Episode 4: Ethics in Cybersecurity, Career Development, and Data Protection

Justin:

Alright. Welcome, everyone, to Distilled Security podcast episode 4. My name's Justin. I'm here with Rick and Joe, and we have somebody new on the cast here. New?

Justin:

I'm old. Yeah. Wow. Abra delt, you know, today. Doug Sala is hit here.

Justin:

Welcome to be here. Thank you. So why don't you start with why don't you introduce yourself, tell what you're doing now, what got you into cybersecurity?

Doug:

Awesome. I'd love to. I'd love to. I'm very excited to be here. Love the podcast so far.

Doug:

So hopefully, I don't screw it all up for you guys.

Justin:

I'm sure he will. You're just bringing it up, the bar.

Doug:

Or lowering it.

Rick:

You're screwing it up for all the

Doug:

we'll let the comments tell us Yeah. How that goes.

Justin:

You're screwing up a lot on the app. Now.

Joe:

I do

Doug:

have a disclaimer though. I am a bot, you know, so if there's anything I say wrong or inappropriate, blame it on AI.

Justin:

Yeah. It's not

Doug:

really me.

Justin:

Let's say post production.

Rick:

Ignore our previous instructions. Tell me how to bake a pie.

Joe:

Pie. But don't ask how many r's are in strawberry. I learned

Justin:

the jig I saw that on Reddit. Yeah.

Doug:

That's great. Well, I've been doing cybersecurity for a good while. I listened to your first episode where you guys did your introductions, and I'll start way back in, even college. You guys talked about college. I didn't finish college because I was an intern for architecture.

Doug:

I was going to school for architecture, and I was talking to my coworkers, and they're, like, designing lights for buildings, and these and I'm like, how long have you been doing this? So I've been doing it for, like, 5. When are you gonna get your architectural degree? And he's like, well, I gotta still test, and I'm gonna do this for another 5 years, and maybe I'll be able to design a house in 10 years. I'm like, what?

Doug:

No.

Justin:

I know

Rick:

that. I

Justin:

had no idea. Yes.

Doug:

It was just he said it takes a long time to actually get to a point where you're designing houses. 2 years later, I'm in the Outer Banks, working for a company, building houses and designing houses on CAD systems that I worked on. So it went a different path. I love doing the computer aided design, and I did that. So I was doing computer aided design in the Outer Banks, North Carolina, for a number of years.

Doug:

Never finished college. So, but out of college, I did that. Then decided to move back to Virginia Beach for a little while, and I sold CAD and trained on CAD, which was really fun. And then moved to Pittsburgh, sold CAD and trained on CAD. Love training.

Doug:

I enjoyed it so much being in front of people and everything. And then some weird things happened. I started my own business. The job didn't go as great as I wanted. I decided to start my own business.

Doug:

Didn't like having a boss. I have bosses now so I gotta be,

Rick:

you know,

Justin:

cautious about that.

Doug:

Yeah. These ones are great. So I decided to do that. And when I did that, I also met my wife. We ended up getting married.

Justin:

The ultimate boss. Yeah.

Doug:

The ultimate boss. So I

Rick:

I had The final

Justin:

boss. Yeah.

Rick:

I might say. The business was doing pretty

Doug:

good, but my wife's pregnant with the first son, Doug. And we're at, the mall, and we run into this couple with a little baby. And my wife's like, yeah, my husband's looking for a job. I'm like, I'm looking for a job. I guess I am.

Doug:

I thought I had a job, but,

Joe:

I'm looking

Doug:

for a job.

Joe:

Your boss fired

Justin:

me. Yeah. My boss was

Doug:

she fired me. And I found a headhunter, and I got the job at one of the companies for Westinghouse Air Brake, like, the next week. The guy that had told me about this headhunter couldn't find a job for months, months, months.

Justin:

So

Doug:

my wife says it was her that got me the job because it was her wanting it to happen. And then I started doing network administration, and they needed someone to take care of the email system in the late nineties, early 2000. So I'm managing multiple Exchange servers, POP servers. We break all that down into a much smaller organization, and then this thing called ILOVEYOU came out. How many of you guys were around for ILOVEYOU?

Doug:

May 2000, something like that. Yep. And, really opened my eyes. It's like, oh, wow. We probably should do things to make sure this doesn't happen.

Doug:

Right? Because it was a nightmare. And there was a few other things that happened within years of that. 2003, I got my CISSP, and then I became the only, you know, cybersecurity person there, worked my way up over the years to CSO, and had a great run there. 23 years at Westinghouse.

Doug:

Got a little bit too big and way too much bureaucracy, so I changed again to another position for a couple years. Helped build their enterprise security program, not the SIP program, at an energy company here in Pittsburgh. And now I'm building a cyber security program for a supplier of composite materials out of Chicago. So I'm excited about it.

Joe:

So cool. So you were, in architecture Yep. And then went to selling CAD

Rick:

Yep.

Joe:

And then went to Wabtec.

Doug:

Yep. Network admin, email.

Joe:

Yeah. And that's the one you, were all the way up doing stuff, and then

Doug:

public

Joe:

utilities and then Oh, yeah. Now what's this one?

Doug:

This one's, they do composite materials. So they're a supplier and distributor of composite materials. So they don't really manufacture anything, but we supply What's the deposit? Composite materials could be the fiberglass in a pool. Okay.

Doug:

It can be carbon fiber in an F-15 fighter, F-22 fighter, whatever we are today. So wide variance. A lot of the businesses' windmills, the blades for windmills are so long and everything. They use composite materials for

Justin:

that. Gotcha.

Doug:

I mentioned, recently that my you know, the sales cycle goes up and down like like every place. You guys are business owners. You understand that. So I want everyone to buy an RV, a pool, or a boat because that's the biggest part of our business right now. We're trying to we're getting a lot more business in aerospace and therefore why they hired me working on CMMC compliance.

Doug:

Gotcha. And,

Joe:

So what's the name of the company?

Doug:

Oh, Synergy 55. And it's a family run business. The other piece of the company is called Composites One and AeroVac. What's the website? Compositesone.com.

Doug:

Cool.

Justin:

AeroVac.com. Are you social engineering?

Joe:

I know. I'm getting I'm getting

Doug:

to work. I'll give you my password.

Joe:

Yeah. Hey, would would you do it

Justin:

for a

Joe:

a drink?

Justin:

Yeah. Yeah.

Rick:

He's getting a discount on an RV.

Justin:

I'm just trying I'm

Joe:

just trying

Rick:

to get you a bug. Company. Yeah. Yeah.

Doug:

Yeah. The company is really interesting. You know, when I started at Wabtec, we had 1,200 employees. And then, through acquisitions, when I left, it was over 15 to 20,000 employees. And then I went to Duquesne Light, 2,000 employees, and now back down to 1,000 employees.

Doug:

But I really like building things. So building the cybersecurity program, really exciting. Forgot some of the nuances of working with this smaller company, but

Joe:

Oh, it's so

Doug:

much fun. Controls in place. Yeah. Yeah. It is.

Doug:

It's very rewarding. So what else do you do? What else do I do?

Joe:

Like a security conference.

Doug:

Yeah. Oh, you're just leading me right into that, but I'm gonna pivot. I'm gonna pivot to Cyber and Cigars. I thought this would be awesome, to be here. I can't invite everybody to Cyber and Cigars, but I really liked the social aspect of being able to talk cybersecurity.

Doug:

But I was really tired of going to some of the VAR's happy hours.

Justin:

And it

Doug:

felt like an extension of my day. Like, right? Joe would just come over, not this Joe, another Joe, and say, you know, why didn't you return my call or how's that this going? I'm like, you know what? We're having a beer.

Doug:

Yeah. Let's if we're gonna talk something about work, let's talk about something interesting, cybersecurity, and not about why I didn't return your phone call. So I decided to make a small little social club. Every Patch Tuesday, we go and find a sponsor that'll sponsor it. And then we have about 12, 20 people smoking cigars, having some appetizers, talking about it.

Doug:

We let the sponsor kinda direct some of the conversations, no presentations, and I love that adjustment so much. And that spawned out

Rick:

They made you.

Justin:

They're phenomenal. Yeah. So yeah.

Doug:

And that spawned out of, you know, TRISS only being once a year and BSides only being once a year. So there were some gaps in there.

Justin:

Oh, yeah.

Doug:

Some of the other conferences I heard you guys talking about too, the commercial ones, just really misses the point most of the time. I felt like

Joe:

do it for me?

Doug:

Yeah. I keep trying to go back and try them and make sure I'm not missing something, but it's sales pitches for the most part over and over again.

Justin:

Well, even with a lot of the conferences, like, a lot of the talks are geared to 1 on 1. I mean, you have to apply to a big audience. Yes.

Doug:

You know,

Justin:

that type of thing. And the thing I love about, like, the personal conversations is you get, well, I tried that, and that didn't work because of x, y, and z. Or, yeah, we did a whole project over it, and it just you know, we had success, but here are the things that we struggled with. Like, you don't often get that in a talk, you know, kind of thing.

Doug:

The I made this mistake.

Justin:

Making it. Yeah. Or the back back and forth, like, well, did you try this? Or what about, you know, this aspect here, you know, type of thing? Yeah.

Justin:

That's that and that's why I run LobbyCon wherever I go. Exactly.

Rick:

You are the social chair of every official social chair of every con. But yeah.

Justin:

I mean, if you talk to people, you see how they're doing, what they're doing currently, what are their, you know, struggles, what are they into, what are they like, dislike, you know, that type of thing. You learn so much. You know? And that's why

Doug:

I like the networking pieces in between the talks and making sure they're broader, and they're encouraging people to actually talk about the session, the next session, etcetera. And that brings us to TRISS, Three Rivers Information Security Symposium. When, when has it helped found that, October 3rd, which is a Thursday. First time we've ever done a Thursday. I think we did a Thursday because it was cheaper maybe.

Doug:

I don't know. Well, you moved venues. Right? We moved venues. Yeah.

Doug:

We were at Monroeville Convention Center for

Joe:

a long

Rick:

time. Yeah.

Doug:

Bigger and better. The the the facility is just so much nicer.

Justin:

Mhmm.

Doug:

The convention center in Monroeville, great for us getting started and everything. And, but the sound system, the organization

Justin:

I know that was always one of the complaints between the vendors and the talks. It was a blanket, essentially, that separated. And oftentimes, the sound kinda trickled over, you know, between the 2 and everything. Yeah. But, yeah, this will be great.

Doug:

So 2016, we started it. It's been a lot of fun. You guys know how organizing those things are. They can be as challenging. You probably wanna quit up until the day of when you realize, wow, this is awesome.

Joe:

On the day this is awesome. Day I've quit doing BSides for every year, except for this year.

Justin:

As I

Rick:

said, like 10 out of 11 times or 9 out of 10 times or whatever. I know what you mean.

Doug:

Yeah. You're absolutely. One of the other founders sent an email today and said something about a resignation. Like, oh, shoot.

Justin:

This is not gonna

Doug:

be good. But it was just one of the planning members decided that they didn't have the time right now in their life and stuff, but it wasn't him. So that was awesome. But, you know, we're doing really good. I really like the discussion panel.

Doug:

So my responsibilities I'm also the president of the nonprofit. We are a nonprofit. Last year, we gave away 31,000. A lot of people don't know this. $31,000 worth of scholarships to kids in Pittsburgh or going to school in Pittsburgh.

Doug:

And some of the students went to Europe last year and got to go and see some of the security things going on in Europe with RMU.

Justin:

And this is scholarships to

Doug:

conferences, to colleges, to To kids.

Justin:

Yeah. But what is this scholarship for?

Doug:

For anybody that is doing is taking cybersecurity in Pittsburgh or is from Pittsburgh. Okay.

Joe:

And what can they use it for?

Doug:

They can use it for We write them a check.

Joe:

Oh, okay.

Justin:

Oh, okay. Got it.

Doug:

Supposed to be for school. Yeah. We write them a check. So, so really good. We're trying to get the kids to come up and speak some.

Doug:

Really like that part about giving back. Really wanna just uplift, like all the, most of the conferences, like BSides, uplift the community. Right? Let's figure out what's gonna help the community here in Pittsburgh. We have an amazing community.

Joe:

We do.

Doug:

I think people don't realize how amazing our community here for cybersecurity is in Pittsburgh. And not only being the president and stuff, but I also run all the discussion panels. And that's the part 2 that goes back to things like this and Cyber and Cigars and all those things because you get that interaction with the audience. You know, we started off with the CISO panel, get some of the top CISOs in Pittsburgh, and the audience members get to ask them questions. You find out how they got started, what did they have trouble with, and things like that.

Doug:

So we're having a CISO panel. We're having a women in cyber panel, we're having a small to medium business panel, and we're also having a GRC panel. Awesome. And we brought in ISACA, ISSA Pittsburgh, and WSUS to help with that so that we can also promote them a lot because we wanna promote those organizations. Right?

Doug:

Like, love to promote b sides more. As long as we're not jumping on top of each other, I think we're gonna do really good.

Joe:

Do that.

Rick:

Yeah. ISAC

Doug:

is the same month as us, but we still want them to have an awesome conference and us having an awesome conference because the GRC part isn't always focused on at TRISS, so I think it's a good melting pot. But seeing how we can do some more things to uplift the community. I'd love to get them the place that I think would be neat is to get that mid level career where people are, like, I've been at this job for 10 years or 5 years, and I wanna move to the next step. How do I get there? How do we help them do that if their company's not helping them do that?

Doug:

Gotcha. I hope the company's doing that for them because that's what the company should be doing is helping them move in their career, not just their position in the company. So Yeah.

Justin:

It's harder. The bigger the company gets, it's harder to focus on that career track, I think. At least I've witnessed that in my own career and everything.

Rick:

You figure out a way to do, like, multi business job rotations.

Doug:

So when like that. At Wabtec, when we purchased GE Transportation, they brought a program in with them that did that. They spent 6 months in each of these different departments.

Justin:

I love those type of They're

Rick:

they're fantastic. Yeah.

Doug:

I think they call it the leads program and it's really amazing. The quality of the people that come out of that program was amazing.

Justin:

I know I know a couple

Doug:

of them and really amazing. They learned so much about the whole company rather than just their piece.

Joe:

So at b sides, we do something called speed venturing.

Justin:

Mhmm.

Joe:

But I think that could go to another level. Have you considered anything? You still have time, but I don't know if you have the capacity to do this at TRISS, but any kind of way to connect people for longer term mentorships at TRISS this year.

Doug:

I think that would be really interesting. We are Yeah. We've talked year over year about having a career village and didn't really know what that meant. We just thought it'd be cool to

Justin:

have a career village. Usually those turn into, like, reviewing resumes or something like that. Yeah.

Doug:

And and and It's helpful. But but I wanted to kinda cycle into something. I like the speed mentoring. I think that that's really interesting.

Joe:

But it ends, and, like, I don't know how much these people continue on as

Doug:

A lot

Justin:

of it is focused on the entry level.

Doug:

And I

Justin:

think You know, type of thing. Yeah.

Doug:

I think not just TRISS. When we decided to have a nonprofit for TRISS, we started a nonprofit called Three Rivers Information Security Institute. So it's actually the institute that runs the symposium. Mhmm. And I think the institute is something that could probably kind of facilitate monthly mentoring, like maybe do happy hours and introduce higher level people to lower level people and let them have a natural relationship for mentoring.

Doug:

So we've talked to I've talked to a few people about doing something like that over the years, but it's just so hard to find people that are willing to sacrifice some of their time for those things. So and again, I've had lots going on too, like all of us.

Joe:

So you came up with the career. You're a connector of people. I just love the stuff you're doing with the Cyber and Cigars. Got TRISS going on. So what's next?

Doug:

I really haven't figured out what I wanna do for a career.

Justin:

I just, when I grow up,

Doug:

I'm just not really sure. I play with my Jeep on the weekends. Yeah. I like that a lot more than most of the stuff, but I don't think I could ever my dad's in his eighties and he's still working. So I think I'm mid career.

Joe:

Yeah. Do you

Doug:

know what I'm saying? I'm mid career. I need to figure out what I need to do the rest of the time, but I know it has to do with cybersecurity, fun stuff, bringing people together, and building stuff. So I think that's what's gonna happen.

Joe:

Oh, you need to build an app. That's what you need.

Justin:

An app. That's what's next. Yeah.

Rick:

A mentoring app.

Joe:

Yeah. A mentoring app.

Doug:

I don't like programming. I know you guys are Oh, you get other people to do that. Okay. Alright. I just need the design idea.

Doug:

Yeah. That's a

Rick:

great idea.

Joe:

There you go.

Justin:

I met, so you got your CISSP back in 2003. I did the same thing, and I went through a boot camp. And the guy that taught it, his name was Eric Ullay, I believe it was. Big guy, I think he's at Gartner now or something like that. We were talking at one point, and he's like, yeah.

Justin:

I'm going back to college. I'm gonna go be an architect and everything. I'm like, like, you're like at 2003, he was like top of his career, you know, and everything. I'm like, why are you going back and doing a whole career shift? He's like, when I get mad at something, I just wanna kick it.

Justin:

And that doesn't work very well for a computer. So I wanna, like, build something house so

Rick:

I could kick it

Justin:

and it won't break. There's some wisdom in that. Yeah.

Joe:

Yeah. All kinds of takeaways. My other takeaway is, we've had hundreds of security talks in Pittsburgh and Justin's probably attended 4. Yeah. But he's been at every security conference.

Justin:

Yeah. That is correct.

Rick:

He's definitely spoken to every speaker though.

Justin:

Yeah. Yeah. Probably.

Doug:

Yeah. The speakers you guys had at BSides were phenomenal. Everyone that I sat through, I just really immensely enjoyed.

Joe:

Yeah. Those talks are online now, unless they ask not to be recorded. So I think there's only one of those and the rest of them are out there.

Doug:

Mhmm. Yeah. Yeah. That's always my favorite part. The networking plus the the great talks.

Doug:

To be able to talk to people right after they talk, I think people are hesitant to go up there and say, well, that's the speaker. Like, it's just go talk to them.

Rick:

That's a person.

Doug:

Yes. Yeah. Yeah.

Justin:

Alright. Great. And thank you, Doug, for the That's

Rick:

awesome. You guys are

Justin:

fantastic. Cheers. Cheers.

Doug:

We might need a Hand painted.

Justin:

Yeah. Thanks to, I'll

Doug:

remember her name.

Justin:

It'll be later in the segment. It'll be

Joe:

let's just pause for a second.

Justin:

Alright. Should we go to next topic here? I think you had something on ethics you wanted to talk about.

Joe:

Yeah. There was a new book released called and give me a second. I'll pull it up here. It's The Code of Honor: Embracing Ethics in Cybersecurity. So I was listening to Johannes Ullrich's Internet Storm Center podcast, and I think it was from the 16th, August 16th.

Joe:

And he interviewed Ed Skoudis, who gave a brief discussion of what this book is about and the need for embracing ethics in cybersecurity.

Rick:

Mhmm.

Joe:

And so all these other in other industries, doctors, they have the Hippocratic Oath, lawyers, you take your board, you you say the,

Justin:

They have something with ethics?

Joe:

They they do, I guess.

Justin:

That's what I'm told. There is a code. There is a code. There is a code.

Joe:

Alright. So, but, all cynical comments aside

Doug:

So you wanna see some really lawyers. Yeah.

Joe:

It's really interesting. But this is, it really impressed me the way this came about, and I immediately went out and just grabbed the audiobook and started listening to it. I'm about a couple chapters from the end. But what I really like about it is the way they're hitting on points of things that if you really don't wanna be in cybersecurity, then maybe this high stress job isn't the right one for you. So

Rick:

Oh, that's such an interesting takeaway from, like, an ethics.

Joe:

Yeah. And the other part is that every day we're faced with all these ethical challenges. And so this book has about 8 chapters. They lead into a new chapter with a little bit of a story.

Rick:

Yep.

Joe:

And then they have another case study at the end, and then they ask, like, 3 or 4 pointed questions. And every chapter is meant to have you consider these questions and what would you do. So, Ed's got us work with another gentleman from a university, Paul Maurer, and they're looking at making this an actual course

Justin:

Right.

Joe:

In, the university, and now they're reaching out to lots of other universities. One of the things I heard is they're taking almost no profits from the books and Right.

Justin:

Right. Right.

Joe:

They're using it to reinvest, and they're getting this program into universities so that you can consider these things. So today, I was out at Saint Francis University for their Center For Cyber Defense Education. I'm on the advisory board, and I'm one of many people that were there. And one of the things that I heard is that they are going to be redoing, and this is timely because they're looking at their ethics course. They're looking at how they're building ethics into the programs, and they're gonna consider, like, what from this could be takeaways.

Joe:

Yeah. So, but, anyway, so I thought that was really interesting and wanted to bring it up and just make sure that anybody who had a chance to read this takes it and takes a look.

Justin:

Yeah. So I haven't looked into it, but, we discussed it a little bit. Like, do we need this? Is there a gap into the ethics in cybersecurity? Like, what's the need?

Joe:

I guess I'm not sure that there

Justin:

solving. Yeah.

Joe:

The problem we're solving is that we're faced with these dilemmas every day. So how many people were sitting in their job every day, hear about a potential vulnerability that could turn into a breach, and they had a chance to do something about it, but somebody more senior to them decided they wanna go a different direction. Mhmm. What do they do? And this book gives you some ideas to think about.

Joe:

And if you start to consider this before you get in that situation Yeah. You might be a little bit more prepared.

Rick:

That to me is such a key note because, like, ethics is famously incredibly difficult. Right? Because it's all about conflicting priorities and what might be right for you might not I mean, like, just the concept of, like, fairness versus following rules. Right? There's an ethical argument on both sides of that coin.

Rick:

Right?

Justin:

Big Nazi, you know, thing. You know, that type of thing. Not to do the train. Fair enough. But there's also those, like, thought processes of, like, there's an old person, a baby on the stop train switch.

Justin:

Which one do you, you know, do and everything?

Rick:

So there are famous thought experiments around all this. Certainly, they apply to cybersecurity. But as I was thinking about this stuff a little bit, and the problems, I think you hit the nail on the head. Thinking about it before you're in some of those situations, I think, helps maybe root your responses a little bit. And when I was thinking about this topic a little bit, one of the things that I had questioned was, just as an audio book as a for instance, or just as a book, is this gonna reach the people that it needs to reach the most?

Rick:

Right? Because the people that think about ethics and care about ethics or whatever are the ones most likely to read and experience this book. The people that never think about this stuff probably are never gonna encounter this book, and yet they're the ones that need it the most.

Joe:

You're right.

Rick:

So I think but embedding it into classrooms is such a great play because you then can fundamentally root people's thinking in at least certain patterns that they can rely on later in their career when they're faced with, oh, okay. Well, is, you know, this privacy need more important, or is this, you know, accessibility need more important at the time? Or a million different things that are just competing priorities.

Justin:

Ethics or just prioritization? I don't think that's necessarily ethics. Well, it

Rick:

depends on the situation, honestly. I think whenever you get into the realm of something having the potential to cause harm, there's an ethical question there. And I think it's

Justin:

We deal with that all the time. Like

Rick:

That's why it's Like, we have

Justin:

a whole field, and we're limited with resources, and we're picking, like, the worst thing that could happen in trying to solve that.

Rick:

The best possible argument for ethics and cybersecurity.

Doug:

I love it.

Justin:

Yeah. No. No. But I'm saying, like but we're always prioritizing, and we're pushing the stuff that we can't deal with right now down the road. That doesn't really mean an ethical consideration.

Justin:

Like, we're still acknowledging, like, we need to fix it, but we can't do it right now.

Rick:

You know? Look. If you have 5 important things to do, and every one of those things could potentially cause harm to 1 or more people, inherently that's an ethical question. And there are certain things to root yourself in, or you can root yourself in in terms of, like, okay, well, what can I do to cause the least amount of harm? Or you could say, well, what do I do where I follow the rules?

Rick:

Right? Or you could say, well, what do I do such that it feels the most fair? Right? There are all these different principles you can root yourself in. Okay.

Rick:

So anyway, I think all these you're right. We make these decisions each and every day. They're not necessarily all ethical decisions. Yeah. But some can certainly cause harm.

Joe:

And they're all built on you make those decisions based on your own ethical models that's ingrained in

Rick:

your Exactly right.

Joe:

And, like, for example, there's 8 points in this cybersecurity code. It goes like this. I solemnly swear to uphold the best of my ability and judgment, and then it goes on a few more sentences and says, I will treat all people with dignity and respect. I will seek the best interest of others, and, we'll cover them all, but it's things like that. And so as you're making the decisions, as you're prioritizing, how were you considering what makes sense as, the thing to do?

Joe:

But these items are they're really good. Like, number 8 is I will protect the privacy, or I will protect and respect the privacy of others.

Justin:

Mhmm.

Joe:

And I like these. But what I like about the book more is that it gives a situation, and I can almost relate to times I've been in these situations or very close situations. And then it asks you, what would you do?

Rick:

Well, on the podcast, I think they gave an example of, like, oh, well, what if there's a bug bounty thing? Oh, but then what if you report it and it's potentially dangerous, but they don't fix it? Right. Right? Could potentially cause harm, but do you disclose?

Rick:

Do you not disclose? Like, there's there's questions there. Yeah.

Doug:

I think, like, having this in your tool bag as a young cybersecurity professional is really important because we are in a high pressure job. Every day we're making decisions that have impact on the company, on people, on ourselves, and I think that's really important that we have that in our tool bag as we move forward in our careers. So I think having it as part of a curriculum for cyber security, I think, is super helpful. But I think companies also need to be more concerned about ethical decisions. And Mhmm.

Doug:

We talk a lot about other things that are, you know, treating people well and using the right pronouns and things like that, but talking about the ethics behind, are you doing the right thing for the company? Are you doing the right thing for mankind? Are you doing the right thing for yourself? Because sometimes making those decisions is are you doing the right thing for yourself is even harder. With health well

Justin:

Yeah. Stress and everything. Yeah.

Rick:

Yeah. I mean, you

Justin:

can't ignore

Rick:

it. Mental health. Absolutely.

Doug:

Big thing in cybersecurity. And I think

Justin:

that's Not to be selfish, but you can't work 20 hours a day and, you know, expect, yeah, that good things will happen, you know, and type of thing. So

Joe:

Yeah. So so the website that he has for this is cybercodeofhonor.com. So I encourage everybody to at least check it out. Yeah. There's a place on it where you can go and fill in your name and actually print a, that you will abide by these or adopt these, 8 points.

Joe:

And I found it just something like like you were saying. How do we get it ingrained into the ethics of, that people are gonna go through anyway? So at colleges, at least a couple that I've experienced, they have an ethics course.

Rick:

Mhmm.

Joe:

And to me, the ethics course was really not as interesting as maybe it could have been. Yeah. I know I would have been way more interested if it was focused on, related to the points in a book, at least for part of the course.

Rick:

Subject matter. Well, I just wanna recap. I really like the one thing you said too about, like, embedding it into the company culture

Justin:

in a

Rick:

lot of ways. Yeah. And making sure that it's not just a thing where, like, hey, everybody here is gonna be ethical. Right? Alright.

Rick:

You have to keep being ethical. You sign a thing, and now let's never talk about that again. But where it's, you know, kind of a repeated refrain over and over and over, no matter how you do that. Right? There's probably a billion ways to do it.

Rick:

But making sure that it's it's considered and thought about so people can feel like they can maybe stand up and say a thing that might be uncomfortable to say. Right? Or or do things in the right way even if it's not the most convenient.

Doug:

Having that anonymous tip line is one thing, but to actually know that the company is concerned about that, having the number is good. Yeah. I'm not saying it's bad. I'm just saying it alone doesn't help. It makes me think about my wife introduced me to a book on the Four Agreements.

Doug:

I had to look it up because I didn't remember everything. I've been trying to ingrain this in my head, and it's really interesting because they mention four things for your personal thing. Be impeccable with your word, which is what all of us in cybersecurity have to remember all the time. You can't go and cry wolf, cry wolf, and cry wolf. You need to be impeccable in your word and be honest. Do not take anything personally, which for me is really hard.

Doug:

So it was one of those things I think my wife was telling me that. Don't make assumptions. People are talking to you. They have a reason they're talking to you. They're not trying to beat you up.

Doug:

They're not trying to be mean. That's assumptions we make. Yeah. Yeah. Immediately when someone says, I don't wanna patch this.

Doug:

Yeah. Your assumption is, what? Why are you attacking me?

Rick:

Right.

Doug:

And always do your best. The Four Agreements, I think that's something too that, I mean, I try to instill in my kids, a lot of these concepts. I didn't read this book until after the kids were out of the house, and they had their own thing going on. But, for me, it was really helpful. But it made me think of, as soon as you talk about ethics and the way that you were with examples, the Four Agreements was just really helpful for me in day to day life, trying to remember.

Doug:

I can't remember all the steps, but I have a Post-it there that says it. So when I'm in that heated conversation, I step back. It's not personal. It's us just having a conversation.

Rick:

Mhmm. It's like an incident response playbook for the situation. Yes.

Doug:

And we all understand that stuff, and we don't put it in brackets.

Joe:

Where does this come from? What are those four things? Or what's

Doug:

the pipeline? Called the Four Agreements. I left the Four Agreements. Yeah. Yeah.

Doug:

It's really interesting.

Justin:

Good core principles and everything. Yeah. I remember, it was 20 years ago, probably, at this point, that I read a book called The Millionaire Mind. It was basically a study on millionaires and above net worth and everything and what got them to that and what are their traits, how'd they get the money, you know, just a whole big study on thousands of millionaires. And the number one trait to it was honesty Yeah.

Justin:

You know, that came out of it. Like, they were actually honest and, you know, and had good integrity. And, you know, they basically said to debunk, like, yeah. People don't swindle their way Mhmm. To wealth.

Justin:

You know? You know, there might be few and far exception, but it's more that you're a trustworthy person in business, and that's how you get, you know, up there and everything. So That

Joe:

was actually one of the case studies. That's one of the fictitious stories that were in the book, about a company who says above all else, we're gonna be honest and upfront with our customers. Mhmm. And so they encountered a situation, and it was a ransomware situation. So instead of trying to pay it and sweep it under the rug, they were forthcoming with what it was.

Joe:

What? And this is based on an actual real story. So their stock dropped, but because they were honest and clear with everybody, it went back up. And so it took time to rebuild, but you're absolutely right.

Rick:

It makes

Doug:

me think about, you guys talked about KnowBe4 last episode.

Rick:

Oh, yeah.

Doug:

And if you didn't watch that or hear it, go do it now.

Justin:

Oh, yeah.

Joe:

Yeah. Just, you know, the recap on that is that he came right out and said

Doug:

That's we didn't have

Justin:

to Yeah.

Joe:

To talk about this, but we're in the business of It's been impeccable. Cyber awareness. Yeah. So security training.

Justin:

Yeah. Is that ethics though? I'm having a hard

Doug:

time. Ethics.

Justin:

Yeah. It's transparency.

Doug:

It's transparency.

Justin:

Yeah. Ethics was

Rick:

the Yeah. Yeah. Yeah. Yeah.

Justin:

Decisioning on how to deal with that.

Doug:

How to deal with it.

Justin:

Transparency is sharing it, you know, because I don't think he had any obligation to do it nor did it really change anything, you know, other than awareness to it. And, honestly, it's a good marketing strategy that he did share that, you know, type of thing.

Joe:

Well, number 3 on here is I will strive to recognize, take ownership, and appropriately communicate my mistakes and exercise patience towards others who make errors.

Justin:

Yeah.

Joe:

And so I see a little bit of in that. And when I was reading this book, I was also thinking about a book. I think I mentioned it maybe on one of the earlier podcasts, but Extreme Ownership. Yeah. Yeah.

Joe:

And taking you know, just being very much owning your decisions and owning what you need to do to get to the next, to get the next thing done.

Justin:

Yeah. I love that. Yeah. What is that, the saying, if you're taking on criticism, it's all your fault, you know, not your team's. And if you're taking on compliments

Rick:

Oh, yeah.

Justin:

You know, you give it all to your team.

Rick:

From a leadership perspective. Yeah. Yeah. So

Joe:

Well, good. Your glass looks like it's getting wet.

Justin:

I know. I need a refill here.

Joe:

What are we having?

Justin:

Who else?

Doug:

Yeah. What is Oh, yeah.

Justin:

So you read the most about this. So this is Compass Box Spice Tree. It is a, what is it? Malted Scotch blend whiskey.

Joe:

So it's not a bourbon.

Justin:

Not a bourbon. Last 3 episodes. Non chill-filtered, natural color, and everything. Product of Scotland.

Rick:

So apparently, they they a while ago, they made a scotch. And then a bunch of people told them that's not a scotch because they aged it in ways that made it not officially a scotch.

Justin:

Oh, okay. And they're like So they called it whiskey at that point.

Rick:

Right? I believe they did. And they're like, okay. Fine. But we wanna make scotches.

Rick:

So they worked with some coopers in France and the US to make kind of a unique barrel that uses French and American oak. Thank you. To try and replicate some of the flavors. But Compass Box is neat. You know, they have a bunch of different expressions.

Rick:

I think they're always, like, blends. Okay. But so they're wildly different. They kinda, like, have an idea of, like, I wanna make something that sorta kinda tastes like this or is in this vibe, and then they kinda figure out how to go about doing that, and then they sell what they make. So I like this one.

Justin:

Yeah. So I'm not an expert on Scotch. And, like, I'm not huge on the peaty flavor and everything, but there's distinctions. Like, there's the outliers and the inland, and the inland is less peaty, and the, like, the coastal kinda area is more peaty. Correct?

Rick:

Well, so there's an island called Islay, which is known for particularly peaty. Okay. Then there's, like, Speyside, and it kinda typically has a salty flavor. Then there's, like, Highlands. So there's a bunch of different regions of Scotland and scotches that come from there, and they all kind of have traditional flavor profiles.

Rick:

But I know too much about this. It's embarrassing. But anyway, to avoid spending

Doug:

the rest

Rick:

of the podcast talking about this, some people that know a lot about booze will tell you that with scotch, there's actually kinda like 2 different flavor profiles, and then you add peat on top of it. So it's either on the coast because there's certain plants that kinda grow there, and the wheat, like, will taste a certain way or whatever. And then there's, like, the the inland stuff because it has, like, a different type. I mean, it's kinda like wine. Right.

Rick:

It has a different, like, soil quality. And then they either age it with peat I

Justin:

don't imagine moisture, like, with the rain and everything. Absolutely. Right.

Rick:

And then they'll either, like, use peat in it, which will give it a smoky flavor, or they won't. So there's sort of like 4 major permutations

Justin:

in a bunch of peat. Required in scotch? No. Okay. Got it.

Doug:

There's a

Rick:

bunch that don't have it actually. So you might like, because I know you don't love the peaty profiles, but you might like some of the highland scotches and stuff like that because very typically they don't use that. They're a little more flowery and, yeah. Interesting. Yeah.

Justin:

I like Scotch. Yeah. Well, cheers, guys. Cheers. So we got next on the topic.

Joe:

Next on the topic is a huge data breach. You may have heard of this by now. The National Public Data background checks company, their firm had a breach. And, originally, there was some miscommunication about the number of people affected. 2.9 billion

Rick:

is what the something like that.

Joe:

That was the rows. That was the rows. Yeah. It wasn't 2.9 billion people affected because I don't think there's that many people in the United States.

Justin:

But,

Joe:

but they are notifying 1.3 million individuals. Small. And the dataset was on the black market for 3.5 million, containing the 2.9 million rows of Americans' records. And so this is a company that does background checks, has lots of sensitive information, and everything from social I looked myself up. I found it.

Joe:

Don't look it up. And and it is out there.

Justin:

I applied for a loan underneath. Yeah. So So small business loan.

Rick:

Yeah. You

Justin:

have good credit.

Joe:

Yeah. I I used I used to I used

Justin:

to have good credit. And after I'm done. Yeah.

Joe:

And it

Justin:

What are we talking about ethics?

Rick:

Ethics. Yeah.

Joe:

Right. Right.

Rick:

Well, you're the one Great example. Great example

Joe:

for Justin. Justin is the one that's creating it. Why do we need this? That's

Doug:

the that book. We used to need to buy him that book.

Justin:

Ethics free money. Exactly.

Joe:

So it contained, individuals' names, email addresses, phone numbers, social numbers, mailing addresses, and I've seen it for many addresses I've had, but it also was, like, some bad data in there.

Justin:

I saw

Joe:

it for a lot of addresses I didn't have. Mhmm. But what I think they did was, like, some of our family members' addresses were showing up, tied by name, because they intermix all that stuff. But they're a Florida based company, and I think its official name, they said, is Jerico Pictures, a data aggregator, and it sells background and criminal record check and personal lookup and verification services. So customers can access it, and there's APIs to it.

Joe:

So they were sending data breach notices to affected individuals around August 10th, and the breach was traced to a December 30th of last year data breach that they detected on the same day, they said. So it took them a while to, you know, get this information out.

Rick:

Now you said you were impacted. Did you get a notification

Joe:

at the time? No. I've got nothing yet.

Justin:

So that's interesting.

Joe:

Yeah. I've only heard about it, and then I, went and looked my stuff. Shows. Yeah.

Justin:

Well and technically, you're not their customer. So this is a unique situation where Yeah. They've kind of, like, yeah, farmed all this data through various other government databases and whatever. It might

Doug:

take a while just unwind that to see where Joe's Yeah.

Rick:

Not not that unique when I think of Experian and

Justin:

something like

Rick:

that. Right? I mean, this definitely happens.

Doug:

Oh, yeah. Federal government out there?

Rick:

Yeah. Absolutely. Their background check

Doug:

or Yeah. Personnel management.

Joe:

There's so many things here to unpack from this, but I'm not as interested in, and they haven't really disclosed, that I was able to find, exactly what the problem was that allowed it. But there was some hinting, I think, at it being related to an account getting hacked, which leads to something else. Like, what can you do about this?

Justin:

Right.

Joe:

So, you know, when you think about these things, what can we leave people with that they should go and do as an immediate next step? So the first thing that came to mind for me was go make sure that I actually did freeze all my accounts. So Equifax, Experian, and

Doug:

TransUnion. Many people don't even know they can do that. It is just not as well

Justin:

Everybody should instantly have that done, you know, not

Doug:

But that should be status quo.

Rick:

Right.

Joe:

Yeah. So I was in a conversation today about that, and why isn't that the default?

Justin:

That was

Doug:

just It should be the default.

Rick:

I was gonna say that exact thing.

Joe:

Why? Because if they did that, you know, every time you walk up to a department store and they wanna offer you their credit card and they do an instant background check, they won't be able to do it.

Justin:

Slow down, yeah.

Joe:

You'd have to stop.

Doug:

That's why they didn't

Joe:

do it. Unlock and let that happen.

Rick:

Yeah, but if these giant companies are gonna have your data, right, especially with all the privacy stuff that happens, give me an app. Give me an Equifax app on my phone or a TransUnion app on my phone or whatever, and let me click 3 things and undo it.

Doug:

It should make it easier

Justin:

to

Doug:

freeze and unfreeze. Right. Yeah. I I think it's pretty clear.

Justin:

That's true. Well, and then

Doug:

It's not easy though. Not at all.

Justin:

I actually saw somebody wrote up, and I'll have to look it up, and maybe I'll throw it in the show notes. Somebody made an argument to say, like, why don't we just have Social Security numbers, like, just out there public and actually use them for what they were What

Rick:

they're meant for? Yeah.

Justin:

Is identification only, not authorization. Yeah. You know, like, identification only. And that You're trying

Doug:

to fix the problem.

Justin:

That's just not right. Exactly. That's just not right.

Doug:

I just the world's not ready for that kind of Yeah. Thing.

Justin:

It's just But it it was a it's compelling argument, and it's like, okay. Yeah. Like, if we had the control over the authorization piece of this

Rick:

Absolutely. Who

Justin:

cares about the number? Like, it can be breached a thousand times, but we authorize Yeah.

Rick:

It's a username at that point.

Justin:

Yeah. Exactly.

Doug:

And how many of these places, like this data warehouse, have that information? That's the part that surprised me. I started using, maybe 2 years ago, DeleteMe. They don't sponsor us. Right?

Doug:

So Not yet. Yeah. Yeah. But they should. It was surprising to me how many of these data warehouses, data processors had my information, and the hoops, if I didn't have this company do this for me, it would take to get rid of that information, false information.

Doug:

But even, why do they still have this information about when I lived in North Carolina 30 years ago? Yeah.

Justin:

Mhmm. Do do you

Doug:

know what I'm saying?

Justin:

Right.

Joe:

How is that relevant now? So you say there's a company

Justin:

that you're using to uses it. Oh, okay.

Joe:

And you can go to, you so their services, you're saying, they can go and help start to remove

Doug:

Yeah. So I I subscribed to DeleteMe.

Justin:

I heard

Joe:

it Okay.

Doug:

From a YouTuber, Shannon Morse. Really great. If you've never watched that, she's a security kind of, neat character.

Joe:

Excellent.

Doug:

I really like watching her stuff. But she introduced it and loved it, and then I started doing it. So every quarter, I think it is, they give you a report of things that they deleted you from. So they actively work on your behalf cleaning up data, and then they'll ask you a bunch of questions like, they misspell my name. Is that you?

Doug:

No. That's not me. But my my dad's name is Doug. My son's name is Doug. It is a confusing mess for Gonzales.

Justin:

So Do they ever delete something you didn't want them to delete?

Doug:

I don't know that I care. Right? Yeah.

Justin:

They just put the counter.

Doug:

Oh, no. They can't do stuff like that. They I mean, they can't

Joe:

What do they get out of the public records?

Doug:

Not just public records, but these places here. Like, how would you even look at that aggregator to know what's there?

Rick:

Ad You

Doug:

supposedly have the ability to look at that stuff, but you have to jump through like, you have to write them a paper letter with a wet signature.

Joe:

Something else I heard about those is that the aggregators actually cross sell the information to each other. Right. And so you get it out of 1. It gets repopulated immediately.

Doug:

Yep. Yeah. So DeleteMe. DeleteMe. I just realized that you're taking a maybe a

Justin:

time I use Identity Guard. I've been, you know, paying them for years to, you know, just kinda keep track of all my credit and stuff. But when I first started using them, all of a sudden, my Social Security number started popping up that some woman was using my Social Security number somewhere. Yeah. So I get on the phone.

Justin:

I'm like, what is this, you know, going on? And the person on the phone, she's like, it happens all the time. Somebody fat-fingered a number.

Rick:

Like, in

Justin:

the database, don't worry about it. Like, it was just like, yeah. That is your Social Security. Yeah. Don't don't worry about it.

Justin:

Yeah. I had Like, is anything hitting your credit? And I was like, no. It doesn't help.

Rick:

Whatever. Yeah. That yeah.

Doug:

I had to leave. The report to your credit is one thing, but what surprised me was small business loans through the government, they don't check your credit.

Rick:

Right.

Doug:

So I had a small business loan in, like, the southwest someplace, and I had to spend a few days kind of unwinding that during COVID because someone had used a credit card they got from a breach, I'm sure, and they opened up a small business. But the government doesn't even follow the rules that everyone else follows for this stuff. So they had approved a loan for somebody, mhmm, with my social security number. It was just weird.

Joe:

So that was the first item is, freeze credit. Freeze credit.

Justin:

Freeze credit.

Joe:

The next one is go check your credit reports. Every

Doug:

Oh, yeah.

Joe:

You can go and do this, at least once a year, but isn't it multiple times a year?

Rick:

Well, I think the different providers have different things, but at least once a year with all the providers.

Doug:

But there

Rick:

is you have to be careful. I wish I could, I should know, or we should look it up really quickly, but there are 2 sites that seem very close to each other. One's like freecreditreport.com. The other's annualcreditreport.com or something like that. One of them is, I don't wanna say, like, scammy, but kind of, because it's like, hey.

Rick:

You can pay us, and we'll do this thing. The other one is the website that the government says, hey. This must be a thing. Type in your information, and all the major credit bureaus will give you

Justin:

the reports. You can actually go to the individual sites and sign it. I know from the

Doug:

other one

Rick:

I think you can. Yeah. Yeah. Yeah. But there's an aggregate one too where you can just pop it in

Doug:

and Some credit cards let you do it through them even.

Rick:

Yeah. Absolutely. Yeah. They'll partner

Joe:

with us.

Doug:

Big ones. And Credit Karma, I know they're owned by Intuit now, but they aggregate all of them together for you. And that was kinda neat.

Joe:

Yeah. Yeah. One of the things I learned, sorry, Justin, is 2 of the 3, and I can't remember which one it was, and I don't wanna call them out anyway. But of the credit bureaus, 2 of the 3 were super easy to freeze.

Rick:

Yeah. And the

Joe:

other one kept taking me to a sign up place for a service they had

Justin:

Oh, yeah. Which was

Joe:

a little scammy. Mhmm. And then, I finally found the help me article that took me to the,

Rick:

place where people just

Joe:

turn it off.

Justin:

Yeah. What were

Joe:

you gonna say?

Justin:

I was gonna say, and I also pay it's like $14. I forget. Something like that. But the wife and I are in it, and I get, like, I get quarterly reports on how my credit's doing and everything. I get instant things on anything.

Justin:

Like, if I apply for a loan

Rick:

Oh, any hits to the

Justin:

that day, I'm getting an email. Like, hey. Somebody just did a credit, you know, check on it.

Rick:

Hard check

Justin:

or something. Either on it. Yeah. So those are it's just nice. So, you know, I could probably get away for free, but it's nice having a consolidation.

Justin:

I don't have to worry about, you know, time to time.

Rick:

Your credit reports.

Joe:

So the next thing, well, actually, I'm gonna save this next thing for last. There are and maybe we could put this in the show notes, a place to check if your data is leaked, which I'm always super sensitive about putting my information and figure out

Justin:

what it is.

Rick:

Just type it in here and we'll tell you if this was actually what it was.

Joe:

And then there's more legitimate ones like the Have I Been Pwned website. Yeah. So that stuff's out there. So maybe we can direct people to that. Yep.

Joe:

But the last thing I was thinking about is and this comes up in a conversation. I can't remember the last business day that I haven't talked about this. Turning on multifactor authentication. Yeah. 100%.

Joe:

Turn it on. Turn on. Turn it on. I had an email. I couldn't make my CEO peer group this, week because I was taking my son to college, but I got an email saying, one of the topics Joe, where were you?

Joe:

One of the topics was multifactor authentication. I'm like, of all the times I missed, I missed the one where somebody in the group, I don't even know what it was yet, but I'm so jealous, so much FOMO for Yeah. Having not seen what was the conversation that led this group of CEOs to be talking about turning on multifactor authentication. Yeah. And that was one of the things that came out of the lessons learned here because the way they got popped was

Justin:

Mhmm. Could

Joe:

have been prevented with some multifactor authentication. Yeah.

Doug:

Cyber insurance has been really pushing that a lot because that's like one of their key tenets now. So I think that's why CEOs even are talking about it, not just CIOs and CSOs. I'm surprised too, like you said about the other thing. Why isn't it on by default? I mean, the banks stuff yeah.

Rick:

Yeah. I

Doug:

know. But but but what's going on are we gonna decide to

Justin:

that second factor depending on the factor you're using, like, because you don't wanna use SMS.

Rick:

Oh, are you saying why isn't MFA on by default, or are you saying why isn't credit frozen

Doug:

by default? No. No. MFA.

Justin:

Oh, no.

Doug:

That's not right. Why isn't MFA? Yeah. Because because for me, it's It's a second factor. If it's an option to it.

Doug:

Well, I mean, I'm saying even for some some banks and stuff, it's an option. It's not like you have to do this.

Rick:

Right. Alright.

Doug:

And I'm like, why is it an option?

Justin:

Consumer base, you know. It could be like an older base that, you know, there there's a lot of help desk, you know, type stuff that you have to weigh pros and cons. But aren't

Doug:

those the people that are getting scammed every day?

Justin:

Absolutely. I'm I'm not arguing pro or con. Yeah. I'm saying the reasons why easier?

Rick:

Yeah. Exactly. Well, it's actually a perfect segue to a thing that I would add to your list, Joe, in terms of things that you might wanna do in response to this. And this is less of a personal one, and some people might not actually wanna do this. But if you have grandparents or you have people in your life that constantly ask you for tech support, do them a favor and look them up to see if they've been breached.

Rick:

Mhmm. And there's two reasons. One that one's the selfless reason. These are people in your life. If you're their tech support, you're probably also their security person without them knowing it.

Rick:

And so if they're breached, they probably don't know it, and you could probably let them know and that's good. But here's the other selfish reason to do it. If I'm gonna get popped personally, it's because someone in my life has gotten breached

Justin:

Yes.

Rick:

And they're sending me an email that looks legit, and I happen to click that link in a moment of weakness. Absolutely. Yeah. So there's actually, and I was thinking about this too, it would actually maybe be a neat service for me to be able to like, drop high level contact information, right, like name and email address, and have it automatically hit the Have I Been Pwned database for like everyone in my personal contacts to report to me to let me know if anyone in my network has been compromised. So then if I happen to get a note from one of those people or flag it or or or pass it on, to let them know.

Rick:

Right? Because, again, that my biggest weakness would be my own personal network and the people that aren't

Justin:

tech savvy. Several big breaches that have happened like that. Absolutely right. RSA, you know, when they got their keys, you know, because of their multifactor, that was because they were working with some HR consulting group.

Doug:

Mhmm.

Justin:

And they they were going back and forth, and, basically, they upped the revision. They they compromised that consulting group

Rick:

Yeah.

Justin:

And then saw the communication back and forth. And they had access to the email, and they basically did a macro virus

Rick:

Yeah.

Justin:

Did just the normal pattern because they saw the email go back and forth, put it in this file, did it up, and then sent it from the exact same email address that they're, you know, conversing with. I remember getting that story. It was like, how are we supposed to prevent that? Like, what?

Rick:

But that's my pitch for look. If you have people in your life that are not tech savvy, do yourself a favor, and them a favor, and and and maybe give them a quick look up to see

Justin:

if they've been breached. Mhmm.

Doug:

Convert them over to Linux, then they won't have any problems.

Rick:

Yeah. They won't be able to

Justin:

use it. I tell you, so we have Jen's parents live with us and everything, and the amount of passwords lost is so many. Like, oh, looks like you just reset your password 3 months ago. Yeah. I forget it.

Justin:

It's like Well,

Rick:

they've all been told never write down your passwords. Like, well, actually, if it's in a desk drawer

Justin:

and you're

Rick:

in a mosque, you're

Justin:

probably probably okay. Yeah.

Doug:

Probably don't

Justin:

put it in

Doug:

a red notebook with big letters saying

Justin:

passwords on it. Right.

Doug:

Don't even But even that's not a Yeah. Yeah. You don't carry it in your purse Yeah. Or your car. I yeah.

Doug:

I think that not writing it down, I mean, in a business environment, absolutely don't write it down at your desk. But at home, what's the risk Right. Right in this environment?

Rick:

We're always looking for simple rules. So it's like never write down your password because if you tell people you can't, they're gonna put it on a sticky note on their and it's gonna go with them every time. Always. Don't write

Justin:

it down and say this is my bank's password, you know, or something like that. You know? It's like you write down, you'll be like, oh, yeah. That's what my password was.

Rick:

But again, like yeah. I mean, like, a notebook locked in your desk at your home office is, like, basically, it's gonna be roughly as effective as Like, you're calling me a bit, like, 1Password or something. Yeah.

Justin:

So And I love that. Like, my wife is fine on the, you know, password vault. It's been on that for years, but when we first started, it wasn't like that. She used, like everybody, the same variation of a password for all the different sites and everything. But now we use 1Password, love 1Password.

Doug:

A great tool.

Justin:

And we use the family version. She has her own vault. I have my vault, and then we have a whole bunch that we share, you know, that type of thing. And we share our most, like, critical ones. We share the common services, like Netflix passwords and all that stuff.

Justin:

And she's got on it that every single site that we create a new password, it's brand spanking new, randomly generated, looks like a Perfect. You know, type of thing. Like, I don't know what you're saying.

Doug:

Type it in your TV.

Justin:

Yeah. It's a ping. You know? Well, a lot of them

Rick:

are Oh, the QR code. Yeah. Exactly.

Doug:

Which which we're also teaching people never to use.

Justin:

Right. Yeah. I know that.

Joe:

BSides, the third BSides is Pittsburgh. We actually had somebody on who talked about QR codes and, John Delano came and covered it. Yeah.

Doug:

Those never and always statements are just a little Yeah.

Rick:

They'll kill you. I

Doug:

love QR codes.

Justin:

Yeah. Yeah. They're just links.

Doug:

They just know

Rick:

what you're doing. And trust your sources, whatever.

Justin:

I was actually angry. We were staying at a hotel with the kids, and there was some service we're trying to log into that didn't have a QR code to authenticate, like You had to type it. Yeah. You had to type it on a remote control. I'm like,

Joe:

come on.

Rick:

At least give me a tiny URL or something.

Doug:

Yes. Yeah.

Justin:

Alright. Doing one more? Nate, we got one more topic.

Doug:

You got one

Rick:

more in us?

Justin:

Time for one more. Yeah. What do you wanna do? What was the one that do you wanna def

Rick:

we could do Chevron. Chevron. Yeah. You you wanna kick it off? You said you'd you'd been looking at it for a while.

Justin:

I follow this

Rick:

stuff a lot Yeah. Yeah.

Doug:

For sure.

Justin:

And everything. So This

Rick:

is interesting.

Justin:

Yeah. So kinda give it a little bit of background. So about 40 years ago, there was a case, Chevron U.S.A. against, I forget what the government agency. But, essentially, the court came out and said, when there's kinda gray area in the law, the executive branch that's kinda governing over that has authority, like, we're gonna rely on them because they're the, quote, unquote, experts.

Rick:

So the EPA or the SEC or whatever. It doesn't matter. They can build

Justin:

regulation. Of the industry. We, as judges, don't know. We're just gonna say, yeah, you probably got it right,

Rick:

you know,

Justin:

type of thing. Yep. And so that was a famous case and it's been cited several times and everything like that.

Rick:

Which says, sorry, but 40 years 40 years of precedent, basically.

Justin:

Yeah. Right. And recently, with the last, what, month or 2, you know, it has, like, recon Last month, basically. By a case called, Loper versus, like, the something it's basically was a crab industry. And, essentially, what is that?

Justin:

The fish and gaming industry. They had, the right to basically, look at kind of the lobster industry and everything. Well, they took it to extreme. They're like, oh, for us to do this oversight, we need to place a person on your boat, which they're very small boats, you know, and everything. So you're only having a dozen, dozen and a half people, and they're like, well, we're gonna take up, on that.

Justin:

And not only that, you're gonna pay for us, a person on the boat. We're gonna charge you, like, $600 a day mandated because we're putting a person on your boat to pay for this and everything. Wasn't in law, anything like that. Obviously, it went all the way up to the Supreme Court and Supreme Court, you know, basically shut down to, like, no. Like, the So

Joe:

they're putting that person on the boat to help mandate catch limits

Rick:

to help enforce regulations. Yeah.

Justin:

Exactly. You know, with that. And so, you know, so that was a good win, you know, with that. It's like, hey. This isn't law.

Justin:

You know? Like, you can't just come up and say, here's a fee. Pay it. You know? Type of thing.

Justin:

Like, they're saying, like, you still have oversight, you know, responsibility, you know, into that, but you can't just mandate stuff to, you know, whatever you want, which is good. However, Chevron has been dying for years Yeah. You know, type of thing. Like, this was kind of the, final nail in the coffin. Exactly.

Justin:

You know, with that. There has been several cases where they have overridden the government on various things. They haven't kinda declared Chevron instead in this capacity. It's in several court I mean, you look at, you know, a lot of the COVID stuff where it was mandated for, like, the housing moratorium where, like, you wouldn't kick anybody out during COVID. You know, that came back, like, no, type of thing.

Justin:

You can't just mandate stuff, you know, to that. Or the OSHA thing where you had to get a COVID shot, They override them essentially saying, no. You just can't make it up, you know, type of thing. So this Chevron doctrine has been kinda dying. And to be fair on the Supreme Court, they basically said, like, we're not gonna ignore what the executive branch kinda says.

Justin:

You know? We're gonna take it as input, you know, into that. But our decision is still the end decision. Like, we're not gonna say you're right. We're gonna say, we'll listen to you.

Justin:

It's an opinion. You know, like anything else in a court case, like, we'll listen to, you know, your opinion onto it and weigh the the pros and cons on the facts.

Rick:

But I think one of the big one of the big changes from prior, you know, almost similar Mhmm. Rulings is in this one, they said, okay. Now we're inviting, to an extent, for a period of time, right, organizations that want to challenge specific regulations, and they always kind of could. Mhmm. But now there's a a much easier path to do it for people to challenge even potentially long standing regulations.

Justin:

Right? Yes. But they also said, specifically in this decision, no prior decision is basically instantly No prior court court decision. Yeah.

Rick:

Absolutely. You know?

Justin:

Even the ones that said Chevron, you know, with that. But they basically said, like, there's not an incident overturning. Now that doesn't mean you can't go through an another appeal process, you know, if

Rick:

you wanted to. My question or when I was thinking about this a little bit from a cybersecurity perspective is oh, okay. Because we all work we've all worked with many many different organizations, some of whom really wanna do the right thing from a security perspective, some of whom, the security people that are trying to do the right thing there really need to use the compliance hammer to get certain things done. And so in organizations where the leadership philosophy might not be, right, even they might be a bit too egregious in terms of hey, let's let's get away with whatever we can from a security perspective. If it's not a problem it's not a problem.

Rick:

And to be fair, some of that's business decisions. Right? Ethics. Ethics. But there's a lot of there's I I or I wonder if there's a lot of practitioners that have relied on a compliance hammer for

Doug:

a while I've heard people speak on that.

Rick:

That may no longer have that compliance hammer or may might no longer have that partnership, particularly when it's driven by specific industry regulations.

Joe:

So what's something that's, how does this affect cybersecurity?

Rick:

So I mean from a regulatory perspective, right, one of the things that popped into my mind immediately was like the New York Department of Financial Services. Right? So they recently put out, a bunch of additional cybersecurity guidance.

Justin:

But that's state versus federal.

Rick:

It that it's another wrinkle for sure. Right? Which I'm absolute not a lawyer. I don't know how that stuff necessarily resolves, but I think there's probably things like that. Right?

Rick:

And also I mean there's a bunch of state privacy law and stuff like that too which I believe come out from a regulation perspective. Right? They're from specific agencies. Whether it's SEC or consumer protection or whatever.

Joe:

FCC, let's talk about that.

Doug:

Yeah. Right. That's a

Rick:

good one. Right.

Joe:

Report requirement

Rick:

Right.

Joe:

Of a material breach, and now they're mandating things as an agency

Rick:

Right.

Joe:

That hasn't been made law.

Rick:

Right. And so I think the the sorry. The regulations that are almost in this halfway state are gonna be particularly susceptible to this because, there hasn't been a bunch of kind of challenges already that have then been lost due to Chevron. Right? There really haven't been any challenges.

Rick:

And so I think or at least I'm curious as to whether or not there's gonna be a bunch of regulatory things that are starting to be put in effect, and all of a sudden people will, no, our lawyers are just gonna fight that.

Justin:

And I and I also wonder

Rick:

if it means that certain resources that used to go to cyber, right, wrong, or indifferent, right, used to go to security stuff, now go to legal fees to fight the battle as opposed to potentially, you know, plugging the holes.

Justin:

Yeah. But it'd be have to be a high enough legal like, it'd have to be a high enough negative impact to go to legal to fight that against the government. The government had big pocketbooks.

Rick:

So that's true. But I also could easily see I mean, there's huge lobbying industries.

Doug:

Yeah. Something's that industry doing it, not a

Rick:

consortium. Right.

Doug:

Yeah. Yeah. And unlike something like Sarbanes-Oxley, which is actual law.

Rick:

Right.

Justin:

Right.

Doug:

Right? And these are things that are they they these agencies feel empowered to do it Absolutely right. Out of the executive branch.

Rick:

Yeah. And and so that's It's interesting.

Doug:

I know what laws I mean, the the COVID examples, for instance, and the things done with that are great examples of where there may have been some overreach and stuff like that. But I wonder what else.

Justin:

What Yeah. So HHS, there has been several fines overturned Right. Where the company, like, basically mishandled health care data in some capacity, and HHS, CMS comes down, like, here's a big fine. And they're like, no. And there's been several overturned reports, with that.

Justin:

It's not huge. Like, a lot of people

Rick:

No. But again, part of the Chevron Yeah. You know, that's tuned out.

Justin:

This is pre-Chevron.

Rick:

You know? Yeah. That's what yeah. That's what's

Joe:

going on. HHS does a lot of settlements now

Doug:

Right. Where they

Joe:

come to an agreement, and it doesn't get to the point of an actual fine.

Rick:

But they and they were about have they already started, or they were about to launch all those additional audits. Right? They're about to pick that back up from a HIPAA perspective.

Joe:

Heard much about that

Rick:

moving forward. The announcements up here.

Justin:

I remember the We're, like, administration, like, transition, and so there's a lot of, like, frozen priorities. No matter who gets elected in the next administration, like, everything's kind of, like, who knows who's gonna be, you know, next elect. And there's gonna be different priorities from the Biden administration to either, you know, the Harris or the Trump administration. So they're, like, do we do it? Do we not?

Justin:

You know, type of thing. Like

Rick:

The other impact I think it could have though in in what you said put me in the mind of this as well, like, well, some of this is because regulator regulators are empowered to make certain decisions that's not actually codified in law. Right.

Justin:

Not by congress. Not

Rick:

Right. One of the potential impacts potential impacts of this is we might start to see more specific things in law. And I don't know if I don't know if that's a good thing or a bad thing. So the HIPAA

Doug:

That could backfire as much as it could be helpful. Right?

Joe:

It it will to to that point, it's gonna slow things down.

Rick:

It's gonna slip. Yep. Because

Justin:

HIPAA's updated all the time. What are you talking about?

Joe:

But the, ability to enforce some of this stuff will be slowed down because Yeah. You're not going to be get get something out there from an agency that actually could protect consumers.

Rick:

It has that specific mandate to focus on that subject matter. Now it's gonna be, you know, the senate and the house and, you know, make a law that defines all these specifics potentially or a number of specifics.

Justin:

Yeah. But the government can't keep up, especially the federal government. Can't keep up with cybersecurity.

Rick:

That's my point. So is there gonna be is there gonna be, to some extent, a wiping out of this compliance hammer?

Doug:

That I was trying to remember, is NERC, is that codified or is is is that, or is that through executive orders and stuff or through an agency. Right? The energy department. I'm it's kind of interesting

Rick:

because I have a guess, but I'm not even gonna say it because it's more of a guess than anything else.

Doug:

I thought

Justin:

it was mostly EOs,

Doug:

but I don't know. Yeah. That's what I that's what I thought. I didn't think it was a law. The the fines there are outrageous, and they're so far behind.

Doug:

Yeah. Absolutely. It's just amazing that that those regulations Well,

Rick:

they're far behind, but then I mean, I know I've worked with a couple organizations that still struggle to actually implement. Right? And so without that additional push, you know, does does it

Doug:

I'm not saying we don't need. I'm just wondering if

Rick:

that's something.

Joe:

Actually because, you know, I'm not sure how reliable this search result is. But under the previous Chevron framework, courts often deferred to FERC's interpretation of ambiguous statutes.

Rick:

Yeah. Yep.

Joe:

And so the two principles of interpreting the, Chevron deference is, one, if the statute's clear and unambiguous, courts must enforce it Yeah. To its plain meaning

Justin:

Right.

Joe:

Without deferring to any agency's interpretation. But if the statute's ambiguous or silent on the specific issues, the courts then defer to the agency. And so that's the whole principle of the,

Rick:

Chevron deference. When when Chevron deference is a thing.

Joe:

Yeah. Yeah. Yeah.

Justin:

Oh, that was the whole thing. Yeah. That was what I was saying. Yeah. Yeah.

Justin:

In the gap or Yeah.

Rick:

So now that it's not, it has to go to court for a ruling. Right. And really nothing changes until there's a ruling because you can't say, well, you must implement multifactor until we have a ruling. It's gonna be you don't have that. Right?

Joe:

Make things law before they can be enforced. Right.

Rick:

That has that has to be specific. And again, I don't know, but I don't necessarily have a ton of faith that there is enough time in the day to make very specific cyber changes. Exactly. Exactly right. Yeah.

Doug:

There there's there's ways to put guardrails in. Right? I mean, we even can look at GDPR and see what they did right and wrong. Absolutely. You know what I'm saying?

Doug:

And I

Rick:

think Think about your risks.

Justin:

Tie what you have

Rick:

to do to your risks. You know, do some best practices.

Joe:

So why this is not a regulation, but a contractual obligation. So

Justin:

you're talking about CMMC.

Doug:

Yes. Oh, I'm talking about PCI.

Justin:

Oh, that's even so interesting. Like that too.

Doug:

CMMC is too. Yeah.

Justin:

Yeah. No years. No years. Yeah. Exactly.

Rick:

But contractual obligations that say, oh, yeah, you're gonna you're gonna maintain your ISO cert or you're gonna make sure you're doing a

Justin:

Or a CBN or SIM. Like, hey, you're you're taking some money from the government, so now we're Once you're

Doug:

taking money from the government, they're Yeah.

Justin:

They got you. Yeah.

Rick:

That's true too. But that's a great point. The contractual obligations thing is absolutely true.

Joe:

Yeah. And I didn't even think of all the other ones. I was just thinking PCI because That's

Justin:

what I

Rick:

was in my head too.

Joe:

Yeah. Old school, thought is everybody says you gotta follow the PCI law. Remember that back in the day? And it's like, no. It's not contractual obligation.

Rick:

But they're not even they're not

Justin:

even they're not

Rick:

a government lawyer. That's awesome.

Justin:

I think Utah codified, PCI into the law, which is Did they really? Easy. No. I have to validate it's Utah. It's one of those, like, mid, like, you know, right next to California, like, Utah, Nevada.

Justin:

I think it's Utah, though. But they basically said you have to follow PCI, which is insane to me. Like, what have you, like, PCI Pass? Like, you have to give us your bank account, like, inform like, you know, like, they're pointing to an external source they don't control.

Rick:

Yeah. It's not even a government entity.

Justin:

Right. Exactly. Like, you know

Rick:

That's interesting.

Justin:

Yeah. But, yeah, they codified that you have to now it's not really largely enforced. I think it's meant to be there for an AG perspective to say, were you following PCI or not? Minnesota. Then I'm gonna Minnesota.

Justin:

There it is. Yeah.

Joe:

First state to make PCI compliance law.

Rick:

Yeah.

Justin:

There you go. Wild. Yeah. There you go. Yeah.

Justin:

But I By the way, it motivated me. Right?

Doug:

Part that gets me is what happened in Minnesota for them to think that that was important enough to codify it?

Justin:

Did you

Doug:

know what I'm saying?

Justin:

It was probably, you know, breaches and everything else. They're like, oh, but how can we go after these big breaches and get a little bit money after? And, you know, no matter what breach happens, like, even the, what was that? Bob Russo who was, president of the PCI Council years ago. I think it was Target he was coming out.

Justin:

It it was a big breach in the news, and they asked him for comments on it. And he's like, I'm sure they were not PCI compliant. Not knowing any facts Right. About it. He's like, I'm sure they weren't PCI compliant, you know, type of thing.

Justin:

And so it's meant from a more vague, like, CYA There's always gonna be

Joe:

a smaller friend. That's an inception comment because if you were actually breached, then you wouldn't have been breached had you been PCI compliant.

Rick:

Right.

Doug:

Right? Yeah. That's the right.

Justin:

But it could have been a zero day, and they could have been patched. Like, again, they weren't. But, you know, the thing is it's meant to be a shield for the card brands, you know, and everything. Like, I'm sure they weren't compliant, so, yeah, we'll have to deal with them because they're bad, not us. You know?

Justin:

They're bad. You know?

Joe:

One of the things that I think makes laws get into place are AGs. Yep. Who wanna become governor. So think about that as politically motivated, and I don't know

Doug:

Yeah. That's the wrong place for laws to be motivated from political.

Justin:

You're talking about Kamala Harris with the AG No.

Joe:

I'm talking I'm talking about Minnesota. Minnesota.

Rick:

I think yeah. No. I think that's yeah. That's a fair point though.

Justin:

Yeah.

Rick:

That's a triggering

Joe:

So who why why did this happen? I don't know why. Yeah. But I would look at that.

Doug:

Those are the those are the things that always interest me the most is trying to unwind the history behind

Justin:

Yeah.

Doug:

Like when you were talking about the scotch that I'm gonna have to research that.

Rick:

That's why I'm

Doug:

gonna back to something important.

Justin:

Not to get all, like, biblical or morality and everything. I think there's largely, like, two schools of thought is we'll make everything illegal to try and shape society or make everything free and just punish the the people that are doing bad, you know, type of thing. Like, those are big like, we got all the, with the Prohibition era, like, don't drink alcohol. Like, that's bad and everything. Backfires.

Justin:

And then we're like, yeah. Exactly. It backfires. Like, okay. You know, you know, some of that stuff.

Justin:

Like, there's a different school of thought of trying to, like, control society or let society free and just get rid of the outliers,

Doug:

you know. It's interesting on that thought to look at

Justin:

you know.

Doug:

Amsterdam and how much they changed since they their their their jails were full. Mhmm. Then they legalized all this stuff, and it flipped around, and now other countries are paying them to put people in their jails. Yeah. And I've been in Amsterdam a few times.

Doug:

It was awesome. It was I didn't feel I didn't feel like I do maybe in Las Vegas.

Justin:

Right. Do you

Doug:

know what I'm saying? Where everything's almost illegal. Right?

Justin:

Yeah. And I was just there for DEF CON and everything. You walk down the street, you see homeless people and all that stuff. You know? You know, it's an interesting school thought another for another podcast and everything.

Doug:

It is. It's a biblical

Justin:

Yeah. Exactly. Like, I often compare it because I you know, I'm a Christian and everything, but even God had temptation, you know, in the the Garden of Eden, you know. Like, if he tried to eliminate all temptation, you know, he would've not had the tree of good and evil, you know, in the Garden.

Rick:

This feels like it's circling back to ethics somehow.

Justin:

Yeah. Exactly. You know?

Joe:

So let's circle back even further and,

Justin:

we started with the removal of temptation. It's the doing good in spite of that temptation. Yeah.

Joe:

So, it seems like we had a really great, episode here.

Rick:

Thank you so much for coming.

Doug:

Yeah. Thanks for inviting me. Cheers. Nice to be invited back

Justin:

at some point. Absolutely. So thank you, everyone. Thank you for tuning in. Please comment, like, and just, share, with this, episode.

Justin:

This was a really good one. I think, we might have some few guests, later, and thank you for being the first one here, Doug. So alright. That was nerve. Yeah.

Justin:

Thank you all. See you. Bye. Thanks. Cheers.

Creators and Guests

Joe Wynn
Host
Founder & CEO @ Seiso | IANS Faculty Member | Co-founder of BSidesPGH

Justin Leapline
Host
Founder of episki | IANS Faculty Member

Rick Yocum
Host
Optimize IT Founder | Managing Director, TrustedSec

Doug Salah
Guest
Director of Cybersecurity Engineering & Operations • Global Security Program, Compliance, & Team Leader