Cyber Crime Junkies

The Aftermath. Navigating Reputations and Protecting Your Brand Image

Cyber Crime Junkies-David Mauro Season 5 Episode 25

James Potter, CEO of DSE, joins us in the studio for a great conversation and exclusive insight on The Aftermath of Data Breaches: Navigating Reputational Damage and Protecting Your Brand Image. We cover reputational harm from data breaches, cybersecurity reputation management and operational leadership. Find more on DSE here: https://www.dse.team/







Topics discussed:
• Target Breach & Surprises most don't know about
• Data Breach Consequences
• Reputational Damage Cybersecurity
• Impact of Data Breaches on Brand Reputation
• Data Breach Fallout
• Online Reputation After Data Breach
• Brand Image After Data Breach
• Recovery from Data Breach Reputational Damage
• Managing Reputation Post Data Breach





Dino Mauro (00:02.964)
All right. Well, welcome everybody to Cyber Crime Junkies. I am your host, David Mauro, and we have a really fun episode today. In the studio with us is my always positive, always fantabulous co-host, Mark Mosher. Mark, how are you, sir? Oh, David, I'm doing wonderful. This is going to be a great episode today. We got a full house. Tell us, tell us who else is in the studio with us. Good to, good, good to see you. And yeah, you brought, you brought a friend, didn't you, Mark? So.

Mark Mosher (00:19.565)
Wow, David, I'm doing wonderful. This is gonna be a great episode today. We got a full house. Tell us who else is in the studio with us.

Dino Mauro (00:32.816)
Yeah, so, it's my one and only friend, but yeah, I brought a friend. Sad but true. That makes me feel great, Mark. Sad. Hopefully you'll talk about it. So sad but true. So in the studio also is our special co-host, Logan Pottberg. Logan, welcome to the studio, man. Thanks for having me. Hopefully one day I have an intro as good as Mark's. Yeah, it's usually from the insincere things to say to coworkers app that I have here, but it's-

Mark Mosher (00:33.489)
It's my one and only friend, but yeah, I brought a friend.

Logan Pottberg (00:36.864)
That makes me feel great, Mark. Hopefully you're talking.

Mark Mosher (00:38.885)
Ha ha!

Logan Pottberg (00:49.272)
Thanks for having me. Hopefully one day I have an intro as good as Mark's, but we'll get there.

Mark Mosher (01:00.606)
Very effective.

Dino Mauro (01:02.092)
Yeah, it's very effective. No, we're really excited about today's conversation. We have an industry leader in the cybersecurity space. So he's got a really cool story. He's had a really lot of good experiences and some really good insight. It is James Potter, CEO and founder of DSE. James, sir. Welcome to the studio. Hey, happy to be here. I appreciate you all having me on. Now we're really excited about having you. So just a little by way of background.

James Potter (01:22.735)
Hey, happy to be here. I appreciate y'all having me on.

Dino Mauro (01:32.084)
Explain to the ladies and gentlemen your current role and what space DSE operates in. Sure. DSE is a cybersecurity firm and we focus on Active Directory almost entirely. Myself and all of our architects have been using this technology since it's been around 99, 2000 time era. That's phenomenal. So when you got in, what drove you to get into Active Directory originally?

James Potter (01:40.506)
Sure. So DSE is a cybersecurity firm and we focus on Active Directory almost entirely. Myself and all of our architects have been using the technology since it's been around 99, 2000 time era.

James Potter (02:01.278)
Well, before Active Directory, you had NT4.0 and all the other precursors, which were fairly limited in their ability to expand to enterprise. And once AD showed up on the scene, it was a game changer, right? Because suddenly you can have a globally replicating directory with no limits. One single directory, no longer do you have to multiply provision people all over the place. And it was going to be big. And I knew it was going to be big. And, you know, here we are.

Dino Mauro (02:01.496)
Well, before Active Directory, you had NT4.0 and all the other precursors, which were fairly limited in their ability to expand to enterprise. And once AD showed up on the scene, it was a game changer, right? Because suddenly you can have a globally replicating directory with no limits. One single directory, no longer do you have to multiply provision people all over the place. And it was going to be big. And I knew it was going to be big.

and you jumped in right away. 23 years later. Yeah. So, so you, you kind of recognized it jumped in right away. Yeah. I got in while a lot of people were, had already spent like 20 years in the industry. So they're learning AD, you know, in their, their mid forties. Right. And a lot of those folk are starting to retire now. Yeah, that's amazing. So what, what kind of drove you into?

James Potter (02:30.242)
23 years later.

James Potter (02:38.138)
Yeah, yeah, I got in while a lot of people were, had already spent like 20 years in the industry. So they're learning AD, you know, in their mid 40s. And a lot of those folk are starting to retire now.

Dino Mauro (02:57.252)
into technology in the first place? Like what... Yeah, like anything... No, that's interesting. I think it probably boils down to, I just really enjoyed playing with computers from a fairly young age. And I grew up relatively poor in the Detroit area, so full-time college wasn't really an option for me. I'm actually a high school dropout. Really? Well, that's... Yeah.

Mark Mosher (02:59.873)
Was there a compelling event? Was it childhood dream?

James Potter (03:03.826)
No, that's interesting. I think it probably boils down to, I just really enjoyed playing with computers from a fairly young age. And I grew up relatively poor in the Detroit area, so full-time college wasn't really an option for me. I'm actually a high school dropout. So all my education is certificates, basically.

Dino Mauro (03:26.288)
All my education is certificates, basically. Yeah. Well, that's, you've, yeah, you've done quite well for yourself. And- I can't complain. Yeah, and you're in good company too within the technology space. Because, you know, we hear about this all the time, people that want to break into cybersecurity, they want to break into IT, and they always kind of beat themselves up because they don't take the traditional four year route. And-

Mark Mosher (03:29.854)
I lost that bet.

James Potter (03:35.541)
I can't complain.

Dino Mauro (03:55.304)
There's just example after example after example of how that is not needed. Right. So long as the work is needed. The people we talk to that feel like they've got the, what is it, the imposter syndrome. Right. Because they didn't, they didn't go to school for four years. They didn't get a degree. Look where, and that's, we always have to remind them, look where you are now. Look what you've accomplished. Look what you're doing. Look at the impact you're making. Yep.

Mark Mosher (04:00.033)
Well, yeah, how many people would talk to that feel like they've got the, what is it, the imposter syndrome because they didn't, they didn't go to school for four years. They didn't get a degree. Look where, and then that's, we always have to remind them, look where you are now. Look what you've accomplished. Look what you're doing. Look at the impact you're making.

Dino Mauro (04:18.12)
That's exactly right. And we see a lot of that with our juniors as well. They're just getting into the industry. They have like a year of experience or maybe no experience and just a handful of certs. And they're typically very unsure of themselves, but this is where everyone starts. Right. That's exactly right. Well, and I think technology and cybersecurity is one of those spaces that, even if you're coming with a four year degree from a great university, but you don't have any experience, any internships, any home labs,

James Potter (04:18.614)
And we see a lot of that with our juniors as well. They're just getting into the industry. They have like a year of experience or maybe no experience and just a handful of certs. And they're typically very unsure of themselves, but this is where everyone starts.

Dino Mauro (04:47.728)
and he certs, like you're still not at that much of an advantage necessarily, right? Like it's one of those industries that it's really kind of proved to me what you can do. Like would you agree with that? Absolutely. There's a real show me mentality. Yeah. And I think GitHub is kind of interesting because it's a proven ground for that. Like people can point to the repositories and what they've done and how many commits they've done over the years and how active they are and what...

James Potter (05:02.202)
Absolutely. There's a real show me mentality. And I think GitHub's kind of interesting because it's proven ground for that. Like people can point to their repositories and what they've done and how many commits they've done over the years and how active they are in what parts of the industry.

Dino Mauro (05:17.396)
parts of the industry. Yeah, that's a really good point. Yeah. It's like part academia, part art, and part passion, right? You gotta have a big chunk of all three of those, really. Absolutely. So let me walk you through this. Starting your own company is no small feat, though. That's a big step. So you had experience working for some quite large consulting firms.

Mark Mosher (05:19.585)
I think it's like part academia, part art, and part passion. Like you gotta have a big chunk of all three of those, really.

Dino Mauro (05:45.468)
I think you weren't you with PwC, Ernst and Young. Yeah. KPMG. Deloitte's the only one I didn't get to cross off my list. Yeah. I was just going to say you bounced around all of them and then, and then you, and then you went, went off on your own. Are those also the ones just as an aside gets a good on a rabbit hole? Are those also the ones that were all hit by MOVEit, by the MOVEit breach? Like, were those the three too? Is that, is that an alignment?

James Potter (05:49.762)
Yeah, KPMG. Deloitte's the only one I didn't get to cross off my list.

Logan Pottberg (05:55.532)
Thank you.

James Potter (06:08.38)
Ha ha!

Mark Mosher (06:09.039)
Ha ha.

James Potter (06:11.722)
Well, once you get to a certain size, you're gonna hit by these larger incidents. It's hard to avoid them.

Dino Mauro (06:13.344)
Once you get to a certain size, you're going to hit by these larger incidents. Oh, yeah. I'm not bashing. Yeah, I wasn't bashing them at all. I was just like, hey, you know what? You hit three of the four. I think so did MOVEit. So did Clop when they hit MOVEit. Yeah. And for those that don't know what we're talking about, like for the business owners, other going, what are these geeks talking about? So MOVEit is a file transfer program, very popular, used by the federal government, used at large.

Mark Mosher (06:24.189)
We just connected the dots real quick.

Logan Pottberg (06:25.868)
Coincidence, maybe.

Dino Mauro (06:42.496)
hospitals, schools, governments, like across all industries. And there was an exploit there in a famous ransomware gang, well-known ransomware gang. Actually, it isn't even deploying ransom. They're just going in, gathering all the documents that are normally transferred, stealing all that data, and then just extorting their victims. But it's one of the largest breaches of the decade. So that's why. That's kind of one of the new trends we're seeing.

James Potter (07:05.342)
That's kind of one of the new trends we're seeing. Like ransomware is difficult. It's harder to do than it ever has been. So if threat actors can find something compromising that has value, maybe you don't need to ransomware anymore.

Dino Mauro (07:09.46)
difficult. It's harder to do than it ever has been. So the threat actors can find something compromising that has value. Maybe you don't need to ransomware anymore. Yeah. Well, and it gets back to their I mean, that's a really good segue right there, right? Because you have you guys do a lot of threat intel at DSE. Like you have a global threat report that you've shared with us, which is really good, by the way.

and you gather up all this from various sources. But some of the trends that you were seeing and that you're showing in the most recent one is kind of pointing in that direction. Like there, you're seeing a lot of these gangs, like when you think about what, why they do what they do, it's financially motivated in large part for certain gangs, right? And if it's financially motivated and they can get equal amounts, if not more money just by the extortion part, right?

then why do the technical ransom and have to deal with that? Right? Absolutely. The path of least resistance for all the monetarily motivated groups. And then you have the other groups that are more nation state level. Right. More for the- And they don't care about money as much as they care about data. No. And that's, you know, we were just talking to a group. They were asking us-

James Potter (08:11.218)
Absolutely. The path of least resistance for all the monetarily motivated groups. And then you have the other groups that are more nation state level, the CCP size, and they don't care about money as much as they care about data.

Dino Mauro (08:30.176)
What was it, Logan? Somebody asked us kind of, well, what's the biggest, it was a healthcare group and they were like, what's the biggest healthcare breach? And we said, well, one of the biggest ones was Anthem, right? Like the Anthem breach happened right here and X amount of, you know, records were stolen and the street value of those records would be worth like, you know, hundreds of millions of dollars. And then we asked them, so how much do you think it's sold for on the dark web?

And they were like, they were like a billion dollars, 500 million dollars. And we're like zero because it wasn't from a cyber crime gang. Right. Like it was part of espionage. It was years later, the DOJ indicted four people from the Chinese military. Their cyber corps. Right. And they just it was part of the OPM breach, the Starwood hotels with Marriott and then

Equifax breach. So Equifax was a big one. Yeah, that woke everyone up to, hey, go patch your Apache servers. Yeah, exactly. Let's talk about that for a second. Wow. Is that okay? Can we talk about that for a second? You in your report, you have a lot of really interesting insight. Some of that you were saying you were talking in that threat intel report, you were you were explaining how like the percentage of the breach and what that was in relation to their gross revenues.

James Potter (09:28.746)
Yeah, Equifax was a big one that woke everyone up to, hey, go patch your Apache servers.

Mark Mosher (09:34.245)
Yeah. Wow. Yep.

Dino Mauro (09:55.984)
and you talk about Equifax, like what were some of your findings there? What was it? So Equifax and Experian both got really nailed to the wall. If you look at their yearly revenue compared to the penalty and cost associated with that breach, it was like two and a half years of their revenue just gone. Oh my God. Like imagine that happened to a larger company like Facebook or Amazon. Like would they be able to survive two and a half years of revenue missing?

James Potter (10:00.022)
Yeah. So Equifax and Experian both got really nailed to the wall. If you look at their yearly revenue compared to the penalty and cost associated with that breach, it was like two and a half years of their revenue just gone. Imagine that happened to a larger company like Facebook or Amazon. Would they be able to survive two and a half years of revenue missing?

Dino Mauro (10:24.756)
There's no way or even go the reverse, the small to midsize business. Right. Oh yeah. Unrecoverable. Yeah. It's unrecoverable. That's why we're seeing. I wonder, do you see it as a trend? Is there, is there like a margin, I guess, of financial impact versus organizational revenue? Do you see the certain percentage amongst all size organizations? Or does it grow exponentially the bigger it gets? What does that look like? Good question.

James Potter (10:30.974)
Oh yeah, unrecoverable.

Mark Mosher (10:34.429)
Do you see it as a trend? Is there like a?

I guess, of financial impact versus organizational revenue? Do you see the certain percentage amongst all size organizations? Does it grow exponentially the bigger it gets? What does that look like?

James Potter (10:53.398)
Well, we have worldwide averages. So the worldwide breach cost is around 5 million. But if you zoom in on the US specifically, you're looking at about nine, nine and a half million on average. And those are for just run of the mill breaches. But when you see the ones that are showing up in the news, your Equifaxes, your Targets, so on and so forth, those are mega breaches. And you're looking at hundreds of millions of dollars for those.

Dino Mauro (10:53.596)
Well, we have worldwide averages. So the worldwide breach cost is around five million. But if you zoom in on the US specifically, you're looking at about nine, nine and a half million on average. And those are for just run of the mill breaches. But when you see the ones that are showing up in the news, your Equifaxes, your Targets, so on and so forth, those are mega breaches. And you're looking at hundreds of millions of dollars for those.

James Potter (11:19.49)
There's not as many of them, but whenever one does happen, it turns into a case study pretty fast.

Dino Mauro (11:19.7)
There's not as many of them, but whenever one does happen, it turns into a case study pretty fast. And you can tell why cybercrime keeps growing. Like it's so well funded. Yeah, I mean, there's money to be made there for someone growing up in an environment that doesn't have any other better options. Right. Even a 9 million average, like that's a big average. Yeah, that's nothing to sneeze at. Yep.

James Potter (11:31.518)
Yeah, I mean, there's money to be made there for someone growing up in an environment that doesn't have any other better options.

Mark Mosher (11:39.009)
Well, we've talked to some of those in the community.

Logan Pottberg (11:39.388)
Even a 9 million average, like, that's a big average.

Mark Mosher (11:46.901)
You know, and that's where it really gets me that we talk to some of these small to medium sized business owners and partners and they think, well, you know, we're comfortable with our risk appetite dialed in at this level right now. Because if we get hit, we've got some reserves, you know, we've got some liquidity we can take. No, you probably don't have nine million sitting in the bank. You probably don't know how to run a talks channel and negotiate with Russians to get your information back or to unlock your manufacturing plan.

Dino Mauro (11:47.136)
You know, and that's where it really gets me that we talk to some of these small to medium sized business owners and partners and they think, well, you know, we're comfortable with our risk appetite dialed in at this level right now. Because if we get hit, we've got some reserves, you know, we've got some liquidity we can take. No, you probably don't have nine million sitting in the bank. You don't know how to talk to channel and negotiate with Russians to get your information back or to unlock your

Logan Pottberg (12:07.878)
No.

Dino Mauro (12:15.4)
manufacturing partners who can get back in business. So I don't know, that's why I always amaze me, but that nine million, you're right, that definitely sticks out in my head. Unbelievable. And it's average, but still scary. Yeah. Well, yeah. I mean, even if it's a median point or it's an average, that's still way up there. It's much higher than a lot of organizations imagine. And when they calculate that,

Mark Mosher (12:16.613)
you can get back in business. So I don't know, that's why I always amaze me, but that 9 million, you're right, that really sticks out in my head.

James Potter (12:25.918)
And it's average, but still scary.

Mark Mosher (12:29.158)
Yeah.


Dino Mauro (12:43.38)
James, like how do they calculate those numbers? Like what all goes into those numbers? Cost of breach is a couple things. There's the initial cost of recovery or paying the ransom, repairing whatever the damage is, but then there's also operational loss. So for a lot of orgs, imagine you're down for 10 hours. What is an hour of operations? Think about all the employees. Oh yeah, oh yeah, you're right. Oh yeah, it's huge, isn't it?

Mark Mosher (12:47.745)
I have a good question.

James Potter (12:48.263)
Oh, cost of breach is a couple of things. There's the initial cost of recovery or paying the ransom, repairing whatever the damage is, but then there's also operational loss. So for a lot of orgs, imagine you're down for 10 hours. What is an hour of operations? Now what is an hour of operations during Christmas season? Right? Yeah, if you're retail,

Mark Mosher (13:09.322)
Yeah.

Dino Mauro (13:11.824)
I didn't even think about that. If you're retail, Q4 is where the majority of your money is coming from. It's a big deal. And then beyond all those things, it's also the reputational loss or the point-in-time loss from having to sell off assets of your company to recover from the event. Yeah. Yeah, this is something I've been digging deep into and that is kind of like quantifying some of this stuff because in no other industry, you know, like...

James Potter (13:15.158)
Q4 is where the majority of your money is coming from. It's a big deal. And then beyond all those things, it's also the reputational loss or the point-in-time loss from having to sell off assets of your company to recover from the event.

Mark Mosher (13:23.829)
Yeah.

Dino Mauro (13:40.64)
leadership, a board, a CEO, a CFO of a small and mid-sized business, like their sales team is able to forecast things, we're able to look at numbers by quarter, you're able to assess quantitative metrics to everything. And yet in cybersecurity, with all the advancement, all the brilliant minds, like leaders have told me, like literally my cybersecurity guys go medium high low, like that's all they can give them. Like, like what, like we can do better than that.

Right. I know we can. So how do we do that? Like, what what's your what's your insight? I mean, not that you have a cure to it, but I know you have thought to this and nothing else. It's their entire existence. The first thing is trying to figure out your chance of a breach in the year. And if you're a Fortune 100, Fortune 500, it's 90 percent plus. You're going to get breached. It's not something you're going to be able to avoid. And from there, you got to calculate the.

James Potter (14:10.542)
Thank you.

James Potter (14:17.098)
Well, there's several firms that do this and nothing else. It's their entire existence. The first thing is trying to figure out your chance of a breach in a year. And if you're a Fortune 100, Fortune 500, it's 90% plus. You're gonna get breached. It's not something you're gonna be able to avoid. And from there, you got to calculate the cost, the cost of the breach. And once you have the cost of the breach times your chance of breach,

Dino Mauro (14:40.236)
the cost, the cost of the breach. And once you have the cost of the breach times your chance of breach, you can look at a cost over 10 years on average. And if you can do security for less than that, that lowers the chance of the breach enough to get a good ROI, then you have a good investment. Okay. Is there a way to, I'm just thinking out loud, is there a way to apply maybe like an algorithm to garner a metric to the reputational?

James Potter (14:45.746)
You can look at a cost over 10 years on average. And if you can do security for less than that, that lowers the chance of the breach enough to get a good ROI, then you have a good investment.

Mark Mosher (14:58.645)
Is there a way to, I'm just thinking out loud, is there a way to apply maybe like an algorithm to garner a metric to the reputational cost, damage that's done?

Dino Mauro (15:08.384)
cost, damage, it's done? That's a good question. That one is very, very tough because each company is a little different, right? Yeah. Yeah, because we get pushed back. David, remember we had that law firm, it was years ago, here locally to us, that had been in business for like 50 years, like everybody recognized their brand. Oh, yeah, the one that was, they were founded back in the 60s.

James Potter (15:11.35)
That one is very, very tough because each company is a little different, right?

Mark Mosher (15:12.977)
Yeah, that's what I was just saying. Right. Now, and I ask because we had that law firm, David, remember we had that law firm. It was years ago. Um here locally to us that had been in your, they've been in business for like 50 years. Like everybody recognized their branding and their logo, their jingle. Yeah, yeah. Like six months after the breach because nobody wanted to go into business with them anymore because it was such a big public breach.

Dino Mauro (15:33.96)
Yeah, and they shut their doors after a breach. Like six months after the breach because nobody wanted to go into business with them anymore because it was such a big public breach. So, yeah, I understand completely the reputational damage. I was just curious. That would be hard, I guess, to apply something to that to figure out that metric. That's a good point. It would really depend on the industry and the amount of trust that's required. Yeah. Maybe something like Kroger or Fred Myers.

Mark Mosher (15:42.761)
So yeah, I understand completely the reputational damage. I was just curious, so that would be hard, I guess, to apply something to that to figure out that metric. Because you're right, it would be right to have it's different.

James Potter (15:52.554)
It would really depend on the industry and the amount of trust that's required. Maybe something like Kroger or Fred Myers, you're still going to go to the same grocery stores, but a company like maybe Ashley Madison, that's a problem.

Dino Mauro (16:02.056)
You're still going to go to the same grocery stores, but a company like maybe Ashley Madison, that's a problem. Right. That's a good point. That backs up a point we had mentioned earlier about Target. People still shop at Target. They still do pretty well, but everybody's aware that they were breached. But they had some other falling out, didn't they, James? It wasn't just the reputational damage. Yeah. I mean, they got hit so hard they had to sell off their pharmaceutical arm.

Mark Mosher (16:08.545)
Yeah, well, you know that backs up a point we had mentioned earlier about Target. Like, people still shop at Target, you know, they still do pretty well, but everybody's aware that they were breached, but they had some other falling out, didn't they, James? It wasn't just the reputational damage.

Logan Pottberg (16:11.362)
Thank you.

James Potter (16:25.654)
Yeah, I mean, they got hit so hard they had to sell off their pharmaceutical arm. That's no longer a revenue generating piece for them. And that's a permanent damage over time.

Dino Mauro (16:30.204)
but no longer a revenue generating piece for them. And that's a permanent damage over time. Oh, that's why when you go shop at Target, you see like CVS or another pharmacy in there post breach. Yeah, they got a good deal on that one. Yeah, because they're just paying for the rent and they get to collect all that. Was that a profitable asset of Target's? Extremely profitable. And you can see that in all of their filings pre breach.

Mark Mosher (16:36.489)
Yeah, that's it.

James Potter (16:44.39)
Yeah, they got a good deal on that one.

Mark Mosher (16:47.441)
Wow.

James Potter (16:52.775)
extremely profitable.

Mark Mosher (16:54.901)
Wow.

James Potter (16:56.586)
And you can see that in all of their filings pre-breach.

Dino Mauro (17:00.592)
Wow. Oh, yeah. So, yeah. So, when you're doing planning, right, when you're trying to prepare with an organization, large or small, for a breach, one of the things you have to have them consider is like, are you prepared to sell off your most profitable asset? Like, they're not ready for that, for sure. Interesting. That's unbelievable. What else comes in when you think of reputational...

Mark Mosher (17:17.705)
You get one of your biggest revenue streams.

Dino Mauro (17:30.056)
damage from a breach. What all their short term, obviously, you know, the Google searches, the SEO harm, right. But then long term, you have that kind of loss of trust and loss of long term revenue. Is there like a cycle, let's say like they lose 15% of their customers off the bat? Is there something you're seeing in your threat intel about

about like how long it's taking organizations to capture that back? Again, I guess I have to give you the consultant answer. It depends. Very, very organizations. That's the answer we give to people. I want something more from you. You know, it's tough like a, for something that has a pseudo monopoly, probably not as much of an impact. Sure. But if you have options and they're convenient, that's going to be tougher. Yeah, absolutely.

James Potter (18:05.922)
Again, I have to give you the consultant answer. It depends. It's very organization specific. Ha ha.

Mark Mosher (18:13.029)
All right, that's a retail everybody.

James Potter (18:18.914)
You know, it's tough like for something that has a pseudo monopoly, probably not as much of an impact. But if you have options and they're convenient, that's going to be tougher.

Mark Mosher (18:30.625)
Well yeah, if you're a law firm, it could have greater and longer lasting than if you're a Midwest manufacturer of widgets, right?

Dino Mauro (18:30.768)
Well, I think if you're a law firm, right, it could have greater and longer lasting than if you're a Midwest manufacturer of widgets. Yeah. Well, and because lawyers are in the business of trust, right? Like part of it is there's experience, there's skill, but also you trust your person. Right. You trust your lawyer. Right. You're giving them that attorney client privilege. I don't have attorney client privilege with Target. Right. Like I don't.

Mark Mosher (18:43.653)
Oh yeah, good point.

Mark Mosher (18:56.224)
Wow.

Dino Mauro (18:56.708)
I go there for like good, like cheap shoes and back to school stuff, right? So that's a good point. Yeah. It's becoming more of a problem in South America lately. What's going on in South America? What's going on? The law firms are getting hit by hacktivists and ransomware groups. Yeah. Because a lot of these law firms have very sensitive data on their clients. Yep. Clients that may have very strong cash businesses.

James Potter (19:04.518)
It's becoming more of a problem in South America lately. There's lots of law firms that are getting hit. There's lots of law firms that are getting hit by hacktivists and ransomware groups, because a lot of these law firms have very sensitive data on their clients, clients that may have very strong cash businesses. And they don't want that information getting out, because it's more than just a financial penalty for them. It's a their existence penalty. Yeah.

Dino Mauro (19:25.312)
and they don't want that information getting out because it's more than just a financial penalty for them. No, it's a punitive. It's a existence penalty. Yeah, exactly. Yeah. Yeah, absolutely. Well, when you think about too, like some of the larger consultancies, when they get hit or the larger law firms, they have so much information on like mergers and acquisitions and confidential stuff that's coming out that will have ripple effects into things, right?

Mark Mosher (19:53.989)
Yeah.

Dino Mauro (19:55.376)
And when these gangs get control of that, that's brutal. Let me ask you this, James, like in what you see, cause you see a lot of it, and you operate mostly at that enterprise level, are we getting to the point, cause we see so many frigging breaches all the time? Are we getting to the point where, or are we already there? Where we're not looking at whether an organization's been breached?

We have to do business with somebody. Like my whole thing is I want to be able to buy a jacket without like it destroying my FICO score. Right. So if I'm going to do that, like, I'm going to do almost every place I'm going to go has been breached. But I think I'm judging them myself personally. I know this is anecdotal, but I'm judging them by how did they handle that breach? Like if they did OK, but they got hit.

by a third party vendor or whatever and they change their policy. I'm like, I'm still good with doing business with them. Like, it's still fine. I'll give them my credit card. That's still fine. But if it's if they really handled it poorly, when I think of really people that did not handle breaches, well, I always think of Equifax. That's the first thing that comes to mind. It's like the poster child, like the insider trading, all that. Like, oh, I was just bad. It just looked bad anyway, from our perspective. But like.

Mark Mosher (21:07.445)
the poster child did not handle well.

Dino Mauro (21:17.8)
To me, are we getting to the point where there's so many breaches that people are looking at it, like not whether you've been breached, but how you handled it or how well prepared you are? Like, what are you seeing? I think the data is hard to find. It would almost be nice if we had kind of a credit score for these companies. How trustworthy are they from a security standpoint? AAA, BBB, CCC, just like a food rating or better business, right? Yeah. Well, like...

James Potter (21:27.894)
I think the data is hard to find. It would almost be nice if we had kind of a credit score for these companies. So how trustworthy are they from a security standpoint? AAA, BBB, CCC, just like a food rating or better business, right?

Mark Mosher (21:45.903)
totals.

Dino Mauro (21:46.82)
Yeah. And public companies have it. Like you've got the Moody's rating and somebody gets downgraded, right. And their stock, like all that. Like why? That's really interesting. Do you think we're going to go there eventually? It would inform some of my personal spending decision. Oh yeah. If I jump on a website, that's not one of the major vendors. I'd want to see how credible they are. Absolutely. Well, I mean, we have like,

Mark Mosher (21:50.866)
Mm-hmm.

Mark Mosher (21:58.473)
Yeah, do you think I'd ever get there?

James Potter (22:00.102)
It would inform some of my personal spending decision. If I jump on a website that's not one of the major vendors, I'd want to see how credible they are.

Mark Mosher (22:03.261)
Yeah, I think I could put my hands around it.

Dino Mauro (22:11.616)
There's scam advisors. There's things that when you're gonna buy something online and it's the holidays now, people are buying online. And I want to get that necklace and it's not over here. It's not on Amazon, whatever, like it's not at this jewelry store, whatever. And you go and you find some site and you're like, alright, they have good images. But I've never heard of these guys. Like it looks pretty good. But thanks they could just have a good designer, right? Like I don't know, but I like throw that site into

Mark Mosher (22:32.12)
website looks cool

Dino Mauro (22:38.908)
like one of these scam things and all of a sudden like it lights up like a Christmas tree. And I'm like, well, I better not buy from them. Like, you think we're going to get to that, not just for retail, but for other organizations? What do you, what do you think? I don't see why we wouldn't have that built into browsers, honestly. Oh, that's great. That I think the major, major vendors are probably already looking at. Let's do that. Can somebody put James in charge of that? That's a really good idea. Have it right in the browser, right? Like have it right in your browser.

James Potter (22:51.234)
I don't see why we wouldn't have that built into browsers, honestly. That's going to be something that I think the major vendors are probably already looking at.

Mark Mosher (22:55.361)
Oh, yeah, yeah.

James Potter (23:00.854)
Ha ha

Mark Mosher (23:02.712)
James, you've got a new project, James.

Dino Mauro (23:08.38)
Oh, I like that idea. But then you run, you know, playing devil's advocate. If you're a newer business, now you have to buy into the system. There's extra costs. Oh, yeah. So how do you get that in all the premium features? Oh, if you want to be featured on the browser, it's going to be pay to play then, right. And small businesses will get hit. We just got to make sure it doesn't turn into the Yelp side of things where it's pay to get reviews removed. Yeah, that's a good point. You know, that's a real good point. Yeah, that's brutal. You get a bad Yelp reviews.

James Potter (23:08.994)
But then you run, you know, playing devil's advocate. If you're a newer business, now you have to buy into the system. There's extra costs, you're unknown. So how do you get that initial rating?

Mark Mosher (23:15.737)
One, two.

Mark Mosher (23:23.065)
Right. I could go downhill real quick.

James Potter (23:25.546)
We just got to make sure it doesn't turn into the Yelp side of things, where it's pay to get reviews removed.

Mark Mosher (23:31.633)
Yeah, yep, that's a real good point.

Dino Mauro (23:37.692)
You're doomed. That's amazing. So what are you seeing? So we have a new czar of cybersecurity for the US government. What's your take on that? Yeah, just- I haven't really dug in under them. There was no election. I did not get a vote on this. I did not get a vote. I don't have an opinion. I don't have an opinion on the person.

James Potter (23:52.674)
just elected. Haven't really dug in under them too much, to be honest. Ha ha.

Mark Mosher (24:01.47)
Who were the other candidates? What were the other choices?

James Potter (24:05.038)
Well, it's representative. It's representative. You voted for someone who brought them in.

Dino Mauro (24:06.464)
That's representative. Yeah, OK. Because you voted for someone who brought them in. Who voted. It's like the electoral college thing. Yeah. Yeah, it's pseudo-democracy. Yeah. It's a republic. We're true. I remember this from my political science days. We're not a democracy. We're actually a republic. So we vote for somebody who then votes. OK, that's fair. Fair enough. OK, so what do we? Remember, it's politics and religion, David. No, I know. We don't touch that here.

Mark Mosher (24:07.173)
I guess, you know, prove all that's for them, right, okay, fair enough.

James Potter (24:13.246)
Yeah, it's pseudo democracy.

Mark Mosher (24:15.722)
Yeah.

Mark Mosher (24:28.545)
Remember, we don't do politics or religion, David. You're going down the wrong path.

Just like being in a bar trying to pick up a girl. I'm not gonna talk politics, family, or religion.

Dino Mauro (24:39.499)
So being in a bar trying to pick up a girl, I'm not going to talk politics, family or religion. Don't bring up that topic. So let's edit that out. What are we? So what's your take on this, James? Like, is it what is that role going to do? Apparently, it's the second ever to hold that role. What was who was the first one? And this is I couldn't even tell you. OK, so it's not just me. I felt bad that I didn't know.

James Potter (24:59.31)
I couldn't even tell you, but they are shaping standards in an interesting way. No, they released requests for comment. We actually filled out and submitted one of these about two months ago, I want to say, where they say, hey, what are we doing right? What are we doing wrong? What are we not seeing in industry that people don't want to talk to the government about? And they open these open comments and you could submit data and it helps shape their policy.

Dino Mauro (25:04.312)
I felt bad. I didn't even know the first one. So they released a request for comment. We actually filled out and submitted one of these about two months ago, I want to say where they say, Hey, what are we doing? Right? What are we doing wrong? What are we not seeing an industry that people don't want to talk to the government about? Okay. And they, they open these, these open comments and you could submit data and it helps shape their policy. Sure. So if you're, you're in the business, then you, you see this, you know, spend the time.

James Potter (25:28.982)
So if you're in the business and you see this, spend the time and submit the data because you have outsized influence through these submittals.

Dino Mauro (25:33.752)
and submit the data because you have outsized influence through these submittals. Interesting. And they use that to shape things like the NIST policies, which then help shape CIS Benchmarks, which then make it into our corporate infrastructure through scanning and compliance.

James Potter (25:42.038)
And they use that to shape things like the NIST policies, which then help shape CIS Benchmarks, which then make it into our corporate infrastructure through scanning and compliance.

Mark Mosher (25:55.844)
That makes sense.

Dino Mauro (25:57.172)
So the organizations that you guys are serving at DSE, what type of things are you finding that they need or that you're helping them bolster their kind of cyber resiliency? So a lot of time it's kind of the same story. You have an org that's been around for 100 years, 80 years, and they brought in Active Directory in 2000 just like everyone else did.

James Potter (26:12.782)
So a lot of the time it's kind of the same story. You have an org that's been around for a hundred years, 80 years, and they brought in Active Directory in 2000, just like everyone else did. And it's a filing cabinet. And if you don't maintain it well over time, it becomes harder to use, you lose records. Maybe there's records in there that shouldn't be anymore. And maintaining it is a cost, one that's hard to justify.

Dino Mauro (26:25.196)
And it's a filing cabinet. And if you don't maintain it well over time, it becomes harder to use, you lose records. Maybe there's records in there that shouldn't be anymore. And maintaining it is a cost, one that's hard to justify. And it's becoming more and more expensive over time because as we alluded to earlier, a lot of people that know Active Directory very well are rolling off. They're retiring, they're moving to Florida or Arizona and they're calling it good. And new people aren't being trained in Active Directory.

James Potter (26:39.502)
And it's becoming more and more expensive over time because as we alluded to earlier, a lot of people that know Active Directory very well are rolling off, right? They're retiring, they're moving to Florida or Arizona and they're calling it good. And new people aren't being trained in Active Directory. Entra in Azure, sure, but new people don't exist for AD because it's kind of regarded as legacy technology. It's this legacy technology that's...

Dino Mauro (26:55.716)
Why is that? And Azure, sure, but new people don't exist for AD because it's kind of regarded as legacy technology. Is that because so many organizations are migrating to the cloud? I didn't mean to cut you off. I'm sorry. Oh, no, that's fine. Very few large organizations are actually able to successfully do this. Lululemon is a good use case here. They attempted to move 100% to the cloud. They got about 90% there. And then all the gotchas came in.

James Potter (27:08.514)
Oh, no, that's fine. Now, very few large organizations are actually able to successfully do this. Uh, Lululemon is a good use case here. They attempted to move a hundred percent to the cloud. They got about 90% there and then all the gotchas came in and now they're having to face this hybrid environment they weren't planning for, which is an extra cost.

Dino Mauro (27:24.484)
And now they're having to face this hybrid environment they weren't planning for, which is an extra cost. What were some of the gotchas? Like in general, not in front of that. This is all this is all kind of secondhand information. Lulu's not one of our clients. Yeah, and I'm not talking about them specifically, but what are some of the gotchas in the industry that they could have seen is what I generally mean. It's almost always applications. Applications around for five, 10, 15 years that are using legacy auth.

James Potter (27:32.33)
Well, I'm not directly in front of that. This is all, this is all kind of secondhand information. Lulu's not one of our clients.

Mark Mosher (27:42.693)
potential dodging.

James Potter (27:46.99)
It's almost always applications. Applications that have been around for 5, 10, 15 years that are using legacy auth, NTLM, for example, and you can't get rid of them because there's no alternatives and they're generating revenue for you.

Mark Mosher (27:49.45)
Really?

Dino Mauro (27:53.9)
NTLM, for example, and you can't get rid of them because there's no alternatives and they're generating revenue for you. That's so true. And it's a lot easier to dev for NTLM than it is Kerberos. So it does also follow the path of least resistance if there's not an active expectation that their code is going to go through security review.

Mark Mosher (28:00.616)
Yeah. Yep.

James Potter (28:02.686)
And it's a lot easier to dev for NTLM than it is Kerberos. So it does also follow the path of least resistance if there's not an active expectation that their code is gonna go through security review.

Dino Mauro (28:15.948)
Unbelievable. So, you know, we've had some people that have been involved in like the triage, like the emergency responders to like ransomware breaches and things. And one thing I've taken from all those episodes, all those conversations is like, people keep too much data. Like in general, organizations, they just keep too much friggin data. Are you seeing that? Like you're right there at the center of it. Like

What's your take on it? Again, it depends on the org. Orgs that have been burnt may change some of their policies. Examples might be removing email older than 30 days, not keeping chat logs over a week old. Because the passwords are gonna be there in email, they're gonna be there in your chat logs. If you parse them out quicker, you don't gotta worry about what's in there as much. And it also can help for some aspects of legal discovery.

James Potter (28:45.746)
Yes and no. Again, it depends on the org. Orgs that have been burnt may change some of their policies. Examples might be removing email older than 30 days, not keeping chat logs over a week old. Because the passwords are going to be there in email, they're going to be there in your chat logs. And if you parse them out quicker, you don't got to worry about what's in there as much. And it also can help for some aspects of legal discovery. If data is not there, you don't have to provide it.

Dino Mauro (29:12.964)
If data's not there, you don't have to provide it. Yeah, it's the plausible deniability, right? Like, oh, sorry, we changed our policy last year. RIT guys. It's becoming more and more common, yeah. Yeah, for, oh yeah, I didn't even think about that. That's pretty good. Yeah, you still have the IRS. There's upsides and downsides. Yeah, exactly. Yeah, because in some of the largest lawsuits, it's always that internal memo that kills you, right? From like two years earlier. I'll go back and add on that.

Mark Mosher (29:19.248)
I don't have it.

James Potter (29:22.766)
It's becoming more and more common, yeah.

Mark Mosher (29:25.566)
Wow.

James Potter (29:30.41)
And there's upsides and downsides.

James Potter (29:40.866)
Google got nailed on that, yeah.

Mark Mosher (29:40.883)
I'm sorry.

Dino Mauro (29:42.412)
It's always, they always throw that up on the board in front of the jury and you're just like, oh my God. The poor guy is like, I was just venting, man. I was just venting to my buddy. All of a sudden, three years later, it's like the cause of a hundred million dollar runaway jury. You're like, oh my gosh. So, wow. Holy cow. So, some of the, what are we seeing in terms of...

Mark Mosher (29:52.701)
I'm sorry.

Dino Mauro (30:11.228)
We were talking about ransomware and the technical aspects that are involved. And you've got the FBI telling organizations don't pay. And so you've got all that. And some ransomware groups we know of like stopped asking for proofs or stop offering proofs of life because that has been used on the other side, just like as a delay tactic and stuff, but they still need proof. It's if they don't even ransom and they just go, we've got your stuff like we're going to publish it.

it makes it easier. Are we seeing a trend where more and more organizations, like trying to read tea leaves, it's the coming on the new year of 2024 and we haven't released any like predictions other than it's going to get worse. Like it's all I got for everybody. What do you- We've begun our 2024 threat report metrics. Yeah. And so far it's looking around 20 to 25% more attacks than the year previous. Yeah, I'm not surprised with that.

Mark Mosher (30:53.121)
It's gonna be worse.

Logan Pottberg (30:54.324)
Thank you.

James Potter (30:57.082)
Yeah, we've begun our 2024 threat report metrics. And so far it's looking around 20 to 25% more attacks than the year previous. And that's about what everyone kind of is expecting.

Dino Mauro (31:08.456)
That's pretty. That's about what everyone kind of is expecting. I agree. Yeah, absolutely. And, and are they, are the TTPs changing at all or is there any different, and that's like tactics, techniques, procedures that cyber crime gangs use to, to breach. It's their modus operandi. Almost always. Yeah. Let's look at the Ubisoft breach. So the threat actors, after they compromised an end user workstation,

James Potter (31:27.966)
Almost, almost always. Let's look at the Ubisoft breach. So the threat actors, after they compromised an end user workstation, they looked at their Jira and Confluence data for months and months and months. They weren't doing anything that'd be detected by EDR, XDR. They were totally under the radar until they understood the network and security space better than the people actually running it. And once they had that data, they were unstoppable.

Dino Mauro (31:38)
They looked at their Jira and Confluence data for months and months and months. They weren't doing anything that'd be detected by EDR, XDR. They were totally under the radar until they understood the network and security space better than the people actually running it. And once they had that data, they were unstoppable. And which gang was that? Was that Sketch? I don't remember who got Ubisoft off the top of my head. I remember we talked about it, Mark, when it first happened.

James Potter (31:59.183)
I don't remember who got Ubisoft off the top of my head.

Mark Mosher (32:04.737)
Yeah, we've talked about so many since then.

Dino Mauro (32:06.036)
Forgot which one that was. That's OK. That's OK. That's all right. I'm sure some of the researchers that may be listening be like, you idiots. We told you who it was like that night. We sent it to you. We sent you the screenshot, man. I'm sorry. I know. The threat actors are probably listening, being bummed they didn't get credit. Yeah, I know. It's so true. Right. They're going to.

Mark Mosher (32:20.849)
Right. That's what we get most. We get most of our intel from our listener. Those are smart.

James Potter (32:26.454)
Yeah, and the threat actors are probably listening, being bummed they didn't get credit.

Mark Mosher (32:30.673)
Right, right. You're gonna have to repeat that.

Logan Pottberg (32:34.394)
That's why they did it.

Dino Mauro (32:35.82)
Yeah, just don't do, just don't do to us what you did to Jon DiMaggio, please. Like, LockBit actually had his picture on their dark website. Just don't do those, like, don't have like a Cyber Crime Junkies thing on your thing. Like, that's bad for business, man. I'll never have another, I'll never have another law enforcement person on again. If you do that, please don't do that. Yeah. Come on. So

Mark Mosher (32:40.741)
Oh yeah, I'll remember that. That's their avatar. They took his profile pic.

Yeah, that's not a good look for us. That is not a good look for us.

Mark Mosher (32:57.754)
Yeah, sponsors, what?

Dino Mauro (33:02.792)
That's crazy. So what's up? What's next? What's on the horizon for you guys? What are you? What initiatives do you have in the coming year? What's exciting you about your business? On our side, it's tool building. So right now, most of our customers are our enterprise, and we haven't really been able to engage with SMB due to the cost of our consultants. Sure. So we've been trying to develop a methodology that will let us help SMBs.

James Potter (33:16.046)
On our side, it's tool building. So right now, most of our customers are our enterprise and we haven't really been able to engage with SMB due to the cost of our consultants. So we've been trying to develop a methodology that will let us help SMBs while still being profitable enough to keep the lights on.

Dino Mauro (33:30.768)
while still being profitable enough to keep the lights on. Yeah, because if you can scale your expertise, that's what's needed in the SMB space, right? I mean, that's... Exactly. And a lot of our investigative work is very time consuming from a manpower standpoint, especially with larger, more complex environments. For smaller, simpler SMB style environments, we believe it's more automatable. Absolutely, because the environments...

James Potter (33:41.102)
Exactly. And a lot of our investigative work is very time consuming from a manpower standpoint, especially with larger, more complex environments. For smaller, simpler, SMB style environments, we believe it's more automatable.

Dino Mauro (33:58.66)
I mean, we see it all the time because we live in that space, but the environments are pretty much, oh, this is one of them. Like they can be grouped together, right? Like this group has no servers. It's all SaaS. This group has the on-site thing and then backup like a certain thing in Azure or whatever. Like they're very like there's maybe five or six flavors and that's about all we see all the time. So yeah, that's not beyond that.

James Potter (34:23.186)
Beyond that, we're pretty excited about SpecterOps' latest tool release. They have, of course, BloodHound Enterprise, but they've added an Active Directory Certificate Services analysis stack on top of that. Very interesting stuff.

Dino Mauro (34:24.74)
We're pretty excited about SpecterOps' latest tool release. They have, of course, BloodHound Enterprise, but they've added an Active Directory Certificate Services analysis stack on top of that. Okay, so explain in English what that means, because that sounded really cool. So I want to know, like, talk to me like I'm your nephew at the family thing. And I'm like, that's really cool, Uncle James. Tell me, like, what does that mean?

James Potter (34:43.175)
Okay.

Dino Mauro (34:53.332)
Like I want to go be a spy when I'm older. PKI as your secret passwords to get into your friend's cabin, right? Okay. Or hideout or whatever. You know, normally you have a password. They know the password and as long as your password matches up what they have, you can get in. Right. And this is kind of what we're used to, having to type in a password and getting authenticated and all that. But the way this works is with a little key that you carry.

James Potter (34:53.698)
So you can kind of look at PKI as your secret passwords to get into your friend's cabin, right? Or hideout or whatever. Normally you have a password, they know the password and as long as your password matches up what they have, you can get in. And this is kind of what we're used to, having to type in a password and getting authenticated and all that. But the way this works is with a little key that you carry.

And with this key, you can go around and it can open anything that is allowed to open. Now the problem with that in the enterprise environment is often people get keys to open things they don't need access to or keys that open keys that open keys and so on and so forth. So instead of just having access to the hideout in your friend's backyard, suddenly you can get into a nuclear laboratory.

Dino Mauro (35:20.132)
And with this key you can go around and it can open anything that is allowed to open. Now the problem with that in the enterprise environment is often people get keys to open things they don't need access to. Right. Or keys that open keys that open keys. Right. And so on and so forth. So instead of just having access to the hideout in your friend's backyard, suddenly you can get into a nuclear laboratory. Yeah, absolutely. And we all know we don't want somebody like Mark.

having access to a nuclear laboratory, right? It's bad enough he's got access. Yeah, it's bad enough we gave him access to where he's going. Because we're seeing more and more threat actors being stopped by traditional tiered isolation that these enterprises are running. So they're looking for another path of least resistance. And this is almost always certificates. Because they're very poorly understood. It's another realm where it's hard to hire because it's hard to find people. They're expensive.

Mark Mosher (35:49.753)
That's a bad idea. I'm lucky to get the keys to my own car.

Mark Mosher (35:58.305)
Thanks for watching!

James Potter (35:58.51)
because we're seeing more and more threat actors being stopped by traditional tiered isolation that these enterprises are running. So they're looking for another path of least resistance. And this is almost always certificates because they're very poorly understood. It's another realm where it's hard to hire because it's hard to find people. They're expensive and a lot of them are rotating out and new ones aren't learning the technology.

Dino Mauro (36:19.521)
and a lot of them are rotating out and new ones aren't learning the technology.

Dino Mauro (36:26.288)
So CISA's stance and Forrester's research on zero trust, how can that play into all of this? And like, do you think you'll see anything come, because like zero trust, you can't buy zero trust out of a box. There's not like a zero trust thing you can get. Like it's more- The vendors will tell you there is.

James Potter (36:51.191)
The vendors will tell you there is.

Dino Mauro (36:52.964)
Yeah, I know. We know that's what we're talking about. Like, yeah, OK, that's great. And for those listeners, like just please, whatever vendor you choose, always go with a holistic one. Somebody who's going to like listen to you, like find out everything, develop a roadmap for you. Not like this one product is going to solve everything. With some other person here. Yeah. Because, you know, you go to Black Hat or you go to some of these conventions and you like you can.

Mark Mosher (36:53.153)
Yeah, good boy, James, good boy.

Mark Mosher (37:12.545)
bring a box with some old nursing gear and to the first meeting.

Dino Mauro (37:22.888)
count the number of absolute phrases, like "social engineering solved," like all the stuff solved, 100% cure. I'm like, what? Like, come on, like, really? And then you meet guys with serious hacker skills that are like, challenge accepted. And like two weeks later they're posting like how they got through. And like, yeah, and half the time they get through with like a Flipper

James Potter (37:28.558)
100%.

Mark Mosher (37:41.227)
Okay.

Mark Mosher (37:44.753)
We've got to have zero day patches out.

Dino Mauro (37:50.204)
or something like that. It's like some toy. Like it's just like some RF thing that they get and they'll, they'll get right through. So how does Zero Trust play in? Like, can you, can you walk us through cause I'm sure you see this on a regular basis. It's huge and Zero Trust is tough because it's timely and it's expensive. It's not something you can just install and enroll with. And every org is going to have to implement it a little bit differently.

James Potter (38:04.49)
It's huge and zero trust is tough because it's timely and it's expensive. It's not something you can just install and enroll with and every org is going to have to implement it a little bit differently. Now there's some key principles that if you follow will help improve your security dramatically. And that's tiered isolation, which has been around for a while now. So people haven't heard it before. Tier two, you can kind of consider that as your

Dino Mauro (38:17.968)
Now there's some key principles that if you follow will help improve your security dramatically. And that's tiered isolation, which has been around for a while now. So people haven't heard it before. Tier two, you can kind of consider that as your desktop access. Anyone that has admin on a workstation. Then you have tier one access, which is your server admin access, database admins, you know, so on and so forth. And then tier zero are the most critical IDs in your organization.

James Potter (38:32.182)
your desktop access, anyone that has admin on a workstation. Then you have tier one access, which is your server admin access, your database admins, so on and so forth. And then tier zero are the most critical IDs in your organization, your domain admins, your sir admins, and anyone that has the ability to influence those. And that's where this tiered isolation kind of comes into play. Because if you have like a tier two account operator role,

Dino Mauro (38:47.1)
your domain admins, your sir admins, and anyone that has the ability to influence those. And that's where this tiered isolation kind of comes into play. Because if you have like a tier two account operator role that can reset passwords on tier zero, they're tier zero now. So you have to isolate the abilities between those three tiers so they can't cross easily. Yeah. Well, and what you're talking about are...

James Potter (39:00.026)
that can reset passwords on tier 0, they're tier 0 now. So you have to isolate the abilities between those three tiers so they can't cross easily.

Mark Mosher (39:04.602)
Thank you.

Dino Mauro (39:15.164)
when you're at like, let's say the desktop level, right? You have to basically re-authenticate, right? In order to get to the next level. You can't just like, oh, I'm in here. And we've seen so many breaches recently where somebody gains access to this person at this level of the organization, but they're able to escalate privileges all the way to the source code. Like, how is that happening? Like from your perspective?

James Potter (39:42.462)
Well, there's a few different methodologies, but it normally ends and or begins, I should say at a workstation. So you have a workstation that's email access, it has internet access, assume breach. You can't trust that machine. You can't trust anything that happens on that machine. So if you have an administrator, say a server admin or domain admin, using that machine to do their productivity, daily activities.

Dino Mauro (39:43.252)
How does that happen? There's a few different methodologies, but it normally ends and or begins, I should say at a workstation. So you have a workstation that's email access, it has internet access, assume breach. You can't trust that machine. You can't trust anything that happens on that machine. So if you have an administrator, say a server admin or domain admin, using that machine to do their productivity, daily activities, but then also using for their administration stack, that's a huge risk.

James Potter (40:08.93)
but then also using it for the administration stack, that's a huge risk. Because even if their machine's not breached, another tier two machine at that same level can be breached. And once a threat actor does, they go and say, who's the domain admins, who's the server admins, they'll do directory calls for this. And then they'll go correlate to their workstation, compromise their workstation, and then elevate to tier one, or even worst case scenario, directly to tier zero. But if you design your network in a way that tier one and tier zero credentials

Dino Mauro (40:13.3)
Because even if their machine's not breached, another tier two machine at that same level can be breached. And once the threat actor does, they go and say, who's the domain admins? Who's the server admins? So do directory calls for those. So they move laterally at that level. And then they'll go correlate to their workstation, compromise their workstation, and then elevate to tier one, or even worst case scenario, directly to tier zero. But if you design your network in a way that tier one and tier zero credentials can't actually log into those machines,

James Potter (40:38.478)
can't actually log into those machines, you've prevented a threat actor's path to elevation.

Dino Mauro (40:41.712)
you've prevented a threat actor's path to elevation. Right. So how do you design it though where it doesn't interfere with the operations of the organization? That's always the tricky part. Usability versus security, right? Right. That's the whole like, we can all be secure just everybody unplugged from the internet or just everybody unplugged. We're all secure. Here's next quarter's report right here on paper, right? But that's not going to be very efficient in business.

James Potter (40:52.034)
That's always the tricky part, usability versus security, right? And every org is different here.

Mark Mosher (41:00.737)
Ha ha ha.

Dino Mauro (41:11.228)
And so how do we do that? Um, there's a lot of, a lot of different ways to kind of go about it. There's a software solutions like CyberArk, right? Vault off the credentials or someone to do screen recording with PSM dedicated CyberArk run jump boxes that can get expensive for larger enterprises. Right. Very, very expensive and complex for smaller organizations. Right. So one popular approach is either a separate isolated machine for doing your administration.

James Potter (41:13.838)
There's a lot of different ways to kind of go about it. There's a software solutions like CyberArk, right? Vault off the credentials, force everyone to do screen recording with PSM, dedicated CyberArk run jump boxes. That can get expensive for larger enterprises. Very, very expensive and complex for smaller organizations. So one popular approach is either a separate, isolated machine for doing your administration called a SAW or a PAW.

Dino Mauro (41:41.28)
called a SAW or a PAW, a security access workstation or privilege access workstation. And all the administrative tasks happen there. And in addition to controls at the desktop layer, you layer on network controls as well. So you say, hey, you can only accept RDP for the domain controllers from the tier zero PAWs or SQL boxes only accept incoming RDP from tier one PAWs.

James Potter (41:43.538)
security access workstation or privilege access workstation, and all the administrative tasks happen there. In addition to controls at the desktop layer, you layer on network controls as well. You say, hey, you can only accept RDP for the domain controllers from the tier 0 PAWs, or SQL boxes only accept incoming RDP from tier 1 PAWs.

and that limits threat actors' ability to manipulate those devices by compromising these tier two machines.

Dino Mauro (42:09.232)
And that limits threat actors' ability to manipulate those devices by compromising these tier two machines. Excellent. Yeah. Excellent. That's phenomenal. So when you, um, you know, meant to ask you in the beginning, so like what, what was it like starting your own business? Like when you went from working for one of these larger consultant firms and you started your own business. Um, It was hard.

Mark Mosher (42:16.447)
Yeah, yeah.

James Potter (42:36.299)
It was hard.

Dino Mauro (42:37.54)
Yeah. I mean, were you driven? Did you always want to be your own boss or what drove you to do it? Was it economic necessity or just... I never really thought about it. We incorporated late 2019, so we are rolling into it right during COVID. So everything is remote. And I kind of blame that for some of our success because I was still able to work while running the business at the same time.

Mark Mosher (42:37.633)
I'm sorry.

Logan Pottberg (42:38.7)
Thank you.

James Potter (42:45.258)
You know, I never really thought about it. We incorporated late 2019, so we are rolling into it right during COVID. So everything is remote. And I kind of blame that for some of our success because I was still able to work while running the business at the same time, and that gave me a bit of a leap up.

Dino Mauro (43:06.896)
And that gave me a bit of a leap up without having to do that. Hey, you quit your day job and now do the business and running through all your funding where you're trying to get it started up. I was able to just do 60 to 90 hour weeks, getting everything running. Right. Now I, the downside there is that's a lot of stress. It's a lot of work.

James Potter (43:10.134)
without having to do that, hey, you quit your day job and now do the business and you're running through all your funding while you're trying to get it started up. I was able to just do 60 to 90 hour weeks, getting everything running. Now, the downside there is that's a lot of stress. It's a lot of work and it certainly had physical ramifications on me. Acid problems, stress levels. I had a lot more hair four years ago, but it's...

Dino Mauro (43:26.988)
and it certainly had physical ramifications on me. Oh, absolutely. You know, acid problems, stress levels. I had a lot more hair four years ago. Yeah, it's okay. That's a key metric, right? That's a key metric for a guy, I'll tell you. Yeah, yeah, I finally gave up and decided I'm just gonna be the bald guy with a beard. That's all right. Yeah, it works. It's in, man, it's in. It's in. That's so cool. Well, we will have links to DSE.

Mark Mosher (43:37.207)
That's always a key metric, right?

Yeah.

James Potter (43:42.31)
Yeah, yeah, I finally gave up and decided I'm just gonna be the bald guy with a beard.

Mark Mosher (43:46.193)
Yeah, now it works.

Dino Mauro (43:56.288)
and to your LinkedIn as well. Any other exciting things coming up that you wanna share with anybody? Are you speaking anywhere? You got any events or anything going on with the company you wanna share? Well, I have speaking arrangements coming up in Q2 and Q3. Excellent. I was gonna be speaking at FlowCon, but I have some surgery going on December and...

James Potter (44:14.214)
Well, I have speaking arrangements coming up in Q2 and Q3. I was gonna be speaking at FlowCon, but I have some surgery going on December and I'll be on some pretty serious narcotics. So they kind of advised me to not be in front of an audience. Yeah.

Dino Mauro (44:24.372)
I'll be on some pretty serious narcotics. So they kind of advise me to not be in front of an audience. Yeah. Well, I'm sure they appreciate that. Mosher shows up all the time like that. It's OK. We just mute him every now and then. He'll start talking sports or Southern rock, and I'll just mute him real quick. He's eating Percocets like Skittles. Yeah, he's eating Percocets like Skittles. We're looking to have our 2024 threat report.

Mark Mosher (44:29.09)
Probably not.

Mark Mosher (44:37.289)
Right, right, right. That's just the norm.

Mark Mosher (44:44.515)
I'm eating Percocets like Skittles.

James Potter (44:50.414)
but we're looking to have our 2024 threat report out around Q2. And we're hoping around Q2, Q3 for our SMB offering from the security side.

Dino Mauro (44:53.748)
out around Q2. Okay, Q2. We're open around Q2, Q3 for our SMB offering from the security side. Well, that's great. When you guys get that, please, it's okay with you. If you're not opposed, we would love to have you back because that is really a space that is near and dear to our heart, but it's also one that is really struggling with security today. Like they don't, you know, limited budgets and they don't need everything. They don't need all the bells and whistles that an enterprise do.

Mark Mosher (45:02.549)
Yeah, yeah.

Mark Mosher (45:06.464)
Yeah.

James Potter (45:07.178)
Yeah, that'd be excellent.

Dino Mauro (45:22.484)
But I think oftentimes we just see them being sold, some solutions sometimes they're like, well, we were sold this and we're like, that doesn't work, right? Like, what can we help you with? Like, what are you gonna do? And it's really a struggle. So we would love to have you back if that's okay. I'd have to be here. Yeah, that's great. Well, thank you everybody.

James Potter (45:42.312)
I'd have to be here.

Dino Mauro (45:48.456)
Really appreciate it. James Potter with DSE. We will have links and everything in the show notes. And we thank everybody for listening and watching. So thank you everybody. And we will see you in our next episode, which will start right now. Thanks everybody for listening to Cyber Crime Junkies.

Mark Mosher (45:58.096)
journeys.

