DOGE-eat-DOGE world. - CyberWire Daily

Summary8 min read

CyberWire Daily: "DOGE-eat-DOGE World" – Detailed Summary

Podcast Information:

Title: CyberWire Daily
Host/Author: N2K Networks
Episode Title: DOGE-eat-DOGE World
Release Date: February 7, 2025

Overview: In this episode of CyberWire Daily, host Dave Bittner navigates through a series of pressing cybersecurity issues, ranging from the controversial use of AI by Doge in government auditing to critical vulnerabilities in popular applications. The episode also features an in-depth interview with John Anthony Smith, Founder and Chief Security Officer at Phoenix24, who emphasizes the paramount importance of robust backup systems in cybersecurity strategies. Additionally, the UK's newly launched Cyber Monitoring Centre is introduced, aiming to categorize and manage cyber incidents effectively.

1. Major Cybersecurity Headlines

a. Doge's AI-Driven Government Auditing

Overview: Doge, led by Elon Musk’s Department of Government Efficiency, is utilizing AI to scrutinize financial data within the US Education Department. This initiative extends to other departments, aiming to optimize government spending.
Details:
- AI Utilization: Analyzing grants, internal financial records, and personally identifiable information using Microsoft’s Azure cloud services.
- Objectives: Cut costs, eliminate inefficiencies, and potentially dissolve the department.
- Impact: Significant workforce reductions, including placing 100 Education Department employees on administrative leave due to diversity training participation.
- Concerns: Privacy violations, data breaches, lack of oversight, and potential misuse of sensitive data.
- Legal Actions: A federal judge has temporarily restricted Doge’s access to treasury payment systems following a lawsuit by advocacy groups.
Notable Quote:
- "Privacy experts worry about the unchecked power DOGE has gained, the potential for misuse of personal data, and the broader implications of AI-driven government restructuring." [02:25]

b. UK Demands Access to Encrypted iCloud Accounts

Overview: The British government has issued a secret legal demand to Apple for access to encrypted iCloud accounts under the Investigatory Powers Act Technical Capability Notice (TCN).
Details:
- Legal Basis: While reporting the existence of a TCN is legal, disclosing its specifics is prohibited.
- Implications: Potential creation of a backdoor for authorities to access global iCloud data.
- Apple’s Stance: Introduced optional end-to-end encryption for iCloud in 2022 despite law enforcement concerns.
- Ongoing Debate: Similar to debates surrounding Meta's end-to-end encrypted messaging.
Notable Quote:
- "Apple introduced optional end-to-end encryption for iCloud in 2022, despite law enforcement concerns about crime prevention." [02:32]

c. Critical Vulnerabilities in Deep Seek iOS App

Overview: Security firm NowSecure has identified severe vulnerabilities in the Deep Seek iOS app, urging enterprises and governments to ban its usage.
Details:
- Risks Identified: Unencrypted data transmission, weak encryption, insecure data storage, extensive data collection, and transmission to China.
- Impact: High potential for surveillance data breaches and compliance violations under PRC laws.
- Recommendation: Immediate removal of Deep Seek, adoption of secure AI alternatives, and continuous monitoring of mobile applications.
Notable Quote:
- "Under PRC laws, these issues pose significant threats, including surveillance data breaches and compliance violations." [02:32]

d. Microsoft Edge Enhances Security with AI Scareware Blocker

Overview: The latest version of Microsoft Edge introduces an AI-powered scareware blocker aimed at detecting and preventing tech support scams in real-time.
Details:
- Functionality: Utilizes computer vision to analyze webpage content without sending data to the cloud.
- Advantages: More effective than Defender SmartScreen in blocking scams by assessing webpage content directly.

e. Phishing Campaign Targeting Facebook Users

Overview: A sophisticated phishing campaign is compromising Facebook accounts by sending fake copyright infringement notices.
Details:
- Scope: Targeted over 12,000 email addresses, mainly affecting enterprises in the EU, US, and Australia.
- Methodology: Utilizes Salesforce’s email service to mimic legitimate communications, referencing companies like Universal Music Group.
- Risks: Victims directed to counterfeit Facebook support pages, leading to credential theft and account hijacking.
Notable Quote:
- "Attackers use Salesforce's email service to make phishing emails appear legitimate." [02:32]

f. Malicious Machine Learning Models on Hugging Face

Overview: Researchers at Reversing Labs have uncovered malicious machine learning models on Hugging Face that exploit vulnerabilities in Python’s Pickle serialization format.
Details:
- Threat: Embedded payloads capable of executing arbitrary code.
- Impact: Exploitation through seemingly legitimate models, posing severe security risks.
- Response: Hugging Face is enhancing its security measures, and developers are urged to avoid unverified models and consider safer serialization alternatives.
Notable Quote:
- "These models contain embedded payloads capable of executing arbitrary code, posing serious security risks." [02:32]

g. Gravy Analytics Faces Fourth Data Breach Lawsuit

Overview: Gravy Analytics, now part of Unicast, is embroiled in a fourth lawsuit alleging a massive data breach exposing 17 terabytes of personal data.
Details:
- Data Exposed: Precise locations of millions of smartphones from apps like Tinder, Grindr, Candy Crush, and VPN services.
- Affected Regions: Users in the US, Europe, and Russia.
- Legal Allegations: Negligence, breach of contract, and unfair competition.
- Regulatory Actions: The FTC has banned Gravy from selling sensitive location data.

h. CISA Warns of Critical Microsoft Outlook Vulnerability

Overview: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an actively exploited Microsoft Outlook vulnerability known as Moniker Link.
Details:
- Vulnerability Type: Remote code execution flaw allowing attackers to bypass Office Protected View.
- Impact: Enables malicious Office files to open in editing mode, leading to NTLM credential theft, remote code execution, and full system compromise.
- Affected Products: Multiple Microsoft Office applications.
- Action Required: Federal agencies must patch by February 27th as per CISA’s known exploited vulnerabilities catalog.

2. In-Depth Interview: Importance of Backups with John Anthony Smith

Guest Profile:

Name: John Anthony Smith
Title: Founder and Chief Security Officer at Phoenix24

Key Discussion Points:

a. The Critical Role of Backups in Cybersecurity

Insight: John Anthony Smith emphasizes that backups are not just a standard security measure but potentially the most crucial control against modern cyber threats.
Quote:
- "What we see threat actors commonly doing is having an increasing willingness to not only target backups but also target production systems both for mass encryption and mass deletion." [13:38]

b. Current State of Cyber Resiliency and Recovery Strategies

Observation: Many organizations overestimate the effectiveness of their backup and recovery mechanisms.
Statistics: According to Smith, "80 to 92% of the time, the recovery capabilities that organizations believe will allow them to timely recover simply do not survive." [15:06]
Issues Identified:
- Poor orchestration of backup systems.
- Inadequate alignment with breach contexts.
- Dependence on flawed vendor guidelines for backup strategies.

c. Lessons from High-Profile Breaches

Takeaway #1: Ensure absolute confidence in recovery capabilities beyond relying solely on backup tooling manufacturers.
- "You need experts in recovery to advise on the survivability of your backup and recovery facility, period." [18:42]
Takeaway #2: Organizations must be prepared for mass recovery scenarios and rigorously test their recovery processes.
- "You should have absolute confidence in that technical rehydration time through rigorous and regular testing." [18:57]

d. Risk Assessment and Investment in Recovery vs. Resistance

Argument: There is a disproportionate focus on preventing breaches rather than ensuring effective recovery post-breach.
Quote:
- "Cyber resiliency essentially can be summed up with two pillars, resistance to a breach or prevention, as many call it, and recovery. He said essentially all organizations are over investing in resistance and largely ignoring recovery." [25:20]
Recommendation: Shift investment towards assured recovery mechanisms to complement existing preventive measures.

e. Solutions and Partnerships

Strategy: Orchestration of backup and recovery systems requires expertise and alignment with real breach contexts, which organizations often lack internally.
Solution Offered by Phoenix24: Providing expert guidance to orchestrate backup controls that are survivable and ensure timely recovery.
- "We work breach, we have breach context. Therefore we know how to orchestrate recovery in a survivable and timely recoverable fashion." [21:45]

f. Industry-Wide Preparedness

Finding: Across all industries and organization sizes, preparedness for mass recovery is glaringly inadequate.
Quote:
- "It seems to be all industries, all scales, all revenue sizes. Largely, largely every industry is getting this wrong." [23:20]

3. UK Launches Cyber Monitoring Centre (CMC)

Overview: The UK has introduced the Cyber Monitoring Centre, a pioneering system designed to classify cyber incidents similarly to how meteorological events are categorized.

Details:

Leadership: Former NCSC Chief Kieran Martin spearheads the CMC.
Functionality: Ranks cyber incidents from Category 1 (minor) to Category 5 (catastrophic), based on financial losses and the number of affected organizations.
Test Runs:
- Synovus NHS Fiasco: Rated as Category 2.
- CrowdStrike’s Self-Inflicted Chaos: Rated as Category 3.
Purpose: Initially for cyber insurers, with aspirations to inform policymakers, businesses, and the UK government.
Skepticism: Critics question the long-term efficacy, but proponents argue its necessity.
Notable Quote:
- "If this was easy, somebody would have done it already." – Kieran Martin [Timestamp not specified]

4. Additional Highlights and Upcoming Content

Research Saturday Preview: An upcoming study titled "Cleopatra's Shadow," featuring a mass exploitation campaign deploying a Java backdoor through zero-day exploitation of Clio MFT software, to be discussed with Mark Manglikmot from Arctic Wolf.
Listener Engagement: The podcast encourages feedback and ratings to enhance future content delivery.

Conclusion

This episode of CyberWire Daily delves into the multifaceted challenges of modern cybersecurity, highlighting the aggressive tactics of AI-driven entities like Doge, the ongoing battle over data privacy with encrypted services, and the ever-present threat of sophisticated phishing and malware campaigns. The conversation with John Anthony Smith underscores a critical gap in organizational preparedness for cyber incidents, advocating for a balanced investment in both preventive measures and robust recovery strategies. The UK's initiative with the Cyber Monitoring Centre represents a strategic move towards better classification and management of cyber threats, indicating a maturing approach to national cybersecurity governance.

Key Takeaways:

AI in Government Auditing: While aiming for efficiency, Doge’s AI applications raise significant privacy and oversight concerns.
Encryption and Law Enforcement: The tension between data privacy and law enforcement access continues to evolve, with governments pushing for backdoors despite resistance from tech giants.
Application Vulnerabilities: Continuous vigilance is essential as even widely-used applications like Deep Seek can harbor critical security flaws.
Phishing and ML Threats: Attackers are leveraging sophisticated methods to exploit both human and machine vulnerabilities.
Data Breaches: The recurring lawsuits against data brokers like Gravy Analytics highlight the persistent issues in data security and privacy compliance.
Backup Strategies: Effective backup and recovery systems are indispensable, yet most organizations are inadequately prepared to handle advanced cyber threats.
National Cyber Strategies: Initiatives like the UK's Cyber Monitoring Centre signify proactive steps towards comprehensive cyber incident management.

For a comprehensive understanding of these topics, listeners are encouraged to engage with the full episode and explore the detailed discussions and expert insights provided by CyberWire Daily.

Loading summary

Transcript23 lines

[00:02]
Dave Bittner
You're listening to the Cyberwire network, powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try Deleteme. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data Privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Deleteme now at a special discount for our listeners today. Get 20% off your delete me plan when you go to JoinDeleteMe.com N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com n2k and enter code N2K at checkout. That's JoinDeleteMe.com N2k code N2K Security concerns grow over Doge's use of AI the British government demands access to encrypted iCloud accounts. Researchers identify critical vulnerabilities in the Deep Seq iOS app Microsoft Edge uses AI to block scareware. A phishing campaign targets Facebook users with fake copyright infringement notices. Researchers discover malicious, ambitious machine learning models on hugging face A major data broker faces yet another data breach lawsuit. CISA warns of a critical Microsoft Outlook vulnerability under active exploitation. Our guest is John Anthony Smith, founder and chief security officer at Phoenix 24, sharing his insights into why backups could be your most important security control and the UK's Cyber Weather Report says expect light fishing with a chance of ransomware.
[02:26]
John Anthony Smith
Foreign.
[02:33]
Dave Bittner
February 7, 2025 I'm Dave Bittner and this is your Cyberwire Intel Briefing. Happy Friday and thanks for joining us here today. It is great to have you with us. Elon Musk's Department of Government Efficiency Doge has been using AI software to analyze financial data at the US Education Department, including personally identifiable information related to grants and internal financial records. The team, which includes former Musk employees, is leveraging Microsoft's Azure cloud services to scrutinize every dollar spent by the government, with the goal of significantly cutting costs and potentially eliminating the department altogether. The Washington Post reports Doge's actions align with the Trump administration's broader agenda to shrink federal agencies. The group plans to extend its AI driven auditing across multiple government departments, including the Department of Health and Human Services, the Treasury, and the Centers for Disease Control and Prevention, seeking to optimize government spending. Their access to Medicare and Medicaid payment systems has raised concerns about potential privacy violations and data breaches. Critics warn that Doge's approach lacks oversight and could lead to security risks, particularly as AI systems are prone to errors and may expose sensitive data. The rapid implementation of Doge's strategies has has already led to significant workforce reductions, including placing 100 Education Department employees on administrative leave based on their participation in diversity training. In response to growing concerns, a federal judge temporarily restricted Doge's access to treasury payment systems after advocacy groups filed a lawsuit. While Musk's team claims they're rooting out inefficiencies and fraud, privacy experts worry about the unchecked power DOGE has gained, the potential for misuse of personal data, and the broader implications of AI driven government restructuring. The British government has reportedly issued a secret legal demand to Apple requiring access to encrypted iCloud accounts under the Investigatory Powers Act Technical Capability Notice, according to the Washington Post. While reporting on the existence of a TCN is legal, disclosing its details is prohibited. The demand could create a backdoor for authorities to access global iCloud data, though officials claim it only ensures compliance with legal warrants. Apple introduced optional end to end encryption for iCloud in 2022, despite law enforcement concerns about crime prevention. Similar encryption debates continue, with UK officials criticizing Meta's end to end encrypted messaging. Tech companies argue alternative security measures suffice, while law enforcement insists metadata alone is insufficient for serious investigations. Neither Apple nor the UK government has commented on the report. Research from security firm NowSecure has identified critical vulnerabilities in the DeepSeek iOS app, urging enterprises and governments to ban its use due to severe privacy and security risks. Since its rise to the top of the App store on January 25, DeepSeek has been downloaded on millions of devices, including those used by government employees, prompting swift bans from multiple agencies and the US Military. Key risks include unencrypted data transmission, weak encryption, insecure data storage, extensive data collection, and data transmission to China. Under PRC laws, these issues pose significant threats, including surveillance data breaches and compliance violations. Now Secure recommends organizations immediately remove Deep Seek, seek secure AI alternatives and continuously monitor mobile applications for emerging risks. The latest version of Microsoft Edge is rolling out globally with key improvements, including an AI powered Scareware blocker and a revamped downloads ui. The Scareware blocker now available in Edge's settings, detects tech support scams in real time using computer vision without sending data to the cloud. Unlike Defender SmartScreen, it analyzes webpage content to block scams more effectively. A phishing campaign is targeting Facebook users with fake copyright infringement notices, aiming to steal login credentials. The scam, sent to over 12,000 email addresses, primarily affects enterprises in the EU, US and Australia. Attackers use Salesforce's email service to make phishing emails appear legitimate. The emails claiming violations under the dmca, reference major companies like Universal Music Group and create urgency by threatening account restrictions. Victims clicking the appeal link are directed to a fake Facebook support page designed to capture their credentials. Attackers can then hijack accounts, alter content, and manipulate messaging, posing risks for businesses relying on Facebook. Researchers at Reversing Labs have discovered malicious machine learning models on Hugging Face exploiting vulnerabilities in Python's Pickle serialization format. These models contain embedded payloads capable of executing arbitrary code, posing serious security risks. Pickle is widely used in ML but allows attackers to embed harmful commands with seemingly legitimate models. The researchers identified two Pytorch based malicious models, dubbed Nullif AI, that bypassed Hugging Face's security tools by executing payloads early in the Pickle stream. The incident highlights the risks of collaborative AI platforms where productivity often outweighs security. Hugging Face is enhancing its protections, but developers should remain cautious, avoid unverified models and consider safer serialization alternatives. Security experts recommend monitoring for suspicious activity linked to Pickle vulnerabilities to prevent potential cyber threats. Gravy analytics is facing yet another lawsuit over a massive data breach that allegedly exposed 17 terabytes of personal data, including the precise locations of millions of smartphones. This is the fourth lawsuit since January, following claims that hackers stole sensitive data from the company's AWS S3 storage buckets and posted evidence on a cybercrime forum. The stolen data reportedly includes geo coordinates collected from popular apps like Tinder, Grindr, Candy Crush, MyFitnessPal and VPN services affecting users in the U.S. europe and Russia. Gravy, now part of Unicast, has already been banned by the FTC from selling sensitive location data. The lawsuit alleges negligence, breach of contract and unfair competition. While Gravy denies direct collection of location data, critics argue the company failed to secure its license datasets, leading to serious privacy risks. CISA has issued an urgent warning about active exploitation of a critical Microsoft Outlook vulnerability dubbed Moniker Link. This remote code execution flaw allows attackers to bypass Office Protected View, making malicious Office files open in editing mode instead of read only. The vulnerability affects multiple Microsoft Office products and can be exploited via zero click attacks leading to NTLM credential theft, remote code execution, and full system compromise. CISA has added this flaw to its known Exploited Vulnerabilities catalog, requiring federal agencies to Patch by February 27th. Coming up after the break, John Anthony Smith from Phoenix24 shares insights into why backups could be your most important security control. And the UK's cyber weather report says expect light fishing with a chance of ransomware. Stay with us.
[11:40]
John Anthony Smith
Foreign.
[11:47]
Dave Bittner
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with Threat Locker, the cybersecurity solution trusted by businesses worldwide. Threat Locker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off.
[13:30]
John Anthony Smith
Foreign.
[13:39]
Dave Bittner
Anthony Smith is founder and Chief security officer at Phoenix 24. In today's sponsored Industry Voices segment, we discuss why backups are your most important security control.
[13:52]
John Anthony Smith
Well, what's top of mind for me is I believe that what we've seen in the past will actually continue into this current year, and it will only get worse. What we see threat actors commonly doing is having an increasing willingness to not only target backups, but also target production systems both for mass encryption and mass deletion. And so I believe that what's going to dominate 2025 is frankly more of the same, but in an amplified fashion. What we also see is threat actors are now commonly willing to even target what I would say more sensitive industries like nonprofits and healthcare organizations. Organizations providing very critical life Saving infrastructure. I believe that we will continue to see a heightened willingness of threat actor groups to even target these industries with destructive acts.
[14:47]
Dave Bittner
Can we do a little level setting together here? I mean, when it comes to cyber resiliency and recovery strategies, what is the current state of things? What is considered sort of the, you know, the baseline standard that people should achieve?
[15:06]
John Anthony Smith
Yeah, that's an interesting question. Actually, in working breaches, which is what Phoenix24 does, we help organizations recover from their worst day in their career. What we see is that most companies, while they commonly do believe that their backup and recovery mechanisms will hold in the event of threat act or destructive acts, they commonly do not. Matter of fact, depending on when we look at our recovery sample of clients, 80 to 92% of the time, the recovery capabilities that organizations believe will allow them to timely recover simply do not survive. And so what I believe will continue to dominate, what we'll continue to see bluntly is that organizations simply aren't orchestrating their backups in a survivable fashion, despite what they believe to be true. Not only that, not only are backups not commonly survivable, they're also, when they do survive, they commonly cannot provide a timely recovery. And this is for a variety of reasons. Obviously, recovery from a mass destruction or mass encryption event is complex, but things like Dr. Mechanisms, right? Business continuity, disaster recovery systems, things that organizations depend on from, for our act of God type recoveries. Commonly orgs believe that these things will work in the event of a mass destruction event, but this simply isn't true. Most of these systems, these secondary environments, these replicated systems, they too get destroyed by threat actor behaviors. And so survival and timely recoverability, I believe are essential. And what we see is most orgs simply aren't prepared.
[16:59]
Dave Bittner
That gap that you describe really fascinates me. Can you help me understand that? I mean, to me, it's not like people are trying to fool themselves when it comes to their backup strategies. They believe that the things that they've done are going to be effective. And yet the data doesn't reflect that that's correct.
[17:22]
John Anthony Smith
And the reason why really boils down to what we call breach context. The fact of the matter is, most of the technical details of breach largely get locked up. They do not get publicly disclosed. And so defenders, in essence, are making guesses about how to orchestrate bluntly their most important security control, which is their backups, in our opinion. Therefore, they don't commonly orchestrate these things Aligned to the realities of breach. Breach context to us are what are threat actors? Able and willing to do. And unfortunately this data is not commonly made public and therefore most defenders, most organizations are not orchestrating their backups in a survivable manner because bluntly they don't have the data to do so, nor do the manufacturers that actually make the underlying backup tooling that organizations have come to depend on. Actually you can follow some of the most prominent backup tooling providers direct guidance on how to orchestrate immutable backups and it will be wrong. From a breach context perspective, threat actors will still commonly be able to delete organizations ability to recover even when aligned to the best practices of the vendor.
[18:43]
Dave Bittner
Are there any high profile incidents that folks would know about where there's some take home lessons that you can share from them, things that folks in your line of work had some good takeaways from?
[18:57]
John Anthony Smith
Yeah, I mean so there are many high profile breaches, some of which have had some of their technical details disclosed. I would say key takeaways are, and obviously it's what we started the conversation on is that most orgs simply are not orchestrating their recovery capabilities. Well. And so what I would say is number one key takeaway is that you should be absolutely confident, assured if you will, that your recovery capabilities will hold in the event of modern threat actor behaviors. And so you cannot and should not be depending on upon your backup tooling manufacturer's guidance solely in this regard because they will steer you incorrectly. You need experts in recovery to advise on the survivability of your backup and recovery facility, period. So that's learning number one. Learning number two is that the organization should be ready for mass recovery and they should be rigorously testing it. So not only should you have a survivable capability facility that you're confident in, you should also have confidence in your rehydration time. Right. Essentially you should know how long it's going to take your org to get your tier 0 and tier 1 data rehydrated and you should have absolute confidence in that technical rehydration time through rigorous and regular testing. And I will say in practice literally no one is doing this. At least that's what we've seen in our assessment.
[20:41]
Dave Bittner
That was going to be my next question. It seems to me like that is the easiest can in the world to kick down the road.
[20:48]
John Anthony Smith
Yes. And essentially it's funny actually Dave, many orcs are very focused on their act of God protection, right? Fire, flood, earthquake. But in many cases, now again it probably depends on where you are on the planet, but in many cases that's your Lowest risk, it is highly more likely that a threat group will gain initial access into some point of entry into your org, attempt lateral movement, and therefore then attempt some form of destruction. That is a much more likely risk, yet largely no one is prepared for it.
[21:30]
Dave Bittner
What's your advice in terms of kind of steering folks toward particular technologies or solutions when we're talking about best bang for their buck, you know, being most effective in achieving these optimal outcomes?
[21:45]
John Anthony Smith
Yeah, that's a great question. And so this is not product decisioning. I commonly say that it's a three part orchestration problem and a one part product decision problem. Orchestration, in other words, how you orchestrate your tools, how you configure your tools, the processes you wrapped around them, the testing you do with rigor, those things are what is leading to destruction. And here's the fundamental problem, which is why our company has been so successful. If you're going to do this with absolute assurance that your backup facility, your recovery facility will hold, you need breach context. You need someone who can technically guide you on the orchestration of those controls such that they can and will survive and provide a timely recovery with confidence. So you need a partner. Most orgs simply do not have the data, have no path to the data, and therefore cannot ever achieve success in this regard without a partner. Right. So, and that's really where our organization has comes in for many, many companies in the world is, and which is why we've had so much success is because we work breach, we have breach context. Therefore we know how to orchestrate recovery in a survivable and timely, recoverable fashion.
[23:20]
Dave Bittner
You mentioned earlier that the bad guys are broadening their scope of the folks that they go after here. I'm curious what you're tracking in terms of the threat landscape, cyber resiliency, when it comes to different industries, to what degree are there haves and have nots out there?
[23:41]
John Anthony Smith
Generally speaking, from what we see, both from recovery and from assessment, because we do assess organizations against breach context, there seems to be consistently true across all industries that they are not prepared for mass recovery. I don't know that there's any delineation, if you will, between industries that are less prepared versus more prepared. It seems to be all industries, all scales, all, all revenue sizes. Largely, largely every industry is getting this wrong. I wish I could name one that's going to have positive outcomes from the recovery capability. I believe in my career I have only assessed one organization to date out of hundreds that I would argue will have a survivable backup or does have a survivable backup facility and therefore will likely have a survivable recovery. Only one, most organizations who have some form of a survivable backup, it's got some significant risks imposed upon it because the orchestration that surrounds the immutability algorithm being employed is in some way significantly flawed.
[25:10]
Dave Bittner
Is there a risk though of the perfect being the enemy of the good? I mean, people have to, they have to dial in their appetite for risk, right?
[25:21]
John Anthony Smith
They do. But here's what I would say, actually a breach counselor recently said this quote to us. He said, essentially every organization within the United States has leadership, responsibility or fiduciary responsibility of cyber resiliency. He said to us, cyber resiliency essentially can be summed up with two pillars, resistance to a breach or prevention, as many call it, and recovery. He said essentially all organizations are over investing in resistance and largely ignoring recovery. So to your point, your question is perfect the enemy of the good? What I would say to you is this is one security control you can't get wrong. We need to be investing more in recovery and less in resistance, essentially. Dave, you've probably heard many security professionals say you can't prevent all breaches. It's essentially a matter of when, not if, all organizations will have a breach. If we truly believed this statement, then we would be doubling down on our investments in recovery and spending maybe a little less time on resistance. I'm not saying all those things aren't important. I'm just saying we need to be investing in an assured recovery. And yes, I do believe it is possible to have confidence in your ability to recover. I do fervently believe, as a matter of fact, we have a model for this that works. We call it Secura Tsuma. Where recovery can be assured. It absolutely can be assured.
[27:05]
Dave Bittner
That's John Anthony Smith, Founder and Chief security officer at Phoenix 24. And now a message from our sponsor. Zscaler, the leader in cloud security Enterprises have spent billions of dollars on firewalls and VPNs. Yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust AI stops attackers by hiding your attack surface. Making apps and IPs invisible. Eliminating lateral movement. Connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context, simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at Zscaler.com Security exclusively on ESPN. UFC 312 Saturday Reigning middleweight champion Dricus Du Plessis defends his title in a rematch against Sean Strickland and Zhang Weili defends her strawweight title against undefeated tatiana Suarez. UFC 312 Saturday at 10pm Eastern. Buy it on espnplus.com ppb and finally, our London fog desk reports the UK just launched the Cyber Monitoring Centre, a first of its kind system that ranks cyber incidents like Hurricanes from Category 1 annoying drizzle to Category 5 cyber apocalypse. LED by former NCSC chief KIERAN MARTIN, the CMC's job is to determine whether a cyber attack is a systemic event or one so massive it ripples across industries like NotPetya or CrowdStrike's recent meltdown. The scale is based on financial losses and the number of affected organizations. Test runs well move it barely registered Synovus NHS fiasco hit category two and CrowdStrike's self inflicted chaos landed at category three. While initially designed for cyber insurers, the CMC hopes to inform policymakers, businesses and even the UK government. Skeptics question its long term impact, but as Martin put it, if this was easy, somebody would have done it already. And that's the Cyberwire. Be sure to check out this weekend's research Saturday and my conversation with Mark Manglikmot from Arctic Wolf. Their research is titled Cleopatra's Shadow, A mass exploitation campaign deploying a Java backdoor through zero day exploitation of Clio MFT software. That's research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback is ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here next week. SA.