Cyber Crime Junkies

Your Zero Trust Approach Has a Blind Trust Problem?

• Cyber Crime Junkies. Host David Mauro. • Season 8 • Episode 39

Share episode

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 1:00:19

New Episode🔥The Cybercrime Junkies interviews  cybersecurity expert Chris Griffin offering insights for cybersecurity for beginners and seasoned pros alike. This episode explores the critical role of PCI in network security and emphasizes the importance of compliance to protect against threats. Stay informed and protect yourself from cyber crime.

CHAPTERS
00:00 Meet Chris Griffin: From Help Desk to Penetration Testing Pioneer
08:10 Zero Trust Architecture: The Blind Trust Problem Nobody Talks About
16:30 Why Patching Without Testing Creates Hidden Vulnerabilities
24:15 The Mobius Defense: Rethinking Internal vs External Security
32:00 Chrome Extensions and InfoStealer Dumps: Your Biggest Browser Risks
40:15 AI Security Gaps: Why Vibe Coding Is Destroying Network Security
48:20 Building Your Own Private AI: Protecting Intellectual Property
56:00 Griffin Security Platform Demo and Future of Quantum Testing

Questions? Text our Studio direct. We read these and when helpful we give a special shout out for those to contact us.

Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 

Support the show

🔥New Exclusive Offers for our Listeners! 🔥

Dive Deeper:
🔗 Website: https://cybercrimejunkies.com

📰 Chaos Newsletter: https://open.substack.com/pub/chaosbrief

✅ LinkedIn: https://www.linkedin.com/in/daviddmauro/
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

===========================================================

speaker-0 (00:12.718)
Nike recently got breached. But here's what nobody's talking about. The attackers didn't touch the credit cards, didn't touch the customer database, didn't touch any of the stuff hackers supposedly care about. They walked right past all of that and went straight for Nike's IP, their intellectual property, the designs, the schematics, the stuff that makes Nike Nike. And that's what tells you exactly where the money is today.

Because while everyone is out there patching and checking boxes and rolling out zero trust like it's gospel, organized criminals are three moves ahead. They know what you're protecting. They know what you think you're protecting. And they know the gap between those two is where the real payday lives. Today's guest is Chris Griffin, 22 years contributing to the actual international manual that defines how penetration testing

actually is done properly, the way it's supposed to work. Not the Hollywood version, the methodical, surgical, soprano style version. And he's going to tell you why zero trust has blind trust baked into it. Why the overused phrase defense in depth is a military strategy that does not work in networks. And while physical security is the hole you didn't know you had. Because look,

If a guy with a box of donuts and a smile can walk into your building, load his arms up with your intellectual property and walk out through the stairwell that you propped open for airflow, then your zero trust model and firewall frankly don't matter.

speaker-0 (02:16.046)
Welcome everybody to Cyber Crime Junkies. I am your host David Morrow and in the studio today is Chris Griffin, founder and CEO of Griffin Security here in Indianapolis with global coverage across this big blue marble of a planet. And we're really excited to hear about.

the things he's developed, how he approaches reducing risk for organizations against cybercrime, and all the things in between. Chris, welcome to the studio.

speaker-1 (02:49.166)
Thank you. I've been really enjoyed watching your podcast, so I'm excited to be here.

speaker-0 (02:53.334)
Well, and we didn't even pay you to say that. Like, isn't that cool? That's like fantastic, man. No, I really appreciate it. And fellow Hoosier, like, I can't believe I didn't know you before. So we go to the same places, though we bump into the same people. So tell us about kind of what your approach is, what your platform is. You and I talked obviously ahead of time. It's really interesting. But tell us now.

Griffin cyber is pretty new, right? Like it was, it looks like it was formed in the last year or so. Obviously you've been in cybersecurity for a long time. Talk to us about like what you saw as a void and why you created this.

speaker-1 (03:30.733)
Yeah.

speaker-1 (03:39.224)
Sure. I guess to give little bit of background in the early 2000s, I had been in IT doing a lot of different things from help desk to sock, you name it. And at a company I was at, friend of mine was leaving and he was telling me about it before he left. And I was like, where are you going? He's going, I'm going to go be a junior pen tester in New York city. I was like, what's a pen tester? Right. And he told me, and I was like, that's what I want to do. That's it. You just. Yes.

speaker-0 (04:04.526)
right away.

speaker-1 (04:06.446)
Yeah. So early on in 2004, because I asked him, said, what can I do to get there? Teach me, show me. I'll do whatever.

speaker-0 (04:17.613)
What experience, what tool sets do you need to learn? Like all the trappings.

speaker-1 (04:23.636)
Yeah, the first thing he told me and it really hung with me obviously is you need to go download the awesome the open source security testing methodology manual and learn that and at the time it was version 2 So I went out I downloaded it. I went through it over and over and used it applied it in the company I was in to do the penetration testing and One day they posted version 3s coming out. So I'm didn't work that day. I'm on the website

refreshing like every two minutes and it got removed from the website. No mention of it. So I emailed him and was like, what's going on? You know, I was waiting on this and the guy, Pete Herzog that created it, he was like, we found a control that wasn't really a control and we have to go back and fix things. And he's like, if you want to contribute, I'll get you the latest draft in your hands right now. It's like,

speaker-0 (04:55.288)
Holy cow, I gotta change my...

speaker-0 (05:20.12)
How excellent. What a great opportunity, right? To help contribute to the actual structure and foundation of that industry. That's so cool.

speaker-1 (05:32.75)
Yeah, so in 2004, I started contributing with that. In fact, I think it was March, so 22 years next month. And I tried to take it to companies I go to, and I've seen a lot of companies, in fact, a couple that I worked for that...

speaker-0 (05:40.418)
Yeah. You've been doing it ever since.

speaker-1 (05:52.704)
mentioned it their blogs and whatnot. And I quickly found out, like many other things, it was just a buzzword they put on their website. And I was passionate about it, obviously 22 years later, still here. Yeah.

speaker-0 (06:03.714)
you're contributing to the creation. Like you're like, I don't just follow it. I just don't know what it is. Like these are frameworks. These are like standards steps you're supposed to take to do the right thing, the best practice. And you are literally helping write the best practice.

speaker-1 (06:20.93)
Yeah. And I have learned so much. It's been the most valuable experience for sure. And, you know, it took me several years of being in the pen test mindset of not looking deeper, you know, go in there, smash and grab like we typically do in pen tests. And the more I grew and the more I learned, because, know, back then in the mid 2000s and early 2010s, you know, being a pen tester, sexy, and know, a lot of, a lot of people can say it now it's rampant.

speaker-0 (06:50.05)
So it's cool because and so people that aren't technical like a pen test is actually what a hacker does. Like when people think of that Hollywood image in their mind of the kid in the hoodie, you know, living in the mom's basement, drinking Red Bull, cracking code, right? Like the truth is, is, you know, it's penetration testing with a bad intent generally when it's displayed on TV. Also, you know, most of cybersecurity is built to stop bad actors.

Right. Yeah, but the pen test is organizations that hire people to do to them what a bad actor would do so that way they can see the holes that they otherwise couldn't see and then shore them up.

speaker-1 (07:21.218)
That's the intent, yeah.

speaker-1 (07:35.47)
And I think the biggest differentiator between a hacker and a pen tester is a pen tester has a scope of work to keep them within the lines and a hacker does not. Hacker will do whatever they want to get whatever they want. And over years, you know, I started to.

speaker-1 (07:55.276)
fall less in love, I guess, with pen testing. I mean, it's still fun. love to do it, but you know, the scope confines us and organizations step back and don't pull in the big picture. They focus on whatever little subtopic they wanted to check a box or whatever the case was. mean, I've done tests for companies that wanted to check a box. did a pen test and I've done tests for companies that truly wanted to know where they were and how to better themselves.

speaker-0 (08:24.79)
Right.

speaker-1 (08:25.858)
Those are the ones I prefer, obviously.

speaker-0 (08:27.928)
Because then it's a holistic picture. It's a 360 picture of if we got in on this limited scope, what else is out there and how do we have visibility into it and then take steps to remediate it.

speaker-1 (08:43.69)
Exactly. one thing, so I self admittedly harp on zero trust quite a bit.

speaker-0 (08:49.986)
Yeah, you are you are like the I have so many like so many interesting people I've met through this podcast like I've got Darren Mott former FBI. He's the town crier about TikTok. Right. Like he's like it's it's the Chinese espionage, CCCP, social engineering of the American public. And you are like the town crier of Zero Trust, which is a really interesting approach because so many people are like, well, you know, if you really want to go extreme on your lockdown state and

really want to bolster you you need to get to and move towards zero trust. Let's talk about, let's unpack that a little bit. What, what first of all how are we defining zero trust for the non-technical? Like explain it to us and then what are the issues with it?

speaker-1 (09:37.24)
So to sum it up in a very short phrase is never trust always verify. And what I have come to find out is there's a lot of blind trust and zero trust.

speaker-0 (09:48.174)
So that's an interesting take. There's still too much, too many assumptions along the way that are made. Like explain, yeah, give me an example.

speaker-1 (09:50.7)
Yeah.

speaker-1 (09:58.213)
I'll give you a great... You know, as we see, companies will roll out patches, Microsoft patches, whatever it is. I pick on Microsoft a lot because that's what most people are familiar with.

speaker-0 (10:10.954)
And here at the epicenter of like every friggin break. Yeah, no consequence. Everyone's like, well, can't believe they did that. We'll take 50 more licenses. You know, it's going on. You know, I mean, I'm not saying it's like.

speaker-1 (10:14.936)
I was trying not to go there, but yeah.

speaker-1 (10:25.314)
Yes.

speaker-0 (10:29.922)
You know, and we're a big, we're a big partner with them. Like I get it. Like they're so big and they're integrated into our entire ecosystem. You can't avoid them. But it is shocking to me, like how, how often they are right involved in like everything. And like everyone's like, well, yeah, don't, don't mind them. We need them. Wow. If we did that, we'd be out of business.

speaker-1 (10:54.286)
Thanks.

speaker-1 (10:58.22)
yeah.

speaker-0 (10:58.926)
You know what mean? Like,

speaker-1 (11:01.472)
It is, it's wild. so the most obvious example, which a lot of people don't really cognitively be aware of is there's been many patches, many, many patches and updates that will reset baselines that you used Active Directory to enforce global policies, policies, and typically are unalerted that these policies didn't set back to what they were intended.

So now you can...

speaker-0 (11:31.208)
Zero Trust just says patch immediately, right? Or patch within a certain, a very urgent timeframe. So you do that, but now you've just created a bunch of vulnerabilities and Zero Trust doesn't address that.

speaker-1 (11:44.044)
Very much, yes. Which I think that really directly flies in the face of never trust, always verify. I have in 16 years of pen testing, I've never seen anyone fully lab test patches and updates. Some test to a degree, but it's more of does the system keep running is what it boils down to. And I'm sure there are.

speaker-0 (12:06.734)
Does it obviously break something? Like is it obviously breaking something as opposed to did it create vulnerabilities that aren't being alerted?

speaker-1 (12:19.15)
Exactly. Interesting. Interesting. I I myself pulled up dozens and I didn't even finish. There were more to go and I just, that's enough for my talk I was gonna do. Wow. And typically, like I said, they're not alerted on. No one knows about it until someone stumbles across it or various differences.

speaker-0 (12:40.014)
through it, right? Somebody breaks in through it and they're like, well, I understand, I patched. And we used to have that script down there, but apparently when we patched it, it must have broken.

speaker-1 (12:52.79)
you know, okay. Another example is, there was a Microsoft update early 2000s, think, or late teens and it broke SMB. So companies were having to roll back to allow SMB version one unsigned, which obviously is a whole. Right. And obviously it's not something that's, know, in an internal network is somebody's going to attack it right away. But, know, you get a pen tester in there and finds a SMB version one with signing that required.

That's a valid path to escalate further. Sure. If you don't know that it's there, then you're not looking for the other things that it uses that mechanism for. I will say I used to harp on ZTNA, the network access tunnels. It's probably the smartest thing because it'll limit.

speaker-0 (13:42.504)
ZTNA, let's explain that acronym. That's zero trust network access and that is the actual tunnel that doesn't trust anything outside of its own code.

speaker-1 (13:46.668)
network.

speaker-1 (13:55.918)
Right. Yes. And to a, I mean, to give you kind of a loose idea, like SSH, when you connect to a host the first time you're prompted, do you want to accept this key as legitimate? You say yes. Now you have that authentication between you that's no longer, you don't have to prompt for anything. If you do get a prompt and the key's changed and you know there's an issue.

Now without the policy engine and all the other stuff, it's a similar idea. It's a trusted communication between you and the host that if something breaks, you have some kind of a notification, you know, the key doesn't match whatever it is. So loosely speaking, similar-ish idea. Obviously ZTNA goes much farther with the policy engines, but to step back again a little bit, the IPv6 remote code execution that came out.

It was last year, the year before, and if a system in a network is running IPv6, then you can do a wrote code execution. And that took place before the firewall. So even if you're blocking, if IPv6 is running, but you're blocking it, doesn't matter. You've exploited the box.

speaker-0 (15:09.998)
Okay, so explain that what you just explained. Let's break that down in English for somebody that doesn't know what that means.

speaker-1 (15:16.846)
Yeah. So the traditional internet has always ran on IPv4 and IPv6 was created to circumvent the lack of IPv4 addresses that we're going to hit, which hasn't hit yet. and it's a really long string, hexadecimal string, as opposed to just your four octets for an IP address. I'm a big fan of IPv6 in the sense that it kind of makes it harder to track down hosts. Like it's harder to tell.

Okay, this is host is on the same subnet I am and it just a little bit more convoluted. But if in that instance, if you remote code execution the box, you now have a show or run some kind of remote code on it. It doesn't matter if you have ZTNA. It doesn't matter if you have a firewall on the box. You've got it.

speaker-0 (16:08.566)
And what would that give? So that this is the tool set that an attacker would use or pen tester, obviously for within a scope, but an attacker would use to to breach a business. And. In what context is that? Is that coming in from the outside, being able to find like compromising the actual IP address or how is how does that come into play?

speaker-1 (16:38.146)
You have to have direct access to the box. mean, like if you're coming from the outside, you're not going to touch it on the inside unless you have already built a tunnel hole into the network. But, you know, look at the bad actors that get hired into a company to exploit data maliciously affect whatever their operations are. That's a completely viable option. And the issue is.

newer Windows systems typically come with IPv6 enabled by default and people throw in the network and that also flies in the face of least privilege. using, you have something enabled that you're not using. So if you don't use IPv6, you should shut it off, which obviously would then mitigate that vulnerability.

speaker-0 (17:25.474)
How important is that rule, that control of least privilege? To me, it seems extremely important.

speaker-1 (17:32.374)
It is, and again, that's Microsoft's Achilles heel. They've made the system so usable that it's hard to dial down that attack surface. Because now you're downloading apps, you're running macros, doing all these things and...

speaker-0 (17:54.446)
No alarms are going off.

speaker-1 (17:56.46)
Right. Or typically no alarms, depending on the situation. And that also kind of goes back to defensive depth, which was great for military thinking, because what you're doing in defensive... yeah.

speaker-0 (18:06.382)
It's a nice buzzword, it's a nice phrase. Right, like have lots of layers, defense and depth.

speaker-1 (18:12.022)
Right. And I think that's wrong. makes sense for military troops because what you're doing is you're thinning out the enemy or the enemy's retreating or you're taking out the enemy as they're coming through. But that's not taken into consideration the digital network where your firewall was meant to do that. But if you get a user that clicks on something ridiculous, didn't matter what your firewall was or if you had one.

Now it's packet teleportation basically into the network, bypassing dozens of controls maybe. So what we talk about is the Mobius defense. So everything is considered a Mobius strip. There is no inside outside.

speaker-0 (18:55.0)
Okay, explain what that is. So what is the, what is the Mobius? So how do you spell it? and what is, what is the defense? Okay. L O B I U S.

speaker-1 (19:03.338)
M-O-B-I-B-U-S. Yeah. And so if you take a strip of paper and you cross it over and then flip it, now the entire surface is the same no matter what side. It's all one service at that point. the idea is your PC, your firewall, your network, everything, your servers are all, there's no internal external anymore. It's all one surface. So.

You could armor a host from an external perspective, external of that host, but you could have wildly insecure internal measures. Like, you know, you can have a system firewall, you can shut down ports, you can do all this stuff. But if you don't have the internal controls of the host, your antivirus, EDR, whatever, then that's an entire attack surface wide open. So the idea is to secure it as a whole organ.

organism rather than inside and outside thinking. And we've talked about that since

speaker-0 (20:05.516)
Right, exactly.

speaker-1 (20:10.702)
2005 or six, maybe four, I forget, a long time. And we call it defensive width because the idea is instead of focusing on stacking layers, since everything is, there's no internal external or inside outside. There's no, I'm going to put these controls in place. Then on the inside, we're going to put these controls in place. Everything is combined. If that makes sense.

speaker-0 (20:40.107)
yeah. That makes a lot of sense.

speaker-1 (20:41.326)
So.

So I've been really actually kind of vocalizing that more and more because slightly off topic, but similar topic is, you got your compliance. So you get like CNMC, PCI. They're only focusing on the payment card network or the cloud network. And you can have a very secure cloud network, but you have people inside that have trust into that. So if you can take control of a host that has access to that.

and that's your open hole.

speaker-0 (21:17.87)
Well, CMMC is a good example, right? Because they build these enclaves, right, to access CUI, controlled unclassified information, dealing with the Department of Defense, right? All the designs, all of that. If you are a business that, you know, makes anything that ultimately winds up with the Department of Defense, you've got these new regulations and stuff. And some of them are very burdensome on a smaller business, but they

build this enclave where they physically wall off like a separate room, limit access, build just a dedicated set of machines that will access this data, et cetera. But if there's other tentacles elsewhere, because the rest of the organization sometimes is still operating without eyes on glass. Sometimes they don't even have EDR on that. Like there's so many things that they don't have.

then the whole thing like they could just get in and then get to the Department of Defense.

speaker-1 (22:19.95)
Exactly. And I'll use PCI as an example because I have more experience with it.

speaker-0 (22:24.396)
Yeah, and PCI is just the credit card processing and financial data that's collected, right?

speaker-1 (22:30.636)
Yeah. Yeah. Typically, and this has evolved a little bit over time, but you know, some years ago you had to completely contain your PCI network and the host that contained that process credit card data. Right. But you know, this admin, this admin, this admin, they were whitelisted or had access into those where anyone else on the network didn't. And again, if you compromise that host, now you have the same tunnel into that network they had.

Of course, that's.

speaker-0 (23:00.352)
Or they roll out new PCs for different employees and have admin access built into the PC. And now all of sudden the configuration and stuff and they might not... Those users might not even be aware they could access it. But when they're clicking away, like it's an Olympic sport, right? And they friggin just like, I don't have to worry about this. You know what I mean? And that happens.

speaker-1 (23:07.651)
Yeah.

speaker-0 (23:27.564)
because they're busy, they're distracted, they're tired, whatever. A bad actor knows how to look around and how to navigate.

speaker-1 (23:34.818)
Yeah. Yeah. And sometimes it's a lot of right place at the right time. Yeah. I managed to get access to this box and it just happens to have the whitelist of access into the PCI network. Without that, you have to do a lot of digging and understand who has that PCI need and then target them.

speaker-0 (23:50.124)
can ask, or you can ask Copa, right? Once you get inside to an organization, you just start leveraging their own AI. Like, hey, where's our property cap? I've been looking for this report to the CEO. Let me help you. Mainlines you right there.

speaker-1 (24:08.733)
Okay. And my biggest beef with PCI was up until I think it was early 2004. They were fine with seven character alphanumeric passwords. Now, I think what they intended was, because there's a lot of old devices, old card readers and whatnot out there, and they couldn't handle the more complex passwords.

What should have been done was if you have these older models that can't handle complex passwords, then you have to use complex passwords. Right. Your exception rather than the rule. And I've had that bite me on tests before where, Hey, you know, I easily got your password hash. And I very easily cracked it in like three minutes. And they're like, well, what's PCI say about that? Seven character off of numeric and you had eight character off of numeric. And.

That goes back to the, just trying to a box. We did what they said.

speaker-0 (25:07.17)
right.

Yeah. So, so much of it still goes back to the mentality of the leadership in the organization. I still see it. And to me, there needs to be like, like a vigilant mindset. You know what I mean? Like a mindset of, look, we have to realize like, and it's

I will say it's usually driven by business success, the trajectory of their own careers, what has led them to be successful and sitting in that seat. And they're like, well, look.

I haven't been breached yet, and I know of, let's not. I haven't been breached yet. And so why do I have to invest this? Right. And then you couple that with internal IT people. First of all, business leaders sometimes don't understand the difference between the IT folks and the security folks. Right. And then you couple that sometimes with the struggle of IT leaders, generally speaking.

in communicating effectively the business impact, right? Like it's not just about this technology could do this or would do this. is the business impact here to reduce the risk and measure that risk somehow for this type of risk. Because oftentimes when I'm speaking with business leaders, they have a security concern. They have true anxiety, true worry.

speaker-0 (26:49.966)
but they can't quantify it or they don't know how to solve it. Will it be solved with a thousand dollar investment or will it require a $1.2 million investment? Well, it kind of depends.

speaker-1 (27:01.976)
Well, you touch on something really interesting. As we know, major, large companies have actuaries, right? So they will go through the data and say, okay, the controls to protect us cost a million. But if it does get breached, then we only have to pay out 500,000. So obviously it doesn't make sense from a financial standpoint to protect it.

speaker-0 (27:08.664)
Yeah.

speaker-1 (27:27.582)
And I'm not saying all companies do that obviously, CYA. But, you know, that's a very bad, mean, our insurance does it every day. You know, is your treatment going to cost this much? It's going to cost us this much. So we're going to, you know, not not do it because even if we have to pay out, it costs us less. And one thing.

speaker-0 (27:49.068)
That's so true, right? And that's where it's imperative, I think, for people that care on the inside or the consultants on the outside, whomever, to really focus on what is the actual concern, right? What's the leadership's risk appetite? Is it 40 % risk?

here is a 10 % like the lower the percent of that risk appetite, the more expensive it gets. So like if they're reasonably here, how do we get there within some acceptable budget range where we're investing 500 grand and should we get hit the risk is 800 grand. Let's find that scenario and get that control done first. Right. Because even the actuaries or any consultant or CPA, et cetera, won't question that one.

speaker-1 (28:46.414)
That's one thing I love about the Austin is it measures using scientific math, the risk and trust, which I can talk about that, the trust part later, but the risk, even one, a great example is I tested a company and they had, I think it was, it was six or seven layers of authentication. really? Wildly missing other controls. Yeah. And so essentially what I could do is tell them, okay, look,

speaker-0 (29:09.006)
Really?

speaker-1 (29:15.052)
you're paying for six different identity solutions, but you're missing these entirely. So you can cut back on your identity solution and save a ton of money, which is way more than enough to apply these other controls that you need. And not every control costs money.

speaker-0 (29:33.9)
That's really good advice. That's very good advice that speaks to the business minded.

speaker-1 (29:40.161)
Right. And then I mentioned I'm doing work in Dubai too, and they're really big on security awareness training. So what I'm doing, let's be honest, employees don't care about their work computer. Most of the time they just don't.

speaker-0 (29:57.742)
Exactly. And that's why the best security awareness training like that we do that I run is to focus on the individual because if you focus on the individual and how they protect themselves, how they protect their families, children, elderly relatives, right? You give them real practical ways to do that and explain why that matters. Right. Then all of a sudden that discipline, that new approach, that new

mindset that they have whenever they're using technology, the employer benefit. My traditional security awareness to me is crap. Like it was all done wrong. was done by somebody in a monotone at work that bogged people down, told them like, careful, be aware of juice jacking and all this other stuff. I'm like, nobody's freaking breaching Nike with juice.

speaker-1 (30:32.746)
Exactly.

speaker-1 (30:53.41)
Yeah.

speaker-0 (30:54.35)
Do you know what mean? Like it's not really happening. Like it can happen. I'm not dismissing it. I'm just minimizing that point in the grand scheme of things.

speaker-1 (31:05.454)
point out. So we know the Chrome store has a ton of malicious extensions because it's very easy for an attacker to pay a couple thousand dollars, get their extension in, and it might sit there for a month, it might sit there for three years. Well, typically people, so they can sneak their passwords and bookmarks, are going to sign into Chrome from home and from work. And I tend to phrase it to them, if you load a malicious extension at work,

that's now copying over to home. Now your bank date is at risk, your passwords are at risk, rather than the other way because it kind of still takes away from. Exactly.

speaker-0 (31:42.134)
Because they still don't care about work. They still are like, well, that's my employer's problem.

speaker-1 (31:47.594)
Exactly, which I mean is a horrible mindset obviously

speaker-0 (31:51.662)
That's a really good point. So, let me ask you, what does an organization do about that? What can people do? You know how there's DNS filtering and there's controls that can be placed. Can organizations limit the type of extensions that users can use in their browser settings?

speaker-1 (32:15.182)
There are, I don't know any, I don't know the specifics off the top of my head.

speaker-0 (32:19.328)
It's still kind of hard though. It's not something that is marketed or discussed. Right?

speaker-1 (32:25.836)
Yeah. My, what I say, so Firefox is not vulnerable to this, but it's a lot less of an issue. I hate how everything's you got to download Chrome to use this site or whatever.

speaker-0 (32:35.022)
100%.

speaker-0 (32:43.276)
I know, like it's, the whole world runs on Chrome and like, it's like the most insecure browser, in partly because it's so popular, right? Like it's because it's so popular, attackers have loaded up the Chrome store, right? That web store with a bunch of malicious that people don't know is malicious because it works.

speaker-1 (33:04.543)
yes.

speaker-1 (33:08.524)
Yeah, they're not well vetted either. Like I said, attacker can pay you couple thousand dollars or whatever to get their extension.

speaker-0 (33:15.978)
the Android App Store compared to the Apple App Store. The Apple App Store is much harder to get an app in there.

speaker-1 (33:24.63)
so like I said, Firefox is not invulnerable to it, but it's a lot. So for awhile I had a hobby of collecting info, stealer dumps just to kind of, for one, I was building a password list for pen testing.

speaker-0 (33:38.126)
Some people collect Pokemon cards, like collecting info. See, I was going to say it's like the modern Pokemon in a way. I'll explain that to my kids.

speaker-1 (33:41.678)
too old for that.

speaker-1 (33:46.914)
Yeah. And I don't think people realize how easy it is to obtain those for free. Now, if you want the most updated stuff, yeah, you're paying a group like a hundred dollars for lifetime access, which in this case, lifetime means until they get taken down, but still, but there's a lot of valuable data. Here's a great example. I was tracking one customer and they had a few users show up and breaches or, info stealers, but this one user.

speaker-0 (33:53.25)
yeah.

speaker-1 (34:16.641)
consistently use wife's name and three or four characters every time. So that is super easy to build a fuzz list. You always include the name and then you fuzz the last two or three or three or four numbers. And he would use it for work, for home, for Amazon, for literally everything. I never saw one complex password out of that email address.

And that also goes back to the security awareness, you know, and, you know, we're all guilty of reusing passwords. I am too, but I'm thinking about, know, if it's a site I don't care about, then I will have these other passwords I'll use, but it's something I care about. That's the only site getting that password. I do not store it in a password tool. And we can't expect everyone to think like that because it's an added layer of work too.

But at least arming them with that knowledge is at least a step in the right direction.

speaker-0 (35:19.52)
Absolutely. Well, yeah, because, you know, and, I've, when I've returned to organizations or associations and we're speaking to them about security awareness and best practices, I've had people come up to me like this multiple times and they're like, Hey, I took your advice. I've got a really good password now. I use it on everything. And I'm like, no, like that, that wasn't the advice, man. Like it,

Like because if you're using it on You know ABC site and they have no security and they get breached now your login and your credentials are out there like that great password they can just log into your and K with that your banking etc like in your work

speaker-1 (35:49.58)
Yeah.

speaker-1 (36:10.89)
And people have the faulty mindset of, I'm not big enough of a target for me to worry about. No, there are automated scripts that will take these emails and passwords and just start blasting them around the world. saw a well-known company user was logging into a normal site and a adult site.

And both of them had very complex passwords, would have completely passed any password check, but didn't matter because he had an InfoStealer, he or she, I don't know, had an InfoStealer. So those are out there. And that also touches on, I'm really irritated by this latest recommendation of you only have to cycle your passwords if you think you've been briefed.

speaker-0 (36:56.994)
Right.

speaker-1 (36:58.132)
your info stealer might have data out there for weeks if not months and you have no idea and that means that's that much longer someone has to infiltrate yourself. So I'm

speaker-0 (37:09.422)
But until we speak in terms of what it means to the individual, then it's not going to resonate.

speaker-1 (37:17.398)
No. Which, you know, security awareness is a constant uphill battle, but we can do so much better than what we're doing. I can't remember the last time I had a security awareness training web based, but I didn't just let the video play and I went off to do something else. I come back and you know the answers. Exactly. Because they made it, you know, they made it so where you can't skip the video or

speaker-0 (37:36.344)
Yeah. Let's just get to the quiz.

speaker-1 (37:44.214)
Fast forward it. So you just move it off screen and go about your business and answer the questions. And that's that checkbox mentality, which I think checkbox mentality is probably the biggest attractor in our industry because it's not looking at the hardcore data. It's we have to do this. So let's just make it as easy as easy as possible.

speaker-0 (38:08.748)
Right. Which is a nightmare. As you know. So tell us about your platform that you've built and the work you're doing in Dubai.

speaker-1 (38:18.904)
So I actually have two platforms now. One, I'm looking for VC funding to get it built because while I've got a proof of concept, I am nowhere near the coder to put this into production action.

speaker-0 (38:31.828)
Just log into Claude and have it vibe coded. I'm kidding.

speaker-1 (38:37.167)
I worry about security with everything with Claude. I did use it to build my proof of concept.

speaker-0 (38:41.774)
Well, right. As was just explaining, I use it daily, like to build workflows and stuff. if users haven't tried it, I encourage you to try just for your own personal, right? Make sure you have your settings set so that you're not feeding the LLM. But still, just use it for non...

confidential stuff, but something that you can like, it does a really good job of like building an app for you that automates your own weekly tasks. Like it's, it's phenomenal. Like I'm just, I'm amazed by it, but I'm not trying to like take this app and go to market with it. Right. Where pen testers like you will cut right through it. Like that's not what I'm trying to do. I'm just using it for myself. So.

speaker-1 (39:28.632)
which I do have a story about that in second. so the main app I built is, so what I do is I go out to companies and I will evaluate the network, evaluate the controls. And beyond that, we evaluate the weakness of the controls. So, you know, it kind of comes down to a simple example of if I've got a piece of crap lawnmower in my shed that I really don't care that much about, then I'll buy a $5 padlock for it.

Right. And if it gets stolen, hey, I could do more. if I've got a $5,000 Dixie chopper, then I'm going to put a really good lock on that and I might even put up some cameras. Right. So since no other security is hinged on that, they can't get into my house if they break the lock, it's just for the lawnmower, then that single lock mechanism is sufficient. I just decide how much I want.

speaker-0 (40:22.968)
a lot of controls fail to really differentiate between the two. Yeah, that's a really good point. That's a really good point.

speaker-1 (40:28.033)
Exactly.

speaker-1 (40:33.086)
so it was on Reddit earlier this week. think it was. Right. This guy had built some kind of a media app. think it cataloged your media, if I remember correctly. Cool. And, it used online resources too. people started cutting him down so much that he made the group, you had to apply to be in the group. couldn't see the post.

speaker-0 (40:38.87)
where most of our AI answers come from.

speaker-1 (40:59.694)
took down his GitHub because there was zero security and everyone's like, this is pure vibe code. didn't even double check the work. It worked, but not from a security standpoint. Right. And obviously we're seeing a lot of that in the industry. like, you know, people don't have that security mindset to even think that far ahead into it. Most people.

speaker-0 (41:24.526)
People are downloading OpenClaw at work, right? SMBs don't have, and for those that don't know or haven't seen our other episodes on OpenClaw, please Google it because OpenClaw is an incredible AI assistant, but it is too incredible and it is wide open, right? And so it takes root access over your device and you can get it to do anything, but it also does things

that you have no idea it's doing like join multbook the AI only social media platform like just all these things it does it makes calls like all like it starts to do everything which is really really frightening you know really cool but but you have to have the security controls in place to limit what it's you know if something's gonna basically be alive

speaker-1 (42:12.056)
Yeah.

speaker-0 (42:23.724)
on your system by itself. Don't have that access work in all of your other intellectual property. Have it access. I've heard guys have had really good success getting an old Mac mini or something like that and just downloading it on that. That's pretty cool then. Then you can see all the potential that it can do.

speaker-1 (42:44.046)
to go a step further and put it in some separate network because I don't want it touching my stuff.

speaker-0 (42:48.302)
Correct. I would agree. Totally segmented.

speaker-1 (42:51.502)
But that actually leads into another issue of the shiny object syndrome that people will get and they got to be the first one there. you know, it it's a detriment, because you can't just, you know, like the first model car, you know, that comes out of the new style for whatever company that first and second model year always has issues. yeah. Almost guaranteed. And it's no different.

speaker-0 (43:16.846)
tons of recalls.

speaker-1 (43:20.726)
Yeah. And it's no different in the industry like ours. One thing to back up a little bit to address risk, which I've had really good feedback from this one because it.

speaker-0 (43:24.706)
Yep.

speaker-1 (43:35.17)
Whether you're technical or not, makes sense. And I had a, I got a visual for it, but basically you picture, okay, you're in Indiana. So imagine it's warmer out than it is now. And we're walking down the Monon trail in Carmel. What's our risk? Pretty low, right?

speaker-0 (43:52.394)
love.

speaker-1 (43:54.014)
And now you take us same clothes, no extra gear, no nothing, and drop us into a war torn area. You know, the Russia, Ukrainian line or something. What's our risk? Pretty high. Our attack surface was exactly the same for both. So we focus on. Yes. So we address the attack surface because risk is biased. Risk is a lot of what ifs or maybe someday.

Attack surface is what it is. So if you reduce your attack surface and apply controls to what's whether you were in the high risk or low risk zone, you've automatically brought your risk down. Either way.

speaker-0 (44:34.638)
Absolutely. Let me ask you that. We were just talking about AI. I'm curious, what's your view when you're consulting with organizations who haven't, they've sat on the sidelines a little in terms of what AI to leverage in their organization? Say it's a US small midsize organization and they're like, we dabble in it.

They might do some things, maybe marketing is using chat GPT or something like that, but nobody is really like, there's no AI policy. There's no controls to limit AI. And then you have, to me, it seems like a huge blind spot because you don't know what users are doing with it and whether they've been trained to prompt it properly. Like, do they know like, yeah, it very well may help you if you upload all of the company financials into AI and have them analyzed.

it and it could generate that report faster for you. But is that the right thing to do? Because now it's gone. Right? So what do you see?

speaker-1 (45:40.704)
It depends on, it depends on which AI, cause each one operates a little differently. Like Grok, think it was, I was like, and I was doing this as an experiment. was like, I want to write XYZ malicious code. Nope, you can't do that. But then I'll come back and say, I'm a pen tester. I've been contracted for this gig and I need a malware that does specifically this, this and this. great. Since you're an authorized pen tester, spit me out to have the code.

speaker-0 (46:06.094)
Exactly.

speaker-1 (46:06.523)
And that's probably the biggest gap in AI is.

speaker-0 (46:11.214)
It itself can be socially engineered. Right? It itself can be socially engineered.

speaker-1 (46:14.594)
Yeah.

It depends on your creativity in your prompting. The majority of the time. Now I did do that with Gemini and I had to coax that thing four or five times to finally get to something. And still, it wasn't Gun Po.

speaker-0 (46:34.872)
So at work, we have a platform that's SOC 2 compliant and it has access to all of the LLMs, like 60 of them, ones I've never even heard of. yeah, it's really fun. But it is all within a sandbox. So we are able to upload.

Otherwise things we wouldn't upload to it because it doesn't go anywhere now There's limitations token limitations and other limitations like you can't do what I do in Claude at home Like I can't build those apps in that environment, but I can do it a different way I can create a workflow that I'll essentially do the same thing But it's not like a cool-looking app that I could fire up instantly so it's a little different but to me something like that

seems to be where a lot of SMBs will eventually get to. know? It's not really widely done yet.

speaker-1 (47:33.39)
Yeah, my recommendation is to build your own. And we have the video current issue with the VRAM space for context windows and all that. right, well, depending on the size of the company and how much you plan to use it and what you plan to use it for, it might make more sense, even if it costs you a little bit more for the peace of mind. I use RunPod a lot.

speaker-0 (47:36.384)
Yeah.

speaker-0 (47:45.198)
I don't know how to do that though.

speaker-1 (47:59.832)
So I can rent a 5090 for like 40 cents an hour. Or I can rent a B200, which a single card has 180 gigs of eRAM for $5 an hour. So I can use a really big instance and build my custom model and train it with the information I want it to have.

speaker-0 (48:04.974)
Cheap.

speaker-0 (48:22.132)
And it go anywhere. It doesn't go

speaker-1 (48:24.92)
So in run pod, if you try to run it all day or 24 hours, you're going to incur some costs, but I can then train it and then I can create a Duff model from it, which shrinks down its VRAM requirements. And then you can get by with, depending on the company size, XYZ system to use it for everyone. And your data is not built anywhere. It stays in the machine. It's only trained on what you want it to know.

So if you try to tell it, create this malicious script, I have no idea how to do that. And that's, that's. Yeah. I mean, and it's not perfect. I'm sure it's not flawless, but.

speaker-0 (48:56.643)
Right.

That's pretty safe.

speaker-0 (49:05.774)
No, it's an, you know, there's, there's a lot of stages in AI, right? There's generative AI, then there's agentic, and then there's multi agent, right? And then there's a GI, and then there's like super intelligence. And we're kind of in the just the beginning stages right here. So I think that's your suggestion, or even my suggestion, where you have something that's housed off in sandbox, to me, it seems a lot safer than not doing anything.

and just letting people and just assuming people aren't going to screw you over.

speaker-1 (49:40.238)
So I said I'd bring up the trust metrics. Great example. So if we put a box on site, because you can buy some commercial servers with up to seven or eight video cards in one box, whatever you're choosing.

You can be assured for all intents and purposes that it was trained on what you want to know. The data doesn't go anywhere and you can validate that. And then you've got, you know, something that's not being influenced by other users outside the company, whatnot. But when you go to a commercial AI, Gemini, whatever, I don't want to pick on Gemini because I love them, but you don't know who has access to the data centers. You don't know who has access to the servers, to the data.

speaker-0 (50:18.926)
Right, exactly.

speaker-1 (50:25.912)
to any file shares it's pulling from.

speaker-0 (50:28.11)
They'll set off any alarms if they do access it. Exactly.

speaker-1 (50:30.798)
Yeah. And you know, if it's using like MCP, it just takes one user to drop in a junk file to completely pollute your data. And you may never know because how many times you get, you know, asked a major AI question and it seems pretty competent in the answer, but you know, it's complete crap.

speaker-0 (50:54.178)
Yeah, it's completely wrong. And it's completely, yeah.

speaker-1 (50:58.392)
But it's very confident in its wrongness. So yeah, my recommendation always, and then, know, if you're dealing with a smaller company, you can buy a server to do that because, know, it scales. And then of course, if you have that much bigger of a company, then you can buy two servers. Ultimately, it kind of depends on what market you're into. Like if you're in a pharmaceuticals, you've got a lot of billion dollar IP in there. never.

speaker-0 (51:08.814)
Right, exactly.

speaker-0 (51:26.552)
lot of regulation.

speaker-1 (51:28.674)
I would never ever, no matter how much assurance I had, I would never put that stuff in a commercial AI ever. Because it takes one leak and you might lose $8 million or a billion or whatever it is. And not only that, now, not only have you lost the money, you've lost all that time you put into getting as far as you were.

speaker-0 (51:48.716)
Right. mean, and that is really at the end of the day, what matters more, right? Like we just saw, I was just talking to somebody about the Nike breach, the most recent Nike breach, at least just this is just what I've what my understanding is based on the SEC filings is.

you know, attackers got in and they leapfrogged over what traditional attackers would take, all the user base, all the credit cards, all that. didn't take any of it. They went right to Nike's IP and that's all they took. They took the.

speaker-1 (52:14.092)
Yeah.

speaker-0 (52:24.288)
the schematics, the designs, the things that make Nike Nike. Right. They didn't go after Nike's customers, which they could have. But they did. They were like, we don't even care. We're going after this.

speaker-1 (52:37.23)
You can sell it to someone. They don't have to do any work. They now ship it to China for mass production. you've got the new Nike shoe that Nike can't put out. whatever. I did a physical test for a company and trying to keep it vague enough. They had IP. They would buy an idea.

speaker-0 (52:52.906)
leveled the playing field.

speaker-1 (53:06.798)
per se, and then mass produce it with the original owner's brand. They were just the mass production source. But since it was physical and tangible, I could walk in and walk out with stuff. And I, it was, I don't know, it was a big building and every brand had its own floor. So I could go into brand A's floor and walk off the stuff and brand B and brand C.

I was navigating stairwells because there's no cameras. And it's an old, old building in a very large city that was not built for ventilation. And they would prompt the doors open in the stairwell for airflow. I could walk in and load my.

speaker-0 (53:37.89)
Right.

speaker-0 (53:51.534)
you can tailgate somebody have a box of donuts and be like hey can you let me in I'm here to see Jane what's the odds of there being a Jane in the whole building probably right right or I'm here to see Carol or whatever right and and you're there with donuts like how harmless do you look and somebody will let you in

speaker-1 (54:09.026)
Well, yeah, in context is everything too. Yeah, some places you go into a suit and you're much less likely to get asked any questions. You go in a construction outfit, you know, right? Know your target and it's almost a sure thing. Yeah. And I really harp on physical security too, because in the zero trust aspect.

speaker-0 (54:28.89)
yeah, it's all part of it.

speaker-1 (54:30.572)
Yeah, if I can get into your business, I don't care what, you know, what control bit locker could be bypassed, all these other things. could take a computer. I can put a Dropbox on your network. There's a of things I can do that now have circumvented at least some of your controls.

speaker-0 (54:47.306)
Absolutely. Well, hey, man, this is phenomenal. Before we, as we wrap up, tell us more about what's on the horizon and what you're doing. Dubai sounds exciting. Your platform sounds exciting. tell us. Yeah, just share with us kind of what you're developing for organizations.

speaker-1 (55:04.096)
I'm excited about that.

speaker-1 (55:11.926)
Currently what I do is I will go in and I will run these tests to assess their controls, how well they work, their weaknesses or gaps.

speaker-0 (55:19.778)
absolutely invaluable. Absolutely every organization needs it.

speaker-1 (55:23.97)
But then the tool I'm working on in SAS will make it so that they can upload their own data, which is typically scan results and then prompt it with like, okay, I uploaded the scan from the scope. Every system in the scope has X, Y, control and it would automatically populate the risk and trust metrics. So they can have a dashboard or spin out a report.

and have a good idea where they're standing, so they really only need a manual assessment once a year or whatever, but they can constantly keep track of where they really are. The plan is it's not gonna be terribly expensive because I want security to be better, honestly, and I've seen enough horror stories that, yeah, I wanna pay my bills, but my data not getting leaked is just important to me.

speaker-0 (56:16.126)
Absolutely.

speaker-1 (56:18.136)
The other one I don't want to talk about because it's too new and it's exciting.

speaker-0 (56:21.71)
Well, we'll have you. Yeah, we'll have you back when when it's baked and it's ready and.

speaker-1 (56:28.654)
I've had one CISO tell me, because I pitched the idea to him because I trust him very much. And he's like, build this, we need this now. Okay. On the horizon too, real quick is Austin four. It's in the draft phase now and it deals a lot in quantum. It's still a security testing methodology, but it goes so much wider and deeper that it's, there's going to be a huge learning curve.

speaker-0 (56:36.344)
See that? That's great. I love it.

speaker-0 (56:47.437)
you

speaker-1 (56:58.798)
But every time a new one comes out, there's tons of hype, lots of adoption. And one thing I found odd is I talked to a lot of pen testers in the US. Hey, you're still at the Austin? No, what's that? It's in most security books mentioned in the East, but in Europe. So I worked for a global company at one point, early in my pen test days. None of my coworkers had heard of it, but I would talk with my cohorts in Europe. Every one of them knew about it and has at least read it if they don't actively use it.

So I'm also trying to get myself to where there's leverage to be, look, you guys need to take this seriously because everyone around us is doing this.

speaker-0 (57:31.15)
spread awareness within the.

speaker-0 (57:41.922)
Yeah, that's exactly right. mean, and that goes all the way down from the industry down to individuals, right? Because our European brothers and sisters...

take their privacy much more seriously. And maybe it is cultural because of post-World War II, they saw what, know, people being able to see what your name is in your religious affiliation and stuff and the physical harm that can come with it. But Americans are meanwhile like TikTok in our lives.

like taking pictures with our kids face on it and the kids school right there thinking, we're Americans, no one's going to do anything.

speaker-1 (58:24.782)
Well, what Europe has regulation requirements, compliance and stuff that means, like you said, they have the inherent, for the most part, desire for security. We're here. We've become very checkbox mentality for the most part. And there's always a new compliance standard coming out and this coming out. it's like, let's just perfect what we have instead of stacking something else on that we don't fully understand.

speaker-0 (58:51.18)
Right. Stacking another checkbox, a list of set of checkboxes for us to check is not really going to solve the inherent problem. Right. That's great, man. Well, I love what you do. Keep doing it. Keep us posted. And I mean, it will have you will have you back 100 % and less than all things go. All right, buddy. Thank you so much for your time today. Really appreciate it. Great discussion. Thanks, buddy. See you.

speaker-1 (58:59.084)
Yeah.

speaker-1 (59:11.598)
good to me. Appreciate it. Thanks, man.

speaker-0 (59:21.102)
you


Head Shot

Dean Mauro

Host
Head Shot

Kylie J.

Producer

Podcasts we love

Check out these other fine podcasts recommended by us, not an algorithm.

Breaching the Boardroom Artwork

Breaching the Boardroom

NetGain Technologies, LLC
Detrás de la pantalla Artwork

Detrás de la pantalla

Dr. Sergio E. Sanchez, el Dr. Qubit.