Navigating cyber threats: FBI perspectives on protecting business and family with Scott Augenbaum

August 20, 2024

How safe is your digital footprint? In this episode, we interview Scott Augenbaum, a retired FBI agent turned cybercrime prevention expert and the author of “The Secret to Cybersecurity: A Simple Plan to Protect your Family and Business from Cybercrime”, to dissect the LastPass breach and extract lessons that resonate with every cyber enthusiast.

Through the lens of "The Four Truths," Scott demystifies common misconceptions about cybercrime and unveils strategies to navigate the minefield of digital threats. 

As cybersecurity experts and enthusiasts, how do you evaluate your practices in light of these insights?

Join this conversation and help foster a community dialogue on elevating our collective security posture.

Tune in to this thought-provoking episode and empower yourself with the knowledge that could be the difference between being a victim and a victor in the cyber realm.


Featured book in this episode: 

"The Secret to Cyber Security: A Simple Plan to Protect your Family and Business from Cybercrime" (2019)


Secure Talk - Scott Augenbaum

Justin Beals: Welcome everybody to SecureTalk this week. We are very lucky to have an excellent guest joining us today. Scott. Scott Augenbaum, a retired FBI agent and cybercrime prevention trainer. Scott has written a book, excellent book. I really enjoyed reading it. “The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime”. Scott, thanks for joining us on the podcast today. It is good to see you.

Scott Augenbaum: Do you see the big smile on my face? 

Justin Beals: I do. Think I can hear it too, Scott.

Scott Augenbaum: Because I'm retired from the FBI.

Justin Beals: Congratulations. Thank you for your service. That's exceptional. 

Scott Augenbaum: Thank you. And you know, the number one question I get all the time is, Scott, do you miss the FBI? And I'm like, are you kidding me? And I had an amazing 30 years spent the majority of my time handling cybercrime. But, you know, when people say, Scott, why do you not miss the FBI? Because today I do what I love to do. I've taken the best elements out of my career with the FBI, and that is to teach people how to reduce their chances of becoming the next cybercrime victim. And I live a passion project life. 

Justin Beals: Oh, that's exceptional. I'm striving for it, Scott. Someday, I'll be there myself.

And, I thought, I certainly read part of this in your book, but I'd love for you to tell us the story a little bit of how you got involved with the FBI, even to begin with.

Scott Augenbaum: Oh, do you know that? That's a question I get all the time because I meet all these people, and they go, Oh, did you always want to be an FBI agent? And I go, no, I, it wasn't even on my list. I mean, I'm raised by a single mom growing up in Brooklyn, New York. And it was back in the day when we didn't have helicopter parenting. It was just, you know, my mom, you know, my, my kid said, “Dad, did you ever get in trouble as a kid?” I said, “No, never”, I said. I only had one rule: don't get arrested. And when I was able to do that, so I went to community college and I graduated with a 2.27 grade point average. And when you have that kind of grade point average, the world is at peace. knocking down your door with opportunities. But my mom, as part of her grand plan to keep me out of jail, she filled out an application for me to be a file clerk with the FBI, making five, $5 an hour back in 1988.

And that's how I got my start just as a file clerk. And I worked my way up. So really. Kind of cool story.

Justin Beals: And you, while you were working in the FBI, you went to college at night, right? It was, you know, you were working on your academic career as well as a professional career at the same time.

Scott Augenbaum: Yes, I found the City College of New York.

I had an associate's degree, and they offered four-credit classes at night once a week. So I would take like two classes and I just grinded it out. And then, when I was 22 or so, I got my bachelor's degree and my good friend at the time, her name was Natalie O'Connell. She said, “Hey, why don't you go to grad school?” And I'm like, “I can't get into grad school”. And she's like, “Come on”. So. To learn about technology and finance. And I started working on an MBA in technology and finance back in 1992. And we were talking about one day you would be able to do crazy things like purchase airline tickets on a computer at home, 

Justin Beals: right?  You mentioned in your story that you're one of the first FBI agents in your field office to have a home computer. That was a big, like, lean-in for you. 

Scott Augenbaum: Yeah, let me just tell you, as I always like to joke, I had a home computer. But when in 1998, the FBI formed what was known as the National Infrastructure Protection Center, which was the FBI joint interagency task force to handle critical infrastructure protection. And since I had at the time, I was the only agent in the office with advanced computer skills, which meant I knew how to use AOL, so by default, I became this cyber guy in the office, which was not the cool and fun, sexy job to have back in the late nineties.

Justin Beals: Not at first, huh? Like, I bet you were the nerdy kid on the block, huh? 

Scott Augenbaum: No, I was trying to update it. They couldn't find a nerdy kid on the box. So they had me, and we had two female agents in the office. When I worked, we had a staff of nine, and you would judge by the programs that you had. 

So it was like the food scale of the chain. Like you had like the old-time guy who was doing, you know, organized crime, and this one had bank robberies and fugitives. And here's your white-collar crime guy. And then we had two female agents, and one was worked drugs. She was way cooler than me. And then we had another one who was working in healthcare fraud, which was a higher priority, and then there was me. Seekers and amateurs and you would judge by what you did and, you know, and here I am just trying to do it, deal with it. And, it was different back in 1998 dealing with cybercrime. 

Justin Beals: Yeah. I want to own. I was one of those late eighties kids that had a computer that was war dialing and very interested in what was going on. Most of it was just like, what? You wanted to take the thing apart and see how it worked. 

Scott Augenbaum: I remember one day, it's probably right before Y2K. You know, I got a call from the National Infrastructure Protection Center. And this is before the Department of Homeland Security. I get a call. It's a snowy Sunday in Syracuse. It's 8. April. And all of a sudden, they tell me that there is some kid at one of the colleges, which is two hours away and it's snowing out. And they tell me he's trying to gain unauthorized access to the Cape Kennedy Space Center. And they tell me I need to go up there and neutralize the threat. So what does that mean? What do you think? What does that mean? Neutralize the threat.

Justin Beals: I mean, in my mind, I think you're coming in guns blazing. Yeah.

Scott Augenbaum: Well, So I go up there, and I have the, you know, I play social services worker, and I kind of read the kid the riot act because I'm kind of pissed off, you know, I go back, I call the National Infrastructure Protection Center, I said, “listen, I neutralized the threat. It's never using the computer again”. And then three days later, I get a call from the kid's parent, and she's pissed, and I'm like, she goes, “I just want to let you know, she goes, my son hasn't left his house in three days” I go, “what did I have to do with that?” Well, she goes, “Well, you said that there was going to be a surveillance van parked outside of his house, you know, following him wherever he goes and he keeps seeing this van” and I'm like, “All right, we'll call the van off”. There was no van, you know,

Justin Beals: I would have been terrified. 

Scott Augenbaum: Let me tell you, I'm glad I didn't get fired for that little stuff. 

Justin Beals: I understand. Oh, that's amazing. You also, you know, because adopter of computing and, and started to learn about cybercrime as a practice, and we're the first one there. It turned into a leadership role for the agency for you as well.

Scott Augenbaum: Well, again, there's nothing more than always a good story with me. And so let's kind of progress with this. So September 11th happens, changes the FBI forever. Okay. Terrorism, number one priority, number two, cybercrime, number three from 2001. I'm working on terrorism cases for the FBI. I'm still dabbling in cyber.

And I took a little detour in 1997. And I met a young lady while I was working on the Atlanta park bombing investigation. Yeah. And I tricked her into marrying me and I moved her to upstate New York, and she couldn't handle the 200 inches of snow. So she, after five years, you know, she wanted to move to the deep south, so the only opportunity was to go to Washington DC, whereby some kind of luck, I got a supervisory position with the FBI building their cyber task force capabilities, because in 2002, right after September 11th,  the FBI builds a cyber division at FBI headquarters to work on the emerging cyber threat because the cyber threat transformed from 1998, and now we're talking almost 25 years ago. Yeah.

How like the FBI was on the forefront. So I go to FBI headquarters and in 2003, as a supervisor and all of my friends make fun of me. Yeah, they tell me the cybercrime problem is going to go away by 2007, and it's going to be solved by technology. 

Now, Justin, let me ask you, how's that working out for us as a society today?

Justin Beals: I'll tell you that if I knew what the solution was to solve cybercrime, I'd be out talking to investors today and building that business.

Scott Augenbaum: That's a whole other issue that we can talk about here, because I'm telling you, and we'll get to, we'll get to this through the four truths. I don't know how do I help a world that doesn't want to be helped.

Justin Beals: Yeah. 

Scott Augenbaum: And we'll get to that. That's it. 

Justin Beals: Yeah, absolutely.

Scott Augenbaum: And here we are. I'm in DC for three years. I'm in the cyber division of the FBI. I'm working on the national cyber strategy. I'm traveling around the country doing presentations to other communities and fields. And that's where I learned my skill, which is public speaking, and I get to Nashville in 2007, and I lead up one of the first FBI cyber crime task forces in the state of Tennessee.

Justin Beals: Oh, that's brilliant. Yeah. And it's changing right at that point. We're starting to see real impact from cybercrime. 

Scott Augenbaum: Yes. Now we're starting to realize that cybercrime at the time, and it's different today, is really taking place in two forces.

Well, first of all, it's financially motivated. Yeah. It has ties to transnational criminal enterprises, and there's another component of state-sponsored threat actors. Today, it's completely blurred. Those lines are blurred, but they haven't changed. 

Justin Beals: Yeah. Yeah. We've certainly seen the blurring of, of that type of activity.

So, one of the things that and I, I liked that you mentioned the four truths. It's something I want to get into, but there was a phrase in the very beginning of your book that really stood out to me. You stayed in the book in the very beginning, that the topics we're going to be talking about are going to be uncomfortable as a discussion of victims. Can be scary. 

And certainly, I think broadly, in the security space, we've created a lot of that fear, uncertainty and doubt. You know, there's a lot of scary stories to tell. But you coined a phrase, and you really are flipping the idea here. “Fear from real experience”. And as a trainer, um, You know, you've got to talk about scary things, but I feel like you're trying to drive a different outcome from those types of discussions.

Scott Augenbaum: Absolutely. And that's what I try to do today. If we jump ahead a little bit, what do I do today? I try to change people's mindsets. Through what I call the cyber secure mindset, which was adopted from the book because we hear about fear, uncertainty, and doubt all the time. And this will be a really kind of interesting lead into the four truths because what I need you to do is put you into the field, into the, into the mind of the victim.

Just as I was talking to you before, I'm talking to a person right now. And this will be a great segue into the four truths. I'm talking to a person not more than 10 minutes ago; a friend of a friend just lost 5 million in a scam. He's, I'm trying to convince him that he's been scammed. He's still not convinced that he's scammed.

And I'm sitting here going like this: this is where I get my PTSD from. Because when I join the FBI as a young FBI agent, my role was simple. Bad people did bad things to good people, and I worked with state and local law. So let me just talk about the, get to the book for a second as I try to get all these million thoughts.

Justin Beals: Please. 

Scott Augenbaum: If you're looking to read a good book by an FBI agent who is the hero and saved the day and put a lot of bad guys in jail and got people's money back, don't read my book. I'm not your guy. I am not your guy. I am the guide in the story. Okay? You're the hero. I have to get you from fear, from real experiences I'd like to, when we go through the four truths, I want to talk about this victim. I need you to understand what it feels like because my job when I wrote the book and we called it the secret to cyber security was just a catchy title. There was no secret, but the secret is that most stuff can be prevented.

Justin Beals: Yeah. Let's dive into it. You obviously know them by heart. I think for truth. No one expects to be a victim. 

Scott Augenbaum: That's the telltale sign. The four truths is what I have discovered from after interviewing a thousand victims. These aren't things I read in a book. These aren't from articles. These aren't listening to podcasts, These are things that I've touched. And unfortunately I still touch them to this day. 

None of my victims ever expected to be a victim. Why would anyone want to target me? I don't have anything that anybody wants is a famous last words that I would hear all the time. I'm just a retiree. I'd even deal with it with my mom. “Scott, what are you carrying on for all the time? I only have $1,200 in my bank account”. What are you going to do when it's gone? Why me? I didn't have anything that anyone would want to steal. And that's part of what I have to do to change your behavior because I don't care how much money you have.

The gentleman I just talked to had 5 million in his bank account. He was a big mark, but now, through different platforms, it doesn't matter how much. So I need everyone here. And this is where it takes you out of your comfort zone. You can become a victim if you have an email, a telephone, and a bank account.

Justin Beals: Yeah, absolutely. You're probably not going to get your money back. 

Scott Augenbaum: So, let's go jump into this victim that I just dealt with right now. This individual was involved in a pig butchering scam. Have you heard of those, Justin? 

Justin Beals: I have not. That's a new one. 

Scott Augenbaum: So here's, here's, here's your typical pig butchery can do a whole episode just on pig butchery, get an email, a LinkedIn message from a very attractive Asian woman or a European woman. And she befriends you and talks to you and says, Hey, I've been investing in cryptocurrency. So what does he do? He takes a little bit of a chance. He puts a little bit of money in, and then the account grows, and it grows, and then they get you so confused, and they tell you how you're going to leverage money, and he keeps putting money in.

So, at one point, he's up to a hundred million dollars in his investments. He only they only took $2.5 million out of him. So they tell him that if he invests another $2.5 million, it'll probably go up to 300 million. So this is where they fatten the pig. And now there's nothing there. It's a complete scam.

And this breaks my heart as I'm sitting here talking to someone who has just lost their entire life savings. Justin, it could be like any of our parents. It could be like someone we know, and I'm on the phone with him, and I'm like, And this is the second truth. The chances of law enforcement getting your money back is slim to none.

Now, why is that? In the old days, we used to follow money. I followed wire transfers around the world. He puts it into a crypto wallet, and from there, it disappears. And that's the same thing when your data is stolen, your identity is stolen. There's no magic button. Nobody's going back in time. 

Justin Beals: Yeah, I think about how easy it is to build an interface even that looks like a cryptocurrency wallet. But at the end of the day isn't even that on the back end. 

Scott Augenbaum: And it's funny because I had to go to one of my best sources for information, which is my 18-year-old. And he's like, “Well, yeah, dad, it's really, it's really easy. You know, if you, if you're buying on margin and if someone borrowed 500,000, 5 million, it's realistic that it could go up to 210%”. And I'm like, how does my 18, you see, and this is where they trick us because it's the fear of missing out. Here we are. I'm in my fifties, or this guy was in his sixties, fear of missing out on crypto and cyber criminals are using that against us. So he's out of his, he's out of luck. We're not getting this money back.

Justin Beals: To your third truth, the bad guys probably are not going to get arrested. 

Scott Augenbaum: Because in this case, this is being run out by Chinese organized crime out of Southeast 

Justin Beals: Yeah. 

Scott Augenbaum: And then we have the Russians, we have the Nigerians, we have the Iranians and the North Koreans. So, in the FBI, we have offices all over the world.

We just dismantled a group in Eastern Europe the other day who was involved in ransomware. And I was quoted on Bloomberg. They said, what do you think about that? I said it's like arresting a drug dealer. Problem's not over. So, putting the bad guys in jail is very hard. So let's just talk about that for a second, Justin.

The chances of getting your money back or data back is slim to none. And this is before we go into the fourth truth. The chances of law enforcement putting the bad guys in jail is really challenging. How does that make you feel? How do you think it's making our listeners feel right now?

Justin Beals: Certainly pretty powerless.

You know, you're like, what can I do? And if there's no impact to bad behavior, you know, how do you really curb it, right?  

Scott Augenbaum: And I'm going to throw another wrinkle in because that I don't I harp on it now. I don't harp on it as much in the book. So, let's go back. I write the book in the books released in 2019. I'm working on it in 2017 and 18. I'm using the statistic from my friends at cyber security ventures. 2015, the cyber crime global cost is $3 trillion. And by the time 2021 comes around, it's a $6 trillion. Yeah. Well, today we're in 2024, and it's an $8 trillion problem, and it's tracking to go up to a $10 trillion problem.

So, can we all agree that the problem is getting worse? 

Justin Beals: Yes, I'm happy to agree to that. 

Scott Augenbaum: Here's the problem that really bothers me that nobody really talks about. We keep spending more and more money on information security, products, and services. So what does it mean to you if we keep spending more and more money on products and services and the problem gets worse?

Justin Beals: Well, I think even as a technology professional and one of my criticisms is it's such a marketing-driven kind of. Solutions adoptions perspective, and so much of it is not focused on the actual porous surface areas from a security perspective. It's like. You need really powerful computing systems to break our encryption technologies, but it doesn't take much to get someone on your team to give up their password.

Justin Beals:  But we don't do a lot of work on social engineering.

Scott Augenbaum: And that leads me to my fourth truth. Because let's just regroup everything. You're not getting your money back. Nobody is going to jail. You're going to keep spending money and the problem is going to keep getting worse. So when you said you're depressed, so when I'm doing trainings and I'm being brought into organizations, what am I trying to do?

I'm trying to take the fear from real experience. I'm trying to take the FUD, and now I'm putting them now I'm amplifying it a thousand times. Yeah. And then it gets to what, and then it gets to the major epiphany I have during my career, which is what I call the fourth truth. 

Justin Beals: Fourth truth. A majority of cybercrime can be prevented.

Scott Augenbaum: Yes. And I learned that kind of when I was sitting with a victim who just wire-transferred his life savings and never to get it back. And I'm sitting with the family, and the family's like, you're the FBI. What do you mean? You can't get our father's money back. What do you mean? You can't identify it. And at that point, I just wanted to put my arms around them because I'm getting beat up emotionally from victims.

And I go, I wanted to say, “well if your dad just would have done these things, he never would have been victimized”. And that was the epiphany. That was the turning point in my career where I said, I know what I'm going to do the rest of my life. And then I'm going to share this stuff to keep people safe.

Because if I could turn back the time and I can get people. Not even to read my book, but just to focus on a couple of core, core elements. I could have prevented a lot of cybercrime victimization. 

Justin Beals: Yeah. I really liked the way the book, in a very pragmatic approach is broken down. You know, it's like you lead into what the issue is, but then you have a number of chapters, I think a dozen or so, that are, you know, this is a particular attack vector and this is the prevention technique. And they broadly fell underneath three things that you identify. User education and awareness, sound business processes, and the use of multi-factor authentication. It's not rocket science, right, Scott? 

Scott Augenbaum: It really isn't, but here's the thing, and this is what I struggle with all the time.

I mean this, this is the self-help podcast that I'm on where I can talk about my problems, right? And you're gonna help me solve them. I mean, that's what this was about, right? , I'm gonna be honest with you. So what do I do now? I mean, I get brought into large organizations, and I help them change their culture.

And I get brought in, and I'm like, okay, this is great. I can break this down, we can do this, we can do that. And then they say to me, listen, can you do this in 45 minutes for us? Yeah, yeah, but you're paying me a lot of money. Why don't I do a video for you on how to keep your kids safe? I mean, each chapter in my book, and this is one of the things I'm working on now, is to turn this into a course. Each chapter I can take it and turn it into a standalone thing, but even today, when we talk about like the cyber security awareness marketplace is exploding, but it's check the box.

It's like 15 minutes a year. You take your quiz, you know, I've identified a phishing email, and I'll take one of these as a deep dive. We'll go into the world of social engineering. And I mean, this is what people are failing to see. It's not a one-and-done. And if you hang around to the end, I mean, I don't even want anyone to buy my book.

I'm going to tell you how you can connect with me, and I'm going to give you a copy. Of my audio version of my book, but how did it's not one and done, because let's be real. I have all these books on my bookshelf that are supposed to change my life. They haven't. How do we change the mindset of people?

Justin Beals: Yeah. Security awareness training is something that comes up for a lot of my customers. A lot of the time. And they are typically like, Oh, we, we need to do security awareness training. And then they will pull like an off-the-shelf kind of canned 45 minute training exercise. And we've taken a different approach where we're like, no, we want to design the security training to our business a little bit.

It makes more sense. It's more applicable. And I think people remember it. And I'm curious how you've led into a little bit what you want to deliver. You know, what, what is, what are some of those You know, best practices from a training perspective, like what's, what's the pragmatic approach that even a midsize business needs to be taking on to user awareness and training?

Scott Augenbaum: It's a very difficult thing for me to articulate because I've been sitting here, and I'm, you know, I put a lot of thought, and I'll give you an example. I get a call from a large Fortune 500 company that has good off-the-shelf cyber security awareness training, but all their employees are getting hit by the business email compromise.

So they need customized content on how to teach their telephone, their HR, their finance, the other folks safe. So I kind of build that for them. I give them quizzes, pay me a great thing. Yeah, I would say probably what? A week later, everybody forgets about it. Who's gonna know? Yeah. So, I'm building something right now for a group for small doctor's practices, to be able to go here to deliver content that nobody else is being able to do with my experience on how to do this.

But how do you take it to the next level? You know, I know we're going to go over there. We're going to go take notes. We're going to do this. You know, I've been building some virtual platforms for a couple of select customers who come to me to be able to say this, but my pure passion is how do I take my book and how do I Turn that into digestible information that people will use because unfortunately, everybody wants the easy button.

Nobody wants training. I just want a product. I just want, you know, if I would say, like, look, if you take this book and you put it in front of your router, you'll be safe. People would buy it more. I'm able to see on the people who bought my audiobook and I've sold a couple, and I don't usually sell it. I have it on a platform that I can sell it, but I usually give it away more.

Yeah. Very few people have actually dove into it, and they actually listened to the entire book. They bought it. 

Justin Beals: Yeah. This really resonates for me because one of the things that we do a lot of work around is, you know, what's your security posture? And I do have this discussion oftentimes where people are like, Oh, I just want to buy a tool.

And my security posture for my business is done. And we have to have this discussion with them where we're like, actually, that's the absolute wrong way to do it. Your business, your business processes and your users are really unique. And if you don't envelop it in a security posture that fits, then you're not engaged in security.

And therefore you're not acculturating your company around good security. And two truth. Number one, you're doing that because you don't expect to be a victim. You didn't walk into here saying, I need security posture. Cause otherwise someone's going to hack me. You came into here saying, “I need a security posture because someone else is expecting me to do that work”.

Scott Augenbaum: It's a very difficult thing. I remember doing things with the FBI. I used to give out a sh**, and this is what caused me to write the book. Probably about 2014, I'm doing presentations, and somebody comes to me and says, “Scott, your presentations are filled with FUD, but you're not here to give us any practical advice”. I go, listen, we're the FBI, you know, we're not here to fix things. I'm here to tell you. And so I decided that I was going to make a list like here are your 15 things that you should do. And it wasn't sanctioned by the FBI. So I used to just tell people, listen, here's my email; send me an email, and I'll send you this sheet of paper.

It's not, it's going to say. Cyber tips and I would get maybe 10 to 15% of the population would take me up on that, and it's the same thing today when I speak, but every once in a while, I come across someone who says, Scott, you saved me. You help me. And then I heard this really good story that I use.

What do you do, Scott? I help those who swim towards me. Now, I can afford to do that. I got a great pension. I get paid as a speaker. It's not about this. If I was trying to build an actual company where I was trying to sell products or services, I probably would quit because it's just too frustrating. 

If you follow me on LinkedIn, every day on LinkedIn, I'm trying to provide practical cybersecurity advice. And that's where I get all my information, all my leads from. And if you see me on there, I never ask anyone to hire me. And I never ask anyone to buy my books. I just. The more I give, the more I get.

Justin Beals: Yeah, absolutely. One part of your book that I found really interesting, especially from the perspective of the different types of prevention tactics, especially for businesses, was the business email compromise and the work-from-home nightmares. It just seems like this is a worst-case scenario where we'll.

It's just everything is so virtual now. You don't see the people. You can't reach over and say, “Hey, did you send me that email or not?” And we've got work from home, and we have some pretty high profile, um, breaches like colonial pipeline, I believe was breached this way. We've even had issues at it, at our business from this combo. 

Scott Augenbaum: Everybody has had because we don't have the money to spend to get this. But all I'm trying to tell people is, and this is what I tell them, I don't care what you buy if you don't do what I tell you to do. And that's this. And that's why the cyber secure mindset was born out of this.

And this was just my kind of. I'm sitting down in Puerto Rico, drinking a beer at the beach, listening to a podcast where they're talking about building businesses and you need to have a framework. And I'm like, okay, I'll call it a framework. Here are the ten steps you need to do taken from the book. And then they're like, look, you got to come up with a really cool name, and you got to, you know, talk about mindset.

So I'm like cybersecurity mindset. I go, that's really cool. So I go to GoDaddy, and I realized that I think Proofpoint bought cybersecurity mindset. But nobody bought cyber secure mindset. So that was just my whole thing. And I'm still trying to figure out what that is and and really what it is is if you don't do these basic things and you don't put the oxygen mask on yourself to save you to save your family by taking what I've learned and digestible steps, you're still going to be a victim. You can have the best antivirus, the best malware protection, MDR, XDR. It doesn't matter. You just need to change your mindset. 

Justin Beals: Yeah, I think one of the things we've done in our company because we have a little like thing that happens every time a new person starts, they get SMS fished, you know, within a day usually comes from the CEO, but it's almost like clockwork.

You know, they change their LinkedIn profile and they'll get an SMS message supposedly from me to go do something. And so we've had a lot of discussion about. Open communication channels versus ones where there's some assumption that the other person has to log in, and we have a lot of distrust in our company, especially about email and SMS, because there's no login on the other side, right?

It's too easy to masquerade, and I'm curious what you think about moving to more closed communication channels for trusted communication.

Scott Augenbaum: Well, gimme an example. What's your closed communication?

Justin Beals: We use Slack, so certainly, you have to authenticate into it, but we can provision people in and out. Um, but it is helpful. At least I had to log in.

Scott Augenbaum: You know what? And I've seen, let me tell you, nobody's hacking Slack. What are they getting into? Use your name and password without two-factor authentication. So I'm telling he and to this day. As I go back, if you have any platform in communications and you know where you're storing data and you are able to log in, and you are not using two-factor authentication, and you have cyber liability insurance, call your insurance company up and get a 20-year policy because someone has screwed something up in your operating for you to allow.

I just dealt with a hospital the other day who called me up and said to me, Hey, the CEO's email was compromised. And I'm like, did you have two-factor authentication? Well, no, I can't understand why our MSP allowed us to do this. I'm like, gotta blame somebody. That's one of my telltale signs. So when you said secure channels, that's not secure.

Unless you're able to make sure that everyone's using two-factor authentication, and even with two-factor authentication, you still could potentially get it. 

Justin Beals: Yeah, by the way, we do have multi-factor authentication turned on, but still.

Scott Augenbaum: But think about your customers. 

Justin Beals: Yeah. 

Scott Augenbaum: And even if all your customers have it turned on,  what about the third parties? That's what you're doing. So you see, it's not. So even if you use two-factor authentication, you're not safe.

Justin Beals: Yeah. And I think to your point, Scott, you still have to have user awareness, right? Like if you're asking someone to do something, they're asking you to do something that doesn't seem like I would ask you to, go double check, use another form of communication. Yeah.

Scott Augenbaum: But when it comes to user awareness, I'm just like, it needs to be good user awareness. And when people go, well, what do you mean? I go, we can talk to two people in school who went to the same algebra class. And we had one good teacher and one theoretical, boring teacher. And the people who got through the stories were ending up doing that.

And that's, you know, and that's one of the things I'm trying to figure out now in my journey is creating a new category in the marketplace. 

Justin Beals: Excellent. Scott, you know, one of the things we like to do on the Strike Graph podcast is kind of review a prior breach. And we have one prepped here today for us.

Allow me just a second. I'm going to read some of the background on this particular breach, and then you and I can chat about it a little bit. Is that good? 

So today, we're going to chat about the LastPass breach. LastPass is a password management system. It's used to store multiple authentications to multiple systems, and it allows users to centralize their authentication credentials and create differentiated credentials instead of using the same password for multiple systems.

Utilizing the same password for multiple systems is a security vulnerability that can result in credential stuffing. On December 22nd, LastPass notified their customers of a cyber security incident that may put the stored passwords of LastPass users at risk. A copy of their customer password vaults was stolen in November 2022.

LastPass learned that an unknown threat actor accessed a cloud-based storage environment, leveraging information obtained from the incident previously disclosed on August 22. While no customer data was accessed during the August 22 incident, some source code and technical information were stolen from a development environment and used to target another employee, obtaining credentials and keys to access and decrypt some storage volumes within a cloud-based storage service.

LastPass officials wrote: “This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault.”

With the copy of the data, the backup of the customer vault data was encrypted. However, the encryption strength was dependent upon the password length that the users of LastPass had put for their vaults. And some users had put very short password lengths for their vaults, therefore making it easier to decrypt.

So the response: on August 25th, LastPass notified users that an unauthorized party had gained access to portions of the LastPass development environment. On September 15th, LastPass disclosed the incident and stated that the incident was closed, feeling that no customer passwords had actually been breached.

Then, they reopened it on November 30th, 2022, saying that they had detected unusual activity within a third-party cloud storage device, and this breach allowed for production backups to be exfiltrated from LastPass. And then on December 22, 2022, LastPass confirmed the theft of source code. Then, on October 23rd, 2023, Taylor Monahan, a Lead Product Manager of MetaMask, had been documenting crypto thefts via Twitter since March 2023.

Their team had identified a highly reliable set of clues that connected recent thefts targeting more than 150 people. Collectively, these individuals have been robbed of more than 35 million worth of crypto. On October 28th, Monahan concluded that the common thread among nearly every victim was that they'd previously used LastPass to store their seed phrase, the private key needed to unlock their cryptocurrency investments.

There's an ongoing class action lawsuit against LastPass. We've got multiple failures here, it feels like,  Scott. 

Scott Augenbaum: Do we have another, what, three hours we could I, right? No. Let's just really kind of start at a high level here. So what do we really have? This would be the perfect example of a supply chain attack.

Yeah. What's the end goal here? Which is, you know, the theft of money, okay? So what do we do? You know, when you, when you hear about this at first, you know, very, very coordinated, you know, really strong intentions here. But now as you dive into it, there's a couple of reoccurring themes, you know, cloud buckets. Insecure, okay? Another thing, you know, when we start talking about is the cloud safe, and I don't really go into that in the book. I mean, I'm talking more about keeping your own thing, but, you know, I remember one report that said maybe about 90 to 95% of cloud breaches are because of, you know, something that has been misconfigured in the

So obviously, we have some things here that we have some misconfigurations, but, you know, getting into that kind of infrastructure is really, really hard, really, really difficult. So what do we do? We target an end user and we, how are we up looking at the end user? It's very easy. You can go to LinkedIn. You can map out, you can find that development person that you want to target, and then you just go over and see if he has a Facebook account, you target his kids, and now you're able to go in, and you're able to get into the systems. And a lot of times, you know, we end up seeing, you know, and during my career when we were responding to data breaches, you know, there were DevOps machines that were connected to the main network.

And here you have a whole thing over there that you're, you know, obviously, we're not talking about network segmentation. We're not talking about least privilege. There's so many different aspects here that completely can go wrong that we can write a great case study on this.

Justin Beals: Certainly, like one of the things that really stood out to me that I hadn't thought of, you know, two or four truths. And I use a password management tool. I need to make it complicated, the password and the authentication to that password management tool, because that drives the encryption level on the actual data in the vault. And if it's five or six characters, it's exponentially easier to decrypt.

Scott Augenbaum: And I tell everyone, and even in the book, 12 to 15 characters on everything.

Now, a couple of things that I always hear, look, I don't use a password manager. I just have it. Do you know, first of all, if you can find one that's easy enough that I can explain to a group of elders, and my 21-year-old kid calls me his elderly parent at age 56, so I'm elderly.

But you know what? Here's the typical attack that I see. Look, I'm all, I am the guy who goes like this. Put your passwords in Google. Store it in Google Chrome. But if you store it in Google Chrome and you don't put two-factor authentication, which is almost 85% of the population, bad guy's getting in. And now it's the same thing with your iCloud account because all of a sudden now everyone's like, Hey, I'm moving to the Macs. Macs don't get viruses. Macs don't need to get viruses because here's a couple of key points that I really want to take away from the lessons that we learned. Social engineering is the number one tool in the cyber criminal's toolbag. Email, text messages, telephone calls. As I'd like to say, what we believe are secure communication channels, like Slack, Teams, all of those things, we're seeing social engineering in there.

We're seeing pop-ups, we're seeing robocalls, and the use of artificial intelligence is really giving the bad guys an edge. And all the bad guys really need to do is steal your username and password because the account compromise is the actual, as I would like to say, that's the theft. All you need is a stolen username and password.

And in the old days, we used to think it was so simple. All we needed to do was have proper two-factor authentication. But even if you do all of those things, social, realize social engineering is the number one tool in the cybercriminal's tool belt. The account compromise. So, what are your mission-critical accounts that you need to protect?

Then you secure them with strong passwords, two-factor authentication. That's going to get you out of a lot of hot water. But that's not going to stop the business email compromise. Yeah. Yeah. It goes back to social engineering. So that's the endless loop. And then when I sit down with companies, and they go, “Hey, Scott, that's too complicated. I don't want to do it.” I go, “I don't care. Don't do it.” But when you have an incident, let's just remember the truth. You're not getting your stuff back, and nobody's going to jail, and it could be prevented.

Justin Beals: Yeah. Scott, this has been an exceptional conversation, and we really appreciate your expertise and the hard work that you do in teaching people to prevent cybercrime, your work in the FBI, and just grateful to have you as a guest today.

Scott Augenbaum: And thank you so much. Your questions were great. You were the first person who's ever asked me about fear from real experience. So that was kind of cool. 

Justin Beals: Good. Yeah. I take it as a personal requirement that I do research and read the books.

Scott Augenbaum: I'm glad you picked up on that because nobody's ever asked me about that.

Justin Beals: Good. Well, thanks so much, Scott, for joining us today. Thanks, listeners, for joining us as well. Have a wonderful day.


About our guest

Scott Augenbaum, Cybercrime Prevention Trainer, Author and Keynote Speaker

After joining the Federal Bureau of Investigation (FBI) in the New York Field Office in 1988 as a support employee, Scott Augenbaum became a Special Agent in 1994 and was assigned to the Syracuse, New York Office, where he worked domestic terrorism, white collar and hate crimes, and all computer crime investigations. In October 2003, Agent Augenbaum was promoted to Supervisory Special Agent at FBI Headquarters, Washington, D.C., in the Cyber Division, Cyber Crime Fraud Unit, and was responsible for managing the FBI’s Cyber Task Force Program and Intellectual Property Rights Program. In 2006, Mr. Augenbaum transferred to Nashville, TN and managed the FBI Memphis Division Computer Intrusion/Counterintelligence Squad in Nashville, TN.

Over the past ten years, Retired Special Agent Scott Augenbaum has had the opportunity to provide hundreds of computer intrusion threat briefings with the goal of educating the community on emerging computer intrusion threats and how not to be the victim of a data breach.

Scott earned an MBA in information technology at American Sentinel University and a Master's Certificate in Information Security Management from Villanova University, in addition to holding numerous General Information Assurance Certifications.
