Marshall Heilman (12:05)

Waka Wak.

Dave Buettner (12:16)

Coming up after the break, my conversation with Marshall Heilman from dtech Systems about his experience with a nation state actor attempting to gain employment at his company and OpenAI opens the door for.

Sponsor Representative (12:44)

And now a word from our sponsor, KnowBefore. It's all connected and we're not talking conspiracy theories when it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's security coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and Counting Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more@knowbefore.com SecurityCoach that's knowbefore.com SecurityCoach and we thank KnowBe4 for sponsoring our show.

Dave Buettner (14:16)

And now a message from Black Cloak. What's the easiest way for threat actors to bypass your company's cyber defenses targeting your executives at home? According to the latest Poneman research study, over 42% of CISOs have reported cyber attack on their executives in their personal lives and this becomes your problem because executives are easy targets at home for account takeover, credential theft and reputational harm. Close the at home security gap with Black Cloak's digital executive protection platform award winning 247365 protection for executives and their families learn more at BlackCloak I.O. marshall Heilman is CEO of D Tex Systems. We recently got together to chat about his experience with a nation state actor's attempt to gain employment at his company.

Marshall Heilman (15:20)

So there's really three different aspects of this. From my perspective, what has gotten a lot of attention recently is the fake North Korean IT worker, right? There's been a bunch of articles that have come out of that. We know that it's affecting a large number of companies, especially high technology companies. And so essentially what is happening with these situations that there are North Korean workers getting hired into organizations in IT positions where they have significant access into an organization and then what these IT workers are then able to do is either take data to send back to their home country or in some cases they're able to install software that allows other entities from their home country to gain access to their organization to do whatever damages that they want to do. So that's really the first aspect of the safe worker. The second aspect that we see a lot of as well is where in today's remote world or remote environment, we see some employees going, getting hired at multiple companies. And so while they're not necessarily malicious in nature, what they're doing is not spending a lot of time working at the organization that's paying them because they're having to split their time between three or four jobs. So that's the second category. And the third category that we see are employees who get hired at an organization. Sometimes they'll get hired at 10, 12, 15 organizations and they outsource their job to somebody else in another country. And what you have then is a, you know, a worker that now has access into an organization that the organization has no control over. They don't know who that is, and it's not the person that they believe that they hired. And that is obviously malicious in nature. So from my perspective, those are the three main pillars of this particular issue that we see today.

Dave Buettner (17:00)

Well, and on top of that, I mean, it's my understanding that you and your colleagues there had a run in with this sort of thing yourselves.

Marshall Heilman (17:08)

We did, yes. Interestingly enough is right around the same time as the Know before article that came out that really, you know, launched this into mainstream. But yes, we had an individual who applied for a job and as we're going through the interview process, we spotted some, some discrepancies and ultimately there were enough discrepancies that we decided to shut down the interview process and not move forward with the candidate any further. Some, you know, some, some of the specifics around there that we saw is, you know, for one, what we noticed is that the email address that the individual used did not match the name that he used in a very, let's say, obvious sort of way. And so it was clear that there's something off there. And that could be a mistake, or it could just be someone has a funny email address. But in this particular case, paired with the other things we saw, it was a red flag for us. A second thing that we saw is this particular individual claimed to have used a technology in a certain year, but one of our interviewers correctly recognized that that particular technology had not been released until a couple years afterwards when the person said to use it. So that was obviously, obviously fake.

Dave Buettner (18:13)

Right.

Marshall Heilman (18:14)

The employee or this individual claimed to work at an organization and leverage certain technologies that really didn't make sense for the organization he said he was employed at to have used. So that set off another red flag. And then really, the final flag that we saw before we decided to terminate the interviews was this particular individual is using a geometric background. And as you know, on these calls, you can always see a little bit what's behind the person as they're moving around. And it was pretty obvious that they were in some type of a call center. They definitely were not sitting at a home office. And so when you put those four pieces of information together, what you have as a candidate is probably not who they say they are.

Dave Buettner (18:50)

Wow. Do you have any sense for how widespread this actually is?

Marshall Heilman (18:56)

So I personally, I don't. I know from talking with all the senior level executives that I speak with, it is an ongoing problem at pretty much every company I talk to. I know Amanda in the crowdstrike have done some reporting talking about just how widespread this problem actually is. I believe in the companies that we've spoken to, we've seen a 73% or so increase in the number of conversations around this particular topic at the organizations that we talk to on a regular basis. So I think it's probably more widespread than initially thought.

Dave Buettner (19:27)

Well, what are your recommendations then? I mean, in this world where so many people want to work remotely, how do we enable that but also manage this potential problem?

Marshall Heilman (19:40)

Yeah, and that's a great question. You know, remote work is fantastic. I'm a. I'm a remote worker myself. And so. And so I think, you know, finding the way to get this right is really important. So there's a couple obvious things we can do when it comes to looking at a candidate's resume. As I said, just trying to trying to match their name against their email address against the phone number they give. Like, you know, that's the basic thing. When you're doing a background check, make certain that there's no red flags or come back on the. On the background check. When an individual submits his picture or their picture, I should say, I think it's important to leverage some of the myriad of AI tools out there that exist nowadays to try and detect whether picture was AI generated or modified or not. Those are some things you can do when conducting an interview. I think it's really important to always have the camera on so you always see the person that you're talking to and you can match up who you see against the picture that they're using. It also allows you to see through their background whether they're sitting in an area that seems to be where they say they are or whether they're very obviously in a call center. If companies are comfortable with it, they can ask the individual not to leverage the background so they can see exactly where they are. I think it's important afterwards to look at the IP address that the individual connected from to see if they're on any known watch list. Is it a malicious IP address or is it an IP address? Maybe that is in Texas when the person claimed they're in Maine. And that seems like a very unlikely scenario and something you can ask the candidate to explain. And then once you've made a decision to hire the individual, you can do things like when you ship out the computer to the address to the persons listed, you want to make sure that the address you're shipping the computer to is the same one that they claim they're actually living at. If there's a discrepancy there, you obviously want to investigate why. You can also have, you know, if you have employees in the area where the individual is located, you can have them go and have a quick coffee or meet up with the individual to make certain that they, you know, the person that you are meeting is actually there locally and not in some other country or some other area. And I think to give even, even more detail, in a very logical fashion, we, we at Detects released a blog that we call an insider threat Advisory. And we discuss at each different phase of the process. So pre employment or interview phase, pre employment, early stages of employment, later stage of employment, what you can be looking for to make certain that you as a company don't fall victim to this type of malicious activity.

Dave Buettner (22:00)

You know, it seems to me like this really requires close coordination between the folks on the HR team and the folks in it. I mean, perhaps even earlier in this process than it had previously traditionally demanded.

Marshall Heilman (22:17)

Yeah, absolutely. And I think again, as you correctly pointed out, in today's world where we allow remote work more than we ever have in the past, I think we have to think about how we go about recruit and hire and onboard employees differently than we have in the past. And that does mean close collaboration between HR and IT to make certain that the companies are hiring the people that they believe they're hiring into the organization and that those employees are as productive as they expect and need them to be.

Dave Buettner (22:44)

That's Marshall Heilman from DTEx Systems. You can read more about this incident in a blog post from DTEx will have a link in the show Notes do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000. And finally, it was bound to happen. OpenAI, the company that wowed us all with ChatGPT, is considering, wait for it, Advertising. Yes, folks, the tech darling that made us believe in the magic of AI might just join the dark side of Internet monetization, trading user delight for ad revenue The Financial Times reports that OpenAI's CFO Sarah Fryer confirmed the company is exploring ads as a potential revenue stream. While she insists there are no active plans yet, the writing on the wall is as clear as a programmatic banner ad. They're hiring ad veterans from Google and Meta, and their chief product officer is Instagram's former ad architect. Friar assures us they'll be thoughtful about ads, but isn't that what they all say? This isn't just a cash grab, It's a necessity. OpenAI may be pulling in $4 billion annually, but training cutting edge AI models is an expensive endeavor. They're burning through cash faster than you can say monetization strategy, and with a $5 billion spend forecast. Even their enviable $150 billion valuation needs some heavy lifting. To be fair, ads work wonders for companies like Google. But let's be real, nothing ruins a seamless AI chat like a pop up screaming about discount mattresses. OpenAI claims it'll be careful not to alienate its 250 million weekly users. Let's hope so, because once the ad floodgates open, there's no going back. After all, when has thoughtful advertising ever lived up to the promise? And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@the cyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week you can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwiren2k.com we're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment your people. We make you smarter about your teams while making your team smarter. Learn how@n2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iban. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpie is our publisher, and I'm Dave Vintner. Thanks for listening. We'll see you back here tomorrow. Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row, all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business. The hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place and they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. To make it Official today@legalzoom.com you can use promo code CYBER10 to get 10% off any LegalZoom business information product, excluding subscriptions and renewals that expires at the end of this year. Get everything you need from setup to success@legalzoom.com and use promo code CYBERTEN. That's legalzoom.com and promo code CYBER10. Legalzoom provides access to independent attorneys and self service tools. Legalzoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm LZ Legal Services llc.