
A
Gary Chan, CISO over at SSM Health. I gotta ask, what has been your priority this week?
B
Hey, good afternoon. Great to be here. So my priority this week was really rounding at the different hospitals to talk with the IT techs that were on site because you can learn a whole lot from those. From those folks every time I do, every time I see them.
A
Yeah, I'm sure there is so much institutional knowledge. Right. That you can kind of take advantage of there. All that on the ground stuff. I remember we talked to the CISO of Amtrak and this kind of a similar thing where they you talk to the conductors. It turns out you learn a whole bunch of stuff. So really fascinating stuff. I'm going to turn to Peter Liebert now, the CISO over at Salesloft. Peter, I got to ask, what has been your priority this week?
C
Preparing for the AI apocalypse.
A
Oh, okay.
C
Yeah, Mythos and all of that stuff coming. So we're relooking at the entire SDLC process to see how we can make it even faster.
A
You say apocalypse, I say opportunity. Lips is what I'm hearing from everybody involved. Fan catch. We'll touch on some AI apocalypse stuff. Don't you worry, dear audience. But producer Josh, we gotta run that opening. Let's get it started. From the CISO Series, it's Department of Know. Yes, indeed, indeed. Welcome to the Department of Know, your virtual Friday strategy meeting. We're gonna get you all set and ready for the weekend. Thank you so much for joining us and thanks also to our sponsor for today, Doppel. Really appreciate them helping make the show possible. Remember to get involved in our YouTube chat if you are joining us live and if you're not joining us live and you're saying, what is this live stream? I've never heard about this. It's every Friday at 4pm Eastern. You can join us on the CISO Series YouTube channel. It's a fun time. Make sure you do. Lots of fun to be had. Or send us a good old email: Feedbacksoseries.com. Before we jump into the news, just a quick disclaimer that our fabulous guest today, their opinions are in fact their own, not necessarily those of their employer. So all grains of salts and disclaimers applied. We've got about 30 minutes here, so let's dive in with our no or no segment. This is where there's just so much news out there. We want to cover these stories. We can't give them the full discussion treatment. But I still got to know your take on them. First up here: BitLocker zero day accesses protected drives. A researcher known as Chaotic Eclipse or Nightmare Eclipse. And I got to say, make up your mind, both are great. Released a proof of concept exploit for two unpatched Windows zero days dubbed yellow key and green plasma, including a BitLocker bypass that could expose encrypted drives through the Windows recovery environment. 
Security researchers confirm parts of the yellow key exploit which abuses NTFS transaction logs to launch a command shell with access to unlocked BitLocker volumes on TPM only systems, otherwise known as, I'm going to say bad. The disclosure follows earlier leaked Windows exploits from the same researcher. Gary, I gotta ask, I'm a little surprised it's gonna get a little bit more run in the cybersecurity news this week. So I'm curious, does this rank in getting some dedicated discussion time with your team or is this yet another in a long line of Windows hurting for them?
B
Oh, this is definitely an important one. So when I saw this I shared it with my team and who had also actually picked up on it. This is really important, especially for regulated industries, I think. So like healthcare, which is where I work, because we oftentimes make the assumption that if it's encrypted like an employee's laptop, that we're fine even if it's lost. Right. You don't have to necessarily report on those types of losses if it's encrypted. But with this out there, you now you have to check, you know, could. It could do I have to go report that. And that's so that's a really big deal because it changes the process or changes the assumptions which will lead to a different outcome in that process.
A
Peter, what about for you? Were, did this show up on your radar this week? Were you. Were you digging in with your teams?
C
No, not for my company. We're a Mac shop. So woo. Dodged one. But of course you know, I have tons of PCs and like you know every computer nerd out there. So I'm like great. I have to rethink how I'm going to secure all that.
A
So yeah, yeah, I love that idea of breaking the underlying assumptions because like we've covered there's been Signal hacked stories like every single week, but it's like oh no, like turns out like once it gets to the phone it's the problem. But this is kind of unique in that sense. Certainly not the first BitLocker exploit we've seen. Luckily, Microsoft seasoned hand at patching things, so hopefully this will be a familiar process for them. Next up here, fake OpenAI repository on Hugging Face pushes infostealer malware. A malicious Hugging Face repository that reached the platform's trending list impersonated OpenAI's privacy filter project to deliver information-stealing malware to Windows users. So again, Mac shops, you're welcome. It accumulated 244,000 downloads before the platform responded to reports and removed it. Researchers at HiddenLayer discovered the campaign on May 7 after noticing a malicious repository named OpenOSS Privacy Filter, which had typosquatted OpenAI's legitimate privacy filter release. Peter, I'm going to start with you. This one just has like a little bit of everything, right? A little supply chain attack, a little typosquatting, even some AI sizzle to it. Is this something you want to learn more about? And I guess the broader question, you're still shocked that we're leaning on reputation as a signal of, of anything really, at this point?
C
Yeah, I mean, no, certainly. This is actually really interesting, I think. And it goes beyond Hugging Face. It's just a lot of trust we put into these, you know, software companies that if they're hosting like a, like a little, you know, marketplace or whatever, and they're on there, hey, we're, we're good, right? We're assuming that it's, it's all, you know, hunky dory. And if you look at like Claude or ChatGPT or any of them, they all have the similar type of structure. And so I think now it's just really for our security teams to go through, which I, which I told our folks to look at and like, hey, how much do we know about what their approval process is? Is it really robust enough where they're not going to see something like this come in? And certainly, you know, we just have to be more careful from that supply chain angle.
A
Gary, what about for you? Did anything about this stick out to you? Do you want to double down, learn a little more about it?
B
I think the second part of your question was really the part that interested me the most, which is reputation and using reputation for, I guess, your biggest signal on whether or not you can download and use this piece of software. You know, the vast majority of people, I would say, are not a security specialist. So they download it, it works, they give it five stars. You know, that's just what you. Right. Even if they Uber ride, we give them five stars, but that's beside the point. So, you know, I just think that we need to just be very conscientious and know that whenever it has five stars, it's ranking, it's trending that is not necessarily the greatest indicator. And in fact, sometimes it might even be a good indicator of the opposite because a lot of these bad guys will go out and buy like these browser plugins like from the author that have made it to like the top 10 or the top whatever. They offer them some sum of money, they buy it, they have the rights, they've got the code. They now add malicious code into there and then the next update, all of these people get that malicious thing. So that's how they're monetizing, they're making money because they're doing that. And I, I don't mean to imply that this is what happens with every, you know, five star thing. I'm just saying stuff like this.
A
But we've seen that in the Play Store all the time, right? Like we'll see, you know, now sometimes that's, I always think like that's like the silver lining, right? Because you'll see the headline. Apps that got 10 million downloads have, you know, have, you know, backdoors installed. Well, it was like they bought 8 million. Listen, any percentage of that is not good, but usually it's not quite as bad as it seems. But in this case it seems like, I think it's an open question about to the extent of which this was paid to inflate this versus people legitimately using it here. So really, really great reminder there. Next up here, Senator Schumer seeks DHS plan on AI cyber coordination. The Senate's top Democrat called on the Department of Homeland Security to work closely with state and local governments to defend against artificial intelligence-strengthened hacks. The Senate Minority Leader wrote to DHS Secretary Markwayne Mullin to make sure state, local, tribal and territorial, or SLTT, governments aren't left behind as AI models advance, posing new hacking threats. In his letter, he stated that it was glaringly obvious that the Department of Homeland Security needs to update its plan for coordinating these efforts with their respective governments. Schumer wants a plan from DHS by July 1st. This seems like something that we, I don't know, should have already had in hand yet also is an extraordinarily aggressive timeline for the government for any kind of strategy. I'm not sure here. Peter, I want to start with you. What do you want to know more about as they build out the strategy or do we want to wait until we have that strategy before we even dive into it? I'm curious, where do you land on this?
C
Oh man, I really feel for SLTT, right? I mean, they are underfunded, constantly behind from a technology and updating standpoint and everything else. And they're just the soft underbelly of America when it comes to cyber. And good Lord, now comes the AI apocalypse again. Right. Should have like a little bell and say it. And they're just, they're just gonna, I mean they, they're still struggling to patch, you know, in general. And so I love how they're, they're emphasizing this and they're putting this out there. Cyber should be a bipartisan issue and I think I'm hoping that this has the administration relook at how they're doing funding for DHS. If you looked at some broad cuts from DHS and their other cyber unit, especially with the engagement side for state and local. So I'm hoping this, this, you know, puts a light on that and has them rethink their strategy.
A
Yeah, in terms of the, the unifying power of potential AI apocalypse that does give. Like we have seen some bipartisan support of, you know, whether it's regulations about data centers or stuff like that. Like it doesn't seem completely partisan at this point. I'm sure give it six months. You know, it's, it's politics. Eventually it'll get to that point, I'm sure. But at this point, yeah, I am a little hopeful that hopefully we can, you know, I would assume this would have been under the banner of CISA up until, you know, a couple of months ago, but that seems to be kind of a four letter word now at this point. Gary, I'm curious, what about for you? Where do you, is this a, is this something that you want to kind of be thinking about now or you wait until we have that strategy in place?
B
Well, I think I'd like to double click on kind of what Peter mentioned, which was budgets, because I think that's actually the biggest issue. Like most of the time people aren't like, hey Rich, I'd love to be insecure. I mean, nobody says that everybody wants security, everybody likes that. The problem is they don't want to pay for it. So if the federal government or DHS comes in and says, hey, I'd like you to do this security control and here's a bucket of money, guess what? It's probably going to get done. But if there's no budget that's involved and you're just telling them hey, do this, and they're like, well how can I do it? I have no money, then you know, all you're doing is you're creating a bunch of churn because now you're just having people create reports to look like they're doing something even though they're not. So I think whatever, whatever bill comes out of this or whatever, you know, whatever standards or whatever, they have to come with a bucket of money.
A
Yeah. Here's a mandate with no resources to actually accomplish it is. Is a great way to get people out of civil service, to be quite honest. So, yeah, hopefully, hopefully that is part and parcel with that. And our last up here on our no or no: tables turn on The Gentlemen. Check Point analyzed leaked internal data from the ransomware group The Gentlemen after unknown hackers breached the gang's backend systems and began selling 16 gigabytes of stolen data. The leak revealed a structured ransomware-as-a-service operation led by an operator known as Zeta88, with specialized members handling reconnaissance, credential access, negotiations, and malware development. And they had a 90 to 10 affiliate payout model. The group is said to rely on known vulnerabilities, common ransomware tooling, and some AI-assisted development. So not the most sophisticated, but definitely kind of operating seemingly as a, as, you know, an organization, a business, if you want to call it that. Gary, I'm curious for you. This is now the third week in a row we've covered threat actors doing something to go after each other in very direct ways. Do you want to know more about why this is happening or are you just happy that they aren't targeting us?
B
I would say it's more of the latter. Now, I do think it's interesting. Right. Personally, I think that's quite interesting. But in terms of from a defender standpoint, what am I going to do with that information? Really, not much. The most interesting fact that here was really the 90/10. That's a pretty good payout, frankly. Yeah, yeah.
C
I was like, man, I'm in the wrong side.
A
App store developers would love to get that cut. Right? Yeah. Peter? Yeah. Where are you at with this?
C
So one more time, Rich, what was the name of the threat actor group again?
A
The Gentlemen.
C
Thank you. I just wanted to hear it one more time. All right. So, you know, yeah, this is. I think there have been a lot of like, you know, industry rumors that this type of scenario was. Was out there and that this is, this is how these organizations were set up. You know, and the fact that, like, hey, you know, it's a ransomware as a service, we've heard for a long time, but now we actually have some evidence that this is truly the case. And also payment structures, which I also think is just fascinating, you know, which shows how lucrative it is for them to run this. So yeah, other than that it's like great. Thanks for letting me know what kind of what we already knew. So it didn't get too much attention from our group other than it was a, you know, an interesting article.
A
All right, before we run to our deeper discussions, want to spend a few moments and thank our sponsor for today. And that is Doppel. Social engineering attacks look trustworthy. A routine request, an internal email, a familiar face on a call. But Doppel sees through the disguise. Their AI-native platform detects and disrupts attacks across every channel while training employees to recognize deepfakes and deception. They fight relentlessly to protect your brand, business and people. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's d-o-p-p-e-l dot com. And we had one of our commenters always reminding us on our last story there, no honor among thieves. Although you would think you would get some loyalty with that kind of revenue split. I'm just, I think that's a perfectly. Maybe, I don't know, maybe someone's holding out for 95. I think that's, you know what, you're pushing your luck. The right actor. That's all I'm saying. All right, let's dig into one of our big stories here. RubyGems hit with a Gem Stuffer attack, or Gem Stuffer. It's not a type of attack, it's just a cool name for it. The standard package manager for Ruby, creatively named RubyGems, announced that it's dealing with a major malicious attack and as a result it temporarily suspended new account signups. We got details about this from Socket researchers. They're calling the campaign Gem Stuffer. It abuses the RubyGems package repository to use as a dead drop system for exfiltrated data rather than using it for what we typically see with these kinds of things: deploying malware. More than 100 malicious gems scraped public-facing UK government websites and uploaded the collected data back to RubyGems using embedded API keys, letting the attackers retrieve information without dedicated command and control infrastructure. We've seen threat actors using like Dropbox and Google Drive and stuff like that for kind of similar things. 
But this is the first time I've seen a package manager used for this. We certainly have seen package managers abused in other ways gestures broadly at NPM and you know, wishes them well. But this seems, I think, like a new approach. I'm curious here, Gary, for you, what's more notable here that Ruby cut off account signups or that threat actors are finding new uses for legitimate utilities.
B
I would say the second one because the broader threat category is quite interesting. And now what's also interesting is here is that nobody knows. Well, I'm sure the bad guys know, but none of the other people know what's their purpose here because they're scraping all these public information but storing all that, but they don't really know exactly what they're going to do with that. So I think the threat category is super interesting. And that for me brings me immediately to things like file transfer software. So something might move that had an issue a couple of years ago or something like that, but to actually abuse that by adding a new job to pull data to send somewhere else, that's a perfectly legitimate use for file transfer software and you can hide it in there. There are all sorts of these other things that this Ruby sort of makes me think of that hackers might be already abusing and we just don't know about.
A
Yeah, because I'm thinking like it probably took them. It was probably. I mean I'm assuming unusual traffic is how they spotted this. But like you're completely right, Gary. Otherwise it kind of reminds me of torrents. Right. It's like more how you're using it versus the actual like the capability of it. Peter, where are you at with Ruby gems and this kind of attack here, this kind of novelty?
C
Yeah, no, I think it's very interesting and it's more of that kind of like living off the land using legitimate services. Right. Which is, I think it's going to become more prevalent. When we saw certain things like Azure Blob, S3 buckets are at one point being used for dead drops and things like that. Especially if they can utilize credentials that they steal from different organizations. I think we're going to see more of this. It bypasses a lot of detection and prevention and so really it's going to have organizations internally of like, are we monitoring our like throughput, like how much, you know, you know, bandwidth and data are we transferring on some of these things? Like suddenly gigabytes of data are going up to gems. Is that normal? Right. So that's probably how they, I'm assuming caught it. I think I saw it was like there were like free accounts or brand new accounts that suddenly like would, would dump, you know, 100 gigabytes worth of data into a gem. Like oops, yeah, that should be a problem. But it's also for SaaS providers, like if you have your free, free infrastructure et cetera, you have to rethink like, could this be abused by a malicious actor, you know, for something that we didn't intend it to do. Right. And so I think it's threat modeling is going to be something else we have to look at as a SaaS provider. For sure.
A
Yeah. Thinking about, you know, in terms of, I mean, if, if any kind of simple allow list kind of thing is even relevant anymore, but like completely, you know, we've seen this in a number of instances when it comes to, you know, Microsoft 365 free email accounts using those as vectors and stuff like that over time. And because people just, I mean, in some ways it's, it's similar to the Hugging Face thing, right? Where it's like, oh, this is, this has a marker of legitimacy. So it's, it's, it. Our previous model allowed for this to happen and all of a sudden everything becomes much more contextual in how it's being used rather than necessarily the source. So, yeah, definitely. And Knight Raider in our chat here sharing their opinion that supply chain is the greatest vulnerability in software. I mean, it's definitely one we talk about all the time on this show. So Knight Rider, I am not disagreeing with you in your humble opinion. Thank you for sharing that. Much appreciated. All right, next up here we got a big old roundup of cyber policy. I'm going to try and run through this. I need you to tell me what's the biggest deal here? Okay, so first up here, the European Union is considering imposing rules to restrict its member governments from using US cloud providers to handle sensitive data as part of its tech sovereignty package that's due to be released on May 27th. This doesn't impact private sector companies. This would apply essentially to public organizations, that kind of thing. Next up here we have agencies from the US, Canada, Japan, the United Kingdom, the European Union have now published the software bill of materials for AI minimum elements. That obviously focuses on AI, as it says on the tin. This document aims to help public and private sector organizations enhance transparency in their AI systems and supply chains. Hey, SBOMs good. SBOMs for AI. Also good, I think is kind of the track of thinking there. 
And finally, the British government announced on Wednesday that its intention is to update the Computer Misuse Act after years of warnings that outdated legislation was hindering security researchers and weakening the country's cyber defenses. The original law came out in 1990, which I think, if I check my calendar, was a long time ago. Lots of big stuff here. Gary, let's start with you. Here, which one of these kind of interests you? What do you think is going to have the biggest impact?
B
I think the one with the biggest impact is going to be the first one, which is what the EU does. Right. So, you know, there's so. And we can't just say, oh, just because it's going to be just for government stuff, that the private entities won't be as impacted. That might be true from a legal perspective, but we all know everybody kind of follows and they're like, want one standard and they try to go in one direction. But, you know, long story short, I mean, when we, when we have all these restrictions for, like Chinese companies to use American cloud providers and things like that, or. And then they start adding their laws and you start with this decoupling, really. So, like in China, you don't, you know, they have their own, like, operating systems. They started building them whenever we started adding these, you know, firewalls, so to speak, for our technologies. And so there's this decoupling and then now they're building out a bunch of stuff. And, you know, that, that really impacts the level of influence that America has. So if the EU goes this route, I think that really impacts way more than just the technology, but also just the cultures and everything. I think right now a lot of the, you know, there's a lot more globalization, you know, between, especially within the Western countries, because we share so many things and technology is one of those things. So we speak a more common language. It allows us to be more cohesive, it allows us to have some of the more similar values. So I think that has the biggest impact financially, culturally, all of these things, sort of aspects. And, you know, I want to leave some time for Peter to talk about other things, but I have thoughts on those other two articles, or rather things going on too.
A
Well, Peter, let's go to you. What do you think is going to have the biggest impact? Are you, are you in alignment with Gary here?
C
Yeah, I think I would. I would be alignment with him. I think certainly AI SBOMs are great. I think that's, that's a good thing. I think people kind of knew that was coming, so we're kind of able to prepare for that, you know, since the SBOM, you know, component already came out. So there's only a natural progression. So. But in terms of what Gary was talking about with Balkanization, if you will, of data and it's allowing, also not allowing, but giving us like a bellwether, if you will, of the overall sentiment for how folks are looking at US tech companies. And I think to Gary's point, this is not going to be isolated to just government systems because every one of those government organizations has other SaaS solutions, other technologies, et cetera. And now if they're having to abide by that restriction, that means those organizations will also have to do it. And then also those organizations that feed those organizations have to do it. So it's a waterfall effect for sure. And I think that this is going to be a broader implication that we're going to start seeing more of these restrictions coming out. And if you're developing software again or you're trying to serve in these markets, your architecture is going to have to be relooked at from data structures, how you do everything. And it's increasing costs, increasing complexity. I'm not saying it's a bad thing, but certainly it's going to be something that we're going to have to take into account, moving forward.
A
I do think it's interesting that this is coming after we've spent a decade trying to have various forms of the privacy shield that Max Schrems immediately sues out of existence every single try to they tried to do. I know it's not directly a one to one thing, but after years of trying to make that happen, essentially kind of turning a little significantly the other way. Again, this all depends on how much teeth this has and what's, you know, devil's in the details there. Gary, though, what else, what else was standing out to you from the policy perspective here was, was there any of these that were. That was a. Was a yawn for you, I guess.
B
Well, I think that the other two are going to be less impactful. And the second one that you had mentioned, which was what was the. I'm trying.
A
AI SBOMs.
B
Yeah, the AI SBOMs. That's right. That one was not. I don't think it's going to be terribly impactful because this stuff changes all the time. Like all these AI models, all these things, they're going to be adding new packages, this, that and the other. I mean, who can keep up? I mean, I get news feeds and I, you know, on my phone and I don't read, you know, I don't read most of it. So if you're getting this bombarded with this stuff multiple times a day or weeks or however many you have, and they're going to be more and more of them faster and faster, you're just not going to read it. And then if it's all sort of automated now, you've just got AI reading AI and like doing this circular sort of thing. So I don't, I don't, I don't know the reason for the SBOM because that was a sort of quote unquote best practice years ago. But we're beyond that now. We're making updates. All these apps on the phones change every two weeks because of these sprints. That SBOM was great whenever we were doing releases twice a year, but it's not great for every app every two weeks.
A
Yeah, I think, yeah, we've kind of again, not to say that SBOMs I guess don't have a purpose, but I think they're not the cure all that we thought they were going to be at one point. I think we've seen very much the limits of them. If you know, I never want to say like hey, disclosure of things is bad but if it's not meaningful because things are moving so fast, yeah, I think it's okay to be skeptical about what actual impact that could have. We got to move on to our last story here. And this is AI apocalypse prime territory here. Prime cuts of AI apocalypse here. Threat actors generating AI-driven zero day campaign. The Google Threat Intelligence Group discovered a well known cybercrime group using AI to build a novel zero day exploit. You may notice that was lacking in a lot of details. That's because Google is being cagey about a lot of spilling a lot of the tea there. But they did say it allowed attackers to bypass two factor authentication in a popular open source web based admin tool. I tried to plug that into Claude to guess what it was and it gave me terrible guesses so I won't share them here. Researchers believe that the group used an LLM through the development of a whole campaign based on that zero day. Luckily this time Google patched the flaw before any active exploits were underway. Peter, I'm going to file this under. I'm not at all surprised by this but now I'm breathing into a paper bag. News obviously major news story here but will, will, how long is it going to be until AI generated zero day campaign becomes like the equivalent of reporting on an individual ransomware attack?
C
I think it's just going to be. There are going to be so many. It's just going to be, it's going to be wild. We have a wild couple years coming up and honestly like these probably have been going on for some time, we just haven't noticed them. But what's interesting with this one was like they, the code that they had submitted was detailed documentation. It looks like it took a lot of time. That almost is a red flag within itself what engineer actually goes through and does documentation. It should have been like wait a minute, too good. Yeah, there's something fishy here. Error free and everything else. No, it's going to be coming and we know it is just our detection systems up for it and are we able to, you know, have recovery and resilience in place for when it occurs and quick identification of supply chain and knowing that we have it. So SBOMs are good in my opinion. Right. So at least we know that we have these libraries and these issues. But. But yeah, no, this is tip of the iceberg.
A
Gary, are you trying to redirect the Titanic as we head to AI apocalypse iceberg now where we're finding ways to make. I'm not to besmirch icebergs. I think they get a bad rap. But Gary, like what did strike you with when you were kind of going through the news this week?
B
It's definitely not surprising. I think we just need to make sure we got some good backups because everyone's going to get hacked. Now. I do think that we have a little bit of time because it costs a lot of money to run these LLMs and it's. You know, most people are going to want to spend that amount of money to go do that, especially not like as a hobby or something. So I do think that it's going to trickle because there's a cost here that's associated which is very, very good. But once, whenever it gets a little too cheap, then everyone's going to get hacked. So you just got to make sure you got all your backups ready.
A
Yeah. What is it? The AI Security Institute. There was a report that came out after Mythos and basically they said, yeah, it turns out the more tokens we pump into it, the better it does. But you also need to pump a ton of tokens into it to get do things. I think that is completely underreported thing of all of the Mythos hype train that it can do spectacular things. But. But that someone's got to pay that bill, right, for it to be worth it. You could argue that just incentivizes really horrible damaging attacks or nation state actors. Peter, I see you raising your hand and shaking.
C
Yeah, I mean, look, hey, here's two components. I don't haven't heard of a threat actor actually using their own credit card. That's one number. Or their own instance of something. The other component to consider here is like, guys, my assumption here isn't that they're using the cloud latest version of Claude. I mean, we already saw Mythos come out briefly, the code for it, they're just going to run it locally and get a whole bunch of GPUs and away they go. Right. And jailbreak it so they don't have to worry about any of this stuff. So I don't think it's a cost issue from that perspective, to be honest. It's more of a cost issue for the defender because when you're looking at running and actually using the models and we were doing testing, it was like 75 to 100 bucks per repo. Man, that is not cheap. So. And that's of course depending on complexity, repo size, etc. So. Okay, well, how often we want to do it, it's going to be a dollar cost averaging or what do we do here? So. Yeah, no, I think there's certainly considerations for cost, but that's a defender problem. And I think it's going to be, in my opinion, you know, the right thing to do for, for these model owners is to maybe lower the cost of cyber if we're using it for legitimate use cases to help protect their, their clients because the client goes away because just got massively hacked and they lose that token base you don't have. Yeah.
A
Turns out not having customers is worth giving a discount to that. I absolutely love that. Although I love the idea of like someone threat actor trying to max out their Amex to get points to buy tokens. Yeah. It turns out Amex Platinum, great benefits for buying.
C
There you go. Exactly.
A
You got to get it. Got to get it. All right. We've already gotten a lot of great advice out here. I feel slightly less dreadful, or at least I feel like I have clarity about my dread more than when we started, which I think is progress. But we're going to get a little advice from both of our fantastic guests today. Peter, I'm going to start with you. Before we get out of here. Is there anything from the news from the day that leaves you with a piece of advice you can give our audience before we get out of here?
C
I would say adapt quickly. So I guess that's not really happy fuzzy one, but. And I think everyone knows this. Right. But I mean, honestly, what we're seeing is the tip of the iceberg. And I think that the good news is that security practitioners for years have been really trying to push to try to get engineers to do fixes and patching and prioritize this stuff. And I think the existential dread that's coming from this is something that's finally being able to clear through, at least from talking to others, clear through some of those barriers before. So I think there is a silver light on the horizon and I do think as these models become available and we are able to point on our own stuff and it's not just finding the vulnerabilities. There's a whole bunch of new companies out there and technologies that are fixing stuff that they find just like that just as rapidly as they find them. I think I'm hoping we're adapting as an industry quickly and I have hope that we are. So
A
Anytime we can have hope and the idea of getting to the other side of this I think feels like it could be a possibility. If it's going to be this bad because of these tools, that gives us the opportunity for it to feel like it's going to get better. Gary, I got to ask any piece of advice you have for our audience before we get out of here.
B
Yeah. Rethink your security program. Things are coming, they come in differently. If you just try to do the same thing but faster, you're going to lose. So, you know, you don't need a faster horse, you need a car. Right. So just rethink the security program. That'd be my advice.
A
Well, thank you both for your time today and thanks to everybody that contributed in our chat watching us live. Remember, we are live every Friday at 4pm Eastern. So make sure you join us next week for the Department of Know. Peter Liebert, the CISO over at Salesloft. Thank you so much. We will have your LinkedIn profile in our show notes. And Gary Chan, the CISO over at SSM Health, you have some stuff going on. Let people know what you're up to and where they can find you.
B
Sure. So I do security themed magic shows. So imagine people who love security awareness training. That's what I do. I try to create something that people love. So you can learn a little bit at securitymentalist.com or just look me up, Gary Chan Mentalist, and you'll find some videos. You can just go and take a look for free. It's just a lot of fun.
A
We will have that in the show notes as well. No, no need to Google, to DuckDuckGo, to Bing it. We will, we will provide that service for you as well. And also a big thank you to our sponsor for today, Doppel, for helping make the show possible. Remember, send us our feedback anytime. feedback@cisoseries.com. We read them all. We enjoy them all. They. They bring joy into our day, even when it's constructive feedback. We do appreciate that. And remember, we are live every single Friday at 4:00pm Eastern for another edition of the Department of Know. No, no, no Super Cyber Friday next week. But on the 29th, we're going to be hacking pen testing in the age of agentic AI. So make sure you go to the events page at cisoseries.com to register for that. Check that out as well. A huge thanks to everybody for joining our Friday stand up here. Hope you have a great week. Stay secure out there. Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full story behind the headlines.
Date: May 15, 2026
Host: CISO Series
Guests:
This episode features a dynamic roundtable with CISOs Gary Chan and Peter Liebert, diving into urgent cybersecurity threats and developments from the past week. Themes range from novel software supply chain attacks, regulatory responses to AI risks, and the emergence of AI-driven zero-days, to shifting global data governance. The guests provide both technical takes and strategic perspective on why each development matters—and what CISOs and defenders can do about them.
“Adapt quickly… what we’re seeing is the tip of the iceberg… the existential dread… is finally clearing through some of those barriers before [between engineers and CISOs]… I have hope that we are adapting as an industry quickly.” ([31:15])
“Rethink your security program. Things are coming, they come in differently. If you just try to do the same thing but faster, you’re going to lose. You don’t need a faster horse, you need a car.” ([32:38])
Conversational, pragmatic, and at times wry (“preparing for the AI apocalypse”). Both guests use analogies and real-world organizational insights. The discussion is forward-looking but grounded in defenders’ operational reality.
For more on any story, visit cisoseries.com.