
David
From the CISO Series, it's Cybersecurity Headlines. Watching out for the 2FA middleman, Washington Post journalists hacked and Krispy Kreme's data collection is hot. Now these are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And we are now looking forward to some insight, some opinion and some expertise from our returning guest making his fourth appearance, Howard Holton, COO and industry analyst over at GigaOm. We're celebrating. We're putting up the fireworks here. It is just a celebration. We're going to jump on the Fourth of July holiday. That means I'm taking off through the 4th of July. David, just so you know. But Howard, I got to ask, how was your week in cybersecurity?
Howard Holton
My week in cybersecurity was fantastic. My CEOs out, my CFOs out. I got a ton of work done. It's amazing.
David
When the cat's away, the mouse will indeed play. That is awesome. And you're spending some time with us getting even more precious work done, helping us understand the news of the week. So I appreciate your time, Howard. Thank you so much. Also, thanks to our sponsor for this week, Adaptive Security, next generation security awareness training. We've already gotten our chat lighting up here. We have people in our chat. These are individuals that choose to spend their time here and we deeply appreciate them. People like Kevin Farrell and people like CCL. Someone pointed out I say CCL sometimes and you could make it think that it's like guidance from some agency. CCL is just someone in our chat. If you want to chat with CCL, you can come and join us live. Just go to our events page at cisoseries.com and look for the week in review image there. Or just subscribe to us on YouTube and you can chat with CCL in the chat. You can also send us feedback at feedback@cisoseries.com if you can't join us live but you want to let us know your thoughts. We would love to hear them. There, there. Just a quick reminder that these are Howard's opinions, not necessarily those of his employer, friends or family. And we appreciate his time and we'll get into them right now. We've got about 20 minutes, so let's jump in to the first story. Beware the SMS 2FA middleman. An anonymous whistleblower has released auto-generated login codes related to roughly 1 million SMS messages with two-factor authentication codes sent in June 2023. Assume that was one of those, all these messages passed through the Swiss company Fink Telecom Services, which cybersecurity researchers have previously found worked with government and private surveillance contractors to track user phones and spy on individuals. Fink CEO Andreas Fink told Bloomberg that legal restrictions prevent them from seeing message content. And even if they could, they no longer work in surveillance. 
Fink generally operates as a subcontractor for other SMS processors, the company and the individual. So Howard, this story should awaken any CISO's spidey sense. I feel like there are just a lot of frayed ends here to wrap your head around. Even if Fink Telecom is as secure as Mr. Fink says it is, what do these types of attributes, this kind of supply chain for SMS? I guess I never realized it kind of say to you, I mean it.
Howard Holton
Says we don't have a security supply chain is what it says. Ultimately security is more about did I get hacked? Security needs to be about are my services being leveraged in the way that I intend my services to be leveraged? And ultimately if they're not leveraged for ethical use, they need to be sued into oblivion. They need to go out of business. Like it needs to be your responsibility to say I'm doing ethical things with the service that's being provided within the context of the service. Right. I'm not a big fan of too much government watchdogging, but when people are using your service for nefarious purposes, you kind of have some culpability there, right? Especially when it's a B2B relationship or a B2C relationship. The whiplash effect is pretty large. Right? Look again, I'm not a big fan of watchdogs. If everyone gets into a service knowing it's nefarious, great, fine. I don't know that I care. Right? Send the FBI after it, send law enforcement after it, send Interpol after it, it's fine, go arrest the users, fine. But when your service is just used for nefarious purposes and you hide behind. Well, I mean I can't control what other people do. No, but you're providing an SMS service and your SMS service is leveraged by bad actors. You probably need some more security controls in there. At least enable them for your users so you and turn them on by default. Let the user turn it off. Like I could maybe I could accept that. But to. To totally wash your hands of it. I think it's a real big problem.
David
Yeah, that was one of the weird takeaways from the story. It was almost again, not them as a subcontractor, as almost as an out to this and I get like B2B makes these relationships weird because again, how much visibility into how many different parts of your supply chain for SMS? Again like something you don't necessarily think of as having a supply chain other than it goes to the telco and it goes out to a customer. That was a weird vibe and a weird read for me for so many people saying that as an out versus I don't know, maybe. Yeah, to your point, sued out of existence. And CCL, an individual in our chat, says imagine someone trying to log on and you don't get the SMS because someone in the middle intercepted it before you can. Yeah, that's the nightmare scenario. And even if it's just collecting them for that capability and it, it raises a whole lot of questions. So yeah, thank you for that CCL. Appreciate it. Next up here, NIST publishes new ZTA guidance. This new guidance is meant to serve as a foundational starting point for organizations building their own zero trust architecture. Although NIST is quick to caution that all of these need to be custom built for a given context, these aren't necessarily hey, do exactly this. It's here's what's worked for some people. NIST includes 19 examples of zero trust architectures built by organizations using commercial automation off the shelf tools and technologies. The guidance is meant to augment this previous conceptual level ZTA documentation released five years ago in 2020. It emphasizes a phased deployment that starts by identifying and cataloging assets, building out access policies, and eventually achieving continuous monitoring and improvement. There are some steps in between there, as you might imagine. 
So Howard, this all sounds good, but should CISOs temper their enthusiasm with practical concerns about implementation challenges or the need to manage internal expectations when you have throwing around terms like custom built complexity off, you know, commercial off the shelf tools come into play.
Howard Holton
So like I have a love hate with. Well, with NIST, I think they really do the best they possibly can, but they're also built by committee, so that's a bit of a problem. This thing I have a problem with, not because of what they're attempting to do, but because there's three legs to this stool, right? There's people, process and technology and they seem to be really technology focused and that's actually the least valuable piece for me or really should be the least valuable piece for anybody because anyone at any point can go out and buy crap, right? Hopefully it's not crap, but you can still go out and buy crap. That doesn't mean you're zero trusty all of a sudden. Policy is the most important part, philosophy and policy. You have to change the minds of everyone associated with security in the org. We can totally argue about whether security is everyone's job and therefore you have to change everyone's mind. I don't think that's necessarily reasonable to even attain, but let's just say all the people that touch the applications in a way that should be secure, you have to change their mind about how they think about security and how they prioritize security. It is not a tools problem. You cannot solve it with tools. You can never solve it with tools. So if all we're getting is here's the tool stack of people that have done some zero trust stuff without the here's, here's how we rolled it out, here's the policies we put in place, here's how we enforce those policies throughout the entire organization, then effectively it's a one legged chair that's just going to beat you to death.
David
I would love if they put out guidance of here's how to say no to everyone's single use exemption that they insist is mission critical and they can't live without. And that's why, you know, they need like to your point that that whole component to me is zero death or zero trust death by a thousand cuts. Right. It's, it's everybody wanting their, their little exemption because it's the way it's always been done or you know, for, for seemingly legitimate maybe for the business or for that process or for that individual's reasons. And it's like how to be the, the zero trust bad guy so that you can all get to a better place. Yeah, to your point, a little bit more valuable. And the other part of this is like five years is a long time to wait. Also this feels like if this is foundational, I feel like these should have been maybe released at the same time. But to your point, bunch of tech, not necessarily the greatest thing to have out there as well.
Howard Holton
No, I mean we have to keep in mind that zero trust, first off never ends. And second, zero trust also means when your users request an exemption, you don't trust them either.
David
Okay.
Howard Holton
You have to question and you can't trust that they understand what you're trying to do. Right. And therefore don't assign malice. They're not being malicious, they just want to get a job done. So you may have to take it, take a minute and explain to them why you're not going to honor that request. Also why that request is probably not necessary within the guidelines and the framework.
David
And Then you need buy in from leadership. When they go to them and say they won't let me do the thing, it's impacting my job.
Howard Holton
Correct.
David
Otherwise you have nothing to stand on. You're a zero leg stool then.
Howard Holton
Correct.
David
Just a Frisbee, I guess.
Howard Holton
Let's keep in mind, right, if security is not applied equally, you don't actually have security.
David
All right, next up here, we'll find out if the Washington Post has security because they're investigating a hacking incident on journalist emails. The story broke late on Sunday that there has been a possible unauthorized targeted intrusion impacting a few journalists, which the Wall Street Journal has said was potentially the work of a foreign government. In fact, the reporters whose emails were targeted included members of the national security and economic policy teams, including some who write about China. The intrusions apparently compromised journalists' Microsoft accounts and could have granted the intruder access to work emails. So, Howard, although many journalists use encrypted channels like Signal for their communications, particularly with sources, do you feel journalists' cybersecurity should be boosted somewhat as part of a broader national defense posture? I know that there are programs from Google and Apple for, you know, particularly targeted users. Right. Lockdown mode and that kind of stuff that are specifically called. They call out journalists for those things. But I'm wondering, is there anything more we can do or is that better than where we have been already?
Howard Holton
I mean, I think it's an improvement, but there is no perfect security. It would be really interesting for the community as a whole to really kind of adopt security for journalists as a project and see if we could come up with a framework, a methodology that can be adopted by journalists themselves without, you know, suddenly having them become security analysts in all their time, because they don't have time for that. And journalistic organizations as a whole as well. I mean, I'd be willing to donate time to such a project to see if we can help media organizations really improve their security posture as well as their awareness and journalists as well. This is a huge problem. Freedom of speech is paramount to any free society globally. And I say that within the context of where I live right now. It's really damaging when journalists are hacked, when journalists are interrupted, and when journalists are stopped and that free press is infringed upon. And so I think as an industry, I'd love to see a project where we look at that. I mean, it'd be great if free nations of the world also kind of stepped up and lent some budget to this because they claim to be free nations. But I'm not, I'm never holding my breath around that one.
David
I do love that idea though of yeah, recognizing hey, this is a collective good. You know, we, this is something we should prioritize. We've already identified these as highly at risk. We know there's a resource constraint. I mean there's, there's a lot of different things that I would love to see security professionals get together and get a DIY or you know, some kind of bootstrapped security practices. Again with the goal of not making people into that. Yeah, that would be something I would absolutely love to see. And CCL in our chat points out the EFF has volunteer programs. I know Craig Newmark's foundation has done some work adjacent to this. Not necessarily specifically targeted for media as well, but you know, that kind of more civic minded cybersecurity project. So the more of those, I think as long as we're coordinating with reasonable effectiveness, the better. Before we move on to our next story, I have to spend a few moments and thank our sponsor for today, Adaptive Security, the first cybersecurity company backed by OpenAI. Adaptive helps security leaders defend against AI powered social engineering threats like deepfakes, vishing and GenAI phishing with advanced phishing simulations and next generation security awareness training. Adaptive's new AI content creator enables teams to instantly convert threat intelligence and compliance updates into interactive multilingual training. No instructional design required. Trusted by Fortune 500s and backed by Andreessen Horowitz and the OpenAI Startup Fund, Adaptive is helping organizations stay ahead of emerging AI driven threats. Learn more at adaptivesecurity.com. That's A-D-A-P-T-I-V-E-S-E-C-U-R-I-T-Y dot com. I get my gold star for spelling today. State healthcare exchanges share data with Big Tech. An investigation by The Markup and CalMatters found that four state run insurance marketplace sites share sensitive information through embedded advertising trackers on their sites. 
The investigation found that Nevada's exchange shared prescription and dosage information with LinkedIn and Snapchat, which are like the two opposite ends of the spectrum in terms of social platforms. And the exchanges of Maine, Massachusetts and Rhode Island shared information with Google. Part of the issue is that some exchanges use separate sites to connect users with insurance plans once they fill out some preliminary information, and those services were the ones using embedded trackers. But to the user this would all be the same site. Effectively, all exchanges removed the trackers when alerted by investigators, maintaining that they do not store any personally identifiable information. There's been some kerfuffle that maybe the definition in LinkedIn's terms is that they, they do store that stuff. So that's an open question, but the convenient third party vendor blame game this time comes in the form of embedded trackers. Although these trackers were supposedly removed upon request, should there be a better policy or enforcement? Especially since I'm assuming a lot of this would be covered by, would be impacted by HIPAA.
Howard Holton
I mean if only we had the ability to set up some sort of agency that could audit state and federal agencies that, that care. That contain healthcare information. Like it almost seems like maybe we need some federal funding to help with that. I'm not sure who to talk to.
David
Well, I mean the markup's clearly doing that already for free, so you know.
Howard Holton
Sure, sure, but, but when the market does it, it's when the market gets to it. Yes, right. We need audits that go into place as part of rolling these programs out. We need them early, we need them often, we need them frequently. Right. The market can only solve what the market can solve and the market can only bear with the market. Compare. And the fact that the market picks this up is a problem. It is very, very, very hard to sue the state and ultimately the state's responsible for this. Right. But this is again a drive to. What is the criteria that they're allowed to use? Well, they're allowed to use the criteria set by someone paid in the lowest 30 percentile of pay rate for that job through the bidding process. That requires people to go through a lot of hoops to sign up for, for continuous bureaucracy and then the lowest bidder that meets the quote unquote required qualifications like does any of that work in 2025? Does any of that work in a time where we have state actors attack, constantly attacking our, our being anyone's government? Right. No, I don't think any of that is sufficient. I think we need some serious rule changes in what's going on here and we need far, far, far more culpability and liability in these third party processors. If you're going to sign up and manage our data, the collective, our as the people, then the liability needs to go directly to the directors, not to the corporation. The directors, corporations are people. So there's none of this. You've, you've decided to take an infinite number of shortcuts. You get sued personally, you are personally liable. Right. We need some massive changes in order for this to happen. Again, speaking as someone from the US I can only be US centric. I do apologize for your international listeners I do not see this sitting Congress addressing this issue in the next 475 years. So I'm not going to hold my breath.
David
And the other thing is, with The Markup's laudable investigation as this is, they were only able to cover 20 out of presumably 50 exchanges that are out there. So this we actually don't know. We don't even have full visibility into this problem. I will say, based on some of the evidence that they found to your point earlier, this doesn't necessarily seem to be malicious. It's not like. But it still breaks, probably breaks the law to collect this information. It was definitely not their intent. It seemed like all the exchanges were surprised that it was happening and knew that they shouldn't be doing it. So, yeah, that's. It's one of those things where, yeah, if no one's checking it, it's probably going to happen more often than not.
Howard Holton
Well, it absolutely violates HIPAA. Yeah, right. It is not taking reasonable protections to. To safeguard private. The private information of private health information. Excuse me, sorry. The intent of that law is completely violated, and frankly, the written portion of the law is completely violated by these actions. And yet I doubt there will be much to come from it.
David
All right, next up here, if that story didn't freak you out, let's try this one on for size. North Korea's tricky ClickFake deepfake scam. Security firm Huntress reports on a deepfake and social engineering scam in which an employee of a cryptocurrency foundation was invited to talk with a collection of executives at an external company through Zoom. The executives on the call were all deepfakes. This does sound pretty similar to the $25 million Hong Kong heist of last year. That was kind of the watershed moment for deepfake fraud. But the twist on this one is that the employee found that their microphone was not being heard on the call, at which point the very helpful deepfake persona sent him a Zoom extension which had been altered to stealthily download a next-stage payload from a remote server. But it solved the issue and they could talk. So, Howard, this is now being referred to as a ClickFake interview, since it has the same kind of I can fix it vibe as the better known ClickFix scams. You can't. I. I'm sympathetic at least to the employee of. Oh, dang it. You know, Zoom always. Oh, you could solve this. So who takes responsibility for alerting people to tricks that they've never seen before?
Howard Holton
Oh, I mean, this is a difficult one. Thus far, humanity has never solved the alert all the people problem. Right?
David
Today.
Howard Holton
Yes, today. Today. I don't know that there's a way to do that. I mean, I would love if, like, again, I would love if we all kind of took responsibility for it. I am certain everyone listening to this podcast does everything they can to share this in. To share as much kind of security awareness with the people they come in contact with as they can. Right, right. And that's most security people that I'm aware of kind of do the same thing. We really do go out of our way to try to. To try to educate people. The shocking thing is like, you know, my daughter's 23. She's been, you know, with me through every C level job I've had. Every time I've been a CISO. On her third day of work, she said, hey, is there any reason the CEO is sending me a text message? Even she, like, she's been around all this stuff forever. And even she had to pause and go, oh, this might be legitimate. Like, she was not asking, like, hey, just to let you know I got this scam. Hahaha, funny. She was literally like, why is my CEO sending me a text message? This doesn't make any sense. Does this make sense to you, Dad? Right.
David
At least that awareness to create the speed bump mentally. Right. Of being like, let's not comply with this at least immediately. But yeah, like that's. It's. Yeah, it's tough.
Howard Holton
How about we just don't trust anybody anymore? How about we, for the very first time, recognize that no one on the Internet is a real person, even me in this interview. I am an actual human being. But you're getting one facet of my personality, getting one piece of Howard. At no point online do you ever get 360 degrees of any person. So stop thinking that they're actually a person. They are not a complete person. They're the version of themselves that is a persona fit for purpose to whatever it is that they're on. So stop trusting them like they're an actual full human and validate and verify at a bare minimum. Right. The number of interview scams that are going around right now is just off the charts. I got an email from somebody saying, hey, just curious. Does this person actually work for you? Because they're interviewing me for a job at your company. To which I had to say, I've never heard of that person, nor do I have any of those openings. And I don't know what to do. There's nothing I can do about that. There's no way to actually. What am I going to do? Put a thing on our website that says this is the only person you can take an interview from, then they're just going to impersonate that person. This is a really important thing. And ultimately it's on all of us to do everything we can to get people to stop blindly trusting because it is blind trust that makes this happen. Oh, that's a Zoom extension. Great. I'm going to go to Zoom's website, I'm going to go to their marketplace, I'm going to find the extension and at least see if it's valid. If it's a real extension. If it's a real extension, then it's on Zoom.
David
Yeah, but. Oh, my, sound advice. I mean, we were already talking about zero trust a little earlier. But yeah, that verification component. And it's very interesting at least with. Not that again. None of these schemes are necessarily like net new. It's just these new tools. It's just interesting to see what this completely different scale that's like borderline inconceivable to us is allowing the creativity of like threat actors to just squeeze on everything that has trust in it just to see what they can break. Right. It's. It's squeezing. It's like if I say I'm from GigaOm, it. It turns out most people will just believe I'm from there, like, who knew, you know. And. Or if I, if I can, if I can get something on your phone that says I'm the CEO. Same kind of thing. You know, we're on this call. We already have this trust. We're talking face to face. We've already established this trust even though there's no verification. Install this thing. You would never ever do that any other way. But it's like this because the scale of things that we're dealing with is currently unimaginable. Even though we understand it, it's unimaginable. The implications of that is what we're grappling with.
Howard Holton
I feel like right now, good thing, when it's all said and done, we're going to have a real rough time getting through this. But we are right now at the point where you cannot trust anything online and must verify. And I think deepfakes being in the news and being so kind of prevalent and out there, and deepfakes are hitting the average person in a way that too much in the past kind of hasn't. It's starting to wake people up to, oh my God, I can't trust this. Right? You haven't been able to trust it for a decade. And really those of us that have been anti social media advocates have talked about that, and people paying attention to the destruction of kind of what we consider news have really been kind of espousing this for a long time. You really can't trust. And I think deepfakes are really going to be the nail in the coffin of trust and are going to force all of us to really change the way we address the information that we get, regardless of the medium. Because if I can't trust that a person on camera is the person on camera, then I absolutely can't trust anything. This is as live as it gets. Still can't trust it. Right. And so hopefully that will help us all kind of take a step back and go, well, if I can't trust and have to verify, I need to verify everything.
David
All right, and our last story of the day just kind of, we'll end on something a little bit more delicious. Krispy Kreme discusses November breach impact. So I'll do my best to glaze over the story and scrumptiously avoid sprinkling tasty donut puns into a story full of holes. So suffice it to say, when reporting on their findings, following the breach that the company suffered last November, the criminals made off with more than PII for the 160,000 victims involved. They also got their sticky fingers on a baker's dozen of critical data morsels such as credit and debit card information, along with access information, email passwords, biometric data, USCIS or alien registration numbers, US military ID numbers, medical and health information, and health insurance information. So, Howard, this is the point in the show where I have to look over my metaphorical glasses in a schoolmarmy style showing off my aquiline profile. This one is a slam dunk. Let's not try to sugarcoat the issue here. According to The Register, the 160,000 or more victims were employees, former employees, members of families. This leads to, I'm going to say, a quarter dozen questions here. Why this type of data was collected from family members, why it was retained after the departure of these families, former employees, why it was not better protected. I'm just curious your thoughts on, on this predicament.
Howard Holton
Jail, jail, like it's 2025. Like, this is so egregious. What in the heck are they doing? And, and is there any possible way that they were doing it in any, like, any goodwill, any positive way? No, they were. They were. They, they had a massive data collection going on in a way that even if not malicious is certainly not reasonable and honest and thus they should go to jail. Just jail. Just period jail. Until it gets to the point where there's some personal fear on behalf of folks this is going to continue to happen. The fact that Krispy Kreme got caught does not remotely mean they're the only one. For all we know there's a company that sold them on this idea that sold it to a thousand other companies. Right. Or a thousand people came up with this idea on their own or whatever. Like it's not, I'm not, I'm not, it's not a conspiracy. It's just simply there's revenue attached so they do a thing. Well, we have to be able, as businesses, we have to be able to say no to revenue that, that, that comes to us through malicious avenues. Right. We already have anti bribery rules and we have anti bribery laws. Why do we not have anti. You're an evil data collector. Laws.
David
Well and, and that's where, you know, I always, I always think of this in terms of incentives, you know. Right. Like not going to jail. Very good incentive. Right. And, and, and empowering someone to, to take it not from, to make it a, not no longer a security function or an IT function and make it a legal function of a lawyer comes in and goes why are we holding on to all this data, empowering that person to do that? Because they're trying to CYA the company and their executives as opposed to, oh, here's the, here's the guy that's advocating for privacy and also our bottom line will go down. Like that's an argument you never ever win. And then you just have a embittered either it or privacy advocate, security guy or girl out there. So yeah, it's, to me it's, yeah, you're absolutely right. The incentives just don't line up and we can't expect it to change until they do. Right? Right.
Howard Holton
Well and these companies are playing with everybody's livelihood. Right. There's no possible way this news help. Well, I would, I would hope, I would hope there's no possible way this helped Krispy Kreme's bottom line. But the stock market's a weird fickle thing, so who knows. But, but this sort of thing, right. If the market is astute should, the market should decide we no longer do business with Krispy Kreme or any other company that does, that does these things. Truth in advertising should be a thing. Truth in data collection should be a thing. And we've done everything we can to obfuscate all of these things and so many layers that it requires something like this hack and the corresponding investigation to really find out what these companies are doing. And again, it's not the only one. So. Right, Timmy's, I expect you to be doing better than Krispy Kreme down south.
David
I assume you're Canadian, so I am not Tim Hortons. We expect better of you. All right, thanks to everybody that was getting involved in our chat. Couldn't get everybody on the screen, but we had some new faces on here. Shout out to brown paper bag. This is a user in our chat. This is not me shouting out the concept of brown paper bags. Also, though, do enjoy them. They have a nice texture. I much prefer them to plastic. But thanks to everybody that showed up in our chat. Before we get out of here, Howard, was there any story that was a thumbs up or an old Picard facepalm for you? I feel like there's a number of categories that we could have here for this.
Howard Holton
I mean, I think the most disappointing one for me is the. Well, it's actually the Krispy Kreme jokes.
David
I accept your derision and it makes me want to make all the stories just painful pun dad puns for the next rundown. Next time you're on, Howard.
Howard Holton
I hope you do.
David
I really do.
Howard Holton
And I look forward to coming back and getting my five-timer jacket.
David
Absolutely. Until that. Until. In that. In that interim, where can people find you on the cyberspace? What are you up to? What should people keep an eye on?
Howard Holton
Sure. So LinkedIn is the best way to find me. I'm pretty active there. And then I'm launching a new podcast called the Church of the Southern Technocrat. It's designed to be funny and it is technology focused. It is me portraying a like Foghorn Leghorn type Southern preacher. Really kind of ranting about technology for ideally five to seven minutes. Kind of get everybody fired up. Start with a little bit of fun in your day. And I'll be launching that in August.
David
Can I request that the podcast start for that? Have you in a seersucker suit or something along those lines?
Howard Holton
Oh, yeah, I will happily look and see if I can find pork pie.
David
Yeah, that'd be pretty great. All right, well, thank you so much, Howard Holton, COO and industry analyst over at GigaOm. Can't wait to check that out when it launches. And thank you once again for lending your wisdom and your advocacy for jail to our show. It's always a treat. We can't wait to have you back. Thanks also to our sponsor for today, Adaptive Security Next Generation Security Awareness Training. And thanks once again to our audience. You make the show better. You make me smile. You make me laugh every single week. So for that alone, you have my heartfelt thanks. And I can't wait to see you again next week. Don't forget, you can send us email at feedback@cisoseries.com if you have any feedback about the show or about a news story. Do you think Krispy Kreme wasn't so bad? Your need for carbs is such that you'll excuse any kind of behavior from someone purveying donuts? I sort of get it, but let us know at feedback@cisoseries.com and join us again next week. We've got our dual slate going on Super Cyber Friday. We're going to be talking about hacking the internal politics of cybersecurity and an hour of critical thinking about why being right doesn't mean you'll win. That's at 1pm Eastern, and then we'll have another episode of the Week in Review starting at 3:30pm Eastern. To head out, just head on over to our events page at cisoseries.com to register for both. In the meantime, you can get your daily news fix every single day through Cybersecurity Headlines. Give us about six minutes. We'll get you all caught up. Until then, for myself, for our glorious producer Steve Prentice, for Howard Holton, for all of us here in the CISO Series Extended Organization, here's wishing you and yours a super sparkly day. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Week in Review Summary
Episode Title: Week in Review: ClickFake Deepfake Scam, Krispy Kreme Breach, NIST ZTA Guidance
Host: CISO Series
Guest: Howard Holton, COO and Industry Analyst at GigaOm
Release Date: June 20, 2025
Overview:
The episode kicks off with a critical examination of SMS-based Two-Factor Authentication (2FA). An anonymous whistleblower revealed that approximately one million SMS messages containing 2FA codes were intercepted by Fink Telecom Services, a Swiss company previously linked to government and private surveillance activities.
Key Discussions:
Supply Chain Vulnerabilities:
Howard Holton emphasizes the inherent risks in the SMS supply chain, stating, “Security needs to be about are my services being leveraged in the way that I intend my services to be leveraged?” (00:54) He underscores the importance of ethical service provision and the necessity for service providers to implement robust security controls to prevent misuse.
Accountability and Ethical Use:
Holton further elaborates on the responsibility of service providers: “You probably need some more security controls in there. At least enable them for your users so you and turn them on by default” (04:36). He advocates for proactive measures rather than relying solely on law enforcement to address malicious use.
Conclusion:
The discussion highlights the critical need for comprehensive security measures within the SMS supply chain to safeguard against unauthorized interceptions and misuse of 2FA codes.
Overview:
The episode delves into the latest Zero Trust Architecture (ZTA) guidance released by the National Institute of Standards and Technology (NIST). This guidance serves as a foundational framework for organizations aiming to build their own zero trust environments.
Key Discussions:
Critique of NIST’s Approach:
Holton expresses reservations about NIST’s technology-centric approach, stating, “Policy is the most important part philosophy and policy. You have to change the minds of everyone associated with security in the org” (06:35). He argues that without a strong emphasis on policy and human factors, the implementation of zero trust will falter.
Challenges in Implementation:
The conversation touches upon the practical difficulties CISOs face when adopting complex frameworks: “It's not a tools problem. You cannot solve it with tools” (07:59). Holton emphasizes the necessity of organizational buy-in and policy enforcement to ensure the effectiveness of zero trust strategies.
Conclusion:
While NIST’s ZTA guidance provides valuable insights, the discussion underscores the importance of balancing technology with robust policies and cultural shifts within organizations to achieve true zero trust security.
Overview:
The Washington Post is under scrutiny following a hacking incident that compromised the emails of several journalists, including those focused on national security and economic policy.
Key Discussions:
Enhancing Cybersecurity for Journalists:
Holton advocates for a collective effort to bolster journalists' cybersecurity: “Freedom of speech is paramount to any free society globally” (10:42). He suggests developing a framework tailored to journalists to improve their security posture without overburdening them with technical responsibilities.
Collaborative Solutions:
The conversation highlights the need for industry-wide initiatives and potential governmental support to provide journalists with the necessary tools and training to safeguard their communications effectively.
Conclusion:
Protecting journalists from cyber threats is essential for maintaining a free and informed society. The discussion calls for collaborative efforts to create practical and sustainable security measures tailored to the unique needs of media professionals.
Overview:
An investigation by The Markup and CalMatters revealed that four state-run insurance marketplaces are sharing sensitive data with major social platforms like LinkedIn, Snapchat, and Google through embedded advertising trackers.
Key Discussions:
Privacy Violations and HIPAA Compliance:
Holton asserts, “It absolutely violates HIPAA” (18:09), emphasizing the gravity of sharing personal health information without proper safeguards. He criticizes the lack of stringent audits and the over-reliance on market-driven solutions to enforce privacy standards.
Accountability and Legal Reforms:
The discussion explores the need for significant regulatory changes to hold third-party processors accountable. Holton advocates for personal liability for corporate directors to ensure stricter adherence to privacy laws and prevent unauthorized data sharing.
Conclusion:
The unauthorized sharing of sensitive healthcare data with big tech companies underscores the urgent need for robust regulatory frameworks and accountability measures to protect individuals' privacy and ensure compliance with laws like HIPAA.
Overview:
A sophisticated deepfake and social engineering scam targeting cryptocurrency foundation employees was reported. The scam involved impersonating executives through Zoom calls, leading to the installation of malicious software.
Key Discussions:
The Growing Threat of Deepfakes:
Holton remarks, “You cannot trust anything online and must verify” (23:44), highlighting the escalating threat posed by deepfakes in eroding trust in digital communications.
Preventative Measures and Awareness:
The conversation emphasizes the importance of verification and skepticism in digital interactions. Holton advises, “Stop blindly trusting because it is blind trust that makes this happen” (22:31), advocating for rigorous verification processes to mitigate the risks of deepfake scams.
Conclusion:
Deepfake technology is revolutionizing social engineering attacks, necessitating enhanced verification protocols and heightened awareness to protect against increasingly deceptive scams.
Overview:
Krispy Kreme suffered a significant data breach in November, compromising over 160,000 victims' Personally Identifiable Information (PII), including sensitive data such as credit card information, email passwords, and biometric data.
Key Discussions:
Data Collection Practices and Legal Implications:
Holton condemns the extensive and seemingly indiscriminate data collection, asserting, “They should go to jail” (26:09). He emphasizes the lack of justification for retaining such sensitive information and the urgent need for legal accountability.
Market Response and Corporate Responsibility:
The discussion touches on the role of the market in penalizing unethical data practices. Holton states, “Truth in data collection should be a thing” (28:19), advocating for consumer and market-driven consequences for companies that mishandle sensitive data.
Conclusion:
The Krispy Kreme breach highlights severe lapses in data protection and ethical handling of customer information. The episode underscores the necessity for stringent data management practices and robust legal frameworks to prevent such breaches and hold responsible parties accountable.
The episode concludes with acknowledgments to participants and a preview of upcoming content, emphasizing the importance of continuous vigilance and adaptation in the ever-evolving landscape of cybersecurity.
This detailed summary encapsulates the pivotal discussions and insights shared during the "Cyber Security Headlines" podcast episode, providing a comprehensive overview for those who missed the live session.