Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
The Russian Proton66 is tied to cybercriminal bulletproof hosting services. A new Rust-based botnet hijacks vulnerable routers. CISA budget cuts limit the use of popular analysis tools. A pair of healthcare providers confirm ransomware attacks. Researchers uncover the Scallywag ad fraud network. The UN warns of cyber-enabled fraud in Southeast Asia expanding at an industrial scale. Fog ransomware resurfaces and points a finger at DOGE. The cybercrime marketplace Cracked relaunches under a new domain. On our Industry Voices segment, Bob Maley, CSO of Black Kite, shares insights on the growing risk of third-party cyber incidents. And taking the scenic route through Europe's digital landscape.
It's Tuesday, April 22, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. Great to have you with us.
The Russian autonomous system Proton66 is tied to bulletproof hosting services that enable cybercriminal operations. According to Trustwave SpiderLabs, since January of this year Proton66 has been linked to global attacks targeting tech and financial sectors, including brute-force logins and vulnerability exploits. One IP address was tied to SuperBlack ransomware hitting nonprofits and engineering firms. Attackers exploited flaws in products from D-Link, Fortinet, Mitel and Palo Alto Networks. Proton66 also powered phishing campaigns using hacked WordPress sites and served XWorm malware to Korean-speaking users via social engineering. Its infrastructure was used to spread StrelaStealer malware in central Europe and hosted C2 servers for WeaXor ransomware. Some malicious domains were recently moved to infrastructure linked to Chang Way Technologies.
A new Rust-based botnet called RustoBot is hijacking vulnerable routers globally to execute remote commands. It targets TOTOLINK and DrayTek devices using known command injection flaws. Affected regions include Japan, Taiwan, Vietnam and Mexico. The malware uses crafted payloads to download and run architecture-specific binaries on compromised routers, supporting ARM and MIPS platforms. RustoBot features advanced techniques like XOR encryption and system API retrieval via the global offset table. Once active, it connects to command-and-control domains and can launch large-scale DDoS attacks such as UDP floods. Fortinet researchers stress that this threat highlights ongoing risks to IoT devices and the rising use of modern languages like Rust to build resilient and cross-platform malware.
CISA has ordered its threat hunting teams to stop using Censys and VirusTotal, key tools for cyber threat analysis and malware detection. This shift, driven by budget cuts and political pressure, may disrupt operations. Censys use already ended in March, and VirusTotal use ceased by April 20. The agency is seeking alternatives but acknowledges potential operational impacts. Contractor layoffs and broader downsizing are also underway. Experts warn these changes could weaken CISA's ability to track cyber threats amid rising attacks.
Two healthcare providers, Bell Ambulance in Milwaukee and Alabama Ophthalmology Associates, have confirmed ransomware attacks that exposed sensitive data of over 100,000 individuals each. Bell Ambulance detected the breach in February, with Medusa ransomware claiming responsibility and HHS reporting 114,000 affected. Alabama Ophthalmology Associates' breach began in January, with BianLian ransomware behind the attack, impacting over 131,000 people. Both incidents compromised personal, financial and medical data. These breaches add to a troubling trend, with over 700 US healthcare data breaches reported in 2024 alone.
Researchers at security vendor HUMAN have uncovered Scallywag, a large-scale ad fraud scheme using four WordPress plugins to drive illicit ad traffic through piracy and URL-shortening sites. The scheme reroutes users through cashout pages filled with ads before reaching their intended content. These intermediary sites slow users down with captchas, forced scrolling, wait times and extra page clicks to maximize ad views. Scallywag relies on deep linking to cloak ad-heavy pages as benign blogs, revealing content only after specific user actions. The four involved plugins, Soralink, Yu Idea, WPSafeLink and DropLink, are either sold to threat actors or offered for free. At its peak, Scallywag generated 1.4 billion daily ad requests, though traffic briefly dropped 95% before rebounding with new sites.
Cyber-enabled fraud in Southeast Asia is expanding at an industrial scale, driven by transnational crime syndicates, warns the UN Office on Drugs and Crime. These fraud operations, rooted in Myanmar and Cambodia, exploit vulnerable border regions, building scam hubs disguised as tech parks, casinos and hotels. Syndicates include traffickers, launderers and data brokers. With hundreds of thousands of trafficked victims supporting operations, criminals leverage encrypted platforms, crypto, and even generative AI to scale their fraud. Earning $37 billion in 2023, the crisis is spreading globally, reaching Africa, South America and the Pacific. UNODC calls for urgent action, better regulations, international cooperation, and stronger law enforcement. The region now faces a deeply entrenched criminal ecosystem that undermines state sovereignty and governance, likened to a spreading cancer.
Fog ransomware has resurfaced with a new twist: a ransom note referencing the U.S. Department of Government Efficiency and encouraging victims to spread the malware. Trend Micro reports the malware is distributed via phishing emails containing a zip file with a malicious LNK disguised as a PDF. Once clicked, a PowerShell script downloads various payloads, including the ransomware loader, data exfiltration scripts, and a vulnerable driver for privilege escalation. Victims also see QR codes for Monero payments and strange political references embedded in the script. Since January of this year, Fog has claimed 100 victims across multiple sectors. While Trend Micro suspects this latest wave may involve an impersonator using Fog's tools, they urge vigilance through updated backups, network segmentation, and monitoring for Fog-related indicators of compromise.
The cybercrime marketplace Cracked has relaunched under a new domain, cracked.sh, after being taken offline in January. During Operation Talent, authorities had seized 12 domains and a payment processor linked to Cracked and Nulled, but no arrests were made. In Cracked's case, the site's new admin claims servers were encrypted, preventing law enforcement from accessing user data. Researchers verified login access using old credentials, suggesting authenticity. Meanwhile, BreachForums, previously seized and known for leaking data, is also claiming a return, although its legitimacy is in question. A new site under the name Breach Fi appeared briefly, but confusion surrounds whether it's authentic or a scam. Cybersecurity experts urge skepticism, noting such sites often return under false pretenses or become law enforcement traps. Nulled remains offline, with arrests made in that case.
Elsewhere, Iranian national Behrouz Parsarad has been indicted by the U.S. Justice Department for running Nemesis Market, a dark web marketplace active from 2021 through 2024. The site facilitated over 400,000 illegal transactions, including $30 million in drug sales and various cybercrimes like selling stolen financial data, fake IDs and malware. At its peak, it had 150,000 users and 1,100 vendors. Parsarad also offered money laundering and crypto mixing services. He faces up to life in prison if convicted.
Coming up after the break on our Industry Voices segment, Bob Maley, chief security officer at Black Kite, shares insights on the growing risk of third-party cyber incidents. And taking the scenic route through Europe's digital landscape. Stay with us.
What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.
Do you know the status of your compliance controls right now? Right now we know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Bob Maley is CSO of Black Kite. And on today's sponsored Industry Voices segment, he shares insights on the growing risk of third-party cyber incidents.
Bob Maley
The research showed that a lot of the breaches didn't just happen overnight. So what the bad actors like to do is they like to discover vulnerabilities. They find their way in, and they're pretty silent when they're in there. That's something they're very good at, hiding behind the scenes, looking for assets that are valuable to them before they actually start the exfiltration. And a lot of times people find out the breach happened after the bad guys either announce it, they're selling their data, or they're shutting their systems down with ransomware.
Dave Bittner
Well, how do you define a third party breach? I mean, what's the breadth of what you include in that definition?
Bob Maley
Well, essentially, if a vendor of yours has something happen to them and, due to that breach, your data is exposed at that company. Or, what happens sometimes is, software that that third party produces gets compromised and you're using it in your environment. So it's used as a pivot point for bad actors. That third party, they'll pivot from there into your environment.
Dave Bittner
Well, let's go through some of the things that are covered in the report here. I mean, when we're looking back to 2024, are there any particular standout breaches from last year that in your mind really exemplify the risks of third-party vulnerabilities?
Bob Maley
Yeah, there were several. CrowdStrike was one. And I don't have all the companies in front of me, but I think there was five or six that were very public that are in their report. That just shows how extensive this problem can be. And you have to be very careful with your third parties.
Dave Bittner
What industries do you think were hit hardest by these breaches?
Bob Maley
If I look back through the statistics, I believe healthcare was number one, manufacturing was up there, and technology was also in the top five.
Dave Bittner
Well, let's dig into some of the mechanics here. I mean, what are some of the key methods that the threat actors are using to exploit these third-party relationships?
Bob Maley
Well, essentially, they're very good at finding things that are wrong on the outside of people's environment. What I mean by that is there's vulnerabilities present on the Internet, there's credentials that have been leaked, and they combine a lot of these things when they're examining the data to look for victims. And once they find something where they can get inside, it's typically not that all of a sudden, oh, they find the barn door is wide open, they get in and they get the keys to the kingdom right away. It really doesn't happen that way. They'll find a way in. And once they're inside, and again, that's where the silent part comes in, they'll start their reconnaissance of what they can see from their beachhead, and they'll figure out how to pivot to those assets in your environment that are more valuable. That's one way. Another way is the old simple phishing, where they've sent out phishing emails to your employees and one of them clicks on it, and they are automatically inside because that click will then launch some type of malware. And it depends on what that employee's privileges are at that company as to what the bad actors can do. But essentially it's another way to establish that beachhead.
Dave Bittner
One of the things in the report that your team talks about is the ripple effect of third-party breaches. Can you explain that to us? I mean, how does one supplier's breach impact an entire ecosystem?
Bob Maley
Well, you might want to look at the CrowdStrike breach. They were breached, and then look at how the ripples went out to so many thousands of other companies that were affected. So that's the challenge. And I think that's why third parties have really become a primary target. It's all about scaling your efforts. And from a bad actor's point of view, if I can breach one company and exfiltrate data, get a ransom paid, hey, that's great. But what if I could breach a single company that I can use now to allow me to jump off into 1,000 other victims? So it is economies of scale, and bad actors are doing what they do. They're getting money illegally and they want to do it in the fastest, easiest, simplest way. So they're just leveraging the fact that, well, more of the world is using third parties.
Dave Bittner
I have a hard time wrapping my head around how a defender comes at this particular problem, because it can be so broad. You know, there's so many potential suppliers. And how do you know what's going on under the hood of your supplier's software and products, and so on and so forth? What are your recommendations for people who feel like this is such a big hill to climb?
Bob Maley
Bourbon.
Dave Bittner
Love it.
Bob Maley
That may help alleviate the pain in the short term. It doesn't help solve this in the long term.
Dave Bittner
Yeah.
Bob Maley
And yeah, that's where research is really valuable. That's where understanding how you approach third-party risk management comes in. And I think that's where the challenges are: we're still stuck in a very old thought process of how we look at those. Questionnaires are typically the go-to risk assessment process to look at those third parties. And 20 years ago, they were fabulous, because there was nothing else. But times have changed. Bad actors have changed, the vulnerabilities have changed. The scope of our third parties has risen significantly, moving to the cloud. It used to be, oh, we had a hard, crunchy exterior and we protected our environment that way. And then the bad actors started figuring out how to kind of get around our hard, crunchy exterior. And it was an ongoing battle, but now we've moved out to the cloud and it's easy to spin up new vendors, and new vendors can get started, you know, if you don't have to invest a significant amount of money into physical servers and you can do it on the cloud. Which I think everybody today, that's what they're doing. You get spun up on the cloud. So the attack surface has grown significantly, and it is daunting. So we have to think about a different way of how we look at assessing third parties.
Dave Bittner
What do you hope that people get from this report? What do you hope the take-homes would be?
Bob Maley
To wake up and look at how their program is running today. What's the focus of their program? Risk management involving third parties should be focused on the reduction of risk. And I think a lot of programs today are more focused on, well, we're being told we have to do it. So it's more of a compliance checkbox process: sure, you're compliant, but have you reduced risk? And it's changing that thought process, having a more agile way of thinking about, well, how do we do this? And it's interesting, because when I'm talking to folks about looking at the outside-in view of vendors, they go, oh well, that's not that important. I'd rather have an inside view. So I have to collect all of their documents and I have to ask them all these questions. And while that information is valuable, it's also dated. It's not current, it's not real time. And bad actors aren't looking at your documentation to figure out how to break into your environment. They are looking at that external surface. So being able to shift your thinking to see the value in thinking like a bad actor, and try to get on a level playing field with them in the battle that we're engaged in here.
Dave Bittner
You know, Bob, we can't have a conversation about security these days without mentioning AI. How does it play into people defending themselves against third-party risks?
Bob Maley
Very interesting. I've watched this whole space over the last two and a half years since ChatGPT became a thing. And every time I would go to a conference, every vendor had the signs up, "Now with AI," and most of them really didn't. I was at a conference last week, and instead of "Now with AI," everybody just has the AI symbol, which lends the belief that they're all using AI in an effective way. And that's the challenge. They think just because we're going to use AI that we're going to beat the bad actors. And I heard some folks talking about, well, we're using AI to help speed up the questionnaire process, to help solve your issues with questionnaires, the time issue. And you look at it and, okay, well, yeah, I get that you use AI to ingest old documents, old information, and you pre-filled questionnaires, and you've automated a process with AI that's really not effective. Where AI, I think, has the ability to help us is to go through a lot of data and let us focus on areas that are problematic. Bad actors are using AI not to be ingenious, but they're improving their existing processes that work, and that's what we need to look at, because AI is not going away. The big discussion around third-party risk management is how do we assess someone else's use of AI, that vendor we want to buy from. Again, this is changing so rapidly that it's hard to keep track, and it's exciting and it's scary at the same time. The big thing going on today is that, oh, you can take your picture now and you can put yourself in a Ghibli movie.
Dave Bittner
Right, right.
Bob Maley
And you know, I'm guilty of that. On my Zoom icon, that's me. I've now been Ghibli-ized, as I call it. And that's all fun, but yeah, there's a lot of value and potential. But everybody's expecting AI to solve all the big problems for us, and today it can't. But it can be used to help us identify, to improve, to automate, to do better at what we're already doing.
Dave Bittner
That's Bob Maley from Black Kite. It is always a pleasure to welcome back to the show my next guest, and that is Kim Jones, host of the CISO Perspectives podcast, part of CyberWire Pro, right here on the N2K CyberWire network. Kim, welcome back.
Kim Jones
Great to be back as always, Dave.
Dave Bittner
We are continuing down this road of exploring cyber talent. And the episode you have coming up is really intriguing to me. It's titled "Are We a Trade or a Profession?" Unpack that for us.
Kim Jones
Yeah, so I've been in the profession long enough. In fact, I'll take a step back. This topic began to intrigue me around the mid-2010s. The National Academy of Sciences released a report saying that cyber should still be seen as just an occupation because we were too young, et cetera. And then as I've continued throughout my professional path, I've seen arguments from folks that say what you know should be the only thing that actually contributes to us being promoted or selected, in terms of our raw skills, which would seem to indicate that we are more trade-like within the environment. Yet there are certain skills and business capabilities and communication skills, as we advance up our career to get a seat at the table, that would indicate that we may be more profession-like within the environment. So, continuing along this multi-episode arc regarding talent, it's worth understanding: are we a trade, are we a profession, are we both, are we neither? Because we probably have some parts of both of those things within our career pathing. And how do we distinguish between the two? Because that can impact how folks enter our career, how they enter the cybersecurity domain. And unless we understand what that is, and when the inflection points are, and what's needed, we can end up inadvertently excluding people who want to actually come join us.
Dave Bittner
Well, I mean, let's dig into that. Why does it matter whether we are a trade or a profession? What difference does it make?
Kim Jones
Okay, so let me just dig into the trade portion. All right. And I'm going to go to plumbers and electricians, and I'm going to give a shout-out to my old admin's husband Chad, who was a lineman. Okay. Trades have several things. There are clearly defined standards of entry, in terms of: this is what I need. If you're a lineman, you have to have a high school degree with at least two semesters of algebra in order to be considered to enter the trade. There are structured mechanisms to allow you to advance, in terms of knowledge requirements to go forth if you want to go from an apprentice. And by the way, there's a formal apprentice structure. In order to become a journeyman, you must learn certain things, have the capability to do certain things, and have X number of hours as an apprentice before you become a journeyman. And the list goes on. So there are pieces and parts of what we do. That said, okay, if that's the case, then I can have clear expectations of requirements of knowledge when I come in. I must be in a situation where we must massively support true apprenticeship within the environment. Not just internship, where we have people go for coffee or go to the mail room, et cetera, but true learning apprenticeships within the environment. And I know what I can expect from those individuals as we advance, so we can clarify what those needs are if we are truly a trade. But if we say we're a trade, there's a lot there, Dave, just what I've talked about, that we're not doing. And if we believe we're a trade, then, excuse my language, damn it, we ought to start doing that. And if you look on the profession side, there are things that would advocate for us to be a profession. But there's some things we're missing, such as an overarching code of ethics. Although we would all indicate, and we do, act morally and ethically within the environment, the biggest thing is the ability to sanction. If you do certain things as a lawyer, you can be disbarred. And again, I told you, I'm not caffeinated. You get prohibited from practicing your craft. Same thing if you're a doctor. We have no standardization body here. So if I understand what's required in order to advance, and I understand how that advancement is structured, I can then begin to solve the problem that we all have. And we talked about this last week, in terms of: we now have more openings, we don't know how to fill them. As we're filling these openings, we're complaining about lack of skills, lack of capabilities, et cetera, because we don't know what we want to be when we grow up. So maybe one of the ways that we can dissect that is to say, are we a trade, in which case we should be doing these things in order to advance our careers; are we a profession, which means we should be doing these things to advance our careers; or is there an inflection point? Because we are actually both. And say, at a certain point in your career, or in certain jobs, we need to shift from one to the other, and then talk about what's needed to make that shift successful.
Dave Bittner
Well, it's CISO Perspectives. It is part of CyberWire Pro, which you can learn all about on our website. And the host is Kim Jones. Kim, thanks so much for taking the time for us.
Kim Jones
As always, thanks for having me, Dave.
Dave Bittner
Bad actors don't break in. They log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing: your data. Varonis' AI-powered data security platform secures your data at scale across IaaS, SaaS and hybrid cloud environments. Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at varonis.com.
And finally, every time you check your email, map a route, search for a hot dog recipe or stream a show, odds are your data packs its bags and settles in the arms of American tech giants: Google, Apple, Meta, Amazon, Microsoft. You know the crew. The US is basically the digital landlord of modern life. But what if you'd rather not have your online behavior monitored under the watchful eye of American data laws? Well, Europe has alternatives, and Denmark's Information publication has published a handy guide. Privacy-respecting search engines like France's Qwant, Britain's Mojeek or Germany's Ecosia offer solid Google-free searching. The Vivaldi browser from Norway, built by ex-Opera devs, lets you surf ad-free with nerdy flair. Ditch Gmail for encrypted inboxes like ProtonMail from Switzerland or Tutanota from Germany. Navigating without Google Maps? Organic Maps, based on OpenStreetMap, works offline and doesn't track your steps. Social media isn't off limits either. Try Mastodon instead of X/Twitter, Pixelfed over Instagram and PeerTube for decentralized video sharing. Just don't expect to find your grandma's casserole recipe there. Not yet. Streaming fans can dive into DR TV, MUBI or Filmstriben for curated European content, and for cloud storage, Nextcloud and Tresorit are strong privacy-focused contenders. Even hardware isn't out of reach. Fairphone from the Netherlands and Murena One from France offer de-Googleized smartphones, while Slimbook from Spain and France and Tuxedo from Germany make Linux-powered laptops. Escaping the US digital grip takes effort and a bit of curiosity. But if you're ready to explore tech without the stars and stripes, Europe's got your back.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
And now a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24/7/365 with BlackCloak. Learn more at blackcloak.io.
CyberWire Daily: Proton66’s Malware Highway - Episode Summary
Release Date: April 22, 2025
Host/Author: N2K Networks
1. Overview
In this episode of CyberWire Daily, host Dave Bittner, powered by N2K Networks, delves deep into the intricate landscape of contemporary cyber threats. The episode, titled "Proton66’s Malware Highway," explores various facets of cybercrime, from sophisticated botnets to ransomware attacks on critical sectors. Additionally, the episode features insightful discussions with industry experts, shedding light on the evolving challenges in cybersecurity.
2. Russian Proton66 and Cybercriminal Hosting Services
The episode opens with an analysis of the Proton66 autonomous system, a Russian entity heavily involved in cybercriminal activities. According to Trustwave Spider Labs, Proton66 has been a linchpin in global cyber attacks since January 2025, primarily targeting the technology and financial sectors. Their methods include brute-force logins and exploiting vulnerabilities in networked devices.
Notable Quote:
“At its peak, Proton66 has been linked to multiple ransomware hits, showing the adaptability and resilience of their infrastructure,” says Dave Bittner at [05:30].
3. Rustobot: A New Rust-Based Botnet Targeting Routers
A significant focus is placed on Rustobot, a newly identified botnet developed using the Rust programming language. Rustobot aggressively targets vulnerable routers globally, exploiting known command injection flaws in Totolink and Draytek devices.
Notable Quote:
“Rustobot is a testament to the evolving sophistication of botnets, leveraging modern languages to enhance their persistence and effectiveness,” explains Dave Bittner at [10:15].
4. CISA Budget Cuts and Operational Impacts
The episode addresses the ramifications of budget cuts at the Cybersecurity and Infrastructure Security Agency (CISA), which have curtailed the use of pivotal analysis tools like Censys and VirusTotal. These changes are attributed to financial constraints and political pressures, potentially diminishing CISA’s capacity to monitor and respond to cyber threats effectively.
Notable Quote:
“Budget cuts at CISA may severely weaken our national defense against the rising tide of cyber threats,” states Dave Bittner at [12:50].
5. Ransomware Attacks on Healthcare Providers
Two prominent healthcare providers, Bell Ambulance in Milwaukee and Alabama Ophthalmology Associates, have fallen victim to ransomware attacks, compromising sensitive data of over 231,000 individuals. Both incidents highlight the vulnerability of the healthcare sector to cyber extortion.
Notable Quote:
“These attacks underscore the critical need for enhanced cybersecurity measures in the healthcare sector,” remarks Dave Bittner at [14:00].
6. Scallywag Ad Fraud Network Uncovered
Researchers at security vendor Human have exposed the Scallywag ad fraud network, which manipulates ad traffic through compromised WordPress plugins. The scheme redirects users through ad-laden cashout pages embedded with captchas and forced interactions to inflate ad views.
Notable Quote:
“Scallywag’s exploitation of WordPress plugins illustrates the sophisticated tactics used to bypass traditional ad fraud detection methods,” says Dave Bittner at [16:30].
7. UN Warns of Industrial-Scale Cyber-Enabled Fraud in Southeast Asia
The United Nations Office on Drugs and Crime (UNODC) has issued a stark warning about the exponential growth of cyber-enabled fraud in Southeast Asia, attributing it to transnational crime syndicates operating out of Myanmar and Cambodia.
Notable Quote:
“Cyber-enabled fraud in Southeast Asia has become an industrial-scale crisis, undermining governance and state sovereignty on a global scale,” states Dave Bittner at [18:00].
8. Resurgence of Fog Ransomware
The Fog Ransomware family has reemerged with a new variant incorporating a ransom note that references the U.S. Department of Government Efficiency, urging victims to disseminate the malware further.
Notable Quote:
“Fog Ransomware’s latest iteration demonstrates the persistent evolution of ransomware tactics, blending social engineering with advanced malware deployment,” explains Dave Bittner at [19:45].
9. Cracked Cybercrime Marketplace Relaunches
The notorious cybercrime marketplace Cracked has resurfaced under the new domain cracked.sh following a takedown operation in January that seized 12 domains and a payment processor. Despite law enforcement efforts, no arrests have been made, and the site’s new administrator claims encrypted servers have thwarted further investigations.
Notable Quote:
“The relaunch of Cracked signifies the resilience of cybercrime marketplaces, often morphing to evade law enforcement and maintain illicit operations,” notes Dave Bittner at [21:00].
10. Industry Voices: Bob Maley on Third-Party Cyber Incidents
In the Industry Voices segment, Bob Maley, Chief Security Officer at Black Kite, discusses the escalating risk of third-party cyber incidents and the complexities of managing third-party risk within Europe’s digital landscape.
Notable Quotes:
“Attackers don’t break in; they log in,” Maley asserts at [14:04].
“Risk management involving third parties should focus on the reduction of risk, not just compliance checkboxes,” he adds at [21:27].
11. Industry Voices: Kim Jones on Cybersecurity as a Trade or Profession
In another Industry Voices segment, Kim Jones, host of the CISO Perspectives podcast, explores whether cybersecurity should be classified as a trade or a profession, highlighting the implications of each classification on career development and industry standards.
Notable Quotes:
“If we believe cybersecurity is a trade, then we ought to start instituting formal apprenticeships and advancement structures,” Jones states at [28:19].
“Cybersecurity is neither solely a trade nor a profession; it encompasses elements of both, necessitating a hybrid approach to career development,” she concludes at [31:55].
12. Conclusion
The episode of CyberWire Daily titled "Proton66’s Malware Highway" offers an extensive examination of the current cyber threat landscape, underscored by expert analyses and real-world case studies. From the sophisticated operations of Proton66 to the emerging threats posed by Rustobot, the discussion underscores the dynamic and ever-evolving nature of cyber threats. Additionally, insights from industry leaders like Bob Maley and Kim Jones provide valuable perspectives on managing third-party risks and defining the professional standards within cybersecurity.
This comprehensive summary encapsulates the critical discussions and insights presented in the "Proton66’s Malware Highway" episode of CyberWire Daily, providing listeners and non-listeners alike with a thorough understanding of the evolving cybersecurity landscape.