What Happens When an Iranian APT Targets You Personally | Amanda King

Amanda King (00:00) So our media relations leader, he, he called me he goes, are you sitting down? And I was like, no, but I can be. And he tells me, he I just got off with the Associated Press and

there is an Iranian cyber terrorist group that is targeting you. And I was like, I’m now going to sit down. Thanks.

Joe Patti (00:18) Yeah.

Welcome to the Security Cocktail Hour. I’m Joe Patti

Adam Roth (00:23) I’m Adam Roth.

Amanda King (00:25) I’m Amanda King.

Joe Patti (00:25) Adam?

Yes, we have Amanda King, who is reminding us what day we’re recording on. It is, it is Pi Day. There we go.

Amanda King (00:31) Bye.

Yes, go enjoy some banana cream pie today.

Joe Patti (00:38) that’s right. See, now I got to go out and get some.

But we’re actually not here to talk about mathematics. At least I don’t think so. We’re probably not going to get into anything that heavy. We’re talking about security and cyber. And this is a morning edition we call a hangover edition. So we have our official mugs, our coffee mugs, which is always fun. Amanda’s got the special edition. Awesome.

Adam Roth (01:00) look at that one!

Amanda King (01:01) think I have the best one of the bunch. I just have to say that is

special edition. Only the elite get this one.

Joe Patti (01:07) Thanks. All right.

we got a lot to talk about. We’re going to get a little more down to earth to start,

Amanda King (01:11) Mm-hmm.

Joe Patti (01:13) Everyone has heard of APTs and being targeted. And especially these days with what’s going on in the world, we’re hearing more and more about cyber attacks.

Amanda King (01:23) Yeah.

Joe Patti (01:25) Amanda, you’ve got a story to tell us about it that’s really interesting.

Amanda King (01:28) I do, yeah.

Adam Roth (01:29) I think we should jump in first. For those who don’t know, an APT is an Advanced Persistent Threat. And basically that’s the way they code nation states, the states that attack people. And some different companies, have numbers for them. Some of have names. I if I was an APT, I would be like a Pretentious Panda So something like that.

Joe Patti (01:52) Yeah.

Amanda King (01:54) I love the names though. I mean, I will say like if they get credit for anything, some of them have very interesting names. So the particular one that the targeted me is the Charming Kittens And I will tell you there is nothing charming about these kittens in my view.

Joe Patti (02:07) They’re a nasty one too, from what I understand.

Amanda King (02:10) They are, they are.

And it was, I thought it was timely because of everything that’s going on around the world right now, particularly with Iran. And so, you know, these kinds of threats are really increasing. And so I thought it would be good to just kind of share my story. And I really wanted to focus on why it’s important that we think about the mediums that we’re using to send information and our personal mediums, you know, your Gmail’s, your Yahoo’s, your, does anyone still use like AOL or, you know, whatever.

Adam Roth (02:39) They do.

Joe Patti (02:40) I thought they went out of business or something. yeah.

Amanda King (02:40) Okay, so like

Adam Roth (02:42) No, they still have it.

Amanda King (02:43) I think there’s

a few emails out there for them still. I mean, you want to be really careful with what you send. So let’s go back in time. We’re going to go back to 2018. And I was working at a very large company. And I had a cool title. It was actually one of the best jobs I’ve ever had in my life. It was so much fun. senior director of breakthrough technology and innovation. And so it was a cool, it was a great job. Yeah, it was so much fun. And so we were on like the leading edge and even bleeding edge of a lot of really cool things.

Joe Patti (03:06) that’s fantastic. That’s…

Amanda King (03:13) Well, there are other people in the world who find innovation by large American companies interesting. And my title, I think, happened to be interesting. I personally am very uninteresting, which I’m sure they found out when they dug through my life. But there was a list of 77 specific people who were targeted. And I happened to make that list. to this day, I just have no…

no idea how I made this list. was like 77 people.

Joe Patti (03:44) Was Amanda, was this in your company or was it just everywhere? really, is that right?

Amanda King (03:47) No, this was globally were, yeah,

these were like major political players. These were like people with like very strong nuclear backgrounds. mean, people who like legitimately were very interesting. And then me, here I was.

Joe Patti (04:04) I

think I think you are that is that on your resume because I’d be at the top of my resume that Charming Kitten came after me. I was that important

Amanda King (04:10) Maybe I’ll revamp my resume and add that to the top. Charming kittens love

me.

Adam Roth (04:17) I’m gonna do that Joe.

I’m gonna put that on my resume. APT minus four, Persistent Panda or I don’t know, something like that.

Amanda King (04:26) There you go. I love it. I love it. But you have to have a little snuggly panda like logo with it. anyway, so these guys, it was really fascinating the whole process because they were targeting these folks who they believed may have something to do with some technology that they were interested in. And I had just gone through a few months earlier media training with my company. And so I was doing these sort of like industry periodical things.

Joe Patti (04:27) Yeah.

Amanda King (04:54) and interviews and so that the Associated Press called me and I was in DC at the time. And I thought my first thought, this is so stupid, but I was like, Ooh, I have like hot stuff. Like I got the Associated Press calling me now. They must’ve heard that I’m really good at interviews. Now, mind you, I’ve been doing like aviation journal magazines, which are awesome for aviation geeks, but the rest of the world’s not as like, know, hyped up about that. but as, a, you know,

Adam Roth (05:11) You

Joe Patti (05:17) Yeah.

Amanda King (05:22) good media trained employee. was like, you’re going to have to talk to our media relations folks. And so I blew this guy off. He’s like, no, I think you really want to talk to me. And I’m like, no, no, you have to go through our channels. So I punt him off. He calls me again. He calls me like three times and all three times. I’m like, I’m a really good employee. And I’m like, you got to talk to our media relations.

So our media relations leader, he, he called me he goes, are you sitting down? And I was like, no, but I can be. And he tells me, he I just got off with the Associated Press and

there is an Iranian cyber terrorist group that is targeting you. And I was like, I’m now going to sit down. Thanks.

Joe Patti (05:59) Yeah.

Adam Roth (06:02) You might have almost fell down. Yeah.

Amanda King (06:02) Like, what in the world does this mean? What does this

Joe Patti (06:04) Yeah.

Amanda King (06:04) mean? And so it was just really, it was a really eye opening situation for me. And they did end up getting into my personal stuff. They did not get into any of my work stuff, which was great. Because from a company perspective, like you always want to protect your company. And the companies I’ve worked for have always had really strong info sec really strong, you know, measures to make sure that people can’t get in. So that part was safe. That was great.

My personal life stuff apparently was all out there for them. And that was, again, for them probably very uninteresting. I’m sure they dug through it and they were like, yeah, okay, next. But for me, it felt so exposing. And I started thinking about, gosh, what are the things that I’m sending through my email? What are the things that they could have possibly seen? Anything with bank information, with tax information, with my kids’ information, whatever that is.

And then I got phone call from like a three letter agency and they’re like, Hey, we know what happened. Like, my gosh. And I know I’m like, my goodness. And they’re like, we need to get into your information. Are you willing to give us access? So now not only did these like less than charming kittens have my information and all of my, you know, uninteresting life exposed to them. But now, you know, of course I was more than willing at the time I was super terrified. I’m like, you can look at anything you want. have nothing to hide.

Adam Roth (07:05) You

Joe Patti (07:06) I would have been like, do something, what are we paying you for?

Amanda King (07:28) So gave them access, but now I gave access to my whole life, to this group of fine individuals who were there to help me. But it was a lot to take in, and it just really made me think about the world of anything that’s traveling via any medium of the cyber world, and who can access it. And then when someone accesses it, who else is gonna need it, right? And what are you putting out there? And so it just was…

A good reminder for me that I need to get my, not only my sort of work information life secure and safe, but my personal life too.

Adam Roth (08:07) Yeah, Joe

does the Snowden thing. I mean, I do it similar to it. Joe uses a certain domain for his email.

Joe Patti (08:12) you

I assume with my private stuff, except for I do use some Snowden type things, that people are in it.

the three letter agencies. I think it’s hilarious because if they came to me and asked for access, I’d say, like, cut the crap, guys. I know you have everything. But knowing that and knowing that someone’s looking at you specifically is very different. So mean, Amanda, how did you deal with that? Like, did you change anything? Did they help you at all? I mean, like, where did that go?

Adam Roth (08:31) You have access.

Amanda King (08:41) Yeah, well, they were

very, I will say they were very helpful. And it was also just personally very interesting because my husband was deployed at the time. he was in Iraq, being a Marine. Yeah, I call him Captain America. He’s amazing. He was a Marine for 30 years. Master guns, wasn’t actually Captain. He might not prefer to be called an officer. He worked for a living.

Joe Patti (08:54) wow.

Adam Roth (08:56) Thank you for your service. And yours.

Amanda King (09:09) So he was he was deployed I found out about this when I was in DC and my kids were in Arizona and so there was this sort of mom instinct that kicked in immediately or it’s like How far could these guys reach you know, and are my kids safe and in end so So yeah, the first thing I did was I had these sort of ancillary Like emails that I hadn’t really used a long time. I just shut all that stuff down got rid of

cut the fat, right? It got rid of the things that I don’t really need. And we went and we had a friend of ours who knows a lot about in-house networking and stuff come in and just make sure that we had all the security measures within our network in our house that we could possibly do. And then I made sure that I had, you we have kids who grow up on devices. And so I had to make sure that we had the

anything, right? The McAfees, the Nortons, the whatever is loaded on every device that we have in the house and make sure that things were kind of meshed together and that we could understand what was going on. And I just had to get more educated on how do I understand these things? How do I read these reports that come back from these security companies that you can contract with or whatever? it was…

Yeah, and was just a really, again, eye-opening experience. And I think there’s a lot of stuff that people can do that isn’t that hard and isn’t very costly. And then there’s things that you can do that are, you you can go as big as you want. Again, we’re pretty uninteresting people, so I didn’t feel like we had to go create, like, know, Fort Knox protecting the gold around our house. But I definitely felt like we had to do something. And with the kids, my word, of all the gaming and the, you know…

friends and whatever that they can make on that. We have pretty strict enforcement. We use all those parental controls to make sure that people can’t come in through that avenue and access our family that way. It’s like an ongoing effort.

Adam Roth (11:11) My thing is

if you have a cable modem, have files and you’re using their equipment, they’re in there. They know all the zero days. They know all the access. They know all the exploits.

you realize the more you know, the more vulnerable you realize you are.

Amanda King (11:28) Yeah, and I think there’s also lot of education with our youth because they’re just like, you know, yeah, throw any app on your phone and, you know, anything on your VR headset and whatever. mean, and these are these are real risks that they need to understand too. And I think making sure that our young folks have an appreciation for that without sounding like, you know, doomsdayers and.

Joe Patti (11:55) Yeah, well, it’s

the family that’s tough and that you worry about the most, I think. Because you worry about your family, because you worry about your family, my stuff is for an individual pretty tight. It’s kind of my hobby, too, to do all these things. And I’ve actually loosened up a little bit to allow my life to progress. But my family.

Amanda King (11:59) Mm-hmm. Yeah.

you

Joe Patti (12:15) And my kids are another story. And my kids are pretty good. You know, they don’t go off and do crazy things that I’m aware of and everything, but still, you know, they watch TikTok. My son who’s older now, but he was into gaming. mean, I’d see he’s on these groups and I’d have to go in and make sure it’s not some crazy thing or whatever that these people he’s talking to. You know, I worry much more about them being targeted.

Amanda King (12:35) That’s right.

Yeah, I think there’s a lot though also just with our work lives too to think about because as we have to be good stewards to our family and that’s always like the number one priority. The other thing that I guess I didn’t do differently but that I was hyper aware of was I can’t send anything over any kind of like personal email that may have any kind of company.

anything in it, right, that somebody could use because, you know, it is so much easier to get access to, again, you know, sort of common email type accounts versus, most, bigger companies have pretty good security, but even those are at risk. But at least if, if, if somebody were to get into that, that’s not on you, right? That’s, that’s on the company infrastructure.

Adam Roth (13:24) Well, actually

it is and I’ll tell you why because when I was working for Joe, Joe had me doing DLP or data loss prevention, especially with email so at one point we had these attorneys not really engaging in anything bad, but they would forward stuff to their personal emails because they would want to work on it at home and they don’t want to log in.

Amanda King (13:28) interesting.

Yeah,

that’s what I’m saying. That’s on them then. Like that’s on them. If they’re forwarding it from work.

Adam Roth (13:50) No, it’s on me.

Joe Patti (13:50) Yeah.

Adam Roth (13:51) It’s on me because I… Yeah.

Joe Patti (13:52) Well, yeah, I know you took it very seriously. And I told you it was all on you. But in reality, I can tell you a few years later, we often say in security a lot of the controls are there to keep honest people honest and to keep people from making mistakes, especially when you’re talking about DLP data loss prevention. It’s impossible to filter.

Amanda King (13:59) you

Yeah.

Joe Patti (14:16) everything. It’s there to catch stuff. also, you got to be careful. It’s like, just because your car has anti-lock brakes doesn’t mean you go flying around the neighborhood at 60 miles an hour. I mean, you need to have some level of discretion with stuff.

Adam Roth (14:17) Yeah.

Test them. Yay.

Amanda King (14:30) That’s right. That’s right.

Adam Roth (14:32) So Amanda like for lack of a better term again, Joe threw me under a bus. He’s like, hey, you know, put these rules in place. Make sure that these attorneys don’t forward stuff. So I did that. And then I had an attorney reach out to me saying, Adam, why are you stop being forward to my personal email? I go because that’s part of the, requirements of our customers. He’s well, look, the first time I understand the second time I understand.

But the third and fourth, you should have realized that it was normal. So Joe said, go, go speak to the attorney. So basically I was on a 30 minute call and the attorney basically deposed me. He was like, Adam, at what time did you realize and what date did this started occurring? Uh, March 13th, you know, 1986, you know, I mean, I’m being funny, but he goes,

Joe Patti (15:12) you

Amanda King (15:21) It was.

Adam Roth (15:22) He

goes, how many times did it happen? I go, I don’t know these. He goes, why did you come to this school unprepared type of thing? I go, don’t you ever put me in that position again. laughed.

Joe Patti (15:33) That’s I sent you to him deliberately because there are

Amanda King (15:37) Yeah, I think there

was definitely a plan there.

Joe Patti (15:40) But you

know what, when I was a manager, when I was running things, that was one of my privileges, especially at the law firm, that I could send my technical experts to talk to people directly. I said, I’ll talk to them if they get ticked off on the next level.

Adam Roth (15:51) Yo

Amanda King (15:53) I love

it.

Well, you do have to balance the business needs, And there is the probability factors, right? So what is the probability of something happening? And what is the consequence if that were to come to fruition? And so I think there’s a lot that goes into it. But it is a tricky balance. And oftentimes, people wait until they have to respond to a thing, and it becomes a reactionary.

Joe Patti (16:14) Mm-hmm.

Amanda King (16:22) you know, process. And so it’s just finding that balance of where can you have the fewest amount of reactions and the maximized, you know, proactive actions so that you can prevent and, you know, it’s a formula that nobody has perfect. And because if companies went to the model where everything were protected, they would be able to afford sustained business. just wouldn’t make sense. It wouldn’t make business sense, right?

Joe Patti (16:46) Yeah,

well, along those lines, Amanda, mean, you talked about how when you found out about this, of course, you look at all your personal stuff. start to tighten it up. You start worrying. You do all those things.

what was the reaction that you got from work?

Amanda King (16:56) That’s right.

So they were fantastic, I will say. Both the government side and the company side, they responded, think, in a really appropriate way. First and foremost, they made sure I was like, OK, because they knew that I was a little bit stressed out about being across the country from my kids and other than the other side of the world. And so, I mean, they were they were great from that personal perspective. But then as far as the

be, you know, how they responded. Every discussion that I was in with my new friends with three letters on their names, they were a part of. And, you know, they made sure that they understood, you know, what can they do? The good news was that they had done enough at that point where none of my work stuff had been breached. And so that was really, really important. And so there was a lot of validation in that, but I think they also needed that validation because, know, just like any company, like every year you go through the

what are we spending money on? this do us any good? Do we still need to do it? And so I think there was a lot of validation for some of that stuff. so I’m sure it was part of the incentive for them to continue to do the things that they were doing. And working in aerospace and defense, those companies generally are going to, I think, err more on the side of caution with some of this stuff anyway. And so very risk averse when it comes to a lot of things.

Joe Patti (18:15) Right.

Amanda King (18:20) I felt like the company response was super appropriate. And, you know, they were very involved and they, they, they weren’t, you know, I don’t know, they weren’t laissez faire about any of it. And so they’re, they’re, you know, sort of engagement, I think gave me a lot of confidence in the, you know, their sort of future steps there. But I do think that there are some companies that would have taken a different approach and some companies may been like, what did you do? How did you get yourself on this list? You know,

Adam Roth (18:39) Probably because it was… yeah.

Joe Patti (18:47) Well,

that’s it. can get, and you’re not going to get this in aerospace and defense and regulated industries, but you can get the reaction of, what did you do? Or we checked our stuff, so it’s your problem now. And yeah.

Amanda King (18:57) Yep.

So clearly this is on you, yeah.

Adam Roth (19:04) But

let’s be…

Amanda King (19:05) Could have been a very different story. This company was fantastic though, the way they

Joe Patti (19:08) There’s a lot of discussion of this amongst the cyber people all the time, of what it means and what you get out of working with the government, the three-letter agencies. Sometimes they’re not there to help you. They’re there to help themselves. And so they’re looking for Intel.

Amanda King (19:24) they for sure wanted to learn as much as they could. And I think they wanted to understand, and you know, this, this list that the Associated Press provided, which was interesting. was this group, this like sort of, you know, white hat hacker group in the UK had gotten in to the Charming Kittens

Joe Patti (19:27) Mm-hmm.

Amanda King (19:44) network and extracted this list. And so that’s how this whole thing came about, were these like good guy hackers and they turned it over to the Associated Press and that’s how, you know, anybody got ahold of it. But yeah, I mean, they were interested in other people on that list for sure as well. And I think they were trying to put the puzzle together. And I think for me, was because again, I was probably the least interesting on the list. I was like never popular. It was really funny to be on this like elite list, one that I never wanted to be on.

Adam Roth (20:13) yeah.

Amanda King (20:13) people had like legitimate,

I think, interesting things that, you know, people had gotten a hold of. It would have had some, you know, broader sweeping consequences. I think for me, it was like, okay, give us everything you’ve got. They did their diligence. And I think they just pieced together that mine was more of like, your title could theoretically be interesting because nobody really knows what you do. And so we want to know what you do. And is it tied into the things we’re interested in?

I think that was the extent for me. I think for other people it was deeper.

Adam Roth (20:41) So,

Joe Patti (20:43) Anyone who would wear a Pi Day shirt is definitely interesting. But you have to worry about it. Because even if you’re not the CEO, even if you’re not the chief scientist and stuff, when you start getting into the world of the espionage and the intelligence, it’s not like the ransomware guys are looking to steal money. Other guys are looking to steal your identity so they can steal money.

Amanda King (20:46) Well, thank you. Geeky, perhaps. Geeky, but maybe not that interesting to, you know, Charming Kittens

Joe Patti (21:12) But here, they’re looking for things about you, anyone in the company at any level that they can use that can be leveraged, that maybe you even have access to something that you really shouldn’t. Maybe you don’t even know what it is, but that might be useful to them.

Amanda King (21:28) The leverage is,

that’s a really interesting point. So luckily, because I do have a, I mean, I love my life, but to the outside world, very boring, just happy marriage, mom of two wonderful kids, like again, nothing very interesting, but thinking about things that people put on their different mediums of communication, whatever that medium is, if they can get access to something that then suddenly becomes,

There’s opportunities for blackmail. There’s opportunities for, you don’t want this to go public, right? And those are really important things to think about too, because people, it is remarkable to me. I listen to Dateline podcasts a lot, right? Like these, know, these people who commit these murders that likely would have gotten away if they just hadn’t put something on social media or in an email or.

Joe Patti (22:09) and

Amanda King (22:20) Recorded like why do they report things like this? I don’t know but they do it’s just like this human nature thing that has evolved and so when you think about you know, the incriminating Anything that you don’t want, you know a spouse to know or an employer to know or your mom, you know, whatever That that could be leveraged

Joe Patti (22:38) Yeah, or even innocent things.

Yeah, you’re like, mean 20 years ago I met Epstein at a wedding?

I don’t know, I don’t remember, right?

Adam Roth (22:46) We actually, we actually, it

was funny, we actually know somebody that, no, no, we know somebody that actually worked for him unbeknownst to him. And he was like, I’m getting kind.

Joe Patti (22:50) Dude.

Amanda King (22:51) That’s, that’s, I wouldn’t even have thought about that. Yeah.

Joe Patti (22:53) wait,

that’s right,

that’s right. We do know someone who worked for his company

or whatever it was.

Adam Roth (23:01) Yeah,

Amanda King (23:01) I think everybody has a vulnerability somewhere. And I liked that you brought up like, I don’t know, did you meet Epstein at a party 20 years ago?

Maybe? I don’t know. I don’t remember. And if someone found a picture of you like, chumming up with the guy, then all of a sudden, you’re like, well, no, that’s not, don’t put that out there. That’s not me. I don’t like this guy.

Joe Patti (23:11) Yeah.

Yeah. He just…

He just boat around with… No, it wasn’t…

Adam Roth (23:24) No, no, the billet, the…

Amanda King (23:24) right he was buying

drinks for everyone. anything like that could happen

there’s an individual that my husband and I are friends with that, you know, it’s one of those like, you know, they locked down this individual’s work computer. I don’t know, he must have gone to a website, not like a nefarious website, but just, I don’t know, maybe he was going to go to DoorDash and order food or something. It wasn’t DoorDash, not to like throw any concerns on DoorDash. anyway, it, you know, it’s one of those like pay us X thousands of dollars or we’re going to

you know, wipe out your computer or I don’t know what the thing was. Yeah, it was some kind of ransomware thing. And it was his company computer. And so he panicked. And this was a good guy. I mean, you know, I would be surprised if there was any dirt to be dug up on this individual. And but he panicked because he was like, oh, my gosh, you know, like, technically, maybe I shouldn’t have been ordering food or shopping on Amazon or whatever he was doing.

Adam Roth (24:02) ransomware okay

Joe Patti (24:22) you

Amanda King (24:26) on his work computer and so he just kind of panicked and he paid the money. he paid the money and then of course they didn’t take the thing off the computer, right? And they were like, dude, what were you thinking? But he just panicked and so they wound up, you know, making some money on him and then he still had to go to his company and say, see what happened was. And so was, you know, kind of a lose lose situation. But I think, you know, that’s another vulnerability.

Joe Patti (24:34) Yeah.

Amanda King (24:52) where people just think like, maybe I was doing, maybe I was doing something wrong. Maybe I’ll get in trouble, you know.

Joe Patti (24:59) a big problem in security when you’re running the program. And one of the things we try to do with the security awareness stuff, when you get the thing like you clicked on the email you shouldn’t have clicked on, or you shouldn’t do this and that kind of stuff, people get angry. But then they also get scared when they see stuff like that. And something that’s really important is to tell people, look, don’t do this stuff.

Amanda King (25:00) Thank

Thank

Yeah.

Joe Patti (25:23) but you gotta send a message that please report it. You won’t be in trouble, or at least you won’t be in as much trouble as if you just let it go or try to hide it or do something crazy like that. Please tell us. Exactly.

Amanda King (25:29) That’s right.

Yeah, it’s that bad news doesn’t get better with time theory. Like

Adam Roth (25:37) you

Amanda King (25:41) don’t let it sit and soldier. I education, I mean, you bring up a really good point, Joe. So I think there’s this element of education too. And I think some companies do a really good job of educating people on, you know, hey, if you see something that looks suspicious, send it to us and there’s no punitive anything, just get it to, if you click on it and it does something bad, send it to us. And here’s why it’s important.

And then, know, some companies, especially, you know, kind of your smaller or maybe small to medium size that really haven’t experienced a lot of this stuff. They just don’t think about it. It’s not in the forefront. So they’re not educating their workforce in how to handle these situations and what to do. And, um, and maybe they don’t even know themselves until they are responding and reacting to a situation. But I think education is really key on this. I love that you guys have this security cocktail hour, because I think it’s, you know, just another.

Adam Roth (26:20) you

Amanda King (26:31) opportunity for people to become more educated on the risks that are out there and how do you handle those risks? And at least if it happens to you, you’re not going in completely blind, right? You can have some kind of a plan in mind.

Adam Roth (26:45) I know if Joe’s gonna agree with me, but I’ll tell you this. most, most.

Amanda King (26:48) Shocking, because I feel like that’s never happened.

Joe Patti (26:50) Let’s see, I

think you’re like 0 for 3 at this point with me agreeing with you in this episode, but go ahead.

Amanda King (26:54) You

Adam Roth (26:54) Yeah, most

most most comprehensive cybersecurity programs for firms are not in place because they’re trying to do good. I’m not saying they don’t want to do good, but most cybersecurity like these extensive programs are in place because clients require them in order to do business with them or in order for them to get cybersecurity insurance. It’s yeah, it’s usually motivated by risk.

Amanda King (27:18) Depending on the type of business, yeah.

Adam Roth (27:23) and revenue. some companies, Joe and I used to work together, or I shouldn’t say work together, I worked for Joe, he was abusive. we put in data loss prevention, we put in endpoint detection and response, we put this all in place because it was a checkbox and we got audited all day. Joe loves audits. So we got audited every week, every week we had audits going on, nonstop.

Joe Patti (27:48) I’ll stop.

Adam Roth (27:53) If we couldn’t satisfy those audits, we didn’t comply, we didn’t get business, and the first person that would call us would be one of the partners that was responsible for that line of business. What do you mean we don’t have this in place yet? Do you agree, Joe? Do you agree?

Amanda King (28:07) Yeah, but I think,

but I like the forcing factors in some cases, personally.

Joe Patti (28:10) Well…

Well, my feelings on it are kind of nuanced, to put it that way. It’s like, yes, security, awareness, education, it’s important. You need to tell people this stuff. People are the first line of defense and all these things, yada, yada. And yeah, A lot of organizations do it because they’re required to, who otherwise wouldn’t. That’s not good.

On the other hand, like every other control and every other thing you do, especially in security, you need to be realistic about it. I’ve always been very disappointed in the field because it’s not nearly as effective as we’d like it to be. I used to be the hardcore cyber guy who’d say, well, you can’t fix stupid. People just aren’t going to listen. as I’ve matured a bit, I’ve learned that, you know what? People have got a lot going on.

They’re trying to do their jobs. They’re trying to do it under stress. This stuff is complicated. And I will also admit that especially lately, boy, some of this stuff has gotten good and has gotten nasty. you’ve got guys who they’re, know, teams of very smart people who, know, their job is literally to figure out ways to trick people. you know, Amanda, mean, if you, if you actually, the one cool thing about getting hit by a top level nation state like you did,

Adam Roth (29:20) AI.

Amanda King (29:21) Yeah.

Joe Patti (29:36) is that if you manage to falter or do something or whatever, you could say, hey, at least I got beaten by the A-Team. At least it was Roger Clemens who struck me out.

Amanda King (29:43) At least it wasn’t like the V or the C2. It wasn’t like

fourth string quarterback. Yeah, no, that’s fair. That’s fair. it’s, I like the forcing function though, I will say. I mean, I think that there’s, because we are busy and I look at myself and I I thought I was doing pretty good and I thought I was pretty focused on this kind of thing. And then I realized, you I was at work, but I was coming home once I’m thinking about it the way I should have been. Because I did allow my…

self to be exposed, right? And again, I was luckily the least interesting on the list.

Adam Roth (30:15) I don’t know if you let yourself be

exposed. You were a good target. I mean, like you didn’t you didn’t open the door and say guys come on side. It’s warm in here. Yeah. Yeah, you know, like I don’t think

Amanda King (30:22) Come on over. Let’s do some kitten videos

now. But there were other measures I clearly could have taken to help prevent that. I mean, even just having things on, you know, like old email accounts that I don’t even use anymore. Like, what was the point? You know, and it’s like, that’s just there for people. Like, just shut it down. Just get rid of it. You know, it’s like the hoarders, right? Like, I felt like I was like a…

Adam Roth (30:33) Hindsight 2020. Yeah.

Amanda King (30:51) you know, digital hoarder of just stuff from, you know, 20 years ago that’s totally irrelevant. But could, to the point you guys brought up earlier, could be a vulnerability for whatever reason, right?

Adam Roth (30:59) You look, yeah.

You live and learn,

you live and learn. mean, like, you can’t live your life worried about every single thing. But like I always say, you try to put things in place when you can. And, you know, this is a very stressful thing. And Joe and I were talking to David on a previous episode, David Warshavski and he said at one point this, I think it was a CEO, he got so stressed about what was going on with a breach.

Joe Patti (31:18) you

Adam Roth (31:33) That this guy went blind in one eye from the stress.

Amanda King (31:36) Stress does a lot. Stress does a lot. Yeah. Yeah, that’s unfortunate. Stressful to even think about.

Joe Patti (31:37) crazy.

OK, so in the aftermath of it, I guess everything was OK. You did not, I can hear the kids screaming in the background, so I guess they’re OK. Well, I’m glad to hear that. So.

Amanda King (31:51) Yeah, every

Kids are fine. mean, they’re wild little maniacs just like they should be.

I call them my terrorists now. They’re nine and 11. They’re boys. Oh, I shouldn’t say that. They’re wonderful. they’re, yeah, everything was fine. But it was interesting because I was a senior director when that happened. And then, you know, my next role, I became a VP and now I was on the executive team. And so it definitely was something where I had to really think about like,

Joe Patti (32:03) god.

Amanda King (32:24) you know, going back to all the discussions we had earlier, like how am I thinking about things? How am I communicating? How am I educating? How, you know, all the things that I needed to be hyper aware of, with this particular team. And I had a blend of commercial and defense in that particular business that I took on. And so I had to be really sensitive and thoughtful to that. and then, you know, going over to the next company that I went to, which was really interesting because they were hitting this like hyper growth.

period. I got there right on the cusp of this crazy hype for growth where they were going from being a small company to a medium or even a large company at this point. They just grew so fast. I had to carry some of those experiences with me and what we were doing because we were working in a world of software and dealing with customers’ information and pretty sensitive information. So how do we make sure that we’re

thinking about all those, those are on the forefront that we have the right relationship with InfoSec that, you know, we have regular cadence with them to make sure the things that we’re doing, the people that we’re hiring, you all the things can at least be a recipe for, you know, lowering our risk factor and, and making sure, you know, as an executive there that I had to be a good steward to that company, to that team, this like new team that we were building up very, very rapidly. And then we didn’t get, you know,

Get too over our skis and too excited about the growth and forget about the risks that are associated with that.

Adam Roth (33:53) That’s the irony, Amanda, right? It’s not necessarily a negative thing that you were targeted by an APT in some ways. It gave you the growth and the experience and the background so that you could actually have the perception in another organization to use your real life experiences to help that next organization or even the current one that you were at at the time. So learning experiences do help us grow.

Joe Patti (34:07) Thanks

you

Amanda King (34:22) Yeah,

I do agree with that. I mean, I do think that, you know, any any situation that we’re in, so we have all these sayings in my house and, you know, some of them come from my days in the military, embrace the suck. That’s one that, you know, come from from my green suit-er days. I think the greatest gift you can give a young person these days is the gift of resilience. And so how do you give them resilience? You do hard things, right? So we have the saying like we do hard things.

And we actually also say persist for the reward of resilience. And all these experiences do build up resilience and allow you to make better and more informed decisions as you go. And so I am grateful for all those obscure experiences, whether it was this or whatever the hard thing is that we’ve got there, we’ve all gone through them. We’ve all had our own fair share of hard things. I think that those we should be grateful for.

which always feels good to say after you’re through the hard things. You know.

Adam Roth (35:16) Yeah, right?

Joe Patti (35:16) Yeah, well, I was going

to say it feels good to say, and it’s very true, I’m glad that you learned all that and were able to apply it and didn’t really have anything catastrophic happened because that would be terrible, you know.

Amanda King (35:27) Yeah, I was very fortunate.

Again, it pays to be the boringest one on the list. So that was cool. But, you know, definitely has me a little hyper aware these days.

Adam Roth (35:41) They say there’s a light at the end of the tunnel, but that might be the train that’s going to hit you.

Amanda King (35:47) That’s right. Might be.

Adam Roth (35:50) No, but they’re like, you know, like…

Joe Patti (35:50)

Such a New York thing that stay out of the subway tunnels. You know? mean…

Adam Roth (35:55) Yeah, I’ll try. But the point I’m making is when you’re

Amanda King (35:55) Is that a New York thing? feel like in Arizona we don’t really have that here.

Adam Roth (35:59) going through a rough time, I was kind of being funny, but when you’re going through a rough time, after you’re through it, like, my God, wow, that was horrible. But I learned from it. But so, you know, when you’re going through it, you don’t think of it that way. But.

Amanda King (36:13) Yeah,

well, you have to try to though. mean, like more more information than we need on this podcast. like I, Adam knows this, but I went through cancer in 2024. So January 5th of 24, I saw I have the big C and it’s like, Whoa, I’m not. No, I’m sorry. Can we start over? Because I think I misunderstood. And, and that was a lot to take on and, you know, to go through that journey. And continuing to go through that journey.

But I do think it’s important that you do have to, this is something that I’ve been trying to do more in the last few years, is be more reflective in the moment. Because it’s always about like, next play, what are we doing next? Pushing forward, pushing forward, pushing forward. But if you don’t stop and just reflect a little bit and think about where you are and how you got there and what you’re learning, then I think you’re kind of missing those opportunities. So yeah, it’s good to think about it.

after it’s all said and done, but I think if you can be intentional enough to reflect in the moment, whether it’s, the Charming Kittens think I’m interesting, that’s terrifying, or, I have cancer, that’s terrifying, or take your poison, right? Whatever the thing is. And I have actually this sticky note on my desk. the cleaning folks came, and so they moved it. But anyway, so I usually have a sticky note that says,

What, so what, and now what? And the what is like, what is happening? And I wrote this down because I’m trying to be more intentional on this, like, reflective in the moment. So what is happening? So what is like, so what am I learning from this? What is the point of this thing that I’m going through, whatever it is? And maybe it’s just a really rough meeting with your boss and you’re like walking away going, I’m an idiot. Okay, so what do I need to learn from that? And then the now what is like, now what? Now what am I gonna do? What am gonna do about this?

Adam Roth (37:42) Wow.

Amanda King (38:06) How am gonna take this forward? And I think you’re gonna play that in any aspect of your life. Anyway, I got a little Philsockle.

Adam Roth (38:09) Hey Joe.

Maybe not our logo, maybe we should make a mug. What? So what? Now what? There’s three lines on a mug.

Amanda King (38:18) Go for it. Go for it. You’re plight of scared.

Joe Patti (38:20) You know what?

That kind of motivational stuff I think would probably sell a lot more than cybersecurity. You know, we should go into that business. No, well.

Adam Roth (38:24) Yeah

Amanda,

I started making mugs and started selling controllers. You actually sold our mugs? I’m like, yeah, we sold out because get out, we’re in the wrong business maybe.

Joe Patti (38:40) Yeah, I still haven’t seen the money at the bank account, but yeah, we sold them. sold them. expenses, I know. All right. OK, well, you know what? You’re very right. Resilience is really important and learning from those tough times. If you’re going to have them, you make the most of them and learn from it. But I am very happy to hear on both counts, especially the health count, that it looks like you’re doing OK and that you’ve come through all of this good.

Amanda King (38:41) Right.

Adam Roth (38:43) I bought a couple steaks with that. It was good. Mmm.

Amanda King (38:43) oooo

That’s right. Yeah.

Thank you.

Yep.

Joe Patti (39:09) And we really appreciate

Amanda King (39:10) Yep. All is great.

Joe Patti (39:11) your sharing your insights with us. I got to be honest, although I’ve been in this for a long time, we dealt with a lot of incidents. I’m trying to think if I’ve ever actually sat down and had an in-depth conversation with someone who’s been through it, who’s been targeted like that. There you go. All right. Well, thank you very much for sharing. It’s been super interesting.

Adam Roth (39:25) Target.

Amanda King (39:26) One of the 77 right here. Yeah.

This has been great and I appreciate it. I appreciate what you guys do. I think just getting the message out there and keeping people focused. I mean, it’s not like we’re going to have less need for cybersecurity in the future. It’s only going to be more and more. And then what happens once we start figuring out quantum entanglement and all the things that are coming in the future? We’re just going to need people like you guys to help keep us grounded and focused on how do we think about these things? How do we address these things? What is happening in the world? And so appreciate you guys.

Adam Roth (40:03) need people like you and our guests to share their experiences.

we love bringing that to our people to our to our audience because that’s how we learned and we appreciate that. I’m not just buttering you up. This is a great experience at least for me. So.

Amanda King (40:18) All right, well this was fun.

Joe Patti (40:18) Adam,

All right. Amanda, thanks again. This has been a lot of fun and really interesting and helpful to everyone. So it’s been great.

Amanda King (40:26) Good, hope so,

hope so. I appreciate your time today, gentlemen. Have a good one.

Adam Roth (40:30) Thank you.

Joe Patti (40:30) All right,

thanks a lot, everyone.