Click for Full Transcript

Intro  0:01  

Welcome to the She Said Privacy/ He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.


Jodi Daniels  0:22  

Hi, Jodi Daniels here I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy professional providing practical privacy advice to overwhelmed company.


Justin Daniels  0:37  

Hello Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.


Jodi Daniels  0:55  

And this episode is brought to you by Oh, we should introduce at the end of the day, more often. Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our best selling new book, data reimagined building trust one bite at a time, visit


Justin Daniels  1:37  

You know, this is Red Clover, but I noticed you’re very blue today.


Jodi Daniels  1:42  

Well, there’s blue in my logo. And then our company colors too.


Justin Daniels  1:46  

And people can’t see that your earrings are a dead match for your shirt. You know, everyone


Jodi Daniels  1:50  

has a thing that they do. And I like to match my earrings to my clothes. Yes, you’re very adept at that. We all have to excel at something. All


Justin Daniels  1:57  

right, let’s move along to our guest. So today we have Chris Bullock, who is the CEO and Managing Member of a Cyber Investigations and Intelligence agency CI2A. Chris combines and utilizes his unique hybrid of experience and training and criminal intelligence, cyber threat intelligence, specialized technologies, executive management and law enforcement to build award winning and effective cyber security programs and to protect company’s most valuable trade secrets and sensitive customer and employee data. Chris, welcome.


Chris Bullock  2:32  

Thank you. I’m very happy to be here.


Jodi Daniels  2:35  

You really have your like, DJ voice going on here.


Justin Daniels  2:37  

It’s my late night DJ voice.


Jodi Daniels  2:40  

We should record for those listening. We are having a lot of fun recording this on late Friday afternoon. It’s not it’s five o’clock somewhere. It’s almost five o’clock here. That’s right. It’s right. All right. Well, so Chris, that is quite a really interesting and fascinating background. We always like to understand how people got to where they are today. Can you help walk us through that journey?


Chris Bullock  3:02  

Sure. Yep. So I started out in law enforcement is that kind of readout said, I began as a dispatcher actually in a small SOUTH FULTON COUNTY law enforcement agency and worked my way up to a detective sergeant where I ran the Criminal Investigations Division and ended up being a SWAT operator. And at the same time, I was paralleling my Mikey could and have always been the case, since I was a child. Building radios used to be if anybody remembers that he kits, projects, I used to build heat, hid radios and those types of things. And eventually decided that I needed to go in and go on and finish my degrees and move into a little bit more lucrative area. And I really wanted it to be within my passion of Law Enforcement and Investigations. And so my college advisor, when I did my first degree, my associates degree, told me you really need to combine law enforcement and technology somehow. And so here I am, I ended up doing that and got my first position as a technology manager with a truck and trailer parts company, and then eventually worked my way into doing database administration. And then from there, saw it because I was so close to the data. The first FinTech company I worked with called magnet communications, bought eventually by Intuit told me, Hey, we want you to be our our CFO and our CFO and do physical and cybersecurity. And that’s how I ended up in this in this line of work. And from there I have spent the last 25 years building out programs for various organizations, all the way from the Georgia lottery, built their first cybersecurity program to working at Home Depot for over five years and and doing a lot of penetration testing and vendor risk management assessments and those types of things, building out the first cybersecurity program for errands, and then eventually making my way over into the dark side as they call it with cybersecurity consulting, and worked for Dell SecureWorks for a period of time and then ended up with my current business partner, Ashley Ferguson, creating a very unique program where we’re protecting ultra high net worth individuals through cybersecurity, offerings and a really, really unique program a for cyber VIP protection, we call it a cyber executive protection, really putting the concentric circles of protection alongside of the executive protection people to protect their class from cybercrime.


Jodi Daniels  5:51  

As a really fascinating background, and one of the things that actually came to mind is I, too, got to work with the Georgia lottery. Once upon a time, in my early days, I was a financial statement, auditor and Georgia lottery was my client, it was really, really interesting to understand the ebb and flow of ticket sales. And the psychology of people it was fascinating. And now it’s kind of come full circle. But I remember working with many of the the kind of IT side of the house, and it’s just looking back on things, it’s always interesting to see how it all kind of comes together. But fascinating background, I’m excited to dive in to what you do.


Chris Bullock  6:32  

Thank you. Thank you.


Justin Daniels  6:34  

So Chris, from a cybersecurity perspective, how have the threats against executives, movie stars, the high net worth individuals evolved? And how are you helping protect those, that group of folks,


Chris Bullock  6:49  

the the evolution really, I believe, begins with open source intelligence and the way that it’s really proliferated itself. Throughout the years, it’s, it’s a lot simpler to find information on people. And the tools out there are free and available, just like the hacking community started, you can get a lot of free hacking tools. And so the digital footprint of an individual is so much more exposed because of our need to always have our phones in our hands, and always be on social media and always check in like things. And, you know, really give away information that holistically establishes what we call a pattern of life activity, which really raises the neck hairs of executive protection folks that protect on the physical level, because that gives an individual the intelligence ability to know where a person their target is, at any given time, know where they like to frequent and specific information about them that may provide password information, or specific cyber habits that they have. And so we’ve built the whole program around protecting against that, that particular exposure is is very significant. Because the pattern of life piece really allows those cyber actors, cyber bad actors and physical bad actors to combine those, those areas to perform very horrific attacks. And so that’s increased because of the open source intelligence I truly believe. And exposure, we, we didn’t even hear that term, you know, several years ago, oh, SATs, OSI and t, is what it’s called. And we use that same open source intelligence to protect those clients that we have, and you really have to be on top of what your digital footprint exposure is, and what your exposure is on social media, and chat forums and things like that.


Justin Daniels  9:04  

Chris, is a follow up for audience. Can you explain exactly what Oh, since open source intelligence is?


Chris Bullock  9:09  

Certainly so open source intelligence is, in its simplest, simplest form, Google, so you can go Google somebody’s information now, right and find out a lot about about them. Even further than that, there are specific types of tools out there, you know, all these websites that, you know, say, hey, you know, people Finders are, you know, not picking on a specific website and they change literally every couple of months. And availability of those, those tools are out there. So open source intelligence is really any and intelligence information or information that you can find, without having to log in to something without having to pay for something. It’s just freely available. And there’s tool sets again out there that were They are powerful, that provide a lot of information. You know, you may have heard of some of the ones you can check to see if you’ve had been involved in a data breach. You know, what your email address may have been exposed, those tools in and of themselves can provide, you know, an attacker information on whether or not your information is out on the dark web. And if if your audience might be not be too familiar with the dark web, that’s really an area of the internet that’s encrypted, that you can use a free tool like Tor to go and access. And it’s like a another internet, you can think of it as, and that data is typically dumped by bad actors out in the dark web, so that it can be shared and or sold, to amongst those groups to do bad things from, you know, committing financial fraud to, you know, hacktivist groups that may utilize it. To, to damage individuals. I mean, one of the famous cases was in Ferguson, Missouri, where not only were they having to deal with a, a physical attack, they were very ill prepared to deal with the cyber attack that came along with that. And anonymous, a famous group, hacking group that a lot of people probably heard of actually got involved in that attack and did a cyber level attack and took the city down to the extent that they had to work off text messaging for a period of time. Wow.


Jodi Daniels  11:33  

In the spirit of text messaging, and you talked about how we’re all addicted to our phones, what are some settings that people can change? Or that maybe they’re not aware of that is sending information to continue that digital footprint?


Chris Bullock  11:51  

Certainly, yeah, we actually have done a lot of research in this area. And one, you know, the specific area, if you think about just disabling your face ID, a lot of people use their face ID but that that identifies a person, picture your picture, along with, you know, the digital information with that picture. So that’s one. One that’s probably known to be a lot of people now is the location services, because you can take the photograph. And the metadata are the data that’s embedded inside of the photo. If you have location services on it will embed that data of your location. And you can have a picture out and a lot of the websites now such as you know, the social media sites will scrub that data. But if you throw them out on forums, and things like that, that data is still readily available. So disabling Location Services is very important. Not only that, but you know, with all the tracking information out there now available, the your Google, there’s a Google advertisement ID that follows your phone around, that is easily tracked, based on that location services data. And so if you turn that off, you cannot turn it off all of that ability. Another one is, you know, not auto joining a hotspot or you know, being able to auto connect to Wi-Fi because there are nefarious Wi-Fi, WPA or access points that are out there that can actually have you connect to them, and then start siphoning your data. If they’re using specific nefarious tools. And then when we have the ability through some of the technology that we have to, to duplicate a Wi-Fi network that you may be used to connecting to, we’ll just pick on Starbucks for a minute not to pick on them, because we don’t like them, because we like Starbucks. But if you allow people are used to going to Starbucks and connecting, we can actually fake that connection. And if you have auto connect to set up, you will get very easily connect to our in the forest at work, thinking you’re all Starbucks, and then we’re basically getting all of your information. So that’s another one. There’s a slew of specific settings that are out there, that that it’s if you if you look at all the apps on your phone, for every application that you have, one of the best things to do is turn off the access to photo and your microphone. Because there’s a lot of applications that do not need that access to your photograph or to your photo or your camera and your microphone. Because that can be a way for those applications to quote unquote spy on you, especially if they’re applications that you might have downloaded just to do something fun and you don’t really know what the purpose of that application was intended for. And there are state sponsored actors and operate by dropping the various applications out there that are fun maybe to make your face look funny or, you know, add some crazy background to your to yourself, that is collecting information. So we always tell people, be very careful of the applications you install on your phone, and then be very cognizant of the settings that you’re allowing those applications to access. So you really have to constantly look at your settings on your phone, which is very difficult, because we all use our phones regularly. And it’s extremely difficult to go through every single setting. And we’re not all going to have that time it takes hours sometimes, to to configure. So we’ve got a base set of configurations that we publish out on our website, that will he says, here’s what you need to cut off. And these are the configurations you need to set. But you really have to be vigilant overall, as you’re installing different applications because they those can change your settings and actually have your settings altered by what you’ve already set up because the application was installed on your device.


Jodi Daniels  16:12  

We will definitely include a link in our show notes to what you had just shared. But for those listening, can you what’s the right website name so that they can go if they’re listening here?


Chris Bullock  16:23  

It’s So


Jodi Daniels  16:29  

Well, I think everyone listening should go and grab that very long list of helpful settings. I have a follow up question. I don’t use face ID. But I’m curious because let’s just poke a pic on Apple, they’re going to tell how safe and secure it is. But here this suggestion is actually it’s not. Can you talk a little bit about that disconnect?


Chris Bullock  16:50  

Yeah, sure. So if your device is compromised in some way, those that data can be grabbed. So when we do digital forensics, that’s that’s not to say it’s not as secure, you know, based on the way it’s used by Apple. But if your device is compromised, and we all know that can happen when you know the old saying it’s not a matter if the when those compromises can get a hold of that data itself, and be used against you or use to populate some database to go and do an impersonation attack or put a fake social media profile up. And Apple does do a level of encryption. So they do have some good things out there. But we all know that technologies only as good as technology can be at the time that you download it or use it. Because actors, bad actors are constantly trying to break those things, and constantly achieving being able to compromise those things. So it’s just better to not have a face ID active. Not only that, if you can, if you’re in a physically compromised situation, someone could open your device by forcibly making you basically stand there and have your face put into your face ID to open your phone and your device. With Absolutely. So, Chris, when we


Justin Daniels  18:21  

talked about oh sins? What are your thoughts or recommendations to people to how to reduce their digital footprint? So they’re not tracked as well, I assume the first one would be maybe not share where you’re going out of town for a week and exactly where that is.


Chris Bullock  18:36  

That’s exactly right. Yeah. But those things are some of the very just surface level things for sure. And you can’t just say, don’t use social media, because that’s just not reality, right these days, that what you said is exactly right, is that you want to share as limited amount of information as you possibly can. On social media, you don’t want to publish your real date of birth. You know, people love to get the birthday, happy birthday notifications and things like that. But you certainly don’t want to have your real date of birth out there. Your you know, where you were, what school you went to, you know who your spouse is who your brothers and sisters are, you know, all those things are available on social media when people populate them. Because we can then you can do cross connects when you’re doing so. Open Source Intelligence, there’s cross connects can get you to other pieces of information that may not be readily available. If that information wasn’t sitting out in the middle of social media, check ins and things like that. To your point. If you’re out of town, if you’re checking in people know you’re out of town and maybe they decide that’s a good time to burglarize your home. Or in the case of the executive protection folks that we work with. They don’t want their principle, the person they protect is called a principal exposed to that level, there’s some famous articles on Michael Dell, I’m not picking on Dell at all. But there, it’s openly available on Google about how his security was compromised by a family member, just because of posts that that family member was placing, when they were out of town and those types of things and, you know, multimillion dollar security system compromised by a couple of posts on social media. So very, very important to limit your exposure from a social media perspective. And, you know, publishing different things. We did some workforce, some athletes, say, at one time, and those athletes were publishing their offer letters. And in the publishing of their offer letters, they forgot to blank out their address. So now they had their address exposed out there, pretty simply. And the posts that some of those individuals made as well weren’t necessarily politically correct posts. And so those posts were used against them in their athletic careers. And so we had to try to get those removed. There’s a delete me kind website that’s out there, that will help you delete some of your data. But we always say and, you know, I did some work with the Georgia Bureau of Investigations, Internet Crimes Against Children Task Force for over a decade, once information is out there, it is very hard to pull it back. So the best thing to do is not have it out there at all, then to try and go and reduce all that, or I’m sorry, delete all that. So you reduce it from the beginning. It’s not easy for everybody. And they’re always to get some of that data removed. But at the end of the day, the best thing to do is not share that data.


Jodi Daniels  21:57  

These are some really great tips. And I’m sure you’ve seen a variety of different stories like you’ve just shared, right with the athletes and some of these other ones. Are there. Any other particular areas? Obviously, we have iPhone and sharing information that you see people can be doing, whether you’re a high net worth individual, or you’re just not high net worth individual at home, right, and you still want your data to be protected. What are some of the common mistakes that you’re seeing people make that we haven’t talked about yet? Maybe from some of the cases that you’ve had to deal


Chris Bullock  22:32  

with? Sure, yes, certainly. So I hate to say this, because technology is a wonderful thing. But overuse of technology is something that we’re going to see and we are seeing manifests itself more and more in society as we get more and more dependent on technology. And if you look at it, we’re really becoming addicted to technology. A particular case that I worked, we we do pen testing, too. So that’s called ethical hacking. Penetration testing is basically where you go in your hire to try and break into a company’s information, or an individual’s information in the case of ultra high net worth folks that we work for. And we had a case where their whole home automation system basically had even their door locks online, we were able to find a vulnerability in that particular I’m not going to actually match the technology, but that particular technology and manipulate it so as to open the door locks remotely, we were able to take the blinds and move them inside of the home based on the vulnerability that they had. So one big thing, don’t put your door locks online. I mean, that’s just I know, it’s really convenient. But it’s not a good thing to do. Because anything that’s online is exposed. Right now. I mean, I have vulnerabilities but tomorrow it very well can have vulnerabilities based on the research that the bad actors or maybe the good actors are doing and they publish. And now all of a sudden, you’ve got to make sure you’re patching your IoT devices, Internet of Things devices, which is everything other than computers and iPads and phones. It’s your refrigerators are now allowed. It’s your outdoor grill, I’ve got an outdoor grill that you know will text me and tell me when my steaks done that I’m cooking. It’s getting absolutely insane the dependencies we have on technology. So you have to really be cognizant of the ability for those things if their own line you’re basically opening those things up to the world to the entire world and the infrastructure on the internet. So if you’re not certain that you have a good home firewall or you’re not certain that you have a good home and this is a term that a lot of people don’t know intrusion detection system we all think of alarm systems for intrusion right for physical intrusion but there are also detection mechanisms for Internet intrusion or data intrusion Those things need to be in place for you to start using those types of devices, our Roku devices, you know, our Alexas, all of those things. Once the more you automate, the more you’re opening yourself up to the possibility of an attack from a digital perspective. We also like in law enforcement, they call those things the evidence of things instead of the Internet of Things. Because every single thing that you use has some type of evidentiary value. And that’s not saying to help bad guys, but the bad guys can use that against you, including looking at the time that you’re using your thermostat, we had a case where we actually saw a breach on a particular thermostat device. And they were trying, they could tell when the individuals were home based on the fact that their heat was turned on or off at certain periods of time. And set for those times. So this is all going towards that pattern of life activity I talked about. It sounds like something out of a James Bond movie, I know. But the reality is, the bad guys are out there. And they’re learning this more and more and more. And it is being used, we’ve seen this be the case, even from the simple things, for folks that that are in positions, like CEOs, CEOs, you know, celebrities, they oftentimes want convenience. So they will share their password list whether executive assistant, we have worked cases where that has happened, and they every single password is in a spreadsheet in that executive assistants desk, which is not a good thing to have happen. So we’ve had to advise on that. Don’t you know, get rid of the convenience for a little bit you have to and because when your bank account password sitting in the executive admins desk, and somebody figures that out, they can get out very easily and cause many, many problems.


Jodi Daniels  27:01  

For sure, oh, my goodness, well, you’re gonna have too many IoT things. Right.


Justin Daniels  27:11  

Are you going to ask Chris, our privacy related question?


Jodi Daniels  27:14  

No, it’s much more fun when you do it. Okay.


Justin Daniels  27:18  

So Chris, given that I’m sitting next to the Maven of privacy, as you know, we now have what is it now five states have privacy laws? And I think what Jodi there’s another eight to 10 states considering privacy legislation. And so the question we wanted to ask you was, has this proliferation of privacy laws had any impact on how your clients perceive security?


Chris Bullock  27:44  

Yes, privacy and security are one in the same we like to say, in fact, when we develop incident response plans for organizations, and we do a lot of those, we’ve actually now combined it to be not just computer incident response, but privacy incident response. So we call it spring security and privacy incident response. And so when we do their spring, or their security, privacy incident response plans, we include privacy and the CPO, the chief privacy officers of the organization, or if they have somebody acting in the capacity of a chief privacy officer, because the technology exposure obviously can result in privacy and you know, Miss compliance or not complying with privacy law, CCPA GDPR, depending on what you’re dealing with. And oftentimes, the privacy person is left out of the technology piece, or vice versa, the technology folks who left out the privacy piece, very important to combine those two. And that’s why some of the privacy certifications now have technology components in them, right, from IPP, I believe is one that has now kind of have a technical privacy certification. I was just at dinner with a good friend of mine who is the chief privacy officer of a large FinTech company, and we were just talking about, and he keeps up with the privacy laws. And I don’t know how he does it, because they I know y’all know this very well. And being experts in that area. There, they change constantly. And like you said, there’s multiple states that are starting to deploy privacy laws, started counting CCPA with California, right. And having to deal with California privacy law, Massachusetts has one that’s pretty pretty intensively. And so we’ve definitely seen that many companies who may have not considered having a cybersecurity program, because of needing to comply with privacy law are now having to put in good solid cybersecurity programs. We’ve helped several companies through consent order issues, with maybe the FTC, for instance, where we’ve had to put in a good solid cybersecurity program. And that kind of coincided with some of the privacy pieces as well. And, you know, even the loss of a laptop, for instance, and they’d has records on it that maybe or healthcare records, right, or, you know, personally identifiable information is classified. If that laptop was encrypted, that exposure is a lot less, right. So they have to work with the technology folks, the cybersecurity folks to go and prove and say was his laptop, in fact, encrypted. So if they’re not communicating, which happens a lot in the organization’s they don’t know the difference. And they may have to, they may make a report and have to, you know, do that mandatory reporting, but really, the laptop was encrypted. So you really don’t have to do that necessarily. So we’re finding, you know, working together with, with the privacy, folks, the privacy officers, is very, very helpful. And especially in developing those plans, and getting the two groups to work together the CIS Oh, and the CPO.


Jodi Daniels  31:08  

I like when, as Justin would say the peanut butter and jelly of privacy and security go together? Yes.


Justin Daniels  31:15  

That’s how I refer to it.


Jodi Daniels  31:17  

I gave you credit. Well,


Justin Daniels  31:18  

that’s the first report. You should say yes. But now people know we’re married, because that’s been put out online. So I can’t recall.


Jodi Daniels  31:27  

You can’t. It’s official. Ah, well, Chris, we have talked about so many unbelievable, cyber tips. But we do always ask every guest the same kind of what is your best privacy or security tip? If you think about maybe one that we haven’t covered? that you think is a really good, important one. What might that be?


Chris Bullock  31:50  

There’s so many the basic and most easy ones to stay vigilant, right. But the one of the biggest attack vectors is is phishing, it still is the most simplest form of attacking someone to this day. Fishing still is very successful for for many bad actors. So I would say definitely be very careful of things you open in email, text messages that you click on on your phone that may have a link on them. Because there is more and more advanced software being used now or malware, should I say that, once you click on it on your phone, you they now have access to your microphone, your phone calls with chats, your email, your bank account information, all of that stuff that you do on your device that we all have now, man, we all carry those devices. And we all do business on those devices. So use caution in that whole fishing realm. And the whole, don’t click on things. Make sure you know where things are coming from, make sure you know where things are going. And make sure that when you do do your online banking or sensitive activities, that you are well aware of the security of the device that you’re own, and that that device is protecting that information. And you don’t let anybody in. Excellent tip. Thank you.


Justin Daniels  33:25  

So Chris, we always like to ask our guests, when you’re not helping clients deal with cybersecurity, what do you like to do for fun besides having your grill tells you your steak is ready.


Jodi Daniels  33:39  

You just done when I got you a new grill, you got the like, boring kind of Wi-Fi available.


Chris Bullock  33:49  

It took the grill one away from me. Actually I am. In my spare time I still volunteer with volunteer with the National Child Protection Task Force. So I’m very passionate about helping the world human trafficking and child protection. So believe it or not, that’s really my recreational time. So I don’t have a whole lot of like, really, really fun time. But I guess if I did say some things I do, I like the boat. So I have a boat on the lake. And I do get over there every now and then to to jump on the lake during the warm months. But outside of that I’m typically volunteering my time and helping with the National Child Protection Task Force. And just to give them a little plug, completely nonprofit organization that helped law enforcement to in the fight against human trafficking. We have a whole huge intelligence unit that does nothing but feeds intelligence to law enforcement for helping to find missing children and helping to find human traffickers. Well, Chris,


Jodi Daniels  34:58  

thank you so much for all the great work that you do protecting children, we really appreciate it. And, Chris, can you tell us again, where can people find you and connect and learn more?


Chris Bullock  35:10  

Certainly, so they can email me directly at They can go to our websites and thought of that contact form. myself. My business partner, Ashley Ferguson, will get back with him relatively quickly. We answer those a lot a lot faster than some organizations do so they can find this. They’re


Jodi Daniels  35:32  

wonderful, any lasting thoughts? That’s great.


Justin Daniels  35:34  

Thank you for coming on. Chris. Thank you


Chris Bullock  35:36  

very much for having me. I appreciate it.


Outro  35:43  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.