dnsUNFILTERED: Stephen Epting
Podcast > Episode 46 | February 02, 2026
Mikey Pruitt (00:00)
Welcome, everybody, to another episode of DNS Unfiltered. Today I'm joined by Stephen Epting. How are you, Stephen?
Stephen Epting (00:08)
Good, how are you doing Mikey?
Mikey Pruitt (00:10)
Good, great. I'm glad you could join me today. So Stephen is kind of an expert in the education field on cybersecurity. But before we get into that, let's talk about how you guys started in cybersecurity to begin with.
Stephen Epting (00:23)
So I actually was a law enforcement officer for a long time. I worked criminal investigations. And when I started working criminal investigations, working internet crimes against children, you know, I was kind of drawn to the mobile forensic side of getting these criminals' phones and extracting them and getting into them and getting evidence. And I actually liked that so much. I was like, hmm, I wonder if I can make a career out of this. Did a little bit of Googling. Turns out I can. So I made the career jump at
in my late thirties to cybersecurity and digital forensics. And I haven't looked back since. Love it.
Mikey Pruitt (00:59)
That's really interesting. We actually have someone at DNSFilter that came from a law enforcement background. And I wasn't surprised. I'm actually the one to hire her. I wasn't surprised at how adept she was at what we do here. Because there's a lot of skills that cannot transition across. There's a lot of, or, yeah, talk about those.
Stephen Epting (01:18)
Lots of transferable skills, investigations, you
So, you know, you're looking through forensic phones or basically. You're just trying to find evidence, which is, you know, really the central core of any investigation, which. Whether it's a criminal investigation or an investigation into a, you know, breach or something like that, it's all kind of the same process. So, you know what to look for. You keep your cool. You kind of find what you need to get. And just be really thorough.
And you know, every police officer and detective has to document accordingly. So usually our documentation is pretty spot on.
Mikey Pruitt (01:56)
Yeah, that was one thing I noticed, documentation and cool under pressure.
Stephen Epting (02:01)
yeah, like...
Being an investigator, you get a lot of stuff. So that's pretty serious. So yeah, I mean, I worked in Internet crimes against children. I don't think anyone wants to know what I did, but they were very, very serious. Lots of victims, a lot of, you know, time urgent stuff where you wanted to get stuff handled and make the rest if you're able to as quick as you can. Cause if you don't kids get hurt.
Mikey Pruitt (02:08)
You're like, I don't want to say on camera, but yeah, it gets hairy out there. Yeah, we're good.
So that's really cool because like you transition into cybersecurity, however, you are still in the business, let's say, of protecting children in the school system. So how did that translate into education?
Stephen Epting (02:40)
yeah, yeah.
So working with juveniles and children, was actually pretty familiar with the school system where I work now. So I was a lot more familiar with it coming in and just kind of knowing like what kids do, like what to look for and stuff like that too. Just working with juveniles so much, you you just kind of learn how things are with them.
Mikey Pruitt (03:06)
So is your role at the county school system you work at, is it only cybersecurity or is it IT as well?
Stephen Epting (03:14)
So I do a lot. I like to describe as purple team because I do cybersecurity, but also do GRC governance, risk and compliance. I do digital forensics and I do, you know, some red team stuff as well. So I do a little bit of everything.
Mikey Pruitt (03:34)
So is the red team stuff that you do, it to bolster the blue team side? Like is it attacking your own defenses to see if they're adequate?
Stephen Epting (03:44)
Yeah, it's penetration testing essentially just attacking our own defenses, see where the weaknesses are, work with the engineering team to see the fix those and remediate any issues that we have. And, you know, we have, we have to collaborate a good bit.
Mikey Pruitt (03:55)
And about...
I gotcha. About how many students are you kind of, I guess, responsible for, I guess is kind of a good
Stephen Epting (04:06)
So my district's actually the top 50th biggest districts in the US, which I did not know. So we have about 80,000 students and 12,000 staff, which is a good bit.
Mikey Pruitt (04:11)
OK.
What do you think the differences are between protecting staff and protecting the students?
Stephen Epting (04:29)
Staff you just have to be a little more careful for just because they have a little bit more permissions than students have. Students are very limited what they can see and what they can't see, so staff, you know, and you've been in the game, not every staff member is technically savvy. I found that children a lot more tech smart than you know, some adults are like we're we kind of talked about a little bit earlier just you know, some of these
fifth, sixth graders, they can hack, they know how to, they know what to do, what to look for. They're just a lot more aware of things.
Mikey Pruitt (05:09)
Yeah, we've learned this at DNSFilter kind of the hard way. Some of our customers that are in the education industry, their student, they're, you know, that we'll get a message from some staff member and I'll be like, the students got around your protection. We're like, what did they do? Like they're so crafty at getting around security, more so than the staff.
Stephen Epting (05:21)
Mm-hmm.
Yeah, yeah, they're they're sneaky. They're
Yo, they're smart. They, you know, to a degree, I respect their curiosity because I'm the same way as like, if they can do it, they're going to do it. You know, if they can do it, it's on us.
Mikey Pruitt (05:45)
Yeah, the children are our best penetration testers, I believe.
Stephen Epting (05:49)
yeah, they, a lot of them want to do anything but learn, you know, math and science.
Mikey Pruitt (05:55)
Well, technically it is math and science if they're learning how to hack.
Stephen Epting (05:58)
Yeah, I guess the
perspective they're learning one way just not what the
Mikey Pruitt (06:01)
Well, what do you think?
Yes. What do you think big risks are that schools and universities kind of ignore?
Stephen Epting (06:17)
I think there's some school districts that probably budgeting is a big thing with school districts. All this cost is, you know, funded from the public and taxpayer. So, so budgeting is a big risk because to have good defense in depth, need a good software, good tools. And, you know, sometimes you just, you can't afford it or some leadership and some other school districts may not see the importance of a
it because they haven't experienced it yet. So I think you articulate into leadership sometimes and places like not my organization, because I work for a really good one. But from what I've seen some other ones, you know, they kind of struggle seeing the seriousness of a breach.
Mikey Pruitt (07:05)
Heard the phrase, the burned hand is the best teacher. I think I saw that on like from one of the inventors of Python.
Stephen Epting (07:10)
Yeah, I'm a big Lord of the Rings fan.
Yeah, big Lord of the Rings fan, but yeah, I love that quote by Gandalf because I mean, it's essentially what we do, right? Like you fail, you learn, you beat yourself up and you get a little bit better. And that's how you say, well, that's never gonna happen again because burn me once. Shame on you, but fool me twice, shame on me.
Mikey Pruitt (07:38)
So when you encounter some staff or someone on like a school district board that doesn't really believe in budgeting for cybersecurity since that's one of the biggest risks, how do you kind of convince them? How do you turn the tides and bring them to your side?
Stephen Epting (07:53)
Well, with education data is a big thing. If you can go back and show them the data, like, Hey, this is what X school district lost, or this is what X university lost in the time. Took the, bring everything back up. They usually see it that way. And, and if you articulate cause what happens when a school district goes down, kids don't learn, right? Lots of mad parents, lots of staff and a lot of, a lot of yelling. So
you can articulate that and kind of show the data of like, this is what happened with them. We don't want to be that guy. I think they understand it a little bit better that way.
Mikey Pruitt (08:33)
So you're basically bringing facts and stories essentially of people who weren't quite as serious about cybersecurity. I'm thinking of, it wasn't too long ago, like a CMS kind of thing for schools. I believe it was called PowerSchool got breached. And when something like that gets breached, there are now tens of thousands or hundreds of thousands of students' records out in the ether.
Stephen Epting (08:59)
yeah.
Mikey Pruitt (09:00)
very serious records like social security numbers, like these kids don't yet, and they don't have like a credit history yet.
Stephen Epting (09:03)
Addresses, parent information, like their family dynamic. Yeah, so.
And you know that's that's really bad too with the PowerSchool thing too, but. You know, we're essentially protecting kids' information like we don't want that out there. And you know, sometimes school districts are at the mercy of vendors. Because a lot of school districts use PowerSchool.
That's like one of the biggest educational vendors in the U.S. So they had a lot of unhappy customers and.
You know, and we try to vet all these vendors for security issues as well. Cause we know we do have to comply with the COPPA, the Children's Online Privacy Protection Act. So we have to make sure we do all our due diligence to make sure these vendors are secure.
Mikey Pruitt (09:57)
With something like that particular breach, how can you recover, I guess is maybe a bad word, but how can you further protect the student from that data being out there? It doesn't seem like there's much recourse.
Stephen Epting (10:14)
Think you have to kind of look at it individually. You can't worry if other school districts' information got out. Like we have to worry about our students, our district, our organization. So you have to kind of see what, what the damage is for us. You know, we're in a more fortunate situation because we weren't really affected, but, you know, you just kind of have to handle it as it comes. Like, luckily we didn't have to.
We don't have much recourse of it.
Mikey Pruitt (10:48)
Well, you mentioned about budgets being tight. Is there any like very high impact or or high impact and low cost initiatives that you can push?
Stephen Epting (11:04)
Yeah, so there is, I mean security awareness to my one of my partners that works with me and information security. He actually goes to all these schools, primarily elementary schools, and he talks to kids about online safety, digital footprints. You know what you post on the Internet doesn't always go away like Snapchat's not forever either. And you know, there's some other free resources that state offers like with
the state attorney general's office, they have people that come out and talk to students as well. And you know, that's free. You just have to make the effort and sign up for it. that's some of the budget friendly stuff like we've looked at.
Mikey Pruitt (11:51)
Yeah, security awareness training is really big in business. I'm glad to see schools taking that initiative too, especially teaching kids at a young age when they're, you know, handed their parent's iPad to say like watch YouTube or like, like leave me alone for five minutes.
Stephen Epting (11:57)
Mm-hmm.
Now
YouTube can be dangerous too though. There's lots of stuff on YouTube that's not.
Mikey Pruitt (12:09)
Yeah, have you heard of the...
I was thinking of the like Elsagate scandal with like YouTube videos will devolve into these very odd videos that are on YouTube for kids, and just weird stuff starts popping up. We've also seen things like Roblox, like the gaming platform where people can be predators can lurk on there and get children to do things that they would normally do or should do. It's, it's a dangerous place out there.
Stephen Epting (12:22)
Mm-hmm.
Yeah.
Right. I'm very familiar with Roblox.
Yeah, very familiar with Roblox from my work in Internet crimes against children. That's a very, very, very notorious area for predators, unfortunately.
Mikey Pruitt (12:52)
Yes, very unfortunate. What do you think? It's really so what do you think the people are teaching the children? It sounds like they're teaching them like about privacy. Like you mentioned how Snapchat is ephemeral, but not really. Like educating them that anything they put online is really kind of public.
Stephen Epting (13:13)
Mm. Yeah, just their digital footprint, like what they post online, stuff they do on the computer, like even with forensics, like, you know, your metadata shows everything what you did, like when you did it, how you did it, where exactly you did it. And that's one thing I learned doing forensics for mobile devices is your picture actually timestamps your location too. And we would use that in a lot of investigations, but
You know, we just try to teach these kids like technology isn't always what it seems like it tracks a lot more than you think.
Mikey Pruitt (13:49)
Yeah, there's a little thing in pictures called EXIF data. There's a lot of data behind what you see on the image.
Stephen Epting (13:52)
Yeah. Yeah.
Pictures, cause the mobile forensic program we use that the police department tracked a lot of stuff. Like a lot of stuff comes off that little mobile device.
Mikey Pruitt (14:09)
So what do you, what does the staff and I guess like your, people come to teach children, what do they do for students that are kind of on a trajectory that's not necessarily technology? Is it the same sort of training? So like kids that are like in, you know, more of a liberal arts path or social sciences, like how do we educate them on becoming better internet citizens, I guess?
Stephen Epting (14:35)
Yeah, well, we try to like some kids that are in like special programs, we try to get them to implement MFA and you know, we tell them that don't share your password. Try to enforce a strong password policy just so you know, you're teaching these kids when they enter the real world, you know, password 123 is not a good password. You know, it needs to be complex, needs to be as long. You need to change it, you know, fairly often. Always enable MFA.
Mikey Pruitt (14:54)
Thank
Stephen Epting (15:04)
And like some of the kids are in the older classes too, we try to talk to them about that. Cause if these kids are in high school having their birthday or password one, two, three as our password, we're kind of failing them a little bit, you know?
Mikey Pruitt (15:20)
I'll tell you a little story. A local school near me had like a STEM week or something and they invited people to come teach the kids about a thing. And I went to talk about cybersecurity. And it was shortly after Christmas and I had a bunch of boxes from my neighbors, like an Xbox and an iPhone. I these empty boxes up behind me on the lectern or whatever. And the students came in the class and they're like, can we win that? Can we win that? And I was like, yeah, you can win that. I'll show you how in a minute.
Stephen Epting (15:26)
Mm.
Mm-hmm.
Mikey Pruitt (15:49)
I basically, was like, give me your email. I set up a website with Evilginx. I don't know if you ever heard of Evilginx. So I set that up and, and, so just give me your email. And that triggered, you know, after a random delay of time an email from their teacher, um, that said they had won and to click on their school's portal to claim their prize, pick out what they wanted. Everybody wins. Everyone's the winner. So.
Stephen Epting (15:56)
Right.
Yeah, but I'm sorry, how many people clicked
that? Everyone?
Mikey Pruitt (16:19)
Everybody and all the staff. So the crazy part was they used a system called RENWeb at this school. Maybe you're familiar with it. So I purchased a domain RENWeb with two Vs, like a typosquatted version of it. And with Evilginx, you can just say, I want to mimic this website. So during the presentation, they were all getting these emails and going crazy, clicking on their tablets and stuff.
Stephen Epting (16:22)
wow.
Yeah. Right.
Mikey Pruitt (16:47)
I was teaching them how to spot a phishing email. Like these are some things you should look for. And the emails that were getting sent to them had most of these telltale signs. I even misspelled a couple of things and the signature wasn't exactly right from what their teacher normally sends. And while I was talking, I was asking them questions. Like, did you spot any of these? They're, you or sorry, after I revealed the thing, they get to the end and it's like a you've been hacked page.
Stephen Epting (16:56)
Yeah.
Right. Yes.
No.
Mikey Pruitt (17:15)
So then
I was like, you know, who noticed anything from these emails? And kids were like, well, you know, that didn't look like the way my teacher writes. And it had this weird button on the top that it was from a mailing list and all this stuff. And then I was like, but you clicked it anyway. And they did, everybody.
Stephen Epting (17:25)
Right.
Yeah,
that's funny. There's a lot of high schools like all around the US that are facing this phishing campaign. Basically, they're saying, hey, you can work two to three hours and make $700. Click this link and give us your information for and we'll send you an application. And you know what high schooler doesn't want, you 700 bucks to work just two, three hours. So a lot of schools have seen like those kind of phishing scams like
specifically targeted towards them.
and a lot of them fall for it.
Mikey Pruitt (18:05)
Didn't know that so
there's phishing campaigns dedicated to students really. Wow.
Stephen Epting (18:11)
Yes, high school students specifically, like almost like a spear phishing where it's just high school students. Cause you know, most of them are, you know, 14, 15, 16, 17 within close to working range. So it's just kind of a smart.
Mikey Pruitt (18:27)
Are those emails coming to their school email address or a Gmail they have or Yahoo school? Wow. So those could have been obtained through one of those data breaches, like the PowerSchool one we mentioned, perhaps.
Stephen Epting (18:30)
Yep, school emails. All those ones I've talked to have been like school emails.
Yeah, and you know, some students could theoretically use their school issued email for, you know, to sign up for Spotify or, you know, any other billion vendors or, you know, accounts.
Mikey Pruitt (18:58)
Yeah, I can put myself in the mind of a student if it's on my school account, it seems a little bit more legitimate. Like there's already a level of trust baked in.
Stephen Epting (19:06)
Yeah,
you know, my parents may not check my school email. Like they check my regular email, but they don't check my school email. So that can be a little bit sneakier with it too, probably in their mind.
Mikey Pruitt (19:20)
As crafty kids. Well, what kind of role do you think the kids should play on their own? Like, maybe the ones that are a little bit more aware of the dangers. Like, what do think they can do to secure their campuses?
Stephen Epting (19:20)
That's the kids, they can be sneaky. Yeah. Yeah, they're smart.
They can report stuff. Yeah, I mean they can report stuff when they see it reported to their teacher, their principal. They can be a little bit more suspicious of stuff when you know, just in the age we live in, not every person that comes in contact to you has good intentions for you. So they can be a little bit more suspicious and we actually have a lot of ways they can report phishing and any suspicious like not even like digital, but like
Mikey Pruitt (19:40)
or their digital lives maybe.
Stephen Epting (20:08)
they see anything like out of the ordinary, there's lots of options for them to report it. But yeah, for them to play their part they need to be suspicious of more stuff and not so trusting. You know, bad people are out there, unfortunately.
Mikey Pruitt (20:23)
Yeah, absolutely.
We have a suspicious at DNSFilter.com email that all of us employees send suspicious emails that we can research them. And if there are some malicious domains in there, add this to our, our lists or whatever. But one of my coworkers today was making a joke. Like I got, I got this email from my manager that said she had assigned me a task, but I think it's suspicious. So she's like,
Stephen Epting (20:41)
block out.
Yeah.
Mikey Pruitt (20:51)
I'm just going to send everything to suspicious ad.
Stephen Epting (20:54)
Yeah, so when I worked at the police department I actually got an email from, it was not a real email, it's a phishing simulation, but it was signed like it's my supervisor's name and it said something like, hey, can you help me open this? Because he wasn't like a technically savvy guy. So he would normally send me stuff like that. Okay, can you help me with this electronic or this whatever digital thing. So sure enough I opened it. I was like, okay. Well, he's just asking me for, you know, help on something. So, you know,
I got stuck with a 20, 30 minute training for phishing.
Mikey Pruitt (21:28)
Yeah, they got you really good there because that's a routine thing that you always do.
Stephen Epting (21:33)
Yeah, so they actually have a, like, phishing campaign. Like there's a bunch of companies apparently that have those targeted towards K-12 environments. Instead of having a 20, 30 minute training that kind of explains to students and staff, like this is what was fishy about this email. And they call it like a micro training where it's like 30 seconds to two minutes. And we like that because, you know, if a student clicks something, you don't want them to be
out 30 minutes taking a phishing training because that affects their learning environment. So like I'm glad very, very glad to see there's lots of K-12 security awareness vendors out there.
Mikey Pruitt (22:14)
Yeah, bite size, tidbit, that's a good strategy. Even for adults, honestly, all of our tidbits are getting very small.
Stephen Epting (22:20)
Yeah, I mean, teachers are busy
too. Like they have to teach a class and if they're out 20 minutes for a phishing, you know, campaigner and training, they're going to be upset. Students will be happy, but teacher will be upset.
Mikey Pruitt (22:33)
So with.
Yeah, for sure. So I'm curious, you know, the environment has kind of changed in education since the COVID pandemic, and there's a lot more remote learning now. What type of challenges do you see in this hybrid or fully remote education? Like, what are the things you have to do differently?
Stephen Epting (22:57)
Mmm
As far as differently is just, we have to be kind of cognizant that the kids were not being supervised. Like they can try to, there's a little bit less supervision on them from, you know, parental figures or siblings or whatever their living situation is like. And so we can always, we have to be able to make sure they're doing their schoolwork. So it's a little bit more focus on them to make sure they're doing what they're supposed to be doing versus, you know.
going to sites they're not supposed to or proxy sites.
Mikey Pruitt (23:34)
Yeah, they love those proxy sites. That's how they get around DNSFilter when we hear about it.
Stephen Epting (23:37)
Yeah,
you you block three proxy sites and a hundred more pop up.
Very, very familiar with proxy sites.
Mikey Pruitt (23:46)
And
yeah, and that's what we have to do is we have to, we use like machine learning to figure out, this is a proxy site. And then gets auto added to our category or whatever, but it's like a, it's a cat and mouse game. It's hard. It's rapid.
Stephen Epting (23:58)
Right.
Yeah, I mean you
like I said you block one five more pop up and it's just a never-ending battle like I'll do it tomorrow. I'll do it Ten years from now and I'll be doing it 20 years from now like students are still gonna get a proxy sites and try to bypass network security
Mikey Pruitt (24:19)
So there's always a trade-off between security and convenience. And I'm curious how you balance this in the education system, security versus control and segmentation of things.
Stephen Epting (24:36)
So you want security, but you also want students to not be bogged down by tons of security controls, tons of, you want them to be able to have access in a somewhat quick manner. So it's all about a balance, just finding like, let's make it as secure as we can, but let's also have them learn and not have to go through 50 hoops to get logged into one website because you know,
schools have so many vendors and so many websites they have to go through. We just want to try to find that balance of like secure, but you know, not a pain in the butt.
Mikey Pruitt (25:18)
So it's more like guardrails than say, super strict security controls. Like I'm thinking of zero trust and all these things we kind of strive towards. It's just too hard.
Stephen Epting (25:26)
Yeah.
There's
so many, there's so many great websites for learning is, you know, it's hard to do zero trust or, you know, whitelist or just blacklist, whatever you want to call it. Like it's hard to do block everything when they need access to so many different sources for learning. Cause you know, YouTube is a big thing in K-12 because some people want to block it. Some don't, but you know, you could argue I've learned, I've personally learned a lot from YouTube, like getting into cybersecurity.
There's this kind of a hit like, you you you kind of have to weigh the pros and cons sometimes like Yeah, YouTube's has a lot of bad stuff on it. But also has a lot of good stuff like You have to kind of go with the pros and cons and see which way the scales tip
Mikey Pruitt (26:18)
Well, let's talk about that learning, you know, that broader learning. Cause I mean, I, I'm sure like most of the audience, I learned a lot of stuff on YouTube, just like you said. Um, and also learn a lot of things from, uh, like, uh, chat bots now, like AI chat bots. And you know, some of it is, you know, you gotta be a little cautious when you're, can't take it as, as gospel for say, but there's.
Stephen Epting (26:33)
yeah.
Yeah, you
have to call these AI LLMs out sometimes because they're just not right.
Mikey Pruitt (26:50)
But like you say, you can't just block everything. What are school systems doing to prevent the use of AI in a negative way? Because it can of dull your mind a bit into that thinking.
Stephen Epting (27:02)
be a good source.
Yeah. So we, there's still some AI services we've looked into and we've used, but you know, it's just kind of slippery slope because you don't want kids to have access to like ChatGPT backs, you know, for example, just because a they're going to cheat probably some may use it for legitimate learning experience, but
A lot of students will also use it for cheating, unfortunately, or Googling the answer and stuff like that. So, or writing papers, because a lot of students have to write papers. You know, it kind of defeats the experience of learning if ChatGPT is regurgitating a paper form. So, I'm hit or miss on kind of AI in schools right now.
Mikey Pruitt (27:51)
Yeah, I had a someone I spoke with does training for cybersecurity and they do teaching at a university level. And they said that because of that, because students can cheat that she requests them to create like a sub two minute video of them talking about the topic. It doesn't have to be, you know, like public, but they have to record a video of them disseminating the topic and in a way that shows they understand it in lieu of a paper.
Stephen Epting (28:22)
Yeah, that's actually pretty smart too because I know they make like these programs that filter like they're supposed to AI detect, but I feel like we even with AI, like you can have AI work around that if you want like, hey, rewrite this, but avoid AI detection tools. And you know what? Or it could detect something that's legitimately written just, you know, sounds like AI. So I think schools have a lot of skepticism with AI detection tools, just from my experience.
Mikey Pruitt (28:59)
Yeah, I can see that. with no dashes. That's like, like,
Stephen Epting (29:04)
Yeah, yeah. Anytime I see em dashes, I instantly think, I'll try GPT.
Mikey Pruitt (29:09)
Yeah, or in the digital landscape. You know, one of those starting phrases.
Stephen Epting (29:13)
Or, know, whether from this to that, you know, from A to B or whatever, like a really like a contrasting statement. I always think it's ChatGPT. Like even on LinkedIn, you see this post.
Mikey Pruitt (29:21)
Yeah. I know I actually do a lot of research and it presents information to me in that way. And I'm like, this is really bad. Like it's hard to understand what you're even saying AI. Like where did you learn this?
Stephen Epting (29:38)
Yeah, it's it's like literally talking. I know you're literally talking to a robot, but it sounds like a robot like Sometimes I just if I'm using ChatGPT, I'll say like say it casually like You don't you don't yeah, like don't talk to a rocket robot like
Mikey Pruitt (29:51)
Yeah, casually, like talking to a friend.
So going back for a minute to the people that are targeting students, you specifically called out high school age students. Are these like nation state actors or are they just hacker groups? good.
Stephen Epting (30:11)
Yes, nation state this not from not from the US all foreign IPs just and from what I've seen it looks like they're just trying to harvest information.
Causing the forms.
Mikey Pruitt (30:29)
Yeah, that was my next question.
Like what do they, what do they want? Because students typically don't have access to like credit cards and bank accounts. So what are they after?
Stephen Epting (30:36)
Credit cards, but you know, Social Security is PII. Their names, emails, phone numbers, so they can continue their attack.
Mikey Pruitt (30:49)
So they're harvesting data for perhaps a future event. That's scary.
Stephen Epting (30:53)
a future event
or, you know, hey, if we have this kid's phone number, let's start texting them about this job or that job. And like, Hey, like only 20 bucks to start it, provide a credit card. And some kids may have a credit card or debit card and, you know, provide that.
Mikey Pruitt (31:15)
So how should schools train educators and staff against these situations that can arise? We talked about cybersecurity awareness, but what specifically should it include?
Stephen Epting (31:32)
First off.
Mikey Pruitt (31:34)
Yeah, start with staff. Like how do we, how do we get them over the hump of understanding the bad stuff that's out there and how to protect against it?
Stephen Epting (31:36)
Yeah, I mean really does they have to understand that like phishing happens to people and if you're a victim of a phishing attack a it's a pain in the butt to kind of you know, get everything back to where it was if you ever had your social security, you know compromised because you have to call these credit places but also it is kind of us the organization on a bad spot to cause you know, their assets could be leaked out or information about their systems you just
Always be suspicious of everything. Like that's what I tell staff just. And I don't, people want to forward those emails to me. Like I'm always fine. Like you're not going to bother me. Like if you say, Hey, can you look at this? Does this seem legit? Or even ask a coworker like, does this seem legit? It seems weird. They're saying they're using the word kindly like three times. You know, just be suspicious of everything. Like kindly do this.
Mikey Pruitt (32:43)
You're like kindly.
Stephen Epting (32:44)
That's a lot of, that's a lot of kindly in the email, like probably, probably not legit.
Mikey Pruitt (32:49)
So how do you and your team design security policies around kind of a unique sector in our world of educators and students? It's not like any other really. How do you design security policies for them?
Stephen Epting (33:08)
Kind of, but going back to what I was saying earlier, you just want to tip the scales in the right way, like a security policy where everything's secure, but also where it's not affecting children's learning. You know, you don't want to bog down staff with so many hurdles where they can't do their job and then get frustrated, but you also want to keep things secure. So it's just, you want to find that policy and kind of see what works and
You know, if it works, say like, what step can you go further to make it more secure and, you know, not hinder the learning environment.
Mikey Pruitt (33:45)
Well, let's say, let's do like a hypothetical. If something were to happen, someone, one of those high school students were to click on whatever's in that phishing link, malware was downloaded, moved laterally across the network. What are some of the remediation steps that are specific to education? Or maybe they're not unique to education. Talk about that. And also like, what are those steps?
Stephen Epting (34:06)
Same, you know, contain it, you know, cut off access, cut off the, cut off the machine that needs to be cut off. Same way really. I mean, just make sure it doesn't affect the network and cut it off and handle it.
Then you would educate the.
Mikey Pruitt (34:24)
in schools and
I'm good.
Stephen Epting (34:30)
And so then you just educate the user and the staff or the student. Like, hey, you know, you clicked this, this was actually, you know, a big thing. It wasn't real. It was a virus.
Mikey Pruitt (34:45)
So quarantine, educate.
Stephen Epting (34:46)
And that'll be an inconvenience.
Yeah, just incident response stuff. You just handle it like you would any other incident. But the kids are probably going to be inconvenienced too, because they're probably going to take away whatever computer they have and give them a new one.
Mikey Pruitt (35:08)
Yeah, that is good. The devices are kind of ephemeral. You can just provision a new one, give it over, and then perhaps investigate, go back to your law enforcement days, and do a little forensics on that specific device.
Stephen Epting (35:13)
and
Right. Yeah, I love forensics still. Like, I still get to do forensics and I love it. I love taking around and stuff.
Mikey Pruitt (35:26)
So we often hear that like governments and, you know, kind of therefore schools move slowly with technology. Do you see that happening currently still?
Stephen Epting (35:38)
Across the U.S., I would say government in general is notoriously slow. If you ever had to work with the government on anything, it's really slow, because most places have to do requests for proposals where, like, we want this type of software, this kind of service. You have to do a request for proposal and, you know, companies and vendors get to apply for it. And you have to kind of vet between them and choose and
there's a lot of processes, especially with the government funding and taxes and, you know, a lot of school districts can't really spend willy-nilly. They have to kind of choose, like, hey, this is what we have budget for. How much do we need this? Is there a substitute that's cheaper? Like, how big of a problem was it? Just kind of managing your risks and seeing how big of things and weighing stuff in. But, you know, some of that kind of stuff takes time. Sometimes it's
school districts don't have the money to just splurge, unfortunately.
Mikey Pruitt (36:42)
Yeah, that I've definitely seen. So you mentioned the high schoolers getting targeted by, it seems like nation state actors. What are some other trends that you see growing in the education sector?
Stephen Epting (36:51)
Mm-hmm.
Kids now, like, I know when I was in school, we obviously didn't have any computers or anything, but kids are on their computers most of the day. So they just have a lot more access. They're on the internet more. They're going to different sites just, you know, for learning and just, there's a lot more. When you walk in a big minefield, there's a lot more mines out there, obviously. So
There's a lot more dangers when you're on the internet a lot more than we were 15 years ago.
Mikey Pruitt (37:37)
Yeah, I was in the generation where they told us we would never have our calculator in our pocket.
Stephen Epting (37:42)
Yeah, me too. Yeah, there's like, yeah, you can't have a calculator, but you're required to buy this Texas Instrument. This is like 150 bucks. It's like, wait, what?
Mikey Pruitt (37:50)
Yeah.
Trying to cripple us with the Texas Instruments graphing calculators.
Stephen Epting (37:56)
Yeah, and just, that's kind of a personal concern I have with AI and, you know, not just K-12, but universities. You know, these kids and young people are just going on, instead of using critical thinking, they just go on ChatGPT and say, hey, how do I do this? You know, your brain's a big muscle. When you stop thinking how to do stuff, it kind of goes away, like use it or lose it. So that's
a personal concern I have with AI. I just hope these kids don't become overreliant on it in the future, because AI is good for what it's good for, but it's not gonna run your life for you.
Mikey Pruitt (38:39)
Yeah, I would agree with that. I think most of the audience would too. The critical thinking, like with AI, you really become more like an editor than an originator of things, but you still have to have critical thinking to understand, like, what is a good idea versus a bad idea. Perhaps the AI response can spark something novel within you. And the AI can't do that. Like it cannot
Stephen Epting (38:50)
Yeah.
Mikey Pruitt (39:07)
create new things out of the ether. It may combine things in new ways.
Stephen Epting (39:10)
Yeah, it just uses pre-existing data. Like, it's just basically pulling from a little bit everywhere. Like, and you know, not every situation is the same as, you know, XYZ. So AI may give you the wrong output. It just all depends on the prompt.
Mikey Pruitt (39:32)
I'm thinking of a theoretical feature where, if you take a textbook or whatever, 12th grade math, let's not use math, let's use like social studies or something. If you take that and you format it in a way that's like markdown or whatever, something easily ingestible by AI, you chunk it up and put it into a database and then you put an AI agent in front of that, then the student can then ask
Stephen Epting (39:43)
All right.
Mikey Pruitt (40:00)
questions against that textbook and theoretically it would know everything there is to know in that textbook. And I think what you're posing is that the students would know what to ask. They would just be, their critical thinking would be.
Stephen Epting (40:12)
Yeah, they wouldn't know what to ask and, yeah, they just wouldn't know what to ask or like, where do I go from here? Like, I can't, what's the first step? Like, what's the first step in doing this? But, and you know, and I think we'll see a lot more stuff with AI with, like, data poisoning too, just AI having the wrong info and it just outputting something completely wrong. 'Cause I've personally gotten wrong outputs before and
Mikey Pruitt (40:22)
Yeah, what?
Stephen Epting (40:42)
I've had to call out AI before. It's like, hey, that's not right.
Mikey Pruitt (40:47)
Yeah, the problem when you tell it it's not right is it'll be like, you're absolutely correct. It's this. And you're like, that must be it. Then you're like, wait, is that it? You can't trust it.
Stephen Epting (40:57)
Yeah, AI is very agreeable. I've personally kind of found like it's not really gonna say like, no, that's incorrect or whatever. It's just like, yeah, you know, that's a good, good way to look at it. But you know, maybe it could be this too. It's like, okay. Yeah.
Mikey Pruitt (41:14)
Yeah, you have to be very skeptical, just like in your security life and your privacy life, you have to be skeptical and just with AI, you have to do the same.
Stephen Epting (41:22)
Yeah, AI is not the gospel. Just validate everything it says. Like, don't take its word for it, because AI is incorrect a lot.
Mikey Pruitt (41:33)
So with you in the education space and you know, kind of in a unique corner of that space in cyber security and IT, how do you like stay up to date on information? What do you go for for your news?
Stephen Epting (41:48)
I go to a lot of different places. I go to, you know, Hacker News. I go to LinkedIn, where I have a fairly large cyber network. I talk to them. I go to local events, DEF CON, BSides Greenville or BSides anywhere really. Just Google stuff. I don't trust in any one source. I try to go to a lot, and just local news too.
You know, the PowerSchool breach, I saw that on the news before, you know, Hacker News covered it. There's some K-12-specific newsletters, like, we like to read. Just, you know, I don't believe you get your news from any one source. Just go to everywhere.
Mikey Pruitt (42:36)
Yeah. And then use your own critical thinking to decipher what's, what's accurate or important for you.
Stephen Epting (42:36)
Like talk to people. Yeah, critical thinking just like, like, well, yeah, just, you know, you look at a news article and say, hey, does this affect us or, hey, this company got breached. Do we use them? Wait, we do. We should probably look into it and see what is affected and if we were affected.
So just.
Mikey Pruitt (42:58)
100%. Well, Stephen, thank you. Yes, absolutely. I was just going to say thank you for joining me today, chatting a little bit about education. And I think we got a little deeper on AI than I was expecting, which I should always expect, because it's like the hot topic these days, especially in schools.
Stephen Epting (43:01)
Yeah, just that's kind of the ground.
Yeah, absolutely.
Yeah, that's a hot topic. Yeah, it's a hot topic.
Yeah, schools are all using it too. And these students are trying to use it too. And it's not always for learning.
Mikey Pruitt (43:32)
Yeah, we have to train them on a new vulnerability, essentially, like how to use AI properly.
Stephen Epting (43:38)
Yeah, and what information you're putting into it.
Mikey Pruitt (43:42)
Yeah, data exfiltration is real.
Stephen Epting (43:45)
Yeah.
Mikey Pruitt (43:47)
Well Stephen, where can people find you on the internet?
Stephen Epting (43:50)
So they can follow me on LinkedIn. I'm not always consistent with posting just because, you know, life happens sometimes, but I like to engage with people and talk with them on LinkedIn. And I like to mentor new people who are, like, interested in cyber. I always like to teach them because I actually had a mentor get into cybersecurity named Robert Wettstein. And I made him a promise I would mentor people to, like, pay it forward. So.
I always like to talk tech with people or Lord of the Rings. I have some chats where I just talk Lord of the Rings with people. Favorite hobbits, favorite characters, whatever.
Mikey Pruitt (44:29)
Yeah, you're like, this is how I exercise my critical thinking as I analyze Lord of the Rings lore.
Stephen Epting (44:34)
Yeah. Yeah, I'm a big Samwise Gamgee fan.
Mikey Pruitt (44:40)
I have no idea what any of that means.
Stephen Epting (44:43)
Okay, man, you gotta watch the movies or read the books. Good movies and good books.
Mikey Pruitt (44:47)
I definitely have some educating to do. What did you say it was? Samwise? I'm looking up right now.
Stephen Epting (44:51)
Samwise Gamgee. He's the best friend of one of the main characters, but he's a gardener.
Mikey Pruitt (44:57)
I'll do some research on that later.
Okay, I see it right there. Man, it's gonna be a deep dive after this. Well Stephen, thank you so much.
Stephen Epting (45:06)
You're welcome.
Welcome, everybody, to another episode of DNS Unfiltered. Today I'm joined by Stephen Epting. How are you, Stephen?
Stephen Epting (00:08)
Good, how are you doing Mikey?
Mikey Pruitt (00:10)
Good, great. I'm glad you could join me today. So Stephen is kind of an expert in the education field on cybersecurity. But before we get into that, let's talk about how you guys started in cybersecurity to begin with.
Stephen Epting (00:23)
So I actually was a law enforcement officer for a long time. I worked criminal investigations. And when I started working criminal investigations, working internet crimes against children, you know, I was kind of drawn to the mobile forensic side of getting these criminals phones and extracting them and getting into them and getting evidence. And I actually liked that so much. was like, hmm, I wonder if I can make a career out of this. Did a little bit of Googling. Turns out I can. So I made the career jump at
in my late thirties to cybersecurity and digital forensics. And I haven't looked back since. Love it.
Mikey Pruitt (00:59)
That's really interesting. We actually have someone at DNSFilter that came from a law enforcement background. And ⁓ I wasn't surprised. I'm actually the one to hire her. ⁓ I wasn't surprised at how adept she was at what we do here. Because there's a lot of ⁓ skills that cannot transition across. There's a lot of, or, yeah, talk about those.
Stephen Epting (01:18)
⁓ Lots of transferable skills, investigations, you ⁓
So, you know, you're looking through forensic phones or basically. You're just trying to find evidence, which is, you know, really the central core of any investigation, which. Whether it's a criminal investigation or an investigation into a, you know, breach or something like that, it's all kind of the same process. So, you know what to look for. You keep your cool. You kind of find what you need to get. And just be really thorough.
And you know, every police officer and detective has to document accordingly. So usually our documentation is pretty spot on.
Mikey Pruitt (01:56)
Yeah, that was one thing I noticed, documentation and cool under pressure. ⁓
Stephen Epting (02:01)
yeah, like...
Being an investigator, you get a lot of stuff. So that's pretty serious. So yeah, I mean, I worked in Internet crimes against children. I don't think anyone wants to know what I did, but they were very, very serious. Lots of victims, a lot of, you know, time urgent stuff where you wanted to get stuff handled and make the rest if you're able to as quick as you can. Cause if you don't kids get hurt.
Mikey Pruitt (02:08)
You're like, I don't want to say on camera, but yeah, it gets hairy out there. Yeah, we're good.
So that's really cool because like you transition into cybersecurity, however, you are still in the business, let's say, of protecting children in the school system. So how did that ⁓ translate into education?
Stephen Epting (02:40)
yeah, yeah.
So working with juveniles and children, was actually pretty familiar with the school system where I work now. So I was a lot more familiar with it coming in and just kind of knowing like what kids do, like what to look for and stuff like that too. Just working with juveniles so much, you you just kind of learn how things are with them.
Mikey Pruitt (03:06)
So is your role at the county school system you work at, is it only cybersecurity or is it IT as well?
Stephen Epting (03:14)
So I do a lot. ⁓ I like to describe as purple team because I do cybersecurity, but also do GRC governance, risk and compliance. I do digital forensics and I do, you know, some red team stuff as well. So I do a little bit of everything.
Mikey Pruitt (03:34)
So is the red team stuff that you do, it to bolster the blue team side? Like is it attacking your own defenses to see if they're adequate?
Stephen Epting (03:44)
Yeah, it's penetration testing essentially just attacking our own defenses, see where the weaknesses are, work with the engineering team to see the fix those and remediate any issues that we have. And, you know, we have, we have to collaborate a good bit.
Mikey Pruitt (03:55)
And about...
I gotcha. About how many ⁓ students are you kind of, guess, responsible for, I guess is kind of a good
Stephen Epting (04:06)
So my district's actually the top 50th biggest districts in the US, which I did not know. So we have about 80,000 students and 12,000 staff, which is a good bit.
Mikey Pruitt (04:11)
OK.
What do you think the differences are between protecting staff and protecting the students?
Stephen Epting (04:29)
⁓ staff you just have to be a little more careful for just because they have a little bit more permissions than students have students are very limited what they can see and what they can't see so staff You know And you've been in the game not every staff member is technically savvy ⁓ I found that children a lot more tech smart than you know, some adults are like we're we kind of talked about a little bit earlier just you know, some of these
fifth, sixth graders, they can hack, they know how to, they know what to do, what to look for. They're just a lot more aware of things.
Mikey Pruitt (05:09)
Yeah, we've learned this at DNS filter kind of the hard way. Some of our customers that are in the education industry, their student, they're, you know, that we'll get a message from some staff member and I'll be like, the students got around your protection. We're like, what did they do? Like they're so crafty at getting around security, more so than the staff.
Stephen Epting (05:21)
Mm-hmm.
Yeah, yeah, they're they're sneaky. They're
Yo, they're smart. They, you know, ⁓ to a degree, I respect their curiosity because I'm the same way as like, if they can do it, they're going to do it. You know, if they can do it, it's on us.
Mikey Pruitt (05:45)
Yeah, the children are our best penetration testers, I believe.
Stephen Epting (05:49)
yeah, they, a lot of them want to do anything but learn, you know, math and science.
Mikey Pruitt (05:55)
Well, technically it is math and science if they're learning how to hack.
Stephen Epting (05:58)
⁓ Yeah, I guess the
perspective they're learning one way just not what the
Mikey Pruitt (06:01)
Well, what do you think?
Yes. What do you think big risks are that schools and universities kind of ignore?
Stephen Epting (06:17)
I think there's some school districts that probably budgeting is a big thing with school districts. All this cost is, you know, funded from the public and taxpayer. So, so budgeting is a big risk because to have good defense in depth, need a good software, good tools. And, you know, sometimes you just, you can't afford it or some leadership and some other school districts may not see the importance of a
it because they haven't experienced it yet. So I think you articulate into leadership sometimes and places like not my organization, because I work for a really good one. But from what I've seen some other ones, you know, they kind of struggle seeing the seriousness of a breach.
Mikey Pruitt (07:05)
heard the phrase, the burn hand is the best teacher. I think I saw that on like from one of the inventors of Python.
Stephen Epting (07:10)
Yeah, I'm a big Lord of the Rings fan.
Yeah, big Lord of the Rings fan, but yeah, I love that quote by Gandalf because I mean, it's essentially what we do, right? Like you fail, you learn, you beat yourself up and you get a little bit better. And that's how you say, well, that's never gonna happen again because burn me once. Shame on you, but fool me twice, shame on me.
Mikey Pruitt (07:38)
So when you encounter some staff or someone on like a school district board that doesn't really believe in budgeting for cybersecurity since that's one of the biggest risks, how do you kind of convince them? How do you turn the tides and bring them to your side?
Stephen Epting (07:53)
Well, with education data is a big thing. If you can go back and show them the data, like, Hey, this is what X school district lost, or this is what X university lost in the time. ⁓ took the, bring everything back up. They usually see it that way. And, and if you articulate cause what happens when a school district goes down, kids don't learn, right? Lots of mad parents, lots of staff and a lot of, a lot of yelling. So
you can articulate that and kind of show the data of like, this is what happened with them. We don't want to be that guy. I think they understand it a little bit better that way.
Mikey Pruitt (08:33)
So you're basically bringing ⁓ facts and ⁓ stories essentially of people who weren't quite as serious about cybersecurity. I'm thinking of, ⁓ it wasn't too long ago, ⁓ like a CMS kind of thing for schools. I believe it was called Power School got breached. And when something like that gets breached, there are now tens of thousands or hundreds of thousands of students records out in the ether.
Stephen Epting (08:59)
yeah.
Mikey Pruitt (09:00)
very serious records like social security numbers, like these kids don't yet, and they don't have like a credit history yet.
Stephen Epting (09:03)
Address as parent information like their family dynamic. Yeah, so.
And you know that's that's really bad too with the power school thing too, but. You know, we're essentially protecting kids information like we don't want that out there. And you know, sometimes school districts are at the mercy of vendors. Because a lot of school districts use power school.
That's like one of the biggest educational vendors in the U.S. So they had a lot of unhappy customers and.
You know, and we try to vet all these vendors for security issues as well. Cause we know we do have to comply with the COPPA, the Children's Online Privacy Protection Act. So we have to make sure we do all our due diligence to make sure these vendors are secure.
Mikey Pruitt (09:57)
With something like that particular breach, how can you recover, I guess is maybe a bad word, but how can you further protect the student from that data being out there? It doesn't seem like there's much recourse.
Stephen Epting (10:14)
⁓ think you have to kind of look at it individually. You can't worry if other school districts information got out. Like we have to worry about our students, our district, our organization. So you have to kind of see what, what the damage is for us. ⁓ you know, we're in a more fortunate situation because we weren't really affected, but, ⁓ you know, you just kind of have to handle it as it comes. Like, luckily we didn't have to.
We don't have much recourse of it.
Mikey Pruitt (10:48)
Well, you mentioned about budgets being tight. Is there any like very high impact or or high impact and low cost initiatives that you can push?
Stephen Epting (11:04)
Yeah, so there is, mean security awareness to my one of my partners that works with me and information security. He actually goes to all these schools, primarily elementary schools, and he talks to kids about online safety, digital footprints. You know what you post on the Internet doesn't always go away like Snapchat's not forever either. And you know, there's some other free resources that state offers like with ⁓
the state attorney general's office, they have people that come out and talk to students as well. And you know, that's free. You just have to make the effort and sign up for it. that's some of the budget friendly stuff like we've looked at.
Mikey Pruitt (11:51)
Yeah, security awareness training is really big in business. I'm glad to see schools taking that initiative too, especially teaching kids at a young age when they're, you know, handed their parents iPad to say like watch YouTube or like, like leave me alone for five minutes.
Stephen Epting (11:57)
Mm-hmm.
Now
YouTube can be dangerous too though. There's lots of stuff on YouTube that's not.
Mikey Pruitt (12:09)
Yeah, have you heard of the...
I was thinking of the like Elsa gate scandal with like YouTube videos will devolve into these very odd videos that are on YouTube for kids. and just weird stuff starts popping up. We've also seen things like, ⁓ roadblocks, like the gaming platform where people can be predators can lurk on there and, get children to do things that they would normally do or should do. ⁓ it's, it's a dangerous place out there.
Stephen Epting (12:22)
Mm-hmm.
Yeah.
Right. I'm very familiar with Roblox.
Yeah, very familiar with Roblox from my work in Internet crimes against children. That's a very, very, very notorious area for predators, unfortunately.
Mikey Pruitt (12:52)
Yes, very unfortunate. What do you think? It's really so what do think the people are teaching the children? It sounds like they're teaching them like about privacy. Like you mentioned how Snapchat is ephemeral, but not really. like educating them that anything they put online is really kind of public.
Stephen Epting (13:13)
Mm Yeah, just their digital footprint, like what they post online, ⁓ stuff they do on the computer, like even with forensics, like, know, your metadata shows everything what you did, like when you did it, how you did it, ⁓ where exactly you did it. And that's one thing I learned doing forensics for mobile devices is your picture actually timestamps your location too. And we would use that in a lot of investigations, but
You know, we just try to teach these kids like technology isn't always what it seems like it tracks a lot more than you think.
Mikey Pruitt (13:49)
Yeah, there's a little thing in pictures called exif data. There's a lot of data behind what you see on the image.
Stephen Epting (13:52)
Yeah. ⁓ yeah.
Pictures, cause the mobile forensic program we use that the police department tracked a lot of stuff. Like a lot of stuff comes off that little mobile device.
Mikey Pruitt (14:09)
So what do you, what does the staff and I guess like your, people come to teach children, what do they do ⁓ for students that are kind of on a trajectory that's not necessarily technology? Is it the same sort of training? So like kids that are like in, you know, more of a liberal arts path or social sciences, like how do we educate them on becoming better internet citizens, I guess?
Stephen Epting (14:35)
Yeah, well, we try to like some kids that are in like special programs, we try to get them to implement MFA and you know, we tell them that don't share your password. Try to enforce a strong password policy just so you know, you're teaching these kids when they enter the real world, know, password 123 is not a good password. ⁓ You know, it needs to be complex, needs to be as long. You need to change it, you know, fairly often. Always enable MFA.
Mikey Pruitt (14:54)
Thank
Stephen Epting (15:04)
And like some of the kids are in the older classes too, we try to talk to them about that. Cause if these kids are in high school having their birthday or password one, two, three as our password, we're kind of failing them a little bit, you know?
Mikey Pruitt (15:20)
I'll tell you little story. A local school near me had like a STEM week or something and they invited people to come teach the kids about a thing. And I went to talk about cybersecurity. And it was shortly after Christmas and I had a bunch of boxes from my neighbors, like an Xbox and an iPhone. I these empty boxes up behind me on the lectern or whatever. And ⁓ the students came in the class and they're like, can we win that? Can we win that? And I was like, yeah, you can win that. I'll show you how in a minute.
Stephen Epting (15:26)
Mm.
Mm-hmm.
Mikey Pruitt (15:49)
I basically, was like, give me your email. I set up a website with a evil jinx. I don't know if you ever heard of evil engine X. So I set that up and, and, so just give me your email. And that triggered, you know, after a random delay of time and email from their teacher, um, that said they had one and to click on their school's portal to claim their prize, pick out what they wanted. Everybody wins. Everyone's the winner. So.
Stephen Epting (15:56)
Right.
Yeah, but I'm sorry, how many people clicked
that? Everyone?
Mikey Pruitt (16:19)
everybody and all the staff. So the crazy part was they used a system called RENWeb at this school. Maybe you're familiar with it. So I purchased a domain RENWeb with two Vs, like a typo squatted version of it. And with Evil Engine X, you can just say, I want to mimic this website. So during the presentation, they were all getting these emails and going crazy, clicking on their tablets and stuff.
Stephen Epting (16:22)
wow.
Yeah. Right.
Mikey Pruitt (16:47)
I was teaching them how to spot a phishing email. Like these are some things you should look for. And the emails that were getting sent to them had most of these telltale signs. I even misspelled a couple of things and the signature wasn't exactly right from what their teacher normally sends. And while I was talking, I was asking them questions. Like, did you spot any of these? they're, you or sorry, after I revealed the thing, they get to the end and it's like a you've been hacked page. ⁓
Stephen Epting (16:56)
Yeah.
Right. Yes.
No.
Mikey Pruitt (17:15)
So then
I was like, you know, who noticed anything from these emails? And kids were like, well, you know, that didn't look like the way my teacher writes. And it had this weird button on the top that it was from a mailing list and all this stuff. And then I was like, but you clicked it anyway. And they did, everybody.
Stephen Epting (17:25)
Right.
Yeah,
that's funny. There's a lot of high schools like all around the US that are facing this phishing campaign. Basically, they're saying, hey, you can work two to three hours and make $700. Click this link and give us your information for and we'll send you an application. And you know what high schooler doesn't want, you 700 bucks to work just two, three hours. So a lot of schools have seen like those kind of phishing scams like
specifically targeted towards them.
and a lot of them fall for it.
Mikey Pruitt (18:05)
didn't know that so
there's fishing campaigns dedicated to students really. Wow.
Stephen Epting (18:11)
Yes, high school students specifically, like almost like a spearfishing where it's just high school students. Cause you know, most of them are, you know, 14, 15, 16, 17 within close to working range. So it's just kind of a smart.
Mikey Pruitt (18:27)
Are those emails coming to their school email address or a Gmail they have or Yahoo school? Wow. So those could have been obtained through one of those data breaches, like the Power School one we mentioned, perhaps.
Stephen Epting (18:30)
Yep, school emails. All those ones I've talked to have been like school emails.
Yeah, and you know, some students could theoretically use their school issued email for, you know, to sign up for Spotify or, you know, any other billion vendors or, you know, accounts.
Mikey Pruitt (18:58)
Yeah, I can put myself in the mind of a student if it's on my school account, it seems a little bit more legitimate. Like there's already a level of trust baked in.
Stephen Epting (19:06)
Yeah,
you know, my parents may not check my school email. Like they check my regular email, but they don't check my school email. So that can be a little bit sneakier with it too, probably in their mind.
Mikey Pruitt (19:20)
As crafty kids. Well, what kind of role do you think the kids should play on their own? Like, maybe the ones that are a little bit more aware of the dangers. Like, what do think they can do to secure their campuses?
Stephen Epting (19:20)
That's the kids, they can be sneaky. Yeah. Yeah, they're smart.
They can report stuff. Yeah, I mean they can report stuff when they see it reported to their teacher, their principal. They can be a little bit more suspicious of stuff when you know, just in the age we live in, not every person that comes in contact to you has good intentions for you. So they can be a little bit more suspicious and we actually have a lot of ways they can report phishing and any suspicious like not even like digital, but like
Mikey Pruitt (19:40)
or their digital lives maybe.
Stephen Epting (20:08)
they see anything like out of the ordinary there's lots of options for them to report it, but yeah, for them to play their part they need to be suspicious of more stuff and not so trusting. You know, bad people are out there unfortunately.
Mikey Pruitt (20:23)
Yeah, absolutely.
We have a suspicious at dnsfilter.com email that all of us employees send suspicious emails that we can research them. And if there are some malicious domains in there, add this to our, our lists or whatever. But one of my coworkers today was making a joke. Like I got, I got this email from my manager that said she had assigned me a task, but I think it's suspicious. So she's like,
Stephen Epting (20:41)
block out.
Yeah.
Mikey Pruitt (20:51)
I'm just going to send everything to suspicious at.
Stephen Epting (20:54)
Yeah, so when I worked at the police department I actually got an email from, it was not a real email, it's a phishing simulation, but it was signed like it's my supervisor's name and it said something like, hey, can you help me open this? Because he wasn't like a technically savvy guy. So he would normally send me stuff like that. Okay, can you help me with this electronic or this whatever digital thing. So sure enough I opened it. I was like, okay. Well, he's just asking me for, you know, help on something. So, you know
I got stuck with a 20, 30 minute training for phishing.
Mikey Pruitt (21:28)
Yeah, they got you really good there because that's a routine thing that you always do.
Stephen Epting (21:33)
Yeah, so they actually have a like phishing campaign. Like there's a bunch of companies apparently that have those targeted towards K-12 environments. Instead of having a 20, 30 minute training that kind of explains to students and staff, like this is what was fishy about this email. And they call it like a micro training where it's like 30 seconds to two minutes. And we like that because, you know, if a student clicks something, you don't want them to be
out 30 minutes taking a phishing training because that affects their learning environment. So like I'm glad, very, very glad to see there's lots of K-12 security awareness vendors out there.
Mikey Pruitt (22:14)
Yeah, bite size, tidbit, that's a good strategy. Even for adults, honestly, all of our tidbits are getting very small.
Stephen Epting (22:20)
Yeah, I mean, teachers are busy
too. Like they have to teach a class and if they're out 20 minutes for a phishing, you know, campaign or training, they're going to be upset. Students will be happy, but teacher will be upset.
Mikey Pruitt (22:33)
So with.
Yeah, for sure. So I'm curious, you know, the environment has kind of changed in education since the COVID pandemic, and there's a lot more remote learning now. What type of challenges do you see in this hybrid or fully remote education? Like, what are the things you have to do differently?
Stephen Epting (22:57)
Mmm
As far as differently is just, we have to be kind of cognizant that the kids were not being supervised. Like they can try to, there's a little bit less supervision on them from, you know, parental figures or siblings or whatever their living situation is like. And so we can always, we have to be able to make sure they're doing their schoolwork. So it's a little bit more focus on them to make sure they're doing what they're supposed to be doing versus, you know.
going to sites they're not supposed to or proxy sites.
Mikey Pruitt (23:34)
Yeah, they love those proxy sites. That's how they get around DNSFilter when we hear about it.
Stephen Epting (23:37)
Yeah,
you know, you block three proxy sites and a hundred more pop up.
Very, very familiar with proxy sites.
Mikey Pruitt (23:46)
And
yeah, and that's what we have to do is we have to, we use like machine learning to figure out, this is a proxy site. And then gets auto added to our category or whatever, but it's like a, it's a cat and mouse game. It's hard. It's rapid.
Stephen Epting (23:58)
Right.
Yeah, I mean you
like I said you block one five more pop up and it's just a never-ending battle like I'll do it tomorrow. I'll do it Ten years from now and I'll be doing it 20 years from now like students are still gonna get a proxy sites and try to bypass network security
Mikey Pruitt (24:19)
So there's always a trade-off between security and convenience. And I'm curious how you balance this in the education system, security versus control and segmentation of things.
Stephen Epting (24:36)
So you want security, but you also want students to not be bogged down by tons of security controls, tons of, you want them to be able to have access in a somewhat quick manner. So it's all about a balance, just finding like, let's make it as secure as we can, but let's also have them learn and not have to go through 50 hoops to get logged into one website because you know,
schools have so many vendors and so many websites they have to go through. We just want to try to find that balance of like secure, but you know, not a pain in the butt.
Mikey Pruitt (25:18)
So it's more like guardrails than say, super strict security controls. Like I'm thinking of zero trust and all these things we kind of strive towards. it's just too hard.
Stephen Epting (25:26)
Yeah.
There's
so many, there's so many great websites for learning is, you know, it's hard to do zero trust or, you know, whitelist or just blacklist, whatever you want to call it. Like it's hard to do block everything when they need access to so many different sources for learning. Cause you know, YouTube is a big thing in K-12 because some people want to block it. Some don't, but you know, you could argue I've learned, I've personally learned a lot from YouTube, like getting into cybersecurity.
There's this kind of a hit like, you know, you kind of have to weigh the pros and cons sometimes. Like, yeah, YouTube has a lot of bad stuff on it, but also has a lot of good stuff. Like, you have to kind of go with the pros and cons and see which way the scales tip.
Mikey Pruitt (26:18)
Well, let's talk about that learning, you know, that broader learning. Cause I mean, I, I'm sure like most of the audience, I learned a lot of stuff on YouTube, just like you said. Um, and also learn a lot of things from, uh, like, uh, chat bots now, like AI chat bots. And you know, some of it is, you know, you gotta be a little cautious when you're, can't take it as, as gospel per se, but there's.
Stephen Epting (26:33)
yeah.
Yeah, you
have to call these AI LLMs out sometimes because they're just not right.
Mikey Pruitt (26:50)
But like you say, you can't just block everything. What are school systems doing to prevent the use of AI in a negative way? Because it can kind of dull your mind a bit into that thinking.
Stephen Epting (27:02)
be a good source.
Yeah. So we, there's still some AI services we've looked into and we've used, but you know, it's just kind of slippery slope because you don't want kids to have access to like ChatGPT backs, you know, for example, just because, A, they're going to cheat probably. Some may use it for legitimate learning experience, but
a lot of students will also use it for cheating, unfortunately, or Googling the answer and stuff like that. So, or writing papers, because a lot of students have to write papers. You know, it kind of defeats the experience of learning if ChatGPT is regurgitating a paper form. So, I'm hit or miss on kind of AI in schools right now.
Mikey Pruitt (27:51)
Yeah, I had a someone I spoke with does training for cybersecurity and they do teaching at a university level. And they said that because of that, because students can cheat that she requests them to create like a sub two minute video of them talking about the topic. It doesn't have to be, you know, like public, but they have to record a video of them disseminating the topic and in a way that shows they understand it in lieu of a paper.
Stephen Epting (28:22)
Yeah, that's actually pretty smart too because I know they make like these programs that filter like they're supposed to AI detect, but I feel like we even with AI, like you can have AI work around that if you want like, hey, rewrite this, but avoid AI detection tools. And you know what? Or it could detect something that's legitimately written just, you know, sounds like AI. So I think schools have a lot of skepticism with AI detection tools, just from my experience.
Mikey Pruitt (28:59)
Yeah, I can see that. with no dashes. That's like, like,
Stephen Epting (29:04)
Yeah, yeah. Anytime I see em dashes, I instantly think, oh, ChatGPT.
Mikey Pruitt (29:09)
Yeah, or in the digital landscape. You know, one of those starting phrases.
Stephen Epting (29:13)
Or, you know, whether from this to that, you know, from A to B or whatever, like a really like a contrasting statement. I always think it's ChatGPT. Like even on LinkedIn, you see this post.
Mikey Pruitt (29:21)
Yeah. I know I actually do a lot of research and it presents information to me in that way. And I'm like, this is really bad. Like it's hard to understand what you're even saying AI. Like where did you learn this?
Stephen Epting (29:38)
Yeah, it's it's like literally talking. I know you're literally talking to a robot, but it sounds like a robot like Sometimes I just if I'm using ChatGPT, I'll say like say it casually like You don't you don't yeah, like don't talk to a rocket robot like
Mikey Pruitt (29:51)
Yeah, casually, like talking to a friend.
So going back for a minute to the people that are targeting students, you specifically called out high school age students. Are these like nation state actors or are they just hacker groups? good.
Stephen Epting (30:11)
Yes, nation state this not from not from the US all foreign IPs just and from what I've seen it looks like they're just trying to harvest information.
Causing the forms.
Mikey Pruitt (30:29)
Yeah, that was my next question.
Like what do they, what do they want? Because students typically don't have access to like credit cards and bank accounts. So what are they after?
Stephen Epting (30:36)
Credit cards, but you know, Social Security is PII. Their names, emails, phone numbers, so they can continue their attack.
Mikey Pruitt (30:49)
So they're harvesting data for perhaps a future event. That's scary.
Stephen Epting (30:53)
a future event
or, you know, hey, if we have this kid's phone number, let's start texting them about this job or that job. And like, Hey, like only 20 bucks to start it, provide a credit card. And some kids may have a credit card or debit card and, you know, provide that.
Mikey Pruitt (31:15)
So how should schools train educators and staff against these situations that can arise? We talked about cybersecurity awareness, but what specifically should it include?
Stephen Epting (31:32)
First off.
Mikey Pruitt (31:34)
Yeah, start with staff. Like how do we, how do we get them over the hump of understanding the bad stuff that's out there and how to protect against it?
Stephen Epting (31:36)
Yeah, I mean really does they have to understand that like phishing happens to people and if you're a victim of a phishing attack, A, it's a pain in the butt to kind of, you know, get everything back to where it was if you ever had your social security, you know, compromised because you have to call these credit places but also it is kind of us the organization on a bad spot to cause you know, their assets could be leaked out or information about their systems you just
Always be suspicious of everything. Like that's what I tell staff just. And I don't, people want to forward those emails to me. Like I'm always fine. Like you're not going to bother me. Like if you say, Hey, can you look at this? Does this seem legit? Or even ask a coworker like, does this seem legit? It seems weird. They're saying they're using the word kindly like three times. You know, just be suspicious of everything. Like kindly do this.
Mikey Pruitt (32:43)
You're like kindly.
Stephen Epting (32:44)
That's a lot of, that's a lot of kindly
in the email, like probably, probably not legit.
Mikey Pruitt (32:49)
So how
do you and your team design security policies around kind of a unique sector in our world of educators and students? It's not like any other really. How do you design security policies for them?
Stephen Epting (33:08)
Kind of got, but going back to what I was saying earlier, just, you want to tip the scales in a right way, like security policy where everything's secure, but also where it's not affecting children's learning. You know, don't want to bog down staff with so many hurdles where they can't do their job and then get frustrated, but you also want to keep things secure. So it's just you want to find that policy and kind of see what works and
You know, if it works, say like, what step can you go further to make it more secure and, you know, not hinder the learning environment.
Mikey Pruitt (33:45)
Well, let's say, let's do like a hypothetical. If something were to happen, someone, one of those high school students were to click on whatever's in that phishing link, malware was downloaded, moved laterally across the network. What are some of the remediation steps that are specific to education? Or maybe they're not unique to education. Talk about that. And also like, what are those steps?
Stephen Epting (34:06)
Same,
you know, contain it, you know, cut off access, cut off the, cut off the machine that needs to be cut off. Same way really. I mean, just make sure it doesn't affect the network and cut it off and handle it.
then you would educate the.
Mikey Pruitt (34:24)
in schools and
I'm good.
Stephen Epting (34:30)
And so then you just educate the user and the staff over the student. Like, hey, you know, you click this, this was actually, you know, a big thing. It wasn't real. It was a virus.
Mikey Pruitt (34:45)
So quarantine, educate.
Stephen Epting (34:46)
And that'll be in convenience.
yeah, just incident response stuff. Just you handle like you would any other incident. But the kids are probably going to be inconvenienced too, because they're probably going to take away whatever computer they have and give them a new one.
Mikey Pruitt (35:08)
Yeah, that is good. The devices are kind of ephemeral. You can just provision a new one, give it over, and then perhaps investigate, go back to your law enforcement days, and do a little forensics on that specific device.
Stephen Epting (35:13)
and
Right. Yeah, I love
forensics still like I still get to do forensics and I love it I love taking around and stuff
Mikey Pruitt (35:26)
So we often hear that like governments and, you know, kind of therefore schools move slowly with technology. Do you see that happening currently still?
Stephen Epting (35:38)
Across the U.S., I would say government in general is notoriously slow. If you ever had to work with the government on anything, it's really slow because most places have to do requests for proposals where like, we want this type of software, this kind of service. You have to do a request for proposal and you know, companies and vendors get to apply for it. And you have to kind of vet between them and choose and
There's a lot of processes, especially with the government funding and taxes and, you know, lot of school districts can't really spend willy nilly. They have to kind of choose like, Hey, this is what we have budget for. How much do we need this? Is there a substitute that's cheaper? Like how big of a problem was it just kind of managing your risks and seeing how big of things and weighing stuff in. But, you know, some of that kind of stuff takes time. Sometimes it's
School districts don't have the money to just splurge unfortunately
Mikey Pruitt (36:42)
Yeah, that I've definitely seen. So you mentioned the high schoolers getting targeted by, it seems like nation state actors. What are some other trends that you see growing in the education sector?
Stephen Epting (36:51)
Mm-hmm.
kids now, like I know when I was in school, we obviously didn't have any computers or anything, but kids are on their computers most of the day. So they just have a lot more access. They're on the internet more. They're going to different sites just, you know, for learning and just, there's a lot more. When you walk in a big minefield, there's a lot more mines out there, obviously. So
There's a lot more dangers when you're on the internet a lot more than we were 15 years ago.
Mikey Pruitt (37:37)
Yeah, I was in the generation where they told us we would never have our calculator in our pocket.
Stephen Epting (37:42)
Yeah,
me too. Yeah, there's like, yeah, you can't have a calculator, but you're required to buy this Texas instrument. This like 150 bucks. It's like, wait, what?
Mikey Pruitt (37:50)
Yeah.
Trying to cripple us with the tech of the instruments, graphing calculators.
Stephen Epting (37:56)
Yeah, and just
that's kind of a personal concern I have with AI and, you know, not just K-12, but universities, you know, these kids and young people are just going on, instead of using critical thinking, they just go on ChatGPT and say, Hey, how do I do this? You know, your brain's a big muscle. When you stop thinking how to do stuff, it kind of goes away, like use it or lose it. So that's
Personal concern I have with AI is just I hope these kids don't become ever relying on it in the future because he's AI is good for what it's good for but It's not gonna run your life for you
Mikey Pruitt (38:39)
Yeah, I would agree with that. I think most of the audience would too. The critical thinking, like with AI, you really become more like an editor than an originator of things, but you still have to have a critical thinking to understand like what is a good idea versus a bad idea. Perhaps the AI response can spark something novel within you. And the AI can't do that. Like it cannot.
Stephen Epting (38:50)
Yeah.
Mikey Pruitt (39:07)
create new things out of the ether. It may combine things in new ways.
Stephen Epting (39:10)
Yeah,
it just uses pre-existing data. Like it's just basically pulling from a little bit everywhere. Like, and you know, not every situation is the same as, you know, XYZ. So AI may give you the wrong output. It just all depends on the prompt.
Mikey Pruitt (39:32)
I'm thinking of a theoretical feature where, if you take a textbook or whatever, 12th grade math, let's not use math, let's use like social studies or something. If you take that and you format it in a way that's like markdown or whatever, something easily ingestible by AI, you chunk it up and put it into a database and then you put an AI agent in front of that, then the student can then ask.
Stephen Epting (39:43)
All right.
Mikey Pruitt (40:00)
questions against that textbook and theoretically it would know everything there is to know in that textbook. And I think what you're posing is that the students would know what to ask. they would just be, their critical thinking would be.
Stephen Epting (40:12)
Yeah, they wouldn't know what to ask and
yeah, they just wouldn't know what to ask or like, where do I go from here? Like I can't, what's the first step? Like what's the first step in doing this? But, and you know, and I think we'll see a lot more stuff with AI with like data poisoning too, just AI having the wrong info and it just outputting something completely wrong. Cause I've personally gotten wrong outputs before and
Mikey Pruitt (40:22)
Yeah, what?
Stephen Epting (40:42)
I've had to call out AI before it's like, hey, that's not right.
Mikey Pruitt (40:47)
Yeah, the problem when you tell it it's not right is it'll be like, you're absolutely correct. It's this. And you're like, that must be it. Then you're like, wait, is that it? You can't trust it.
Stephen Epting (40:57)
Yeah, AI is very agreeable. I've personally kind of found like it's not really gonna say like, no, that's incorrect or whatever. It's just like, yeah, you know, that's a good, good way to look at it. But you know, maybe it could be this too. It's like, okay. Yeah.
Mikey Pruitt (41:14)
Yeah, you have to be very skeptical, just like in your
security life and your privacy life, you have to be skeptical and just with AI, you have to do the same.
Stephen Epting (41:22)
Yeah,
AI is not the gospel. Just validate everything it says. Like, don't take its word for it, because AI is incorrect a lot.
Mikey Pruitt (41:33)
So with you in the education space and you know, kind of in a unique corner of that space in cyber security and IT, how do you like stay up to date on information? What do you go for for your news?
Stephen Epting (41:48)
I go to a lot of different places. I go to, you know, Hacker News. I go to LinkedIn where I have a fairly large cyber network. I talk to them. I go to local events, DEF CON, BSides Greenville or BSides anywhere really. Just Google stuff. I don't trust in any one source. I try to go to a lot and just local news too.
You know, the PowerSchool breach, I saw that on the news before, you know, Hacker News covered it. There's some K-12 specific newsletters. Like we like to read just, you know, I don't believe you get your news from any one source. Just go to everywhere.
Mikey Pruitt (42:36)
Yeah. And then use your own critical thinking to decipher what's, what's accurate or important for you.
Stephen Epting (42:36)
Like talk to people. Yeah, critical thinking just like, like,
well, yeah, just, you you look at a news article and say, hey, does this affect us or, hey, this company got breached. Do we use them? wait, we do. We should probably look into it and see what is affected and if we were affected.
So just.
Mikey Pruitt (42:58)
100%. Well, Stephen, thank you. Yes, absolutely. I was just going to say thank you for joining me today, chatting a little bit about education. And I think we got a little deeper on AI than I was expecting, I should always expect because it's like the hot topic these days, especially in schools.
Stephen Epting (43:01)
Yeah, just that's kind of the ground.
yeah, absolutely.
Yeah, that's a hot topic. Yeah, it's a hot topic.
Yeah, schools are all using it too. And these students are trying to use it too. And it's not always for learning.
Mikey Pruitt (43:32)
Yeah, we have to train them on a new vulnerability, essentially, like how to use AI properly.
Stephen Epting (43:38)
Yeah, and what information you're putting into it.
Mikey Pruitt (43:42)
yeah, data exfiltration is real.
Stephen Epting (43:45)
yeah.
Mikey Pruitt (43:47)
Well Stephen, where can people find you on the internet?
Stephen Epting (43:50)
So they can follow me on LinkedIn. I'm not always consistent with posting just because, you know, life happens sometimes, but I like to engage with people and talk with them on LinkedIn. And I like to mentor new people from like interested in cyber. I always like to teach them because I actually had a mentor get into cybersecurity named Robert Wettstein. And I made him a promise I would mentor people to like pay it forward. So.
I always like to talk tech with people or Lord of the Rings. I have some chats where I just talk Lord of the Rings with people. Favorite hobbits, favorite characters, whatever.
Mikey Pruitt (44:29)
Yeah, you're like, this is how I exercise my critical thinking as I analyze Lord of the Rings lore.
Stephen Epting (44:34)
yeah. Yeah, I'm a big Samwise Gamgee fan.
Mikey Pruitt (44:40)
I have no idea what any of that means.
Stephen Epting (44:43)
Okay, man, you gotta watch the movies or read the books. Good movies and good books.
Mikey Pruitt (44:47)
I definitely have some educating to do. What did you say it was? Samwise? I'm looking up right now.
Stephen Epting (44:51)
Samwise Gamgee - he's the best friend for one of the main characters, but he's a gardener.
Mikey Pruitt (44:57)
I'll do some research on that later.
Okay, I see it right there. man, it's gonna be a deep dive after this. Well Stephen, thank you so much.
Stephen Epting (45:06)
You're welcome.


