Higher Education under Cyber Attack. Clemson CISO John Hoyt.
Cyber Crime Junkies, May 23, 2026

John Hoyt, the CISO of Clemson University, shares his journey into cybersecurity and discusses the top cyber risks in higher education. He recounts his first experience with an ethical hacker and how it sparked his interest in the field. Hoyt emphasizes the importance of cyber resiliency and preparedness in the face of evolving threats. We discuss how higher education is targeted for cyber crime, top tactics used in social engineering, cost-effective practices to limit cyber liability, why intelligence gathering is critical to security, the importance of visibility into operational risk, the most common hacking tactics, and a new approach to building a security culture.

Takeaways

  • Cybersecurity in higher education faces unique challenges 
  • Social engineering, particularly through job scams and impersonation, is a significant threat in higher education.
  • Cyber resiliency and preparedness are crucial in mitigating cyber risks 
  • Education and awareness are key 
  • Collaboration and information sharing between organizations are essential 
  • Creating a student-run SOC can be a valuable initiative
  • Breaking into cybersecurity requires passion, interest, and a willingness to continuously learn and adapt.

 

Chapters


  • 00:00 Introduction and Background
  • 01:30 First Experience with Ethical Hacker
  • 06:32 Transition to Cybersecurity at Clemson University
  • 07:00 Cyber Risks in Higher Education
  • 09:04 Cyber Resiliency and Preparedness
  • 11:18 Cyber Risks Faced by College Students
  • 15:06 Social Engineering and Cyber Education
  • 19:48 Collaboration and Information Sharing in Cybersecurity
  • 22:12 Challenges of Cybercrime and Law Enforcement
  • 28:15 Top Cyber Threats in Higher Education
  • 30:11 Threats and Vulnerabilities
  • 34:25 Creating a Student-Run SOC
  • 38:02 Breaking into Cybersecurity
  • 46:03 The Broad Scope of Cybersecurity
  • 50:47 Generative AI and its Impact
  • 51:32 Upcoming Events and Podcast



===========================================================

[00:01:09] Today's Cyber Crime Junkies this is your host David Mauro.

[00:01:14] We have in this episode John Hoyt, the CISO of Clemson University.

[00:01:19] And we're going to talk about the top cyber risks in higher education.

[00:01:24] We're going to talk cyber crime but we're also going to talk about what it's like to be

[00:01:29] in the trenches and to move your way up in organizations from help desk support to various

[00:01:39] networking roles and then to catapult your career into cyber leadership and what that really

[00:01:46] means.

[00:01:48] The overarching concerns all the different threats that face organizations of any kind in

[00:01:54] particular higher education and it's a great discussion.

[00:02:00] John also created a student run security operations center, a student run SOC that's right.

[00:02:08] And it's providing the graduates of Clemson unprecedented experience that is helping them

[00:02:15] launch careers in cyber security and beyond.

[00:02:20] And there's great other insight about breaches that we hear about in the news and how collaboration

[00:02:27] among organization information sharing is so critical today.

[00:02:31] So we hope you really enjoy it.

[00:02:32] This is the story of John Hoyt and top cyber risks in higher education.

[00:02:42] Come join us as we dive deeper behind the scenes of security in cyber crime today.

[00:02:48] Interviewing top technology leaders from around the world and sharing true cyber crime

[00:02:52] stories to raise awareness from the creators of vigilance.

[00:02:57] The newest global technology newsletter transmits cyber news into business language we all understand.

[00:03:05] So please help us keep this going by subscribing for free to our YouTube channel and downloading

[00:03:10] our podcast episodes on Apple and Spotify so we can continue to bring you more of what matters.

[00:03:17] This is cyber crime junkies, and now the show.

[00:03:31] Well welcome everybody to cyber crime junkies.

[00:03:34] I am your host David Mauro.

[00:03:36] In the studio today with us is John Hoyt.

[00:03:40] John is the CISO, the chief information security officer at Clemson University.

[00:03:46] He's been working in cyber security for over 16 years and began his career in IT back in 1999

[00:03:54] which I believe John we were worried about Y2K back then.

[00:03:58] Working for the city of Greenville in desktop support.

[00:04:02] His first experience with IT was when an ethical hacker hacked into the city's computer systems.

[00:04:09] I'm going to ask you about that during his career he's worked in hardware and software support

[00:04:15] as a UNIX and Windows system administrator as an and and also as an information security engineer

[00:04:24] and a SOC manager security operations center manager.

[00:04:27] He also served as director of information security deputy CISO and now has elevated himself

[00:04:34] to chief information security officer with Clemson.

[00:04:37] He's a published author and common in demand speaker on cyber security topics

[00:04:44] and assisted with cyber security courses at the university.

[00:04:47] He has a passion for IT security and helping people get into the field through mentorship

[00:04:53] and internships. He has four great children, a wonderful family and has been married for 23 years

[00:05:01] which by the way you should get a medal for at a fantastic moment welcome to the studio John.

[00:05:06] Yeah thanks David.

[00:05:07] Well I'm really excited about having you.

[00:05:10] Yeah thank you.

[00:05:11] So you know as we were preparing and talking earlier I didn't even know that your first experience

[00:05:19] with IT security involved an ethical hacker hacking into the city of Greenville's computer systems.

[00:05:26] Let's start there is that okay yeah we'll back up into what we had planned to talk about.

[00:05:31] Sounds good.

[00:05:32] So tell me about that story please share it with the listeners.

[00:05:35] Yeah so just working like you said Y2K was the thing everybody was worried much

[00:05:44] ado about nothing but it was a big deal and we got a report an email with a PDF that had a printout

[00:05:55] of this ethical hacker that said hey I've broken into your systems.

[00:06:00] I found all these weaknesses I found data on your systems and please hire me and I'll come in

[00:06:07] and fix it for you right.

[00:06:09] Well that's a pretty common that is a common approach in terms of bug bounties right.

[00:06:17] But back in the day that was pretty aggressive.

[00:06:21] Yeah it was even for me I think the cool I actually still have the report I have the printout

[00:06:27] I kept it and what was cool that kind of triggered me into security was you know back then

[00:06:34] Cybersecurity was a voodoo black magic.

[00:06:38] Yeah you know you didn't know how to get into it you didn't know what the techniques were

[00:06:44] and so this PDF went through okay I use this tool that I'm enumerated this way then I move

[00:06:50] to this step and it wasn't the full breakdown but it was he moved laterally within the systems

[00:06:56] right right probably escalated privileges moved up right and interesting back then they didn't even

[00:07:02] have a firewall so it wasn't that hard.

[00:07:05] Is it bug?

[00:07:08] People today don't understand and some of our listeners don't even understand all the technology

[00:07:12] but in general like firewalls you know like basic right.

[00:07:18] Basic antivirus things like those don't stop they stop a lot right now right yeah but there's

[00:07:24] such a staple that the threat actors are are already beyond that they're already trying to get

[00:07:30] it in other ways yeah right but can you imagine like the days where you don't even have that.

[00:07:35] Oh yeah the desktops were on the internet you know your personal computer was on the internet

[00:07:41] on the internet and so he went through that and that was like an aha moment.

[00:07:45] Oh yeah.

[00:07:46] This is something I could do okay I can I get it now and that put me on the path for

[00:07:52] okay this is where I want to go.

[00:07:54] So that event really kind of sparked your interest into while this was almost super human

[00:08:00] like this right.

[00:08:01] This was really powerful how what he demonstrated.

[00:08:06] Absolutely you know I had seen WarGames you know that was the thing is oh this

[00:08:10] this is so cool but you you could go and IRC forums in the old school forums and try to find

[00:08:16] how do you know how to do this you know there wasn't information out there wasn't you couldn't

[00:08:21] go Google and YouTube everything on all the techniques it wasn't there.

[00:08:25] And now they have complete classes online I mean you can learn everything.

[00:08:29] I mean when a new device comes out like flipper or whatever those like the new device comes

[00:08:34] out and instantly within a month you have like 200 different ways of using this to start a car

[00:08:41] get into a house all this different all different things.

[00:08:45] Spoiled yeah yeah the kids are spoiled today but yeah now it was it was the trigger for me to

[00:08:53] get on the path for cybersecurity.

[00:08:56] That's wonderful I love that's I was going to ask you kind of like what inspired you to do this

[00:09:01] as opposed to the the arduous task in the in the in the traditional career of network engineering

[00:09:08] help desk support serving people things like that.

[00:09:12] Yeah I still had to do all that too right yeah because there wasn't a entry level as it's

[00:09:17] people say today there's no entry level positions there weren't entry level positions then either

[00:09:22] right you just kind of have to migrate and as organizations evolve and mature kind of in their

[00:09:29] cybersecurity maturity then they create these roles right.

[00:09:33] Right that so for me I went to a system administrator role and was looking at cyber the whole time

[00:09:39] like how do I do this how do I do this yeah and was just lucky and knew somebody here at the

[00:09:44] university and they were built they had just built their cybersecurity program their folks their team

[00:09:50] and he's like hey I know you're interested we've got a spot we need people when you want to come talk

[00:09:56] to us and that's great yeah went back and or went over and you know haven't looked back I'm still here

[00:10:02] 2007. That is just fantastic I mean let's talk a little bit about kind of top cyber risks in higher

[00:10:10] education I mean cyber risk how higher education it's pretty I mean higher education is targeted

[00:10:17] quite a bit there's there's there's a lot of data I mean k12 is targeted too as well because

[00:10:24] most parents don't pull the credit right of children when they're younger and so people if

[00:10:31] they can capture that they can do identity theft sometimes for decades before parents know about

[00:10:37] it we've seen a lot of tragedy there but Clemson is a phenomenal university I mean let me just

[00:10:45] talk a little bit about Clemson I got this off the site and it's pretty amazing so for 130 years

[00:10:51] Clemson University has shown unwavering dedication to the people of South Carolina university

[00:10:56] was founded with a land grant mission an innovative vision to increase the material resources of

[00:11:02] the state as a high seminary of learning since that time university has grown in esteem

[00:11:08] and impact earning the R1 classification as one of the nation's most active research institutions

[00:11:15] developing international leaders and instilling the core values of honesty integrity

[00:11:19] and respect more than 160,000 graduates so like staying at Clemson moving up there dedicating your

[00:11:29] career there and then becoming the chief security officer that's no small feat congratulations

[00:11:35] yeah thank you yeah and in universities are and I say this often they are small cities

[00:11:41] you have it's a great way of thinking about it yeah they really are well we have

[00:11:45] it we have a water treatment plant we have a SCADA system we have a police department we have a

[00:11:51] fire department we have people that live on your network right uh you know they're here all the

[00:11:56] time they're on your systems all the time and they're coming from all over the world to come

[00:12:01] to Clemson so you know a lot of people call it the Wild West which it is but it's not as much as

[00:12:08] when I first started when I first started security was was not in the culture you know it's just

[00:12:14] we we're here the secret sauce for the faculty right and researchers and you can't tell them no

[00:12:21] right that was the thing no no no you can't make their job more difficult they got to be able to do

[00:12:26] what they need to do and that's that's where those these risks have come up that you see higher

[00:12:32] ed incidents and breaches have really changed the perspective for leadership and other higher ed

[00:12:38] say hey you know those are our those are our brethren we see what's happened to them you know we've

[00:12:43] got to do something here and make sure we shore up our security on such a challenge because

[00:12:49] the threat actors only have to be right once you guys have to I mean I think as defenders a lot of

[00:12:56] defenders don't get the credit they deserve right like there are so many things that you guys stop

[00:13:03] on a regular basis and catastrophes that that you that you avoid regularly that nobody really

[00:13:11] hears about right you know I mean you know it's like Batman the one person yeah exactly Batman

[00:13:18] but I mean like the one person that gets through right that will throw your data up on a leak

[00:13:24] site on the dark web or whatever like they're the ones that everybody finds out about at the end

[00:13:29] and then they're like well what what did you do wrong and it's like they didn't do anything like

[00:13:33] it's gonna happen like right things happen but there's to me there's a difference between a breach

[00:13:41] right one that occurs even though best practices were happening and it gets

[00:13:45] remediated relatively quickly it's responded well and a breach where it exposes like all

[00:13:52] these bad practices right where you where you just see this and you're like oh I can't believe

[00:13:57] they didn't get breached earlier like I can't believe this didn't happen five years ago right because

[00:14:02] it because of the media attention or the focus on it you you you you become aware of whether you're

[00:14:10] doing the best practices and you're you're doing as many good things as budgets will allow right

[00:14:16] and then as long as you're doing that everything generally works out pretty well

[00:14:22] that's what we've been seeing so it is and really it's cyber resiliency right it's just being

[00:14:28] prepared and preaching that to leadership that it's you know it's the sound of inevitability

[00:14:34] it's going to happen yeah um we want to do our best to mitigate it as quickly as possible

[00:14:39] we want to be prepared we want to train to be prepared for when it does happen you know

[00:14:44] and everybody talks about that but really putting it into action is best you can yeah and don't

[00:14:49] let's not let's not avoid the elephant in the room and that is the the the the Gen Z

[00:14:57] not even really the millennials anymore but the Gen Z the Gen Alpha group that you guys are

[00:15:04] they're going to be using your networks that are using your networks they are statistically

[00:15:11] at least more likely to fall for certain social engineering and certain tactics because they

[00:15:20] it's something about being what the data is showing is they they tend to be these digital natives

[00:15:25] right they tend to just assume you know hackers like ghosts in the wires are going to get in any way

[00:15:32] you know um and and and really a lot of what you guys do is educate all everybody

[00:15:38] educate the the the professors the researchers the staff the operations team as well as the

[00:15:45] students about you know digital hygiene cyber digital hygiene yeah it's actually that's a good topic

[00:15:53] we I helped with a class that we taught we taught social engineering actually use Chris

[00:16:00] Hadnagy's book Dark Waters, Phishing Dark Waters and um used topics from there and what we did

[00:16:08] is we there's the class it was not security folks they weren't cyber folks they were all walks of

[00:16:14] of degrees and majors and it was a technical writing class that most people have to take

[00:16:20] so we phished them initially like just phished them they're all the students we phished them

[00:16:26] and capture their score and then I taught on these topics about social engineering and

[00:16:32] and actually reviewed the phishing message that we sent them said hey here's the phishing message

[00:16:37] message we sent you interesting here's the things that you could have looked at they respond

[00:16:42] yeah you know just like most people oh you got me right you know they're like oh okay now I know

[00:16:47] right so there was like a few modules courses in the in the middle we phished them again

[00:16:54] and they did much better because we're literally showing them these this is how social engineering

[00:16:59] works this is how you are targeted and and it was actually for a free parking it was a raffle for

[00:17:04] a free parking so universities parking is like always the worst right right yeah so we were

[00:17:11] weren't sure but no it was great you know they like most of them fell for them finished it up and

[00:17:17] at the end we phished them at the end and then had them do a a presentation on what they learned

[00:17:24] and it was that was the coolest thing right to see them put together like a website of man my whole

[00:17:30] vision changed on what what security was and why I have to use two factor because most students

[00:17:36] you talk to like you know you're telling me from security they're like oh you're the guy that makes

[00:17:40] me have to use two factor right yes but this is why you know this is because this isn't this

[00:17:46] the balance between inconvenience and and harm right like right like cyber security

[00:17:55] is inconvenient but it's necessary right I mean and so as we can balance a little bit of

[00:18:01] inconvenience to avoid a major catastrophe then then then it's all worth it and we're seeing

[00:18:08] a shift to targeting students yeah over the of the last couple years and it's over faculty

[00:18:15] over faculty in faculty as well but we have more controls around and protections and

[00:18:20] visibility around faculty students are a little harder to put around because there's so many

[00:18:25] and right what they're doing why you've got everything using their own devices right right right

[00:18:31] so it's a lot of job scams hey you know I'm a and they use professors we met earlier can you walk

[00:18:38] the listeners through some of the cyber risk that that college students are facing yeah definitely

[00:18:44] so what they're doing they're doing research threat actors are doing their research and they'll go

[00:18:49] look at professors at Clemson at other universities too this is global worldwide I know it's

[00:18:56] US based for sure and they'll identify professors and they'll send a message to students and say hey

[00:19:03] a bunch of students we're looking for a research position work remotely you know all you have

[00:19:09] to do is you know this is super easy you're gonna make 300 bucks a week send us your resume they don't

[00:19:15] even look at their resume they just say send us your resume and they ask them to go look up the

[00:19:20] prices of some equipment like a computer a printer a calculator whatever and they send that back

[00:19:28] to oh you're hired congratulations now we're gonna send you a check your first check and oh by the way

[00:19:34] how much does your mobile do you do mobile banking okay great now you're definitely hired

[00:19:40] and how much does your mobile banking allow you to deposit what's your max limit which these

[00:19:45] should be alarm bells right right oh it's two thousand dollars okay well we're gonna send you a check

[00:19:51] and we want you to deposit through mobile banking and let us know as soon as you get that deposited

[00:19:58] and they do they deposit it and then they say okay great that was for your first week

[00:20:03] we were just testing the whole system to make sure it worked now send this back say they send

[00:20:07] you two thousand send us back a thousand dollars so they go and they send back a thousand dollars

[00:20:13] and then the check bounces and the banks calling the student and they're out you know money

[00:20:20] yeah and they're like oh and their account may get closed down and everything else and they have

[00:20:24] the wiring instructions or whatever right they've got oh yeah it's that they'll use Zelle or

[00:20:30] Katio cash out they're using all digital oh yeah yeah yeah yeah yeah so students you know these

[00:20:37] are poor students anyways and they're getting hit with this and all of a sudden they think it was

[00:20:42] a professor they were working with yep and oh no now you're out you know real money and you can't

[00:20:48] pay for food next week or so it's it's a big problem well yeah and those that that scam I see

[00:20:56] that often with with elderly too that that targets various you know utilities and and other forms

[00:21:07] and they're they're operated in various parts of other countries oftentimes they're huge call centers

[00:21:15] right like they've they it's very sophisticated like the way that they are able to socially engineer

[00:21:23] the people build confidence and for a struggling student I mean like an opportunity like that

[00:21:29] sounds great like right to be true it's too good to be true yeah for sure oh what a challenge

[00:21:37] what a challenge um you know one of the other things that that you've done for the last

[00:21:41] couple years is a cyber auxiliary member with the United States Marine Corps could you explain

[00:21:46] what that is like what's what all do you guys do there yeah you know I was involved because

[00:21:52] another friend of mine had got into that as a volunteer and really just just they're kind of when

[00:22:00] they have questions or as a mentor they may get a call spun up and they're asking questions about

[00:22:06] a specific product or a strategy and as they have cyber teams within within the Marines which I

[00:22:13] didn't know they even had cyber teams within the Marines they'll invite professionals to come in

[00:22:19] you have to get through a vetted process you know get get get all the background checks completed

[00:22:24] but they invite you in you come in you can just be there as a sounding board or be there to offer

[00:22:30] advice or just if they have a question like for example Splunk if they want to know they're using

[00:22:35] Splunk for example and they want to know have you used that okay please show up at this call

[00:22:40] and you can give submit bias on pros and cons or tactics and techniques so yeah it's a

[00:22:46] cool way to be involved yeah yeah what do you think in your research in your experience yeah

[00:22:54] several of the military arms as well as the federal agencies all have different cyber teams

[00:23:01] right and and there's a call recently to kind of have a US kind of combined because

[00:23:10] like each each branch of the military is kind of doing their own thing they're all doing well but

[00:23:16] they're all kind of doing the best practices in their own way they're a unique way what are your

[00:23:22] thoughts if they create like a national cohesive there be benefits to that whether we downsized I

[00:23:29] don't know if you know anything about that yeah I know like what your thoughts are that's a good

[00:23:33] question I have been involved with the with the National Guard just like I've worked with those guys

[00:23:39] they've come here and visited Clemson actually visited our our SOC and kind of wanted to know how

[00:23:44] we were operating in our local National Guard and talk to those folks talk to the Marines they are

[00:23:51] you know it's a good point they are all kind of in their silos right they're doing their own thing

[00:23:56] and maybe they're talking maybe they're not talking and I think that's a big deal and with CISA

[00:24:01] being a great example of how they're trying to collaborate all the information to disseminate it

[00:24:06] across everybody and in higher ed that's one of the thing coming from corporations to

[00:24:13] to Clemson to higher ed higher ed is all we're not competing you know and we're all in it together

[00:24:20] which everybody should be but you know when you're a corporation a corporation there's still something

[00:24:25] you might be holding back or you know there's some competitive competitiveness with that

[00:24:30] and in those silos in the government and military they're still silos there so I think

[00:24:37] the better we can collaborate that's what we need to do for sure yeah absolutely yeah and I

[00:24:42] think that information sharing between the private sector and the federal government and and

[00:24:49] agencies you know I think that is something that a lot of uh ISACs are trying to work on a lot of

[00:24:58] think tanks are trying to work on right now and I think that would be hugely beneficial because seeing

[00:25:04] what other you know see you know we all kind of know what we're supposed to be doing right but they

[00:25:10] all kind of have different threats depending on their sector right so seeing the tool sets that are

[00:25:17] used the best practices how they're actually rolled out it's one thing to have a list of things

[00:25:24] but everybody does them differently right and sorry it's really interesting to kind of uh

[00:25:31] have that information sharing um because I think that collectively then we we all kind of raise our

[00:25:38] level uh of defenses overall it's good to have some competition you know yeah

[00:25:45] and uh and I've seen those teams kind of compete in competitions which is great because they all

[00:25:50] bring their A game um but at the end of the day you know we it's us against the threat actors we

[00:25:56] all need to to help each other out right and one thing that a lot of uh listeners don't always

[00:26:01] realize is a lot of times the uh the threat actors live in parts of the world where

[00:26:09] they're not there's no consequences for them to do it like they can go and destroy lives

[00:26:16] interfere with health care treatment cancer treatment disrupt ruin somebody's financial

[00:26:23] condition destroy the reputation of of of businesses or universities whatever and there's no

[00:26:32] consequences to that right so long as they don't do it to one of the CIS countries like the

[00:26:40] the the Russian speaking or the Syrian or whatever it all kind of depends on which threat actor group

[00:26:46] we're talking but um that's something that's that's always shocking to so many people

[00:26:54] stay with us we'll be right back

[00:28:09] yeah you get the well who who are we going to arrest

[00:28:13] well yeah and how are you not gonna arrest anybody right yeah yeah I mean we do a lot we're

[00:28:20] we're part of InfraGard and so we work a lot with Department of Homeland Security and

[00:28:24] and the FBI and we've we have people on the on the podcast as well as other kind of public service

[00:28:32] presentations where we've done with a former heads in the FBI and and they're like

[00:28:38] unfortunately you people are not going to get their money back these guys are not going to

[00:28:43] get arrested like that's the general truth right that's the scary part now how do we defend and

[00:28:50] how do we you know I think in the last year we've been able to take down we meaning the the

[00:28:57] law enforcement generally from the from the from North America in collaboration with with the EU

[00:29:06] and the United Kingdom it looks like we've been able to take down quite a bit of these cyber

[00:29:11] crime gangs yeah I mean when you see the you know when you think about LockBit which was the

[00:29:17] top yeah it was the top in I mean they had more breaches and more revenue generated illegally but

[00:29:27] yeah they they run out like a big business they had more done than most of the others combined

[00:29:34] like they weren't even close to them and they got taken down in the way they did it was it was

[00:29:40] psychological operations I mean when you think about what breaches what these ransomware gangs do to us

[00:29:46] and due to organizations they destroy your reputation right and but what they recognized is how

[00:29:54] important the reputation is for cyber criminals cyber criminals go after other cyber criminals right

[00:30:01] there's no real honor among these right and and and by destroying their credibility there right

[00:30:08] they weren't able to attract and maintain and keep the level of of talent that they needed to

[00:30:17] run their operations then they got banned by their own Russian forums right then the feds went

[00:30:23] and took down their site their infrastructure and then by doing that they actually you know would post

[00:30:32] things kind of mocking them yeah I saw that showing them that which kind of showed look your

[00:30:38] reputation isn't all that good is it right it was one of the first times we've seen in a long time

[00:30:44] where we were playing not just the technical game but the political and and and um and psych ops

[00:30:55] basically uh approach yeah to that it was very effective yeah I was cheering yeah it was really

[00:31:02] it was really powerful see yeah I I I absolutely loved it um and then you saw BlackCat

[00:31:11] mm-hmm you know BlackCat which had been disrupted back in look a couple November December

[00:31:18] first it sounds right yeah in the fall by by a coordinated effort between federal law enforcement and

[00:31:25] and and and uh the NCA the UK's FBI essentially and then um and then they came back

[00:31:35] and had that Change Healthcare breach which was a big one um apparently got 222 million

[00:31:42] right and then said they claimed oh look the feds got us again and they put up the old

[00:31:49] the old notice that oh we were taken down meanwhile they ripped off their own criminals they

[00:31:55] ripped off their own hackers and basically did an exit scam yeah shocking right like everybody's

[00:32:01] sitting there watching this going is this really happening like you guys have no rules at all

[00:32:07] yeah yeah doesn't like do you guys not hang out at the same clubs or something like it's

[00:32:11] somebody not gonna like yeah is somebody not gonna like bump in you and go hey you know you owe me 22

[00:32:17] million right like can we like at least shore up like I it was just it was an amazing year to see

[00:32:24] and now it's going to be a totally different year because the two top and the reason we just talked

[00:32:29] about those is those were the two top like almost every breach you saw about in the news

[00:32:35] it involved one of those two essentially and now they're gone so now it'll be interesting to see

[00:32:42] some of these other vacuum power vacuum yeah the power vacuum happens fast yeah

[00:32:48] so and they rebrand a lot of these are the same people that were involved with Conti back in the

[00:32:53] day after they were taken down things like that so uh really really didn't mean to go down that

[00:32:59] down that hole but um uh several crimes kind of interesting it's like Batman yeah yeah basically

[00:33:06] that's what this is so in higher education and I'm gonna ask you about anything specific

[00:33:12] involving Clemson you guys do a phenomenal job but what you're seeing you see higher education more

[00:33:18] than more than other people in other industries so what are the what are some of the top

[00:33:24] like what are the what what do you say I mean clearly social engineering right phishing happens

[00:33:31] um the scenario that you talked about with the job scam while it scammers more than like

[00:33:37] ransomware gangs it still sounded like it it involved a level of business email compromise

[00:33:44] or not really it was more impersonation oh it was just more impersonation but we do we definitely see

[00:33:51] more levels of impersonation you know from executive leadership and even trying to get out of

[00:33:58] a lot of it is just getting out of our monitoring and detection and I think this is across whatever we

[00:34:04] see we usually check with other higher ed and they're like yep we us too right so they're

[00:34:10] emailing directly to personal email accounts of executive leadership impersonating

[00:34:16] the president or somebody else and saying hey and their name dropping the cfo their name

[00:34:22] dropping the coo hey you know can it still money mostly money related can you give me can you

[00:34:29] transfer me this money right but they're doing more homework for sure and a lot of OSINT a lot

[00:34:35] of resource intelligence tech you know vishing more that's I think it's still gonna increase right

[00:34:43] um and you know you saw the the AI being involved right and I'm sending these to my leadership

[00:34:50] like hey just be you know a healthy paranoia right trust but verify trust but verify we need

[00:34:56] to code word yeah right yeah and just education i think that's the difference yeah vigilance

[00:35:02] but that that's what we're seeing is more homework by the threat actors to target individuals

[00:35:09] and a finance department or just leadership executive leadership to try to get those

[00:35:15] folks hooked and then get them out of our system so even if they started and our email system

[00:35:22] they'll quickly say oh text me here or send me an email here because for whatever reason

[00:35:29] so then off the off the off the main off the main system to try to get our visibility out of it

[00:35:35] because then we're really relying on i mean you know there's not really great solution for text-based

[00:35:41] stopping text-based threats and identifying those um so that's they're clever i mean they're

[00:35:48] definitely clever um and still the big the big ones that you know social engineering and vulnerabilities

[00:35:54] right internet-exposed vulnerabilities MOVEit was huge for universities that was a big one if

[00:36:00] you look at a lot of university breaches last year they were around MOVEit most of them were

[00:36:06] around MOVEit which could have turned into also ransomware yeah but that was a big one.

[00:36:11] was run by MOVEit was the encrypted on one end and crypted on the other it was that file transfer

[00:36:18] program right talked about it on on our show numerous times we have several episodes on it

[00:36:24] I mean it's one of the largest just pure extortion campaigns in history um and it was

[00:36:29] it was run by it's still being still going on today and it's being run the campaign the

[00:36:36] criminal campaigns being run by the Clop ransomware gang but they're not really launching ransomware

[00:36:41] could have it doesn't seem like they have they've just looks like they've exploited

[00:36:46] the zero-day originally and and continue to get into either certain vulnerabilities or

[00:36:55] or or they still stemming off that original access that they had but um it hit a lot of

[00:37:02] organizations like massive just thousand and three out of the four major consulting firms

[00:37:09] right like the Ernst & Youngs in the in the and the Pricewaterhouse all of those

[00:37:16] see yeah and and you're seeing I would say you're seeing what I'm telling leadership is it is more

[00:37:21] extortion than necessarily encryption you know it's easier so let's head a less things you have

[00:37:27] to get detected get the data and get out if you can um so you know ransomware still a problem or

[00:37:34] that gang is still a problem even if it is extortion it's really turned almost into is it

[00:37:39] is it more like extortion as a service yes yeah yeah you know and they they create the leak sites

[00:37:45] and they publish right right absolutely what seems like you you you guys there at Clemson

[00:37:53] collaborate with other higher ed groups absolutely when you see things so that's phenomenal yeah um

[00:38:00] you don't really see that all that time all that often in the commercial private sector

[00:38:04] and it's because you see a domino it's right hey if we got hit you're going to get hit if you

[00:38:10] haven't gotten hit yet so it is a shotgun usually approached but then it's they'll try especially

[00:38:16] if they have success at one higher ed they know somebody else is probably running similar platforms

[00:38:23] or software and they will just hit as many higher eds as they can yeah um so it's it's it happens

[00:38:29] over and over again so we just try to get the word out you know sound the alarm hey we saw this

[00:38:35] you may be seeing this be ready and just just kind of always talking it it's just great

[00:38:40] it really is one of the best things I see with higher ed is just the collaboration

[00:38:45] yeah that's really important yeah for sure yeah um

[00:38:51] you I mean I don't want to let you go without you sharing the the story of creating like a student

[00:38:58] run SOC I mean I mean uh that is just a phenomenal like initiative that you guys created can you share

[00:39:08] with us that story I mean it is fantastic yeah it's one of the best things I've ever done really

[00:39:15] for my for me and for my career um and I almost decided not to do it but me back up you know in

[00:39:22] 2015 they were discussions like hey we're gonna build a SOC and at that time there was only like

[00:39:28] three people in cybersecurity me as the main engineer doing detection and architecting

[00:39:34] and basically doing all the groundwork and the tech work and we had a CISO and another guy

[00:39:39] and I'm like what who's gonna run this SOC right you know we I can't do my day job and manage

[00:39:46] students but um you know I decided I said hey I'm gonna put my name in the hat I don't know who

[00:39:52] y'all were thinking about um for this but I'm I love working with students I had a few interns

[00:39:58] a couple interns before this and said this I love working with students I'd love to do it right

[00:40:04] I don't know how I'm gonna do it but I'm glad to do it so they built a room had monitors had you

[00:40:09] know a desk had desk and a kind of a u-shape and it was cool it was like all dark and everything no

[00:40:15] windows um proper SOC and so we just put the word out and said hey you know hopefully if we

[00:40:22] build it you will come and we had three four five and then six or seven students come and they

[00:40:29] they had no idea what it was I didn't know what it was gonna be right um and we didn't know

[00:40:34] exactly how to filter for like who's the right student mainly based on passion like what do

[00:40:38] you know about cybersecurity yeah how interested are you in cybersecurity and uh and really right

[00:40:44] right out the gate it was a game changer like we were able to like for me an incident happens

[00:40:51] and I'm like okay force multiplier student A student B you know can you go look at this can

[00:40:57] you help me investigate this right and divide and conquer and even though they didn't have all

[00:41:02] the skills yet they were still giving him capes yeah they just still give him capes to go fight

[00:41:08] crime yeah and they're doing it on the job training right they're fighting fires with me so

[00:41:14] how much how great is that for them when they go interview and they're like hey I was involved

[00:41:20] with real incidents I helped protect Clemson and while I'm finished I finished my degree and got

[00:41:27] this real experience so we went from there and built to more students and then eventually I

[00:41:35] hired a SOC manager who I tricked into coming back he actually was my very first intern very

[00:41:41] first intern that's good social engineering yeah you know as I hate I need somebody help run

[00:41:46] the show please come back right now you're amazing I love bomb in the beginning we're telling

[00:41:52] you're the greatest come on back we're lucky to have you yes and you're like please do please I

[00:41:58] can't do everything now he's my deputy CISO so he was my first intern yeah it's awesome

[00:42:04] and the and the student run SOC is still always kids it's doing great we usually have about nine

[00:42:10] to ten students that are really and they could difference it's not just they're not doing tickets

[00:42:15] I mean they do just tickets but they're really doing real work yeah and then they go out there

[00:42:21] and they're they're killing it right they're ready to hit the street get a job because so many

[00:42:26] otherwise gorgeous graduate with the book knowledge right at the practical experience absolutely yeah

[00:42:32] oh that's fantastic that is like the greatest thing I've heard yeah that is really cool

[00:42:37] yeah that's really cool thank you so let's talk about other ways that people can can break into

[00:42:43] cyber security first of all I mean now you're the guest so I'm gonna let you tell me what what

[00:42:49] your ideas are especially since since you sit in that position in higher ed but I just want to say

[00:42:54] one thing and that is like cyber security is as broad of a term as business like it's really broad

[00:43:00] is it not like right there's so many like you could be highly technical and be able to break things

[00:43:07] down go offense go do ethical hacking like go become a hacker for the good side right but there's

[00:43:14] so many other roles why don't you walk us through the kind of what you've experienced what

[00:43:20] what suggestions you may have yeah you know a big thing I get most folks get us this all the time but

[00:43:28] is how passionate or how interested are you you may not know how passionate you're gonna be

[00:43:33] yet but it's a journey and in art do you want to be a CISO are you just trying to get your feet

[00:43:40] in the door and you don't really know what the security is and that's one thing we find when

[00:43:44] students they think you know they hear about security it's cool you get to hack things maybe right

[00:43:50] right um what do you know about cyber security is it something you really want to do because maybe

[00:43:55] it's not when you find out what the day job is um maybe it is and so that interest level how serious are

[00:44:03] you and then it is kind of choose your own adventure I think and that's how it was for me and now looking

[00:44:10] back as a CISO there's things I think I would have went on branches out ahead of time like more

[00:44:17] GRC more governance risk compliance knowledge along the way where I went more the technical route

[00:44:24] now I have to do both right I have to put both hats on depends on what the day is or the meeting

[00:44:29] or whatever yeah so in GRC for those not technical is governance risk compliance right right governance

[00:44:36] is the the the initiative the regulations the the um overarching right right

[00:44:47] right translation of cyber to the impact of the organization yeah risk is the risk management

[00:44:53] component compliance are the actual technical aspects of reaching certain levels of standards and

[00:45:00] control is absolutely and students now you know when like I was saying there wasn't there weren't

[00:45:06] entry level jobs when I started and now they they're going straight into a job normally or maybe

[00:45:15] they're starting they're not going in IT first right which is the advantage I had is I built up my

[00:45:21] IT skills and then I could use that as a platform to get into cyber security right mostly the need

[00:45:28] you know is so big you might go straight into an entry level security job and you won't have had

[00:45:34] those experiences of working at a help desk right getting called at 3 a.m. to fix a server um having

[00:45:42] to do you know whatever in IT and I do think that is good I don't say you have to do that but it's not

[00:45:48] a bad thing to do because it does give you language when you talk to those groups yes you can speak

[00:45:54] their language like you can talk to the if you've done development where you can talk to developers

[00:46:00] you can talk to system administrators you can talk to network engineers because it's another

[00:46:05] group that has their own lingo it's something that helps with the negotiation and

[00:46:09] and whether you realize it or not no matter what field you're in like there are multiple

[00:46:15] negotiations that we all do every single thing and part of it is internal and that is making an

[00:46:22] internal business case right and so by being in if you're in the cyber security role

[00:46:28] and you have to make your case to the technology network operations center right it really does help

[00:46:35] being able to speak their language and having to be like I've been there I you know I I know what

[00:46:41] that's like and being able to to guide them along the way and understanding that business

[00:46:48] speak right understanding the business motivations so that if you can't sell in security

[00:46:54] that the business side of the risk then you're going to have a hard time making your case

[00:47:00] well over security they should just do it and it doesn't work that way right no not at all right I

[00:47:05] mean and and here's a common thing we see in every industry including K-12 higher ed and commercial

[00:47:13] financial institutions you name it is there are needs that like the cyber security team has internally

[00:47:22] at the organization whether it's something they're building or something they're buying some level

[00:47:27] of service whatever that they're buying but that that translation that making of the business case

[00:47:34] to non-technical decisions absolutely absolutely right that is where a lot of this falls down

[00:47:40] and then I also feel that the industry itself has hurt itself because there's so many companies

[00:47:48] and one-trick ponies out there that just make these over promises like they're like buy this box

[00:47:54] and you will have security right and you know like all the hacker friends of ours are like oh

[00:48:00] love kit let's see that box we'll say we'll bring that box up at the next BSides and we'll blow

[00:48:06] that thing up right you know it's like no it's not gonna work that like yeah like that but

[00:48:12] but the over promising has hurt but really the the the challenge of breaking down the technical aspects

[00:48:21] like all these merg raise will be oh we'll be able to detect this and they're still sitting

[00:48:25] there going why do we need it's expensive right like what language are you speaking again like

[00:48:32] because it's like measuring risk and being able to talk about it as without it right your risk is

[00:48:42] is very high right and there's a lot of standards out there that could help guide that

[00:48:47] having that business impact conversations really I think one thing that really changed my perspective

[00:48:52] because it was from a friend of mine his name's Adam Anderson and he said be Yoda not Luke

[00:48:59] because I used to be Luke I'm like the hero I have to say no because on my watch if I say yes

[00:49:05] then it something happens it's on me versus be Yoda and you're just there hey in my opinion

[00:49:12] I highly recommend you do this because the risk is this and this is what's gonna happen if we

[00:49:19] don't do it here's what it's gonna cost to fix it right and you're you're advising you're giving

[00:49:24] then the this is a business decision exactly versus a year just there to stop

[00:49:31] the everything because sure it's gonna not work and you know it's gonna reduce the risk but it's

[00:49:37] also not gonna work or not the way they think it's gonna work so be advising be a Yoda right give them

[00:49:43] the that's a great analogy yeah that that that really is because should they're come a day

[00:49:50] and everybody will experience it right one one when a breach gets through and and there's some

[00:49:56] damage hopefully it's not massive right but it's just some level of damage then there's gonna be

[00:50:01] an inspection about like well did you recognize the risk yeah we did we recognize the risk and we

[00:50:08] we brought it up to leadership and we explained it and they made the decision for whatever reason not to

[00:50:14] right right but at least you explain pros and cons and then leadership is there and they're still

[00:50:19] able to say well yeah at the time we didn't feel that was necessary because we figured it was a

[00:50:24] manageable risk and they're still fine and and both sides still are will survive that the brand

[00:50:31] will still survive after that right it's when there's no thought behind it or or or they don't

[00:50:39] explain it well enough right right don't get it done when they really needed it and then

[00:50:46] and then there's finger pointing and suddenly yeah that's what you want to avoid

[00:50:50] yeah for sure and just be beware of the tech speak for sure you know that's what yeah especially if

[00:50:55] you come up the tech tree and you're just they're just glazing over there don't know what you're saying

[00:51:02] so you need somebody to help you be able to craft it in a way that they understand and they's in

[00:51:08] their language that's what I do every day my day job like my day job is yeah like sitting in the

[00:51:14] meetings hearing all the technical speak going okay now what does that mean in English translate

[00:51:20] and then having to translate that into impact right it's a matter of risk it's this and then just

[00:51:26] hopefully just evolving organizations over time right right like whatever is happy I mean let's

[00:51:34] talk about AI real quick like how has AI impacted what you're seeing yet or has it not yet like

[00:51:42] generative AI yeah there's always been machine learning right and I'm not talking about

[00:51:47] every product now says like everything like gym shoes are like made with AI and like how is that

[00:51:54] possible so it's interesting you know definitely keeping tabs on it and I send Chris Hadnagy

[00:52:01] messages email or slack messages when I see hey this new social engineering attack use the AI

[00:52:07] and those kind of things I definitely keep tabs on it I do think we're going to see more of it

[00:52:13] it's it really is the way I describe it's like AI versus AI right how good is our AI exactly

[00:52:20] detecting those things versus somebody using AI to create those especially social engineering attacks

[00:52:26] and it's gonna be an arms race and it's gonna be who has a better AI one of the red flags whenever

[00:52:32] you would train people on how to spot a phishing email right it was like well might be broken

[00:52:37] English there might be you know misspellings or my my my look odd or whatever all that's gone yeah

[00:52:46] all that's good yep yep for sure so I think it's just an awareness thing and really communicating

[00:52:53] hey these are going to get better and they are gonna they're if they're not already which they are

[00:52:58] um how does our tools deal with those attacks does it detect it does it miss it because it

[00:53:04] looks so good and it's you know using AI to help it look that way yeah so you just got to keep up

[00:53:09] with it it's the genie's out of the bottle right you just got to deal with it and grow with it

[00:53:15] how does how does you know you don't need to tell me about Clemson but but in general on higher

[00:53:21] how are you guys handling the use of generative AI just as an institution like I'm like I'm sure

[00:53:28] there's like students that are using it and like professors probably have some software yeah

[00:53:33] that that like we'll detect it and and then they're arguing why I really wrote it like well the

[00:53:38] software is still going right yeah all that but are you seeing it in any other facets

[00:53:44] I'm just curious like we're all AI has been yeah implemented in higher ed they you know

[00:53:49] well you've got researchers that are looking to research AI they want to do research in AI

[00:53:55] right um but a lot of universities what they're doing when not a lot a few I have seen is they

[00:54:00] are getting their own version of like ChatGPT you know it's like X University's own

[00:54:07] instance so everything's within that bubble right so that way they can share some

[00:54:12] a little bit of confidential information right right you can you give them guidelines and what we're

[00:54:16] doing is we're giving guidelines we're saying hey here's what you know data not to do based off

[00:54:22] of classification here's how to be safe it's education getting the word out there.

[00:54:27] When it first came out like you saw what was it Samsung like the engineers there like put the source

[00:54:34] code right in right in there and because it was fixing bugs yeah it was doing it great the problem

[00:54:39] is is it's out there once you put it in the machine you can't get it back right and so then other

[00:54:45] people were like give me the source code for for the new Samsung product and boom it was spitting

[00:54:50] it out and they're like oh my gosh that's not right I don't know I think it was Samsung

[00:54:56] I don't remember yeah as as as I read but if it wasn't please don't send me hate mail

[00:55:02] okay I'm like it was somebody like just put an asterisk by whatever the point is that

[00:55:08] that did happen with a technology creator so and you can see how that risk could happen

[00:55:16] yeah we're just trying to get that get as far ahead as we can to get the word out to faculty

[00:55:21] and students hey we know this is a thing we know you were going to use it just here's the guidelines

[00:55:28] around it now there's still an issue of detection of people using it for submission grades sure

[00:55:35] that's going to be our race too yeah that that that I mean that's just I mean that's like

[00:55:42] I mean it's like the old days where people would like have it on the inside of their bottles right

[00:55:47] they would like have the test there I might love to bring a water bottle in okay good and then you're

[00:55:52] like right can I look at your water bottle I mean it's just an arms race that arms race will always

[00:55:57] go on so long as there is testing absolutely take away testing we won't have that problem

[00:56:03] so that's that's fantastic hey John Pleasure speaking with you today absolutely fantastic what's

[00:56:10] on the horizon for you coming up we're going to be speaking at any BSides are you going to black

[00:56:16] hat what's what what's on your horizon yeah for me I'm thinking about the Wild West Hacking Fest trying

[00:56:22] to get out there this year haven't been haven't been yet so I'm excited to go may try to put in

[00:56:28] to first speaking slot if I can get around to it get to it oh people would love to hear from

[00:56:33] yeah and my my cohort Steve and I just recorded our first cybersecurity mentors podcasts

[00:56:40] that's great that's around mentorship and lessons we've learned doing this with students and others

[00:56:46] and trying to get the word out there not just for people that are looking to get into cybersecurity but

[00:56:50] also encourage more folks to volunteer and to be mentors absolutely absolutely well that's

[00:56:57] great well we're excited well as that podcast keep keep going um we're we're happy to help you

[00:57:04] guys promote it like that's fantastic thank you David love man that's great well John Hoyt thank

[00:57:11] you very much good luck with Clemson we will this won't be the last time we talk I just talked

[00:57:16] to Chris Hadnagy earlier today so like I'm sure we were going to be bouncing around the same circles

[00:57:21] for awesome yeah keep up the great work man what you've done is just absolutely outstanding and I

[00:57:28] love I'm I'm gonna as soon as you get that podcast going I'm definitely gonna give it a listen and

[00:57:33] spread the word so yeah thank you thank you for having me now absolutely welcome thank you so much

[00:57:39] yes sir

[00:57:48] well that wraps this up thanks for joining everybody hope you got value out of digging deeper behind

[00:57:52] the scenes of security and cybercrime today please don't forget to help keep this going by

[00:57:57] subscribing free to our youtube channel at cybercrime junkies podcast and download and enjoy all

[00:58:04] of our past episodes on apple and spotify podcast so we can continue to bring you more of what matters

[00:58:12] this is cybercrime junkies and we thank you for joining us
