
Cybersecurity Year in Review: Future Challenges and Industry Insights Join host Jim Love and a panel of cybersecurity experts—Terry Cutler from Cyology Labs, David Shipley from Beauceron Security, and Laura Payne of White Tuque—as they review the...
Terry Cutler
On the 12th day of Christmas, my CISO gave to me: 12 employees training, 11 encrypted emails, 10 scans a-scheduling, 9 threats a-hunting, 8 logs a-leaping, 7 patches pending, 6 tokens rotating, 5 backup drives, 4 phishing filters, 3 VPN tunnels, 2 firewalls strong, and a multi-factor authentication key.
Jim Love
The 12 days of cyber Christmas. Welcome to Cybersecurity Today, the month in review. I'm your host, Jim Love. This is our end of year program, so this is more like a year in review than a month in review. And we've got a great panel. Our guests today are Terry Cutler, head of Cyology Labs in Montreal. Hi, Terry, how are you? I'm fabulous. David Shipley, head of Beauceron Security from Fredericton.
Terry Cutler
Thanks for having me and welcome back.
Jim Love
Laura Payne of White Tuque. My friend, how have you been?
Laura Payne
I am here and willing to show my face to the world again after about three days of being down and out with whatever's going around right now. But I'm happy to be back.
Terry Cutler
Thank you.
Jim Love
You've made it back to the other side. Yeah. Your voice sounds great. Okay, so let's get started. I've asked each one of you to bring two stories that really hit you from this year. So who wants to jump in first?
David Shipley
Sure, I'll go for it first. The first thing I want to talk about is around universities. Two years ago, University of Windsor was hacked and they disrupted their IT systems, including their email and other online learning platforms. So what happened was the cyber attack led to a wide range of IT outages. They didn't have enough security measures in place to know there was a hacker in there. And of course, they didn't have their preparedness in place to get the hacker out once he's been detected. So what we're seeing now is a lot of universities are still being hacked into and they're not finding out how the hacker got in there, why he got in there, what did he take. There's still a lot of lingering questions that are happening. So they need to start looking at more holistic solutions that don't rely on logs. Because a lot of times, a lot of organizations are just collecting logs. So they're just collecting event data. And then they realize, oh, man, looks like we had a cyber attack seven months ago. You didn't detect it all this time. So we need to start minimizing the monitoring of this stuff. Make sure the IT guys are receiving the proper alerts. Do your penetration tests, because the penetration test will set off alarms on purpose to make sure the IT guys are getting the proper alerts. But a lot of times people say, oh, I'm running vulnerability scanning. What's the difference? Like a vulnerability scanner, for example. If we take a layman's terms of a house, layman's terms will say, hey, Jim, your door is unlocked. Better make sure you check that out. But a pen test is going to kick that door in and show you what was in there, take it and show you how it was done, and then show you how it can be avoided in the future. And in a lot of cases, they realize, oh my God, our backups didn't work for the last two months.
Jim Love
Has anybody else noticed that the Cutler has gotten a little more violent? This pen test is going to kick your door down, buddy. I do have a question for you, Terry, and this seems to be a problem, is we have this, we will have an attack. People will notice there's an attack. They'll pull themselves offline, they'll restore. How the hell do you get the hackers out of your system?
David Shipley
Okay, so here's a real example. We had a case with a ransomware attack where the attackers noticed there was an attack going on. They started wiping all the machines and reinstalling them into the same Active Directory environment. They didn't give it a new network name. They didn't start from scratch, basically. So they restored into the old environment, but the golden keys to Active Directory have already leaked. So now they can still gain access through backdoors, through back channels to get right back in and take full control yet again.
Jim Love
And this goes back to your other thing about configurations. And this is, I don't think people appreciate this. Open Active Directory, get somebody who knows what they're doing to configure it. Do not do. This is professional work. Don't try this at home. I've chased the one. That's the reason I ask you this. We chased a hacker around because I inherited a setup where somebody had learned to do Active Directory by reading the manual. Save us some money, put it all together, and it was on that same.
David Shipley
In that same scenario, we had to rebuild the environment for them in parallel. And then when we went to connect the data over, right, using their laptops, all of a sudden our new environment got reinfected again. Like, how's this possible? We're using like the latest and greatest EDR technology. Like, this should never have happened. Fine, we'll start over. Goes and plugs up the data, plugs up his laptop, brings the data over, get ransomed again in a new environment. How the hell is this possible? It's because the IT guy's laptop we're using didn't have the EDR agent on it. So what happens there is that because he's connected to a new environment, the EDR wouldn't pick up the ransomware attack on his laptop which was connected to the old environment. And then just because he had EDR on all the systems except for one, you can still get ransomed because that guy doesn't have the protection.
Terry Cutler
Your point about persistence inside of networks, and how I think it's getting harder to kick out really good teams once they're in. The British Columbia government is in a multi-year rebuild-from-the-ground-up journey to try and kick the Chinese out. The US telcos, they got their clocks cleaned, which may go back quite some time. To Terry's point about people going undetected, they are still actively trying to kick the Chinese out. My reminder that my favorite letter in APT is P for persistence.
David Shipley
Penetration testing.
Terry Cutler
Yeah.
Jim Love
What is this, Sesame Street? We're brought to you by the letter P. Yeah, exactly.
Terry Cutler
Brought to you. Letter P for persistence.
Jim Love
Speaking of the letter P, Laura was going to say something. Jump in, Laura.
Laura Payne
Oh, I could say lots of things. Wow. We take a world tour with that one. I always bring the pain. I think it's a fair point. It's really hard. I do feel sympathy for university environments. They are some of the earliest networks that were set up. They have some of the longest standing legacy systems hiding out in there. They have some really interesting research going on in there. So they're always a juicy target. And they have tens of thousands of not necessarily very ethically trained young individuals hanging out in there that they have to give access to, who come from all over the world. And it's just, it's not an easy task. Businesses who think they have a hard job, go talk to campus IT.
Terry Cutler
So yeah, then that's where I cut my teeth.
David Shipley
Right.
Terry Cutler
That's the. That was my journey in. At UNB, I was running the cybersecurity team for a university, and it's a laugh and a half. The University of New Brunswick, for example, because it was one of the first on the Internet. Terry, this will give you a shiver down your spine. Every single device had a full class B IP address on its own.
Laura Payne
Merry Christmas.
Terry Cutler
We didn't need to do NAT. We had IPs for everybody. So that was the scope of the challenge. But it's interesting. Municipalities, universities, schools and hospitals, what I heard someone refer to as the MUSH sector in Canada, which I thought was relatively clever. They're the ones that are getting hit the hardest, and they're the ones in 2025 that are going to continue to be hit the hardest.
David Shipley
What's your thoughts on Bill 194 that's coming out?
Terry Cutler
Or is that the Ontario one?
David Shipley
Yep.
Terry Cutler
Yeah, great for Ontario. A whole bunch more for the rest of the country.
David Shipley
It's basically a kick in the pants to municipalities to, hey, it's time to get. You need to. It's mandated now. You got to get your cybersecurity, at least the basics, in place to protect yourselves.
Terry Cutler
The only thing I will say to the defense of the municipalities, the universities, the schools and the hospitals, particularly the hospitals, is they need money to do this. The point that Laura was making is the foundational part. That is still the burning dumpster fire. And then there's the tooling, and then there's the scale and the collaboration challenge. Right. We've seen really good things in Ontario like ORION, which is the network group that connects all the schools and universities together. They started doing things like shared CSOs and collaborative defense and benchmarking. CANARIE's been doing the same thing nationally. So there's elements of hope, but what they need is money. And what I don't think is going to happen in Canada in 2025, because we got to keep the powder dry between tax breaks that really don't work and possibly battling tariffs, I don't think any more money is coming to help these areas. And that's. That's going to.
Jim Love
But this is a thing. Whether you're a state in the United States or a province of Ontario, all these states want it. They'll stand up and say, this is our territory. Municipalities mean nothing. We are the authority. Guess what, guys? When you're the authority on healthcare, when you're the authority on education, when you're the authority on municipalities, you're responsible for how they roll this stuff out. This is why I hate this. We'll pass legislation to make the municipalities do this. Really? So yesterday you were responsible for them. Now you're passing laws so that these independent places can take responsibility. You can't suck and blow at the same time. And I think that this happens in the states and it happens in the provinces, and it's disastrous.
Terry Cutler
It's going to cost money.
Laura Payne
Yeah, I was going to say, your MUSH factor there. All four of those fit exactly into that problem where the responsibility and accountability is being passed down, but the funding is not.
Jim Love
So what do you do if you're in the position of being one of these companies or these organizations? It's not a company, it's an organization. University, hospital, civic thing. What should you be doing this year? Or thinking about this?
David Shipley
So we're deep into universities, hospitals and municipalities. Those are our clients. And they all have a common theme where they're still lugging legacy technology. Again, we're still seeing Windows XP. We're seeing. Because sometimes Windows XP, it's embedded into a device that cannot be upgraded. You need to actually physically change the box, change the unit in order to upgrade it. And that could be hundreds of thousands of dollars. So you need to start segmenting off these old devices onto a network. So this way, if ever a breach does occur, they won't traverse to another network. They won't compromise the whole place. And that's why you're seeing some municipalities that got hacked in 2019 that didn't even know it until four years later or five years later. So when they do the forensic recovery, like, oh my God, hey, they were in here in mid 2000. Found out about this now. So the average time that a hacker's staying undetected is 286 days, is the average still. So they stayed way longer in this. And why never.
Jim Love
These guys are above average.
David Shipley
Yeah, exactly. Yeah. So it's unfortunate like Laura mentioned, to get budget to lock all these environments down and get proper expertise. So we gotta find ways to get around that.
Jim Love
And Laura, this is your bailiwick. You have a lot of organizations that must be suffering for this. What are you, what are you telling them? In all honesty, with what you can. With all honesty sells it. We tell. Don't tell us the lies. No. When you.
Terry Cutler
Because they're.
Jim Love
These are real challenges and they don't have to do everything. What do you, what can you tell them?
Laura Payne
I. I think it's always interesting there. Money is definitely part of it. It's also then freeing up people's time and focus to get the job done, and starting where you can. I think in a lot of cases too, there is a lot you can do with what you already have. But working with what you have also means, like, you need the time to actually build a plan and think about it and be able to get around to doing it. If you can't get money, then you gotta move on to the next best thing and work with what you have. A lot of the things are configuration changes. Right. Like even so, setting up segregated networks. Most of the devices that are going to be of sufficient grade to be operating in the environments that we're talking about have the wherewithal to be configured to segregate networks. It's just really hard to do a lot of it in a timely fashion. So I think that's a lot of what we focus on is, okay, let's take what are our top priority items, because they're the most important to do. How do we get attention and priority on that, so you can actually focus and get meaningful work done and fix that area to where it's good enough, so that the next thing on the priority list can now get tackled.
Jim Love
David, any suggestion from you, from your former life, what would you have done differently? Everything, right?
Terry Cutler
Yeah, so much of the basic network hygiene. Most of these organizations don't have response teams, they don't have 24 by 7. They don't have the mandate to. And it gets really complicated in universities that have what's known as decentralized or hybrid IT. So all of a sudden different faculties are all running their own little servers, their own little IT setups, their own help desks. And ultimately at universities, one of the biggest issues is leadership interest in buying and investing in change, in the change management process, in doing things differently. Good luck getting that attention next year. As budgets are slashed, as faculty are cut because of the international student enrollment changes here in Canada, it's really hard. And to the teams that are in the trenches in 25, perfect example, the.
David Shipley
Best of luck, perfect example you bring on that. So in healthcare, especially here in Quebec, there's a huge change that's just happened with. They took over, they slashed all the external consultants, they cut everyone's overtime, which means if a server goes down, the IT guy is not allowed to touch it until the following day. So overtime has to be justified. So there's an onslaught happening in their prime.
Jim Love
I'm glad they're trimming the fat from their system because God knows what the healthcare system needs is less nurses, right?
David Shipley
Yeah. They have to trim over a billion dollars for next year.
Jim Love
But the one thing, just because we're at end of year and we have to have some hope in this. And Laura and Terry, you've talked about it, There are things you can do, some segregation you can do creating these lists. And I'll tell you, I'll just share two things with our audience. You may not have the budget, but talk to one of these professionals, talk to people. It's free advice. Sorry for you guys who sell your services, but the fact is, under the marketing, they will come in and talk to you about a whole pile of things. Get a list and at least start. Because, and this is the killer in cybersecurity for me, is because you can't do everything. You don't do anything that's deadly. You're better off doing one thing off that list that you talked about, Laura, and maybe knocking another thing off. Everything you do is for the good. That's just my sunshine advice.
Terry Cutler
There's one area of hope, One thing that when I was most budget constrained, I found that our risk management office in the university had pockets of dedicated funding for specific risks. And I was able to get $50,000 in funding for a project outside of the normal IT budget by showing the risk office, this is going to be bad. So sometimes you can find money inside your organization creatively and think about that.
Jim Love
Prepare a risk analysis and just put it out to people. Because I always tell this to people is people. We go in and we argue as if we got the right thing to do. And, and that's one thing. But as a younger man, I did that. Now I'm looking at people saying, how much risk can you take? I can look at, I can deliver whatever level of risk you're willing to have.
David Shipley
I think you can.
Jim Love
And here's the cost for each one.
David Shipley
You gotta put the basics in place just to get started. Right. I've had calls from individuals that called me two years after they saw me presenting an event. For example. I'd be like, how'd you hear about me? I saw you presenting at this event on how hackers are getting in. Well, two years later, like, what took you so long? Oh, we didn't know how to get started. I'm like, oh my God. These guys can't be the only ones thinking like this. So that's why I built the whole program that's free on how to get started. And then you can bring us in after the heavy lifting has been done.
Jim Love
And you can.
Laura Payne
I would echo that. Yeah, I, I would echo that. I'd rather work with somebody who's figured out what they. They're ready to. That they're ready to work. They don't have to have done it all, but they gotta be ready to, to get down and, and get into the work. If I have to sell you that security is important, we're probably not ready for a conversation.
Jim Love
Yeah. And people should go talk to different vendors, different suppliers, because they'll supply this stuff for free. But they're not doing it only out of the goodness of their heart. Part of it is a marketing piece, but also they don't want to get involved until you understand what has to happen. There's nothing worse than getting yourself into a contract and the person has no budget, no ability and no knowledge of what they have to do. Nobody wants to share.
David Shipley
I'll share a story of what's happening right now in our industry. So you have a lot of MSPs, managed service providers, that now, because they offer a cybersecurity tool, all of a sudden now they're a cyber security firm. So now they've come up by the hundreds at a time. Right. And all of a sudden now this one company's been working with their IT guy for 19 years. It's Jim, our great uncle, who does their IT and he doesn't know what he's talking about. So we can come in with what's called an attack surface report. We can show you what the hackers can see about your business from the outside and show you all the weak points. And it'd be totally free, to gain your trust. Show you. We can help you by actually helping you with this report. And then we can look at paid engagements later on. But there's ways to get started for free.
Jim Love
And we know what David does. Laura, how do you guys go out to market like that? What's your. What. How do you talk to people?
Laura Payne
I think it's a lot of meeting people where they're at. So for us it's having the conversation, whatever the reason is that they heard about us. Usually that's the opening point of: what's keeping you up at night? What's gotten you so worried that you finally picked up the phone or sent me an email or whatever it was? Then we go from there. And sometimes it's straightforward. Right. Let's say it's a startup SaaS product and they finally twigged that, oh, maybe we should find out what our weaknesses are. Maybe we should get a pen test on this or something before we get hacked, now that we're collecting all of this information. And you go, okay, that's a great starting point. Let's do that and then we'll go from there.
Jim Love
Done. Great idea. Sometimes it's everybody who's bought a file sharing program this year.
Laura Payne
Yeah. Sometimes we're trying to land a big corporate client. That's often a great starting point as well. Okay. So now we always knew we needed it, but now we have to have it. So that's okay. I can work with that. I'm happy to chat with you. Change the conversation from, yeah, I know you have to have it for your business drive, but let's make this worth a lot more to you than just a checkbox on a survey that you're filling out in a vendor onboarding form. Right. And that's fun with you, Laura.
Jim Love
Now, so what's your story? Every one of you has brought two. But what's your story for today?
Laura Payne
Oh, I thought this is a good time to do a little recap on what's developed in quantum, which is almost as bad of a buzzword as AI these days.
Jim Love
No, it got worse when we got to the alternate universe in Quantum. But I digress. Let. Keep going.
Laura Payne
Yeah. So I think two things to highlight from this year. So one is the readiness aspect of it. Right. Things have progressed quite a bit in the sense that this is the year that we now have some approved algorithms. There's three that NIST has approved. There's a fourth one. I think they said they were going to do it by the end of the year. They've got a few days left before they blow that deadline. So it's still certainly possible. But having the approved algorithms should mean that there is the next stage of work happening, or it should have already really been starting to happen, because it's not like what was going to be approved was a secret. But really now, from the perspective of the traffic that traverses the Internet, it's all about getting the Certificate Authority and Browser Forum to do the work that they need to do to establish the protocols, so that we can actually implement these algorithms in a meaningful way for all of the asymmetric key exchange that happens at the beginning of every session on the Internet right now. So look forward to that in 2025, maybe. The CAB Forum seems to be more busy penalizing Entrust right now than it is actually getting ready for quantum.
Terry Cutler
It's a meme that always appears in my mind of the scene from Harry Potter where McGonagall is admonishing Harry, Hermione and Ron. It's like, why is it always you three? And Entrust is usually one of the three that's getting beat on for some kind of. It's like Ivanti, Fortinet and Entrust this year. It's like, why is it not was.
Jim Love
So back up on this, Laura, for those of us who aren't, who don't live in this world.
Laura Payne
We don't all live in a crypto land.
Jim Love
Occasionally I. I dabble in crypto. It's.
Laura Payne
We're not talking Bitcoin in this case, by the way.
Jim Love
But this. Is this the upgrading of algorithms to be quantum safe? Is that what you're talking about? Yeah.
Laura Payne
So the next step. The algorithms are the really mathy, like super nerdy stuff that has to happen first, where we theoretically decide, okay, this is how we're going to encrypt things in the future. And the next step to making it reality is then those algorithms have to be translated into the protocols of how the things that talk to each other will actually do the exchanges and everything. So that's the next step. And then people can get to work on coding it and actually setting up infrastructure. Eventually it gets to the point where people go to a website like the certificate authorities we mentioned, and you go and you say you want a certificate, and you give it your parameters and a credit card, and you get a file that you put on your website. Magic happens when people visit and they get a little lock that's closed, and yay. So you can tell we're still a few steps out.
David Shipley
You bring up a good point, Laura, because a lot of times when we do the assessments, we still see a lot of older protocols that are still active, a little older encryption. So when we come in there, let's say they still had TLS 1.0 still turned on. We can come in there with a Windows 7, a Windows NT, which will force it to go old school and then maybe bypass some things. Where do you see other problems happening with these older protocols that have to do backward compatibility, especially with devices like old.
Jim Love
What's the word?
David Shipley
Like legacy technology.
Laura Payne
Yeah, and I think that's where it's going to be really critical, as part of readiness, is people need to start looking at, okay, where are they using crypto? And anything legacy had better be within your realm of control. So I'm going to start with that. You better know why you're allowing it, and if it's just because you have a very distributed, wide base of general public who uses your service or whatever it is, and you have to stay legacy ready, that's actually a pretty false narrative in this case, because the general public is actually on a lot more modern technology than most companies. So I think the true risk of legacy is still, like, internal and generally within people's control. So then the next thing is to look at, okay, where is this happening? Is it happening over the Internet? Can you get it off the Internet? If it still has to stay legacy for whatever reason, at least then you're minimizing your exposure to network sniffing, your data being trapped and then decrypted down the road when they can do that. So I think that's the short version: minimize your exposure if you have to keep legacy, and keep it in your own networks. But yeah, if you're keeping it, if you're open to all the protocols because you feel like that's, like, inclusive technology, you don't need to do that. You know, the iPhone is still staying up to date. If somebody's running an iPhone 3, they probably won't be for much longer, for sure.
Terry Cutler
What's interesting, Laura, about the whole quantum issue and the risk of Q day, right, that day where all of a sudden it arrives, but we don't actually have a calendar day, so we can't plan and predict for it the same way that we could Y2K, for example, or the next Linux one, which is what, 2032 or something. We don't have a date in the sand. We just have this, it's coming, it's going to happen. And what I'm concerned about is NIST has approved these new quantum resilient algorithms, and there's no rush on the long list of change management stuff for organizations to get done. They look at past initiatives like IPv6 or Y2K and go, ah, those were all overblown. And because there's no date in mind and no compliance regime otherwise, Q day drops and it's just a mad scramble. And then we get this kind of unpredictable system instability. The Internet in the best of days is bubblegum, sweat, tears and a lot of prayers. And now we're going to introduce quantum upgrades to make the algorithms more resistant. The other part that's interesting is what happens to all the data that spilled in the last 20 years, where everyone relied on the defense of, it was okay because it was encrypted, and sadly not every breach can use that defense. But are they going to fess back up now and go, now the crypto's been broken, it's easily broken, we're going to have to go clean up? Or are they just going to be like, it's in the past, it's buried, and it becomes the digital version of Love Canal.
David Shipley
Actually, so, Dave, here's a comment I got last week from a company. Ah, our data's already out there somewhere. Why do I care about protecting it? Yeah, I got that comment.
Jim Love
You could do that. But this thing about the quantum piece. And I just want to introduce this because there's a lot of. And I'll talk about the hype around quantum right now. And as a person who's written a science fiction book about quantum, I will tell you that the basis that I based it on was not the quantum processors. It's the people out there using quantum programming and simulating quantum. And they're going to come closer. There's a lot of very clever people who are working with quantum programming in traditional computer settings. And I will remind everybody that in 2019, Google said we've got this thing and it'll take a billion years to calculate or whatever. I'm exaggerating, obviously. And then IBM said hold my beer. And that's what I would be watching for. We can get into the science fiction of quantum, and then we can get into the reality of quantum, which is there are smart people working on cracking these algorithms, and you at least need to be aware of it.
Terry Cutler
Yeah. And I'm never gonna bet against the ingenuity of humanity. Right. That's a losing bet. We're a clever little gang. And we are eventually gonna crack this. What I think is interesting is also the vulnerability that we have as humans to poor risk management. The less defined the risk, the more likely we are to have the optimism bias. It's not going to happen. Not gonna happen right now. Not gonna happen to me. We got plenty of time. Procrastination is probably gonna be a problem.
Jim Love
You don't have to tell this guy. He goes there.
Laura Payne
I think just to circle back to a previous kind of question around there, or comment. Right. There's no set date right now. So there will become a set date. They will be the ones who ultimately end up setting the date, because they will tell everybody. Most likely this is what will happen. But we'll have Q day and they will say, great, all your certificates as of X date are no longer going to be valid. So crack to it. Everybody go rotate your certs. And everybody will have to rotate their certificates, or they will give you your open lock and everybody will cry over their open lockedness. But there is still some compliance in this space, and it's not what I think is maybe the ideal way to practice. But we do get forced rotations. Not necessarily for great reasons all the time, but there have been a few of them, and a few noteworthy ones. So organizations have had a taste of what it takes to do a mass rotation of certificates when an authority is no longer trusted by the browsers. And I guess if you want to be a silver lining kind of person, which I often am, say thank you for the opportunity to exercise my crypto agility.
Terry Cutler
Oh, I'm going to memorize crypto agility.
Jim Love
Yeah.
Terry Cutler
That's the Merriam Webster cyber word of the year.
Jim Love
It'll be a T shirt in Shipley's new store for all of these great memes.
Laura Payne
I don't get credit for it. You can thank the vendors who work in that space, who provide the certificate-to-asset management, for what they've been trying to preach to the choir, the choir being the people who have worked in the space for years. But yeah.
Jim Love
So over to you, Mr. Shipley. What's your story for the year here? Or at least your first of the two.
Terry Cutler
Yeah. So story of the year for me is Change Healthcare. Right. We are now at more than a hundred million people affected. In dollars, it's risen from a $1.6 billion impact cyber event to now 2.7 billion plus US, or in Canada now 4.1 billion. Thank you, sinking dollar. Who's counting?
Jim Love
Which, give us a little bit of a rundown.
Terry Cutler
So in winter 24, one of the big ransomware groups, ALPHV, hit Change Healthcare through an insecure device. No multi-factor authentication, username and password. Apparently it was a low level support account. Amazing. Failure on segregation of duties, failure on network segregation, failure on all kinds of badness. But Change Healthcare is really critical infrastructure for hundreds, if not thousands, of different medical organizations, particularly running the pharmacy billing software. So when this went down, it included US military. Right. So everyone's prescriptions is in the wind. The ability to do billing, it threw massive chaos into the financial aspects of the US healthcare system, had a very nasty appearance in front of the US Congress about it, and now I believe ranks as the most expensive healthcare cybersecurity event to date. And if you're wondering what my meme image is, it's the image of Homer and Bart saying this is the hottest summer ever, to the hottest summer so far. Because I think we're going to continue to see this. And it ties closely to a theme we're seeing happen more and more, which is if you can find that one vendor that has massive market penetration and you can kick it hard, you can make a lot of money. So Change Healthcare paid the ransomware gang 22 million. They stiffed their affiliate, they pulled a little exit scam. So no honor among thieves. Some people believe a second payment happened; that's not been definitively proven. But that was 22 million. My second segue on this theme is CDK, which controlled more than 50% of the SaaS market for auto dealers in North America. Got itself ransomwared hard, crippled everything from large multi-chain dealerships to small spots. It's probably triggered one of the largest business interruption insurance claims working through the system. Hi, everybody paying business insurance. They paid 25 million to an attacker. This is just part of that.
And then lastly, you made the illusion earlier Jim, about file transfer. Every single major file transfer vendor has already been hit. But then we had Cleo get hit as well. So it's just these single points of failure are getting squeezed. I know it's on the radar of intelligence community members.
Jim Love
Cleo, you're, you're... They were hacked by your favorite, Clop. Was it Clop that...
Terry Cutler
Yeah, so Clop, the... And for those listening to this, why are they my favorite? Because literally, like, from the school of branding, Clop actually refers to a blood-sucking... which I think is probably the most honest branding of a ransomware group possible. Yeah. So Clop.
Jim Love
But Clop got Cleo. Never mind, like, we're not going back to the letter P here, but Clop got Cleo. But now they said they're going to wipe their site and they're just going to focus on all of the accounts they got from Cleo. If I was a CISO there and I'd been using that service, I wouldn't be sleeping now.
Terry Cutler
It's bad news bears. And the fundamental lesson about all of these breaches, these file transfer systems, is: yeah, there was usually some dumb 0-day SQL injection, some other coding issue, et cetera. Sure. And that's what everyone's focused on, and the big obsession with "bad vendor, we should be able to sue you and hold you accountable," et cetera. Sure. All of us who were using file transfer systems as data warehouses gotta own that. Right. That's why it's gonna be so big and so bad, is that these systems were meant to be a subway, not a data warehouse. And that's where process, again... I'm sticking with letter B, I think.
David Shipley
We're going to see a lot more of that happening in the next year, where they're going to go after the bigger targets, more supply chain type of attacks, bigger bang for the buck.
Terry Cutler
Yeah. And the biggest one, the supply chain to get its clock cleaned, was of course Microsoft with the Russians and the Chinese. And we had a scathing CSRB report on that and a change in culture on the positive side, because I do want to look into 2025 with a win: the fact that they've aligned executive compensation and other things to try and actually get better at security. Fingers crossed it's better than just sweeping it under the rug. But imagine if Microsoft really does get its clock cleaned. If Google Workspace got its clock cleaned.
Jim Love
What if a telco in the United States... Oh, sorry, that happened.
Terry Cutler
Yeah. We've now learned the telcos are actually less important, and this is what's interesting. The telcos are less important to the day-to-day functioning because the spying didn't actually interrupt the flow of data. But if you take down one of these big critical cloud providers, we are in locker hurt blocker, and I think that in the second part of the 2000s, this next five years, like, if we avoid that, it'll be by the grace of God, because these are now the too-big-to-fail and nobody is paying attention.
David Shipley
I still think the next world war, World War Three, is going to be digital. That's Die Hard for you. For those who have never seen it, it's based on hacking. So where they took down the power grid, they took down the banking system, traffic systems. I'm surprised something like this hasn't happened yet, or that it's being prepared for. These systems are all online, like, you got to protect the entire critical infrastructure right now.
Jim Love
Russia has brought down some US systems, water systems, in Romania; the dress rehearsal was there. These systems that we have that are sitting in all of our communities that supply our water and our basic services are all open. As a matter of fact, I'm going to rerun my "hacker goes through a city" piece over the Christmas period. People should take a listen to it. That was done a year ago: how you could wander through and find anything from camera to camera. And sorry, I talk about my novel again, but one of the things that happens in novels is the getting into this infrastructure. I didn't make that up. I got that from local hackers who were telling me just how easy it was to get into civic systems. You were going to say something, Laura. I could see it.
Laura Payne
Oh, I don't know. I feel like it's gone, whatever it was. Sorry.
Jim Love
It'll come back. Jump in when it does. I'm going to go back with my story in this, and that is, when I started in IT 150 years ago, when we had abacuses and punch cards, we worried about shadow IT because people were buying all these mini systems, and the mainframes were there and they were doing all this stuff. People were bringing minis in, they were doing this and that. Well, then we got the cloud and all of a sudden everybody's bringing cloud systems in, and we all thought of that as a control issue from IT. We never thought of it as the cybersecurity nightmare it is, because people could be going, "Well, I didn't do it. That was our cloud system vendor that did that." We've crossed that line with AI. Now we are going to see the biggest movement of shadow IT in history. Everybody and their dog is going to have ChatGPT, Gemini, Claude, Meta on their computers that they're working with all the time. And those systems are going to be intrinsically linked to our businesses, and very few people have a strategy to deal with that. I am an optimist about AI. I believe we should be experimenting with it, I believe we should be doing things with it. I believe that if companies don't keep up with it, they will be left behind. And I'm not one of these guys who makes these dramatic statements. But if you're not understanding AI in your business, you're going to be in trouble. But if we do the Doctor No thing and say we're not touching it, keep it out, as cybersecurity professionals we're going to get killed, because they're going to bring it in anyway. And just... I'm going to do a show on APIs in January just because I want to talk about this: we're moving a lot of data around between these things. Has anybody looked at the security of it? Forget that the model learns. I get that part of it. Everybody freaks out about that.
I'm talking about how are you transporting this data through this little integration program that you downloaded off the Internet that is going to connect all these things. Has it got security on it? Like, remember, those are the things that I think would keep us up at night.
David Shipley
Remember back in the day: "Oh, we have to secure big data." We can't even secure the small data still.
Terry Cutler
Yeah.
Laura Payne
Like you said, it's not so much about the model learning, it's about how do the boundaries actually get put in place and enforced? And there is not a lot of transparency. I think even companies that try to share information about what they've done do a poor job of communicating. And I think it's also just: add it to the list of things you're supposed to investigate and check out and risk assess and really understand what you're doing, and I think people are "understanding fatigued." That one I'm taking credit for.
Jim Love
That's good. Go copyright it now, because of his T-shirt factory.
Laura Payne
Yeah, I, I... but we're just tired of having to bother and care so much. The magic works. Why do I have to understand how the magic works? Can't I just enjoy the magic? And we know that's dangerous, right? As security people, we know that's dangerous. We've seen that in all the forms of "magic" (there were air quotes on that for anybody who's just listening) that have shown up over the last 50, 60 years that these computers have been doing their thing. More than that, who's counting? But it's overwhelming now to really keep track of things. I don't have a solution, but I have a lot of respect for how hard it is to let anything in at this point.
Jim Love
Yeah. And my suggestion to everybody is: talk to people, get out and talk to people about what they're doing. And we've had a big thing, not a blaming thing, not trying to find out what you're doing, but trying to get educated on what they're doing. Because if you go out with your little security hat on and say, "I'm here to check to make sure you're not doing any of this stuff," they're going to lie to you. Sorry, but every CISO knows this. They're going to lie to you. "Do you use AI?" "No." And there's stats on this. People don't admit they're using AI to their company because they don't want to get laid off, for one thing. But they're not going to tell you the truth about it either. So you've got to get out and have a chat with them and talk to them about what they want to do and how that's going to affect things. And I think if you're not doing that, you're going to suffer from a security point of view, because you're not going to know what's going on.
Terry Cutler
I think the most important thing that we need to complement AI in 2025 is HI, human intelligence. And what I mean by that is critical thinking skills and understanding: what problems do you seek to solve with this, and how can I help you? So instead of being the Department of No, like you said, Jim, it's the Department of Know: know how to help you do this, know how to use these tools, so that you know how these tools work and what they can and can't do. One of the things that still irritates me greatly this year is the completely bogus claims that these are actually thinking rationally, that they're not just stochastic parrots repeating what they've been trained on or learned, or the statistical probability of word following word in a given context. And there are companies out there that are continuing the charade that artificial general intelligence is coming tomorrow. It may be, but it's certainly by no means guaranteed. And so it's still being overhyped. Interestingly enough, like, within my own company, we've been using Copilot now for six months for our development team. And I asked my CTO, I said, what's been the productivity improvement? Because I'm pretty excited. He's like, "It's not another developer, David." What do you mean? You're hoping for a 25% improvement in the capacity of our development team, and it's nowhere near that. So it's helped us with some automation of some scripting and some things, but it's also slowed us down sometimes because it's taken people down some rabbit holes. Huge potential. I've used it for some things for writing, but it is not yet self-aware. It's not Skynet. It's not the panacea.
Jim Love
So I'm going to argue with you there, David, because as the AI guy here, have your guy call me. I'm three times as productive, maybe four times as productive, and I could track it from AI because I focused on the small, and I've gotten rid of the small stuff and the steps that are there. People, you don't need artificial general intelligence. Think about it as an alien form of intelligence. We wouldn't wonder when it's just good at things; it does find the things it's good at. Stop trying to make it into a person and find the things it's good at and use it for those. And you will find that you can generate incredible productivity gains. But again, if you're sitting around waiting for it to become another person you can talk to... And by the way, you can talk to it if you like, and if you have no friends like me, it's good, but...
David Shipley
And they launched Therapist GPT now, so.
Jim Love
Oh yeah, but this is what I'm saying. But the issue here for me in the cybersecurity realm is: this is coming. It's in your shop now. And forget, like I said, forget the Terminator thing. Forget that stuff. Just wonder about somebody, and I'll just go back to this: somebody downloaded a little program to knit together four or five of these things, and it comes off the Internet and I don't know how secure it is, and it's running in your shop now.
Terry Cutler
And I'm just going to say this: Microsoft continues to push the Copilot, what we would call spyware, Recall, as the thing. I think it continues to bark up a tree that's going to be more pain than it's worth. Right. Like, I don't need an AI to tell me what was on my desktop three days ago, or to capture my credit card as I'm entering it in doing my holiday shopping. So I think your point, Jim, about finding the small things it can do well and leveraging that, yes. But do we need it to try and replace our brains? Absolutely not. And can it be a replacement for pure human creativity? And a well-trained developer, it can help the developer solve problems faster than Stack Overflow.
Jim Love
Sometimes it can do the dumb stuff. And we all know that 80% of our work is dumb stuff, right? No, but you would think about it. How much time do you spend looking for a document? You spend at least an hour to an hour and a half a day. That's if you're average; you might be better than that. Fix that. Don't try and... don't try and get rid... This is what, sorry, I'll get on a soapbox, but it's: don't try and make it think for you. Free up the people and let them think. Let them have a few minutes in the day, instead of being overclocked all the time doing tasks, to actually draft Laura's list and say, what are the 10 things we want to do? Wouldn't you like an afternoon to do that? That's what you want to get back to. Sounds so inspiring. Okay, lightning round. Terry, you got another story? Quickly, one minute. Sure.
David Shipley
Let's talk about the federal credit union breach. So that leaked over 240,000 records, everything from social insurance numbers, credit card data, financial details. They obviously didn't have the proper network security monitoring in place, security measures, and because of that they were able to stay undetected for a long time and move around the network laterally without any detection at all. They also need to have MFA in place to lock down more sensitive environments, more sensitive systems. And what's really important here, and this goes to any environment, is around employee training. They need to get awareness training into the latest hacks and scams that are going around, because it just takes... Hackers aren't trying to waste time trying to hack your firewall and get detected when all they have to do is send a crafty email to one of your employees, have them click on a link, and now they become an insider. So you need to have all these systems in place to notice a hacker in there, and you better have a good response plan to get them out.
Jim Love
Good stuff. Yep. Laura, got another story?
Laura Payne
Yeah, so FINTRAC had an incident that took them offline back at the beginning of March. They did get themselves squared up to get a number of the large institutions back to reporting status quickly, but it took months. And actually, I think there are still some aspects of the service that are not fully functioning and available yet to allow the smaller organizations, that also have a very important role to play in reporting potentially suspicious transactions. That's what FINTRAC is for: reporting suspicious transactions. So just things like that. Right. It flies under the radar. Most of us don't have any concept of what FINTRAC is or does, but it's a really important part of the services our government provides that help keep us safe and help keep bad guys in check and find when bad things are happening. And that's a service hugely impacted and still really not up and running a hundred percent after months of work on it. It's just another one of those things that happens and goes bump in the night that we should pay attention to.
Terry Cutler
I think Laura's got a really important point on this, particularly as we hit '25 because, you know, as Canadians know, there's an unhealthy level of attention being paid by the incoming president on all things Canada. Part of it has started with a kickoff of a potential trade war related to tariffs because of concerns about fentanyl labs and illegal border crossings. But the United States has been on Canada since 2019 about money laundering. One of our largest banks just got a whopping fine for knowingly participating in, facilitating, money laundering and proceeds of crime. And the key infrastructure for... Allegedly.
Jim Love
Did you say allegedly?
Terry Cutler
I think it's an...
Jim Love
You are an individual at this point. So I'd go with allegedly facilitating.
Laura Payne
Yes, the fine has been levied, so it's probably a bit beyond alleged at this point.
Terry Cutler
I'm going to go with: the fine defines. There has been a fine for doing this, and this is the worst possible time to have the systems and processes for watching this stuff go down. And it's worth noting that in Canada they just increased the fines for money laundering on the financial system in the update by, I think, a factor of 40. So it's on the Canadian radar to get on this. So I think, Laura, that's an excellent point: even the critical parts that are supposed to be keeping an eye on the criminals are getting kicked by criminals and nation states.
Jim Love
Yeah, okay. Keep a good thought.
Terry Cutler
So in terms of the other stories, I guess this is more just the 2024 Stinky, and I will give the acknowledgment to this.
Jim Love
You're going to give the Stinky out? Okay, if you're going to give the Stinky out, I want the runner-up, because I agree with your Stinky, but I want to submit the runner-up before you do that. My runner-up for Stinky is AWS. I have read one too many times about their, what is it there, "you're co-responsible for security in there." And then this year, as I pointed out in the program, I went on to provision a server using the back end of AWS. I have a high school education, folks. I'm not a total idiot. I might be partial, but I'm not a total idiot. I've actually provisioned Linux systems and things like that. I gotta tell you, I could not figure out this security model. I'm sitting here, nothing makes sense. You do this, then you do this, then you do this, and you just drift through it. And so the message I would like to give to AWS is: if everybody's got these unsecure buckets because they don't secure them, maybe you should hire a UX designer, because either all of your customers are idiots or your designers are. Take your pick. So that's the runner-up to the Stinky for me, is that, Mic: stop blaming people for bad security when you have a bad interface on your security. And there ends my sponsorship from AWS ever.
Terry Cutler
So how do you follow that? For me, the Stinky goes not to a hacking group or an errant vendor, but to Canada's House of Commons for failing to pass Bill C-26 before they left for the year. Because when they amended another law, they actually invalidated half the law. They did a numbering sequence. So there's a bit of human error in this story. So it was actually at the Senate level where the Senate caught this, and in order to correct it they had to amend the bill. The thing that all of us had said: don't do it, just pass it. Because it's better to have a law on the books and improve on it than, if you amend it, it's going to go back to the House, which is just about to fall apart. And this is before the finance minister kamikazed the prime minister in our country. So it's even more dysfunctional now. So yeah, we yet enter another year without a federal critical infrastructure cybersecurity law to help. And this comes after years of telecommunications hacks in the United States, pipelines almost going boom in Canada, and all kinds of other badness continuing in the world. So the Stinky this year goes to parliamentarians for not getting this right and leaving Canadians holding the bag.
Jim Love
How do you disagree with that? That's it. So thank you very much, guys. This has been our year-end program. Thank you, Laura Payne, Terry Cutler, David Shipley, thank you for being our panel all year. I hope we'll have you back in the new year. I'm hoping actually in January that we can do a start-of-the-season type of program, and we'll be able to take a look forward in the new year and some of the things that we want to be doing. And I'd like to actually challenge the panel, for us to focus on what are the things that people could be doing, that they practically can do within their budget and their means, at that point without having to open a bake sale or something like that to fund cybersecurity. This is the final show of the season. I said we'll, I'll be back probably the Monday after the first week in January, back doing the daily news in early January. As I said, we're going to ask our panel to come back and take a look at the new year going forward. David Shipley, I've got to nail you down. I really want to do another research episode, because I think those are a lot of fun and have been very positively received by our audience out there. And I'm gonna say the thing that I know some people may react to. As Jon Stewart said on the Today show, the seats are free. You can stop listening. I'm gonna say Merry Christmas to everybody. But, and not because I'm afraid of saying happy holidays, but a lot of our audience celebrates other things. They celebrate Hanukkah, they celebrate Eid. And so for those of you who want to say happy holidays, go to town, say Happy Eid, say whatever. Just wish everyone the best in this season. And that's my message to everybody.
Terry Cutler
Merry Christmas to everyone except for ransomware gangs, Chinese APT teams and that carder forum that quoted me in Russian.
Laura Payne
I'm going to wish them a Merry Christmas so that they don't have to turn to criminal enterprises anymore and they can go and live an honest life.
Terry Cutler
And for Terry, Happy New Year of doorstop pen test gooning.
David Shipley
Thank you, all you guys.
Jim Love
Night. Merry Christmas to all of you guys. Have a great new year and we'll see you in the New Year. On the 12th day of Christmas, my...
Terry Cutler
CISO gave to me...
Jim Love
12 employees training, 11 encrypted emails, 10...
Laura Payne
scans of sky jelly, 9 threats a-...
Jim Love
hunting, 8 logs a-leaping, 7 patches...
Terry Cutler
pending, 6 tokens rotating, 5 backup drives...
Jim Love
4 phishing filters, 3 VPN tunnels, 2 firewalls strong, and a multi-factor authentication key.
Cybersecurity Today: Year-End Panel Discussion Summary
In the year-end episode of Cybersecurity Today, host Jim Love brings together a panel consisting of Terry Cutler (Head of Cyology Labs, Montreal), David Shipley (Head of Beauceron Security, Fredericton), and Laura Payne (White Tuque) to reflect on the significant cybersecurity events and trends of 2024. The discussion covers major threats, notable breaches, legislative challenges, and practical strategies for organizations to strengthen their defenses in the coming year.
The panel highlights the persistent vulnerability of educational institutions to cyberattacks. David Shipley references the University of Windsor breach two years prior, emphasizing the ongoing challenges universities face with outdated security measures and legacy systems. He stresses the importance of adopting a holistic security approach over mere log collection.
David Shipley [02:00]: "We need to start minimizing the monitoring of this stuff. Make sure the IT guys are receiving the proper alerts."
Laura Payne adds that universities are attractive targets due to their legacy systems, diverse user base, and valuable research data, making them "juicy targets" for cyber adversaries.
Legacy systems remain a significant risk factor for many organizations. The continued use of outdated operating systems like Windows XP leaves networks exposed to potential breaches that modern security tools may not detect.
David Shipley [10:33]: "The average time that a hacker staying undetected is 286 days is the average still."
Terry Cutler underscores the difficulty in removing persistent threats from networks once established, citing multi-year efforts by government entities to eliminate foreign threats.
Laura Payne discusses the advancements and impending challenges posed by quantum computing, particularly concerning encryption. With NIST approving new quantum-resilient algorithms, the panel anticipates a scramble to implement these protocols before quantum breakthroughs potentially render current encryption obsolete.
Terry Cutler [07:13]: "It's a meme that always appears in my mind... persistence."
The integration of Artificial Intelligence (AI) into cybersecurity practices is both an opportunity and a challenge. While Jim Love views AI as a tool for enhancing productivity by automating mundane tasks, Terry Cutler warns against overreliance on AI, emphasizing the irreplaceable value of human intelligence and critical thinking.
Jim Love [41:24]: "You're better off doing one thing off that list... Everything you do is for the good."
A significant ransomware attack on Change Healthcare resulted in over $4.1 billion in damages, affecting millions and showcasing the catastrophic potential of targeting single points of failure within critical infrastructure.
Terry Cutler [28:01]: "Change Healthcare is really critical infrastructure... the most expensive healthcare cybersecurity event to date."
The CDK breach, affecting over half of North America's auto dealership SaaS market, led to substantial business interruption insurance claims totaling $25 million. Additionally, the Clop ransomware group compromised Cleo, emphasizing the vulnerability of major file transfer vendors.
Terry Cutler [30:41]: "Clop... refers to a blood-sucking ransomware brand."
A breach at a federal credit union exposed over 240,000 records, including sensitive personal and financial information. The incident highlighted the critical need for robust network security monitoring and comprehensive employee training.
David Shipley [43:30]: "They didn't have the proper network security monitoring in place."
FINTRAC, Canada's financial intelligence unit, suffered an outage in March, disrupting the reporting of suspicious transactions. This downtime impedes the government's ability to track and prevent illicit financial activities.
Laura Payne [44:34]: "It's just another one of those things that happens and goes bump in the night that we should pay attention to."
Bill 194, Ontario's cybersecurity legislation, mandates essential security measures for municipalities, schools, and hospitals—collectively referred to as the "mush sector." Terry Cutler criticizes the lack of adequate funding to support these institutions in meeting the new requirements.
Jim Love [07:33]: "Municipalities mean nothing. We are the authority... you can't suck and blow at the same time."
The Canadian House of Commons failed to enact Bill C26, intended to enhance federal cybersecurity measures. Terry Cutler attributes the failure to legislative disarray, leaving critical infrastructure without necessary legal protections.
Terry Cutler [47:18]: "We yet enter another year without a federal critical infrastructure cybersecurity law to help."
The panel advocates for regular penetration testing over mere vulnerability scanning. Penetration tests simulate real-world attacks, providing actionable insights and ensuring that security teams are responsive and prepared.
Jim Love [03:13]: "Do your penetration tests... it should set off alarms on purpose."
Emphasizing the human element in cybersecurity, David Shipley and Laura Payne stress the importance of continuous employee training to recognize and respond to social engineering attacks, such as phishing.
David Shipley [44:31]: "They need to have a good response plan to get them out."
Securing adequate funding and implementing effective risk management strategies are crucial. Terry Cutler suggests creatively sourcing funds within organizations to address specific cybersecurity risks.
Terry Cutler [14:34]: "Sometimes you can find money inside your organization creatively and think about that."
As the panel wraps up, they offer actionable advice for organizations grappling with cybersecurity challenges:
Jim Love [14:34]: "Talk to one of these professionals... Everything you do is for the good."
The year-end panel discussion on Cybersecurity Today underscores the evolving landscape of cybersecurity threats and the multifaceted approach required to combat them. From addressing legacy system vulnerabilities and embracing quantum-resilient encryption to leveraging AI responsibly and navigating legislative hurdles, organizations must remain vigilant and proactive. By prioritizing strategic initiatives, fostering collaboration, and investing in both technology and human capital, businesses and institutions can enhance their resilience against the ever-growing array of cybersecurity challenges in 2025.
Merry Christmas and Happy Holidays from the Cybersecurity Today Team!