Cyber Security Headlines: Department of Know
Episode Title: President signs defense bill, time flies at NIST, Italian ferry malware
Date: December 23, 2025
Host: Rich Stroffolino
Guests:
- Jason Tall, CISO at Luminous Health
- Chris Ray, Field CTO at Gigaom
Main Theme
A virtual Monday cybersecurity strategy meeting discussing the week’s top security news and their practical implications. This episode covers: the passage of the U.S. defense bill with implications for public-private offensive cyber cooperation, evolving infrastructure threats (from atomic clock outages to medical and maritime systems), ongoing challenges in supply chains and insider threats, and strategies to build resilient organizations amid dynamic risks.
Key Discussion Points & Insights
1. Holiday Security Vigilance
- [00:10] Jason Tall: Emphasized the importance of heightened awareness during the holiday season, as adversaries exploit reduced staff presence.
"My number one priority is remaining vigilant and making sure that we can't be compromised because of the fact that we've got some people enjoying some well deserved time off."
- [00:34] Chris Ray: Appreciated the downtime for research, focusing on deep dives into XDR (Extended Detection and Response), highlighting the value of learning during quieter operational periods.
2. Noteworthy News Segment: "Know or No"
a. REACToshell Ransomware Exploit
- [01:20] The exploit allows attackers to gain access and deploy ransomware in under a minute, illustrating how patching alone isn’t sufficient—log and telemetry review are needed.
- [02:29] Jason Tall:
"It's not Log4j yet... if you're doing the basic things... you should be all right."
- [02:52] Chris Ray:
"My takeaway wasn't so much about the actual vulnerability as much as it is about the touching on patching. Like patching isn't enough—that's cool. You know, what other security fundamentals should we be abandoning?"
b. UK NHS Tech Provider Breach
- [03:48] DXS International breach's impact on NHS operational integrity and patient data.
- [04:10] Chris Ray:
"Hey guys. We put patient lives on a SaaS platform, so now we're surprised when the attackers find them."
- [04:45] Jason Tall:
Outlined healthcare's layered ecosystem and the risks of unsupported, embedded systems in medical devices. "If you're making a product and you're going to sell it to me in a regulated sector, anticipate that I need to kick some tires and make it easy."
c. Italian Ferry Malware
- [07:12] Discovery of malware on a passenger ferry’s systems, possibly intended to allow remote control of the vessel.
- [07:38] Chris Ray:
"Physical access can literally be the same as administrative access. And I don't think that's often equated when we're talking IT to OT."
- [08:09] Jason Tall:
"I would also likely take this story and share it up chain, not just with my technical folks... Props to GNV for spotting and nuking this thing before... it could have taken the ferry down."
d. Foreign Influence in Open Source Software
- [10:48] U.S. officials concerned about foreign adversaries influencing open-source projects (e.g., XZ Utils).
- [11:15] Jason Tall:
"I don't know that for national security issues that we want to be using open source because the difficulty of understanding everything."
- [12:25] Chris Ray:
"Senator discovers that free software has cost security debt now due in full... going to be probably one of the last things I really dig into."
3. In-Depth Discussion Topics
a. U.S. Defense Bill and Private Sector in Cyber Offense
- [14:10] Passage did not authorize direct involvement of private firms in offensive cyber ops, refuting earlier rumors.
- [15:15] Chris Ray:
"Where did this data come from?... there's a lot of promises made... Don't put too much focus on it. Don't spend too many cycles figuring out what you're going to do if this actually happens. Until it happens."
- [15:57] Jason Tall:
"Bringing in outside expertise is nothing new... The difference is what is the government doing? Are they still remaining an active participant or are they abdicating their responsibility?"
- [18:33] Chris Ray: Raised questions of ethics and operational risk if security vendors become "combatants":
"When your security vendor becomes a combatant, what does that do to their SLA?"
- [19:24] Chris Ray:
"Insurance coverage. I think cyber policies exclude acts of war. Right? Your vendors, government work."
b. NIST Atomic Clock/NTP Outage
- [20:14] NIST's attempt to take down NTP servers after a blackout highlights dependencies on core infrastructure.
- [21:36] Jason Tall:
"For your audience who may not understand this, the reason for synchronization is... if you want to hold people accountable or take advantage of legal remedies, you have to have all of your different data across logs... all of that has to happen."
"Cyber doesn't care whether it's a hacker or disk full or self-inflicted bad script or Mother Nature. Down is down."
- [23:07] Chris Ray:
"This is kind of rhetorical and funny... when was the last time you tested your NTP failure scenarios?"
- [25:37] Jason Tall: Advocated for cloud adoption but warned about the real-world fragility of internet and DNS as single points of failure.
- [27:16] Chris Ray:
"If the Internet's down, then we have bigger problems. Well, no, it could just be down for you. The attackers may still very well be online."
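The time-synchronization point in this segment (logs from different systems only correlate if their clocks agree, and NTP failure is something to test for rather than assume away) as an added example, not code from the episode or its guests: a small Python check that estimates each host's clock offset from a shared event the reference host also logged, flags hosts that have drifted, re-bases their timestamps for correlation, and parses `chronyc tracking`-style output to decide whether a host is still usably synchronized. The host names, events and chrony output are constructed samples.

```python
"""Clock-skew checks (added example; constructed sample data, not from the episode).

1. estimate_offsets: derive each host's clock offset from events that both the
   host and a trusted reference host logged, so drifted hosts can be flagged and
   their timestamps re-based for correlation.
2. parse_chrony_tracking / ntp_healthy: read `chronyc tracking`-style output and
   decide whether the host is synchronized within tolerance.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: one VPN login as seen by three log sources.
# The SIEM collector is the trusted reference; fw-edge-02's clock has drifted.
CONSTRUCTED_EVENTS = [
    {"host": "siem-collector", "event_id": "login-7f3a", "ts": "2025-12-23T14:02:11Z"},
    {"host": "vpn-gw-01",      "event_id": "login-7f3a", "ts": "2025-12-23T14:02:12Z"},
    {"host": "fw-edge-02",     "event_id": "login-7f3a", "ts": "2025-12-23T13:47:10Z"},
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def estimate_offsets(events, reference_host):
    """Return {host: seconds}; positive means the host's clock runs ahead of the
    reference. Each host's offset is the mean over all events it shares with it."""
    ref = {e["event_id"]: _parse_ts(e["ts"]) for e in events if e["host"] == reference_host}
    deltas = {}
    for e in events:
        if e["host"] == reference_host or e["event_id"] not in ref:
            continue
        delta = (_parse_ts(e["ts"]) - ref[e["event_id"]]).total_seconds()
        deltas.setdefault(e["host"], []).append(delta)
    return {host: sum(d) / len(d) for host, d in deltas.items()}


def drifted_hosts(offsets, max_skew_seconds=5.0):
    """Hosts whose estimated offset exceeds the tolerance (e.g. for an alert)."""
    return sorted(h for h, off in offsets.items() if abs(off) > max_skew_seconds)


def normalise_timestamp(host, ts, offsets):
    """Re-base a host's timestamp onto the reference clock so it can be correlated."""
    return _parse_ts(ts) - timedelta(seconds=offsets.get(host, 0.0))


# Constructed `chronyc tracking` output for a synchronized host.
CONSTRUCTED_CHRONY_OK = """\
Reference ID    : C0A80001 (ntp.example.internal)
Stratum         : 3
Ref time (UTC)  : Tue Dec 23 14:02:11 2025
System time     : 0.000184276 seconds slow of NTP time
Last offset     : -0.000056123 seconds
RMS offset      : 0.000213450 seconds
Frequency       : 12.345 ppm fast
Residual freq   : +0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.001234567 seconds
Update interval : 64.3 seconds
Leap status     : Normal
"""

# Constructed output for a host that never reached a usable time source.
CONSTRUCTED_CHRONY_LOST = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised
"""


def parse_chrony_tracking(text):
    """Extract stratum, leap status and signed system-time offset (seconds, + = fast)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # first colon only; the time fields contain more
        fields[key.strip()] = value.strip()
    m = re.match(r"([\d.]+) seconds (fast|slow) of NTP time", fields.get("System time", ""))
    offset = None
    if m:
        offset = float(m.group(1)) * (1 if m.group(2) == "fast" else -1)
    return {
        "stratum": int(fields.get("Stratum", "0")),
        "leap_status": fields.get("Leap status", ""),
        "offset_seconds": offset,
    }


def ntp_healthy(tracking, max_offset_seconds=0.5):
    """Synchronized, with a valid stratum and an offset inside the tolerance."""
    return (
        tracking["leap_status"] == "Normal"
        and 1 <= tracking["stratum"] <= 15
        and tracking["offset_seconds"] is not None
        and abs(tracking["offset_seconds"]) <= max_offset_seconds
    )


if __name__ == "__main__":
    offsets = estimate_offsets(CONSTRUCTED_EVENTS, "siem-collector")
    print("offsets:", offsets, "drifted:", drifted_hosts(offsets))
    print("ok host healthy:", ntp_healthy(parse_chrony_tracking(CONSTRUCTED_CHRONY_OK)))
    print("lost host healthy:", ntp_healthy(parse_chrony_tracking(CONSTRUCTED_CHRONY_LOST)))
```

Running the offset estimate periodically over a known shared event (a scheduled heartbeat works as well as a login) is one cheap way to exercise the "when did you last test your NTP failure scenario" question: a host whose upstream time source went away shows up as drift long before anyone notices that its logs no longer line up.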
c. Insider Threats: Ransomware from Responders
- [28:40] Former cybersecurity professionals pleaded guilty to perpetrating ransomware attacks while employed as responders.
- [28:57] Chris Ray:
"When your incident responders turn threat actors, that's when the call is coming from inside the SOC... They knew your detection blind spots. They know your response."
- [29:43] Jason Tall:
"I'm not sure it's an extreme edge case, Chris... There is no outsider threat. All outsiders compromise insider credentials. The call's always coming from inside the house."
"You really need to look at separations of duties... We've solved for this. We just don't go to those lengths in other industries where... we don't think the risk is there."
Notable Quotes & Memorable Moments
- On IoT/OT Convergence (about ferry malware):
"Physical access can literally be the same as administrative access." — Chris Ray [07:38]
- On Threats from Cloud & SaaS:
"Breach a vendor, you've compromised an entire healthcare system. The effort is the same or relatively close to the same. The results are magnitude order of magnitude higher." — Chris Ray [06:19]
- On Insider Threats:
"The call's always coming from inside the house." — Jason Tall [29:43]
- On Risk Management:
"It's not my job to say yes or no. It's my job to inform the conversation... It's not okay to accept a risk because they are accepting it by default because they're not aware that it exists." — Jason Tall [34:04]
- Philosophical Reflection:
"Trusted parties betray us. Static defenses fail against dynamic adversaries... The only winning move is to assume everything fails and build resilience accordingly." — Chris Ray [33:26]
Timestamps for Major Segments
- 00:00–00:53 Holiday security priorities
- 01:06–03:16 News headlines: REACToshell exploit
- 03:16–06:46 NHS tech provider breach and SaaS in healthcare
- 07:12–10:10 Italian ferry malware and OT risks
- 10:48–12:40 Open source software and foreign influence
- 14:10–20:14 U.S. defense bill, public-private cyber ops, and its implications
- 20:14–27:36 NIST NTP outage: dependencies, resiliency, and systemic risk
- 28:40–33:08 Insider threats: IR teams gone rogue
- 33:08–35:04 Closing advice and philosophical takeaways
Closing Advice (Takeaways)
- Chris Ray:
"The assumptions we built on our security programs are obsolete. Trusted parties betray us. Static defenses fail against dynamic adversaries... The only winning move is to assume everything fails and build resilience accordingly." [33:26]
- Jason Tall:
"With respect to nation states, most of us, if they want in, they're in... It's not my job to say yes or no. It's my job to inform the conversation." [34:04]
Summary
This “Department of Know” episode offered a lively, practical, and at times philosophical survey of current cybersecurity headlines including major policy changes, new forms of infrastructure threats, the hard reality of supply chain and insider risks, and the evolving threat landscape for healthcare and critical infrastructures. Both speakers stressed the inevitability of failure—whether in controls, trust models, or technologies—and underscored the need for resilient architectures, risk-appropriate management, continual scenario testing, and vigilant communication up the chain. The conversation maintained a candid, occasionally wry tone, balancing actionable recommendations with industry wisdom and memorable analogies.
