Innovative approaches to cyber security awareness training with Craig Taylor
In this episode of SecureTalk, host Justin Beals, CEO and founder of Strike Graph, discusses cybersecurity awareness training with Craig Taylor, CEO and co-founder of CyberHoot. They explore the evolution and significance of security training, particularly in light of the rising number of phishing attacks. Taylor shares insights from his extensive background, including being a senior risk analyst for Computer Sciences Corporation in the development of one of the first cloud hosting platforms. He also shares his experience as a virtual Chief Information Security Officer (vCISO) and the growth and success of CyberHoot.
The conversation highlights CyberHoot's innovative use of positive reinforcement methods in their approach to automated training and examines the role of artificial intelligence (AI) in both creating and combating cybersecurity threats. They also discuss the future of AI in security training and provide practical steps that companies can take to enhance their cyber resilience.
00:00 Introduction to SecureTalk
00:34 The Importance of Security Awareness Training
03:18 Craig Taylor's Journey into Cybersecurity
05:25 The Evolution of Technology and AI
15:30 The Role of Virtual CISOs
21:48 Building CyberHoot: From Services to Product
25:17 The Ineffectiveness of Shock Collars and Negative Reinforcement
26:21 The Power of Positive Reinforcement in Training
27:21 Challenges with Fake Email Phishing
27:51 Cyberhoots' Approach to Phishing Simulations
28:50 Gamification and Positive Outcomes
30:26 The Anxiety Around Cybersecurity Training
31:39 The Problem with Traditional Phishing Tests
33:13 Emerging Best Practices in Cybersecurity
38:53 The Role of AI in Phishing and Cybersecurity
45:16 Future Perspectives and Rapid Content Creation
48:46 Conclusion and Final Thoughts
Secure Talk - Craig Taylor
Justin Beals: Hello everyone and welcome to Secure Talk. This is your host, Justin Beals. I'm the CEO and founder of Strike Graph. Today we're going to be talking about security awareness training. Security awareness training has been around for quite some time. It's especially emerged as a prominent issue as we saw a rise in phishing.
Where essentially our staff and teams, as they gain more access to critical systems, became a target for hackers in pursuit of a major data breach. One of the most commonly executed forms of awareness training is quite simply that all hands once a year when your security leader comes on and provides a PowerPoint presentation, usually covering major important topics like what types of assets are we collecting, how do we keep them safe, and what to look out for where a hacker may be trying to engineer an outcome such as a data breach.
Of course, we usually leave these particular training sessions with a mix of apathy and angst and try to get back to our day to day lives of doing the work that we need to accomplish. But what we know is that this form of security practice by all of our teams and all of our staff is actually critical to mitigating threats.
98% of common data breaches include some form of social engineering in executing the breach, and so it is an incredibly common theme and an incredibly easy target for hackers. Because we humans are just as programmable as some of the machines that we work with.
Today we're going to be meeting with Craig Taylor. Craig is the CEO and co-founder of CyberHoot, a SaaS platform dedicated to promoting cyber literacy in a positive educational setting. The company primarily focuses on supporting managed services providers and the small to medium-business market. Craig has served as a virtual chief information security officer for several years and was the lead information risk manager for Computer Sciences Corporation during the development of their cloud hosting division.
He has held the Certified Information System Security Professional Certification since 2001. Craig possesses a deep understanding of cybersecurity awareness and has been a leader in helping teams operate within a security-conscious environment.
Please join me in welcoming Craig to the podcast today. Craig, thanks for joining us today on Secure Talk. We're really grateful to have you and your expertise with us.
Craig Taylor: Thanks, Justin. I'm really excited to be here.
Justin Beals: Well, we always love a really good origin story here at Secure Talk, and it's a great way to learn a little bit about, where you come from and what you're working on.
So, tell us, how'd you get interested in computing, and then we always are curious how you found the opportunity to make it a career.
Craig Taylor: Well, you're going to date me if I answer that question from the beginning. I had an Apple IIe back in the mid 80s, and that was a really brand new computer, and people were just trying to figure out what is this thing.
So I kind of played around with that, but you know, I have a real love of learning and teaching and coaching and education. And I went into school, and I studied psychology, of all things, learning how, what motivates people to learn, how do they learn different learning styles. And while I was there doing my you know, undergraduate degree in psychology.
I worked in the computer science lab, and I quickly realized that I wasn't going to go for a PhD or a master's and there's a limited number of jobs you can get with an undergraduate in psychology. So I was trolling something called the news protocol. There's an old, old, old protocol where you could look for jobs on a news protocol.
Anyways, I found a job for a firewall vendor. And I had limited experience with the internet at that point, having worked in the computer science lab in 1992 when it was text-based email, and you could type faster than the terminals kept up and all that good stuff. So, I knew some rudimentary protocols of the early internet and they hired me for almost no salary. That was probably the bigger thing was I didn't cost very much not having a psychology degree, and I got into cyber security. I've been in there ever since probably 32 years now. If you go all the way back to the time in university, it's been a beautiful, wonderful journey. I've really been able to marry my love of learning and my teaching and cyber security all together into my current company, CyberHoot.
Justin Beals: Yeah, it just resonates with me. I have my old Apple BASIC book somewhere laying around from when I used to work on the computers in the computer lab a long time ago. I find this touch point around learning true for me as well in computing. I think both you and I grew up as we went from, you know, computers as standalone devices to network devices.
And it was so much to invent and learn how it worked that I never feel like I always feel like I'm playing catch up and that's exciting in a way. Yeah.
Craig Taylor: Absolutely true. I'm often trying to think of how does technology exceed our capacity to cope with it? It seems like the world is advancing faster than the social norms, and the best practices can be discovered and followed and documented and understood and accepted.
You know, it's a real catch-22 that we're faced with.
Justin Beals: Yeah, it is moving very quickly. I've been, you know, for example, I've been trying to catch up with shared ledger technology lately. I think it passed me by and died before I had a chance to read a good book about it and kind of understand it at a code level. And I think also what's a little terrifying is that we're all using this technology before we really understand it.
Craig Taylor: Yeah. I made it a personal goal to use the early AI solutions out there, ChatGPT when it was at the very beginning, probably 24 months ago, because I knew from what I had read. I mean, three years ago, we heard from really bright people that AI was going to be the next big thing and how big it could be.
If you believe Bill Gates, he said AI will be more revolutionary than all of the technology changes that the world has experienced to date, right? And now, if it has to be believed, you should get on board and figure it out. So, I've been using it and trying to understand what are the benefits. What are the negatives, and how do we cope with everything in between?
Justin Beals: Yeah. It's tough. I, I also sometimes rail against like the technology hype cycle. It's hard to know. I'm a little jaundiced in that. I've been burned a couple of times by like, Oh, you know, Java. It's you're gonna write once run anywhere. It's gonna be the code to rule them all. And, of course, it never comes true.
You're like, God, I have to drink this for this other environment. Although I did, I have worked in data science for a while now, starting with some work in education, and I do find it Intriguing, but I'm not sure I see the leaps that we talk about. Like I see a continuous improvement, but I do think people are catching on to what's powerful about it and what it can do.
You know, are you, are you still using ChatGPT in your day to day work? Is it, is it a part of
Craig Taylor: Every day? I have a tab open now. I use it to find out more about Strike Graph and what your company does. I use it when I'm going on a pre-sales call to understand in a single paragraph what the company does and is and what their cybersecurity concerns might be when I'm talking to them.
Our background, we're producing AI videos with scripts that I write through ChatGPT, and then AI builds the video actually afterwards. And they're incredibly good today. I mean, nine, nine, 10 months ago, it was laughable. The face and the voice were out of sync. It was not good. But today the videos we could produce to teach cyber literacy skills are almost indistinguishable from reality, from videographers producing the videos.
There are some telltale signs, like, for some reason, AI can't spell. You have an image with a word in the background. It's going to be like, in my screen, it says behind every good student is a great dad. It would have just gobbledygook in that space, right? It wouldn't have anything meaningful there.
So there's still telltale signs of it, but it is incredibly helpful. One of my favorite tips, you know, in trying to figure out what AI can and can't do, I feed it EULAs of AI digital assistants, like one that might listen in on a Zoom call, Fireflies and some others. And if you ask it, what are the concerns from a data privacy perspective in this EULA?
In two seconds, it'll tell you, well, they mean to sell and market your data, or they profess to protect it and secure it. Okay, now I know whether I can use that AI agent or not. So there's some really very painful things that I used to have to do as a CISO that I can just automate now in a few seconds and, you know, if you know what you're looking for and you can edit and modify the outcome of an AI output, you're standing a pretty good chance of getting a good, good result.
It still requires a certain amount of oversight and guidance and good prompts and all of that stuff, but it's been very, very useful in my business. I'll be honest.
Justin Beals: Craig, I want to come back around. I'm really curious about developing curriculums utilizing AI tools, but also you had something in your background that really intrigued me.
You were a lead information risk manager at CSC, a big company, and I think you helped from a security perspective in their cloud solution. You know, as they were developing a cloud-based platform. Love to hear a little bit about that experience.
Craig Taylor: Well, that's going back at least 24 years because in 1999, Computer Sciences Corporation was a large international managed service provider.
And they had clients that had, you know, footprints all over the world. And they decided that the internet was really going to be the next big thing. And they didn't want to maybe the website developers or things of that nature. What they wanted to do was host the infrastructure and allow other people to put their websites in our data centers.
And I say ours, it was CSC at the time. They tapped me on the shoulder because I had a fair amount of broad-based experience in Internet, firewalls, cybersecurity, and we set about to trying to build this thing. And the first revision, I'll be honest, was so overbuilt with different firewalls at different layers of the architecture.
So imagine a website today, a high-functioning website will have a web layer. It'll have load balancers to balance across multiple websites. There'll be an application layer that sits below the web browser to broker communication to the database. Well, each of those are layers. And we decided let's put a Gauntlet firewall in the middle, let's put Check Points on the outside. Let's put Check Points on the inside and, and then an administrative layer on the left that will talk into these different things on admin ports. And we overbuilt this thing massively.
And it, while it worked, it was enormously difficult to support. And so we went through a few iterations and we pulled different thread threads and things out and kept other things.
And we put in IDS intrusion detection systems, intrusion prevention systems, and monitoring real-time and all sorts of different things. So we're really early internet examples of best practices. And I'm pretty proud of what we accomplished. We had some pretty big-name brands. I won't tell you who they were, but there were big multinational companies.
We had a data center in Newark, Delaware; Copenhagen; Sydney, Australia, with this idea of follow the sun. Like if we could just put people in each of those locations for eight-hour shifts, we wouldn't pay overtime, but we'd cover a phone call at any time of day or night for many of these companies.
Now in practice, it never worked out that way. Our U.S. companies only wanted to be in the U.S.; our European companies had, you know, pre-GDPR. So they had, you know, they had different, they had their own flavor of data protection back then. This was 2000, 2005. AWS didn't exist, right. There was no such thing yet. Yeah, we built it.
And, uh, a lot of sleepless nights trying to figure stuff. I, in fact, to this point, I always tell this story, if you look at my keyboard, it lights up. And this is probably 10 years old, 15 years old. Now, I used to get woken up in the middle of the night. And if I could just type in my password without having to turn the light on, I could probably go back to sleep because it was going to be a false positive IDS IPS alert that I could not have to really deal with until the morning.
I got these once every week pretty much. So, the keyboard lighting up allowed me to log in remotely, check the thing. Oh yeah, we've seen this before. Everybody stand down, go back to bed. And I wouldn't have the full white light effect and wake up and be staring at the ceiling for the rest of the night.
Justin Beals: Yeah, that's painful, but I mean, I certainly remember a lot of my computing experience where we had colo facilities or infrastructure or an application where it's like, uh, yeah, you woke up in the middle of the night to keep the hamsters running.
Yeah. I also just find it intriguing that CSC was building cloud computing resources so early on. It is fairly visionary, but you have a tendency to over-scope the product. You know, there's, there's a model. Yeah.
Craig Taylor: Well, there was no idea that said, Oh, this is enough. How much security is enough? Well, everything was first generation first, you know, brand new.
And so we applied, you know, I was a CISSP in 2001. So, as I started into this journey, I had secured that, I studied the best practices and encryption, you know, encryption of data at rest. You had a, there was not a lot of tools out there that gave you that. And then, you know, my original argument with one of the IT folks was Triple DES doesn't, is not enough.
We need to get to this new thing called AES. And you know, if the government's okay with Triple DES and we're okay with it, but they're not, they're changing it. Okay. So, you know, that was part of the backups and the data at rest and all of those good things.
Justin Beals: Yeah, you've been a vCISO. So, providing advisement around security for many years, a deep expert, you formed some communities around it.
We partnered with a number of them in our work at Strike Graph. And I certainly met some over the years and, and, you know, very smart folks. But I'm always curious. I'm curious your opinion. You know, really, if I were a buyer, why would I hire a vCISO? So what should I look for them to help support me and my company?
What's the best way to be a smart buyer of vCISO services?
Craig Taylor: Well, let's first sort of justify the existence briefly. We all use a doctor. We don't hire a doctor full time, not in a company, very rarely in a company. Same for a lawyer, same for an electrician, a plumber. Why did we, for 20 years, think we had to hire a full-time security person?
It was a disservice to the companies doing it because that security person became an island, and they only talked to their own IT team. And, you know, maybe they go to a few conferences to learn some best practices, read a few books, listen to podcasts like this one, but their exposure to the best way to do things and the challenges that they faced was quite limited. They were lone wolves. So to my way of thinking, a virtual CISO is the best of all worlds. You get to leverage someone who has experience and vision into 10 other companies potentially, and what's working for them, what's not working for them. If they're smart, they join peer communities.
I run a peer group of virtual CISOs. Now we have grown from 5 to 20 in the last three years, because all those lone wolves wanted to bounce ideas off of someone. And yeah, it's okay to have to go to an ISC squared or, you know, ISACA meetings, those sorts of things. Those are all great places to go, but from the comfort of your own home on a Zoom call, it has proven to be extremely valuable.
So the case for a virtual CISO is powerful from that perspective, but there's a shortage of good cybersecurity expertise in the marketplace today. Any research that you do on this shows that there's more demand for people with your skills in mind than can be met. And if people are hiring them full-time, then they're further exacerbating that problem.
So virtual CISO is a better way to serve the needs of the global community of businesses, while spreading us a little thinner, giving us more exposure and experience and serving that shortage of expertise and talents. Now, the company benefits because it costs less money. You might be a small to medium-sized business, and the most you need is three hours a month of consulting to fill out a questionnaire on cyber insurance, to handle a rare case of a security incident, to build some governance policies, to do some awareness training if you don't have an automated tool, to make sure the technology stack is covering all the bases, backups and data locations and, you know, privacy requirements, a privacy policy on your website. How does that work? All of those different little things, three hours a month, and you might be golden.
You know, it won't be cheap hours. I would say that you're going to have to look at two hundred and fifties, 200 to $300 an hour for those three hours, but it's a lot better than a, you know, $180,000 salary at the low end. For a real, like for someone with your experience, you're talking 350,000 for a full-time position.
Justin Beals: Yeah. And as well, you know, is there that much work when you're a smaller concern, say sub a hundred employees.
Also, depending on what you're doing. That's excellent. And do you think about these as long-term relationships with your vCISO? So someone that you're always, you know, building a rapport with, building an understanding with?
Craig Taylor: Yeah, as long as the relationship is working, it is a long-term relationship. At CyberHoot, we have, we developed a product that does the cyber literacy training, but we funded the development of that product on the backs of our virtual CISO offering.
So offering years ago, we had two separate companies, and before we had product market fit on the product, we weren't making enough money on it. We had a very effective virtual CISO offering. So we combined companies. And the, the experience, the being in the trenches of a virtual CISO engagement for two dozen companies really helped us inform the product's development to meet the needs that we were seeing every day, every week, every month.
And it was a beautiful marriage and it funded the development of a product that now has excellent product market fit. People really appreciate and enjoy the cyber literacy training that we do with a positive reinforcement approach. We can talk about that sometime, you know, later, but the virtual CISO is what helped it happen.
And, you know, my background in that has just been a beautiful experience because we've helped so many companies. One of the companies that I started out with seven years ago still remains a vCISO client today, you know, like you, I'm a CEO of our company. I've had to hand that off to someone else. I happen to find a gentleman.
I'm wondering how much I can tell you about him. Let's just say he ran a 20 million budget at a major medical manufacturer for many, many years. And he's semi-retired, but he wants to keep his mind sharp. He wants to help the community out. And he said, you know what, I'll subcontract to you, Craig, and I'll help you run these different companies.
So I put him in charge there and he's amazing. Sometimes he's a little over the top because when you have 20 million and 20 people, that's more than a mid-market company with 250 people can really, you know, they can't go to the same level of specificity, process, change management, etc. So we have to, we kind of have this healthy conversation around how much change management is enough for a company of that size, you know?
Justin Beals: Actually, I love that you started chatting about CyberHoot a little bit. You know, first of all, I think it's very powerful that you made this transition from a services to a product business. It's incredibly hard to pull off. So, kudos, Craig. Not an easy task at all. Um, and tell us a little bit about CyberHoot?
I, I know that you've, your background in psychology has probably helped, but how have you kind of focused on differentiating cybersecurity awareness training on, on CyberHoot?
Craig Taylor: If it's all right with you, I do owe some credit to the co-founders that joined me to build CyberHoot because they share the good.
Yeah, it's good. They did the heavy lifting, right? I wish I could take credit like I was some Steve Jobs, and they were the Wozniaks, but that's not how it is. They had so many great ideas and they've done such a beautiful job of building the tool. They're really good listeners. So Brad Margist and Chuck Taylor, no relation to me.
We all work together. Years ago at CSC, funnily enough, we had a good experience there working in different flavors in that web hosting arena, the early days of the internet. And, you know, we've parted ways, and I went to JPMorgan Chase, and I worked at Vistaprint. And then we sort of figured out, you know, it's time to be our own boss.
Let's take all this knowledge we've gained in these early internet experiences and do something to make a difference in the world for the SMB community, the small to medium-sized businesses of the world that were at the 10 years ago when we founded CyberHoot, they were left behind. They weren't, there weren't really good automated solutions that met the needs of those companies.
There were really good solutions for multinationals and people that could afford 10 people to administer and roll it out and fix it and troubleshoot it and all that sort of stuff. But what we set out to do is build a product that was 100% automated, that dealt with basic cyber literacy skills around phishing, password hygiene, social engineering, and then threw in a variety of other topics that were germane to cyber security, but you didn't have to hit them on the head with it every month.
Things like removable media. Why is a little USB stick a really dangerous thing if you find it in the mail? Parking lot, elevator, lunchroom, you can't stick that in. Not many business owners have watched Mr. Robot to see what can happen when that, when you do that. But it's a really bad idea, don't do it.
Give that to your IT department or your MSP. So we built CyberHoot together, Chuck, Brad and I, and really built a magical product that I take credit for adding the positive reinforcement methodology, kind of through one of those “aha” moments, Justin, we had been working with attack phishing or the fake email phishing to the inboxes.
And it was what we had built just didn't cut it for what was on the market. There were better products out there, and we kept struggling to try and figure out how can we make this better? How can we beat the competition? And something went off in my head where I, I had a coin and on the one side was in my mind, negative reinforcement.
What is that? Negative reinforcement training says we're going to punish bad behaviors to reduce those behaviors. Imagine a dog with a shock collar that you don't want to leave the yard because there's a road right there, and if they left the yard, they could get run over. It's a really tragic, terrible outcome.
So we need to make sure they never leave the yard. Put that shock collar on, you'll drop that behavior, you know, barring a squirrel chasing across the road. I've seen some dogs that just ignore the shock collar and chase the squirrel. You're going to tamp down that bad behavior. That's what we were trying to perfect and fix.
And that's what the entire industry, quite frankly, for the last 20 years has been doing. It doesn't work. I can show you an empirical study today of 14,000 people over 15 months by the University of Switzerland in Zurich. And they concluded that attack phishing, or the fake email phishing as the industry commonly rolls out, actually has an unexpected side effect that leads to end users actually clicking more often, not less often, since the 6 billion industry venture capital partners bought KnowBe4 for 6 billion and are more than, you know, building this world of negative reinforcement training.
So the aha moment was this, Justin, I said, well, there's another side to that coin, positive reinforcement training. What is positive reinforcement? Well, in the dog analogy, you go to the dog park, and you take the shock collar off and you bring treats. And you say, okay, when the dog does something I like, I'm going to give them a treat.
And for those dogs, not every dog is positive food motivated, but most are. You give them that positive reinforcement, you can accomplish amazing things. Positive reinforcement theory increases positive behaviors, like looking at the sender of an email and saying, Hmm, is there anything really strange or minutely different about that domain name that might be something called typosquatting, where they take an M, um, in Microsoft or Amazon and they turn it into an R and an N, and when you put it right together,
it looks like an M unless you're very carefully looking at it, or putting a period in the wrong spot, or dropping a letter from Netflix. There's no I in the end. That's a typosquatted domain name. The reason that fake email phishing doesn't work so well, Justin, is that you cannot use typosquatted domain names.
One user reports it as spam. The legal team at that vendor will contact you as a supplier of these training methods and say cease and desist. You can't impersonate Facebook, IRS or Zoom. Those are three companies that sent us letters saying, stop impersonating us. So, we had to stop doing what is what hackers do.
The reality of the world is that hackers do exactly what we do today in CyberHoot's simulated phishing, with our positive reinforcement solution. Because we no longer send that email to the inbox of the end user. Instead, we send them an assignment. We say, Justin, it's time for you to do your phishing test.
And it brings you to the CyberHoot website where we do a simulation. And we present you with six or seven different components of an email. Each of them has a help me button that helps you learn in the moment. Operant conditioning is at its finest when you present a stimulus and the correct response together in time.
That's when people learn the best. And so we present the sender, the subject, the greeting, spelling, urgency, emotionality, links, external attachments, and we tell you exactly what you should be looking at, or looking for to identify if you're under attack or if it's a safe example of those six things. And then we reward you for passing the test with a certificate of completion with a gamified avatar.
It's a beautiful little owl avatar starts as a hatchling, and it moves up to like this wise owl sage with armor and a sword. And he's, you know, it's, it's just trying to take something that is very quite frankly, droll, dull and dry and boring for the majority of everybody and most people and turn it into something that's a little bit fun, a little bit memorable, using psychology again and teach you the skills you need to have that cyber literacy.
And the results are magical. MSP after MSP tells us, Justin, that they used to get dozens of emails a week asking, is this a phish? Is that a phish? I don't want to make a mistake. I'm full of anxiety over this email in my inbox.
No one had been taught. They've only been, when you've only been punished, and maybe you're fearful of making mistakes, you are full of anxiety. And you don't have the knowledge to be confident, efficient, and secure in your inbox. So we thought, that's what we have to focus on. And that's what we've created.
We even made a game out of it. Something called the Hootfish Challenge, which I will send to you if you want. And you can publish it in the, the show notes. And some will do a contest and crown a champion of Hootfish. But we've turned it into something fun. At the end of the day, it's educational and fun, and it doesn't erode goodwill.
It builds confidence in the end users, and it's a win win win for everybody.
Justin Beals: I think cybersecurity training is terrifying in a way, in the way it's delivered to a lot of folks. I mean, the first is, most people don't have a deep technical understanding, so they already feel like they're not knowledgeable and not successful and starting from a place of ignorance.
And fear, therefore. And then you're right, you know, the stakes are so high. You know, if this, if I, if I click on this particular email, I'll ruin my company. I think is, is a thought process that folks will go through. And it's really terrifying. Of course, a lot of times we don't respond as cybersecurity professionals to a mistake.
You know, we get upset at each other. And so we reinforce that negatively. So even the activity of kind of handling an incident can be really painful. It's, it's also stunning to me that we have this challenge of trying to simulate learning experiences but being unable to create a real simulation, yet expecting people to understand when it's really happening.
It just seems like a complete disconnect. Yeah.
Craig Taylor: I completely agree. Imagine you showed up in school in some class, yeah, high school, university, on any topic whatsoever. And the opening teacher remarks were, get out your pencils. We have a quiz. We're going to test you on the knowledge of this class. Wait a minute.
I came to this class to learn what I need to know. You're not teaching me first. No, we're going to quiz you first because we want to see what you know. That's how traditional fake email phishing, they call it the baseline test. We're going to test everybody on day one to see what they know about phishing and spotting and not clicking.
And that'll give us our baseline. So that in truth, you know, the ulterior motive here is I'm an IT director of cyber security in my company, and I need to show progress. So if I have a bad baseline, I can show more progress over time. It's not the way to behave. What we suggest at CyberHoot is you educate first, like in a classroom.
Then later, you can run a couple of fake email tests. And you can do that today in CyberHoot still, but at least do it after you've provided people the, the requisite knowledge, a fair chance to pass the test if they pay attention. Then it's, then it's all a good scenario. Then people aren't going to resent the IT department whose existence is supposed to help me do my job.
Instead, they're causing me stress, anxiety, and hours of retraining. Right? It's just a little bit backwards, Justin. It's nobody's fault that we're in this place. I want to be clear. If you're doing this this way, the bad way today, it's not anyone's fault. Cybersecurity is an emerging field of study. It's like medicine was 100 years ago and law 1000 years ago.
We don't have the best practices and the better methods identified. We're starting to. CyberHoot, hopefully, is contributing to that. But we're trying to figure it out no different than I was trying to figure out what's enough security in the C2CSC website 23 years ago, you know? So we hopefully live, learn, and get better at this stuff.
Justin Beals: I agree that like cyber security is playing a lot of catch up and it is an emerging field, mostly because I think the industry of technology or computing is an emerging field and it's, it's constantly accelerating to it's, you know, not only are we kind of bringing innovation to bear, but we're exponentially increasing the rate of innovation along the lines of Moore's law.
And. If you're playing security catch up, which we have been doing, I mean, let's face it, put a lot of software out on the network that does a lot of very powerful things, and I will admit as a chief technology officer that other than identity management and encryption on the wire and some form of change management, most of the time, the rest of security was an afterthought for us.
You know, we were, we'd go into the pen test and be like, okay, tell us where we've made mistakes.
Craig Taylor: Right. Yeah. And even to this day, I had a conversation yesterday with one of my peer groups, one of the members that I just recently asked to join the peer group. And I said we need topics for the next meeting.
What do you want to talk about? He goes, you know what I've discovered? I have a really interesting perspective. We've been trying to do better segmentation on networks and, and we've been trying to do zero trust. But most people talk about it. There's a lot of hype about it, but there aren't any practical implementation solutions there.
I would like us to talk about micro-segmentation. Turning on that Windows firewall and the Linux kernel firewall and all of these different things so that we only set up allow lists for the things we need in a micro-segmentation. Instead of trying to get accounting on their network and sales on their network, support on their network and making, hoping that the firewalls are set up right.
And we have the any, any deny rules at the end, and the VPNs between 12 different sites are all not wide open because no one knows what people need. Let's just get rid of, let's not follow that segmentation approach. Let's do micro-segmentation and zero trust so that you only get added to the access that you need for the specific data that you need.
And we'll talk about that and what's working and what's not working. I don't know what that conversation will end up being. Shaking out as and what technologies will want to look at for it. But it's going to be a great conversation because it's something that we're all playing catch up on, and it's not an easy problem to solve.
Justin Beals: Yeah, I'm gonna like, I'm, I'm right there with you, and I have my critics and criticisms here, you know, with, with deep patience and understanding that I am a participant in these behaviors at times, but it seems like we come up with a marketing scheme. And then we try and fill it in with actual information, and zero trust is one of my favorite things to hoist on a petard because when I came into security, they're like zero trust, zero trust.
We're gonna do zero trust. And I'm like, so what's that mean? Well, it's in the name zero trust. And I'm like, Yeah, there's no practical way for me to interpret that into appropriate security practices. I feel more confused than when I started.
Craig Taylor: And that's what I'm hoping to learn more about, right?
There are, there are, there are small things that you can do. You know, if you're listening to this and you're thinking, well, what can I do? Well, you can adopt a tool like Okta SSO. Put all your applications that you want your employees to go to into a single location. And then grant them access from that.
So if you're on the local area network, or if you're at home, you can't get to those things because it's going to be blocked by your IT policies, but to get to them, you go to your single sign-on location, and that's where you get granted access to these, these services. Various SaaS platforms, because SaaS proliferation since COVID is another nightmare scenario for many companies, but at least there you have one place to turn on access, turn it off, have a checklist of onboarding for this employee needs X, Y, Z, but not A, B, C, and when they leave, you can reverse it, and you have logging and you have multifactor, and you have all kinds of good benefits to that.
You can combine licenses. I remember consulting one company, Justin, and they had three different departments buying licenses from the same vendor, and they didn't know someone else was paying those bills. But if they pooled their resources, they went to the next year and they got a great big discount.
You know, Okta does that, other SSO solutions do that. They allow you to consolidate. It's not necessarily zero trust, Justin, I get that, but it's another step in that direction.
Justin Beals: I definitely, you know, it's intriguing that we talk about it because I see activities, even sometimes from security companies, like I've railed against this agent model of integration.
To me, that is. Too much trust, you know, because you're just letting someone else's code operate inside an infrastructure essentially, and they can deploy whatever instructions they want into that code, and you'll have no knowledge of it, where at least with an API with authentication, I limit the scope of what can be requested inside of a system.
Craig, I wanted to ask you a little bit. You know, we talked some about AI and your use of AI, and it always seems to me like a looming thing with large language models around these anti-phishing type of training, but even phishing schemes that we'll see. Are you seeing anything on the attacker side and kind of responding to it?
Or how do you think about what LLMs will do to social engineering largely?
Craig Taylor: Well, I'll start by saying I was disappointed in our recent election in a purely scientific perspective. I had predicted that there would be deepfakes in the media seeking to influence the election. And there wasn't much that I could find about that.
I had anticipated a year ago and six months ago that someone would try to sway the election with some deepfake of either candidate saying something they didn't, that was very believable and would be too late to dismiss, to disclose, to refute in the media before people voted. It didn't happen.
It doesn't mean it's not coming. I have already heard of real-world scenarios where deepfakes were used to wire money to the, to the dark recesses of the internet, to hackers somewhere else in the world. In one case, a CEO or CFO of a company was deepfaked on a call to their bank and said, I am John Doe of company, you know, Acme Corp, and I need to wire, as I often do, $700,000 to this account. And what we need to authenticate you. Please authenticate me. And the deepfake was able to authenticate. Now, I don't know if it was a voice print authentication or if it was actually someone who had business email compromised into that person's account to learn those things. By the way, delete any password you ever got in an email from your IT department, because if they live in the recesses of your inbox, someone else will one day find them.
So, $700,000 was wired to the wrong place through the use of AI and a deepfake. Those sorts of things are happening in extortion cases quite regularly now, where all of, so, I don't have grandkids. One day I hope to, but I have children, and my parents are very gullible. And I know my kids are on social media.
A hacker could go to my children's social media account, get a little snippet of their voice, their face. And they could call my grandparents, my parents, their grandparents, and say, we've kidnapped so and so, and we're going to harm them unless you wire us $5,000. I actually have a firsthand personal experience with this. Not me personally, but a family member. And fortunately, I've done some education with my siblings and them. I got a phone call, and he says, what do we do about this? And I said, well, why don't you call your son? Right now, with your mother in the car, and see if he's been kidnapped, please. And so they dial on the speaker phone.
Hi, so and so. And the, the grandson picks up and says, hi, grandma, how you doing? Oh, I was going to the bank to get $5,000 for you. I thought you were kidnapped. No, I'm, I'm super fine. In fact, I'm nearby. Do you want to grab lunch? Oh, sure. You know, these things are happening all the time. So as a side note.
Have a secure code word with your grandchildren that if they don't know it, it ain't them. It can make it, you know, very unique and interesting to something that is not common vernacular and don't write it down and don't put it in on your, you know, in your computer where it could be discovered. That's another way to deal with that.
But this is happening all the time with AI. So on the, there's extortion cases. There is, every phishing email that we get is now almost perfectly grammatically correct, even though it might've been written in Chinese or Japanese or Swahili. The, the language translation models are perfect into English. So you can be a native speaker of anything you want and get a perfectly grammatically correct phishing email in English to target a company.
Oftentimes spear-phished, or very targeted for an individual based on their social media profile. If you like dogs and mountain biking, someone's going to write you an email that appeals to your dog-loving and your mountain-biking skills. Just be aware of that because AI is taking it to another level.
Justin Beals: I mean, I've certainly, I think it was two or three years ago where I started seeing dynamically generated images based upon a certain number of inputs, you know, utilizing existing images to represent someone that might be alive.
It's so cheap now to produce video, even let alone audio, from an AI input that I think you can pretty quickly mirror someone's voice. I think about the biometric fears that I would have in a situation like that. I also had a colleague that got this kidnapping ransom call from someone. And it was about a decade ago.
And he did, you know, he did ask to talk to his son, I believe it was. And when they didn't put him on the phone, he started to realize it was a phishing attempt. But had they been able to give a sentence From a deep fake on the phone, it would have really thrown him for a loop. I think he would have really fallen for the tactic.
Craig Taylor: Absolutely. And this is happening in romance scams when you are looking to date someone, and you're remote, there are scams going on there. If there's a way to take advantage of someone through the power of the internet, some hacker is going to do it. So you have to be skeptical. And my generation, our generation probably have a healthy bit of skepticism there and it's harder to take advantage of us.
But my parents' generation haven't got a clue. And no matter, I've spoken to my own mom a number of times. And she has had less than stellar behaviors on certain phone calls on certain topics.
Justin Beals: Okay. Well, there was one other thing I was really interested from a future perspective with you, Craig and CyberHoot did some work in the education industry for many years, but we always wrote our curriculums.
You know, we had curriculum writers, and we would go into video production to produce videos. for education material. I have to imagine that some of these LLMs and the generative models are starting to allow you to more rapidly build content and curriculums and get it to market a little faster. Is that true?
Or is it starting to reach that fidelity of tooling?
Craig Taylor: It is, to a certain extent. However, you know, you look at, if you were to ask for a script on a topic, say phishing, the way we use it at CyberHoot is we'll write our phishing script. And we'll document the different areas that we want to focus on, and then we'll pass it through an LLM to make it more tight and crisp and concise.
Then we have to piece out of the answers some of the keywords, like I think every LLM in the world wants to use the word vigilant. Right? It's so odd. If I read that online now, I know, oh, that's an AI-generated content. But we use it there. Where we also use it is I'll use it to say, okay, I have a script on phishing.
What are the top 10 phishing risks today? Versus a year ago. And it will just boom, boom, boom, boom, boom, boom, list them out for me. And I'll agree or disagree with them, but then I'll be like, oh my gosh, we forgot this, right? The typo-squatted domain name. We have to put that in. That's a foundational part of phishing.
So at the end of the day, we're always looking to validate what we do. To check it, to tighten it, to fix it, and to clarify it so that we put out the best product going, but it requires someone with your or my experience to say, this is how it really happens, and to check it. There are hallucinations, there are mistakes, there is unnecessary focus on A when we should be focusing on B.
So it's still, it's still a computer system that is rife with mistakes, to be frank, but it can absolutely speed up the process of getting to a quality output.
Justin Beals: I certainly used it myself to kind of trigger ideas in a way. I like the summarization. I think summarization tools are pretty high fidelity at this point.
And then, but it'll be more like, well, for example, for the podcast, I might be like, Hey, I'm looking for a title, and I can give it a transcript, but I'll ask for a bunch of ideas. I'll usually select none of them, but I'll take an aggregate of the couple that I liked and turn it into something that I liked.
Craig Taylor: Right. Yeah, that's exactly what we do. Where it really helps, too, is the generation of video content is getting so much better than ever before. It's not quite like Pixar, but it's definitely better than what I've been used to seeing in the past. So there's really a lot of ability to sort of, in internet time, address the emerging threats that are out there with a new topic video on something. For example, we just had a customer last week say that a person almost clicked on a QR code in an SMS text. They were starting to fill out the HR change of address forms. And then they thought, hmm, this is not quite right. Something's off. So we had to do a quishing video, QR code phishing, and the results were amazing. In very quick order.
Justin Beals: Craig, it's a real pleasure to get to chat with you today.
We deeply appreciate you bringing your expertise on cyber security and cyber security awareness training to the podcast and our listeners. Thanks for joining us.
Craig Taylor: My absolute pleasure, Justin. It's really nice to see someone else with the same passion about educating. I love that you have a background, if I may say, in theatre, and you bring that beautiful benefit, knowledge, expertise to your business and to even the interview process.
It's really been a treat for me. Thank you.
Justin Beals: My pleasure. All right. Until the next episode, Craig, thanks for joining us.
About our guest
Craig Taylor is the CEO and Co-Founder of CyberHoot, a SaaS platform dedicated to promoting cyber literacy in a positive educational setting. The company primarily focuses on supporting Managed Service Providers (MSPs) and the Small to Medium Business (SMB) market. Craig has served as a virtual Chief Information Security Officer (vCISO) for several years and was the Lead Information Risk Manager for CSC during the development of their Cloud Hosting division. He has held the Certified Information Systems Security Professional (CISSP) certification since 2001. Craig possesses a deep understanding of cybersecurity awareness and has been a leader in helping teams operate within a security-conscious environment.
Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.
Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.
Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.