What were the hot topics at the 11th Annual Pittsburgh Information Security Awareness Day?
The ISACA Pittsburgh chapter held their annual Pittsburgh Information Security Day this past Monday, and as always, the day was filled with great insights and conversations surrounding the latest in the information systems and security world.
While there is no way to recap all of the great content and discussions in a single article, here are some of the key takeaways and highlights from our perspective.
There’s No Gray Area in Fraud: Synthetic Identities, Mortgage Fraud and True Crime
The ISACA Pittsburgh chapter delivered an exceptional keynote presentation featuring Matthew Cox, a former mortgage fraudster, con man and true crime author. Cox’s gripping journey began as a local mortgage broker who falsified documents with whiteout, ultimately bilking an estimated $55 million from America’s largest banks. This led to a three-year cross-country manhunt by the U.S. Marshals, FBI and Secret Service.
In his keynote, Cox discussed how his fraud tactics escalated as he learned to create synthetic identities and commit mortgage fraud. One of his most intriguing stories involved exploiting a loophole that allowed him to obtain Social Security numbers for fictitious individuals—often named after characters from “Reservoir Dogs”—using falsified birth certificates and immunization records, as long as the “baby” was under 10 months old. Cox shared several memorable anecdotes, including:
- Close Calls: He described near-captures, often paying back defrauded amounts, knowing that victims wouldn’t recover their money if they contacted the FBI.
- A Narrow Escape: He recounted walking past his own wanted photo in a police station after being brought in under suspicion of fraud. With a fake driver’s license listing him as 5’10″, despite being 5’6″, he cleverly joked his way out, promising not to leave town before heading to Nashville.
- Mortgage Fraud: Cox detailed purchasing an estimated 109 houses with $11.5 million in fraudulent funds, inadvertently driving up the local housing market and turning the area into one of Florida’s top-growing zip codes.
- Organized Deception: When finally apprehended, Cox had 27 driver’s licenses across seven states and 22 passports. When asked by an audience member if he ever confused his identities, he explained that he had a folder for each persona, and even the FBI noted his remarkable organization.
Cox’s fascinating insights into the psychology of fraud and his experiences as a real-life criminal made for a great way to kick off the day.
Aspiring to Allyship: Commit to Active Listening
ISACA’s OneInTech hosted a thought-provoking panel discussion to explore actionable strategies for becoming an effective ally in our workplaces and communities. Five women leaders in their respective tech spaces took the stage to reveal what allyship means to them and how everyone can use it to drive meaningful change.
All the panelists stressed that effective allyship starts with active listening. When we are ready to learn, grow and listen to our colleagues from different backgrounds and experiences, we can aspire to allyship. However, it’s a fluid process. Approaching allyship with a growth mindset and surrounding ourselves with mentors and other positive influences can help us on our journeys and remind us that there’s always something new to learn.
And allyship isn’t just about listening. It’s about acting when the time is right. Whether it’s speaking out against injustice or taking the time to accommodate a colleague with an invisible disability, such as ADHD and anxiety, it’s important to be available if someone needs direct assistance or a listening ear.
If we are open to new ideas, actively listen and self-reflect on our actions, we can be well on our way to becoming effective allies.
They’re Watching You: The Research Behind Employee Surveillance
Hopefully, most of us realize by now that our activity on our work laptops is monitored. And while the IT department does this to find anomalous behaviors, we begin to see them as the “productivity police.” Standard monitoring practices also raise all sorts of questions that we haven’t answered yet, such as “Do remote employees need extra monitoring? Should monitoring data help decide who gets fired or promoted?”
Matthew Butkovic from Carnegie Mellon University unpacked data from the Pew Research Center on employee sentiment toward monitoring activities, along with his own research. He found that when employees are well-informed of the “what” and “why” behind their employers’ monitoring activities, they are more likely to accept them. But an explanation alone is not enough. It must be coupled with positive deterrence-related practices, which include measures that help people feel connected at work, receive organizational support and maintain high levels of job engagement.
When these components are embedded into an organization, employees are more likely to “self-police” and accept organizational monitoring practices. Employers must strike a balance between driving engagement, offering intrinsic motivations and increasing the effectiveness of the organization’s insider threat risk program.
Data, Danger… and More Danger: Third-Party Risk and Data Centers
The presentation on data centers and third-party risk management left a lasting impression on many attendees. It highlighted the vast scale of data centers in our interconnected world, which account for an estimated 2-3% of global energy consumption. Given their significance, these facilities are heavily regulated and often targeted by malicious actors.
The discussion covered existing audit and security measures for data control centers, including contract reviews, third-party risk assessments, questionnaires and on-site audits. Particularly striking was the revelation of how easily threat actors can exploit vulnerabilities—such as hacking temperature controls to compromise the delicate environments that data centers rely on.
Real-world examples underscored the potential consequences of such attacks, including the 2010 incident at the Iranian nuclear facility, the 2015 Ukraine power grid disruption and the 2021 Colonial Pipeline attack, one of the most significant assaults on American infrastructure.
Overall, the session served as a crucial reminder of the need for robust security measures in our data-driven world.
Thank you to all of the ISACA Pittsburgh chapter board members and volunteers for another fantastic year. We look forward to next year!
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.