A
From the CISO Series, it's Cybersecurity Headlines.
B
Scattered Lapsus Hunters, a crowdsourced ransomware campaign. California law lets consumers universally opt out of data sharing, and hundreds of millions of business PCs are still on Windows 10 as the end day nears. These are some of the stories that we have selected from this past week's cybersecurity headlines, and we are now looking forward to some insight, some opinion and some lively expertise from our guest, Dustin Sachs, chief technologist over at the Cyber Risk Collective, and the inevitable Mike Lockhart, CISO over at EagleView. And we are also on the line with, of course, the big boss man, David Spark, and our glorious producer Steve Prentice lurking in the background. We may hear from them as well. Also in our hearts today we have our sponsor, ThreatLocker. Assume everything is a threat. If you're listening to the show as a podcast, remember that next week you too can join us and our loyal band of vocal experts on YouTube live. To do so, go to csoseries.com, hit the events dropdown and look for the Cybersecurity Headlines Week in Review image. If you click on it, you can join us. And for those of you that are here with us right now, be sure to contribute your comments in the chat. I know Dustin and Mike are not going to be holding back anything on the mic, so you should not hold back as well. Let us know what is resonating with you, what you're enjoying, or just have a lively side discussion about the 20th anniversary Mac and how it was just such a weird piece of hardware. I don't know. Any conversation is valid in the chat, and if none of that sounds good to you, feedbackisoseries.com is the electronic mail address you can utilize to your advantage. Before we jump into this, just a quick reminder that Mike and Dustin's opinions are in fact their own, not necessarily those of their employers, their staff, or indeed their clergy. We got about 20 minutes though, so let's jump right into it. First up here, Dustin, I gotta start with you here.
A lot of interesting news this week. What was the big story for you in cybersecurity that, I don't know, maybe resonated in your context or just you couldn't get out of your brain?
A
I think the one that we're gonna talk about, crowdsourced ransomware, is an interesting escalation of what we've seen and what we've traditionally seen, and I'm interested to dive into that one with you.
B
It is amazing that the bar for ransomware stories has risen so dramatically just since we started the show. In the last five years, the last, like, five years ago, it'd be like, oh, 10,000 people were impacted by this ransomware. It was like, ha, ha ha. And we're now, we're now at Kickstarter ransomware. I mean, I mean, Mike, am I losing my mind here? Like, is the escalation of ransomware notability kind of ridiculous these days?
C
Oh, yeah, no, it's. It's been in an amplitude that's been just absurd for. For quite a period of time. And the data shows us that we're starting to drop a little bit when it comes to the overall cost. But the. The attacks are happening. They're happening in different and more creative ways now that are actually a little bit more terrifying than the loud and noisy ransomware actors.
B
You know it. I mean, you want to talk about creativity in an age of AI, look to the threat actors. They indeed are our inspiration. All right, Mike, since we have you up on the screen here, what was your big story of the week that, I don't know, just kind of grabbed you by the coat?
C
So there's been a few things that have happened this week, but one of the ones that really stood out to me is the fact that the Windows 10 expiration date is knocking on the door, and there are still tons and tons of companies that are really just waiting to update. And it seems to be a constant struggle with enterprises. These major end of life, end of support events happen.
B
All right, I got to poll the room here. Windows XP, the hardest version of Windows to ever get off of. Is there anyone that's more notable, at least in your careers, that you've had to deal with?
A
I'll go with XP only because I don't think anybody actually installed Windows ME anywhere. But XP would certainly have to take it. Seven wasn't particularly fun either.
B
So, okay, yes, I thought I kicked and screamed to move to that weird tile of Windows 8. Mike, what about you?
C
I was trying, in the early 2000s, to get organizations off of Windows NT, and for good reason. It worked. And it was actually shockingly stable. And telling an organization that you have to move to something that's a little bit more, you know, Windows Server 2000 or other tools that were out there, they didn't really know when to make the move. The NT kernel, the early version, was just a good piece of software, but people had to be dragged kicking and screaming away from it.
B
Little did they know the glories that awaited them with IE6 and all the bountiful non-standard Internet rendering that they could have hoped for. All right, let's get into our first story here. Scattered Lapsus Hunters, the crowdsourced ransomware campaign. Dustin and Mike, can't wait to get your thoughts on this. So Scattered Lapsus Hunters, turns out, not a KPop Demon Hunters wish.com version, is letting anyone do their dirty work. So the crime group has been offering $10, that's not a typo, $10 in Bitcoin to anyone willing to hound executives at companies it claims to have breached. The group has recently claimed to be retiring, posting instructions on Insta or on Telegram and a new data leak site listing 39 alleged victims, mostly linked to Salesforce integrations. They cannot keep taking it on the chin any longer. Followers are urged to email executives until they pay, with higher rewards for using personal accounts or doing an exceptionally good job. Mike, I'm going to start with you here. Crowdsourcing harassment for pocket change bounties. Should we be treating these as, I don't know, social engineering campaigns at this point rather than just a pure ransomware operation, and maybe beef up corporate culture to identify and handle this type of, you know, groundswell of harassment?
C
So it's, it's an interesting change in, in culture and tactics at TTPs, right? Tactics, techniques and procedures that we're, we're starting to see from these groups. And you know, in personal opinion, I have no data to back this up, I think it's a really clever play. And the reason I think it's clever is it's twofold. It's a new avenue that hasn't been explored before and it's an opportunity to test the waters to see if it provides any return on investment. But I think the timing is interesting as well too. There's economic headwinds that people are feeling and companies are going through restructurings and reductions in force where they might have a higher likelihood of being able to incentivize somebody. You think about the old CIA MICE model of money, ideology, conscience and ego. And you know, somebody might be, you know, there might be ego or there might be some ideology they feel about the, the current market right now where they can tap into that. So it's, it's kind of a fascinating exercise and it'll be academically interesting to see how it plays out. As a CISO, though, it's also a new avenue of risk that we have to start really considering.
B
This almost reminds me of like Amazon's old Mechanical Turk, right, where you could pay someone like a nickel to transcribe a sentence or something like that. But it just turns out instead of Amazon, threat actors. Dustin, this resonated with you. Kudos for creativity. But also terrifying.
A
Yeah, I mean, to me, I think of it, and I almost think of the cartoon, of trying to plug a hole in a boat, and as you put the finger in one, one hole, another hole opens up. You know, as somebody who has been an incident responder and worked in a SOC, you know, it's. It's easy when you've got a finite list of IOCs to look after. Indicators of compromise. Now we're just blowing that away because how do I block against the Internet, you know, how do I block every email address that could possibly be out there used? You can't block all of Gmail to say, oh, well, we'll stop all of Gmail. You can't block email from coming in. So it's a really creative way of basically setting up a scenario where there are no IOCs anymore. Because everything is, you know, all your bases are ours, you know.
B
Yeah, yeah. Everything is somehow organic, even though it's completely contrived. Right. It's completely directed.
A
Right, right.
C
What's also interesting about this too is if you look at it a step one layer up and not just specifically point examples, but you look at the behavior of these new threat actor groups. So not new, but the. The changing behavioral patterns and culture of these threat actor groups, the dynamics are shifting in a way that I don't think a lot of us really would have been able to forecast or foresee. You know, the. You have this now, this perceived hierarchy, or them calling it the Com. The community, I think, is what it's. What it's short for. And you have, you know, ShinyHunters and Lapsus and others that are sort of loosely organizing either completely or partially. And they're. They're going about it differently now. They're not, you know, they're really not kind of, you know, going out. This is loud and directed as one. They're taking different tactics where they're just putting a marketplace of all these companies out there, or in some cases, they're no longer even directly ransomwaring. They're doing data exfiltration and they're marketing that data, kind of going back to. Back to the roots, if you will. So the. The dynamics are changing, the culture's changing. But it's really interesting seeing, you know, the Com and some of these things, you know, with Scattered Lapsus and others underneath them where it's starting to homogenize in a way where it's starting to look a little bit more like nation state capabilities. They were already tapping on that door, but if they're able to really get things tied together, they're now just as dangerous as a North Korea or, you know, other geographies where you have those nation state backed capabilities.
B
Yeah. When you have these, this Traveling Wilburys-like supergroup. Right. Of threat actors kind of all getting together. It does. I do wonder about like the market pressures of that. Right. Because I do think we're seeing one consolidation on the highest end of the more economic maybe, but also geopolitically aligned threat actors. But then also this groundswell because it turns out doing phishing emails is basically free now. There's this very low end, low sophistication. It's never been easier to be a low sophistication, to do low sophistication phishing. Maybe ransomware is a different play and stuff like that. I do wonder if this consolidation is also like that kind of market pressure. Right. It's harder to be a mid tier. Yeah. You have to be a blockbuster threat actor. You can't just be your $80 million action movie threat actor anymore. Right.
A
I do find it interesting, by the way, that this is Lapsus, which we all know started out with a bunch of teenagers. So a bunch of teenagers figured out that the way to do it is to crowdsource being annoying, which is what teenagers largely do on their own anyways. It's in their DNA. So let's now pay people to do what they're doing, what they're, you know, hormonal and doing at times anyways.
B
Teenagers, truly undefeated at being annoying.
C
They're just ransomware for the vibes.
B
All right, let's check the vibes on this next story. California law lets consumers universally opt out of data sharing. California's governor, you may know him, Gavin Newsom, signed a new law requiring web browsers to include an easy-to-find universal opt-out option for data sharing, letting Californians block third-party data sales with one click. The law expands the 2018 California Consumer Privacy Act, which granted the right to send opt-out signals but didn't require browsers to make them simple to use. Governor Newsom also approved related bills strengthening the state's data broker disclosure rules and requiring social media platforms to fully delete user data upon account cancellation. Dustin, I'll start with you here. A universal one-click opt-out of data sharing gives part. You know, we could shut down the ad tech economy with just a single click. This is, this is revolutionary. Do you think this marks the beginning of real privacy enforcement, at least in part of the US, or will we see the tech industry find clever workarounds to preserve the status quo?
A
Well, I mean, I think it's interesting because I think the corollary to this is the move to streaming. The whole reason the move was to streaming was to avoid having to watch ads, having to watch commercials. I mean, when's the last time you've actively sat and watched a commercial other than the Super Bowl? You know, most people don't sit and actively watch commercials now. At the same time, though, I think it is a really good move towards better, better privacy in the US because it's going to force organizations and, you know, those who are benefiting from that data to really define what are they using their data for and really be crisp and clean and transparent about it. Which is important because in this day and age, everything is electronic data. So it's your identity, it's your purchasing habits, it's everything. So giving consumers, you know, that control is an important and meaningful step.
B
I mean, Mike, do we agree with Dustin here? Is this an opportunity perhaps to raise the bar for, you know, good or.
C
Proper data handling policies? It's an opportunity, absolutely. Whether that opportunity is realized or not is the $65,000 question. This also, this is going to introduce some unique challenges. So one is implementation. How are our browser vendors going to get there? And they have some timeline. I did a little looking up on this earlier because, to be honest, I was not really up to speed on this particular change this week, so I had to catch up in short order. It doesn't go into effect until 2027, which seems like it's a ways out, but in the development life cycle, that'll sneak up before you know it. So browser vendors are going to have to struggle a little bit to prioritize some of these features to, to meet those requirements. The analytics marketplace, that entire domain, is going to really be struggling now to figure out what do we do next. But I think there's going to be some interesting legal aspects of this as well too. There's still a lot of very unsettled decisions on, is visiting a website and capturing an IP address, is that considered public information or not? And different circuits view these things differently. So there's, I think really what this will end up doing is act as a forcing function that we've desperately needed to really establish some, some legal standards and boundaries around what is, what is public data, right? You can think of a street address as public information, that's well settled, but in the digital side of things it's still very muddy in a lot of ways. So getting some of the boundaries established, being very clear and unambiguous about that, I think is really what this will potentially drive us towards, or litigation that's going to try to shoot the, the laws down and, you know, maybe challenge those on a more national scale as well too.
So I think all of this comes down to really what we start to see in, in the legal system and what challenges are brought, what sort of legislative effect it has, on knock-on effect it has on other states who may want to follow suit. And I think the browser vendors are going to be in, in a very tenuous position of monitoring that and making a decision as well, whether they need to actually invest in these changes or not. But also planning to, to implement, as well as the, the analytics and data collection marketplace going, what do we think?
A
As Mike brings up, one of the interesting things as well is it's kind of, it's kind of a double-edged sword. It had to happen in California because of where the companies that control this are based, but at the same time it happened in California, and is that going to be an impediment to getting some national attention because it's coming from California, and people have their opinions about the legal system in California being what they are? Is that going to, you know, if this had come out of, you know, Texas or Colorado or some other state, would it have a better effect in the end for the country as a whole or even at a national level? Or is the fact that it came from California going to be kind of a problem?
B
Yeah, I mean, well, I mean I think we can look at the impact of CCPA. I mean certainly like that's on everyone's mind because California is a giant market within the US, but like has that fundamentally changed data privacy everywhere? Certainly has had, you know, some, some impacts, steered some things. I'm sure for smaller companies that can't afford to do carve-outs like that it's a little easier, but like certainly not, not universally. Right. The other thing that I think about this is, are we missing like the other end of like this? This is good for one side of that equation. I also like, this is me, I'm going to get my Linux hat, like my, my like open source hat on here or something like that. But I think of something like Interrupt where you have like, you know, more like, like a disaggregated or decentralized approach to owning your own data and kind of controlling that access on your end versus anytime you visit any website, you're, you're automatically in this legal morass of, of all the stuff that this bill is trying to address. I do think that there are like two sides of this and this only addresses one of them. I'm not saying anything like that is ever going to happen anytime soon again. I know it's a hippie pipe dream, but I, I always wonder with these types of solutions if it's only ever going to be half complete because of that.
C
Yeah. And I think that's where we're going to see a lot of this go. Individually, taking my, my tech hat off, just speaking as a, as a person. Am I highly supportive of it? Absolutely. You know, there's, we sort of joke around, and Dustin, I'm sure you've made this joke as well too, we say a lot, privacy is dead. And to a large degree that is a, that is a truthful statement. But there does need to be a balance of acknowledging that we are in a privacy deficient marketplace and world now, but trying to maintain some modicum of at least trying to pull some tension there. Right? The scales are a little imbalanced right now. This is an opportunity to balance that and find a better middle ground. Great. But unfortunately we're at a very contentious time when making rational decisions around privacy is going to be a very difficult effort. And I think that, Dustin, to your point too, the geographic origins, depending on who it's coming from, where it's coming from, also come into play as well too. So this is going to be a sit and observe situation for a while. It's going to take. These things don't move fast. You know, the gears of justice grind slow, but they grind fine. And you know, just kind of see where it goes over the next 36 to 48 months. It's going to take a while for it to litigate out.
A
And I'll say, you know, Max Tronic put in the chat, let's create a registry for people that want to opt out. And then my response to that would be, how did the Do Not Call registry work? It's worked so well. Right. Let's create a registry for people to opt out because we've, we've had such success when it comes to mobile phones. I don't know how many of you. I know, I'm sure, Mike, you get spam calls galore. Rich, I know you do too.
B
Oh, listen, maxronic is a big registry fan, okay? I can't. I can't cite him like. Listen, when. When everything's a registry, you know, everything looks like a nail to you. Big boss man David Spark, hop in here.
A
For about five minutes. It worked.
B
But do you remember those five minutes? They were great.
C
Yeah, and why didn't it work? Lack of. Lack of accountability and enforcement was really, at the end of the day, lobbying dollars.
B
So what you're saying is we need a patchwork of state privacy laws so that it makes such a mess that the feds have to step in and come over? I mean, that's a. That's a policy roadmap right there. Let's rock and roll, someone. We'll get some dark money on that right away. Before we move on to our next story, I have to spend a few moments and thank our sponsor for today, ThreatLocker. Cybercriminals don't knock. They sneak in through the cracks other tools miss. That's why organizations are turning to ThreatLocker as a zero trust endpoint protection platform. ThreatLocker puts you back in control, blocking what doesn't belong and stopping attacks before they spread. Zero trust security starts here with ThreatLocker. All right, next up here, the story that may make us smile the most today. Hacktivists aiming for critical infrastructure get pwned. A pro-Russian hacktivist group called TwoNet recently switched from launching DDoS attacks to targeting critical infrastructure. Congratulations on the ambitions, guys. A report from Forescout describes how the group attacked what it thought was a water treatment plant, but was instead a decoy set up to observe the activities of such groups. The full story is available at BleepingComputer, link in the show notes. Definitely recommend you check it out. Describes the various steps the group took believing this to be a real target. This is somewhere between a research program and a honeypot here, Mike. Do you think this type of proactive approach should be used more frequently?
C
Yes, I do. But why do I think it should be used? I think this is a great example of how to adapt honeypots and methodologies to get better intelligence. There are organizations out there that are doing so. I think we should continue to invest in that. The flip side is, did this really do anything meaningful for the threat actor groups? Likelihood is probably close to zero. So the real benefit here is understanding ways in which you can create honeypots that are realistic, that will be attractive targets to these threat actor groups, and as those capabilities grow and improve over time, might give us some new tools that we didn't have in the past as well too, to create sort of false flag operations. So Dustin, what's your take on that?
A
Yeah, I mean, so as I think I said in the, in, in our, in our prep for this, you know, I, when I saw this story, the first thing that I thought of was my, you know, former CISO I worked for, friend of the show, Sean Bowen, who, if this story had come out, I would, he and I would have talked about it and it would have been something of the equivalent of, you know, bleep around and find out, because to, you know, it, this, to me it's kind of natural consequences. You know, you can't sit there and, and, and hack into critical infrastructure and then be upset when you get owned. You know, you, it's kind of the fact that we're now adapting, Mike, to your point, honeypots to actually, you know, against critical infrastructure. I mean, none of us want to be in a situation where a critical infrastructure asset gets taken down. I mean, we've seen what happens when a water treatment plant gets hit. I worked at, you know, critical infrastructure where it was literally the control of the lights in the, in, in the, you know, at the time the third largest city in the country. The last thing you want to have happen, the thing that's always in the front of your mind, is I cannot afford to have this taken down. So I, I applaud the critical infrastructure operators for thinking of, you know, what's old is new again, you know, and leveraging that, that capability to, to thwart an attack.
C
Well, it's also a good exercise too for, for their, their detection teams, their containment teams or response teams. And I, I'm very interested to see the after action report on, on this one here if there's anything that comes out, because those are some really valuable lessons. And look at, was the, was the honeypot set up in a way where it was sufficiently representative of what a real infrastructure would have been? Right. And if that is the case there, then what were the things that they were able to observe for behavioral patterns that, for training? So I do think there's a, a dearth of data to be mined from this. But again, you know, double down what I said a minute ago, as far as the threat actor group's concerned, they had a little egg on their face. You know, they will, they will regroup and they will retry again. And so there was, there's also some benefit for them too because they're like, ah, now we got to be a little more careful of that. So just like any operation, once it's been made public and people are talking about it, the. The value of it diminishes for, for a period of time too. So it's, it's more of a. Let's step back and think very thoughtfully around what worked. How do we continue to apply those lessons and what does that mean for organizations? They want to start thinking about revisiting the traditional honeypot mindset and recalibrating in a way where it would be useful again, when it has not really been useful for, for several years at this point.
A
Well, and we talk about, we talk about the flip of, you know, the, the. And the statement, Mike, that we always use in security, which is, you've got to be right 100% of the time. Threat actors only have to be right once. It's nice to see the script flipped a little bit on, on them. And they actually have to. They actually had to be right and they ended up not being right. So it's kind of nice to see the script flipped a little bit.
B
I see. This is the perspective I love because when I first saw this, I was like, oh, this is like, like a speed bump function, right? Like, this is. We're wasting their time. Yes. This. Does this fundamentally change anything? Not dramatically, but if we do, if we have enough speed bumps, right. We slow down some speeders. Right? Like there is, there is that function, but like the learning function of this, the, the, you know, the ability to. Again, like just, even the psychological nature of that, right, of being like, oh, it's all like any, any threat actor, like any attack is all gravy. Right. It's just like any success is success. Right. But now putting the burden of, oh, you were hacking absolutely nothing and wasting on top of that, I think is brilliant. Steve, hop in here. Let us know what you think about this.
C
I just think it's nice to have them say, hey, you're not supposed to hit back like that. I think it's going to give them pause to think, you know, should we do kudos for them for just at least putting in some degree of concern that they're not invincible as the bad guys.
A
So thumbs up. It's buying McDonald's coffee and then being surprised that it was hot.
B
You know, hey, bleep around and find out, you know, that's. That's brilliant.
C
I do. Like, I just want to call out CCL in the chat here. Undeniable attribution. And that. That is, That's a good call out there, right there. In this case, it was absolutely undeniable who it was and you know, a little bit of. So we got you this time.
A
Yeah.
B
Speaking of bleeping around and finding out, hundreds of millions of business PCs are still on Windows 10 as end day nears. "End of Days," I kept wanting to say, but I won't talk about my favorite Arnold Schwarzenegger film. We've talked about this before, but it's a pretty big thing. Support for Windows 10 ends next Tuesday, October 14th. Mark it in red on your calendar and buy a cake. Dang it. According to analyst Kieran Jessup of Omdia, there are 1.4 billion Windows devices running worldwide among individual consumers and businesses. 550 million of these machines are running in corporations and around half of those will not meet the end of life deadline to switch to Windows 11. All right, so we cut up that pie a bunch of different times. We were like 275 million. I think I roughly have the math right. In many cases because the devices do not meet the minimum requirements for the upgrade. I had a Surface Go to use as a prop. My son took it to go play games on. So I do apologize for not having my prop work down. But Mike, as of October, the fee for Extended Security Updates will be $61 for the first 12 months. That will double to $122 for the second year and double again for year three. So we're about to see millions of potentially insecure endpoints on corporate networks. How should CISOs approach this reality? Pay up, replace hardware, rethink their endpoint strategy? And hey, you know, if this whole AI thing doesn't work out, you know, Microsoft could rake in a cool $16 billion in year one on this thing. You know, not the worst business to be in. And Mike, what are your thoughts here?
C
So. Oh, there's, there's a lot of thoughts on this for businesses. Specifically, A, all businesses have a fiduciary responsibility to go ahead and just, just upgrade if this was not already baked into long term strategy. So you know, for example, you know, personal experience, we started planning this over 18 months ago and it was, it was discussed, it was planned, it was organized. You know, all of the, the requisite precursors were put into place as far as figuring out hardware refresh cycles, all the standard business activities that you go through. But in the business world there, I think we need to start dividing the problem space. There's those that, that can and will. There's those that can and maybe are struggling with some, some budgetary requirements. Those are the ones I actually really feel for, because it is expensive to upgrade if you have a lot of systems you've been kind of hobbling along. But then there's those who can't too. You take a look at, you know, let's say manufacturing, for example. And if you have a fleet of devices that are spread out throughout your national or international footprint that are all running Windows 10 and you have high volume production and you're managing a very thin roll throughput yield on your, your manufacturing floor, that's a good example where it's really difficult to upgrade. And so I think there's, it's not a one size fits all scenario. For, for the general enterprise: pay up, upgrade, get it done. If you don't, it is, to a degree, a dereliction of duty. But there are a lot of circumstances where it's, the answer is not quite that easy. Before I kick it over to the guest, there's one other part too I think that is the bigger pain point here. And those are the people outside of the business world, those individual endpoint users. Economic headwinds are tough across the globe right now. Maybe they can't afford to upgrade a PC.
And this is where I think Microsoft very much dropped the ball in not thinking about the risk they're creating to the general population. It is the most used operating system in the world and billions of people use it on a personal basis. If they can't afford to upgrade, it's. I get why Microsoft is wanting to do this. The intention is right. But the execution leaves a lot to be desired and leaves a lot of people holding the bag going, now what? And it creates a lot of global risk, and where's, where's their accountability in that conversation?
A
Yeah, I mean I, I struggle with two things. First of all is, is if this is a headline for somebody, that this is the first time they're hearing this. That's, that's a bit concerning, since as somebody who ran global GRC operations for a Fortune 100 company, the minute they announced this, the GRC teams are saying guys, you gotta upgrade, you gotta upgrade, you gotta upgrade. We get to, you know, a week, you know, four days beforehand and all of a sudden now it's like oh, oh yeah, they were serious. The other thing is certainly if, if you're into investing in the market, I would certainly be buying Microsoft shares because their revenue is about to go through the roof for the fourth quarter. Because what's going to end up happening is you're going to have a lot of organizations that are going to say, you know what, it's just cheaper to pay the extended service for three years than for me to try to fix it. And in some cases you may have a legitimate reason to have to do that for all the reasons Mike said, you know, you can't, you know, if you're running an OT system, that's an operational technology system, you're not going to be able to upgrade from Windows 10. It's just not, not feasible.
B
Or I think on the healthcare side too, like, I'm sure that that's a major problem too.
A
I mean, that's the reason we still see XP and Windows 7 around, and have seen them around for a lot longer than they should be. And I think Mike brings up another good point, which is, what about the average user? What about the person sitting at home who can't maybe pony up the $99 it's going to be to upgrade to the new operating system? And God forbid you have multiple computers in your house because you've got multiple family members using computers. So it is an interesting one, and it's interesting because it keeps coming up, and we keep hitting these milestones and we keep doing the same things every time, and every time we say we'll do it better next time, and we fail to do it better next time.
C
Well, end of life, end of support for anything is shockingly difficult. And it's hard to explain sometimes for people who haven't necessarily lived in that world, because there's a lot of lived experience that comes along with it. But this is just a large example of end of life and end of support that is hard to stay ahead of, and it can be cycle time with the people in the field. You know, what's my depreciation schedule? My hardware, did I just refresh my hardware a year ago? But I went lowest possible bidder, and they don't have the right kind of TPM chips or secure BIOS in there. Great, I can't upgrade. But more importantly, it's really just all the things you think about, all the different asset domains that a technology organization may have. You have your endpoints, you have your servers, you have your network hardware, but then you have the software parts, which is, you know, I'm running Node and I have this huge ecosystem for Node.js and all of the semantic versions for those packages. Why organizations like Snyk exist to help manage vulnerabilities, but also end of life and end of support. And what happens when, you know, .NET 7 goes end of life and now I have this tech stack that's all built on that and I have to upgrade it, or PHP 8 goes end of life and now I need to upgrade to the next version of this. So end of life, end of support is a fundamental and foundational skill that every security function inside of a business has to have, but it also has to be part of the larger corporate risk conversation as well. It's not just security. And if your organizations aren't talking about end of life and end of support as a top-level risk factor for the business, of which cyber is a big component but not all of it, then there's a huge miss in the ability to forecast and stay ahead of those risks.
A
Well, and you run into even more trouble when you throw in some of the regulations that are out there. You know, I was at an organization where UK Cyber Essentials was a mandatory thing because of the amount of business we were doing with the UK government. And end of life, out of support is the thing that will get you a failing grade. Like, it's do not pass go, do not collect $200. So you have to address it, and you have to be addressing it. And even those organizations struggle. So what about the organizations where it's...
B
...not critical, not under the gun like that? Yeah, like, how do you get that? Yeah. And Mike, to your point about individual users, I also think about SMBs, that kind of stuff, where, again, you have something that is perfectly functional for you and now you're facing that additional expense. Again, it shouldn't have been a surprise to you, but as CCL points out in the chat, this is a mandate, like mandatory hardware requirements for anyone with no or outdated TPM hardware. Microsoft's own devices fall under that. So it's not like they were future-proofing them for that far out. So I'm sure a lot of people definitely feel like that.
A
And Mike, do you want to go talk to the developers and tell them that after all the development work they've just done, now you've got to upgrade the operating system on them and make them change everything? How's that conversation gonna go? Walking out with a couple bruises, you're...
B
...gonna need a shop vac for all the dust, for all the teeth grinding.
C
The individual human factor, though, is really what bugs me the most. Right. And again, take the CISO hat off; just at a personal technical practitioner level. I had to explain this to my 75-year-old aunt, who has been phished previously. We did a lot of work to lock her accounts down and educate her on two-factor authentication, and she will call me with questions. How do I tell her that she has to go spend, you know, X amount of dollars buying a new system that's now going to support Windows 11? And she's already terrified enough because she has been through some events where her bank account almost got vacuumed out. I mean, these are the unintended but large consequences of these types of corporate decisions, where at times I do not foundationally believe that they've been litigated appropriately at a leadership level within companies like Microsoft and others that sort of voice this. And again, it's hard to do, but there are a lot of people who are going to be very negatively impacted by this because they're going to lose their ability to defend their endpoints. And when I say defend endpoints, they have installed the software they've been told to install. They've done the right things, but they don't know what they don't know, and we're... Microsoft is putting them at risk.
A
Well, and Mike having to explain to your 75-year-old grandmother how to use Windows 11, after you just got her through learning how to use Windows 10, is a whole nother debate there as well.
B
All right, well, thank you to everyone that was contributing in our chat. My interface is all messed up, I cannot see the chat rolling through, so I do apologize, but I know I saw CCL, I saw Maxtronic in there and a bunch of other comments as well. So definitely appreciated. Thanks to each and every person that was taking the time to join us. Get in on that chat; it always makes the show more fun. Dustin and Mike, where can people find you in cyberspace? We're throwing to LinkedIn. Is that a good place to follow what you're up to online?
C
Absolutely. LinkedIn. You'll find me sometimes talking about work and sometimes making very snarky comments that have absolutely nothing to do with technology.
A
Yeah, and I'm on LinkedIn as well. A lot of information about my recently released book and what I'm doing around behavioral science and cybersecurity, but really excited to be here. Really thankful and appreciative. You know, Rich, as we've talked about before, I got introduced to the CISO Series, met Sean Bowen, got my last role prior to the one I'm in now because of CISO Series. So very appreciative to finally make it on here and represent that group that has benefited directly from this.
B
Well, it has been an absolute pleasure to have you on, both of you, Dustin and Mike. Truly, truly appreciate your time, you're having some fun with the headlines, and just your insight. This has been a spectacular time. Thank you guys so, so much. Thanks also to our sponsor for today, ThreatLocker. Assume everything is a threat. And thanks again to our... maybe if I don't hit my mic when I'm gesticulating wildly. Thanks to our audience today. We can't always get you up on the screen, but we appreciate you being here. Don't forget you can send us feedback at feedback@cisoseries.com; let us know what you think about the show or indeed about the news of the week. And if you're sharing it with your team, if you have your team listen to one of our shows, like just the regular headline show, the Week in Review or something like that, we want to hear how the show helps you in your job. That is always a big thrill for us. So please, please send those on to feedback@cisoseries.com. Remember to join us next week for another episode of the Week in Review; that starts at 3:30pm Eastern. And just a heads up, we may be having some new programming changes coming up with the Week in Review, maybe playing with some more formats. So stay tuned. Check out cisoseries.com for more announcements about that. Some really fun stuff is coming in the pipeline. To register to join us for all of our shows, for all of our events, whether we're doing a Super Cyber Friday or whether we're doing the Week in Review, head on over to the events page at cisoseries.com. And if you want just your daily news fix, you've got to subscribe to Cybersecurity Headlines. Give us about six minutes, we'll get you all caught up. For myself, for the big boss man, David Spark, for our glorious producer Steve Prentice, and indeed for all of our wonderful guests that we had on today, here is wishing you and yours a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Week in Review – Oct 10, 2025
Episode Theme Overview
This week’s episode of Cyber Security Headlines, hosted by the CISO Series team, dives into critical issues impacting infosec professionals: the creative evolution of ransomware through crowdsourcing, looming challenges around end of support for Windows 10, and a groundbreaking California law that enables consumers to universally opt-out of data sharing. Guests Dustin Sachs (Chief Technologist, Cyber Risk Collective) and Mike Lockhart (CISO, Eagle View) lend their insight and wit, exploring how these developments shape security, compliance, and privacy.
Main Stories and Key Discussion Points
[02:03–10:35]
Topic Summary:
A new trend in ransomware: “Scattered Lapsus Hunters,” a threat group, is crowdsourcing harassment against breached company executives, offering $10 bounties in Bitcoin for individuals willing to pester victims’ execs—upping the reward for creatively disruptive behavior. Instead of solely leveraging technical exploits, this group is mobilizing low-cost, large-scale social engineering and harassment from anonymous internet users.
Key Points & Insights:
[10:40–17:53]
Topic Summary:
California’s new law mandates that browsers provide a simple universal opt-out for data sharing and strengthens data broker regulations and data deletion upon account deletion.
Key Points & Insights:
[03:18–04:33], [27:15–35:42]
Topic Summary:
Hundreds of millions of business endpoints worldwide remain on Windows 10, even as end of support (October 14, 2025) and rising costs for continued security updates approach. The hardware requirements of Windows 11 mean many devices simply cannot upgrade.
Key Points & Insights:
[19:14–25:45]
Topic Summary:
Pro-Russian hacktivists targeted a supposed water treatment facility, which turned out to be a realistic honeypot, providing invaluable intelligence without endangering critical infrastructure.
Key Points & Insights:
Lively, insightful, and laced with humor, this episode balances optimism with realism. It highlights the ceaseless innovation (both malicious and defensive) in cybersecurity, the challenges of aligning legislation with rapid tech change, and the importance of planning and advocacy—whether you’re updating endpoints or pushing for user privacy.
For further reading and full stories, visit CISOseries.com.