
A
This is Rich Stroffolino with the Department of Know. Jason Taule, CISO at Luminis Health. You know, Christmas is coming, the goose is getting fat. What is your priority this week?
B
Well, you just mentioned it. It's the holidays, so bad actors know that most organizations are downsized. You've got people that are off. So my number one priority is remaining vigilant and making sure that we can't be compromised because of the fact that we've got some people enjoying some well-deserved time off.
A
All right. And Chris Ray, Field CTO at GigaOm, same question for you. Busy time of year. Where are your priorities at this week?
C
Sure. So unlike Jason, I'm no longer frontlines. I don't have to stay awake worrying what's going to happen Christmas Eve or Christmas morning. I get to enjoy the relative solitude of everybody being out of the office so I can deep dive into one of my favorite topics as a researcher, which is XDR. I get to learn a little bit more every year.
A
Fantastic. Taking the time for some deep dives. I absolutely love it. All right, producer Steve, let's get this show underway.
B
From the CISO Series, it's Cybersecurity Headlines.
A
Yes, indeed. Welcome to the Department of Know, your virtual Monday strategy meeting. Our sponsor for today is ThreatLocker. Remember, you can join ThreatLocker for the most hands-on cybersecurity learning event of the year. It's March 4 through 6 in Orlando. We will have some more details about that later in the show. And remember to get involved in our YouTube chat live if you're joining us live. We broadcast every Monday at 4pm Eastern. We hope you can join us one week, and you can email us at feedback@cisoseries.com. Just a quick reminder here that the opinions of our guests are in fact their own, not necessarily those of their employers, friends or family. We've got about 30 minutes, so let's dive in. We've got to start out with our know-or-no segment. There's so much news out there, even during the end of the year here when people are wrapping up. The news does not stop. So we need to know: is this something we're going to be bringing to our staff? Is this worth our time, or are we going to say no thanks? With this, our first one here: a new exploit of React2Shell. This React2Shell story is becoming like a Christmas dinner guest who doesn't know how to leave. A gang has been observed exploiting the React2Shell vulnerability to gain initial access to deploy ransomware in less than a minute, disabling Windows Defender, deploying good old Cobalt Strike and simply moving fast and breaking things. Researchers warn that patching alone isn't enough. You've got to review those logs and telemetry. Jason, I'm going to start with you. Do we need to know a little more about this, or no, thanks?
B
It's not Log4j yet, so I just lump it in with the million other ways that a bad actor could get in. I think if you don't have the appropriate steps in place, you should use this as the pain that drives your enhancements. But if you're doing the basic things that a reasonable-to-advanced security program is doing, you should be all right.
A
Chris, what about you? Know a little more, or no, thanks?
C
I'm going to say know a little bit more. And what's funny about this is, when I saw it, my takeaway wasn't so much about the actual vulnerability as it was about the touching on patching. Like, patching isn't enough. That's cool. You know, what other security fundamentals should we be abandoning? Right? We're already having a hard time.
B
Who needs to segment?
A
Yeah, I love a news story that causes, like, existential reflection about what we're doing, what's worth our time and stuff like that. I mean, that's something we all need to know a little bit more about. Next up here: hackers breach Britain's health service tech provider. DXS International is a UK technology company whose software is widely used by the country's National Health Service, or NHS, as it is known in the United Kingdom. It recently disclosed a cybersecurity incident involving unauthorized access to internal office servers, detected on December 14. The company said the breach was contained and that clinical services remained fully operational. It's not yet known whether NHS patient data was impacted. Its software supports clinical decision-making and referral management for GP practices and handles around 10% of NHS referrals in England. So, Chris, I'm going to start with you. Know a little more, or no, thanks?
C
A little bit more. Hey, guys, we put patient lives on a SaaS platform, so now we're surprised when the attackers find them. Right? You know, I'm not going to say I'm anti-cloud, because I don't think anybody can be in this day and age. But, you know, if you don't have your critical infrastructure dependencies mapped out, if you don't understand data sensitivity, the regulatory cascade, GDPR, HIPAA equivalents, whatever that is, fines multiply and problems grow rapidly. I don't have to tell Jason this. I'm sure he's already kind of ticking boxes in his head.
A
Jason, for you, know a little bit more or no thanks on this one?
B
Oh no, a little bit more. I'm definitely going to agree with Chris on this one. Having spent the better part of the last 30 years in healthcare, people think healthcare is one industry. It's not. We're at least four or five industries that participate together in an ecosystem. Insurance is probably the most mature because they're already in the risk business. The manufacturers, they're not healthcare, they're in the manufacturing business, but they don't understand that they're selling their manufacturing products to a healthcare customer. Hospitals are the least financially able to do everything that they need to do. Yet we're all in this together, and to Chris's point, we've got to distribute the effort. I don't know all of the details, but if part of the reason that the UK system was compromised had something to do with any of the third-party products, I'm talking about biomedical stuff. Anything that's got hardware, software and firmware in it has got to be addressed. And unfortunately not everybody understands it. If you're making a product and you're going to sell it to me in a regulated sector, anticipate that I need to kick some tires, and make it easy. It's not in their best interest to do a one-off, non-standard security questionnaire with me. Come equipped with something: a HITRUST, a SOC, an ISO certificate, whatever it is. Right? And then I think the other thing we need to do, we've already addressed the abstraction question with respect to apps in the cloud through containerization. Why are we still building medical devices with embedded operating systems that cannot be replaced? Right? The medical device does its job just as well today as it did five, ten years ago when we bought it. But I can't continue to use it because it's got an end-of-life operating system. Right? And if you call the vendor, their answer is buy a new one.
Well, sorry, I don't have several billion dollars lying around to buy a new MRI just because the operating system's out of. Right?
C
You touched on something there, Jason. I'm gonna be really quick on this, but I've kind of formulated in my head this theory. I'm going to call it the SaaS healthcare problem. The old model is you breach a hospital, you compromise the hospital. The new model is you breach a vendor, you've compromised an entire healthcare system. The effort is the same or relatively close to the same. The results are an order of magnitude higher.
B
And the other reason, Chris, that I want to know more about this is that the risk calculus that we go through in many other industries is different. You started with patient safety, patient lives. So if you're flying an airplane, you've got lives at stake. And there are other use cases, certainly the Department of Energy with respect to nukes; they operate at a higher level in their risk calculus because the impact is so much greater. We have to recognize that that's true in the healthcare sector as well.
A
All right, our next story here. French authorities have arrested two crew members working on an Italian passenger ferry who were suspected of infecting the ship with malware that could have enabled them to remotely control the vessel. The malware was discovered by the shipping company itself while the ship was docked at the Mediterranean port of Sète, which is located in southern France. File this under the vulnerabilities affecting the Internet of very big things. Chris, I'm going to start with you. Do we need to know a little more, or no, thanks?
C
I'm going to say know a little bit more. The thing that jumped out at me about this is the shipping company found it, kind of indicating maybe vendors don't detect breaches better than the governments or, you know, the organizations. It's a little alarming when we're talking about IoT and OT environments. Physical access can literally be the same as administrative access. And I don't think that's often equated when we're talking IT to OT. Jason, I know you've got some experience with this, with all the medical devices floating around in your environment.
B
I agree. This is definitely something to know more about. And I would also likely take this story and share it up the chain, not just with my technical folks. I'm wired differently. I'll acknowledge that, as most cyber people are, right? You know, I go anywhere, I go to a restaurant or I go to an airport, I'm like, why are you plugging that USB into that? You know that can be compromised, right? You know, I'm looking at all the threats. We go out to dinner. None of us want to sit with our back to the door, right? So here's a boat, it's a ferry. It's got all sorts of opportunities for, you know, malware insertion, and I wouldn't use any of that. I hadn't thought about the compromise to the safety. I mean, just God forbid. Props to GNV for spotting and nuking this thing before it went full Titanic. Right? Because it could have taken the ferry down. I mean, all of these things. I think it was the Dick Cheney AICD case where the public suddenly became aware that if you compromise certain devices, it could have bad outcomes. Well, same thing here. So I don't think most organizations understand the breadth of ways that a bad actor could introduce risk. And none of us have the wherewithal to plug all of those holes, but at least design for it. You know, when you're doing things for the convenience of your passengers, like providing ports for them to plug in. You know, our hotel business center is another perfect example. We all know not to do anything in that context. But why are we not treating this the same? This is an everybody problem. And if the consumers aren't being more demanding, then this is what we're going to get. And it shouldn't take.
A
I'm not supposed to be doing my taxes on that PC in the hotel? Is that a no? No. Okay.
C
You kind of made me think of something there. When we're talking about physical environments, there's this complete absence of thinking things through, like in a zero trust model. In this case, the crew members of the ship, they have legitimate access to these systems, yet there's no trusted actors. I mean, they shouldn't be trusted actors, but they were.
B
I also don't think people understand their role in the kill chain. Not that I kind of hate that expression. But the steps that a bad actor goes through to compromise: you may not be the target. You may simply be the place that's got the data that I can use to give my social engineering attempts greater credibility.
C
Right.
B
Oh, you were riding, you were a passenger on this float, well, I mean, on this ferry. If I knew that information. Remember Kevin Mitnick, who supposedly was the world's most famous actor at a point? The man got confidential information out of Motorola by social engineering, not by his fingers on keyboards.
C
Right.
B
Same thing here.
A
All right, we're going to move on to our next story here. Tom Cotton, Intelligence Committee chairman, wants National Cyber Director Sean Cairncross to take steps to counter the risks of foreign adversaries playing too heavy a role in open source software, seeing the environment as benevolent. He mentioned the compression utility XZ Utils as an example. We covered that when that was breaking, what, a year and a half ago now? I'm curious, Jason, for you, do we need to know a little more about this, or no, thanks?
B
It depends on where you are, depends on your philosophy, whether you use open source. I think there are arguments that can be made both ways. Again, it goes to the risk. What are you using it for? What are you doing with it? What kind of data, what kind of industry? I'd want to know more. I think that there is some strong benefit to using open source. But you need to vet it at the binary level and evaluate what's happening before you put it into your repository of known good stuff, and then make sure it doesn't get changed before you use it again. I don't know that for national security issues we want to be using open source, because of the difficulty of understanding everything. Look, I hate to pick on Microsoft, but there's a reason Xbox is still in the commercial operating system, right? There's however many billions of lines of code in there. But it's so commingled they can't take that out to shrink the attack surface. It's still in there because of the complexity of the code. So how difficult would it be to obfuscate, you know, questionable purposes buried in some obfuscated scripts? You might not be able to suss it out. So I think you need to be a little bit cautious and do a little more digging.
A
Chris, what about you? Need to know a little more about this, or are we all good here?
C
I'm going to say no thanks. You know, senator discovers that free software has a cost: security debt now due in full. I mean, I'm not going to completely say it's not something we want to know, but it's going to be probably one of the last things I really dig into.
A
Yeah, it's one of those things where, it turns out, you look at the biggest contributors to open source, it's always Microsoft every year, right? Where they certainly have a vested interest in not having this become an adversarial hellscape. Not to say they didn't prevent something like XZ Utils. Not to say there aren't challenges with maintainers and stuff like that. Chris, I like where your head is at. It brings my anxiety down. Anytime that happens, that is a good thing. The other thing that brings my anxiety down is thanking our sponsors each and every episode. And now is my time to do just that. A big thank you to our sponsor for this week, and that is ThreatLocker. Want real zero trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain zero trust in real environments. Join us on March 6th through the 4th in Orlando, plus a live CISO Series episode on March 7th, 6th. It will be something to see. Get $200 off with the code ZTWCISO26 at ZTW.com. We will have that in our show notes. All right, let's get into some bigger discussion stories here. First up, US turning to private firms. That was kind of in the air this week, or in the past week. The fiscal year 2026 National Defense Authorization Act passed on Thursday. It did not include the plan for private companies to help carry out offensive cyber operations, as had been rumored prior to passing. This is not to say that it won't become law in some future bill. I guess that's always on the table, despite some not inconsiderable legal barriers there. The plan would expand the government's cyber capacity but raises legal and security risks, since private firms currently lack clear authority to conduct attacks and could become targets themselves. There's a whole series of knock-on effects there.
The strategy that did pass calls for streamlining cyber regulations, modernizing federal systems and accelerating post-quantum security, with more details expected through an executive order or further legislation. Chris, this is an example, like a really great example, of people reporting on the rumor, and then once the actual sausage is made, it looks significantly different. When we hear rumors, I mean, that's a big shift, right? You know, kind of turning to private contractors for offensive operations. How do you process that when you see that? It could have some big impacts, you know, for the industry, let alone individual organizations. How do you process that with your teams when you hear these kinds of rumors that don't pan out?
C
I think it's entirely dependent on the source. And I don't mean specifically the source reporting this. I mean the actual ground truth source. Where did this data come from? Where was this information generated from? In this case, it's the US government. We know anytime a bill is presented, and all the stuff that's put into it, all the bullet points, the headlines that go with it, there's a lot of promises made. But we also know, probably just pulling this number out of my butt, 50% of the time those promises are not delivered. So considering the source on something like this, I would say don't put too much focus on it. Don't spend too many cycles figuring out what you're going to do if this actually happens, until it happens.
B
Yeah, I think I'm going to agree with Chris, and I'm going to probably bump that 50% statistic up even further. Given the current administration, there is a lot of positioning or posturing before the action. So one side of my brain says, don't worry about something until there's something to worry about. However, if you have the opportunity and you're in the right industry, and I guess the word lobby has a bit of a stigma associated with it, but if you can advocate for what you believe our government should be doing, then there is a little bit of a thread I'd like to pull on. Having private firms support US Cyber is nothing new. When I was at General Dynamics, we oversaw the warfighter program. When I was at CSC, we oversaw US Cybercom. So bringing in outside expertise is nothing new. The difference is what is the government doing? Are they still remaining an active participant, or are they abdicating their responsibility? And there is still a big debate over who is better at solving this problem. And frankly, if you're dealing with nation-state actors, we have to have nation-state-level funding on our side that many private firms don't have. Right? I know Congress wants industry to regulate itself. We're not talking about the compliance issue. We're not talking about giving assurances to individual patients and customers who engage our businesses because they need respect for the data they're entrusting us with. We're not talking about that; it's at a different level. When you're talking about national security, it is, look, we are in an economic war, and I use that word carefully, but a battle for resources that are diminishing. Right? And the United States is one of the few, if only, nations in the world where we have this moral dilemma, because our business and our cyber folks are not together as one. Almost every other country, they've nationalized security.
And if there is something that a competing company in another country is doing that is of interest to one of their national companies, they're going to share that with us.
A
Right.
B
The NSA is listening to a lot of these conversations, but they're not calling Chris or me up going, hey, we want you to win this bid, or this or this, whatever, you know, against your adversaries. Here's some information you can use. And that's where we're at a disadvantage. So government definitely needs to remain engaged. And if they're thinking about, you know, we zero-budgeted the CVE program? Are you kidding me? Right? So I'm just saying there needs to be some involvement. And if that is the decision that they want to make, because frankly we don't have the money to fund everything, I would advocate that the trade conversation is not a separate conversation. The tariffs and cyber are the same conversation. And I'm hoping there's somebody in Mr. Trump's orbit that will respectfully encourage him to see it from that perspective.
A
Well, Chris, go ahead.
C
You know, I was just going to jump in. As you were saying these things, Jason, I'm thinking to myself, what if this actually happened? You know, like, what are the knock-on effects? What are some of the outliers? Because that's how my brain works. I want to find the things that are on the edges that no one else might be thinking about, because those are probably the things that come back and bite you in the butt. So one of the first ones is, you know, when your security vendor becomes a combatant, what does that do to their SLA? You know, there's these ethical concerns we've got. Let's say it's an EDR vendor. Not going to say any names, but there's some offensive companies out there that also have an EDR product. Where does their threat intelligence come from? It's no longer defensive only. I mean, are they gathering threat intel from the actions that they're performing on behalf of the U.S. government?
A
I don't know.
C
Is that ethical?
A
I don't know.
C
There's things like that that kind of make me wonder. Jason, you probably have a better idea. I haven't dealt too much in this insurance coverage. I think cyber policies exclude acts of war, right? Your vendor's government work?
B
There were a lot of people that were concerned because they saw the actions President Trump was taking, I think because he is able to do more things in terms of powers if we are in a time of war, that he might have been pursuing without. I don't mean kinetic war. We could have been in a drug war. We could have been in a cyber war. There's lots of ways to get those powers. And I think that was, to a lot of people, the direction he was moving in, which, to your point, might have excluded coverage for a lot of us who have that exclusion in our insurance policies.
A
All right, our next story here. NIST tried to take down NTP servers after a blackout caused atomic clock drift. There are some headlines I just love reading. That's just going to go down; I'm writing that in my journal today, so thank you for that. And that is, of course, producer Steve's favorite story of the week. It gives new meaning to the expression, where does the time go? Jeffrey Sherman, a NIST supervisory physicist who maintains the institute's atomic clocks, acknowledged in a mailing list post that he tried to disable backup generators powering some of its network time protocol infrastructure after a storm-related power outage in Boulder, Colorado that went on for several days. NIST uses its atomic clocks to provide a network time protocol service which much of the computing world relies on to synchronize events. He wasn't able to simply turn the main system off and back on again due to backup generators that automatically kick in to keep the servers running. People may not recognize just how important a synchronized time system is, but we saw China saying there was an attempt to hack theirs a couple of weeks back. So there's a lot to the story here that makes people worry a little bit about how vulnerable the time system seems to be. I think we saw what, like a 5 nanosecond drift. It was like the main knock-on effect of that. Not too much of a concern unless you're running scientific tests, but computers run on clocks. Jason, I'm curious, how did this story strike you?
B
I definitely want to know about this. Now, we are fortunate that we already have, we're not putting all of our eggs in one basket. We've got multiple sources for time. For your audience who may not understand this, the reason for synchronization is: has anybody ever gotten a parking ticket, a speeding ticket, right? And it said 2am and you were there at 2pm. You go to court and you say I wasn't there at that time. You get off, you don't have the ticket, right? Well, that's the same thing when you want to prove something in court. If you want to hold people accountable or take advantage of legal remedies, you have to have all of your different data across logs. If you're going to correlate with physical activity from a badge reader or a camera, all of that has to happen, and it only takes one time. Years ago we had an older system that, during the daylight savings time change, didn't make the change. So for a lot of our stuff it was off by exactly an hour. So we knew what it was, but this happened and this happened an hour later, and we couldn't prove the case because of that. So you definitely want to use multiple sources. Bottom line, cyber doesn't care whether it's a hacker or disk full or self-inflicted bad script or Mother Nature. Down is down. And increasingly this is all about resiliency, especially in a healthcare setting. I don't know of many other vertical sectors where you have a required minimum downtime. Hospitals are required to provide care to their patients absent tech, absent power, and frankly even whether your customers can pay. Where do I sign up for that business, right?
C
Paper procedures. I've been there. So one of the things I'm thinking about here, and this is kind of rhetorical and funny all at the same time, is: when was the last time you tested your NTP failure scenarios?
B
No, within the last year.
A
Ah, okay.
C
Well, good on you, Jason.
B
You know, it's, in this case we had a peripheral event that caused us to do that, but it since got added to our regular annual
C
schedule. And that's typically how these things kind of pop up: unless you've experienced a specific scenario which caused an outage which caused something, it's not going to be on your radar. You know, what are the dependencies on NTP? What needs NTP in order to function?
B
If you'll allow me, I want to take this point to foot-stomp what Chris is saying. Increasingly all industries are making greater use of the cloud. And I'm not a Luddite, I'm a huge adopter. I'm not saying that the cloud is bad. In fact, for most organizations the cloud is probably more security at better economies of scale than you can do on your own. The problem is, the cloud has good resiliency objectives: high availability, load-balanced clusters and multiple geographies that automatically fail over. The problem's getting to the cloud. The Internet still is a single point of failure. We've got single points of failure in DNS. Increasingly we have people that are working from home, and they're using home Internet providers meant for entertainment purposes only, without a service level agreement. In a hospital, we often are dependent on local municipalities, county governments for priority access to power and Internet. Nothing against county governments, but they're the least well funded, least well staffed of all forms of government. Right? And if somebody accidentally has a fiber cut, and yes, even in 2025 that can still happen. You know, that's the 1980s example of why you needed resiliency. That is something we need today. So yes, move to the cloud, but make sure you've got multiple ISPs, you've got cellular backup. You know, you really need to design it. Presume, I'm tech support like most of us for my family, when your kids say, Dad, I can't download a several-gig-sized movie through the air instantly in two seconds onto my phone, I'm like, the fact that any of that works as well as it does, as often as it does, is nothing short of miraculous. Don't presume it's, you can't presume it's going to work. You've got to build in that resiliency.
C
So I'm going to just real quickly expand on that whole idea. So you've done this. You've diversified your trust. You have multiple NTP sources. That's good. What about multiple DNS resolvers? Most places, yeah. What about multiple CAs, you know, signing? Kind of getting on the thin edge there. Now, have you mapped your foundational dependencies? What breaks if DNS or NTP or your CA is offline? And then the last one: how many of your security controls, your processes, your procedures are dependent on working Internet? For a lot of places, it's probably all of them. Right? What happens if that isn't available? What do you do?
B
Right. So AI is now everybody's big worry. But six months ago we were still talking about quantum, right? And if that happens, if crypto gets broken and you're not adopting quantum-safe crypto methodologies, we're all back to paper, right? You know, so, I mean, these are serious issues that we're talking about here. And then we've already got the CA/Browser Forum that said that digital certs are going to, their lifetime is going to drop to 47 days in a couple of years. If you're not, you're not going to be able to change every. Basically, it means you've got to rotate your certs once a month. You're not going to do that manually if you're an organization of any size. You've got to begin to identify that. So for all of those things, I'm not saying make investments in new solutions, but to your point, be ready to understand if that thing happens. Do you have an inventory? Do you have an understanding of what your dependencies are, and what things you need to fix versus what things your vendors need to be fixing? Those are the questions. It's all about that readiness.
C
I just want to point out one thing, because I've heard this argument made before. The argument is, if the Internet's unavailable, if the Internet's down, then we have bigger problems. Well, no, it could just be down for you. The attackers may still very well be online.
A
Before we move on to our last story here, and Chris, thank you for giving us that word of wisdom to get us out of Veyron. I would highly recommend, if you want some more details about kind of the blow-by-blow of what was happening with NIST and stuff like that over the last couple of days, Jeff Geerling put together like a five-minute video that goes into really the nuts and bolts, how the alternative systems, backups and stuff that they were doing, kind of what the timekeeping community is responding to this with. Definitely worth your time. And we'll provide a link to that in the show notes as well. Gotta get onto our last story here, though. Former cyber incident responders plead guilty to ransomware spree. Former cybersecurity professionals Ryan Goldberg and Kevin Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks. They used their positions to collaborate with an unnamed co-conspirator to attack victims' computers and networks and used ALPHV, or you may know it as BlackCat ransomware, to extort payments. This raises that issue of, hey, should we be applying zero trust to employees, not just vendors? Chris, I'm curious. The people that are supposed to be helping you are hurting you. Classic insider threat. What else can we glean from this?
C
You know, when your incident responders turn threat actors, that's when the call is coming from inside the SOC. You know, so my takeaway from this is they knew everything. And just because they're in trouble doesn't mean there's three more just like them, or 30 more, 300 more just like them. They know your detection blind spots. They know your response procedures. They know your backup strategies. They know your communication gaps. They understand your trust model. They were part of that trust model. Right? So how do you overcome that? How do you protect yourself from that in the future? It's more of a rhetorical question at this point, because this is an extreme edge case that I don't think anybody plans for. But you still need to have an idea of what to do.
B
I'm not sure it's an extreme edge case, Chris. I don't know how often it gets reported. The fact that it got reported is a little bit unusual, but I don't think there's anything new here. Before computers, we had agents and double agents, all of that, where that's essentially what this is. The adage "it takes a thief" comes from this old school mentality. I think the problem is we rely on outdated background investigation methodologies. Right? You're going to talk to my neighbor. My neighbor doesn't know me, right? They moved in. I'm one of the first owners in this neighborhood. They moved in five, 10 years ago. I think I've met them twice. They don't know me, right? And yet they're going to be the one to vouch for me. And then what about the problem when you're dealing with non-US nationals? How do you do that? They don't have a Social Security. You're not going to find any results. You know, you're going to talk to another nation state to say, are their credentials bona fide? Well, what's to keep that nation state from lying to you? Right? I mean, this is really an issue. And then the worst problem is I often hear this question about which is the bigger threat, the insider threat or the outsider threat. There is no outsider threat. All outsiders compromise insider credentials. The call's always coming from inside the house. Right. So I think you really need to look at separations of duties. Right? I mean, there's nothing here that we haven't solved for previously. Again, you know, I think of, I spent time in Y-12 down in Oak Ridge, all of the controls that handle nukes. You know, you picture the guy in the silo where there's a guy over here with a key and another person over here, and they physically are so far apart you can't turn both keys at once. We've solved for this. We just don't go to those lengths in other industries where, again, in our head, we don't think the risk is there.
And I think articles like this are useful in helping us elevate the fact that maybe the risk calculus is a little bit flawed and worth revisiting.
A
And also, how cool is it to be able to turn the key at the same time? Like, we've all wanted to do that too, right? Like, let's not lie to ourselves. Well, and the other aspect of this is, I mean, kind of like the other side of the coin, is that was kind of one of the themes of this year, right, in terms of emerging threats or threats that are getting more attention: if you're not going to have insiders getting recruited by ransomware gangs, you hired North Koreans that are working within your organization, or, you know, choose from threat actor deepfake threats. I mean, Jason, to your point about outdated background checks, I mean, you know, we have machines now that, that's their sole job, is to create passable credentials for people.
B
If I wanted to break into an organization, I would figure out where their headquarters is or where their IT folks are. Most IT folks have frustration at what they deal with as part of their job. Many of those people express frustrations in a shared therapy session called a bar. And if I go and I hang out and I can just listen, I can quickly figure out which company they're talking about. All I need to do is befriend one of them and say, I'm gonna help you out. Or, hey, you know what? If you open this email that I'm gonna send you, I'll pay you 500 bucks. That's not, you know, boom, I'm in. Right?
C
Tesla.
B
Right, right, right. So, you know, again, there's nothing here we haven't solved for. It's just a question of whether you want to incur the cost because you believe that the impact is so severe. And that's up to each organization to decide for themselves. But there's nothing new here. The only thing I'd say is don't do the background investigations yourself. Looking at LinkedIn, that's not a background investigation. Use a pro.
A
All right, well, before we get out of here, I got to ask. Chris, I'm going to start with you. You covered a lot of ground here, a lot of big, thorny issues here. I guess, what advice would you have for your security team or for our audience in terms of what we can pull, like some good, positive advice we can pull from the news from the past week?
C
So every one of these stories has a common thread. I think the assumptions we built our security programs on are obsolete. Trusted parties betray us. Static defenses fail against dynamic adversaries. That whole thing, foundational infrastructure fails. Thank you, NTP. The only winning move is to assume everything fails and build resilience accordingly.
A
Trusted parties betray us would also make a sweet emo cybersecurity album. I'm just going to put that out there and will that into the world. Jason, for you, what advice can we take away from the news this past week?
B
I think the movie was WarGames where we, through the game of tic-tac-toe, taught that version of what's now AI that there is no winning. You can't win. Right. With respect to nation states, most of us, if they want in, they're in. In fact, I would disclaim that so that your leadership or your board doesn't have the expectation that your program is even, you know, funded to even start that battle. Right. The rest of it is the role that I've been focusing on most of my career, which is that it's not my job to say yes or no. It's my job to inform the conversation. As the CISO, it's okay for our leaders, be it a government, be it an organization, to say yes or no to things, to choose to accept risks or not if they're aware of them. It's not okay to accept a risk because they are accepting it by default because they're not aware that it exists. So that's really our role, and that's where you can use stories like this. If they resonate with your leadership or your board, you share them with them and start the conversation. Well.
A
Thank you to both of you. Some great advice to go into the holiday season with, I think, here. Thank you so much. Jason Tall, CISO at Luminous Health, and Chris Ray, the Field CTO at GigaOm. We will have links to both of your LinkedIn if you want to do a background check. Just kidding, for both of them, and make sure they're not actually North Korean defects. Thanks also to everybody that was checking us out live. I know everybody's busy right now, but Flanders can find the true two and the big boss man, David Spark, all get involved in our chat. So anybody that was just watching, lurking in the background, having us on and having a good time while you enjoy what may be a short week for you, hope you got some wisdom here and something you can take to your teams, maybe spark some interesting conversations. Thanks also to our sponsor for this week, ThreatLocker. Remember to join ThreatLocker for the most hands-on cybersecurity learning event of the year. That's March 4th through the 6th in Orlando. And remember to look for our show notes for more details on that. You can send us feedback at feedback@feedbacksoseries.com. We would love to hear from you. And remember, we'll be back Monday at 4pm Eastern for another edition of the Department of Know. We always have more details about that on our events page at cisoseries.com. Thanks for joining for your Monday standup. For myself, for our producer Steve Prentice, our glorious producer, for the big boss man David Spark, and for all of us here at the CISO Series, here's wishing you and yours a super sparkly holiday.
B
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Episode Title: President signs defense bill, time flies at NIST, Italian ferry malware
Date: December 23, 2025
Host: Rich Stroffolino
Guests: Jason Tall, CISO at Luminous Health; Chris Ray, Field CTO at GigaOm
A virtual Monday cybersecurity strategy meeting discussing the week’s top security news and their practical implications. This episode covers: the passage of the U.S. defense bill with implications for public-private offensive cyber cooperation, evolving infrastructure threats (from atomic clock outages to medical and maritime systems), ongoing challenges in supply chains and insider threats, and strategies to build resilient organizations amid dynamic risks.
"My number one priority is remaining vigilant and making sure that we can't be compromised because of the fact that we've got some people enjoying some well deserved time off."
"It's not log 4J yet... if you're doing the basic things... you should be all right."
"My takeaway wasn't so much about the actual vulnerability as much as it is about the touching on patching. Like patching isn't enough—that's cool. You know, what other security fundamentals should we be abandoning?"
"Hey guys. We put patient lives on a SaaS platform, so now we're surprised when the attackers find them."
"If you're making a product and you're going to sell it to me in a regulated sector, anticipate that I need to kick some tires and make it easy."
"Physical access can literally be the same as administrative access. And I don't think that's often equated when we're talking IT to OT."
"I would also likely take this story and share it up chain, not just with my technical folks... Props to GNV for spotting and nuking this thing before... it could have taken the ferry down."
"I don't know that for national security issues that we want to be using open source because the difficulty of understanding everything."
"Senator discovers that free software has cost security debt now due in full... going to be probably one of the last things I really dig into."
"Where did this data come from?... there's a lot of promises made... Don't put too much focus on it. Don't spend too many cycles figuring out what you're going to do if this actually happens. Until it happens."
"Bringing in outside expertise is nothing new... The difference is what is the government doing? Are they still remaining an active participant or are they abdicating their responsibility?"
"When your security vendor becomes a combatant, what does that do to their SLA?"
"Insurance coverage. I think cyber policies exclude acts of war. Right? Your vendors, government work."
"For your audience who may not understand this, the reason for synchronization is... if you want to hold people accountable or take advantage of legal remedies, you have to have all of your different data across logs... all of that has to happen."
"Cyber doesn't care whether it's a hacker or disk full or self-inflicted bad script or Mother Nature. Down is down."
"This is kind of rhetorical and funny... when was the last time you tested your NTP failure scenarios?"
"If the Internet's down, then we have bigger problems. Well, no, it could just be down for you. The attackers may still very well be online."
"When your incident responders turn threat actors, that's when the call is coming from inside the SOC... They knew your detection blind spots. They know your response."
"I'm not sure it's an extreme edge case, Chris... There is no outsider threat. All outsiders compromise insider credentials. The call's always coming from inside the house."
"You really need to look at separations of duties... We've solved for this. We just don't go to those lengths in other industries where... we don't think the risk is there."
On IoT/OT Convergence (about ferry malware):
"Physical access can literally be the same as administrative access." — Chris Ray [07:38]
On Threats from Cloud & SaaS:
"Breach a vendor, you've compromised an entire healthcare system. The effort is the same or relatively close to the same. The results are an order of magnitude higher." — Chris Ray [06:19]
On Insider Threats:
"The call's always coming from inside the house." — Jason Tall [29:43]
On Risk Management:
"It's not my job to say yes or no. It's my job to inform the conversation... It's not okay to accept a risk because they are accepting it by default because they're not aware that it exists." — Jason Tall [34:04]
Philosophical Reflection:
"The assumptions we built our security programs on are obsolete. Trusted parties betray us. Static defenses fail against dynamic adversaries... The only winning move is to assume everything fails and build resilience accordingly." — Chris Ray [33:26]
"With respect to nation states, most of us, if they want in, they're in... It's not my job to say yes or no. It's my job to inform the conversation." — Jason Tall [34:04]
This "Department of Know" episode offered a lively, practical, and at times philosophical survey of current cybersecurity headlines, including major policy changes, new forms of infrastructure threats, the hard reality of supply chain and insider risks, and the evolving threat landscape for healthcare and critical infrastructure. Both guests stressed the inevitability of failure, whether in controls, trust models, or technologies, and underscored the need for resilient architectures, risk-appropriate management, continual scenario testing, and vigilant communication up the chain. The conversation maintained a candid, occasionally wry tone, balancing actionable recommendations with industry wisdom and memorable analogies.