:38.222)

Mm -hmm.

D. Mauro (45:41.838)

Yes.

Mishaal Khan (45:43.65)

they will never forget it. And next time when something similar happens, their guardrails will be up there, but I don't know if this is really my boss or not. You want, let me hang up the phone and call you back because that's what I heard Michelle say in a presentation that, you know, you can spoof an incoming call, but when you're, it's an outgoing call, you know, you can't spoof that. And I know I'm calling the right destination. So just hang up and call them back. And now, you know, it's the right person. So little things like that resonate a lot with the audience, with the users.

D. Mauro (45:55.822)

Right.

D. Mauro (46:08.302)

Absolutely.

Mishaal Khan (46:13.378)

And I feel that is a better form of defense than spending an endless amount of money on more technology. It's very simple in a lot of cases.

D. Mauro (46:23.694)

I completely agree. Yeah, that's that's great insight. So let's segue to the book that you just wrote, the Phantom See -Sow, Time to Step Out of the Shadow. What got you to write the book in the first place? It was a great book.

Mishaal Khan (46:39.298)

You know, thanks. We, my co -author and I, we saw this gap in the industry, where you see a lot of CISOs in place there. It's a position of power. But I saw a lot of incompetent CISOs. I'm sorry to say, but most people in that position were what I call the accidental CISO. They were there because maybe they were in another position and that area was vacant and they kind of slid into that.

D. Mauro (46:42.702)

Hmm?

Mishaal Khan (47:08.514)

position, but they weren't causing change in that. And there were a lot of competent folks underneath, maybe an IT director, or maybe some project manager, whatever that they were taking charge of the security initiatives of the company, yet they didn't have the title of a CISO. And hence they didn't have the power of a CISO to make change.

D. Mauro (47:27.854)

And that was really enlightening. That was really the target of the book, right? Is you are a phantom see -saw whether you have that title or not.

Mishaal Khan (47:36.706)

Exactly. Yeah. So that's basically the new definition that's out there. A fandom CSO is a person who works as a CSO has a lot of the responsibilities of a CSO, but hasn't been assigned that role or the title. And yet now they don't have that power to make change. And in technology, we always argue about all the products and services and stuff we put into place, but it's a top -down approach.

If the CFO CEO board of directors are not on board with security initiatives, nothing's going to happen. Nothing's going to change. You can invest everything in MFA and all that stuff. But if you're no one's adopting it because the policy doesn't dictate so you're not going to see any change. So see. So is that position, you know, the top of the pyramid for a cybersecurity in the cybersecurity realm that has the power to make that change.

D. Mauro (48:03.758)

Hmm.

Mishaal Khan (48:30.05)

So this book is about empowering people who have an inclination towards security leadership to become that security leader and to do your own gap analysis. Just like we do in a CIS assessment or NIS assessment, we do a gap analysis. This is your own personal gap analysis into, do I have the right soft skills? Do I have the right technical skills? And what other things do I need to be in that position that I may not have? So both myself and my co -author, we had our own different set of skills and our gaps.

So we put all that together in a nice concise little book. It's sort of like the formula to be an effective seesaw.

D. Mauro (49:08.814)

Yeah, no, it really is. And in there, you have a couple stories and highlights. You talk about email security with DLP policies. You talk about data loss prevention. And can you walk us through a little bit about that? Could you elaborate on that? Because I thought that was really interesting, as well as the field CSO, the role of a field CSO.

Mishaal Khan (49:33.954)

Yeah. So I was, I've been a very technical see so in my career. And there's a lot of things you can do on something as simple as, as email. So email security is a lot more complicated than people implemented. They'll just implemented with default settings. I'm like, no, have some DLP. So data loss prevention features in it. So as emails are going across the organization, see what's in there in terms of sensitive data are.

people exchanging, you know, invoices with routing numbers in them or social security numbers in them, because if they are, that's clear text, it's gonna get breached, it's in your inbox. So in my own company, our HR had, was emailing back and forth insurance forms and stuff, and those forms had social security numbers in them, and our DLP kind of caught that. And we're like, you know, when the organization gets breached, and especially you,

HR when your account gets breached in your sent items folder, you have everything for everyone. That's a lot of sensitive info. So we kind of changed the dynamics that we're like, all right, from now on, the policy is you can't attach things like this, and you'll get a warning. So the DLP solution will initially just give you a warning saying, you know, there was some sensitive information. Here's the link to our policy, attach it using, you know, one driver Google's attachment feature and just send a link.

D. Mauro (50:39.63)

Right.

Mishaal Khan (51:02.626)

to that attachment because you can revoke access to a link later. And if someone breaches your inbox, you know, two years down the line or two months down the line, that link won't be valid anymore. So they don't really get any data. So we're thinking forward on when the next breach happens, what are they going to get? Practically nothing. And that's the goal that you have to be forward thinking. Don't just think in the moment right now. Think of how one solution can feed off to the other one and they're all complementary to each other.

D. Mauro (51:13.902)

Right.

D. Mauro (51:33.422)

That's a great point, right? Like having links there that expire, right? That's, that's right.

Mishaal Khan (51:37.986)

And also not stop the flow. Like I think one of the other things I mentioned there was do it in phases. Don't just say, I'm going to block that email because it had sensitive info. Now you're going to cause disruption in the organization.

D. Mauro (51:44.366)

Mm -hmm.

D. Mauro (51:48.43)

Right, because then that's the balance between cybersecurity and convenience and interrupting business operations, which we always get in trouble for. So we don't want that to happen. Right. Right.

Mishaal Khan (51:53.122)

Right. Right.

Right, so educate first, spread awareness first, whether it takes two months, three months, whatever, sure, you're vulnerable during those few months. But then when you actually make the switch over the change, it's easier, there's less friction, people already know the value of why you're putting this additional control on top, whether it's MFA, whether it's something else. Now they're much easier and more accepting to that change. It makes your life as a security practitioner much easier to implement something.

D. Mauro (52:09.934)

Mm -hmm.

D. Mauro (52:25.646)

Absolutely. And then you talk about the role of a field seesaw. So walk us through that. What do you mean by a field seesaw?

Mishaal Khan (52:32.994)

Yeah, I mean, there's a lot of different types of CISOs that we mentioned there, which is a field CISO. Field CISO is more involved in the day -to -day operations of...

D. Mauro (52:45.294)

like client facing meetings, sales, marketing, all of that stuff, right?

Mishaal Khan (52:48.802)

Right, exactly. So they see how technology is going to be implemented, the sales cycle, the product life cycle, and they're involved with, you know, parts of everything. So they're not a project manager, but they'll work closely with the project manager. They're not an implementation engineer, but they'll know exactly how the engineers are implementing a product and their vision. They make sure that their vision is being, you know, rolled out properly.

because a lot of the times the CISO will have something in their vision saying we need like password managers for this and here's the phases that it should roll out and here's the end result that we want to see. But then the engineering team has no idea of that. They're like, we just need to roll out this technology and they do it. There's hundreds of ways to do it. So field engineers are more involved. They take a personal interest in the entire life cycle and they need a lot of different skill sets. It's a very hard position to be in. You just don't need to be a managerial.

You don't have to necessarily have those skills, soft skills, but a lot of technical skills as well. So everyone's made to be a different type of CSO. It's not saying that one is better than the other. It's identifying your own strengths and playing towards those strengths and at the same time building some of the places where you may be weak. But that's where there's like 20 different types of CSOs that are available for different types of organization as well.

D. Mauro (54:12.334)

Fantastic. Well, we will have links to the book in the show notes. It's great book. I encourage people to get it. I mean, it was really good. I loved all the different scenarios and it's very, I hope you don't mind me saying this, but it's very Simon Sinekash, meaning it is very like, you can be a leader without the title, right? And he talks about that and how all of us play a role in leadership.

within various scenarios. And you're really kind of saying, and we can all play the role of CISO in various scenarios, right? And it doesn't mean you have to like go by expensive technology. It's about policies. It's about thinking it through, finding things, educating, and then making changes incrementally so that they resonate. And it was just fantastic. I thought it was brilliant. So.

Mishaal Khan (55:04.162)

Yeah, I always tell my clients that I have very low patience and I need to make changes quickly. I don't have a lot of time left in this world. None of us do, if you think about it. And I need changes rapidly. I need the most effective route to success. And I can't bear...

D. Mauro (55:12.91)

No. Yep.

Mishaal Khan (55:21.634)

you know, internal politics or delays in something. So I have an answer for everything. If somebody said, we don't have budget. Well, you spend so much on coffee or fax paper, get rid of that. And then you'll create the budget for MFA or whatever. And they're like, man, you have an answer for everything. I'm like, yeah, I'm, I'm here to make changes. You hired me to make you more secure, not to sit around and drink coffee and just, you know, waste everyone's time. Time is limited. It's the most expensive asset, in my opinion. And let's make change.

D. Mauro (55:37.518)

Right.

D. Mauro (55:50.318)

That's correct.

Mishaal Khan (55:51.394)

today. And that's the whole premise you see in the book as well, the shortest path to something to change. And I give practical timelines to that. And I give examples. So people resonate better with examples. Almost every point I make in the book, there's a personal example attached to it, which I learned from. And I want people to have those, quote unquote, shortcuts to success, even though there's no shortcuts to success, you got to put in the hours, but

D. Mauro (56:17.742)

Yes.

Mishaal Khan (56:18.498)

Maybe you can learn from some of my mistakes or my experiences and avoid some of those things and reach your end goals faster.

D. Mauro (56:26.574)

Right. Well, thank you so much, not only for this episode, but for what you're doing for people, individuals, as well as the cybersecurity community. Keep it up. We will watch you. What do you have on the horizon? Are you speaking somewhere soon? What's coming up for you personally?

Mishaal Khan (56:47.842)

Yeah, I have a lot of things coming up soon. So a lot of trainings, I'll be doing a different cybersecurity conferences, OSINT training mostly, and a lot of talks on the horizon, cybersecurity based keynote talks. But by the time this comes out, I will most likely have a podcast as well. So you're probably the first one to know. So that's my next exciting thing.

D. Mauro (56:53.166)

Hmm.

D. Mauro (57:09.774)

well, that's great. Exciting. that's great. Well, when you when we get it, when we release it, if we release it, if there's enough delay, then we'll have links to your podcast in our show notes. For sure. That's great, man. Cool. Well, Michelle Khan, thank you so much. Great. Keep up the work and we will watch for more from you. So thank you so much. Have a great weekend, my friend.

Mishaal Khan (57:24.93)

Appreciate it.

Mishaal Khan (57:36.162)

It was my pleasure. Thank you for having me. Yeah, you too.

D. Mauro (57:39.342)

Thanks. Okay, bye.

Cyber Crime Junkies

How Everyone Is Responsible For Cyber Security. Phantom CISO.

Listen to this podcast on