
A
This is Rich Stroffolino with the Department of No. Jason Elrod, CISO at MultiCare Health System. I gotta ask, what has been your priority this week?
B
Wow. If it isn't dominated by the Mythos drama, it is all about the upcoming HIPAA Security Rule changes in 2026 and my brand new favorite, which I think we're gonna talk about today, CI Fortify.
A
Yes. Yes. Oh, so many, so many wonderful things to fill the mind palace of your brain. I just... It's truly glorious. Truly glorious. I hope Jonathan Waldrop, the CSO over at Acoustic, has had a similar priority-laden week. Jonathan, where has your mind been at this week?
C
Oh, man. Definitely. We're in the throes of the middle of the quarter. Not nearly as interesting as what Jason's got going on. But we're not at the beginning of the quarter, so nobody's excited about it. And we're not at the end of the quarter yet, so nobody's rushing to finish all those projects. So we're right in that kind of dead zone in the middle, trying to keep things on track. Keep it.
A
It's not too late. You can jump on the Mythos hype train. Don't worry.
C
It's true. That's true. And Mythos.
A
Yes. Yeah, of course you have to say that. Dot, dot, dot. And Mythos, for all CISOs, for all time. All right, producer Josh, we got everything. We got everything prioritized. Now let's run that open again into
C
the show from the CISO Series.
B
It's the Department of No.
A
Hey everybody. Welcome to the Department of No, your virtual Friday strategy meeting. And I'm going to even say a debrief here this week. We are super excited. We've got some fantastic guests, and we have a fantastic sponsor helping make the show possible. Vanta, thank you for supporting the show. We'll talk about them more later. Remember, if you want to get involved in our YouTube chat, you can if you're on YouTube and watching us live. We're broadcast every Friday at 4pm Eastern. If you're watching us later, I guess you could leave a comment. I have no way of really seeing it or responding to it now, and I'm not going to respond to ones from last week. It gets into a whole "time is linear" thing I don't have time to get into. But feedback@cisoseries.com for more of the async communication, if that is your bag. Before we get to the news, just a quick reminder that the opinions expressed by our guests are in fact their own, not necessarily those of their employer. So keep that disclaimer in mind at all times. You are now legally required. We've got about 30 minutes, so let's dive into our No or Know segment. This is where there was so much news, so much going on, we need to jump through some stories quickly and find out if these are things you should be bringing to your security teams. First up here, I saw someone making a ton of waves. I was scratching my head a little bit, so I need some help unpacking this. Google Chrome installs 4 gigabyte AI model on devices. Computer scientist and lawyer Alexander Hanff reports that recent versions of Google Chrome automatically download a roughly 4 gigabyte Gemini Nano AI model to user devices without explicit consent when default AI features are enabled. He says the file installs silently and can be redownloaded after deletion. Hanff argues the behavior may violate privacy laws and cause increased power usage, and calls for an opt-in prompt. Jason, I'm going to start with you here. Google updates Chrome all the time.
We don't usually bat an eye when it downloads a thing, and we don't necessarily get consent here. But do you think there's more about a local AI model install that we need to dig deeper into? Or is this a "no thank you" for you?
B
I'm going to go with a nothing burger here. Okay, so we do need to know more about it and should definitely have an opt-in here, but this really hasn't earned the airtime in my weekly stand-up. For instance, this is just Google updating something with its latest AI. Apparently, if this is a surprise to anybody, they don't run any kind of Microsoft operating system.
A
Yes, I was going to say, I mean, people were angry about Windows 11 adding all this stuff, but, like, no one was asking for, I guess, explicit consent for this. It was just: we're at the behest of Microsoft, we're at the behest of Google with Chrome. Jonathan, I'm curious, are you of the same vein, or does this maybe rise a little higher in your book?
C
Wait, are we saying that when you download things from the Internet, there's fine print to read and there's other fluff that you didn't know you were downloading that you should go look through to see what you're downloading? I'm surprised that we're surprised, frankly. Right. To me, I agree with Jason. This is kind of a, like, yeah, I probably just assumed that that was already happening anyway. I don't mean to dismiss some of the privacy concerns, and there was an environmental aspect to it if, you know, everybody starts running these models locally and all that kind of stuff. So I think it's good to be aware of. But yeah, this is not taking up any cycles in my week this week.
A
I will say, as someone who runs their hard drive pretty close to full all the time because I'm too lazy to clean it out, I am sympathetic to the fact that 4 gigabytes is a non-trivial amount and could all of a sudden be like, that is fair. What have I got on here? It's. Oh man, I got to.
B
That's probably the takeaway: trash can. Empty the trash can.
A
Oh, you know what?
B
That's the data retention policy, Rich. Come on.
A
No, I ZFS snapshot everything. I have years and years of snapshots on this thing.
B
Don't worry, don't.
A
All right, next up here, this is one of the more interesting stories of the week. New PCP Jack worm steals credentials and cleans Team PCP infections. I never thought I'd talk about PCP so much in my time here at the CISO Series. A new malware framework called PCP Jack is stealing credentials from exposed cloud infrastructure while actively removing Team PCP's access to the systems. It targets services like Docker, Kubernetes, Redis, MongoDB, Ray ML. You pick your enterprise deployment, you're probably using it. SentinelLabs believes that PCP Jack may have been developed by a former Team PCP affiliate or member who started their own operation. Jonathan, this is now the second week in a row we've seen threat groups, I'm going to say, kind of getting pissy at each other. Do we need to know more about what's causing what seems to be increased competition among threat actors? Or, if they want to fight each other, is this a great "no thanks, don't need to know more" situation for you?
C
So first of all, I would just say that this is the ultimate insider threat turned disgruntled employee, threat actor type of thing. So even the bad guys' organizations have this problem that we still have on the corporate, kind of enterprise side.
B
Right.
C
So I don't want to overlook that. For one, how much do we care? I don't think most companies are in a position to try to figure out necessarily who, or, from a retributional standpoint, like, why do we need to attribute? There's certainly some tactics and techniques that we can glean from that, and knowing maybe what they do next. But I think the key here is that nobody's happy. Even the bad guys are fighting against each other. So is this a case of the enemy of my enemy is my friend? I don't think we're quite on that side of it yet. But no, this is very interesting to see. But again, to me, my big takeaway was like, wow, they have the same HR problems that we do.
A
Yeah. Jason, threat actors, they're just like us? Question mark.
B
Oh, yeah, question mark. Yeah. When I look at this, I was like, let them eat themselves. That's the kind of competition that happens in the market, even if that market is a criminal one. So it's funny that people are getting surprised that people are going to have their own side hustle against the hustle, and then there's going to be competition. I do like the point that was just made, you know, hey, maybe there is some tooling or some understanding about, like, practices and procedures and technologies they're using to attack each other that we can watch. So part of me wants to Atlantic and say, you know, feed it a little bit. Oh, no, I'd pay your ransomware if I wasn't already paying theirs.
A
Ah, wow. Or some advanced negotiation techniques.
B
You know, you're the second person here. I've already bought Girl Scout cookies, you know. Not to make the assumption that those are criminal organizations, but, you know...
A
You know, I've already paid. You're fine. Yeah. Off we go. So this is interesting. I love the idea that, like, more competition among threat actors might actually benefit end users. I can't dispute that logic. It's troubling, but yes. Okay, I think we saw last time...
B
Time they spend fighting each other is time they don't spend fighting us.
A
So I like that as a takeaway here. We're going to need it, too, because it turns out Linux kernel flaws abound. Security researchers at Theori are informing admins of a newly discovered security flaw that's been hiding in the Linux operating system since at least 2017. Named Copy Fail, it was found using an AI-powered scanning tool called Xint Code, or Zint Code, whatever you've got. It allows anyone with a basic account on an affected computer to seize full admin control. It also works as an escape route from cloud containers, which is, you know, bad. Theori says the flaw resulted from three separate, individually unremarkable changes to the Linux kernel, and no one recognized the danger created by their combination for nearly a decade. And then we also saw the Dirty Frag privilege escalation Linux kernel bug that allows users to, echo, escalate to root on all major distros. The embargo on that was actually broken early, so there are actually no patches or CVEs even assigned to it yet. But mitigation has been published for that, so not all hope is lost there. But Jason, we're going to be talking about kind of the patch wave coming at us a little bit later in our wider discussion here, but a nine-year-old potential Linux kernel bug: do you want to know a little bit more about this, or is this more academic than a critical concern for you?
B
No, this one lands specifically in the know column. We want to know more about this one, because this is something that's not only a vulnerability but an exploitability across systems. I think that's the distinction there between things that are vulnerable and things that are exploitable. And given the Mythos effect that has dominated the news cycle, I think we're going to be seeing more automation of these types of composable exploits being taken advantage of by threat actors, and our ability to pivot to rapid mitigation will be critical. I mean, if you think about Copy Fail, that's three small things to create one big issue. So our evaluation of the impact of a CVE now needs to contemplate that composable nature of it. It needs to contemplate that type of chaining. So we cannot rely on vulnerability management; we have to focus on exploitability management, and that's a little bit different of a thing.
A
I like that, I like that. Jonathan, where are you at with these Linux kernel flaws?
C
Yeah, I love the thought behind exploitability management, and I think that is a train that more of us should be on. We focus a lot, because there's tons of vulnerabilities, like you're talking about, Rich, that are purely academic, that happened in a very clean lab environment where these conditions are set, type of thing, but you wouldn't actually find it in the real world. This one feels a little more dangerous. The Internet runs on Linux, if you haven't heard.
A
Turns out.
C
Yeah, as it were. So this one really is going to be one to watch and to know more about, particularly if you're running in a cloud environment, something that's available over the Internet, and all those kinds of typical things we would look for in that exploitability. What's the risk level to us? Yeah, this has taken up some cycles where some of the other articles haven't.
A
Yeah, we got this in our discussion, so we'll be digging into that in a little bit. Just a second. But we have to talk about possibly the greatest story of the year. I'm not going to lie here. It turns out every Yarbo lawnmower is essentially hacked instantly. No problem, don't worry about it. Security researcher Andreas Macris disclosed that every Yarbo lawnmower is essentially a Linux computer whose root password is reset to a known stock value with each firmware update. And they're all the same, like, it's the same root password. Macris was able to vibe code a map of all mower locations, remotely control them, get passwords for the networks they were on, and directly disregard user commands to, like, shut down or not run over somebody. Like, those would be the things that it could override. The company had no bug bounty or channel to report bugs, and when he tried to go through customer service to report the bug, he was told that this was by design so Yarbo could diagnose issues. Jonathan, we all know IoT security is a disaster, but do you want to know more about what's going on with Yarbo, because, you know, there's blades attached to the IoT? Or is this so sensational it's a "no, thanks" for you?
C
No, I think we should really care about this, because anybody who lives in suburbia and has lawnmowers, I mean, this is a very real risk. Now all of a sudden we have machines with blades. No, I think if there's something to take away from here, it is that we've got a company who had a responsible disclosure attempt and they said, no, no, that's how it's supposed to work. I mean, and who knows? I don't know, I wasn't there, I wasn't disclosing it, and I wasn't taking the call. Right. But I think that is really where we need to train some external-facing customer service folks to, even if you think it's so far-fetched, take the call, send it to your security team, let them have a look at it. This also does remind me of, it was about 10 years ago, Wired had an article about hacking a Jeep Cherokee on the road. It was, like, people they knew were in it and this kind of thing, but the same type of thing, taking over it. And I think it really just shows you how precarious things are. You know, have we talked about Mythos yet?
A
But I gotta get a drink again. All right.
C
Yeah.
A
Right.
C
Yeah, it's definitely some of the underlying aspects, once we get past the murder blades on the lawnmowers. Murdering lawnmowers. It is really kind of an interesting thing.
A
Potentially murderous lawnmowers.
C
Yes, allegedly.
A
Let's not impugn the integrity of our Linux-running lawnmowers, who have kernel vulnerabilities too, on top of everything. Jason, what about you? How are you contextualizing this story? Sensational? Terrifying? Where are you at, all of the above?
B
This is definitely sensational. It's terrifying. And not just because I have a killbot in my garden shed. It's really about the backdoor controls built in, by creating a backdoor by design into your infrastructure. Remember, it's a feature, not a bug. You're having this pathway from your IoT, CPS, cyber-physical security; it's a pathway to the rest of your IT infrastructure. And this particular attack vector is advancing rapidly. So it's a matter in personal life as much as in enterprise life. Another example of that front line being everywhere. In healthcare, I'm already in that space where there is a cyber-to-physical impact. Like, you come in and you impact an infusion pump or something. There's a potential to have a physical human impact. I just didn't think I'd have an episode of BattleBots in my neighborhood.
A
Well, I'm also thinking, I just realized, because this is not patched yet, you could just drop a bunch of ransomware also and lock up a bunch of people's... Don't do that also, please.
B
This is bad.
A
Don't do that.
C
Good disclaimer.
B
No. Yeah, yeah. Asking for a friend, Rich.
A
Yeah, I'm not saying that, but what's my Bitcoin wallet if you want to mow your lawn?
B
Yeah, it's my category of: it's so awful that it has looped all the way back around to awesome. I refer to these as awesome.
A
Well, something that is an unmitigated awesome is our sponsor for today. So let's spend a few moments and thank our sponsor for today, and that is indeed Vanta. Risk and regulation are ramping up, and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at vanta.com/CISO. I have to warn, we have CCL in the chat. If you're rolling on the floor, make sure there's no lawnmowers around. Okay? Just make sure you're good. The floor is no longer safe. I guess the floor is... it's the lawn. Rolling on the lawn laughing would be the danger here. All right, let's dive into our first story. This one is making news the last 48 hours, really. Turns out school's out for Canvas. As my children's rising apathy might indicate, the end of the school year is indeed upon us. Which means it wasn't a great time for Instructure's digital learning platform Canvas to go into maintenance mode for Free for Teacher accounts yesterday, following a ransomware attack by the ShinyHunters group. Canvas had been listed on their leak site since May 1, and this outage and defacing of the Canvas site seems to be a second wave of attacks to ramp up pressure to pay a ransom. The full scope is still unclear at this point in terms of how many institutions were impacted, but ShinyHunters claimed 8,800 schools. We saw confirmations from Harvard, Columbia, Rutgers and Georgetown sending alerts to students about the outage. And Instructure CISO Steve Proud said impacted information includes names, emails, student ID numbers and messages on the platform.
This exploited a flaw in the Free for Teacher accounts, and Canvas seemed quick to want the situation to seem resolved pretty quickly, and then we saw that second-stage attack. We've seen long-term impacts from the PowerSchool breach from last year. This is a big kind of ed tech thing I can kind of wrap my head around to compare it to right now. Everything is back up as of this recording, and it seems like things are back to normal. But this was a big kerfuffle, especially given the time of year. I'm sure we'll get some more details on this. I'm curious, Jason, let me start with you. What lessons are you learning from this that you might bring to your teams, or what kind of takeaways are you seeing from this?
B
I think there's a couple of things. For one, and we talked a little bit about this before we got on the show here, it's about the asymmetric attack vector. And what I mean there is you're seeing that threat actors like Shiny Happy attacker, or whatever we call them today, don't go after the individual schools. They go after vendor-concentrated areas, like, where can I attack? Where can I have that impact? Where is it going to have the most outsized impact compared to what I do? I have to hack one spot, and it's going to impact, like they're saying here, 8,800 different people. So I think there's two aspects to it. We have to be really aware, just from a supply chain standpoint if nothing else, of our third parties: not just what me and my close cohorts are using, but where is the entire sector? Where is an entire sector, whether it's healthcare or, in this case, education, concentrated? And we're going to see an increase in these types of attacks. I'm starting to see an increase in these types of attacks where it's a concentrated service. And then, to your point right here, they're now looking at how do I even, you know, pour gasoline on that fire? Well, then it's a concentrated, outsized, asymmetric timing. So I'm in there, I get it done, but then I hold it, or maybe I just time it. So, hey, not only that, it's going to cause the most disruption, the most drama, the most leverage I'm going to have against those victims.
A
Jonathan, where are you at in terms of trying to wrap your head around everything that we've seen this week regarding Canvas?
C
Yeah, I think honestly, for this one, if you're not directly impacted, it's probably not going to take up much of your time. But again, there's always something to learn. Learn things the easy way when other people have a bad day, unfortunately, and we're not wishing anybody ill. But at the same time, I think there's always lessons to be learned about breach response and the public nature of that. And anytime somebody says, oh, yeah, we're good, oh, we're not good anymore, like, that never ages well. But it's also indicative of the pressure and the stress that these teams are under. And, you know, one of the things that we have discussed as well was, to Jason's point, this is the exact most critical time of the academic year for most people. And, you know, we've seen threat actor behavior change over the years from, you know, lie in wait, live off the land for a little while until everything's just right, and then escalate. Sorry, accelerated from there to, hey, we saw the initial attack and gain a foothold here, and then minutes later people saw, you know, we're seeing a ransomware screen. Maybe this is kind of getting back to, hey, let's wait until we can really make it hurt, and really make it, from an attacker standpoint, that is, make it so the victim here is potentially more willing to meet some demand or whatever the case is. I think maybe they can talk to the PCP attackers from the previous story and see, hey, can we negotiate down the ransomware payment? If, you know, we'll be nice, and I'll pay this but I won't pay that, you know, all that kind of stuff. So, jokes aside, I mean, this is obviously a very serious issue for the Canvas team. So we wish them well, but yeah, I think definitely things to learn from a public response perspective.
A
Yeah. And to give them full credit, I mean, we like the fact they're coming out with the information that was lost.
C
Oh, yeah.
A
I mean, you know, we have seen... I will say, compared to PowerSchool, we know so much more now, and admittedly, obviously, it's a completely different situation. So I'm not saying anyone's better than anybody else, but if I was impacted by this, I would feel at least a little better. And hey, maybe I'll get some free credit monitoring out of this too.
B
Yeah, but we're not going to change your grades for you.
A
Yeah. Gentlemen.
B
And I think there's a couple of things there. What is good about what's happening there, to Jonathan's point, is the measured transparency, right? They're coming out and they are giving those updates as soon as they can. So at least the impacted individuals beyond, you know, Instructure, which is the company for Canvas, beyond their impact, because they're a victim. Okay. So they've been attacked, and there are sub-victims kind of down the road, you know, the re-victimization that goes along with it. So doing your best to help those folks who are also impacted by a second, third sort of order is key. But, you know, that's a hard needle to thread for any organization. Like, when do I release this information? What do I say? Because, unfortunately, I think it's a sad state of affairs, but the re-victimization of organizations is a real thing. So every word you put out becomes a potential legal or regulatory follow-on attack. And I do consider them attacks, an attack vector for organizations. So again, hard needle to thread. I think they're doing a good job, and I wish them all the best on it.
A
All right, next up here, everyone is trying to ride the patch wave. The chief technology officer at the National Cyber Security Centre in the UK, Ollie Whitehouse, fantastic British name, said in a blog post: "The use of AI tools by sufficiently skilled and knowledgeable individuals is increasing the likelihood that vulnerabilities will be identified and exploited at scale." He encouraged all organizations to prepare now. When a patch wave arrives, talk to Linux kernel admins. They're right there with you. And we're already seeing the economics of this patch wave play out. Google revamped its vulnerability reward program for Android and Chrome. Android secure enclave exploits are getting a bump in bounties, up to 50% for the top prize, 1.5 million, I think now. But Chrome exploits are getting a cut of up to a tenth of their former payouts. They have a really weird weighting scale for a lot of that, so it's tough to know exactly. But Jonathan, I'll come to you first here. I said we're going to talk about the patch wave. Here we are. As AI vulnerability scans are getting more sophisticated, we're likely going to see ever more complex chains of exploits, both from our internal scans, hey, we found the thing, yay, and from bad guys, boo. We know it's coming. But I'm curious, you know, we kind of talked about no longer looking at vulnerability scanning but exploit scanning. Like, I guess when we see something like this as an industry, how are we responding here?
C
You know, I think there's a couple of things to think about. Exploitability is definitely one that's top of mind, and what the actual risk to your organization is. There are so many, particularly in software vulnerabilities, there are so many different configurations and layers and possibilities that if this switch is flipped, it is vulnerable; if this one isn't, even though other conditions are true, you know, it may not be vulnerable. So it really comes down to what's your risk tolerance, what's your risk profile? I do think there are a lot of us, and I put myself in this boat, trying to figure out, if we can automate the identification of vulnerabilities, we should be able to automate the resolution of those issues. And so, you know, a lot of times we see tools come out and there's a good-guy use of that tool, if you will, like what security teams would be using a tool for. And then we see the misuse and the perversion of that tool by attackers. Maybe this is the case where attackers came out with the tool first to identify these vulnerabilities. But we need to turn that around and really work and put our heads together to come up with some ways to automate some of this resolution. Also, it's of note that we don't have to patch something to prevent an exploit. There's lots of layers. There's web app firewalls, there's all different kinds of technologies that are out there, too many to list right now, where we need to have these layers of security. It's called defense in depth for a reason. The other side of this coin that I will say is that zero-day exploits in any form get a lot of press, and not unreasonably so, especially when you have potentially murderous lawnmowers. I mean, again, I can't stress that enough.
B
PMLs.
A
Yeah.
C
But I think here, the key, though, is you have to have your whole house in order. Like, if you've got all the other stuff from last year or three or four years ago that's patched up, great, think about this too. But there's some basics that I think we should all be sure we have set first before we spin out of control on the latest XYZ. Again, some of those things really might float to the top of the list. Some of these Linux vulnerabilities that are coming out very well may hit that point. But there's a lot of these that are like, ah, okay, maybe we can take a little risk there to go upgrade that OS that's 7 years old.
A
Jason, where are you at with this?
B
Legacy vulnerability management is dead, and that model actually was never achievable. It was never achievable. It's Sisyphean. So you're never going to make everything that's vulnerable invulnerable. I'll even posit that right now, everybody listening to or seeing this podcast right now is vulnerable. You just don't know it yet, because that's the idea of zero days. So if you're concentrating on, like, I'm going to be able to react fast enough at the speed of threat, the speed of vulnerability: nobody's ever been able to do that, ever. Because you're like, oh, a patch comes out, I got to fix it, and I got to do a patch cycle, and it's Patch Tuesday or whatever it is, and the SLA between there. We used to kind of have a little bit of time flexibility, a little bit of a time gap to do that. You don't have it anymore. You just don't. And so I lean heavily into the exploitability management of it. So find out what the accessibility window looks like for the things that are exploitable, and then you really concentrate your vulnerability management and your mitigations there as much as you can to break that kill chain, to make sure that you've handled it. At that point it doesn't necessarily need to be a patch; it can be a mitigation. And so exploitability can be handled through mitigation. Often it's things like, internally, you should be looking at micro-segmentation. Like, okay, CI Fortify is going to tell you you have to do this in critical infrastructure. The HIPAA Security Rule is going to make you do it; it's no longer addressable, it's required. So when you think about micro-segmentation, it's really just about limiting that blast radius. You limit the impact of that vulnerability being exploited.
So the idea here is to understand where your crown jewels are, what your primary assets are, what your critical functions are, and isolate the potential damage should one of those get impacted, or the things around it that could impact it adversely.
A
So, all right, I don't need to breathe into a paper bag. Like, sometimes I read some of these stories and I'm like, okay, all right, that all sounds tough but manageable, and that makes me excited for the opportunity as opposed to dreading the inevitable, which may be the same thing, but I still feel better. So thank you for that, Jason. Our last story of the day, a tale of two critical infrastructure attacks. Taiwanese authorities arrested a 23-year-old student for interfering with the TETRA communication system used by the country's high-speed rail network. The suspect allegedly used a software-defined radio to send a general alarm signal that triggered emergency braking on nearby trains. This resulted in four trains being halted for a little under an hour on April 5th. The system's verification keys hadn't been refreshed in 19 years, which was the age of the system, and it used known broken encryption. Then Poland's domestic intelligence service said attackers breached water treatment facilities in five towns in 2025, in some cases gaining access to industrial control systems that could have disrupted water supplies. The country's internal security agency, ABW, said this posed a direct risk to the continuity of water supply operations. To which I would reply, duh. Neither of these sounds great. Obviously water facilities like that are some very critical critical infrastructure and a familiar target for APTs these days. But the train one, I think, sticks out to me. You know, SDRs are old tech. Like, this is nothing new here. But it seems like we're still encountering critical infrastructure which is secured by the idea that, hey, the hardware that is needed to exploit it is expensive or it's niche. That's kind of security through obscurity there. I don't feel like that's the case anymore. I'm curious for you, Jason, which one of these stands out?
B
Well, they both stand out for different reasons. And you know, security through obscurity is a lie. It's not security, it's smoke and mirrors. Yeah, it's security, air quotes, through obscurity. I think we have two things here. One, when we have a TikTok tragedy, okay, not to make it last, but I think the more dramatic one there is the train, right? Because that would be something that would get immediate news attention. You know, it's literally a train wreck, right? So it's going to be a more acute and visible impact on people, even if it only affects, you know, a few hundred people. The bigger problem here, though, the one that's really problematic, is the water treatment facility, because again, back to that asymmetric impact. I take out one train, it's horrible and dramatic and tragic in that aspect. But if I take out a water treatment facility, that could fracture a non-trivial part of an area's ecosystem. Instead of a few hundred people being impacted, tens of thousands could be. And then I look at it this way. So if I take out the water treatment facility, I'm also taking out the hospitals, I'm also taking out all the things that would rely on that too. So it's the example of a hyper-concentrated thing that you don't necessarily think about, that butterfly effect: what is the downstream effect? It is way more impactful. So I think we need a lot more intentional action on what I would call invisible threats, because it's definitely the worse of the two.
A
Jonathan, do you feel the same way there? I mean, yeah, it's tough to argue against water, right?
C
Yeah, for sure. As something that, one, obviously we all rely on every day. We rely on safe drinking sources for all of our water, and hopefully everybody has access to that. And that one definitely, for sure, is the one to watch closely. I will say, on the train article, I don't want to overlook that the system failed closed and that the result was there were four trains halted for 48 minutes. 48 minutes for people to be inconvenienced, rather than the train thought it was slowing down but it actually was accelerating, or, I mean, any other catastrophic kind of thing could have happened there. So I think there may have been, I mean, I'm speculating here, obviously, but there may have been some sort of control. You know, the last-ditch effort is stop the train, maybe. And that's the deny-all at the end of the rule set, right? But at the same time, again, the water source, anytime you've got, to Jason's point, that concentration of impact. It's not even concentration of impact. It's the reach of a potential impact from one concentrated source that's really where we should be focusing. So these kinds of attacks, unfortunately, aren't new, but hopefully we're learning from each one to figure out how to close some of those vulnerabilities, because not all of them might be exploitable. But in the case of water supply, anything that's vulnerable, we've got to have eyes on it.
A
All right, well, we're just about out of time here on the Department of No, but before we get out of here, is there any piece of advice that, based on our conversation today, you could share with our audience? Jason, I'm going to start with you. Anything that's kind of stuck out here as a good takeaway for
B
the audience outside of Killbots.
A
Yeah, I mean, well, it could just be killed. Don't go buy lawnmowers.
B
No, no, no. I think the big takeaway here is start looking at where that concentrated risk is. Where are the key constraints that have the asymmetric impact that happens in your organization, but also happens in your own personal life, too? So start thinking about the things that impact not just you, but could have that outsized impact in your programs, in your life, in your care, in society, and in your friends and family. I would say, hey, that's where you need to focus. And then the second order on that is how do you mitigate it? Because you're not going to stop it from being, you know, it's not going to make it invulnerable. But know where to focus your resources, and that's probably where you should focus them.
A
Interesting. I like that idea of finding a way to, I don't know, disaggregate that bundle, make that asymmetric, you know, not as big of a target. I like that. I'm thinking about how do I apply that to my personal life; that will be my challenge this weekend. Jonathan, what about you? Any piece of advice for the audience, and for me? I'll take it too.
C
I'll take the non-cybersecurity path and check on somebody that you know, that you care about this weekend. This weekend is Mother's Day in the US, and unfortunately not everybody has a great relationship with their mother. So check on somebody if you do, and if you have a mother-like figure in your life, please go tell them how much you appreciate them.
A
I couldn't think of a better way to close out the show. I hope everybody enjoyed this fascinating discussion. I mean, just a lot of interesting threads in this show today. So thank you both for being on the show, for your time. I know you are busy folks, I know it's a Friday, lots of stuff going on. So thank you so much for being on the show. Before we get out of here, Jason Elrod, CISO over at MultiCare Health System. I hear, if people like you on this podcast, they might be able to hear you somewhere else. Right?
B
There is an opportunity there. So if you want to connect with me, actually go on LinkedIn and connect with me. I'm the Jason Elrod. Jason was taken. I'm the Jason ELROD over on LinkedIn. Go ahead and follow me up there. But you'll know it's my site because it'll link to my podcast, which is Drink Coffee, Do Cool Stuff. Less Killbots, more entertaining than Killbots. I don't know, maybe I'm trying. I'm working on the tagline still. Behave. Really?
A
That's the podcast guarantee.
B
Podcast guarantee. Okay. What would you do if you didn't have to do anything? You didn't have the constraints. The answer would be drink coffee and do cool stuff with people of purpose. Come on over and listen.
A
Thank you, Jason, and thank you also Jonathan Walldrop, the CISO over at Acoustic. We will have links to both of your LinkedIns in the show notes as well, and we'll have you back on the show before too long. Two of my favorite guests to have on the show, and a big thank you also to our sponsor for today, Vanta. Thanks for helping make the show possible. Remember to feel free to send us feedback anytime: Feedbackisoseries.com. Remember to join us next Friday at 4pm Eastern for another edition of the Department of No, and make sure you're going to the events page at cisoseries.com to see everything that we've got going on, all of our Super Cyber Friday events. Make sure you're registered for those. We have live events coming up. We have all sorts of fun stuff there. So if you're a fan of the CISO Series, make sure you're seeing how to stay engaged. Thanks for coming to our Friday stand-up here. Have a great week. Stay secure out there. For myself, for our wonderful producer Josh, for the big boss man, David Spark, and the rest of the CISO Series team, here's wishing you and yours a super sparkly day.
B
Cybersecurity headlines are available every weekday.
C
Head to cisoseries.com for the full stories behind the headlines.
Episode: The Department of Know: AI "transformation paradox," Copy Fail chaos, hacked lawnmowers
Date: May 8, 2026
Host: Rich Stroffolino
Guests: Jason Elrod (CISO, MultiCare Health System), Jonathan Walldrop (CISO, Acoustic)
This episode of the Department of No dives deep into the week's hot information security stories, as CISOs Rich Stroffolino, Jason Elrod, and Jonathan Walldrop dissect AI’s growing presence (and paradoxes) in security, bizarre inter-gang malware sabotage, catastrophic IoT blunders, the tidal wave of patching needed in a world of automated vulnerability discovery, and sobering critical infrastructure attacks. The hosts keep the tone witty and engaging as they dig into not just what happened, but why it matters, and how security leaders should respond.
On AI Model Creep:
"I'm surprised that we're surprised, frankly." – Jonathan ([04:08])
On Gang Warfare in Malware:
"They have the same HR problems that we do." – Jonathan ([06:32])
"Let them eat themselves." – Jason ([07:18])
On IoT Dangers:
"It's not just about the murder blades, it's about the fact that it opens up pathways to the rest of your IT infrastructure." – Jason ([14:45])
On Vulnerability Management:
"Legacy vulnerability management is dead and that model actually was never achievable. … It's Sisyphean." – Jason ([27:46])
On Infrastructure Security:
"Security through obscurity is a lie. … If I take out a water treatment facility ... tens of thousands could be [impacted]." – Jason ([31:26-31:44])
"The system failed closed...People [were] inconvenienced rather than [catastrophe]." – Jonathan ([33:05])
| Segment/Story | Timestamp (MM:SS) |
|---------------------------------------------|--------------------|
| Chrome 4GB AI model silently downloads | 02:15 – 05:18 |
| PCP Jack worm and threat actor infighting | 05:18 – 08:44 |
| Copy Fail & Dirty Frag Linux kernel exploits | 08:44 – 11:51 |
| Yarbo lawnmower hack | 11:51 – 16:17 |
| Canvas ransomware attack | 17:43 – 22:52 |
| AI-fueled patch wave, "transformation paradox" | 24:01 – 29:38 |
| Train and water infrastructure attacks | 29:38 – 34:37 |
| Final advice/takeaways | 34:37 – End |
Jason:
"Start looking at where that concentrated risk is...in your programs, in your life, in your care, in society, and in your friends and family. ... you're not going to stop it from being vulnerable. But know where to focus your resources." ([34:58])
Jonathan:
"Check on somebody you care about this weekend ... not everybody has a great relationship with their mother. So check on somebody if you do and you have a mother-like figure in your life, please go tell them how much you appreciate them." ([36:01])
AI, IoT, and patching headaches are only escalating—but knowing where your real risks and leverage points are (and learning from others’ pain) is the new name of the security game.
For more, visit cisoseries.com.