Doug Houser:
With Rea & Associates' remote Newark, Ohio studio, this is Unsuitable. A management and financial services podcast for entrepreneurs, tenured business leaders, and others who are ready to look beyond the suit and tie culture for meaningful, measurable results. I'm Doug Houser. On this weekly podcast, thought leaders and business professionals break down complicated and mundane topics, and give you the tips and insight you actually need to grow as a leader, and help your organization thrive. If you haven't already, please hit the subscribe button, so you don't miss future episodes. And if you want access to even more information, show notes, and exclusive content, visit our website at www.areeacpa.com/podcast, and sign up for updates. These days, businesses collect a ton of data. And this data can be used for a variety of purposes, unfortunately, even to commit fraud.
Today's guest is Greg Kelley, an expert in cybersecurity and digital forensics and chief technology officer of Vestige Digital Investigations. Greg is here to take us on a journey behind the scenes of our electronic data infrastructure to tell us what we should be looking out for, in an effort to keep our data and our organizations safe. Welcome to Unsuitable, Greg.
Greg Kelley:
Thank you, Doug.
Doug:
Great to have you here. And this is very timely, so for those that don't know, we are recording this, obviously, remotely. Still in the midst of the COVID-19 crisis. So Greg, talk to me a little bit about how much more paramount data security is during this period of time, when we're all doing, obviously, Zoom meetings and working remotely. Talk to me a little bit about the extra things that are happening in that regard.
Greg:
Yeah, certainly. So in a typical scenario, an organization has their data, their devices, for the most part, for most of the working day, underneath their umbrella, underneath their roof, and in their facility. Now you're talking about 80%, 90% of your workforce working remotely. Now if you have the luxury, they have company laptops and hopefully those laptops are patched and up to date, but quite often not. It's maybe a home device that someone's using to work on. So the issue is that you don't have as much control as you had before. And furthermore, even if you have those patched devices at another location, it's at another location and it's there for a longer period of time. Your attack vector has just increased. It allows the hacker more time and effort to do that, to make the attack.
Doug:
So are hackers more active in trying to get at these remote folks, with what we're all doing now? I mean, is that easier to do, for having that-
Greg:
Yeah. They're definitely taking advantage of the situation. Whether it's taking advantage of people working remotely, or just using the information out there. Think back to some of the past data breaches. You get an email that says, "Hey, in order to protect your information, we need you to sign in here," whether it was a PayPal email or something else. Well now, we have the CARES Act. We have money being distributed by the federal government. This is all additional information for the hacker to use for phishing. And phishing is a big game, and that's quite often how these incidents start.
Doug:
Gotcha. Just to back up a little bit, talk to me about how you got involved in this business and how you became passionate about it.
Greg:
Oh, certainly. So my background is in computers, computer engineering, graduating in the mid 90s. Worked as a consultant for a big firm for a while and then myself and my business partner started off a company where we did consulting for small businesses. And some of those businesses were law firms. 10-, 20-, 50-person law firms.
Doug:
Interesting.
Greg:
And it was about the turn of the century, about 2000, we started getting requests where they'd hand us a hard drive and say, "Can you recover some emails from this," or "We think someone may have taken something. What can you tell?" And we started looking into this new world of cybersecurity and, more importantly, digital forensics, and realized it was neat. It was a lot neater than break-fix on computers or even development. It was this new avenue, a new business line, and so that's kind of what steered us in that direction. It's been exciting. There's never a dull moment and-
Doug:
I'm sure.
Greg:
Yeah and just staying on the bleeding edge of technology.
Doug:
So, when it comes to digital forensics, I imagine a lot of this revolves around secure data, as you said that you're trying to recover or that somebody tried to nefariously destroy or something. What are some of the things that you see people do that you try to sort of back up and recover from? I mean, I'm sure you see all kinds of stuff out there.
Greg:
Yeah. Yeah. I mean, everybody's trying to pull a fast one. A lot of times we see someone trying to fabricate an email. You see where an employee would get asked, "Hey, did you send this email to such and such customer?" Like, "Oh yeah, I sent that weeks ago." They go back to their desk, they type up the email, change a couple of things, send it off, and alter it in such a way to make it look like it was actually sent, when they were supposed to send it, but didn't.
Doug:
Wow.
Greg:
And then we examine it and it's like, well, no, it was actually sent about five minutes after you asked him about it.
Doug:
Interesting.
Greg:
So we see things like that. We see in cases where someone is supposed to turn over a phone or turn over their computer, and come to find out two days before they turned it over, they wiped it clean or reset it and things like that. So everybody's trying to pull a fast one and they don't realize that it's very difficult to do, especially if you don't know what you're looking for.
Doug:
Right. That's where professionals like you come in, right? To help recover that stuff.
Greg:
Well, alleged professionals such as myself. Yes.
Doug:
That's awesome. Very cool stuff. So when you talk about ... We often hear this and I know in our firm, we go through an IT security training and things like that. So I hear this term, mind your electronic data. What does that mean in your mind? What can we do to be most aware in that?
Greg:
Yeah. I mean, be aware of the information you have and be aware of who you're giving that information to. If you get an email out of the blue, where someone says, "Hey, you need to, for security purposes, you need to sign in and verify your password." No one's going to ask you to verify your password. The password is yours. You use it when you want to, not when someone asks you for it. I also see too, a lot of times on social media, especially now, everybody's home, everybody's bored. Everybody's on social media and they're playing these quiz games. Like maybe your top five countries you want to visit, or your top five favorite foods. And the thing is though, that these are all the security questions that you're answering for some of your accounts, and people are just putting the answers out there.
And it takes nothing for the bad guys to just screen-scrape all that data, and then turn around and use it in some way, shape, or form. It's quite comical. But it's understanding what you have and who are you giving it to?
Doug:
Yeah. Now in today's world obviously, we're all so interconnected and there's, to a large degree, a lot of institutions, a lot of businesses, we all mix personal and professional on our devices to some degree. So talk a little bit about some of the pitfalls that you see within that area. Whether it's phones, laptops, anything else.
Greg:
Yeah. The big issue is for corporations when they need to conduct an investigation, or they need to respond to some type of litigation, even in a response to a fraudulent activity. If the company hasn't thought about that before and conveyed that information to their employees, they run into a lot of stumbling blocks ... If the device is owned by the company, it's a lot easier at that point in time. But most companies don't own the cell phones their employees use for work. So how do you force that employee to give you the cell phone when you didn't set that up in the first place? That's a big issue. You've got to consider that upfront, lay down the rules, and make sure people understand, because otherwise they'll start putting personal data on work devices and start putting work data on personal devices. I mean, then you don't have to worry about it.
Doug:
Yeah, absolutely. And one of the other things that I often think about is, in dealing with financial transactions or obviously financial information that's very confidential, that's got to all be tracked somewhere, right? And I often think of people that say, "Well, I know my bank is tracking that stuff for me," or somebody else is doing that. Is that always the case or? I think some folks just assume somebody else is doing it for them to some degree, and they don't always maintain their own records.
Greg:
Yeah. That's often a very sobering conversation when we're talking with a client that's stuck in a situation and they think certain information is being tracked and it's not. A lot of companies fall into the pitfall of well, "Yeah, this is being tracked," or, "We can always recover this information." Until you have to go through this situation, you don't realize that just by default, whether you're installing a financial application, you may not be tracking all the information you think you are. You can be, but it takes some forethought into it, and looking into and saying, "Are we tracking this information?" So with companies with an IT department, when they're implementing these packages, consider what are you tracking, how long are you tracking that information, and can you get that information back, should you need it.
Doug:
Yeah. Now what about the advent of the cloud? A lot of companies operate all their information now is in the cloud. What types of differences does that present? Both from a security perspective and from a forensic perspective?
Greg:
So from a security perspective, realize that the information in the cloud itself, the provider is protecting it probably better than you're protecting your data. Their impetus is that they want to make sure your data's secure. But it's your access of that data, how are you accessing that data and from what devices? So when all your files were there, on your local server in your office, you could control who was on your local network. Well, now it's up in the cloud, which allows for accessibility, but you've got to make sure you have the right security on it, and again, it goes back to what we just talked about. Are you tracking the access to that information? And so from a cybersecurity perspective, don't fall into the trap of, "Oh, it's secure up there." There's still that door that you've got to get through to that information and anybody else can kick open that door if you're not protecting it.
Doug:
Yeah.
Greg:
From a forensics standpoint, it's realizing that ... Some of my counterparts in the industry talked about the golden age of forensics, back in the day when everything was on hard drives and we could recover all sorts of deleted data. I think actually now is the golden age of forensics because of all the possibilities of what's being tracked. But we don't have that ability. If you have email in the cloud and it's deleted, unless you have some kind of backup in place, you're probably not going to be able to recover it. Same thing with deleted files. So it's just understanding how things have changed and being able to change with it.
Doug:
So you mentioned backups. So how have those backup protocols then changed, with the advent of the cloud? What should companies be thinking about in terms of that?
Greg:
The first thing they should do is look at what is being backed up, how long is it being backed up, and what does it take to get that information back, and does that fit in with your goals and your requirements as an organization? If you need to go back six months for whatever requirements you may have, is your data being backed up for six months?
And I get a lot of people coming to me and say, "Well, Microsoft must be backing up all my emails." Well, they are, but it's for a just in time replacement if they have some kind of a crash. They're not backing up historical information so that if you delete it, they can get it back. So you have to consider that, understand, don't assume anything, I guess that's what it comes down to. Look to engage either with your IT department or engage with a professional that knows and helps you understand what really is going on. And that's the big takeaway for cloud, working in the cloud these days.
Doug:
You would advocate then that companies would say, "Test those backups," I would imagine every so often, right? And you probably find holes in what you thought.
Greg:
Oh, yes, definitely. Brief story, I had a client that came to me, this is about five, six years ago, and the client's business relied on this database and the database was stored on their local server. And the owner of the company said, "If this database went away, we shut down the company, simple as that."
Doug:
Wow.
Greg:
And he told the story that every Friday they have a management meeting, and he'd ask his IT person, "Is it being backed up?" Yep. Database is being backed up. Is it being backed up? Yep. It's been backed up. So they thought they were good. The server had a hardware failure and they had replaced some components, but in that replacement, there was the possibility that the data was going to be reset and erased. And so he turned to the IT guy and he says, "Well, no big deal because it's being backed up, right?" And the IT guy says, "Yeah, to the same box that the data's on." So it was an "oh no" moment. Very luckily, we were able to recover it. The company went along fine and dandy. But if you haven't gone through the process, you don't realize all the pitfalls. All the things you can run across that totally change your view as to what's being backed up, what's being saved, and how you're going to go about it. Especially, I mean, dealing with ransomware these days as well too. People think they have backups and honestly, that's not always the case.
Doug:
Now we've seen, at least publicly, it seems to me I've noticed much more of these ransomware type of cases. Is that true? Is that becoming more prevalent? Or I'm just noticing it more maybe.
Greg:
Both. It's a big business. It's increasing. You have to realize that in order for you to hear about it, people have to report it. And people are only going to report it if they have to. You only see the tip of the iceberg as far as what's going on out there, but it's a big business and it's increasing because it's simple. And it's shifted now too. It used to be, a year and a half ago, all they would do is they'd encrypt your data, make you pay a ransom, and then you can decrypt your data. Now they encrypt your data, they steal your data, and make you pay a ransom not only to get your data back, but also to have them return it, and not-
Doug:
Wow.
Greg:
Deploy it all over the internet. So it's-
Doug:
Wow.
Greg:
It's a big business. It's big business and the avenues to get at that data are plentiful.
Doug:
What are some of the tools that you guys use to help combat some of these efforts by the parties out there?
Greg:
So, from a preventative standpoint, again, it goes back to, are you testing your backups? Are you testing your backups? A lot of companies do the simple, quick and dirty where they've got a USB drive attached to a machine, and that's their backup. Well, ransomware is going to encrypt that too. Guarantee it. You're not providing some kind of air gap or some other kind of security measure to separate that. The bad apples are actually even going ... they're capable now of, if you were backing up to the cloud, as they attack your machine, they can use the credentials on your machine to get to the cloud, and then take care of your data up there as well, too.
Doug:
Wow.
Greg:
So yeah, it's going through that process. Yeah, that's a big change and a big challenge from a preventative standpoint. From an investigative standpoint, sure, it's a matter of, how do we get the data back? What are we going to restore? But also too, a lot of companies have the obligation that they've got to report any kind of unauthorized access to their data. And so you've got to go through that investigation. It's not just, "Hey, what was encrypted and what can we get back," it's, "What may have been stolen?" Especially now, as I said, it's changed. Not only do they encrypt it, but they take it.
Doug:
Wow. Yeah, that's scary. So what are some of the, kind of the coolest forensic investigations that you've been a part of, that you could speak to? I love some of these stories. They're just fascinating.
Greg:
Yeah. Yeah. I mean, like you said, the ones I can speak to and unfortunately, not a lot of them are there. I had a neat one years ago, it involved insider trading. And we were working with counsel for the defense in the case and they wanted to know, truly, was their client involved in some kind of insider trading? And we looked high and low on his computer and found no evidence that he had communicated with the person on the inside at this organization. And he denied it as well too, "Nope, didn't. Didn't at all." But then we ran across something. So the insider at the company had a unique name. A name such that, when you would type it, the autocorrect in Microsoft Word or Microsoft Outlook would change the name to what it thought was the right word you were looking for. So in order to keep that from happening, he actually saved ... You could save your custom dictionary, like names and words. So he had saved that name in this custom dictionary.
Doug:
Uh-oh.
Greg:
We found that name in the custom dictionary. And it was like, boom. Get paid, all done.
Doug:
So even though you think you've covered your tracks, you can't cover them all usually.
Greg:
No. No, you can't. Yeah, that's unfortunate.
Doug:
So talk a little bit about analyzing digital evidence. I know that's obviously near and dear to your heart. So some of the things that you guys do to help spot fraud and things like that.
Greg:
Yeah. So one of the things we like to do in fraudulent type investigations, especially if it's like an insider case, is try and connect disparate data, data from different sources. If you've got someone that is basically, fraudulently submitting POs and having them paid to a company that they set up, maybe you find in your human resource data, you're able to connect information like an address of an employee to the address of the corporation. Now, that's a simple one. But maybe you find a phone number for an employee, all of a sudden matching a PO number. Or a phone number, or their social security number matching the federal ID number for the company that's getting paid. So it's taking data from different sources, and being able to combine that and find out, do we have a connection here? And does that lead us to what's actually happening here?
Doug:
That is very cool. That's cool stuff. Are you using those analytics, in essence, as part of your forensic process to figure those things out?
Greg:
Yeah, most certainly.
Doug:
Excellent.
Greg:
Most certainly.
Doug:
Very cool.
Greg:
Things like that, as well as the frequency of words being used, in relation to how they typically are in the English language. So there's-
Doug:
Wow.
Greg:
A lot of analytics you can apply, but in order to do that, we've got to have the data, we've got to have enough data, and enough pool of data, to make those analytics work.
Doug:
Yeah, that is very cool. So what's ahead for digital forensics in this industry, in the next couple of years? What's exciting that's coming down the pike or where do you see things headed? Any insight into that?
Greg:
I mean, definitely mobile devices and the information that's on them, and the tracking of that. One of the challenges that we have in the digital forensic world is, with using a mobile device, with capturing data from a mobile device, we're kind of limited to what the security is on the device. And for instance, iPhones, and for the longest time, it was very difficult to get a lot of data from iPhones. Well, there was just in the past four months, an exploit that was revealed regarding iPhones, that allows a forensic examiner such as us to utilize, in order to capture more data from an iPhone.
So what that opens up is more tracking information, more location information. So I think what you're going to find are a couple of things. One is, the ability to use mobile devices more and more, to determine who's been where and what they're doing and so on. In which, we've always been doing, we've always been trying to do it, but now there's more data to do it. But I think what you're also going to see is, applications that said, "Oh, we're not tracking this. We're not storing that." And come to find out they are. And it was just hidden behind the security of the phone. And we couldn't see that before.
Doug:
Very interesting. That's fascinating. Particularly, as we think about this pandemic that is obviously ongoing and there's a lot of talk about tracking people and where they are because it's important, in terms of how healthy they are, who they might've been exposed to, whom else they might expose themselves to, in terms of potential spreading of this virus. So I can see both sides of that.
Greg:
Yeah. I mean, definitely there's a desire to do that and the information's there. It's a matter of, just because it's there though, who has the right to collect it and be able to combine it and so on. And that's something that is constantly a battle out there. I mean, just because the data is there, doesn't mean that a certain organization, group or entity has the right to it.
Doug:
Yeah. Yep. That's above our pay grade to figure out, right?
Greg:
Well, yeah. Definitely. I do deal with it when they've got it, that's all.
Doug:
Right. For sure. Well, this is fascinating stuff, Greg. I really appreciate you being on, so thank you. Great [crosstalk 00:23:25].
Greg:
Well, thank you. I appreciate being on. Always glad to talk about these exciting things.
Doug:
Hopefully next time, we can actually be together and I can sample some of the wonderful Malbec that it looks like you're having, so. I was certainly-
Greg:
Yeah, certainly. I'll have an extra bottle.
Doug:
That looks delicious, so, thanks. If you want more business tips and insight, or to hear previous episodes of Unsuitable, visit our podcast page at www.reacpa.com/podcast. And while you're there, sign up for exclusive content and show notes. Thanks for listening to this week's show, be sure to subscribe to Unsuitable on Apple Podcasts or wherever you're listening to us right now, including YouTube. I'm Doug Houser, join us next week for another Unsuitable interview from an industry professional.
Speaker 4:
The views expressed on Unsuitable, on Rea Radio, are our own and do not necessarily reflect the views of Rea & Associates. The podcast is for informational and educational purposes only, and is not intended to replace the professional advice you would receive elsewhere. Consult with a trusted advisor about your unique situation, so they can expertly guide you to the best solution for your specific circumstance.