Former Secret Service agent explains the security mistakes we continue to make

Overview

Despite security training and improved security systems that aim to keep the bad guys out, ransomware and other malware continue to invade our systems due to human mistakes. Keith chats with Tulsa University Professor Justin Miller, a former Secret Service agent, about the top mistakes that end users, companies and governments continue to make in the realm of cybersecurity.

Transcript

00:00 
With ransomware remaining a major threat to companies and government systems, as well as artificial intelligence-enabled threats on the horizon, are we as humans doing a good enough job in protecting our systems? We'll ask a former Secret Service agent who now teaches cybersecurity these questions and more on this episode of Today in Tech. Hi everybody, welcome to Today in Tech. I'm Keith Shaw. Joining me on the show today is Professor Justin Miller. He is an associate professor of practice in the School of Cyber Studies at the University of Tulsa. Professor Miller, welcome to the show.

0:39  
Hey. Thanks for having me.

0:40  
I think it's also the Secret Service agent connection that interests me as well. So, you know, just briefly, how does one go from, you know, being a Secret Service agent to joining the ranks of academics teaching cybersecurity?

0:57  
Yes, it's a, it's quite a transition, but one, I've always been interested in academia. Um, I've always thought about teaching. And then one of my later assignments through the Secret Service was at the National Computer Forensics Institute, where the Secret Service trains law enforcement in cyber investigations. And from there, I really got the knack to bring a practitioner side into the theoretical side and have those converge. Yeah, and I got really high remarks from the students, because a lot of them were students like me, where they were police officers learning to be trained in cyber investigations. And then they walked into their department one day and their sergeant said, Hey, you're now in the cyber squad. You're going to cyber training. And they were like, I can barely turn the computer on. How am I going to do that? Which was very similar to my, to my career. When I made it to Dallas, off of protective operations, the new Special Agent in Charge walked in and said, Hey, you've got really good technical writing skills. Where did you learn that from? And I said, Well, I was a history major in college, and being able to research and spend all that time looking through the data. I found later in life, when I was doing these cyber investigations, I had the patience and the acumen to just, you know, comb through lots and lots of pages and data, and spend the hours finding that link to give you the evidence you need to prosecute somebody, or the evidence to locate a cyber criminal.
So having that ability and being able to teach that to others, to make them practitioners as well, to have them sit in a classroom now at Tulsa University, to have somebody who's, in a sense, who's been there, done that, has the theoretical knowledge and has been a practitioner in cyber operations, I think is very beneficial to students, because you want to see how what you're learning is going to be used in a practical application right out in your profession. Yeah. And I think that's, that's kind of what I wanted to be on. Like I said, those students that I was teaching, those police officers I was teaching, were like, Hey, we believe in what you're doing because you've been there, done that. And I, luckily, Tulsa has given me an opportunity to bring that into the classroom now.

3:19  
When you were first involved with the Secret Service into the cyber investigations and the cyber crime units, was the agency still in the early days of these investigations? Or was it a finely tuned machine when you joined and you just basically jumped in and helped out? Or were you in the early days of that?

3:41  
No, I came into their electronic crimes group probably 10, 12 years after its formation. Of really, really moving. A buddy of mine was, because I still remember it was 9/11, he was actually at the Federal Law Enforcement Training Academy in our cyber training program on 9/11, and that was probably 11 years before I got, I returned to the field from protective operations and was able to dive in at the request of the Special Agent in Charge, who assured me I was going to do well. Right, right. I doubted it at the moment, but I believe it. I believed in education, and like I said, the program was, obviously it's midway. And where we are from 2010 and 2011 to where the Secret Service is now is amazing. We have some really, really smart individuals who, I think at times are underutilized by the agency, but there's some really smart people operating and doing good work to serve, serve our country, serve our community.

4:53  
Obviously, like, the high-profile things that you hear about the Secret Service is, you know, basically, to protect the president and protect, you know, other officials in the government. But, you know, the cyber crime stuff, you know, doesn't usually get a spotlight. Is that, is that something that you liked having, or like not being in the spotlight? Or was it, would you wish that you, or do you wish it was like, I just wish more people knew what I did?

5:17  
Now we, I like to fly under the radar. That's what the Secret Service does. And that's probably, I mean, they've got a good LinkedIn page going, but they're not known, right? They're not known for promoting themselves, and sometimes I think that's a detriment, because we do a lot of good work. I did a lot of good work that was never, will never be known. Yeah, in some ways that's probably good. Okay.

5:44  
You could just tell me on the show if you want. But I do want to get to a couple of the questions here. So as you look back over the last 20 years in your involvement with the Secret Service and the world of cybersecurity, are we as humans, are we getting better or worse at dealing with the cyber crime? And I want, I want you to answer in terms of different groups here, because, you know, there's the regular end users and consumers, there are businesses that need to protect their data, and then there's governments and public spaces that are protecting access to certain systems. So as you look, you know, are we generally getting better, you know, than the early days, or are we still making way too many mistakes here?

6:26  
Well, I think we're making mistakes, but it's kind of a mixed bag with, you know, as technology advances and users get smarter, the balance, see the bad guys, you get users on both sides, right? You got bad guys, you got good guys. That's, that's kind of how you break it down. But really, with regular users, it's worse because there's a lot of misinformation and disinformation online that poses challenges to really find credible information that you can learn from. But on that same token, being a mixed bag, all this information that's out there, if you're willing to search for accessible resources and educate yourself appropriately, you can protect yourself being online. This is, again, we're talking about a mixed bag. I mean, the positives are, you know, that if they're willing to increase investment in cybersecurity, put in more robust security measures, work with and plan their incident response, look at regulatory compliance, that can help keep evolving threats at bay. But on the backside of that, right, it's worse in the sense that businesses don't really understand how to protect their data, right? How to prevent a high-profile breach from occurring. And so that's where they need to hire the right people and get the right people in place to understand how to protect data. But if you're a CEO of a company, and you don't know much about cybersecurity, how do you know you're actually hiring the right person?

8:02  
So, so as we go through some of these different groups, what are the biggest mistakes that a lot of these groups will make when it comes to cybersecurity? Because an end user is probably making different mistakes than a business that's, you know, set up to protect its own data, like there are different levels of mistakes that people make, right?

8:22  
Yeah, absolutely. And really it's just that human factor, where everybody wants to be very helpful, and that finger, that neurological reflex to click on something right away, right? You get your hand on that mouse, and you start your daily process. It's just automatic, and you may miss something that was different today on your computer, or you may click something that, you're just trying to, you know, get booted up and get to your morning coffee, and that one mistake, or you answer a phone call and get distracted and give somebody an answer that weren't attended to. And it doesn't have to be really any more nefarious than that. I mean, we can get into the weeds and talk about malware and how, you know, people can hack your network. But a lot of these are, it doesn't matter how robust your network is, it's the end user, whether it's a regular user or business or even governments, right? Yeah, because governments, you're dealing with legacy systems, and you don't know how old and processed some of our government agencies are, and the funding that they have, and they're getting the, I'd say the government's getting better at it, but there are still some, some departments out there that don't have budgets, and that could be from a myriad of things, of people in positions who don't quite understand the necessities of securing networks and the data, or just simply not having a budget.

9:47  
Before the show, we talked about some of these mistakes, and you were telling me about passive reconnaissance, and that it might be on the rise. Can you explain what passive reconnaissance is from a security standpoint?

10:05  
Passive reconnaissance is just really nefarious actors looking at you through open source information that you're inadvertently putting onto the web, out into the social media space, and I saw it a lot of times. And because it's a double-edged sword, you want to promote your company, but then, when you have record profit, and then you identify that your comptroller or your treasurer or your CEO is managing a $5 million or $25 million or $100 million budget, you're inadvertently making them a target. And as a bad guy, I can just simply log on to your page, your marketing page, and just learn about who you are and what you're doing. So that's kind of what passive reconnaissance is. You're not really being actively looked at, but you've got, when I say actively looked at, like actively being physically touched or targeted, it's just they're using open source publications. And then that also could be a technical aspect of just scanning your network and then finding out what ports you're operating on, and then you can even look at social engineering. Right now, you're getting just random phone calls. You're getting emails, phishing attempts, stuff like that. So that's kind of the passive stuff, but really it's open source, where you're inadvertently providing knowledge to nefarious actors about your process, and that could be taking a picture of, like, a lot of times when I was doing critical systems protection advances, I would find that people were taking photographs in very sensitive places and posting them on the net. You don't need to be flying a jet aircraft and taking a photo of yourself in the cockpit and posting it on Facebook with a caption, you know, saying you're somewhere, you know, 50,000 feet over Korea. Probably not a good idea to be posting that online. So that's kind of what we talked about.
Passive reconnaissance is, you're inadvertently making yourself a target through sources that you don't necessarily see as a nefarious opportunity.

12:25  
And you would see that on an end user side as well, or an employee of a company, just on their regular social media pages, right? You could, you could, all you know, if someone's like, Oh, hey, I just bought a new Ferrari, or I just got this new Porsche, look how great I am. And I see this on LinkedIn even. I mean, you know, that's, you shouldn't really see that. Like, does that make yourself a target for a potential, you know, phishing scam or trying to steal your money, if we know that you've got the money, right?

12:52  
Oh, absolutely, that's, you're making yourself a target. And it's like, again, double-edged sword. It seems like everything we do in cyber is, there's a good and a bad component to it, and trying to find that happy medium, well, to secure it always.

13:07  
Do companies, if they might not realize that they're doing this, should they take a look at what they're posting and going, Oh, maybe we shouldn't reveal this, but they do have to reveal some information if they're a public company, through regulations and things like that, correct?

13:23  
Absolutely. And that's where our regulators need to look at maybe, you know, maybe that information, because we, we want to be transparent, right? Transparency helps our processes and accountability, and sometimes that transparency makes you a target. I can think of an instance where this company, it took them four months to figure out that, they reported record profits, identified their treasurer, and in their press release, they said their treasurer transfers $700,000 a week. So that poor treasurer now gets, how many emails started rolling in? Like, you could see, we went back and pulled the network traffic. You could see the amount of information in the email box that just increased by thousands of emails a week, trying to process what is now legitimate and what is phishing. And this individual wound up clicking on a phishing scam, thought she was changing her passwords, and then at four o'clock in the morning, these random $700,000 transfers started going out, and there was no process in place that was checking, why is our treasurer logging in to their network right at 4am and making these $700,000 transfers? Then you got the frantic call to the Secret Service going, Hey, can you help us? We've got, you know, $7.8 million that's been transferred out over a four month period that we thought was legitimate that is not. How can we get that back?

14:51  
Yeah, yeah. Do businesses tend to be wary of contacting the Secret Service in cases like this? Like, do you feel like you were always brought in, you know, after that barn door was open?

15:05  
We try to do these community engagements to get you thinking about this ahead of time, yeah, because a lot of times, a lot of stress, I found that people were meeting each other for the very first time in a high stress environment during a breach investigation, and nobody's really friendly and willing enough to give a lot of good information to help you investigate when there's, like, nine lawyers in the room, right? Because everybody's worried about protecting their job and their livelihood, and it was intriguing to see the blame start to be placed and targeted. And that's another thing that I want to teach our cyber students at the University of Tulsa, is to be an advocate for yourself during that crisis response. And hopefully there's been an incident response plan in place, practice, a holistic environment where everybody is basically involved in cyber security of the company. Yeah, because a lot of times I was sitting in that room, and they want to know who they can blame, and then they pivot to the Secret Service, and they're like, Hey, how can you get our money back? How can you help us? And it's, again, it's after the fact. We're kind of like, we're here to catch bad guys. Yeah, and you should have had these processes in place early on, but given, given our investigative knowledge, and obviously, we're a, you know, it's a white collar crimes investigative agency in most cases, so we understand banking laws, and you start working with your banking counterparts to make, to try to, you know, trace those funds and keep them from leaving the United States and recalling them. Yeah.

16:45  
I wanted to ask you another question about some of the mistakes that people are making. And this is what I call the "I don't care" attitude that sometimes, when I'm talking about security with either colleagues or friends, you get this attitude of, for example, from a consumer, they always go, Well, you know, my data's already out there. So why should I bother about cybersecurity? You get that, you know, we're all, we're all screwed anyway. So, you know, why should I, you know, not write my passwords down on a Post-it note? But then, when you also get a similar thing with CEOs, don't you, you get, you know, CEOs that end up focusing on profits, or they end up blaming the IT guys, or other types of finger pointing that goes on, which also has a, maybe we don't care as much about security as we thought, as we should, even with the, it costs too much type of a thing. Like, so is that a problem that has been going away? Or do you see more of that these days?

17:42  
I think it's a problem that seems to be going away from my early days when I first got into cyber operations. Okay, you would see a lot of CEOs meeting their chief information officers and their IT representatives for the first time during that breach event, which is clearly not the, not the best time to be meeting somebody for the first time. And that's where you start seeing, like, the whole path, where they clearly didn't prepare because they're involved in, like, a network upgrade, and nobody, you know, the CEO is working on the business side of things, but he didn't communicate that reason why to the IT folks, right? And the IT folks are talking in vernacular and jargon that's totally foreign to the CEO, and they were just butting heads in the middle. And then the blame game starts. And in one of these cases, we had a group with a CEO. They have the contract that allowed them to outsource the upgrade. So they wound up having, like, four or five subcontracts in place that the IT network, IT guys never even knew was going on. And it turns out the upgrade was being performed by three guys in Pakistan. So that's clearly a disconnect, but I've seen over the years that that gap has begun to close, and there's a better holistic environment where these teams are working together and planning, but you can definitely, when I was brought in to investigate a breach, you could definitely tell who was practiced in their scenarios and they have an incident response plan and who wasn't. And a lot of that was just from the stress in the room. You could just see the elevation of it.

19:31  
What is the one thing that makes you want to scream when it comes to cybersecurity practices? Is it that not enough people are trained about it, is the is training getting better? Is there, or is there something else out there?

19:47  
Now the training is getting better. It's just what, what makes me want to scream is just that, that autopilot, that humans, they're not looking at their, I'm just here, process, you know, my job. And when you access a company's network, when you touch their computer to log on, you now have pretty much the complete access, right? And you can talk about segmentation, or what have you, isolation of systems. But when you're an employee touching your company's network, that's where you really need to be paying attention. And so many times, again, I've been in rooms where the CEO was like, Well, I needed to wire this $100,000 over here, but I was trying to buy my wife a Christmas present. So I was online on the computer, and I got confused. And you're like, those two processes should never have been occurring on the same computer, and then your attention should have been laser focused when you're accessing your company's network with your company's money. So that's the frustrating part, is a lot of people don't realize that where you are in the company, no matter what level, if you're given a company computer that accesses the company network, you're an important individual, and what you're doing on that network could have, you know, large consequences for your company and really your job.

21:12  
Have you seen the different types of attacks change over the years? You know, whether it's, you know, I think initially, a lot of the cyber crime stories that we would hear about would be, you know, we were there to take down a system, like, we're going to shut down this website. We're going to shut down the company for a while, or, you know, and those seem to have been going away, and now we see more and more. We're going to steal data because we want to sell it, or we want to make money, or we want to hold the company ransom, you know, you know, or just having access and then just sitting there and waiting or selling that data like, you know, what are you seeing more or less of, or is it just a combination of all three, and you just see things go up and down depending on the day of the week?

21:56  
Well, no, it's like you said, right? The landscape of cyber attacks has definitely evolved, and up until about 2000, right, we wanted, I say we, like nefarious actors, wanted disruption, notoriety. We're dealing with viruses, worms, denial of service, right? And it was more showing we have the prowess to do things. And then as the 2000s evolved, we started looking at data theft, and the move to e-commerce created the banking credentials. All of a sudden, like, hey, wait a minute, if I can steal your banking credentials, I can wipe out your bank account. So, right, so we saw that, you know, that evolution of phishing, malware, SQL injections, identity theft, and there's really that e-commerce boom that kind of made that a lucrative operation. And then, really, since I would say 2010, coming forward, now you're getting kind of a combination of all three, because that disruption that we thought was just for notoriety is now actually kind of a nation state event, like, if I can disrupt your water, your power. Like, people, when I mention cyber attacks, I talk about Die Hard, and, like, How's Die Hard a cyber movie? And I'm like, they took over Nakatomi tower, man. Right, yeah, took over a building. They got into the system. So that's kind of what you're seeing now. And so it's really, really, currently, you've got your financial gain is a clear, a clear avenue, and it's, it's whether it's selling the access is key. A lot of people just break into the network, do some quick modifications, create that back door for that persistent access, and then sell the access. That's what, that's what ransomware individuals, when your company gets ransomware, they're not understanding that you're paying to get your access back, which you don't want to do, because you think, you think you're paying to get your data back, but you're not. You're just paying to get your access back, and your data is going to be sold on the dark web. Yeah.
So, and they may not even give you access back. So really now it's a combination of all three, with ransomware, supply chain attacks, you've got your advanced persistent threats, and that motivation runs from financial gain to espionage to sabotage.

24:15  
I want to get back to the ransomware thing. There were some pretty high-profile stories the last couple months of companies that, their access was shut down so much that they decided they had to do it. I think the MGM Resorts case was one of them where someone paid. Well, no, the MGM Resorts, they didn't pay, but the other company did. I think Caesars did pay, and then they were not taken down. But then I think the United Healthcare hack, they did end up paying, and we also hear of hospitals paying, and just because, again, it's a life or death critical situation, and the CEOs have to make that decision, like, do I? So does that frustrate you that more and more companies are actually paying the ransom?

25:00  
It’s frustrating, but you can see where they, especially with hospitals, right? It's kind of a, it's really unfair, like to your targeting.

25:13  
Well, no one ever said the criminals were fair.

25:16  
Right, exactly, right. They don't care, right? Because they're gonna go after the most vulnerable target because they know there's more incentive to pay. Yeah, and then, if they can, in some ways, some cases, if they can make you look silly doing it, they're going to. But, yeah, hospitals are victimized, but that goes back to reason zinc, like with these users, who you have to protect your data, to not only protect yourself, but to protect others that are doing business with you, and that gets you into your whole defense in depth, defense in breadth strategies and who you're allowing into your network, and those partnerships really need to be defined and well versed. Because everybody, nobody wants different individuals really inside of their business operations, and maybe you know how to trade secret theft or some other business operation taken from them, but when you're partnering with multiple vendors, there's got to be a meeting in the room with all of these vendors to help you understand how you do your cybersecurity, and how I do my cybersecurity, and how that can merge and be holistic, and we're both protected, and that you're going to notify me if there's a strange occurrence, right? And you still don't see a lot of that, that partnership with your defense in breadth strategy to bring those, those forces in line. I've worked with a lot of school districts who had to just shut down all of their external operations because they didn't have those meetings ahead of time, where it wasn't so much as them. They shut down some of them, but when they notified their vendors that they had a breach, their vendors locked them out so they couldn't communicate, yeah, which made lunch deliverables hard, medical supplies, janitorial supplies, deliveries, a lot of, you know, functional processes that got delayed because they didn't have that cybersecurity discussion early on.

27:16  
It’s a downside of digitization. It's the you've digitized everything, and then now you have to shut it down. You have to remember what the paper, pen and paper process was for a lot of these things.

27:25  
There's a few of the companies I've worked with that's part of their incident response plan, which I was like, kudos to them, as they practice. Here's what if we have to go back to paper invoicing. Here's how we do it old school. Yeah, yeah. And everybody's trained on it.

27:40  
That came up during the pharmacy discussion, because all of these prescriptions that were being written were electronically delivered to this company, and then they got hacked. So you had all of these doctors who were like, I don't know how to write a prescription, or they forgot, or they, you know, they couldn't find the pads of paper that they used to have to write all these things. So, it's a, yeah, I mean, that boggles my mind sometimes too.

28:04  
It's intriguing as we go through life and we digitize our world that we still can't forget the past. We've got to learn from that. We still got to have knowledge, yeah, of that understanding, of that process, because if you don't, unless you've got really good backups, and can have a clean, isolated backup come up quicker, your downtime is going to kill you.

28:32  
So we could go down the road of talking about apocalyptic scenarios, of whether or not you know we're you know, most people are not going to remember how to, like plant a garden to survive in the world anyway. I don't want to talk about that right now. So are we winning or losing the battle for, you know, the security of our systems? You know, we keep hearing about an arms race where it's like the bad guys, you know, get ahead, we catch up. We might get a little bit ahead, but then the bad guys catch up, like, you know, as you look at the space now, you know, are we, are we tied, or it feels like we're behind?

29:09  
You know, it's really like a pretty good match, because we'll wind up ahead, then we'll get behind, and it's just a constant ping pong match. And what was it, like the Volt Typhoon that they were just talking about, an advanced persistent threat that's out there where they're getting into critical systems that aren't necessarily what you would think for traditional cyber warfare, but they're accessing infrastructures that then are utilized to process, you know, electronic components to gain access to certain, you know, waterways or dams or electricity, okay, facilities. Um, yeah, so. And then you see the United States come out with, Hey, we know it's there. So that's that, you know, that press release that says, Yes, we know you're there. We're not able to catch you right away. We're not really understanding how you're doing it, but we know you've exfiltrated data. We know you're inside certain networks. And that's just that, that kind of, I guess, I don't think you want to call it diplomacy, but it's just that 50/50 battle.

30:29  
I was gonna say cat and mouse. It's kind of like a cat and mouse game between, yeah, for sure.

30:34  
I don't think we're sometimes we're ahead and sometimes we're behind. That's just going to be the which that could take us into a discussion about AI, right, depending on how good and even how you want to use that technology for good or evil. But we're it's 50/50, right? Yeah, mouse, I can't really say. Sometimes I wonder being a government employee. Sometimes I wonder. But like I said, we've got some smart cookies working for us, and if we just get them in the right spots, we'll be ahead for a few, hopefully a few years. Okay,

31:07  
So that leads me to another question, where, you know, we always assume that people in the companies or the governments are the ones that are making mistakes, like we talk a lot about the dumb mistakes that people make that allow hackers to get into the system. But do you know, do the bad guys also make mistakes? Are they doing some dumb things that allow you to catch them? Because you never really hear about how, you know, either the Secret Service or how, you know, law enforcement ends up catching these criminals, or is it just so dull and dry that nobody really cares about how you caught them and they just care that you caught them?

31:45  
Well, there's certain, when you, especially coming from my background, there's certain tactics that, when we identify that that's the tactic or the malware that was used, it gives us an idea of attribution, of whether that nation state is tied to certain countries. And there was a, it just seemed like a lot of time when I was dealing with actors that were tied to, it's kind of funny, tied to Russia or the Ukraine, when you're tracking them back and you're trying to find them, they were using acronyms or things related to the Simpsons. So when you find something, you'd find it, like, something was registered to Bart Simpson at 123 Fake Street. You're like, well, that kind of gave you an idea of who you were actually tracking and what actor it was. So there's little keys of attribution that you learned over time. And then just that, this one group liked to use the Simpsons, you know, as their calling cards, it gave you an idea of, oh, okay, now we know who we're dealing with. Now we know what regions of the world we're going to. Okay, and, but a lot of it, a lot of the stuff we did wound up being classified, because you start learning those attributions, and you don't want to give up to the outside world that you're on their trail.

33:16  
Okay, so, yeah, because there was a story a couple months ago, I think, where it may have been part of the group that was responsible for the MGM hack, and then the Law Enforcement Task Force, or whatever, whatever group is trying to find these guys, they were able to get into one of this one guy's servers, and then he had, it was basically because the guy himself had forgotten to secure that one server. So it did feel like, and then they, you know, the law enforcement group was like, yeah, we've got your systems now. And then it was like, back and forth via Twitter or some other kind of Discord discussion where they're like, no, no, don't worry about it. I shut that one down. You'll never find me. Here's, you know, I'm gonna drive my Porsche around. And it was this back and forth. It made me think about, like, well, sometimes even the hackers kind of make goofy mistakes. That allows law enforcement. So I guess that's why I was thinking about that in, oh, you know, or again, or is it just that they forgot to, they left the system on, and that's how you were able to find them. I guess. I don't want to know exactly how you guys catch the bad guys, but you do catch them at some point, right?

34:33  
Yeah, and I've had cases where they do something silly, where they're, they're, they're logging into this, this, you know, large retailer's network to pull skimmed credit card data, and then they pivot and place an order for a certain pill at a local pharmacy and then have it shipped so we can match the IP, right? You're like, why did you decide to stay on your network and order your necessary meds?

35:05  
Like the example you're giving of the CEO that was transferring money, but then also had to buy something for his wife and was using the same computer. You see the same thing with the bad guys too.

35:15  
Then they want to, and again, goes back to oversharing, right? They want to post stuff. And when you're looking at people, and you have an idea of this could be the certain group you're looking at, and you've kind of generated an identity, they start posting things like, like, I had a case where I was doing a counterfeit case, where the guy held up all this money, money, money in his hands. Well, then I could just pull the serial numbers off right there from his post and punch them into our system. And it goes, Yeah, that's the counterfeit bill, was first seen wherever it was, right? And I'm like, well, there's your evidence right there. We actually, we were able to capture a cyber criminal because he posted a photo of and we were able to figure out that from the back door, the door, or the door he was standing in front of, which hotel that was in that foreign country. Wow. So it's just, you know, sometimes they do silly things that they think is inept and then we, and then we have, one of my buddies did a lot of undercover stuff where he met with individuals overseas, and so that gets, there's your active reconnaissance, right, your active surveillance, right? Which was great.

36:30  
What are your thoughts on artificial intelligence and some of the generative AI stories that we're hearing about? It's going to allow, it's going to be used by the bad guys. But it's also, we also hear people on this, on the security side, that are saying that generative AI will be able to help kind of stop a lot of these attacks, or at least prevent them. Like, do you have a position on one way or the other about what a cybersecurity official should know about generative AI? Yeah,

36:59  
I think, in the realm of predictive and analytics, understanding how your network operates and what what anomalies can be targeted from having AI operating on your system that can hopefully be an earlier warning system. You can probably use it for enhanced authentication when it comes to biometric authentication systems, right? Provide a more secure, reliable way to log in, that way to verify users, and it just kind of, it can be used, I think, to give you an improved defense overall, vast amounts of data quickly.

37:39  
On the other hand, are you also concerned about a lot of the stories around deep fakes and audio cloning, audio, voice phishing and things like that?

37:50  
It's intriguing, because when I first came into the Secret Service, when we'd photograph evidence or photograph our suspect, we had to use a Polaroid, and then you would, you know, have this, the bad guy sign that, and you'd sign the back of it, and then another agent would sign it, so you had a witness. And it seems like with that process now occurring, that we need to, we're having to go back to Polaroids, because you're now having to, like, the other day, we did a family photo because my parents were in town, but my brother-in-law wasn't there. I sent it over to my daughter. When I got it back, my brother-in-law was now in the photo, right? So you're now having to go dig deeper into the photograph to look at the metadata, to figure out what changes have occurred. So you can't take things at face value anymore, right? Looking at a video in this voice stuff is, but there are ways to, you know, disprove what it is, but it's kind of like, once that accusation is made that you're a bad guy and you're found not guilty, it's, you can't really go back to your previous job in most cases, right? You know, slander may not stick, but it stains, is kind of the way I look at that. And that generative, generative process with deep fakes, it creates doubt where I think you can be, you can be cruelly victimized from that, using AI in that way.

39:17  
So it feels like, if you start seeing a lot of this that you have to as an end user or a potential victim, you have to really double check or verify, trust no one that you know that the request is legit, right?

39:34  
Absolutely, you take it at face value, but don't take it as 100% accurate.

39:38  
What are some of the biggest tips that you give to your students when they come into your you know, cyber, you know, security, cyber studies class, like, do they come in with it, with a with a general knowledge, and they, they're like, Oh, I would never do that. Or are they? Are they young and fresh? And, you know, you have to mold them into cyber security officials.

40:00  
I think they're young and fresh, and they have a very, a very naive aspect of what, what being a cyber security professional is. And then when I start talking to them about professional liability insurance, they're like, What? Yeah, when you're sitting in a room and everybody's going to pivot to the IT people, if there's a data breach, and you want to be able to protect your spouse, especially if everybody starts laying blame. And I've seen that where now the CEO is cleared of any wrongdoing, and then the CISO gets cleared, and then it all starts rolling downhill, and it's unfairly placed at the IT level. And you want to be able to protect yourself in that way, and that's why we also teach surviving the conversation. A lot of times, I was in these rooms where you got wicked smart people running their networks, but they're not exactly socially prepared to communicate well with others. And that's what we're trying to do at Tulsa, is, not only do we have the technical acumen, but we're trying to teach social skills under pressure, that a lot of these kids, I say kids, right? They remind me every time, I've got a good dose of being reminded that I'm old. So which was when you're using Top Gun references, and everybody looks at you like, what are you, like, what are you talking about? You're like, Oh, my God.

41:20
Well, they did make a sequel.

41:26  
Exactly right? That's what I said. I'm like, check it out. So that's, that's what I'm, we're trying to teach them how to, you know, advocate for themselves, communicate effectively, especially taking technical jargon that sounds foreign to people and putting it in a way that regular users can understand, and then help them understand the business side. And that's, that's what with the Cyber Studies program at Tulsa University, you're getting professors from MBAs, from psychology and how you're using these tools, and how they're being utilized in the digital world. Then you have, you know, guys like me, who come from chasing bad guys, understanding network investors, and how you can quickly go in and mitigate and help remediate, and then get the necessary evidence to quickly find the trail that you need for the infiltration, the aggregation, the exfiltration, is there persistent access in a network? Yeah? So in, obviously, you're teaching defense in depth strategies, you know, password protection. It doesn't have to be something magical, it just has to be sophisticated.

42:35  
So is that something that that's new within the last couple of years, where universities are starting to teach almost like personal life skills or or social skills, versus just the hard and fact, you know, hardened rules of, you know, code, for example, for a lot of these, these security people, because, again, don't, don't, don't. These students tend to be introverted, if you're into the technical jargon side of things?

43:02  
Yeah, absolutely. And I've talked to a couple of our graduates who left our graduate program and went to work for like, you know, the NSA, and they said they were very naive to the fact that now I'm sitting in a room with no windows, and I'm working 10-, 12-hour shifts, and I don't see anybody other than my computer in front of me, and that, that's, there's, there's got to be a balance, right? A good work-life balance. And just because you're working in a cyber role, a cyber security role, a cyber intelligence role, we want to make sure they truly understand that if that's the career they're going into, that that work environment is going to be such as that you're in a dark room. So what are you doing outside of that? And we really start, at least for me, I emphasize to my students that it's health, right, mental health, physical health. If those two things are in line, work, personal, are going to succeed, and there's nothing wrong with asking for help in either, either of those areas, but you've got to take care of you first. And if your physical health and your mental health are not good, then personal relationships fail. Working environments fail, and work product fails. And that I've really taken from the Secret Service, is that you got to take care of you first, especially, you know, because you're protecting the president, you need to be in good mental health, physical health, and that really rolls over as a cybersecurity professional too, especially when you're, because you're battling, I'm looking at these young kids coming into Tulsa, and I'm going, my gosh, you're potentially going to be the guy going up against a nation state actor attacking your network. And how are we going to make you successful? To understand the clues and the techniques to mitigate that quickly and help you not only save your job, but build rapport and reputation within your group that makes people understand that you are a capable individual that can, is really helping our company. They succeed in the cyber realm.

45:01  
So I've got to ask this question, since you were a Secret Service agent, so does, does Hollywood get the idea of the Secret Service? Do they get it right? Or do they do, is it just grossly over-exaggerated, and then even in the cyber crime and cybersecurity space, is there, is there a movie or a TV show that got it right, or is it just, is it? Is it just Hollywood? And we should, that's not what really goes on. Like, what's the closest movie?

45:30  
Well, I mean, clearly it's White House Down, right? Olympus Has Fallen. I mean, that's, we're all rock stars. We're battling guys. That's what we do on a daily basis.

45:37  
Alright, I'm sensing some sarcasm there.

45:43  
Yeah, it's really, if you're gonna be a Secret Service agent, you're gonna be in a balance between Guarding Tess and In the Line of Fire, okay? And reality kind of falls within that domain depending on your assignment. So yeah, but I always tell people like, I love Enemy of the State, Mr. Robot. I just found, my students turned me on to that. So that was a great hacking movie. But, yeah, it's just funny when you, when you interview bad guys, I'd always use, you know, hey, you've seen that movie, Enemy of the State. And they're like, Yeah, I'm like, well, that's for real. That's how we found you. And they were just like, what, I can't, you know, and I can trick you at times, right? But that's just a way to try to gain compliance and certain techniques to help, you know, obtain confessions when you need to, but after you've successfully Mirandized and all that, that's, you know, that's how that goes, right, right? Yeah, but there's nothing, I mean, really, there's no movie out there that I think accurately portrays in some ways, like White House Down, or Olympus Has Fallen. What's the key takeaway there is that for their attack to work in those movies, an insider was the problem, right? Human elements. And that really goes back to our cybersecurity discussion of people, processes and technology people, no matter how robust your network is, no matter how robust your security is, if there's a breakdown with your people in the access or in the process or building the technology, then you have a failure. And that's, and that's what I like about Hollywood, is that the only way for people to beat the Secret Service is you have to compromise an agent. And that's never going to happen, because we're worthy of trust and confidence.

47:37  
All right, Professor Miller, thank you so much for being on the show today and again, great stories from your experience and in the cyberspace. So thank you.

47:48  
Absolutely. 

47:50  
That's all the time we have for today's episode. Don't forget to like the video, subscribe to the channel, add any comments you have below. Join us every week for new episodes of Today In Tech. I'm Keith Shaw, thanks for watching.