A (11:42)

This message may be shocking to many millennials. If you are one, you might want to sit down. Right now, loads of people are searching the following on low rise jeans, halter top, velour, tracksuit, puka shell necklace, disc belt. You likely place these in the dark of your closet in 2004, never to be seen again. But if you can find it in yourself to dust them off, there are a lot of people who will give you money for them. Sell on depop where taste recognizes taste.

B (12:17)

Larry Zorio is CISO from Mark 43. We're discussing first responders sounding the alarm on insider cyber risks.

C (12:26)

Well, we put it out every year and every year it has different themes. Every year we typically focus on different cybersecurity trends. We actually do a lot of tracking ourselves with different trends we see in the industry, especially breaches and attacks on government agencies. So this year was definitely focused. There was definitely a focus on AI, which I'm sure you definitely know that that also access management. So this was. Yeah, this is something we do every year, Dave.

B (12:58)

Well, I mean, let's dig in here. The focus is public safety. What are some of the specific issues that folks in that part of the world have to deal with?

C (13:08)

I would like to just start, especially for your listeners, just to kind of level set with them. There are a lot of things that public safety agencies struggle with with cybersecurity. I think we're all used to seeing movies and TV shows with very advanced technology following the dot around the screen, sitting in different security operations centers. Right. But that, that is really only for the, the top, top, top tier of public safety agencies. Many of these agencies are struggling with similar things that small businesses are struggling with. They're struggling with technology budgets, a lot of old legacy systems. They're struggling with people trying to recruit and retain talent in the cybersecurity industry. So many challenges in this space and some of them have come out in our trends report this year.

B (14:03)

Well, let's dig into the report. What were some of the key findings that caught your eye?

C (14:08)

A near total majority, 98% of law enforcement believe that cybersecurity is an important part of evaluating technology. I thought that was interesting because if, if you were to ask that Question five years ago, I think you would get a totally different answer because five years ago public safety was very much, they wanted things on prem. They wanted to be in charge of their systems. They, they knew how to protect their systems in their, in their data centers. I think what this, this stat is, is telling us is they understand that they need to level up. They understand that they need to start leveraging modern technology and they know that cybersecurity needs to be a piece of that. So that, that, that was the near majority was an interesting one for me.

B (14:59)

One of the things that caught my eye was the concerns about insider threats. Can you dig into that a little bit?

C (15:06)

For us, it's the, the public safety. We're talking police, we're talking fire, we're talking EMTs, we're talking even like the federal agencies dealing with such sensitive information. We're talking FBI data, we're talking warrants, arrest records. You know, in these records there is the potential for very private information. There is even some cases, there's, there's medical information in there. So agencies understand that, that this is so, so sensitive. And they have a lot of legacy systems, Dave, that just don't give them what we would consider in your audience would consider just like it's table stakes, right? Like the role based access control. A lot of them are struggling with that. They're struggling even with like zero trust, this, this thing that's been around for many years. So it was interesting to see, you know, the responders come back that way with, you know, more. A good majority of them are worried about it and they know that it needs to be something they got to focus on.

B (16:14)

Well, you mentioned access control. What did you learn when it comes to that?

C (16:19)

There's a couple things that we've learned actually from that. I mean, it's definitely we're seeing them respond, you know, with this, with the 65% we're seeing, we've seen in past trends reports, them respond to how much they're struggling even with just again for your listeners, Dave, they're struggling with multi factor authentication. These are old legacy systems and they're finally starting to modernize and they're now being pushed and required through different compliance standards that they have to follow to roll out mfa. And it's either a technology struggle, which I spoke to earlier, or it's a people struggle. Like we would love to roll out mfa, but we don't have the personnel to do it. So I think it's, it's just important for, for people, for folks like myself that are in this industry that can help to educate and be there to help them in that space. The other thing I'll mention today of outside of mfa, we've learned that even these legacy systems, they don't even have the granularity that you're looking forward in an activity report to be able to see what people are doing in the systems themselves. So it's another reason why modernization is so important.

B (17:35)

Can you give us an idea of the range of systems that we're talking about and the functions? I guess top of mind for me is something like a 911 call center where obviously downtime is the last thing you want, but I'm sure there's a lot more to it than most of us think about.

C (17:54)

You hit the nail on the head with the 911 system, right? That is one of the absolute core critical infrastructures that public safety is using. So those, those Systems, there's the 911 call taking system. There's also what's called a computer aided dispatch system. That, that's kind of, if you ever see a picture of a 911 environment, a dispatch center, you see all these screens and, and typically they're the call taking systems, they're the computer aided dispatch systems. So there's that piece of it, but then there's also what's called records management systems, rms. And that is basically where they live and breathe for 80, 90% of the day. It's where they're writing up all their arrests, they're, they're filling out forms for, for warrants, they're doing all their research. Detectives are going in there looking, looking at different evidence. This all happens in, in an rms. So those are kind of the big core ones. Then you have things like license plate reader systems that, that have been making the headlines recently and, and, and some analytics software as well. That, that's very, very important to these, these public safety officials.

B (19:07)

You know, we were talking about insider threats and also AI. And I know that's a big concern for a lot of organizations that employees may be using AI. We refer to it as shadow AI. And when you're talking about this sort of sensitive information, that could be a real big problem.

C (19:27)

It is a real big problem. It's something that I, I talk to a lot of public safety agencies about for many different reasons. In some cases they're just looking for guidance. They're looking from, guidance from, it could be from the state or even the city level. What, what are we allowed and not allowed to do? So there's definitely that side of it. I know, I know that a lot of states are starting to make progress, the federal government's starting to make progress in that area to give them the frameworks. Many of them are aware that they are using these shadow it, these shadow AI tools and they are concerned about it. We're talking to them about how they can lock it down, certainly try to keep it within the boundaries of those RMS systems and those CAD systems. And some of those providers are starting to now offer AI technologies that can really kind of bring everything back into, into the core systems and give, give these leaders a bit more control over where the data is going to go.

B (20:33)

Is there a big gap between the, the haves and the have nots when it comes to communities that are able to fund these sorts of efforts?

C (20:44)

There definitely is. Your big cities are thankfully they're going to be able to have big cybersecurity teams and that's great. But it's also shocking in some cases that big cities that we're, we're, we're all aware of that. They're still struggling. They are still struggling, Dave. So with, with kind of your bigger agencies, they might have a team, they could have a team of 100 cybersecurity professionals, which is wonderful and that's great. But if you're, you're in your local town agency, you're lucky if they even have an IT manager and that's it. So it very much is a have and a have nots in this space. We, we do talk around, especially with those smaller agencies. A lot of states are actually offering these smaller agencies services. So we're talking to them about hey, go talk to your state officials. There are some, some tooling and some services that you can get out of the state as well.

B (21:42)

Well, based on the information that you all gathered in the report here, what are your recommendations? How should these organizations go about best protecting themselves?

C (21:51)

I think it really all comes down to, and I talk about this a lot, Dave, and for your listeners this is going to sound very obvious, but I talk to a lot of agencies about just settling on a framework that you want to follow, like whether it's NIST or ISO or cis, like just find one that works for your agency. We put out a lot of documentation around this for them and what that can then do is it, it gives them a comfort level that they can build a roadmap, they can build a plan over the next two, three, even five years of some of the things that they need to work on, some of the controls they need to put in place. Funding is a really big issue. Budgets, funding, finding dollars. But having that framework then allows them to go to town leadership, city leadership, state leadership, and say, hey, we do have a plan. And the great thing about it is this plan actually maps to some of the state regulations we have, some of the federal regulations we have. And then the other great thing about that, Dave, is once they have that, they can actually then go for grants because there are a lot of great grant programs out there for these, these agencies, they just don't necessarily know how to go grab that money. And having a framework, having a plan can really help with that.

B (23:14)

That's Larry Zorio from Mark 43.

A (23:29)

So good, so good, so good Score Holiday gifts Everyone wants for way less at your Nordstrom RA Save on ugg, Nike, Rag and Bone, Vince Frame, Kurt Geiger, London, and more.

C (23:41)

Cause there's always something new.

A (23:42)

I'm giving all the gifts this year.

B (23:44)

With that extra 5% off when I.

A (23:46)

Use my Nordstrom credit card. Santa who join the Nordy Club at Nordstrom Rack to unlock our best deals. It's easy. Big gifts, big perks. That's why you rack. Ford BlueCruise Hands Free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise enabled vehicles like the F150 Explorer and Mustang Mach E. Available feature on equipped vehicles Terms apply. Does not replace safe driving. See Ford.com BlueCruise for more details.

B (24:33)

And finally, a small nonprofit with a long memory and a short tolerance for corporate lock ins is paying people to answer an awkward when you buy a device, how much of it is actually yours? Freedom from unethical limitations on users or Fulu runs bounties not for security bugs, but for proof that abandoned or restricted hardware can still be made to work. The effort gained momentum after Google retired support for early Nest thermostats, leaving owners with expensive wall ornaments that still worked locally but had quietly lost their smart Fulu now offers cash rewards for fixes that bypass drm, expired software support or parts pairing schemes. Targets include filter locked appliances, disk drive encryption in game consoles, and other features that seem designed to outlive warranties, not usefulness. The irony is that fixing these devices can violate US Copyright law. Fulu pays anyway. The group's point is not just to revive gadgets, but to highlight how a decades old law now stands between ownership and permission. And that's the cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.