
Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Deaf Relay Scam Unveiled: Tim Krabeck’s Cybersecurity Journey from Help Desk to FBI Partnership
In this episode, we dive deep into the human element of cybersecurity, exploring how personal experiences inform our understanding of threats and defenses. Tim Krabeck shares his journey from help desk IT to becoming a cybersecurity expert, emphasizing the importance of communication, collaboration, and continuous education in the fight against cyber threats.
• Tim's entry into cybersecurity through a phishing scam
• Importance of personal stories in understanding cybersecurity
• Role of red and blue teams in security practices
• Discussing the MITRE ATT&CK framework
• The significance of system hardening and user experience
• Dual-edged nature of AI in cybersecurity
• Need for ongoing phishing simulations and training
• Cultivating a culture of security awareness across teams
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
Joshua Crumbaugh: Hello and welcome to another episode of Phishing for Answers. Today I'm here with Tim Krabeck, Chief Troublemaker, as I hear it, and anyway he's going to talk to us today about all things cybersecurity, particularly the human element in it. But let's start by learning a little bit more about Tim. So, Tim, how'd you get into cybersecurity in the first place?
Tim Krabec: Years ago, probably around the turn of the century, 2000.
Joshua Crumbaugh: I like how you word that, man. I'm feeling old now.
Tim Krabec: Yeah, it just popped in my head. I'm like, man, that would make me feel old.
Joshua Crumbaugh: No, I'm going to have to go buy a plot.
Tim Krabec: I got a lot of experience. I was doing help desk for a local government organization. I kept running into the same problems over and over again and I was looking for answers on that. I came across ITIL, which looked pretty cool, but I just couldn't get through the reading of the material back in those days because it was just so dry and you didn't have ChatGPT to help you.
Tim Krabec: Yeah, I didn't have ChatGPT, I didn't even have chat anything back in those days to help me with that. But another local businessman I was hanging out with and talking to was like, oh, I'm involved in this ISSA thing and we've got a meeting up here north of where we are by about a half hour at the community college. You really should come out and meet these guys. I think you'll really enjoy it. And then we got out there, met one of the local FBI reps, had a really good time with the meeting. Coincidentally enough, about a month later I get a phone call from the deaf relay service, for those of you who aren't familiar with what that is. Way before we had smartphones, we only had the dumb regular phones. You know, even cell phones were dumb those days and you couldn't effectively text quickly and have good conversations. So the people who used the deaf relay service, they had a video phone at their house. They would call the service for free. The translator there would take the, you know, sign language call, act as an interpreter for you and whoever you were talking to, and you would have a conversation. I was also running my own computer business at the time and the person said, hey, you know, I'm deaf and whatever else. And I go, oh cool, you know, my neighbors who do deaf translation in schools and stuff finally turned somebody on because they know computers and stuff, and I was like, okay, we'll get to talking on this. They didn't mention anybody I knew. They didn't mention anybody locally. They didn't mention any of that. I'm like, okay, this is kind of weird, but they're looking at buying a couple laptops, pretty decent specs and stuff. So I get the stuff up, I send the email over and then I'm like, yeah, I'll give you guys... Yeah, I'm driving home right now. I'll give you a call back in about 15, 20 minutes or answer your email, whatever, and we'll get back to you. I get off the phone with them. Five minutes later I get a phone call. I didn't get the email. That's weird.
Tim Krabec: I went through the story again. I'll be home in about 10 minutes, I'll work up the quote and send it to you. And then all of a sudden things started clicking in my head. They're on a deaf relay service. They didn't mention anybody I know. They're looking to buy five laptops. They're not in the state. I'm not advertising my company out of the local area. They didn't mention knowing anybody in the area.
Tim Krabec: I'm like, let me call that FBI agent I just met a couple weeks ago. Give him a call. He goes, oh man, that sounds definitely like a scam. You go run it through the computer because there's nothing in here. I'm like, okay, no big deal, I'll just follow it through and see where things go. So I worked up a quick quote, sent it over there.
Tim Krabec: Um, they're sending stuff back, this all via Yahoo, you know, and scam, you know, scams a lot at yahoo.com or something, you know, not quite businessy or whatever. And we're going through it. I'm like, it still feels like a scam. So I'm still talking to the FBI agents. Okay, we'll work something out. And they came up and met me and we went through the whole process of becoming an informant for that situation and everything else. And then, you know, they had the Super Bowl nearby. So they dropped all of their people from everything non-Super Bowl, did the Super Bowl stuff. The emails kind of went away from the scammer. And then I reached out afterwards. I said, hey, I've had a lot of stuff going on. Do you still want these laptops? Like, yeah, yeah, we do. We've had a bunch of stuff going on too. I'm okay. And then they're like, do you mind if we send you the credit cards?
Tim Krabec: I'm like, sure, great, no problem. I get five different credit cards, five different names, right? Five different names. Fed those to the FBI guy and he's like, yeah, three of these come up... You know, three or four of them came up, as you know, flagged for stolen. The fourth one was so fresh that people were on vacation and didn't even know it, so they were working all that stuff there. So we created some fake... So we got the... You know, I told them I ordered them. I asked them what address they wanted stuff shipped to, with the FBI. We gave them a tracking number and an address and they went up there and, you know, or they went up and surveyed the area and they found the building they were looking for, but the room or the address didn't exist on that street. So none of that really happened and we didn't really buy anything.
Tim Krabec: So we just kind of wrapped it up, fed them all the information, we went on with our lives. Probably six to nine months later we log onto Tech Data, a large site for resellers and buyers at the time, and they've got a banner at the top of their page: "If you get a call like Tim just talked about, and this is the information, do not sell them anything, do not take the credit card, do not ship anything, don't do that." And then they went through that. But I had missed a part of my story earlier where the FBI is like, yeah, it's definitely a scam, talk to the attorney general, and they don't want to touch it because it's not enough money. It was only like 25 grand or something like that.
Joshua Crumbaugh: And they couldn't commit the resources at the time.
Tim Krabec: They couldn't commit the resources at the time. I'm like, okay, no big deal, I'm smart enough to figure this out and whatever. So I just kind of put it out of my head. And then the Tech Data thing hit. And then the guy reached out to me. He goes, dude, this has blown up. The agency out of DC has taken over this. He goes, you're still the only person who's got the full conversation, beginning to end, on all of this and the MO. Do you mind if those guys reach out and get some more information? Yeah, no problem, you need me to testify or whatever. Nothing ever really came of it, but I think they got the stuff shut down they needed to. But that was my first thing in the scam and I was just like, wow, this cyber thing's pretty cool. So from there I just started digging more into cyber. What's going on?
Joshua Crumbaugh: That's awesome. Honestly, that's a fairly common story, not as common as "I joined the military and they told me I was going to learn cyber." But no, I mean, that's a very common path. That was sort of mine. I mean, I definitely had a scam that I was involved in that helped open my eyes. But I think for me the real turning point was, well, when I learned that ethical hacking was a thing, I was like, oh, I want to do this. So I did it, and I know that probably is oversimplifying it, like it's really that easy. But I mean, you put your mind to it, you can do anything you want.
Tim Krabec: And it is. That is, I mean, from the standpoint of it, back in our day, when we started out we had WarGames and a couple other really cool hacking movies. You're like, oh, I can act like that and not get arrested and go to jail because of, uh, CFAA, man, this is pretty cool. And then all of a sudden, like, HD Moore releases Metasploit. And you're like, oh my God, I can use this tool. Yeah, no, Metasploit.
Joshua Crumbaugh: Uh, I don't think most people, unless they've actually spent time with a hacker, truly understand what Metasploit can do. Like, I even disagree with the categorization, and in Kali I think it's still under exploitation frameworks, and there's so much more that it does beyond exploitation, like the scanning, the discovery, the post-exploitation. I mean, if for no other reason, I would keep Metasploit around just for post-exploitation.
Tim Krabec: So, yeah, for me, I've been, you know, solidly blue team all of my career. So from my standpoint I don't really get to go out and hack and do a lot of that stuff, but I get a lot of proof-of-concept stuff. So I still learn as much as I can about the red team tools and everything else. And then a couple of years ago one of our system engineers was like, we've got a vulnerable form on one of our websites and it looks like you can send emails as anybody in the company, and, you know, he's on the system copying the file, editing it. That way I think I can... You know, he spent a couple hours on it before he got to me. And then he goes, yeah, I think we can do this. He's editing on the system to work it, and I'm thinking, okay, so what tool lets me intercept the form that I'm filling out and going to the web and doing that? I'm like, oh yeah, it's that one from OWASP. I found ZAP, and there was another one as well.
Joshua Crumbaugh: Oh, that's so much better. I'm sorry, you're still using ZAP? You've got to switch to...
Tim Krabec: Burp. This was like five or six years ago. I didn't remember it even came out five or six years ago.
Joshua Crumbaugh: You've got to switch to Burp. You need to go back in time and tell your...
Tim Krabec: It might've been Burp or ZAP, the tool. It didn't matter for what I was doing, because I basically found the form, I filled it out and I paused it. I go look in there and there it is: send-as email address from the form. Like, ooh. So I put my boss's email in. I tell him that he's approved me for a raise or whatever. No, I sent an email to my boss from his boss telling him he's fired. He comes on the way off, he goes, you got it? Go. Yep, he goes, all right. They sent an email to the guy who is in charge of the site from himself, sent to the guy who was working on it from the system. That way, and to their credit, I think in about two or three days we had that form secured and everything else. But from my standpoint, I love knowing about the red team tools so we can go through and do the scans and figure stuff out and then, when I've got the opportunity, I can dig into something really nice and deep and prove the, uh... he's done.
Joshua Crumbaugh: I think, as blue team, it's helpful to know the tactics. What tools are they using? How are they moving around? How are they escalating their privileges? How are they getting in? So I mean, I imagine the more of that you know, the better. What do you think about the MITRE ATT&CK framework? So they've, uh, they've separated out, like, your office frameworks and your email providers into their own, uh, matrix now. Um, I mean, what do you think about that? Does it deserve its own matrix or should it still be part of the primary?
Tim Krabec: I think it does. But I think we need, like they always say on TV shows, enhance, enhance. You need the 30,000-foot view that says here's what we're hacking, here's your network. And you go through and you see that it goes, oh, this attacker is going to come through with email and then they're going to do this. And then they do that and go home. How do they do email? Hands on the email, and it says, okay, MITRE ATT&CK, email. Here's the things they use. Here's how they exploit the back-end systems over there.
Tim Krabec: Well, I don't, I can't control our email, because that's those email guys over there and they never talk to me. You know, the system guys, you know, they don't give us the time of day because they're just handling email, which is way too important. You can say, okay, well, so they got through the email. How do they hack my system? You go through the system portion of it. You look at it there. Oh, here's the frameworks. Oh, yeah, we could patch this stuff over here, put a couple things in here and then we're good. Well, maybe you back out and you're the guy on the help desk, or you're only in charge of desktop. You know, those email guys don't talk to me. Those network and system guys don't talk to me, but I can blow up on this portion here and see what I can affect on the desktop, and I think it's really important.
Tim Krabec: If you've got that 30,000-foot view, you can go to your boss and say, hey, this is how we got hacked. Here's the path, from the email to this to this. You can blow into all those when they go, well, how did they do it with the email? Oh, we're using the old system that we've been trying to get upgraded for years. Oh, well, we've got to get that done now. Well, they made it past there.
Tim Krabec: Well, that system's like $5 million to upgrade. We can't possibly afford that. Then you go to the next system. They look at that there. Oh, it's only 3 million to upgrade this here. And then you go over here and it's like, you know, half a million dollars, and spend the half a million here and then you've got more budget to spend on other stuff. But if you can see the overall big picture and then zoom into the portions that need be, it makes it really good. But you know what, if you looked at the MITRE email side, it was a simple setting that is going to end up cutting 90% of your spam anyways, as well as lock down your network and block that path in. That would be way more effective.
Joshua Crumbaugh: Well, I think that you bring something up that's incredibly critical, and that is just system hardening. And I don't care if it's your cloud systems, if it's a desktop, if it's a server, if it's a web server, a database server, it doesn't matter, they all need to be hardened. There's guidelines for absolutely anything you can imagine. There are step-by-step guides on how to harden, and if you really want to break things...
Tim Krabec: There are STIGs.
Joshua Crumbaugh: Yeah, yeah, and it's as simple as enabling these things, monitoring for it inside of your network. And I really can't emphasize enough. Like, I continuously, as an ethical hacker, even now, I still get to, you know, be involved in some of them. I'm more of the, you know, on the outside, because I have to manage and run the business, but when we're doing pen tests I'll pop into that server every once in a while. But I still often see those same issues where we're not doing the basics, we're not hardening, we're buying tools but we're not hardening the systems. And what it means is that for, you know, a hacker, it's easy. Like, we had a network recently, it was a fun one, to say the least, where we had the test run.
Joshua Crumbaugh: It was running SMB relay, and the goal with SMB relay is to intercept and relay a domain admin credential. Well, so when he would run an nslookup anywhere on the network for the domain controller, for whatever reason, and we never did figure this out why, it would transfer the domain admin credentials, uh, and relay them over the network, and so it took like a second and he's domain admin. And then he's looking at some other broadcast traffic and there's different domain admin credentials in plain text. So those hardening things, they make a really big difference. And I think that's also part of the human element, is how do we make sure that our IT professionals that are managing these configurations day in, day out and setting up these systems, how do we make sure that they know and are equipped with the knowledge they need to avoid the common mistakes?
Tim Krabec: Yeah, some of that is purple teaming, even if it's just an internal, low-level purple team. You've got that one guy who on the weekends goes out, and maybe there's a couple of web-based, you know, CTFs, or, you know, you get a couple of people who go out and listen to the hacking podcasts and stuff. If you can step back three months before you've got a pen test and say, hey, we really want to get value out of this pen test, let's run a couple of tools we think they're going to run against our network and lock down the obvious stuff, so that when they come in, you know, they're going to have to work to get it, and when we do a retest, we're going to be in a really good situation.
Tim Krabec: If you've got a good team and a good group of people, great, you can run that across everything. You can harden the network, you can harden systems, you can harden everything else. And if you've got a, you know, competitive streak, it can be like, hey, boss, we ran these red team tools that the pen testers are going to use. We're not going to come up with as many findings as those other guys are. You know, maybe we want to, because we'll get more budget, maybe we don't, because you want to show your back-to-back.
Joshua Crumbaugh: Well, we need to strike that from the record.
Tim Krabec: No, you know how it goes. You know, oh, a tight year this year. You know, we've got to start cutting your stuff over here and spending money on advertising and stuff like that so we can get more business in. And then they see that the advertising is working well, so they're getting, you know, we'll say they're getting 10x on every dollar they're spending in advertising, so they can spend more money in advertising to get that 10x. And then, forgetting, you've been cut by a decent chunk over here and they spent it over there with the promise of giving it back.
Tim Krabec: Now they're seeing, every time we spend over here we're getting 10x, and now they're dwindling over here, and, you know, sometimes you need the consultant to come in and say, hey, your team knows what's going on, they really need the budget to get this done. Yeah, you know, in that case, you don't want to pre-patch things.
Joshua Crumbaugh: I think that's one of those situations. I mean, it actually comes up a lot where CISOs and CIOs that come on this program will talk about how we're not in the business of cybersecurity. We're in the business, uh, to make money, and we have to understand the core mission of the business in order to be effective. And so I see a lot more of that sort of, we got to be out of the way and help facilitate business in a more secure way, than what it used to be, where it was, you know, this silo that is, hey, we're going to throw all these controls on and you'll just deal with it. And I like it, because I like seeing the industry move in a direction where your good users don't see security. Your bad users see it everywhere. I think that's a better way of doing it, where you can lighten the controls in some places, but tighten them where they need.
Tim Krabec: I think it's Andy Ellis who's got a really good philosophy around this. He's got, you know, ideally you want to build the road. Where you can't build the road, you want to put guardrails in place. And then they talk about, you know, why are there big brakes on race cars? Not because they go slower, it's so they can go faster. And when you're about to hit something, you hit the brakes, you make your adjustments and you floor it in. And that's where security needs to be. It's not that we're not seen, it's that we're right here. When you need us, we hop in, we help out. We're out of the way of the business when we can go 200 miles an hour, but when you need to go from 200 to 50, we're right there. We slow you down, right. We give you the tools and stability so that you can make the turn or the pivot and then you can accelerate again and work back off the side.
Joshua Crumbaugh: I like that analogy. I actually haven't heard that one before, but it's great. I mean, and it's true, we are the brakes for the organization. So let's jump into artificial intelligence. So AI is taking over the world, we all know it, but it brings a lot of threats for users. So let's just start with, what are you concerned about when it comes to the end user, any user, it doesn't matter what their role? What are you concerned about in terms of AI?
Tim Krabec: I'm concerned about a couple of things. One, that businesses aren't using it. It's not a panacea and it's not the answer to everything, but it's a force multiplier.
Joshua Crumbaugh: Oh, absolutely. I mean, I'm able to get at least 300% more work done in the average day thanks to AI nowadays.
Tim Krabec: Anytime I sit down to start a new project, I'll go to Gemini or ChatGPT or anything and say, hey, you're a cybersecurity expert, we're working on hardening this type of system here. Give me 20 things, 10 things to look at when I'm hardening this. Now I've got a block of 20 things to look through. I can now, instead of brainstorming on that, read through them, and I'm going to immediately go, oh, on my Linux web server, why would I need to harden, you know, my AD? It's completely agnostic to that, so I'll cross it off.
Tim Krabec: Maybe we're running IIS and this? Ooh, that's right. Do we need to have this connected to AD in the background through some way, shape or form to allow the authenticated user to come in? Do we need to drop back and think about, are we going to give them a separate environment for that? The trust relation, you know, one-way trust relationship, so my internal credentials can go through this external system to get permissions from there, but it can't come back in. So it gives you a lot of thought around that. Anytime I'm writing a policy or coming up with something new, I'm going to go there and say, write me an email that says this, and then I'm going to go through and edit it. And what I like is they're multimodal, you can talk to them now.
Joshua Crumbaugh: You don't have to type everything. So that's much quicker. At least for me, I find it's quicker. I'm a fast typer, but I'm a quicker speaker, I guess.
Tim Krabec: And what I like too is if I sit down and say, give me 10 things on this with subcategories, and it misunderstands what I want, I can go back and say, oh, on each of those 10 things, give me five subcategories. Boom, it regenerates.
Joshua Crumbaugh: For me, oh no, I think that AI will change our lives in ways we still have yet to understand. I think one of the cool things that we're going to see near term from AI are, like, these Hollywood hits from around the world, so not Hollywood, but you know what I mean, these big movies from France or Japan or China.
Joshua Crumbaugh: I see them redubbing them and going global with every hit from around the world. So if you're a big movie buff, you're going to have a lot of new movies, I would imagine, in the near future.
Tim Krabec: Yeah, I think, you know, my youngest is still at school and they're not using AI in class. My one daughter's in college. There's some that are blocking it.
Joshua Crumbaugh: They don't let them use AI, and it's ridiculous, because they're going to use AI in their jobs when they graduate.
Tim Krabec: But not only that. You're in a perfect situation to say, when you're working on your essay to turn in, I want you to prompt AI and tell it to give you a summary of what happened in the story. Look over it. Does it make sense? Did you actually read the story? And I'd love to see schools have poisoned AIs. So let's say we read Romeo and Juliet and we're doing our class assignment on that, but, you know, you read it. I didn't. I'm lazy, I'm just going to go AI.
Tim Krabec: Go AI and say, hey, give me a summary of what happened in there, and they're gonna have the wrong characters doing the wrong thing because it's a poisoned AI. And the whole point there is to show the data isn't 100% reliable. You need to understand what's going on, and it'll still give you a good outline. And you go, oh, that's this character, not that character, just walking back around. Now you've got a good, you know, outline going, and then you can take that and move forward with it. But for them to say don't use it is incredibly stupid. Don't use it to write it. Use it to help you write. Have it write a rough draft for you. Go through, revise it.
Joshua Crumbaugh: I think it shouldn't matter if they use it. AI is here. It's not going anywhere. It's going to be here, so we've got to learn to live with it. And it starts with academia. Well, it should. It definitely...
Tim Krabec: It definitely doesn't start with academia. Well, it did start with, but that was just those computer science guys. We can't trust them for English.
Joshua Crumbaugh: But I mean, I guess where I look at it is that we have to be leading, and that means let your students use AI, because it's the new world, and, instead of penalizing them, teach them how to build agents and, you know, do some simple pipeline automation type things.
Joshua Crumbaugh: With AI it's not that difficult, and now, all of a sudden, you can do things that you couldn't do just a couple of years ago. Heck, I took this podcast and wrote software to have it edit it down into short-form video, and it uses large language models to find the clips. Yeah.
Tim Krabec: NotebookLM is pretty cool for stuff like that. It takes white papers or whatever and creates a podcast for you to listen to, an interactive podcast.
Joshua Crumbaugh: Now have you seen it?
Tim Krabec: No, you can raise your hand and talk to them.
Joshua Crumbaugh: Oh, that's awesome. Yeah, you know, I may have to bring him on. I've actually been thinking about putting an AI character in the podcast, uh, just having a third person that just hangs out, but it's not a real person. Nice, might be fun. Um, okay, so some of the things that are heavily debated, I really like to ask everybody. Well, let's get it to the right spot on the screen here, but if you only had one when dealing with users, would you choose the carrot or would you choose the stick? I only go with that.
Tim Krabec: Ideally I want both, but in this case here I'm going to say carrot. And in our discussion beforehand, you know, we talked about some phishing, and I want the hard-hitting phishing. Or you're taking whatever teams internally, you need to validate a fake domain to simulate your controls failing and deliver the perfect phish to the right person in your office to have a problem. But I don't want to see it as punitive. I want to see it as, okay, we've sent Josh the perfect phish from a company they've been dealing with. Get a contract going. Or maybe you're purchasing another company because PhishFirewall is doing so well. You found a Bible that you can bring in and add some really cool technology.
Tim Krabec: I don't want to phish you in that process and take the money from you, but what I want is, when you're going through and following your process and following your SOP and doing everything you're supposed to do, you know, if you still got that nagging result, go to somebody and say, hey, this just doesn't feel right, you know. Or, oh, I successfully got your money, Josh. You're like, oh man, how'd you do that? Well, here, here, here, you look at it and go... And you can look at it and go, oh my gosh, our SOP failed here, our SOP failed here and SOP failed here. So the carrot for you is, when you go back and do the post-mortem on that, you find where the SOP failed and you can get credit for fixing things. Not necessarily like, oh, you just lost us $10 million. It's like, we followed the SOP that you created, not me. You created my SOP. I followed your SOP and your process and it still failed. You're blaming me? No, no, no, we figured that out.
Joshua Crumbaugh: I think that at least once a year you should absolutely be running simulations, uh, simulations like that, if you will. I see that more as a tabletop, where we're going to run the simulation, see how the processes work and see where they fall apart. Um, but I don't know. To me, I really see phishing, for the most part, as a tool to embed instincts into the user. So I want the user to have that think-before-you-click reaction that's at the same level as look both ways before you cross the street, right? And so I find, and my philosophy is, that we phish to embed human virus definitions.
Joshua Crumbaugh: I send you a phish and it's, hey, Tim, I need you to send this money right now, or your account's going to be closed and your whole company is going to go out of business, whatever, I don't know. That's a terrible pretext. But I send you this phish and I use urgency. And whether you click on it or not, if I'm able to get you to look at it and able to get you to understand how they use urgency against you, you now become that much more resilient against any sort of social engineering attack that uses urgency. So I see it as more of, we run simulations to plant human virus definitions, and we do it frequently to make sure that they stay updated. Yeah.
Tim Krabec: Yeah, I've not thought of it that way, but I've always thought about it as, if you're going to phish somebody and phish them hard, you better be testing. If you're going to phish somebody and phish them hard...
Joshua Crumbaugh:I want that t-shirt for DEF CON next year. I like it. Print them up.
Tim Krabec:Use them, take it, make it for your company. Just send me one, I may have to, I may have to.
Joshua Crumbaugh:If you're going to fish somebody, fish them hard.
Tim Krabec:But you're not just testing. Usually you're testing the adherence to the process internally.
Joshua Crumbaugh:Yeah, process internally.
Tim Krabec:Yeah. Speaking about that, probably about nine years ago, we've been doing some, you know, internal security method. You know, 15, 20 or half-hour things in the office. Hey, you know, we're InfoSec. We're new here. This is what's going on. Tell people, if you get something suspicious, I've gone through all the indicators. Tell people, if you get something suspicious, send it to me. Me, I'd rather you guys send me a hundred things that I send back. You know, don't worry about it, it's nothing. Than have that one thing get through and I'm going to spend more than 100, you know, 100 hours dealing with that one thing. So that, to me, is one of the most critical metrics around security awareness.
Joshua Crumbaugh:I see a lot of emphasis focused on, like, phish click rates and stuff like that, but to me, the number that I care the most about is, what is my report rate? Want to see at least nine of those reported back to me and, or, ideally, all 10 of them reported back to me, but that might be a tall ask. But you know, to me that is the most telling number of your culture. If I want to measure how security aware my culture is, well, how well do they do at following procedure and reporting things?
Joshua Crumbaugh:And you know, we can't test everything, but what I find is, in cybersecurity, yeah, there's certain things we can't test, there's other things we can, and a lot of times they link together enough that being able to test that one thing gives you a really good idea of the things you can't test. Like, for example, voice phishing. Sure, I can do a penetration test and try and, you know, call up and get in, but it's typically done against one or two individuals in a large enterprise. It doesn't scale, uh, so you use phishing to help get those same things across, if that makes sense. Yep, um, so Andy Ellis has got a really good thing on that.
Tim Krabec:When he was at Akamai they were talking about, they had an internal ecosystem, an internal, like, antivirus system in the org. So if you got a phish message, say it was all to managers, you'd hop on the manager internal list and say, hey guys, I just got a phish about this, be on the lookout for that. You know, if you got a phone, if I got a phone call, it was someone looking for Josh, I would hop on the system to the, um, to the admins, and cc Josh in there and say, hey, some guy's calling in. This is the name, this is the info I've got. They're looking for Josh's cell phone number. You could look at it and go, oh God, I totally forgot, Joe doesn't have my information.
Tim Krabec:If the next person gets it from Joe with this information, please give it to him. I want to talk to him, or give me his number. That's very good internally. You've got an internal, um, immune system against this stuff. You've got good networks. You've got good people talking and sharing. I may catch this phish. You're going to catch the next phish. That guy over there is brilliant at what they do and they're never going to catch any phishes. If we can help him out with that, he's going to help us.
Tim Krabec:I like the way you worded that. He must be a developer. Must be a developer, DBA, DBA.
Joshua Crumbaugh:Oh, okay, now we're going to have some people mad at us. I love it.
Tim Krabec:I've got a DBA developer at work. He's an amazingly good guy. I love picking on him about everything. I will pick on him to his face and be like, yeah, that's true, but you know, it's just fun to have people back and forth with that at the office. But back to my school.
Joshua Crumbaugh:Oh, I agree, that's our office culture. I couldn't imagine if we got somebody that couldn't take a joke because, like we're all just, we will give people a difficult time. Emergency alert LOL, probably, I don't know. I don't. We got a comment.
Tim Krabec:I'm not sure I caught it. Yeah, I don't know what it is either.
Joshua Crumbaugh:Ken, what do you mean, Ken?
Tim Krabec:Go ahead. Let me get back to my story real quick. So we went through the training and told people, hey, if you get an email, let us know, we'll take a look at it, no problems whatsoever. I'd rather do that. One of our people had sent me an email and said, hey, I got this email. Look at the email. It's from a .gov. Could be spoofed, back before DKIM and SPF. And it says fill out this form, give us literally all of your personal information and we're going to set you up for some presidential award that I've never heard about, from a branch of government or sub-branch of government that I've never heard about. So they sent it to me and the reward was here. The risk was way up here.
Tim Krabec:So I go, okay, dig into it. Find out if that branch of government exists. It does. Dig into it. Find their number on the legit .gov website. Validate the domain's correct. It's been around forever. The IP hasn't changed. Do all of that. Find the phone number on the website, call the office, get routed to that person's desk, ask them the question. Like, oh yeah, we sent that to your person. So do you realize? Sense of urgency, don't talk to anybody, give us all of your personal information is the hallmark of phishing. Like, this screams I am a scam. It should have been like from "I am a scam" .gov, that was just how perfect this email was.
Joshua Crumbaugh:But we've got one of our phishing domains as "do not click" .us, and people still click.
Tim Krabec:So I did all that research. I went back to the person. I said hey, this is legitimate. Talk to the person, the government agency, this is legitimate. I'm not going to tell you to fill it out and send all your information via email. I would recommend you don't do it. They do have a fax going in. If you're going to do it, I would do it that way.
Tim Krabec:So they filled out the information for some sort of presidential award. They ended up being one of the winners. So they got a recipient of some funding for their lab. They got a trip to DC. They met President Obama, who had also just been meeting with Jeff Bezos, and Jeff Bezos came in the room and talked to everybody there. So for her it was a huge win. But I could very easily imagine she just clicked and filled that out and it would have been a scam. But I use that to say, if you get these, send it to us. We'll do the research, we'll look it up and we'll tell you, yeah, this is probably good or it's probably bad. The advice I would give there is, 99.9999 percent of the time,
Tim Krabec:that's malicious. Yeah, but that's why I say send it to us. I would rather have a thousand bad ones, sort through them, give this person, hey, this one's probably good. Please take a look at it. We've got the expertise, we've got the understanding in these fields. Where the people in our organization have understanding in sales that we don't have, they have understanding in marketing. In my org they've got understanding in many different types of sciences that I don't have any clue into. But you have your expertise, we have ours. Let's work together.
Joshua Crumbaugh:Agreed. I think that's really the right attitude in our industry as well. Well, we're running very low on time here. Any sort of final tips for any of the listeners out there?
Tim Krabec:If you're in security, try and figure out a way to be ever present with your users but not in the way.
Tim Krabec:A while back someone said information security is like the Secret Service, where the business is the president, and they say, I'm going there, your job is to make it as secure as possible, as quick as possible, to accomplish those goals. Whereas if you're the police, they go over there, they get shot. You go there and go, oh well, it looks like they got shot because of this, that and the other thing. You don't want to be that guy, you don't want to be the Department of No. You want to make things as reasonably secure as quickly as possible and then move on to the next thing. Because every time we go through and knock 10% of the risk off, for however much money, we move that down the line, we circle back to it.
Tim Krabec:Let's say our thing is email. We do email today. We've cut 10% of the risk off of that. We go focus on 10 other things. By the time we circle back to email in a year, the tools are better, they're cheaper, there's better understanding, there's better stuff coming out. So we can now more easily add another 10 or 20% of risk reduction here that, if we'd have done it last year, we'd have gotten 5% for the effort and money. Yeah, you can get a lot more if we look at things and just make incremental changes. Absolutely.
Joshua Crumbaugh:Well, hey, I really appreciate you joining today. For all the listeners, thank you so much. If you're in the South, avoid the snow and stay warm, but thank you for joining us for another episode of Phishing for Answers.