A
This is Rich Stroffolino with the Department of No. Dan Holden, CISO at Commerce. I have to ask, what is your priority this week?
B
I am a huge fan of Gene Kim's Phoenix Project. I am attempting to make my way through his new book, Vibe Coding.
A
Ooh, I didn't know he had a new book. The Phoenix Project. Legendary, right? All of the networking guys I knew that were trying to learn software, that was required reading for them, so I will have to check that out too. Excellent, excellent rec. Mark Eggleston, CISO over at CSC. What is your priority this week?
C
Hey Rich. Hey Dan. Glad to be here. My priority? Well, we had a town hall last week and I verbally announced some of our promotions. Always happy, fun times. Now it's making sure that we do the same release to a broader audience in a more formal manner. So that's top of mind. And looking outside, I'm sure hoping. I'm so thankful to see less snow, and I'm hoping to finish that deck that I started about six months ago.
A
We can all hope to be more deck forward and weather forward going forward. But with that being said, producer Steve, let's start the show from the CISO Series. It's Department of No. Yes, indeed, indeed. Welcome to the Department of No, your virtual Monday strategy meeting. Our sponsor for today is, of course, Adaptive Security. Protect your company from deepfake powered phishing. Remember, you can get involved in our YouTube chat live. If you're watching us on YouTube and you somehow don't see a chat, something is broken in your browser. I really can't help you. I don't know how any of that works, but we broadcast every Monday at 4pm Eastern, so maybe try a different browser or email us at feedbackisoseries.com. I also don't know how email works, but I'm told that's how you can get in touch with us. Just a quick disclaimer here. The opinions expressed by our fantastic guests are in fact their own, not necessarily those of their employer, their friends, family, even nemesis. Is it nemeses? Sure, why not? We've got about 30 minutes. Let's dive in, get into this news here. We're going to start out with our Know or No segment. This is where there's so much news out there, we just need a quick breakdown. Is this a story that we want to be bringing to our security teams, letting them know, having them go more of a deep dive and see how it applies to us? Or is this something like, hey, great headline, not going to be bringing it to the team this week. First up here, we have some updates with Claude and Grok. They're cops, except for Grok. The Department of Defense has confirmed that the Pentagon will use its Grok model on classified systems. This comes amid a tiff between Claude and the Pentagon, even though it seems Claude was used in recent US attacks on Iran. In the context of cybersecurity responsibilities, is this large scale issue sucking up a lot of the oxygen in the news cycle? Is this a know or a no for you? Dan, let me start with you.
B
It's a no.
A
Please expand.
B
It's just typical of the way the federal government works with any of these vendors over the years, so that they need some kind of ability or control or partnership agreements, et cetera, et cetera. They've been doing this for years with any of the big dogs, Google, Apple, etc. So I'd say it's very normal. You don't want to know what they're doing. The only upside, I'd say from an everyday user, and if you're worrying about, you know, the Terminator scenario with AI, certainly that's what they're going after. The only upside is the fact that it is being tested in ways that none of us will test it. So you have to hope that the companies involved do the right thing as much as they can.
A
All right, Mark, I have to ask you, is this a know a little more on this, or a big no, thank you?
C
For you, I'll leave it as no with an N. From my perspective, it's somewhat political theater. Right. I believe that the current administration has some disagreements with OpenAI and certainly, looking at other things, that Elon Musk may be more attractive to them. But regardless of what LLM you're choosing to use, I think the bigger concern is what are public officials putting into these LLMs, and let's focus on that versus anything else.
A
And I think the avenue of entry for the story, at least for me and for Cybersecurity Headlines, is the idea of dubbing Anthropic a supply chain risk, which to me is kind of the security angle. And yes, someone in our chat pointing out that OpenAI, well, OpenAI and Anthropic, they're all posturing along different spectrums of this kind of in real time. And to your point, in terms of being political theater, a lot of this I feel like is various forms of negotiating tactics for a lot of these companies and the government, certainly going forward. But we will keep you updated with the latest on that on Cybersecurity Headlines. So stay, stay tuned for that. Next up here on Know or No, iPhone and iPad cleared for classified NATO work. Similar theme here. Apple has announced that its phones and tablets are the first consumer devices to receive approval for working at the NATO Restricted level, which means they can be used with classified information without requiring special software or settings. The listing specifies that the native Mail, Calendar and Contacts apps for iOS and iPadOS provide secure access to data. It is not clear if they provide a satisfying user experience, particularly Mail. You guys, folks, come on. We got to step it up. Given that it wasn't that long ago that the NSA was creating modified BlackBerrys for presidents, is this a know a little more or a no, thank you, for you, Mark?
C
I'm going to say it's, you know, another no, thank you. Unfortunately. I think it's great. Look, don't, don't get me wrong, it's great that their configuration has passed these standards. And I understand from reading the article they do some level of testing as well. It's not just a rubber stamp. So that's good. Good to hear. And I do think, you know, Apple has shown overall a good approach to privacy in a lot of regards. So again, no ding against them. But, you know, again, it's more like how are they using these devices? Where are they leaving these devices? What else are they doing on the human element to secure the information that they're putting into these devices? That's. That's more concern to me.
A
Dan, what about you? Is this a know a little more or a no, thank you? Not using that default Mail app.
C
It's.
B
It's very similar to the last topic going on forever. Right? Your defense contractors make specific images for these phones. To Mark's point, I mean, this is just classic James Bond, literally the last however many James Bond movies, hell, even going back to the 90s. And so all this is making the procurement process a little bit easier. Besides that, very little change, I'd argue.
A
How disappointing would it be if Q just hands 007 a regular iPhone? He's like, it's perfectly secure. Don't just download whatever. Download the Taser app. It's fine, right?
B
Yeah, well, the hardware is the same as what we get, but the software is different.
C
Dan, I'd be more interested too. I wonder what service they're using to manage these devices. Is it Intune? Is it something else? I think that's the bigger story.
B
That is probably very custom as well. That is where Q comes into play.
C
Really.
B
Q is not.
A
Your Q is the equivalent of Red Hat, right? He's just like the service provider on top.
B
That is your modern Q. And they're probably a little bit different than our typical IT worker, but same kind of management, just managing very different situations, I imagine.
A
All right, next up here, ransomware payments dropped in 2025. Now, despite that drop in payments, attacks and median payments continue to soar. But Chainalysis suggests that companies are getting better at incident response and that regulatory scrutiny has increased to the point where payouts are now heavily discouraged. With cyber attacks always top of mind, is this report a know a little more or a no, thank you, for you, Dan?
B
I'd say that this is just the further commoditization of a threat type that's been with us for decades. You could track ransomware, DDoS, spam, phishing all back to the 90s. It's been with us forever. And I'd say this is an aspect of where it's so damn commoditized at this point that the attacks are easier and easier, yet the payouts are harder and the negotiations are probably the most difficult part for the ones that are actually breaking through these days. The attacker is broader than it used to be and the defenders are better than they used to be. And there's a hell of a lot more specialized software and defenses these days than there were just pre-COVID. So a lot has changed very quickly and hopefully we continue the same thing. Even if folks are getting popped by ransomware, hopefully they're paying less, if they are paying at all.
A
Mark, what about you? Is this a know a little more? You bringing this to your team? Popping the bubbly? Hey, we're beating ransomware. Or is this a no, thank you, for you?
C
I think it's know a little bit more. I think there's news, good news here to celebrate, right? People are paying less ransom. That's wonderful. That tells me maybe they're being more reliant on backups, that they actually are testing their business continuity plans. Both of those two things will give you a much higher success rate of recovering from these types of things. But it's no real surprise to see that attack numbers are reaching record levels with AI out there. You're going to continue to see things move faster from both an adversarial perspective and from a SOC perspective. So I know we're going to talk about these things a little bit more in some of these articles, but yeah, it's worth touting less payments and worth better understanding and seeing how we can adapt our defenses to make sure that we stay current on these things.
A
CCL in our chat pointing out, I believe this is CCL pointing out, that insurance companies might get some credit in this case. I think as well, possibly, as you guys were saying, the playbook for this, it feels like we've gotten better at it even as the attacks have become ever easier to do. And I think making ransomware more boringer, and insurance is the boringest thing ever, is probably a sign of good things overall. The arc of cyber attacks bends towards boring is the saying I'm going with. All right, next up here.
B
Rich, one more comment on that, just for the audience. If anybody's into threat intel, there's the STIX ranking of attacker sophistication. And I think the real question in these sorts of scenarios is, is the attacker sophistication going down? And I think that's exactly what Mark was alluding to. And if that's the case, your population is going up. And so if you think about your controls like, you know, kind of stacked sandbags, the water level is kind of decreasing, but there's more of it, is maybe the way to think about it. So sophistication going down, yet your population goes up due to that.
A
I like that. That is a, that's an excellent way to think about that. Sandbags in depth. We're changing the name of the show, folks. All right, next up here, AI dev makes security unattainable. Sorry, guys, hate to break it to you. This warning from Veracode says that more vulnerabilities are being created than are being fixed and that high velocity development with AI is making comprehensive security unattainable. How does this make you feel? And is this a know a little bit more or a no, thank you, for you, Mark?
C
Definitely a know a little bit more here. So first of all, security being less attainable, do we really need more bad news? I mean, come on, folks, let's be a little bit more optimistic here, right? We can do these things, but shame.
A
I knew Varicose.
C
There's an important citation in this link there, which is basically that one of the reasons for this is the increasing use of testing tools. So if they're using more of these tools, yes, they're going to find more things. Right. Then of course, the other epiphany in this study is that some of these things are going to have more false positives. So I think we have to peel the onion a few layers deeper to really see what is the net number of increase in vulnerabilities. But no. Does it surprise me that we're finding more vulnerabilities and we're having trouble catching up in the age of AI? No. That's a hard no.
A
Dan, what about for you?
B
Yeah, no, I'm with Mark on this. Know more. This is a fascinating topic. I'd say this is very good PR from Veracode, given the fact that Anthropic just gutted the market cap of many, many companies, including security companies. CEO of SentinelOne was just on CNBC yesterday or the day before, I guess yesterday. Can't keep my days straight, y'all. Highlighting that, you know, that part of the market may be, you know, 5% of cybersecurity. Right. You know, so Anthropic's not replacing, you know, S1s and CrowdStrikes tomorrow. Are they threatening the Veracodes, you know, the Black Ducks, et cetera?
C
Sure.
B
But the issue is that our paranoia as humans is so high, even as we have the robots and the agents doing these things, we're going to want someone checking their homework. And so I think those companies are actually quite fine due to the paranoia, especially of particular verticals. FedGov, Finance, et cetera, et cetera. So I think it's. Is what Anthropic is doing fascinating and interesting and is it slashing, pressuring market? Yeah, but the issue is this is all going to come down to like right now, it's time and effort and skill. At some point it's going to become about the tokens. And so the funny thing is you can pump out the code, but in order to have to patch the code, find the SQL injections, whatever the case is, you have to overlap and you have to go through the same code base over and over and over again. And so you're just eating up tokens. And so it's always been a quality control issue. It will remain to be a quality control issue. The question will be how do you want to solve that? Do you want to throw more robot at it? Do you want to throw human power at it? But this will continue being a fascinating topic because there's more than one way to skin this cat, so to speak.
C
I'll also try and throw a little more optimism in it too. The number of false positives is truly unknown and these tools are continuing to crank out more false positives than, say, a managed services would doing the same thing. Isn't that a wonderful opportunity for agentic AI? You know, teach a bot how to do false positive, you know, reconciliation, teach a bot how to go and look at various places and do other non intrusive testing things to actually, you know, define or confirm a true positive. I mean, I think there's still some more work here. That AI is underutilized in this respect.
A
That old saw: give a bot a false positive, you know, for a day.
B
Mark just nailed it though, because we opened up with the Phoenix Project. That's exactly what this is, right? The whole AppSec industry has been trying to shift left. We just have to get our robots down on the manufacturing floor with their robots. And that opportunity is actually the greatest opportunity we've ever had in security. It's the first time we can actually put the robot next to the robot and not be an after the fact bolt-on. And so if I'm Veracode, not only was this a smart PR piece, it's exactly the business opportunity that that kind of company should be looking for. So whether it gets worse or gets better kind of doesn't matter. The question is, are we actually able to get security where it should be? And whatever those numbers are now or later is just a metric to be managed and accounted for.
A
We'll get this tip from CCL in our chat here. Tip that stuck with me before: asking an LLM to make a change, ask it to plan how it will verify its own work. I absolutely love it. Yeah, we have thumbs up all around, CCL. Well done. All right, we're going to end Know or No here on our last story. Block drops shock job chop. Thank you, producer Steve. I passed. Twitter co-founder Jack Dorsey says technology firm Block is laying off almost half of its workforce because artificial intelligence fundamentally changes what it means to build and run a company. The layoffs will mean headcount at the company, which owns Square, Cash App and Tidal, nice portfolio guys, will fall to less than 6,000 from 10,000. This is the first time it's cited AI as a major reason for redundancies and marks the latest in a series of major job cuts in the tech industry. That's been a drumbeat we've been following for more than a little bit here. Dan, I'm going to start with you here. Do we want to know a little more about this or is this a no, thank you, for you?
B
This is know more for years to come. I think they highlighted every company is going to be asking themselves this, and the real question with AI is whether you've crossed the bridge with understanding what it can do currently and what it will be able to do and what that means to the business world and the reality that we live in. And if you haven't crossed that bridge yet, you might have a lot of questions and paranoia. If you have crossed that bridge, you know, and understand the existential crisis that this is. I think those folks have crossed the, or enough of those folks have crossed the bridge at that company that they are doing something early and they are attempting to be in control when all of us feel out of control. Is it the right move? That very much remains to be seen. But if you're trying to stay viable in a world where market caps are getting crushed and investment is being called into question, yeah, it doesn't surprise me one bit that the stock moves. That's exactly the sort of thing that investors on Wall Street probably want to see. Wrong or right, that again remains to be seen. But I can't say the move surprises me and I can't say the reaction does either.
A
Mark, what about for you?
C
Yeah, I'm agreeing. It's wise to also notice our producers are letting us know in the chat here that the stock price went up 20%. And we do work in a capitalist society, at least on this side of the globe. So, you know, that's going to move the needle. That's going to move some decisions here. But I look at it, you know, again, from a humanistic perspective. All of us as cybersecurity professionals should be soaking in AI, should be very, very good by now about prompt engineering and how to use this tool to your advantage and not let it use you to your dismay. Right? So that's a big, big lesson learned in any of these new, you know, stories that continue to come out. I think that what keeps clients sticky, and this is hard to reflect in the market, is good human interactions and creativity. And AI thus far has not proven to be so great at that. Right. And sometimes it continues to make just dumb decisions, like the whole one that I'm sure many people saw the other week about, hey, should I take my car to the car wash or should I walk there? And it's like, yeah, you should walk there. You're only half a block away. I mean, it does dumb things, right? So use those things to your advantage. Make sure that you're using prompt engineering to help your creativity. And I think most managed services vendors know this too. The cybersecurity vendors that I'm sticking with aren't just the ones that come in and check in from time to time and go, here's your quote, here's your invoice. They're making sure that we're taking full advantage of the product. They're having QBRs with us, and I think that's an important thing here too. Make sure that you're using the relationships first.
B
I just want to echo what Mark mentioned there, mainly this aspect to all of our vendor friends out there. It's your sales and support that we can't help you with. We can help you build a better product, the robot can help you build a better product, but no one can help you fix your sales and support. And as long as you've got those two functions strong, you've got a viable business now and into the future. Great comments, Mark. Thanks Dan.
A
Before we move on to the back half of the show, we have to spend a few moments and thank our sponsor for today, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI powered social engineering. AI is rewriting the cybersecurity rulebook because attackers can now scale persuasion as easily as they scale code. The real target isn't just your systems anymore, it's human trust. If you aren't actively testing your organization against AI driven phishing, vishing and deepfakes, you're leaving a gap criminals will exploit. Adaptive runs realistic simulations and delivers tailored, engaging training so teams respond correctly when it counts. Learn more at adaptivesecurity.com. All right, let's dive into some more stories here. First up here, threat actors break out in under 30 minutes. That's according to CrowdStrike's annual Global Threat Report. The average breakout time from initial network intrusion to other systems, aka lateral movement, fell to 29 minutes on average in 2025. That's 65% faster than last year. The fastest time seen was 27 seconds, which was almost half the fastest time seen last year. Of these incidents, most involved legitimate credentials or social engineering and others used zero days. It's been noted by many experts, including some we've had on our shows, that exploitation of the human weak link is becoming more central to threat actors. I mean, in some cases these threatened. In a lot of cases these people are just logging in with credentials. I'm curious, how have you been working to address this living, breathing vulnerability? Dan, I'll start with you.
B
Primarily training. I think this is very different for every business, as security is for every business. Kind of depends on size, depends on whether you're in tech or non-tech. If you are in tech and you're smaller, I think the training can work really well and you can build culture. You know, years ago I was inspired by AT&T. They had their employees wearing T-shirts that said I am the firewall. And so it can be done at scale as well. It ain't easy, but I think the big thing is Zero Trust went from a marketing moniker and something that everyone was chasing and had to get very good at kind of during COVID. I think the reality of our situation now is we can't really tell the difference, or we can't assume. Right. I don't know if you're a legit employee, a contractor, a robot, or a North Korean IT worker. And I can't make any assumptions. And so that just has to be the new default state, I think, regardless.
A
Yeah. I mean, Mark, is this just the greatest marketing for Zero Trust as a concept that we've seen here?
C
Well, let me first say that I'm not sure Zero Trust needs any more marketing. I haven't heard of it.
A
What, this newfangled thing?
C
That message is out. No, look, I agree with Dan. Look, use this as an opportunity to treat your people as your greatest opportunity, not your greatest weakness. Make sure that you are continuing to hammer on the human firewall and giving them every opportunity to succeed and making sure that your tools are giving them help to make good risk based decisions. Because that's where risk lives. Risk doesn't live in the CISO shop. Risk lives at the business with people making the decisions they're making. I think all that's true. I also look at this too, and just for our audience's sake too, because we were batting around the whole definition here, I think we're taking it as lateral movement. Right. So it doesn't surprise me that lateral movement is going to continue to get shaved by minutes, and there will be seconds before too long. In fact, I've personally seen attacks that have taken less than 60 seconds. Did a little timeline, ripped off the Nicolas Cage Gone in 60 Seconds, and just showed how things can happen and really adversely at a former employer. So educate people that these things can happen in less than 60 seconds and what is their role? To promptly notify. Hit that Phish Alert button, hit all those things, hit it immediately. Don't think twice. Right. Because seconds count. I also think too, when I looked at this in the deeper dive, you know, the other piece here is dwell time. Right. How long does it take for an attacker to get in and then you actually notice that they're in? I can remember, I'm not going to say how many years I've been in this profession, but I remember when it was easily over 180 days. And I think right now it's down to a few days to maybe a week, depending upon which study you reference. But dwell time is decreasing, lateral movement time is decreasing. But unfortunately the lateral movement time is a shorter time period than dwell time. And I think they're also getting faster. It's not commensurate between those two metrics.
So we still have some additional work to do. And, you know, I'm going to beat the AI drum again and say there's probably some AI agents, things in here that we can help ourselves out to make sure that we're detecting things faster and taking autonomous responses faster as well. You know, taking on a little bit more risk for some of these things to make sure you're stopping these attacks.
A
Yeah, I like the idea of turning this into an opportunity, you know, because as much as we say, we want to say, oh, the, you know, the human weak link, that's like incredibly demoralizing because it's like I tried my hardest and I still got, you know, I still clicked on the link and now, you know, I'm the reason X, X and X and X are happening, you know, at my organization. I like the idea of like, oh, hey, we're, we still need humans, like, for the foreseeable future. So, like, let's not make them feel like garbage. Like, let's actually empower them to be part of the solution as opposed to finger wagging at them. Like, I, I think that is too often missed in this conversation.
B
It's a bit of a cop out. I mean, if one user's click can undo your company, then you're not in a very good position from a policy or control perspective. I'd love to see how many of these had to do with BYOD. And that is something a company controls from a CISO perspective. If you're battling this, talk to your executive peers and the board and you can simply say, this is software. Anything's possible. But do you want to pay for the software and the people it takes to control this, or do you just want to change the policy and not allow the attack surface to exist? Because those are our choices.
C
Good call out on attack surface management. Definitely something we should all be focusing in on more.
A
All right, next up here, hackers weaponized Claude Code in Mexican government cyber attack. Ten Mexican government bodies and one financial institution were compromised in a recent cyber attack in which, according to researchers at Gambit, over 1,000 prompts were sent to Claude Code to mount the attacks. And that information was also passed to OpenAI's GPT-4.1 for analysis. Here's the kicker, though. The attack bypassed Claude's guardrails by convincing it that all actions were authorized. Pretty classic jailbreak attempt here. I'm filing this under Wallet Inspector Techniques, specifically the Do Anything Now subset. Dan. Sorry for the acronym there. Does this strike you as. Does anything about this? Like, it's a pretty straightforward jailbreak to get some pretty nasty functionality here, Dan. Does any of this just worry you in kind of how this was orchestrated here, or is this par for the course?
B
Par for the course for me. We'll hear more about this, but I think the issue is that the companies building these LLMs are of course not many. And their responses to these sorts of events have always been very quick and very good, and so it won't be the last time. But at the same time, that's not what's worrying me about AI. I'm far more worried about privacy than I am these kinds of stories, because from a real world business perspective, that's where you're more likely to get bit.
A
Privacy in terms of company data getting ingested into public Claude, or?
B
No, it could be anything. Yeah, I mean, just the fact that CCPA, yeah, like CCPA this year is gaining some serious claws. We're moving from a world of consent based with annoying cookie banners to intent based, where what do we assume the agent was wanting to do based on the user? So everything's changing on that front. And from a business conducting standpoint, it's not the security issues that are the problems with AI right now, it's the privacy issues, because the law is far more stringent and that is where the lack of controls is going to show up first. I often challenge CISOs: tell me what your AI incidents actually look like versus what your AI privacy incidents look like, because I bet you they've had next to no AI security incidents, but they've probably had a pile of privacy incidents related to AI.
A
Yeah, that reminded me, I saw someone on LinkedIn talking about this, like, I might have been you, Dan, saying like, everyone, like AI poisoning attacks and techniques and stuff like that always get like front page coverage. But it's like you never will have to worry about that actually, like Claude, like Anthropic has to worry about it, OpenAI has to worry about it, but you actually don't need to worry about that at all. Mark, is there anything in here that is striking you in terms of striking terror into your heart, or are we here?
C
Yeah, color me less than surprised here. You know, I mean, wasn't it just a month ago that people were shocked that someone misused AI and had it actually do a penetration test, you know, that was not ethical. Right. So this has happened before. So I look at this as just another oops. Right? Oops. Our guardrails didn't contain this. And I think that's going to continue to happen. You know, if you read into the story, it does mention that this could be a replay attack. So maybe some of the stuff is not that novel, and being breached, some of this information may have already been out there. So maybe this isn't a deep, sophisticated AI attack. But you know, I think it'll be an interesting one to continue to follow. But you're going to see more of these. Yeah.
B
If you've got a scenario where you're returning back to the era of worms and they're infecting large networks of open bots and you can actually crowdsource these sorts of things, that would be worrisome. But the onesie twosie, not so much.
A
Our last story for today here, AirSnitch attack bypasses Wi-Fi encryption in homes, offices and enterprises. Capitalizing on newly discovered weaknesses in Wi-Fi, AirSnitch variations can work across a broad range of routers. Kind of a class of vulnerabilities. So everything from Netgear, D-Link, Ubiquiti, Cisco, even open firmwares like DD-WRT and OpenWrt are impacted. According to researchers, AirSnitch makes client isolation a thing of the past, allowing anyone on a router or access point to access other SSIDs on the same device. It bypasses worldwide Wi-Fi encryption and it might have the potential to enable advanced cyber attacks, adding that their research physically wiretaps the wire altogether. So the sophisticated attacks will work, creating potential threats to worldwide network security. The researchers do point out, though, that things like wireless VLANs and VPNs could be potential mitigations for this. But Dan or Mark, I'm going to start with you here. You know, I would suggest that we all give up, we just go home. Since, though, maybe we can't just give up on wireless Internet anymore, are we having mom and pop shops setting up wireless VLANs? Is that the solution here?
C
I fully endorse your recommendation. I kid. I kid. No, look, when I read through the article, there's a lot that you could do. There's no silver bullet, there's no update for this. Right. But when I read through it, what gleaned for me is that, wow, this is really a wake up call to continue to have the NOC and the SOC tied at the hip and making sure that your network engineers are involved in this. Because a lot of the things that are read through there is something a network engineer really, really has some appreciation for and can probably take some different steps. Your point on the VPN was well taken. I think also doing some more war walking, you should probably increase the frequency of those types of things and make sure that, you know, there aren't people that are actively trying to, you know, get this information and intercept it and use it, you know, to your disadvantage. So talk with your network teams, folks.
A
Dan, are you, are you walking over to the NOC right now and, and figuring out what's going on here?
B
As an old networking nerd, I love the fact that there's some aspect of the network that still matters in a world of SaaS and cloud.
A
Oh, that, that delights my heart.
B
Yeah, like, you know, hang on, network, you're still, you still matter.
A
You're so sweet. You're so sweet.
B
But I think this, I think Mark and I would take all day long the attack surface, that is our neighborhoods and our cities, city over the rest of planet Earth, that's after us. Right. So I'll take that risk versus the right. Because it all comes down to Vegas odds. What is a CISO these days? We're a business bookie. And the Vegas odds against this versus the other things that we're up against, they're not even in the same conversation. So this is a fun one to talk about and to think about. And I'm with Mark now. You get to talk about the network again and that's oddly enjoyable. Even if there is risk.
C
Yeah, it's probably a good opportunity too. What's the Cisco, something like that. Talk with your vendors that can manage IoT, see if they have some other detections that could be leveraged by your SOC as well for some of this. Because the article does have some rather technical guidance on things to look out for. But you couldn't put a human on that. But you could probably build a detection on that to help you out in the interim.
A
Yeah. Shout out to Ars Technica for some of their write-ups on this. I mean, they did not, they did not skirt the, the details and obviously the, the research papers go way deeper into it. But some really, really good reporting out there on that as well. Before we get out of here, we want to leave, you know, some, some heavy stuff here that we've been talking about today, but maybe let's leave some with some advice for our audience here. Dan, the, the business bookie. I want to ask you if there's one piece of advice based on all the stories that we've had today, something that stands out to you that you would want to share with our audience. They could walk away from maybe being in a better place. Anything strike you from our discussion today?
B
I guess it's going back to our AI conversations. It's both good and bad. But Mark nailed it. Regardless of what your position is, what age you are, what company you're at, that now is the time to understand that there's no hiding from AI, there's no getting away from it, and make yourself viable or don't be surprised by whatever happens. You got to roll with the punches right now. None of us know what's going on, so not necessarily. It's good if you are in as much control as you can be and so attempt to do so.
C
Well said, Mark.
A
Anything you want to leave our audience with?
C
Yeah, I'll, you know, thank Dan for his collaboration here. And as you saw from this, you know, podcast here, we're, you know, amazingly in agreement here. It's not always the case, but use the power of community to get through these news stories, to get through what's important here. Talk with a CISO, phone a CISO, right. And you know, poll, poll your CISO audience, whether you're using Signal or something else, and say, hey, I saw this. How worried should I be? Because, you know, taking any one of these stories, especially this last one, is probably a good hour to digest that and really look through that, and who has that kind of time? So, you know, crowdsource a lot of your reviews of these types of things with the peers that matter and the peers that you trust and we'll get through it all together.
A
I love it. I feel, you know, control what you can control in an uncontrollable world and build community. I think that's pretty great advice to end any show with. Absolutely. Love it. Thank you so much. Dan Holden, the CISO over at Commerce, and Mark Eggleston, CISO. We will have links to their LinkedIn profiles in the show notes, so make sure you give them a follow for lots and lots of excellent takes and wisdom. Maybe ask them a CISO question as well. Thanks also to our sponsor for today, Adaptive Security. Protect your company from deepfake-powered phishing. Remember, you can shoot us an email anytime, feedback@cisoseries.com, if you have some thoughts about what we talked about. If you disagree with some of our Know or Nos, or if you just have a CISO question, we would love to hear from you and feature it on the show. Join us again next Monday, 4pm Eastern, for another edition of the Department of Know. To register for the live show on YouTube, just go to the events page at cisoseries.com. Thank you so much for joining our Monday standup. Hope you have a great week. For myself, for our glorious producer Steve Prentice, for Dan, for Mark, for the big boss man David Spark and the rest of the CISO Series team, here's wishing you and yours a super Sparkly day. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Theme:
This episode dives into the hottest cybersecurity news and trends, including AI’s growing impact in both cyber offense and defense, shifting ransomware economics, the realities of iPhone and iPad device clearance for NATO use, and new Wi-Fi vulnerabilities. The hosts, Rich Stroffolino (moderator), Dan Holden (CISO, Commerce), and Mark Eggleston (CISO, CSC), share practical, sometimes skeptical, and highly security-literate takes on whether the biggest stories are truly game-changers or just headline noise.
A rapid-fire segment assessing whether major current stories warrant further team action or attention.
For more resources and the latest headlines, visit: cisoseries.com