The Security Circle

EP 136 Hiring the Enemy? Is Your applicant a Trojan Horse? Former CIA Operative: Nick Gicinto Explains How a Bad Hire can Literally be Hiring your Hacker

Yoyo Hamblen Season 1 Episode 136

Share episode

Send us a text

🔐 Top 5 Things This Podcast Unpacks

  1. 🚩 The Rise of Fake Identities in Remote Hiring
     Nation-state actors — particularly from North Korea — are using stolen or fabricated identities to secure legitimate remote IT roles inside Western organisations, bypassing traditional recruitment filters.
  2. 🎭 Deepfakes and Digital Deception
     From AI-generated avatars to fake GitHub profiles and forged documentation, adversaries are creating sophisticated personas that fool even seasoned HR professionals and background checkers.
  3. 💼 How Insider Threats Start at the Interview
     The episode explores how the threat doesn’t walk through your front door anymore — it logs in from halfway across the world. Hiring is now a critical attack vector.
  4. 🛑 Why Zero Trust Must Extend Beyond Networks
     It’s not just about access controls or segmentation — zero trust thinking needs to be embedded in people processes too, especially during recruitment and onboarding.
  5. 🎯 Real-World Case Studies of High-Stakes Infiltration
     Nick shares real examples where threat actors embedded themselves in organisations, stole cryptocurrency, accessed sensitive code, and even touched on national defense data — all under the guise of being a “remote developer.”

NISOS.com

https://www.linkedin.com/in/nick-gicinto/

BIO

Executive security leader and veteran of the Central Intelligence Agency (CIA), Tesla, and Uber as an insider threat, intelligence and security specialist. Successfully developed Uber, Tesla, and Chainlink Labs’ first global intelligence collections, investigations, and insider threat programs from the ground up.

Now, CISO at William Jewell College and Professor of Practice in Cybersecurity, a new major at WJC.


Security Circle ⭕️ is an IFPOD production for IFPO the International Foundation of Protection Officers

If you enjoy the security circle podcast, please like share and comment or even better. Leave us a fab review. We can be found on all podcast platforms. Be sure to subscribe. The security circle every Thursday. We love Thursdays. Hi, I'm Yolanda And welcome to the Security Circle Podcast, produced in association with ifpo, the International Foundation for Protection Officers. This podcast is all about connection, bringing you closer to the greatest minds, boldest thinkers, trailblazers, and change makers across the security industry. Whether you are here to grow your network, spark new ideas, or simply feel more connected to the world of protection and risk, you are in the right place wherever you are listening from. Thank you for being a part of the Security Circle journey..

Yoyo:

Don't forget to give us five stars on your podcast platform. Okay, so listen, uh, what can I say? Every single week I bring you an amazing guest, Now, this gentleman first appeared on the Security Circle. Wow. Episode 30. That was a long time ago. Nick Jacinto, welcome back to the Security circle. How you doing?

Nick:

Yo-Yo, thank you for having me. I'm well, and I don't know if that was like an age joke by saying it was a long time ago that I was on the podcast, but I'm glad to be here again.

Yoyo:

Feels a long time ago, but it would've been about what? What are we now episode, we're publishing now episode one through five, so it's like 70, 80 weeks ago, literally. So that's

Nick:

wild.

Yoyo:

Why have you not been back since?

Nick:

Uh, well, I mean, obviously I'm a very busy, important person. That's the only explanation I can give. Or you have a tremendous number of highly qualified and amazing experts lined up who want to be on this podcast, and it's much more important that you give them opportunities than just to hear from me all the time. So I am also thankful for being back. It's great to be

Yoyo:

here. Oh, no, it's great to have you. In your career as well as being a CIA veteran and working through a number of different prestigious organizations working in insider threat, you are at the forefront of, intelligence when it comes to insider threat. The new thing, the new subject, is this kind of like,, fake persona application thing. You have designed a great program, haven't you? Talking specifically about why your applicant is potentially a Trojan horse, what led you to getting into this subject, Nick?

Nick:

Well, I lived at Yo-Yo, I worked in companies, where I knew that the intellectual property, the company knew the intellectual property was valuable, not just to competitors, also though, to state actors and governments. I remember being back at places like Tesla, thinking we have to work extremely hard to protect that autopilot software. The the crown jewels, the keys to the kingdom. And that was where I really gained a fundamental appreciation for how not it, it wasn't just insider threats, being disgruntled individuals looking to, uh, to settle a score and to do it publicly or maybe to sell out the company secrets to a competitor so they could get a better job. We saw state Actors Intelligence services attempting to infiltrate the organization in order to gain access to that intellectual property. That was not necessarily surprising what I was, what, what surprised me. Was the links that they were going to in order to try and acquire that information. Tesla was just the beginning. Um, where I've seen it most prominently featured recently, not so much around intellectual property, but around digital currency is in the blockchain space where I've worked for several years, uh, through either in-house at Chainlink Labs or doing consulting projects for various companies. The, the digital currency is, uh, is something that groups like North Korea and Iran are now working hard to try and acquire, and they're doing it through this Trojan Horse applicant kind of operation in, in order to try and gain privileged access so that they can then exfiltrate funds and support their illicit weapons programs or nuclear program development.

Yoyo:

So there's a lot there to unpack, right? Yeah. Number one, blockchain, number two, imposters. And then number three, raising funds for, uh, you know, for, for dubious and nefarious acts, let's say. So what's the link? And there are a lot of people who listen that maybe don't understand blockchain brilliantly well. So why has blockchain got these, uh, imposters latching onto it, and why is it so successful? Let's start from the beginning.

Nick:

Yeah. So most blockchain platforms and entities that, that stand themselves up do so based on a concept that their chain, or their program has some associated token or coin that is assigned a monetary value. And when these companies are formed, they have, a significant amount of these tokens that they then make available so that, those who are interested could acquire those tokens or those coins as, as a means to, to gain access to services on those platforms. And then because they sit on these formal, or sometimes elicit cryptocurrency exchanges, they have monetary value and can be converted then into fiat currency eventually. And, that's ultimately what these groups are looking for when you have countries like North Korea that are so crippled by sanctions. They don't have many opportunities to earn money, and so they have to rely on their partnerships with countries like Russia or China. And, you know, we know North Korea is contributing militarily to Russia's efforts in the Ukraine war, the full scale invasion. Um, beyond those relationships. Very difficult for the, for the North Koreans to, to, uh, to, to earn money. And so they have to turn to these tactics to, and specifically targeting blockchain because of the, um. The, the quasi an anonymity of being able to steal these funds. It's much easier in a, in a decentralized, unregulated environment to steal funds. Um, very different than when you would target a bank historically. And they have, they've done that in the past. I think things like the blockchain have been a gift for them to be able to move funds, move them quickly. They don't necessarily get everything. A lot of times, uh, some of those funds are recovered, but they get enough where it makes it, it makes a difference. And I mean, we're, when we're talking about theft in the billions of dollars, obviously you can do a lot with that.

Yoyo:

Yeah. But isn't the one added advantage to blockchain technology, the security of the technology along with the traceability of funds, isn't that one of the biggest USP's for using blockchain?

Nick:

So the, they're not necessarily you and you're right, and they're not necessarily targeting the chain itself, or the protocol itself, or the platform itself. They're not trying to disrupt that platform, which provides some type of a service or some type of unique application. On, on, you know, on a chain. The, what they're targeting specifically is just the currency that's associated with it. The companies themselves, when they publicly issue the, these coins or these tokens, they, they always. Hold more themselves than what they release. So they hold the most value in their own entity. And so to get access to their wallets, one thing, you know, when you have a blockchain company is they've got wallets somewhere. And those wallets typically have a lot of currency, digital currency within them. So it's, it's kind of a sure thing, right? Not necessarily that you're gonna be able to hack them or to steal you. Just from a target perspective, you know that blockchain companies have accounts and wallets that carry a lot of currency. So it provides a target for you to focus in order to try and exfiltrate those funds.

Yoyo:

And let's be frank, you know, most major trading banks now all use. Blockchain and cryptocurrency, they've all been using it for quite some time. It's now becoming quite prevalent, isn't it, in terms of like, China's government pays its employees in cryptocurrency. And so you can see how the targets are moving and, there are more of them.

Nick:

I think what you just pointed out is a testament to the inevitability of crypto and blockchain continuing to proliferate in our society. China was one of those countries that really sought to crack down and lock down the use of blockchain and specifically digital currency transactions. Here you are, you know, mentioning how they compensate their employees using digital currency. It's, it's a tidal wave. I, I think at this point. Is, that's not gonna be stopped. So we do have to figure out how to work with this technology. And there are so many, there's so much upside to blockchain, and its uses and its utility and value to the world. It, it also comes with, um, the same historic cybersecurity or digital security challenges that any type of information comes with. When you have humans operating these systems, you have humans controlling passwords to wallets and those are accessed through devices that they own. That target vectors are no different than trying to steal a piece of information or data because that's what digital currency is. Ultimately, it's just some ones and zeros.

Yoyo:

Before I move on to your presentation, would it be fair to say that China have got a firm foothold in this cryptocurrency blockchain market in the same way that America did when founding the, is it the International Monetary Fund, the IMF? Hmm. Are they looking to be the next digital generation of controlling global currency?

Nick:

Well, I think that that would make a lot of sense considering, one, we know that China plays the long game. They're patient, they're thoughtful, and wherever they invest because they know it's an area that they believe they can control and that they can win, and they are looking for. Global superiority. It makes so much sense that they would focus on this from a digital currency standpoint, considering you even have the vice president of the United States now coming out and talking about how we should be moving towards a decentralized form of finance. And China would absolutely wanna be at the forefront of that and have as much con controlling interest as possible in that effort.

Yoyo:

I can see that being a very difficult conversation in the future. Nick.

Nick:

I think you're right and I don't look forward to having that one.

Yoyo:

I think it's Jo good that you and I aren't sitting at that table. Um, yeah, no

Nick:

kidding.

Yoyo:

Uh, but look, your applicant is a Trojan horse. Why are we now focusing on the employer and making sure that they don't hire Trojan horses? And what is a Trojan horse to an organization?

Nick:

A Trojan horse is someone that presents as one thing, something that is of interest or value to the organization, and then once it's in inside the door or it has access, privileged access to systems, then it obvi, it then reveals itself to be something that was unwanted and obviously malicious or harmful. It's a little bit different than worrying about someone just falsifying their resume or saying, well, I've got a degree when I didn't get a degree. Uh, and it's not really what we're talking about, although I perhaps that is a, a, a another type of applicant, Trojan Horse, all its own, and something that I'm, I'm sure HR managers around the world are constantly on the lookout for, uh, for, for fraudulent resumes and things of that nature. In this case, we're talking about a Trojan horse that has one goal of gaining access to your organization for the purposes of escalating privilege and exfiltrating funds, and to do it in such a way that could be crippling for the company. And that's a little bit bigger threat than someone who just says, well, I got, I graduated cum laude. When in reality they, you know, they never made it out of university.

Yoyo:

50 shades of Trojan horse. That would be the very light, uh, almost white off white shade. And then we are talking about the dark space, aren't we? We're talking about the noir. Uh, take us through a case study.

Nick:

Sure. So from my own experience, um, dating back to, you know, sometime around the 20 21, 20 22 timeframe, I remember being involved in a project where, uh, an applicant presented themselves to an organization, uh, claiming on paper to have about eight years of experience. And, you know, back, back then, and even still now, right, as from the blockchain space, finding individuals, engineers that were, uh, proficient in coding languages like Solidity and Rust, uh, and go these were, these were like the golden gooses of, of engineering talent and organizations were just scooping them up as fast as they could. So to find somebody with that much experience claiming also. To have, uh, FinTech and traditional finance background working engineering at, uh, a bank in Japan. Uh, they had an established GitHub repo of code and projects that they had worked on claim to have a master's degree. I mean, really checking all the boxes, right. This is, this is maybe an employer's dream for us, for an engineer in the blockchain space. Um, I mean,

Yoyo:

and you're showing me, you're showing me a picture of him. I'm looking at a really smartly dressed Asian guy, looks young, competent, professional. Right,

Nick:

right. And, and checks all the boxes. Mm. I mean that you would be looking for, particularly because engineering in, in these entities on the chain. Carry a lot of privileged access. Uh, and, and the, and it's often that within blockchain code, there are wallets that are embedded within that code stack because it, the code is, uh, is facilitating the routing of funds or transfer of tokens and things. And so, um, when you get that access, at times you will get access to wallets as well. And that's a high position of trust. All right, so in reality, what we found out was this individual was not who they said that they were. Mm-hmm.

Yoyo:

And

Nick:

we found out that they were not, uh, a Japanese national, but rather a North Korean sitting in China. Poor spoken English skills. Uh, they were quite inconsistent with their, with their persona story or cover story, as we would say back in the, the Intel community. And also. Unwilling to turn on their webcam.

Yoyo:

That's a big recruitment red flag though, isn't it? Not putting a webcam on.

Nick:

I think for any applicant, whether they are, uh, intending to steal your cryptocurrency or whether they're just perhaps not, uh, not possessing a lot of professional maturity, I think that's something that you would be concerned about. Yes.

Yoyo:

Mm-hmm.

Nick:

In this case, uh, though it was very clear that the applicant was looking to infiltrate the hiring process to gain privileged access, uh, most likely for the theft of cryptocurrency.

Yoyo:

Okay. Tell me then why Lazarus Group is significant in this particular use case.

Nick:

Well, uh, it's, it's a great question and it's because Lazarus Group is considered to be the. Advanced Persistent Threat Group of North Korea. It's a PT 38 for those who, follow that nomenclature. They've been active since about 2014, and they are understood to be tied to North Korea's reconnaissance General Bureau within the government. They have been responsible for numerous high profile, widespread, cyber attacks over the years. I'm sure you remember the movie, the interview back in 2014.

Yoyo:

Yes. But I've never seen it. But I have heard of One Cry and I think a lot of professionals know both. One about one acquire. What's significant about the interview?

Nick:

Well, what's significant about the interview was that we have an example of a state actor. That is, that launches, a computer attack and a rather malicious one because we're talking about physical hardware that was destroyed as part of this, Sony lost hundreds of computers, maybe thousands. They actually had to break out their old printers that printed paychecks because they couldn't pay their employees through their traditional means, uh, given that, they were, um, they were completely taken offline. So that's a rarity. It also in that attack though, saw emails and, uh, very private conversations of Sony executives exposing the, uh, their true feelings about different actors. Um, it was, it was quite embarrassing publicly, uh, for Sony. And also there was a threat of terrorist activity if the movie was, was released in, in theaters. And so it caused, it caused an uproar in the United States. And, and really, um, started to pose the question of to what extent does a government need to step in and provide defense for the, uh, for, for corporations within its territory? And or how should the government respond to attacks against companies? Because at least in the United States, you can't hack back. That's, that's not allowed. Um, so from an offensive standpoint or a, um, a standpoint of, of response, it's, it's a government response or it's, it's probably no response at all. And, and this, this, uh, this example with, with the interview and Sony Pictures kind of started that conversation.

Yoyo:

What acquire was huge. This is where it affected the shipping industry. I.

Nick:

Uh, among many others, yes, it's, uh, but definitely the shipping in industry as well. And you know, if you recall with that one, uh, victims, um, with, with outdated windows machines, uh, that hadn't been, that hadn't had the proper security up, upgrades, got a, got a, a message that said, if you want this unlocked, please send some crypto to this address. So they've been, they've been working in payment via digital currency for some years. Uh, and it started back, it started back then.

Yoyo:

But you said in the pre-chat that buy bit exchange heist is more significant. Tell me why.

Nick:

Well, it's significant because of the size of that incident. So now this was recent, right? We're talking February 25. It's the largest crypto heist ever in, in history. They got$1.5 billion in Ethereum tokens from, from by bit, which is a Dubai based cryptocurrency exchange. I think it was estimated that they took it something like 160 million funds within the first 48 hours of the attack. But considering the totality, this was not something, this was not, kind of a drive by or hit and run. They got 1.5 billion after taking 160 million in the first 48 hours.

Yoyo:

That's pretty scary really. How were they able to do that?

Nick:

Uh, well it's a great question. They exploited a free storage software product that buy bit used to move Ethereum to another location. And they coupled it with, I, I guess, uh, believed to be a phishing attack that, uh, allowed them access control. And then the, the employees downloaded malware, which then allowed them, you know, access to the system.

Yoyo:

Ah, that old trick. So the Lazarus group,, they're quite, um, well-funded, well organized. Mm-hmm. And they're very strategic. That's, that makes them the triple threat, doesn't it?

Nick:

Well, and I think they're also desperate.

Yoyo:

What are they desperate for?

Nick:

Well, they're desperate for collecting funds because it's tied to their nation state's survival. Right. And,, so they're, they have very little to lose in, in this case. And that definitely makes them dangerous. Uh, it doesn't mean that they're sloppy, though. I don't mean to suggest that They're quite calculated and they're good, although they're not. I. There. I wouldn't put them on par, on the level of nation state actors from Russia or, or China or the United States.

Yoyo:

Clearly utilizing 4,000 plus IT operators sitting in North Korea, China, Russia, what we know, they're all kind of allies of each other anyway. But this surprises me. Parts of Africa in the Middle East, India, Malaysia, and Southeast Asia, India really do know how to sit on the fence politically, don't they?

Nick:

Well, they, they do. And it's not that these are nationals, Indian nationals there, it's, you've got North Korean Lazarus group operators who reside in these countries either under, uh, may, maybe under false identity perhaps, or, some legitimate resident status in these countries. And also they do employ contractors, right? So, they'll do pay to play schemes as well. And so it's a very decentralized model that they run. And they are, they're rewarded and paid based on their success. And they can also be recalled if they don't, if they don't produce. And so their incentive right, is to continue to live in some of these environments outside of North Korea, um, which are, it's probably a much more comfortable lifestyle than they would enjoy otherwise.

Yoyo:

Most large organizations hire, you know, it contractors, contractors that are given amazing amount of privileged access. Mm-hmm. What can an employer do? What considerations that they need to be thinking about when hiring?

Nick:

Boy, that's a great question. I mean, obviously you have to hire to the role and to the needs of the role, and you need to, you know, do your research to find the resumes and source the con, the, the, the right, applicants and so it. It's always gonna start with HR and then ultimately though it's a partnership between hr, the hiring manager, and the reality is now a security team and hopefully a security team that has counterintelligence, uh, or corporate espionage types of experience. Because you need someone who has the ability to, um, to investigate in a way that doesn't necessarily put the hiring process at risk or in, in jeopardy, uh, but allows the organization to get the questions it needs answered and to feel comfortable that there, that there's a low. Risk of hiring someone. Um, what I found, and this occurred everywhere I've worked in the private sector, is that while I might have been hired to build a program for security and intelligence or to work at insider threats, I ended up building in a process of integrating security into the hiring process and working with, the HR teams in order to put someone from my team, or it could have been me in many cases, into the interview process. And really it was, we had to limit it to the roles that were of highly sensitive access. We couldn't do this for everyone. We had to prioritize, but it's one added interview where we would show up and say. Yeah, we're here as a bar raiser. Uh, we just, we like to put somebody who's not gonna work on your team into the interview process so that they can, they can get our perspective and feedback. We don't have group think so let's, you know, we're just gonna talk. You got stuck with me today, huh? What? You know,, what are the odds? And we would use that, I would use that time to ask the applicant questions that would help give me insights into whether or not they were being truthful, whether or not we could trust them, whether or not they would be hopefully successful in their role with a low amount of risk.

Yoyo:

It's interesting that you say this. So we're talking about, you know, this fraudulent application process where imposters are basically claiming to be an incredibly desirable candidate. And yet this morning I received from Barclay Simpson the outcome of a big survey that they've done in terms of cybersecurity hiring. And it was interesting because not only was remote working, still a key factor, but the availability of suitable candidates was less on in 2025 than it was in 2024. So that means for the employer, for the recruiting, the talent requisition, uh, manager, finding that candidate, the authenticity of that candidate is, is now becoming more and more critical because the ones that we really wanna hire, they're fewer and farther between. Now it's tying up, isn't it?

Nick:

I, I would agree and I think one thing that will get organizations in trouble is an over-reliance on hiring for hard skills and not taking the appropriate amount of time to vet for soft skills. Ultimately, that is one of the most successful approaches you can take to prevent that Trojan horse hire, is to get them to talk about things apart from just the hard skill of coding or the hard skill of whatever they claim on their resume. Getting into learning more about them as a human being, it's really hard to defend a cover story if you have not practiced and lived it over and over and over again. And that's where you get them to, to, to show cracks in that armor.

Yoyo:

Two things, and this is the important part of this survey. Despite widespread candidate availability, employers tell us they're still trust, struggling to find the right people. According to Barky Simpson's annual salary survey, 94% of organizations have found attracting skilled talent in the current job market, challenging with 40%, describing it as very challenging. That's quite telling. So you present as an ideal perfect candidate. I mean, that's gotta bring up red flags in itself.

Nick:

Yeah. What's wrong with you? There's gotta be something wrong, right? You're too good to be true.

Yoyo:

Right? That's pec. Especially if this is a role that isn't offering the best compensation, Nick, but someone comes along and says, yo, I'm quite fine with that. You know, all of a sudden, you know that the desperation is there on both sides. Right?

Nick:

Oh, I agree. And I, I think that it, it. Companies are going to take bold risks when it comes to hiring at times. And, and they know that, you know, some, some applicants are gonna pay off and some are gonna be busts and, you know, they'll cut their losses and move on. That's always been the case. The difference here is that some of your busts could be more than just having someone who didn't meet their OKRs for that quarter, but they could have walked out with a billion dollars of your assets. And that's where, you know, you have to bold risks, still have to be managed with, uh, with sound process to ensure that you don't let somebody in the door that that has no business being there.

Yoyo:

Mm. Okay. Take us through the rest of the presentation then, in your own time.

Nick:

Well, so the what we, what we found with that candidate profile and then how they act actually presented in 2022, when you roll around to 2025. Now things have changed. Believe

Yoyo:

time has flown. Nick

Nick:

has it not. Yeah. And, and things have changed, not only in in the world, but things have changed in terms of how these North Korean applicants are presenting themselves. Okay. So, so think back to who was our, what was our applicant profile in 2022?

Yoyo:

He, he, he was Asian professional looking suit. No tie, but very smart, you think? Yeah. Do you know smart, presentable ticks, all those boxes?

Nick:

Sure. And now what does that app Clint look like?

Yoyo:

Well, you have picked a rather handsome man. Uh, he's like, he's just out of a catalog for young men's fashionable clothing. I mean, he is a very handsome white Caucasian guy.

Nick:

You know, that's a picture of me, by the way. I

Yoyo:

just, that's not you. Oh, is that with ai?

Nick:

No, it, so it is with ai, but it's it's not me. So, um, that's so

Yoyo:

funny, but

Nick:

Oh, I see what you

Yoyo:

mean. I saw you did that. It's late in the day for me, but I understand this is not, this is not an Asian guy and it's not a North Korean looking guy either, right?

Nick:

Correct. And where does he claim to be from?

Yoyo:

He claims to be from Baltimore in, in mud. Where's mud? Massachusetts.

Nick:

That would be Maryland.

Yoyo:

Oh, there you,

Nick:

yep. But what do you notice that's similar? So let's focus on the experience and the proficiency in coding. Same. Same?

Yoyo:

Yeah. Yeah. Same. Mm. What what about, oh, he's got prior experience at Bank of America

Nick:

versus a prior experience at a bank in Japan.

Yoyo:

Yeah,

Nick:

right. For the most part though, it's the same profile. It's just American.

Yoyo:

Yeah.

Nick:

Right. Yeah. And here's the difference. The real difference between 2022 and 2025 is now the webcam is on. Okay. And you can see your applicant. Now, who's really the applicant behind this? So,

Yoyo:

so the applicant's clearly Asian, but I can see on the screen that is the applicant is presenting as a white American.

Nick:

Right. Does it look similar to the individual you saw in the actual Yeah. Uh, applicant profile? Right.

Yoyo:

Rea reasonable. Yeah. You, you just had a haircut possibly. Um. Maybe he needs to go on holiday. It's very pale. But, um,

Nick:

right, right, right. So this is the big change. The big change is now they're not hiding, uh, behind a webcam. Now they're hiding behind DeepFakes

Yoyo:

ai. Yeah.

Nick:

AI is now making this possible, except it's not perfect yet. And there's, there's a piece, if you look down at the bottom of this profile, tell me what might be wrong with seeing this, uh, Caucasian American profile. And how it presents in the actual profile.

Yoyo:

Yeah. We wouldn't expect him to have a foreign accent. We would probably expect him to sound American.

Nick:

We would, we would not expect a deep, uh, foreign accent, um, of someone who grew up in, in Maryland. So now we have regional dialects, language reflections.

Yoyo:

Yeah.

Nick:

Correct. I'm not talking about this. I'm talking about something that's quite drastic and extreme, which means they're getting better, but it's not perfect. It's not perfect. Now there are ways, go ahead.

Yoyo:

Talking, talking about the development of this technology. I had a chat with a work colleague and I said, should we, um, should we use AI on one of us? You know, we, we'll turn up to a team meeting, uh, on teams and, and I'll use like the AI technologies. So it's, I'm really like in another room in the house, but I'm just talking and the, and the AI is talking. We thought we would do that. We haven't got round to it yet because we haven't found anything. Uh, we haven't done enough research, but we, we wanted to prove a point. Yeah. That if one of us could present and not be authentically us, then that's how important it's to consider remote workers.

Nick:

Workers a Absolutely. And if you were to hire this individual, they could present on any number of your. Uh, all hands or team meetings as looking like somebody that they're not, and particularly if it's not a meeting where they have to engage significantly. Yes. Well, I just gotta you, I need to sign a life. Yep. So and so he's, he's on, he's, he's there. Um, and, and in reality, right? It's obviously somebody different, but they don't have to, they don't have to push themselves to defend that cover story.

Yoyo:

Yeah.

Nick:

And that's pretty scary stuff.

Yoyo:

Rehearse, cover story. I mean, that takes effort.

Nick:

It does. It does. Because they learned, they learn what doesn't work. They analyze that, they go back to the drawing board and they get better. And one company falling for a cover story. Is great, but 10 companies falling for the same cover story is also that's amazing, right? So they can, they, they repeat these things, um, they repeat these things not only in the actual interview process, but I'll jump down to something and I have to use, I'm gonna use some really good work by a company called NISO's that put out reporting on this, where they did internet research on the profiles potentially associated with North Korean, hackers with Lazarus, group hackers attempting to infiltrate hiring processes. And what they found is a lot of replication of personas. And that guy

Yoyo:

on the left is not called Alfred Yian. He looks like he needs to be called Chad. Chad. Chad surfing. Chad. Do you know what I mean? So clearly he's having his identity stolen.

Nick:

Right. Absolutely. Or it's an AI persona, right? Mm-hmm. And they just, that somebody was, was either moving too fast or they don't have a lot of cultural sensitivity to think about what sort of fits, or what doesn't fit. But if you notice in this one of, on the screen with Alfred as his name mm-hmm. Is depicted here, NISO investigators found six additional profiles matching that same name, that same individual, and then I. When they went deeper, they found three additional profiles sharing the same experience as our original Alfred Yin. Uh, however, it's just slight variations, right? So it's like,, let me change a couple of things on my resume. But by large, in part, it's, they're just cutting and pasting, which in, you know, coming from an intelligence background, we would say, well, that's just being sloppy. Yeah, well, maybe, or they're okay with producing profiles quickly because they're not seeing a lot of scrutiny put on these profiles,

Yoyo:

bang on. I wonder if people don't know where to scrutinize, you know.

Nick:

And where would they, or why would they, or how would they, if they've not been taught and they've not been aware of the risks or the issues that are out there or the threats that they face. And that's why I think, this research is super important because it demonstrates how widespread and pervasive these accounts can be. And how if you spend just a little bit of time or you work with a company that knows how to do this quite well, obviously they're going to mitigate a lot of your risk. And that's a big, big deal.

Yoyo:

When you, when you say that there are three additional profiles sharing the same experience with slight variations, this is more than being called John Smith. Right?

Nick:

Right. They're

Yoyo:

right. This is clear. They're, they're too similar to be dissimilar.

Nick:

Yeah. So let me, let me go a little bit deeper and show you, uh, uh, this, this example of one individual who was I. Uh, who, who went by the name we dip. And he, uh, he had a, a GitHub account, which we're used to seeing. Right. We know that that's standard that they have, they have to demonstrate their coding skills because they know that employers look at their code. Um, yeah. To, and, and that's what they focus on. But they, um, you know, the, the ni these NI search, uh, NISO researchers found that the GitHub account was listed on a website belonging to this person. And he had co-authored different code commits with an individual that was known to be DPRK. Uh, yeah. And so it's the overlap that gets them, but if you don't know what you're looking for, you totally would've missed that.

Yoyo:

Yep. Right. But is there anything, is there anything we can do to trace the IP address of a remote interview to check that that location is not coming from somewhere in deep inside Russia in instead of Baltimore

Nick:

s So the answer is, it depends, and it depends on the infrastructure that you use as a company to do your interviews. Are you using a service like Google Meet or are you using something like teams? Are you using Zoom? Do you have that ability of, uh, of, of acquisition, of data and logs from, from that? Or do you have your own, your own system that you've put together that allows you to gain intelligence immediately upon or, or using some type of interviewing platform that gives you that intelligence? And if so, which by the way, I think this is like gold standard if you do this, if you have that ability. To get that telemetry about the user and also in the hiring process, get them to agree to that type of collection. Right. As part of the interview process. You know, the old terms of service check. Great. Now I've got all this telemetry. Are you using A VPN? Oh, interesting. So if I get a candidate that uses A VPN, I'm gonna ask them why are they using it? I'm gonna ask them if they would turn it off.

Yoyo:

Yeah.

Nick:

Right. I'm also gonna ask, here's, here's one of the top ways, and I'll let you describe this to listeners. One of the best ways to cut through a deep, fake video, uh, of an applicant and determine whether or not they are, they are who they say they are. Get them to do this.

Yoyo:

Yeah. Show you around the room.

Nick:

Yep. Let's take a tour. Show me what the weather's like outside, show that person at multiple angles because the ch it becomes much harder for that AI to, uh, to keep up. Yeah. Without getting pixelated or, you know, that weird sort of sketchy, yeah. Almost like somebody is, uh, uh, is going through some kind of a, a glitch, right? Yeah. That's, these are the things that, these are low tech, by the way. I mean, obviously if you have your own interview platform or you subscribe to one that allows you to get telemetry on applicants, which I think is Yeah, would be the best. There are some pretty low, low cost, low tech hacks to this process.

Yoyo:

The, the whole thing about, show me the weather outside. You can get through that just by building a rapport. Nick say, Hey. Oh gosh, yeah. It's got horrible weather in, in say England today. And we talk about that a lot. So it's hardly unusual. And say, what's the weather like where you are? Oh, show us outside the window. You know, it can be, you can, you can soon see if they turn around and say things like, oh, you know, my room's really untidy. My sister's been in here and she's left stuff everywhere. Oh, no, no, just show me out the window. It's fine. Mm-hmm. You'll start to pick up red flags because you are almost breaking into their shield of confidence. But this, this GitHub check. Class Nick? Yeah. Did you cover that by yourself?

Nick:

I wish I did. Now I have to, again, I have to give credit to Ni os in their investigation. They published this, all this online. Right? So, awesome. I have to piggyback on some of this because it's good work. I'm gonna show you this. This is one of the things that Ni os picked up, from the website. Now, the individual on the left, the image on the left that you see is from Hu's website. They were able to image match this to a stock photo, which you see on the right now. What's the only difference you may notice there?

Yoyo:

The only difference that I can notice, is that the chair is slightly different.

Nick:

It is, yeah. There's a slight difference there.

Yoyo:

There's a slight about slight diff. The glasses. Do you know, I'm looking, I wanna be a smart ass here and get this right. It's,

Nick:

it's subtle.

Yoyo:

It's really subtle.'cause you are actually putting a, his eyebrows look slightly different.

Nick:

Mm-hmm.

Yoyo:

Like they're thicker in the, in one and then they're thinner in the other one.

Nick:

So this is his image right here? Yeah. From his, from one of his social media accounts. So you see that face?

Yoyo:

Yeah.

Nick:

Let's look back here. Is that the same face?

Yoyo:

That looks very similar.

Nick:

Okay. Looks very similar. Yeah. Now what about from the stock image?

Yoyo:

The stock image is, these are eyebrows are a lot busier, to be honest.

Nick:

Right. Oops. And

Yoyo:

darker.

Nick:

Right, right. So what you've got is speed

Yoyo:

adapted.

Nick:

Correct. Correct. And the haves are a bit

Yoyo:

fuzzy as well, aren't they? They're a little bit fuzzy.

Nick:

They are a little bit fuzzy. It's for the most part though, it's very subtle adaptation of the stock image face to, to match his face.

Yoyo:

Most people wouldn't notice that, Nick.

Nick:

Right. I understand. And that's the beautiful part for these guys. Um, yeah. These workers claim to have tremendous depth and breadth of experience. Right. And it's really hard for a company to turn away from an applicant that claims to have this level of proficiency,

Yoyo:

but this is a red flag as well as a hiring manager, they usually have a dominant programming language and a secondary, and a third maybe, but not

Nick:

six.

Yoyo:

Mm-hmm.

Nick:

Right. Mm-hmm. Yep. Abs. Absolutely. So when, when you see something that's too good to be true, obviously it probably is. Yeah. But this is, if it's too good to be true, it's probably also for a position that you desperately need filled, or it's a position of highly sensitive access. These are the positions where you should be applying a higher level of scrutiny anyway.

Yoyo:

And

Nick:

hopefully you are, because they're going to be, they're gonna be targeting you. Yeah. And uh, and, and by the way, this is not the only tactic that they use. They do a lot of social media phishing or spear phishing, uh, campaigns, targeting your employees inside the organization to, uh, perhaps, uh, uh, look for some side consulting gig. Answer a few questions. Market research. We'll throw a$300 gift card your way. Let's set it up. They'll do a call or they'll just directly send you the link. You click on it. Now you've, now you've compromised, you know, your accounts and, and they're in using your identity perhaps. Um, there's a lot of things that they do. So this isn't the only way. I think this has just been, this is one of the ways where they have the potential to do a significant amount of damage where they, to be successful in getting hired.

Yoyo:

Yeah. So how do we stop them, Nick?

Nick:

Oh, I'm so glad you asked. Yo-yo, there are, uh, there are a number of ways and just like the thought process of how we build physical security defenses or even cyber defenses, a layered defense approach is what I would recommend to you. You know, that you may not get them just at the application level. Maybe you get them at the interview level or hopefully as the last resort. You get them at the onboarding level. But you have to put trip wires in at every single level in order to maximize your effectiveness. Just like we would put a, you know, a gate around the perimeter of a building and a guard stand that they have to get through, and then physical barriers, and then Id checks. These are all, this is a layered defense approach in, in physical security. You have to have one of these approaches in hiring. And so at the application level, the best way to identify these individuals is to have enhanced vetting techniques. Mm-hmm. Um, comprehensive open source intelligence searches of things that they claim on their website. One of, one of the old rules that we used to have, uh, at the agency was if somebody put a topic out there, they're putting it on the table. It's fair game if somebody puts something on their resume, to me, that's fair game. If you say, I've got a GitHub account, well, I'm gonna go look at it. Yeah. If you claim that you have your own personal website, I'm gonna go look at it. Um, social media accounts,

Yoyo:

you know, Nick. I pity the fool who likes lies to you. I really pity the fool who lies to you seriously. I really do. It's like I always hate it when people lie to me. Just being a former police detective, you know, you are given enhanced training to spot people who maybe aren't being their authentic selves. But you don't lie to someone who's, you know, former CIA, like I said, pity the fool.

Nick:

Well, you can try catch them out. You can try. You're gonna have to, at some point you're gonna have to speak to my kids and advise them against it because they still seem to think they can get away with it. But, uh, the jokes on them. I, I think one of the other things that's really effective in this space, considering the prevalence of AI in Yeah. Um, in modifying images is to do reverse image searching with these candidates. Yeah. And you know, it's almost strange nowadays when you search someone's image and nothing comes up.

Yoyo:

Yeah.

Nick:

That's weird. And

Yoyo:

yeah.

Nick:

I think that's something that, that we should take notice of. I think there's also, when we talk about enhanced vetting or comprehensive osint, is we have to look at how people write, and this is something that we don't necessarily spend a lot of time doing. I'll tell you just a quick story of when I was doing one of these bar raiser interviews for an applicant with highly sensitive access at a company, I found out that I was his ninth interview that this poor guy had to go through. Now that, that's absurd in and of itself for many other reasons. However, when we got to me is kind of that last step before potentially making a, a hire, I looked down at the bottom of his resume where he claimed that he was a life coach. And I said, tell me about being a life coach. He said, oh my gosh, you're the first person that's asked that. Yeah. And I said, in nine interviews nobody has read to the bottom of your resume and asked you about being a life coach. He's like, no, this is the first time. I said, well, tell me about that. And he goes, well, I haven't actually done it yet. I said, oh, okay. What does that mean? He said, well, I've taken some classes, but I haven't finished them yet. And you know, I I hope to do this, you know, sometime soon. And I said, well, if I were your life coach, I would tell you not to put things on your resume that you haven't actually done before. He said, oh yeah, I kind of forgot that was on there. I'm really, I'm really sorry. Well,

Yoyo:

he's kind of lied to you in a very honest way.

Nick:

In a way, yes. And how many people looked at that and thought, oh cool, this guy's a life coach. He must have his stuff together if he's telling other people how to run their lives, right? But they didn't bother reading and asking the question and so, you know, I talk about it as enhanced vetting or comprehensive searches. I'm actually just talking about, read the things that they write. Look for consistencies inconsistencies is really what you're looking for because that's the where these profiles tend to become problematic. I'll take a paragraph of somebody's text and I'll just drop it into our old friend Google and see has that been written anywhere else before? And sometimes you find things that it's like, wow. I wonder who, who came up with this idea first? Was it you or was it this brilliant mathematician here who posted their resume online, you know, that you may have, may have come across and decided you wanted to scrape something off of their profile? It's not hard. It just takes time. And that's one thing that a lot of companies don't have is the time to do this. But when it's a position that's this important to your company, you have to take that extra. Time and you wanna look, go ahead.

Yoyo:

Scrutiny over CVS is, it can be a sensitive subject because some of us are looking for confirmation bias that the CV is as good as it pretends to be. Uh, it purports to be sure. Uh, and some of us are looking for confirmation bias that it isn't as good as it's claiming to be. And I think, you know, we have to be, we have to be checking our own biases. You know, some of us are trained to look for biases. Sure. You are trained to, you, you are trained in bias. You, you're trained to look for things that are stereotypical and not stereotypical. Uh, so it's, it's tricky that as well as it, when everybody's trying to get it right, you know.

Nick:

I think you're right and I'm also looking for fact, I'm looking for that which I can corroborate or confirm I'm looking for consistencies or inconsistencies and so I don't, I'm not gonna say I don't care what you write or how you portray your experience. I obviously do. I'm gonna ask you about it. I'm gonna see if that checks out. But when I'm talking about scrutinizing a, a resume and the text on a resume, I'm really not looking so much about what is being said as much as. Is it being said somewhere else? Right? And if it's being said somewhere else, is that another profile? Are you, you know, is this person just cutting, cutting and pasting a resume together? That could mean a couple of things, right? It doesn't mean that they're a North Korean threat actor trying to impersonate a real applicant. It can mean that they just, you know, they didn't have the, the confidence to put something in their own words, or they wanna make themselves look better than they actually are. Who knows?

Yoyo:

Yeah. Either way,

Nick:

though. I, that it matters. Yeah. And, and you, you wanna drive, you know, further into that, and I can't tell you how often, um, I, I find that companies have stopped doing reference checks and validating employment claims and education claims. I think a lot of people, uh, or a lot of companies may look at that as something that's time consuming or they don't hear back. And so they give up. Uh. It really does matter. It's expensive.

Yoyo:

It's an additional cost as well.

Nick:

Correct. But it's

Yoyo:

like, it's ironic, isn't it? When you look at an organization, an entity, you know, you've got half the organization focusing on the physical security, half of it focusing on cybersecurity, and you've got recruitment just letting people in the door

Nick:

Yeah.

Yoyo:

Rolling out a red carpet. And, and so it, there's just so many things to keep an eye on, isn't there? Trust no one. Totally, totally

Nick:

agree. Ah, right.

Yoyo:

Be believe nothing. Trust no one.

Nick:

The zero trust, uh, approach to hiring. Right. Um, so you, you know, I think we, we talked about the things at the application level. Yeah. For somehow, you know, they, they make it through that piece. Then you're gonna get in front of them at the interv, at the interview level. And this is where, you know, your own observations are going to matter. One, is the camera on that's gonna be good for any employees we talked about? Yeah. Do you see consistency in their lip movements with the, uh, with the image? Uh, yep, exactly, exactly. That's, uh, and, and I wish everyone could have seen what you were just doing with your face. It was awesome. I

Yoyo:

was just moving my lips and not saying anything.

Nick:

It's, uh, it, it reminds me of like a really po like one of those terrible impressions of an old, old Bruce Lee film, right? Yes. With the, with the, the voices that were dubbed over

Yoyo:

Yes.

Nick:

Uh, over Bruce, um, um, eight eighties

Yoyo:

children that we are.

Nick:

Exactly. Um, I think we talked about asking the cam, the, the applicant to move their camera around. No, you're

Yoyo:

supposed to say no. You're supposed to say, yoyo, you are not an eighties child. Surely not.

Nick:

I just thought we were trying to commiserate. I, you know, really

Yoyo:

Let yourself down there, kids.

Nick:

I, well, hey, you know, somebody's gotta own it. It might as well be us. So, you know, you, you hit the nail on the head, when you asked to, to talk about the weather and to talk about, things that are in their environment, things that they may be able to describe that should be part of their reality based on where they say they are. And then I love. Acting like I'm an idiot sometimes. Well, I mean, I don't really have to act sometimes, but asking a question that, you know the answer is wrong. Yeah. Is a great way to trip them up on their cover story. Yes.'cause what happens, and I've been in this situation, right, where you're thinking about having to, you know, well who am I today and what is my story today? Yes. What you do when that happens, even if they've got their cover story down cold, is you make them a little bit nervous. So

Yoyo:

like what I did with Baltimore and I said, that's in, in Massachusetts. Right? Right. Now somebody who's foreign, who's making up a story would be like, yeah.

Nick:

Right. If they panic right now, maybe they've got this stone cold cover story and that's, that's great. You're not gonna get'em that way. You're gonna get'em a different way. But those questions where you know the answer, but you appear to, to give them something different. Like obviously Yeah. What did you think of Cambridge right? When you, when they claimed to have studied at Oxford? These are just little tricks that you can try.

Yoyo:

Yeah.

Nick:

So you know, God forbid they get through the interview and you hire them. Oh, damn. Then you've got the onboarding step. And now this is gonna be controversial because it's expensive, but if they're in a position that's of high enough trust, you make them get on a plane and come into your office physically Yeah. To onboard in person.

Yoyo:

Don't mail them or courier them the laptop.

Nick:

No. But if you do. Beware of the sudden change of address when shipping the corporate laptop,

Yoyo:

maybe put a tracker in it.

Nick:

Uh, well, hopefully you've got a really good mobile device management tool on that laptop. So when it's fired up, you, you know where it is in the world. But any of these things, could be effective. Um, and then obviously you need to watch and hopefully you have good logging, from a technical perspective of, what's touching your environment, because you wanna see if they're logging in from VPNs to corporate infrastructure, ask them to turn it off. Ask'em to turn it off and give me a physical address. A physical digital address. The use of remote access tools is also one of the things that they employ. And then I hope and pray that, and not just because we build one of these at Hilltop, but I hope that there's an endpoint detection and response tool on the corporate device that, that manages that device and looks for malicious tools, or malware that's on that laptop.

Yoyo:

I like the remote access tools, the remote access detection tools. Most of the time I'm the one that's saying, Hey, you are using a remote access, device. It's usually always, uh, free source, open source mm-hmm. As well. Mm-hmm. Which is risky. Mm-hmm. But they're like, how do you know I'm, but what, what I, the other response I get is like, how am I supposed, you know, and it gets a little bit heated because I've massively disrupted them. Yeah, finding a quick way of doing something, but, uh, yeah, security

Nick:

is inconvenient and forbidden. Right? And, and this is the constant friction between CIOs and CISOs at companies. Uh, you know, around the world. It's always gonna be that push and pull, but when the risk is high enough, we have to be diligent in, in employing some of these tools or tactics. Let me, let me tell you about just one individual. His name was Matthew? Isaac. Newt, yeah. And he was in Tennessee. He was indicted by the FBI because he was operating a laptop farm in Tennessee, allowing Lazarus group hackers to remote into these machines and then engage companies appearing to come out of an access point in Tennessee under, you know, what we call these sock puppet accounts, these false accounts, fake identities. And, uh, you know, they co-opted a US citizen to do this. Now, uh, jokes on Matthew, he thought he was gonna make hundreds of thousands of dollars in doing this. I think in reality, they maybe paid him about 15 k, but he's looking at, a long prison sentence for this kind of stuff. Oh,

Yoyo:

yes. Kids don't go down that route no matter how tempting the money.

Nick:

No, no, no. There's a, this, there is a better way for sure. Yeah. So one of the things that we know they do is contract individuals to represent them and their identity. Yeah. So that they can beat the interview process. And that's where you look for that rerouting of the laptop.

Yoyo:

Yeah. And it's

Nick:

time to be, shipped out to that employee.

Yoyo:

They're almost becoming an employee mule in the same way that people can become financial mules. You know, you just let me borrow your bank account, I wanna put some money in it, and then I need you to send the money there if they can get an employee to do the same thing and act on their behalf.

Nick:

Right.

Yoyo:

Quirky just bandits. Think of everything, don't they, Nick? Well, they,

Nick:

they do and they're successful, right? Because Lazarus Group has been estimated to have stolen 2.93 billion with a B since 2019, and that's only what we know about.

Yoyo:

That's scary. And

Nick:

so it's real. Yeah. The money, the

Yoyo:

money's, the money's going into stabilizing their economy weapons. Nuclear power potentially more.

Nick:

Scanning most. Well, it's going to the regime. We know that. And then it's going to be divvied up according to their, their priorities. But mostly that's around proliferation of ballistic missile technology. Yep. And furthering their nuclear programs, which are the most expensive thing that they have to fund in the country.

Yoyo:

Because, is that because a lot, not a lot of people will sell them ballistic missiles?

Nick:

Well, according to, uh, you know, international sanctions. They're not permitted to purchase that anyone who sells it to them is gonna be in violation of a number of, uh, un un sanctions and other, you know, uh, methods of international law. So they build their own. But now as we see, you know, they're exporting that we, we see that North Korean missiles are being used against Ukraine. We see that North Koreans are being, uh, deployed to fight against Ukraine, right. Um, Iranian drones are the drone of choice for Russia to attack Ukraine. And Iran does something very similar that the North Koreans do in trying to infiltrate hiring processes specifically, um, you know, how they look to steal digital currency. So we pick on North Korea, it's not just the North Koreans who do this, it's the Iranians who do this as well.

Yoyo:

It's all of a sudden, got a lot of proxy actors, hasn't it? This particular geopolitical warfare

Nick:

in Indeed, indeed it does. And mm, while it's not just necessarily, uh, geopolitical warfare, it, this is a playbook that, that anyone really can use when they want to exploit a hiring process. I mean, North Korea actually has this Operation Dream job, which is, you know, a formal, formalized program to gain access to these companies. But this is not rocket science. This is espionage 1 0 1, right?

Yoyo:

Yeah.

Nick:

So. We, we have to presume, right? We wouldn't just wanna presume that because we have nothing of interest to the North Koreans. Therefore we shouldn't be worried about this type of, infiltration. There are any number of other threat groups that would love to gain access to intellectual property or to, to your data that they could ransomware you with. So

Yoyo:

take me through five easy steps to exploit the hiring process, Nick.

Nick:

Well, we're gonna go right out of the playbook from, from our North Korean friends, although, as I mentioned, it's not rocket science. They are establishing personas usually as corporate recruiters on social media. They are socially engineering relationships to employees at target companies that have this sensitive or privileged access. And we tell them, we do by the way, because we promote our backgrounds and we promote our accomplishments on LinkedIn and, uh, so they know buzzwords. I cannot tell you yo-yo, how much spam email I get after I became a chief information security officer and I put that on LinkedIn. That has been the bane of my existence, at least 15 to 20 outreaches a day. And so they're doing the same thing, right? Looking for sensitive access at target companies. And then they're directing the target to access a malicious link through Spearfishing because they've identified the individual that they want to, to target based on their access. And then from there, they're gonna infiltrate the company network, looking for intellectual property accounts, keys, digital assets would be the golden goose specifically for the North Koreans. And then they're gonna steal it. They're gonna exfiltrate it. And by the way, if you do this for North Korea, you could make up to$250,000 a year. That sounds like a pretty good gig.

Yoyo:

It sounds like a great gig, but personally I'm not in it for the money.

Nick:

These people, I know people

Yoyo:

couldn't, you're all about

Nick:

the mission. Yo-Yo,

Yoyo:

I'm all about the mission, Nick. Wow. Crikey. So not only have we explained the problem, we've provided an example of the problem. We've then provided ways that people can double check if they have a problem. And then this is now about understanding how the overall process can be exploited. We have provided problem and solution in one podcast, Nick.

Nick:

We call that full service Yoyo.

Yoyo:

You charge extra for the full service, then Nick,

Nick:

not for you.

Yoyo:

Bless your cotton socks. Wow. What an interesting world you are in though, Nick, to be honest, this is phenomenal and it's just giving, you know, for all of our listeners who I'm sure have questions and I would say if you do have further questions, reach out to Nick Gicinto on LinkedIn.

Nick:

Thanks, yoyo. I think that while so many could look at this situation and say, well, this is something of, a rarity, this corporate espionage North Korean scheme, it could never affect me. And the reality is security leaders of companies who ignore these types of warnings ultimately they may fall victim or prey to this, or it may be something else. Because the way that we protect ourselves from things like these scams that we've been talking about by implementing some basic security procedures, could protect people from so many other things as well. So the use case may not be directly applicable, but the solution or the response may save somebody's bacon later on. So that's my parting words of wisdom here is whether or not you think the North Koreans or the Iranians may be targeting you or may have something of interest is really pretty inconsequential, isn't it?'cause at the end of the day, we've gotta do things to protect ourselves from just about every plausible threat. And in reality, it's mostly the same solutions that solve these problems.

Yoyo:

And the first step is to understanding the threat itself.

Nick:

Yes, ma'am.

Yoyo:

Thank you so much, Nick, for coming back to the Security Circle podcast. You are always welcome. You smashed it.

Nick:

Thanks, yoyo. I'll see you next time.