Resiliency in Cyber Security with Michael Quinn
Ep31 Michael Quinn
Jenn Quader (0:01)
Welcome to Resiliency, the podcast. Today's guest is an important one for everyone who uses the internet. He's an expert in cybersecurity who started his career at the FBI. As a supervisory special agent in the cyber division, he was responsible for some of the first ever indictments against state sponsored cyber attackers. Today, he's a senior incident responder with Cyber Reason, where he supports high level cybersecurity for major companies across the globe.
He's worked across criminal intrusion, search and seizure, and digital evidence examinations, all in support of resilience for companies and individuals seeking a secure digital environment. Now we all know in today's world, global cybercrime is increasing at an exponential rate. So we thought it was just the time to bring in the expert to help us become more resilient to this threat. Please welcome the brilliant Michael Quinn.
Michael Quinn (01:15)
Wow, that was very flattering. Thank you. And I do want to point out that somebody wrote that a while ago and said, gave me credit for this first indictments of Chinese. That is a huge team effort. That is not a me alone thing. It was a huge team effort at the FBI. Countless people, time, much credit goes out to all of the FBI offices that supported in that investigation. So hugely, hugely fortunate to have been a part of it, quite honestly.
Dr Kelly Culver (01:40)
And that's a leader speaking right there. Michael, I'm so excited for today's podcast. I can hardly wait. But we'll, it's just really cool. Super cool. And we start our podcast with the same question for everybody. So before we do a deep dive, let's start with what does resiliency mean to you?
Michael Quinn (01:46)
Thank you so much for having me. I'm very excited to be here too. Thank you.
Resiliency to me is really just about getting back up on your feet again. We're going to get knocked down, whether it's in the cyber world, life, wherever you are, there's always knockdowns. And if we can't get back up again, that's kind of part one for me, then we're missing out, right? But the other part of resiliency is being able to go back and look back at, what knocked you down? And what good came of that, right? If we can only look back at things and see them for negatives,
then you're missing out on the true lessons of life, which is I learned a lot from that. And being able to look back, not just get back up again, but be able to go back and look at those things and appreciate what I learned from those is truly what helps us become more resilient in my mind. whether it's like we all have mommy, daddy issues, we all have difficult bosses that we've worked with, we all have difficult times, car breakdown, whatever it is in life, being able to go back and just appreciate, you know, I.
of letting the car just kind of go with the engine light on a little bit longer, we're just going go ahead and take care of it so we don't have that problem again. You know, and that's just an analogy for the rest of life too. So, and now to me, that's what resiliency is.
Jenn Quader (03:04)
Brilliant. You're talking about the power of reflection, the power of looking back and being able, and then also the power of observation without judgment, the ability to look back and see what we did. And I think that lends itself to a person of your career. mean, look, you mentioned you worked with a team on the FBI who's taking down state-sponsored cyber criminals. Now you're working with all of this. That's a high-pressure, high-stakes environment at all times.
So when you talk about being able to reflect on your life, it also requires the ability to stay calm under pressure and to be curious, like infinitely curious. How do you do that? How did you cultivate that ability for yourself?
Michael Quinn (03:36)
Mm-hmm.
The calmness under pressure. I don't know that. I think a lot of us have been given certain gifts. I'm good at certain things. And then I have people in my life that I surround myself with who are very good at things I'm not good at. So I make sure that it's kind of that yid and yang, right? I can fill up this area, and they can fill up that area. And together, we can kind of complete the circle. So for me, to get to that area of being able to
pick myself up again, look back at those things. I think a lot of it came from just life experiences. know, grew up a military brat, we moved a lot. I probably had 14 moves under my belt by the time I went to college. So a lot of change, right? A lot of dealing with things there, getting into the FBI Academy, recognizing or having difficult jobs like, okay, you're now working at a bar as one of your three jobs while you're putting yourself through grad school, right? You're cleaning up some of the dirtiest things that you would ever imagine.
But I appreciated that time because guess what? It's dirty. You wash your hands. You're fine afterwards. So getting into the FBI, there were a lot of opportunities there where you get knocked down because, I guess I'm not the snowflake that I thought I was. Well, you're not. You're not the snowflake you think you are. You are a number that can be put into a hole that needs a number. OK, great. So what do I do with this? How do I make this spot for me the best it can be? So there were so many opportunities every day.
Again, I look back and I gratitude is a huge part of me, where I can look back and go, I'm so grateful for the opportunities where things got difficult because I've learned so much from that. So I think again, it's life experience as part of who you are. and that, you know, now I can take the opportunity to go, okay, great. Something bad happened. As my uncle used to say, you can stay in the problem or you can get into the solution. Well, that sums it up for me, right? Here's our problem. Things changed.
Well, I'm going to figure out how to get the next best thing that we thought we had that we just lost. So let's do it. So that's kind of how I've gotten there, just years and experience. That's it.
Jenn Quader (05:39)
I love the, sorry, Kelly. I was just gonna say I love the, I really resonate with the snowflake and I think a lot of our audience will as well because a lot of the, call it the younger generation and when I was in the younger generation, you really think that you need a certain lifestyle or a certain environment of comfort, but what you actually need is to be tested and tried. And so that's what I heard, yeah.
Dr Kelly Culver (05:39)
It's like...
Go ahead.
Michael Quinn (05:59)
Yes.
Yeah, yeah, I love being tested and tried to prove that I can do that thing that may have been difficult. And I think all of us benefit from that. I think if we're not tested, we're not tried, then we're never going to break out of our boundaries that we set with ourselves to get to that next level. I love being tested and tried. Is it difficult? Is it always comfortable? It's always difficult. Is it always comfortable? No. But you're so much better afterwards. So much.
Dr Kelly Culver (06:24)
And it's an and in those, you know, the descriptors that you've just used for me, I'm hearing it's one foot in front of the other one step ahead all the time. And in some ways, it's around endurance. So it's, you know, the endurance because you can still see the bigger goal at the end, you know, there's a sparkle at the end that you're walking towards path isn't straight, but you're going to get there.
Michael Quinn (06:47)
That is exactly what I try and teach my kids, right? Again, you can see the mountain in front of you, or you can see the path. That's 10 steps in front of you. Let's focus on that. Let's get through those next 10 steps. The rest of the mountain will get there. Just take time. Yeah.
Dr Kelly Culver (06:50)
Mm-hmm.
Yeah.
You've seen the, if we jump into this magnificent background that you have and experience that you have, you've seen the evolution of cyber threats firsthand. know, not a lot of people have. In your view today, what's the biggest risk people in organizations actually underestimate that could happen?
Michael Quinn (07:24)
I think, let me take what you said and kind of rephrase it. I think the biggest problem that people have is that they overestimate their capabilities and they've never truly tested that capability. So now what that does is when I overestimate my abilities, right? I then become comfortable in a place where I have no experience, but I believe I can do this thing because I told myself I can, right? It looks easy enough. I can do it.
But people aren't actually testing themselves, even at these organizations. What that does is it opens you up for attack. If we think we're good at something, but we're really not, we're missing a lot. So what this does is it gives opportunities for attackers to come in to a place where somebody has a little too much bravado, a little too much ego, to then gain access into a network and move unseen because somebody thought they would see it.
They thought they were good enough to do it. So in my experience, think a lot of trust, and it's not necessarily the IT person, the person who makes sure that the network, our computers, our networking tools, our hardware, our connections to the internet, those people make sure that things stay up and running. I'm not just saying it's them who overestimate their abilities, but it's the leadership who looks at those people and says, well, you're not just in charge of maintaining the structure here.
You're also in charge of securing it. But those people have never been trained in securing the structure. They have no experience in securing the structure. They know how to make sure that it's maintained, but providing security around it is not there. So for me, the biggest weakness nowadays is overconfidence in our own abilities and overconfidence in the people that we expect to do things who have never been trained to do that sort of thing.
Those are the biggest issues I see nowadays.
Dr Kelly Culver (09:18)
You know, I've been living in London, London, UK for the last couple of months. in Canada at the moment. But what you've just described for me is exactly what Marks and Spencer's &S has been, right? Or a crowd strike. So these are real examples in the last six months. And with &S, know, yes, cyber criminals came in, the website went down, you couldn't order online. Over Easter, it's only just getting back and they've arrested three people. Do you know what?
Michael Quinn (09:29)
? Yes
Dr Kelly Culver (09:45)
19, 21, and 22 all UK citizens behind this and holding them for ransom. It's unbelievable and they weren't ready.
Michael Quinn (09:49)
Mm-hmm.
Mm-hmm.
Yeah. And again, it takes constant training. And this is one of the things that I work with clients on is what we call a tabletop exercise, where we do a discussion based sit around table. We just discuss. And I say, hey, let me just put yourself in the shoes today. This is the morning of July 16th. And you just got an alert for this thing that happened. What do you do with this? Walk me through it. And we have them kind of walk us through this.
Jenn Quader (09:57)
No.
Michael Quinn (10:21)
My analogy for what we do is it's kind of like when we were in school and we did fire drills. OK, the bell goes off. We get in line. We walk calmly through the hallway. And our teacher leads us to where we're going outside, where we're supposed to meet up. What I want every company to be able to do is have that same analogy or that same idea for if we see an alert, is it an incident? How do we define an incident? What is an incident to our company? How do we know if we're there? Right?
And then we make sure that we walk that fine line until we get to a point where we can say, we understand what has happened and we know what we need to do next. So for me, it's just a fire drill. But oftentimes, fire drills are not conducted at organizations. So they don't know what to do in these cases. So as you guys said earlier, you said, you're in very difficult situations all the time. OK, true. But how do we get comfortable in those situations? It's muscle memory.
It's by practicing it over and over again. Right? So just like we did in school, it was by practicing that fire drill. So same thing for organizations. They have to practice responding to alerts and incidents. Right? Once they get there, they'll feel much more comfortable under fire because they know what's happening. They know what to expect. They know what they're going to do next. That's where the comfort comes in. You, you train yourself to become comfortable in your capabilities.
your awareness of the situation, your knowledge of what will happen, and that spreads to others, right?
Jenn Quader (11:50)
think that is so brilliant and it makes me, what it made me think as you were talking about this practice, this fire drill, but also just about the idea of testing is I've always heard people in the industry of IT and perhaps in the cyber crime or cyber industry as well referred to as scientists, data scientists. And it is a very scientific way to approach it, to say, hey, we need to test, we need to practice as opposed to that more emotional way, as you're saying, that leaders who are overconfident are like, yeah, we'll just deal with it when it comes.
that's not going to prepare us and that's not how a scientist works. So I think it's really wise.
Michael Quinn (12:25)
Yeah. Yeah. If we're not dealing with things in a, because it's a tried and true, right? If we just said, hey, the kids will figure it out when the fire happens, right? They'll figure it out. It'll be fine. We'll deal with it when it happens. The reality is you're going to lose a school full of children because of a fire, one that could have been easily avoidable potentially, right? So if we take that same idea and we say, hey, we're just going to figure it out as we go, I guarantee you're going to run into the same pitfalls that everyone else has fallen into who did not practice this.
prior to an incident happening. So you'll get through it, but you'll get through it making the same mistakes that everyone else has made that you could have learned from and avoided. And it may save you millions of dollars, brand damage from having to over-notify saying, hey, all of this data was stolen or accessed by an attacker, when in reality it wasn't. So there's so many pitfalls that people could fall into if they don't know what they're doing. So that's why oftentimes we get called in to help support those clients and get them through these incidents.
Dr Kelly Culver (13:23)
I love the analogy of the fire drill because it even speaks to, even if we learned, if I'm at company A and we learn how to do this, if I move to company B, I can't presume that what I learned at company A is relevant for company B. It's like children in a fire drill. So you may have a school where kids need to practice the fire drill and where do they run outside. So now let me take you to St. Lucia.
where they have the same fire drill but they have to run up the hill because the fire could be precipitated by an earthquake, which could be a tsunami, and they get wiped out if they went to the flat ground.
Michael Quinn (13:54)
100 % correct. I apologize, it looks like my video has frozen me. I don't know what to do to fix that.
Jenn Quader (13:59)
It's okay, you
don't have to worry because that's part of the platform, don't worry. It'll happen and it's still recording. The platform is called Riverside and so you should still be fine. Asaf, you can come in and tell us if that's correct.
Michael Quinn (14:08)
Okay.
Yeah.
Jenn Quader (14:12)
Did it kick him off? Okay, well we'll just wait for him to come back in. Okay, we can jump right back in, yeah.
Dr Kelly Culver (14:15)
Yeah, no problem.
Let's start with the next question.
Jenn Quader (14:19)
Easy peas. Easy peas. It's okay. It's all right. That's why we're, we're an editing podcast. It's easy. Yeah. Easy peas.
Michael Quinn (14:22)
Sorry about that.
Dr Kelly Culver (14:23)
It's okay, don't worry.
Michael Quinn (14:27)
Okay, fantastic, because I may just have to take the MacBook
off and just do that instead of using my monitors and camera. If it happens again, maybe we'll do that.
Jenn Quader (14:33)
Sure.
Dr Kelly Culver (14:35)
Okay.
Jenn Quader (14:35)
Absolutely. We'll crank through. Yeah, we're easy.
Dr Kelly Culver (14:37)
Yeah,
Michael Quinn (14:37)
Okay.
Dr Kelly Culver (14:38)
don't
worry about it.
So what question do you want us to jump to, Asif, specifically?
Jenn Quader (14:42)
Jump all the way to AI? Sure. That's great. I love that. Yeah, because we kind of hit the resilience in the digital world. hit the, really hit that separation from IT and security. Although we could probably dig into that a little bit more, but I think he got it.
Dr Kelly Culver (14:46)
Sure. Okay.
Okay, then let's start with Jenn with that question. Yeah, let's start there. Okay, are we ready?
Jenn Quader (14:59)
Yeah, we'll talk about the importance of I.C. and security and separating them. Yeah, that's great. Okay. What had we just been
saying, Asif? Asif, what were we just saying? What were we just saying as we got off? We were, okay, so we're going right into the next. Great, thank you. Okay, perfect.
Dr Kelly Culver (15:09)
We just wrapped up. Honestly. Yeah. Next question.
Michael Quinn (15:13)
Okay.
Jenn Quader (15:14)
Ready? Here we go. So Michael, one of the things you talked about and you have talked about in various places is the importance of separating IT from security. What's important about that? Why is that a critical shift and how do business leaders need to understand that change in order to make it stick?
Michael Quinn (15:33)
Yeah, fantastic question. It's one I love answering. And again, I love to use analogies. I think it helps people kind of understand things. And the one I used earlier is, we have building maintenance. Building maintenance makes sure that water is running, electricity is running. They make sure the elevators are running, stairs are safe, doors aren't locked. People can get in and out. And the analogy for that is, look, we have IT folks that make sure computers are up and running. They make sure that they
the network that transmitting data between computers that are firewalls that connect us to the internet are working and transmitting data carefully, that our virtual private network, which is kind of the way that employees gain access to our networks remotely, right? That those are secure and working, right? So we have our kind of building management folks. And as I said, oftentimes those folks are also tasked with securing the building as well. Now, I...
When you put these in terms of analogies, does it make sense to have your building management also have the added duty of conducting the security to the building, checking all the doors, making sure that people who are coming in are supposed to be there? Are they the ones handing out badges to people? Are they the ones ensuring that the employees get the proper badges and guests get different badges? What are we doing to validate guests coming into our office? So there's a lot of security that takes place when it comes to a building. Similarly,
right, that you would separate those in a physical building. I would separate those in my organization, right? So when it comes to computers, you've got your IT team that is managing computers, networks, you name it. But you also need a person who says to the IT team, what you're doing is great, but we have to change the method by which you're doing it to make sure that what we're doing is not just doing something, but it's doing something securely, right? So for example, our IT teams often have to open up
you know, for another lack of a better term, a back door to test accounts going in and out of our network, right? So they open that up. A security person, they want to clear that with a security person. The security person would say, well, how long is that account going to be open for? Who's creating it? Are we securing it? Are we limiting what that account can do once it's in our network, right? Because oftentimes what we find is just little things like, well, that account that we created as a test,
was left out there and nobody shut it down. Right? That's like taking the building keys and just leaving them out there on the front sidewalk right in front of the building. Right? So when an attacker comes in and they'll take a look around, do we see any keys to get into the building? Boom, there's one over by the bushes. You left it there and I'm just going to unlock the door and walk right in. Right? So IT will do things to make sure things work. Security teams make sure that what IT is doing
Jenn Quader (17:52)
Yes.
Michael Quinn (18:17)
is done securely. Same thing if you think about different things. Like we may have people creating applications in our environment, maybe apps that we use in our company. Well, are they creating an app that connects to the internet? Well, how is that data coming in? Could somebody exploit that connection into our network? So we have to make sure that our developers are developing things in a method that is secure. So there are so many different aspects of ways to secure, monitor,
and really make sure that our network isn't just secure at the perimeter, but we also assume bad guys are always in our network. I do at least. And we have to have a security team looking around for those bad guys constantly. Even though we think our gate surrounding our environment is strong and secure, you have to operate under the idea that somebody is always in our environment. If you don't, you once again are placing too much confidence on that gate and you are failing.
to accept the reality that somebody could exploit a vulnerability, find a new vulnerability, a new way into your building, that happens all the time. And last thing I'll say, we often have people who monitor all of our computers in the environment, whether it's a server, a virtual machine, our laptops. We want to make sure that the people monitoring those devices, use another analogy here.
If you have a brand new police officer out of the academy, can have them, you could give them pictures of the top 10 most wanted people. And they will look for those top 10 most wanted people. will look at all the scandal, the faces around them. Does anybody look like these people? Right? This is what antivirus does. Right? It just looks for what we know is bad. But what it doesn't do is look for the behavior patterns of somebody doing something bad.
So it's only looking for the things that we know are bad. So it's looking for convicted criminals who have already robbed a bank, for example. But what about a person who's never committed a crime but is about to? What if a seasoned police officer might see somebody hanging outside of a bank for weeks on end, just figuring out what's going on? now all of sudden they show up, and they're showing up at a convenient time where money is being taken from the bank and sent somewhere else. All right, now they're following that truck. What's going on here?
So a seasoned police officer or an investigator sees the behavior patterns of something that's unusual. More so, which is more important to me, than just finding something that we already know is bad. So again, you've got to have different tools that do different things, and the security team does that. The management team, the property management team, they don't do that. So very different positions. Oftentimes they are butting heads at odds with each other.
but you need both to make sure that the company's network is up and running and secure. So I know it's a long-winded answer. I hope that helps.
Jenn Quader (21:09)
No, it's a fresh perspective and it's an important perspective, especially for business owners, because, you know, as a business owner myself, I've always just thought I had to have an IT person. You know, you don't think about and I think it's important for those who are listening to Resiliency to Podcast today to know when we talked about exponential increase. Actually, Michael, can you tell us, have you seen an increase in cybercrime in the last 10 years?
Michael Quinn (21:31)
Yeah, yeah, a little bit. So, you know, over the last 20 years, it has changed a lot. So I'll focus on the last 20, but or the last 10, but the last 20, I mean, it was a lot of like worms that got out there. Worm is a tool, you know, a piece of malware that kind of finds its way around a network. It installs itself on other computers. But, you know, 20 years ago, the internet wasn't what it is now. You know, it was about seven years ago. Well, actually about, you know, 11 years ago, 10 years ago.
I don't know. Take that back. About 12 years ago, ransomware started to become a thing, maybe 13 years ago. But it wasn't what it is now. Even that has changed over the years. But if you all recall, you may or may not, gosh, it had to be at least five years ago, WannaCry. WannaCry was a nation-state attack from Russia against Ukraine, where they put malware that spread. The malware was used on, I think, an accounting application in Ukraine. It infected computers, and it exploited a vulnerability in Windows.
Dr Kelly Culver (22:25)
Mm-hmm.
Michael Quinn (22:29)
that allowed it to spread to any Windows machine that wasn't updated. It spread across the world and encrypted computers across the world in about a day. It was a huge problem. So yeah, that has changed. Now what we see right now, the two most common types of attacks that we see now are ransomware and business email compromises. So ransomware now, somebody will get access to your network. They will walk in. They'll do a little reconnaissance.
If you use the idea of an attacker getting access into your home, they might sneak in through the back window that was unlocked. They do a little reconnaissance, meaning they're opening up bedroom doors, they're going through drawers, they're looking for your valuables. And then once they find those, they steal those and they put a new padlock on your front door so you can't get in. So essentially what these attackers are doing, they get into your network, they find the most critical information. Usually it's financial information, could be information about employee-sensitive data.
that is that a lot of government organizations require notifications about. So they look for things that they know will make these companies uncomfortable. They steal that data and they encrypt the data too, right? In the hopes that the victim company doesn't have a good backup of their data, which unfortunately many don't. So they need to purchase a decryption key from the attackers. And if you you're also not just purchasing a decryption key,
You're purchasing the trust that they will delete the data they've stolen from you and not dump it on what we refer to as their shaming website. They will dump all of the data they've stolen from you on a website and post the company's name to shame them into paying them. If you don't pay them, they will do that. So that's what ransomware has become. Email compromises on the other hand, are attackers getting access to somebody's email inbox in an organization?
They use that access to hide in plain sight. Typically, it's somebody in finance. And in that email, they're searching for terms like invoice, wire, ACH, payment. Why do they search for those terms? Because they're looking for invoices where somebody either owes them that company money or the company owes another company money. So what do they do then? Well, they get into that email chain. They pretend to be the person that they have compromised.
And they communicate with the other party to say, Hey, that money you owed us, we've got a new bank account. Don't send it there. Send it here instead. Right. So we're seeing millions upon millions of dollars misdirected all because somebody got access to email. Oftentimes people say, somebody got into my email. It's no big deal. it's a huge deal. And have you looked to see what they've done once they got that access. Right. So those are two of the biggest things that we see now. Those have been around for quite some time.
The methods that attackers use changes over time, but those make so much money that attackers have kind of stuck with those two things for now because they work, right? And until our security gets better, people stop falling for certain things. I expect we're going to see this for a long time. How they go about it will change, though. That will change.
Dr Kelly Culver (25:35)
All right, so if we're not all nervous now, let me ask you, right? Okay. You know, what's the next shoe to drop? that's probably AI. So let me ask you about AI. And how's that now changing the game for both attackers and defenders? You know, what? What are your thoughts?
Jenn Quader (25:40)
you
Michael Quinn (25:50)
Yeah. Yeah. ?
Fantastic question. I believe, I don't know because I'm not working with the attackers, but my expectation is we're already there in many ways. For example, you've probably heard the term a phishing email. It's the email an attacker sends to trick somebody into handing over their credentials to their email account. Those phishing emails used to be brutally obvious.
And still people would fall for them. it's, I'm not judging them, but to me, after seeing them for so many years, they would use words like kindly, like kindly return the response. Well, nobody in America really speaks that way. So to me, it always stuck out as, well, there's your attacker. Just search for the term kindly. That's it. but the emails that these attackers would draft were broken English. They were just in my mind, not something in native American.
English speaking person would ever write out. we'd always find flaws with them. Terrible misspellings, you name it. Now those emails are very well written. And I don't think that their English has gotten better. I think that AI is being used to draft all of these phishing emails for them. So those phishing emails are becoming, fantastic, tools to hook the poor victim. I don't know if you guys use AI. I love using it all the time.
It will help you draft things out. It's just wonderful. And I will often ask questions of the AI to say, well, how do ransomware attackers get into an environment? It will just tell you how it's done. So if I can find it and use it as a good guy, what do you think the bad guys are doing? So it's an opportunity to learn very quickly using AI to learn. In time, AI will change and become much more useful to attackers.
I don't think we're quite there yet, but very soon, if not already, we're going to see AI find vulnerabilities in applications and devices that we use in our networks that we're not aware of. So those are what's known as zero days. It's a zero day exploit. It's the very first time it's used. We didn't know anything about it. So those zero days, I fully expect AI will identify in the future.
Now that's scary. The other side of that though, is that that same AI can be used by companies who own those devices, own those applications to help them find those vulnerabilities and fix them before something bad happens. Right? So I don't think it's all doom and gloom. It's not. But I do think that if we're not leveraging AI to help us find these vulnerabilities more quickly.
If we're not then fixing our vulnerabilities quickly, if we're not doing a review to understand if those vulnerabilities were already exploited in some way, then we make a mistake, right? So I think it can be, it's not all doom and gloom, it's not all scary. It benefits both sides quite a bit actually.
Jenn Quader (28:46)
That's really interesting to me. And I see that both sides can use it. I want to dig into one thing that really I just overheard recently with someone. And I want to kind of ask you about it before we go on and talk a little more about AI. But it was being explained to me that kind of the three broad categories of AI. So the generative AI that we know as large language models. Then there's quantum computing, which I had not been as familiar with. I'm much more familiar with the large language models. And then the third bucket that was explained to me was robotics.
Michael Quinn (29:07)
Mm-hmm.
Jenn Quader (29:15)
And the way it was explained to me was that AI or generative AI at the large language model is kind of flat or 2D. That it's repetitive and it can test everything. when you get into quantum computing, the way it was explained to me is it becomes almost 3D.
Michael Quinn (29:30)
quantum computing.
Jenn Quader (29:36)
packets can get encrypted much faster. And again, it was being explained to me as kind of a global security concern that countries that had packets of information that are old could now go back and revisit that. Could you speak to the difference between generative AI, quantum computing and robotics and what impact you think that could have?
Michael Quinn (29:54)
Yeah. So I will try and do my best about quantum computing. It's not an area that I have a ton of experience in. I'm familiar with the idea of it, but I think the example you laid out there is really well done, right? The large language models, they feed them a bunch of data. They weight that data in certain ways such that we get the answers that we get. Is it really artificial intelligence? I think it's a great name for what we have right now. But when I think about artificial intelligence,
Right. think we're really beginning to get to what we are. Well, you'll hear referred to as AGI, artificial general intelligence, which is it is out there is looking at things. is learning and it's able to observe and give answers to things and think about better ways of doing things right now. You can ask it questions and it will spit out the answer. What we will be getting to is something that will observe something. Think of a better way of doing it. And then when you get the robotic side of it, which was, we'll be implementing that.
Right? So the quantum computing, right? I think the analogy of large language models as being 2D, beautiful. With quantum computing being 3D, that makes sense to me. Again, not having any experience in that field, just having listened to a few things about it, it will drastically change the way that we encrypt data, the way that we protect certain things. Right?
So it's drastically going to change that. The speeds that our computers will be able to hit in the future will be unbelievable. With that being said, I still think it's a number of years off. I think there's a good opportunity to get to artificial general intelligence before we get to real quantum computing, especially at a mass market scale. And then when you bring in robotics, you look at some of what we have right now. There are definitely robots at Amazon.
You've got Teslas that are literally driving themselves around. Those are just four-wheeled robots. You've got vacuum cleaners that have been cleaning up our homes for years. I just went to a Smashburger, gave them my order, sat down, and a robot delivered my food to my table. Yes. Like, yes. And it had a little fun little face on it, and it smiled. It was a lot of fun. Now my kids have asked to go back there just because of that robot.
Jenn Quader (31:53)
Nuh-uh! my word! We're there! It happened!
Michael Quinn (32:04)
But again, I just think we're going to see is an unbelievable exponential pace. And as humans, it's so hard to understand what exponential means. We can think of linear things. I'm doubling this. I'm doing it twice as fast. But imagine doing it twice as fast today and eight times faster tomorrow and 16 times what we did the prior day. Exponential is going to blow our minds. And I do expect that we'll see that within our lifetime for sure.
Jenn Quader (32:26)
feel that, especially when you tell me a robot's already bringing smash burgers out, I'm like, we're there. But it's interesting because when I thought of it, frankly, I thought of that television show, I don't know if you guys saw it, but the television show Westworld, they've essentially, yeah, they've essentially created robots and I thought, man, that's what you're headed toward. So I think using that Westworld, I would say maybe we're in the wild west of AI and AGI and those things that are coming. And so I kind of have to ask as a business owner, and you spoke a little to this in the positive, but.
Michael Quinn (32:39)
yes.
Jenn Quader (32:55)
I think if I'm a leader and I'm saying, look, this whole security thing seems like just a little, like a security blanket. Can we really stop a cyber attack? If a company has been targeted, can they actually stop it in this wild west environment?
Michael Quinn (33:09)
I never assume that we can stop a cyber attack. Any criminal who is devoted to getting access in your environment will do so. Why is it impossible to, to, to prevent every attempt to get into our network? Well, devices and applications, we often find new vulnerabilities in them that we weren't aware of when we created them. Those will get exploited. That's one thing, right? To me, the biggest problem.
isn't necessarily the tools, the devices, the applications. It's us. It's the human factor. We are the ones who let the bad guys in. security can only do so much. So the way I think about things is we can secure our network super easy. We're going to cut off access to the internet. There, we're secure. But it also prevents you from doing business in today's world.
Right? So it's that balance of, security is great. We've cut off access to the internet. Nobody can get anything done down here. Right? But the balance has to shift, right? Such that security has to come down and it allows people to do that work. Right? So then we can give people more ability to do work. You know, but again, the security folks will always want to shift the balances to raise security and lower people's ability to get access to the tools they want, get access to the applications, get access to the websites they want.
They're always going to do that because they know that those things invite not just bad actors, but it invites an opportunity for the human to make an error and let somebody in. So you'll never block it. You'll never block everything, which is why I always go back to assume somebody's always in your network because you have people working there.
Dr Kelly Culver (34:46)
Yeah.
Jenn Quader (34:46)
I'm thrilled by that answer. I'm really,
Michael Quinn (34:48)
Okay.
Jenn Quader (34:48)
truly
thrilled because what I see in that is a concept that Dr. Kelly and I talk about a lot here on Resiliency, the podcast, is communal resilience. And you actually spoke to it right in the very beginning when I read that credit with regard to the FBI and you said that's a big team effort.
Michael Quinn (34:59)
you
Jenn Quader (35:06)
And you spoke to it later when you said, hey, when you're a company owner and you separate your IT and your security, they're gonna be checks and balances for each other. And so what I'm hearing in what you're saying, Michael, is no, cannot, we cannot fend off an attack. Attacks are going to happen. The cybercrime is here and it's going to happen, but we can work together and hire the right people and ask the right questions and not have overconfidence to actually move forward. with...
Michael Quinn (35:29)
Yes. Yeah.
Jenn Quader (35:32)
Well, any comments on that before I ask one more question on
Michael Quinn (35:35)
Yeah, I will say this is why it's so critical for folks to, once you come to the realization you cannot stop it, well, what's the next thing you need to do? The next thing you need to do is, again, as we talked about earlier, well, how do I react to that? How do I get comfortable in the space that somebody's in there? And it's by practicing. It's getting that muscle memory. The first time I really heard that term muscle memory was when I was in the FBI. And they asked me, have you ever shot a gun before? Right when I got to the Academy, know,
you what hand do you shoot with? And I was like, I've never touched a gun. I don't know anything about guns. And then what hand do you shoot with? And I was like, I don't know. I'm right left handed, but I do a lot of things right handed. And they said, well, you're left handed now. So, okay. So I became a left handed shooter. Now, where we get into the muscle memory is they don't hand you a gun on day one. They hand you a holster in a piece of blue plastic that is shaped like a gun, right? So you wear that with you every day. And then when you go to firearms practice, you constantly are practicing with
you know, pulling your jacket back, getting your hand down there, grabbing the gun securely, fingers are off the trigger, you point it down range, right? You're locking out your elbows, your wrists are strong, one hand is grabbing, the other one is focusing it. Like, and we did it so many times that it became muscle memory. I haven't worn a holster or a gun, probably in 12 years, but I guarantee if I put it on, it's, it's, the analogy is riding a bike. I guarantee I could do it again.
That's the muscle memory. And I want that same muscle memory for CEOs, CFOs, the chief risk officer, the general counsel. I want that same muscle memory for them. Because the only way you get comfortable in it is by practicing it and getting that muscle memory. That's it.
Jenn Quader (37:12)
I it. I believe it in every way. I can relate it to like playing the piano. It's a muscle memory thing. And once you know what you can do, it really works. I think it speaks to those fire drills, because you're putting people in that position. Now, we've talked a lot about the threats. We've talked a lot about the fact that crime will happen and attacks will happen.
Michael Quinn (37:31)
Yeah.
Jenn Quader (37:32)
If there are individuals out there listening, because we speak here at Resiliency, the podcast to change makers and to entrepreneurs and leaders and also just individuals, anybody who's looking for resilience, and if they're feeling overwhelmed, which that can happen, what are some actionable things that just any individual listening today could do to help themself take a step toward better security and feel more safe?
Michael Quinn (37:44)
Mm-hmm. Yeah.
Great question. And just real quick, go back to what you said earlier. Playing the piano is a great analogy and far less violent than pulling a firearm. So excellent analogy. Yeah. I was a failure at piano, so I love it. With that being said,
Jenn Quader (38:05)
cooler like I could see you like practicing and the holster super cool so I please don't don't remove that cuz that's killer
Michael Quinn (38:16)
With that being said, there are very simple things that anybody can do that cost literally nothing, right? Especially for folks that are in small to medium businesses. Those folks I often see getting affected the worse because they don't have the ability to hire a security team, right? The large organizations, right? They've got the money for security. So they're not going to get hit all the time or as badly.
But our small to medium businesses are really the ones who take the brunt of the attacks. So what can they do? Immediately, the first thing that they can do is simply take an inventory, get a sheet of paper, get a pencil, and let's list out every computer that we have. Let's list out what the function of that machine is. There are different types of servers. Is it something that's storing data like a file server?
is it a much more critical device like a domain controller? A domain controller is a machine that stacks user IDs and passwords and makes sure that we can log in. So anytime you log in on your computer and you're logging into your corporate computer, it's going to go check into the domain controller, make sure your credentials are correct. It then sends back, yeah, that's correct. You can come on in. So that domain controller is critical. Well, if somebody got access to that, would that be important?
Well, yes, because the user ID and password for every one of our users is on that device. And if those are stolen, well, then an attacker can go anywhere on any computer in our network. So simply just taking down a list of what machines we have, what their use is, and a few details about like, what is the operating system? Is it running Windows XP or Windows 7? Are those even up to date?
The reality is no, but we see those operating systems in companies to this day, right? And there's reasons for it. So I'm not judging them, but there are reasons for it sometimes. Other times it's just because, yeah, we knew that machine was there. We wanted to upgrade it. Getting a list like this simply tells you very quickly, here's where I can focus some of my attention on fixing things and increasing my security posture. It's not expensive, doesn't cost anything, but a little bit of time, which I know is expensive to some folks.
They may not have the time to do it, if you don't have the time to do it, the next best thing you can do is recognize that you don't have time to do it, recognize that this is important, and then recognize that you can hire somebody to do much of this for you. So, and this is what I suggest for a lot of people is know what your capabilities are without overestimating, right? Know what you're capable of doing.
know what you have resources for. Can we do this? If you can, great. But do you have enough people and machines to get it done? Well, if you don't, then you need help. And if those things happen, get help. So I always recommend, folks, just make a list. Let's start there. Make it super easy. Well, make a list doesn't cost you anything. And then if we see things that need to be adjusted or addressed, we can do that. And we update our list. Other things, just simple things like
I know people have heard the term multi-factor authentication. For those that aren't aware, we have a user ID to access just about any account that we have on the internet. We are typically given the option to enable MFA or multi-factor authentication. And that's simply the code that gets sent to your cell phone typically. And you take that code and you enter it in when you log in. And now you're more secure. Well, why is that more secure? Because they're not going to let you in until you put the code in. Well, that code was sent to your phone. Nobody else has your phone number.
So that's that second factor of authentication. It's not just your user ID and password. It's that along with a code. Enable that on everything. I've got it on my Amazon account. I've got it on my Starbucks account. Why? Because my Starbucks account was hacked and somebody bought $1,000 in gift cards. Right? Yes. Yes.
Dr Kelly Culver (42:13)
That's not funny. That's not funny. I'm laughing, but that's not funny.
Jenn Quader (42:15)
That's not, that's crazy. But seriously, you would never think to
protect your Starbucks account. That's insane. It's crazy, but wonderful. mean, truly.
Michael Quinn (42:22)
Yes, yes,
yeah, absolutely. I mean, you've probably seen people get email scams saying, hey, I'm so and so that somebody that you know, go out and buy $500 in Amazon gift cards and send them to me, right?
Jenn Quader (42:34)
We had
that happen at our company. They posed as me and they asked several members of our team to go out and they really trick you, just for our audience who hasn't had this happen. Boy, do they trick you, because they send it and they kind of like matched my language pattern and they were like, and they made it very urgent, like, hey, I need this really quick. And it almost got us, it almost tricked that person.
Michael Quinn (42:53)
And it's that urgency need associated with the email that gets a lot of people tricked every time. So slow down is my other recommendation to folks. If you get something that says it's urgent, is it? And then never purchase something like that or change invoicing information, i.e. don't update a bank account where you're sending money.
And this goes in your personal life as well, because I've seen brokers, I forget what the word, real estate brokers, I've seen their email accounts get hacked. And what do they tell their home buyers to do? Well, don't send the money there. I've got a new bank account. We have to send it somewhere else. So hundreds of thousands of down payment is sent to the wrong bank, and a attacker has now stolen it. And this homeowner is out hundreds of thousands of dollars. So it's not just the.
you know, purchasing Amazon gift cards. It's, you know, it could be a massive personal loss. And with organizations, it's much the same thing. So if anybody ever asks you via email to change or update a payment information, do not do it. You only call somebody you've already established relationships with. You speak to them, make sure that you know that voice or you got on a team's call, a zoom call, whatever it might be, and you face to face with them.
AI will get to a point where that will make that very difficult. It already has happened once. But for the most part, we can do these things now that we can build some trust around. But again, if anybody ever asks you to change bank account information, you stop. Stop what you're doing. Take a breath. Think about what's happening. And then communicate with somebody outside of that chain of communication and confirm that that's what's happening and what's needed. So those are just a few things.
Jenn Quader (44:34)
Brilliant. No, it's
brilliant. I love that you say slow down and I love that you mentioned the urgency. There's a leadership program that I attended and one of my favorite takeaways from that program was a good leader is not captured by urgency. And I think what I'm hearing is a good cyber person is not captured by urgency because the urgency is the fast that we go. We actually did have a client who went through something where the threat, the...
What do you guys call them? Bad actors. The bad actor had created an email address and just one letter was off. So it looked like their name, but just one little letter was off and they didn't notice it. And exactly that happened. So I think that the slow down, the not being captured by urgency and then getting outside of that chain, as you said, calling someone, you being able to know what to do. I think that's really, really useful. Well.
Michael Quinn (45:03)
Yes.
Jenn Quader (45:24)
With that, we are about to move into the most fun part of Resiliency, the podcast, which is the rapid fire questions. But I do want to ask Michael, is there anything we haven't asked you that you want to make sure the audience hears before we dive into rapid fires with Dr. Kelly?
Michael Quinn (45:37)
No, I'm very excited about Rapid Fire. There's nothing else I wanted to add. I'm just grateful, like I said, to be here and for the opportunity. So let's go.
Jenn Quader (45:44)
Love it.
Rapid Fire, dot with Dr. Kelly.
Dr Kelly Culver (45:46)
Okay.
Michael, what's your favorite movie or TV show that makes you feel resilient?
Michael Quinn (45:54)
Ooh, me feel resilient. I was going to go with Dumb and Dumber. But I that that is a no, that is a that is a correct answer. What is so there was a Tim Robbins was in the movie where he got out of jail. He was in jail. He had to fight to get out of it. Shawshank Redemption. Love, love that movie. Yes. And I think that's a great resiliency movie. ? Yeah, phenomenal. So I love that movie.
Dr Kelly Culver (45:57)
No! Wrong! Wrong! Wrong!
Jenn Quader (46:00)
She said wrong! Dr. Kelly.
Dr Kelly Culver (46:02)
Pause,
slow down.
Jenn Quader (46:11)
Yes! Great movie!
Great movie.
Michael Quinn (46:20)
I've always said that's tied for my favorite with Dumb and Dumber. I know that's a very weird combination, but welcome to part of what happens in here.
Jenn Quader (46:28)
I love it.
Dr Kelly Culver (46:29)
Internal
and external voices, they have different themes. ?
Michael Quinn (46:31)
Yes. Yes.
You'll always get honesty.
Jenn Quader (46:36)
That's what we like.
Dr Kelly Culver (46:36)
Okay,
so let's do the same thing, but let's do it with music. What's your favorite song that makes you feel resilient?
Michael Quinn (46:44)
I was very much into electronic music, still am. There is a song by Daft Punk around the world that I heard many, years ago, probably 25, 30 years ago, something like that now. And to this day, I still love that song. It just gets me moving, gets me excited. Have loved them ever since. More recently, geez, I don't know. I am a big podcast person now, so I don't listen to as much music. But my kids, I will tell my kids that I'm a Swiftie because it makes them happy.
Jenn Quader (47:10)
Yes. You are the best dad. You're the best dad. you're a Swifty dad, you're the best dad.
Dr Kelly Culver (47:12)
Yeah. Yeah.
Michael Quinn (47:13)
Yes, yes,
yes. went to, don't, I Meghan Trainor, I went to the Meghan Trainor concert not too long ago with my daughter. We were all about that bass.
Jenn Quader (47:23)
I love Beg
and Train her all about that bass.
Dr Kelly Culver (47:26)
you're getting the gold star today, Michael. What's the last thing that made you laugh out loud really hard?
Michael Quinn (47:28)
Excellent.
I think this conversation, this is
Dr Kelly Culver (47:38)
Okay, okay.
Michael Quinn (47:39)
I think anytime I open up and I'm honest with people, it's always kind of shocking. So yes, other than that, it was probably some time at the gym this morning with some friends at the gym and just being dumb as I typically am. Yes.
Dr Kelly Culver (47:51)
Okay, slightly more serious. What's a question that you would like to leave for a future guest?
Michael Quinn (47:58)
our future guest.
What have you done to try and get it not just necessarily in the cyber world, because that's where my head lives, but what have you done to put yourself in the uncomfortable situation and get comfortable there?
Jenn Quader (48:14)
Great question! Yes!
Dr Kelly Culver (48:15)
Yes, living with
the uncomfortable. That's really good.
Jenn Quader (48:20)
That is a resilient question. Thank you, Michael. Now with that, I will ask you a question that was left by a former guest, and that is, what is one book that has helped you become who you are today?
Michael Quinn (48:20)
Excellent.
Dr Kelly Culver (48:22)
Mm-hmm. Mm-hmm.
Michael Quinn (48:27)
Excellent.
I, uh, gonna have to own up to not being a reader. I, I.
Jenn Quader (48:36)
Okay, again, you have or one podcast, what's
one podcast that has helped you become a better who you are today?
Dr Kelly Culver (48:39)
podcast.
Michael Quinn (48:43)
you know, I have listened to quite a few books, but the ones that I have really enjoyed lately, I'm probably a little late to both of them. but was the, biography on Steve jobs and the biography on Elon Musk. know that people have very strong opinions about Elon Musk. I have found both of those biographies to be great examples of people who were incredibly resilient, who probably upset a lot of people along the way.
Dr Kelly Culver (48:53)
Mm-hmm.
Michael Quinn (49:08)
But the things that they have done, I think, changed humanity for the better. And those are things, look, that's great they did all those things, but they also have to live with the fact knowing that they've upset a lot of people, bothered a lot of people. And that's probably not easy either. They may not have ever looked like they cared, but I can almost guarantee there was something in there that affected them. I have thoroughly enjoyed just listening to what those folks had been through to get to where they are or were.
and just see those folks as just incredible. There's a lot of great things that you can take from there to model yourself after. So I love those too.
Jenn Quader (49:42)
It's a great answer.
It's a great answer and it just speaks to who you are from the beginning of this conversation. Kelly said it best. She said those are the words of a leader and you are an inspiring leader and I think you've given our audience a lot to think about and chew on today about how to be more resilient. So with that, if they would like to reach out to you in any way, do you have any social media or anything that you'd like to share if people would like to follow you?
Michael Quinn (50:04)
Yeah, they're welcome to. I don't really don't do a lot of social media. They're welcome to follow me on LinkedIn. They'll find me at Michael Quinn. You can find me at Cyber Reason. That's where I currently work. And a number of my former colleagues from the FBI, Secret Service, Homeland Security, we're all here now. This is what we do day in and day out to help companies not just get through the bad times, but also help them plan for the bad times, help them understand where things could go wrong before they actually go wrong.
So if anybody ever wants to talk to us, they can find us on LinkedIn. Happy to field any questions they might have and help them out.
Jenn Quader (50:36)
Fabulous. Thank you. And just for our guests that is cyber reason C Y B E R R E A S O N Please check them out. Did I do it right?
Michael Quinn (50:43)
1R, C-Y-B-E-R,
E-A-S-O-N.
Jenn Quader (50:47)
Do it again. So for those who are
listening, that is Cyber Reason with one R, it's C-Y-B-E-R-E-A-S-O-N. Give them a look and you can learn more about Michael Quinn. In the meantime, we want to say thank you. Thank you for being with us on this beautiful, resilient journey. You can find me, Jenn Quader, online at jennquader on all the socials or on my company, the smartagency.com.
Our wonderful illustrious host, Dr. Kelly Culver. You can find her at theculvergroup.ca. That's dot CA because she is in Canada. And then also you can find her on LinkedIn and Instagram, Dr. Kelly Culver. And guys, thank you again for the, if resilience is something that you're interested in and you're listening, please give us a like wherever you're listening to us or subscribe on our YouTube channel. Resiliency, the podcast is the place for stories, strategies.
that will help you to overcome challenges and embrace change and really redefine resilience in today's ever evolving world. We thank you for being here with us. We look forward to you tuning in again. And until then, be resilient, be strong, get uncomfortable and learn to get comfortable in it. And we will see you back here next time. Thank you again.
