B (9:26)

Yep.

A (9:27)

Jerry, go ahead and say hi to Mrs. Boston. I will, Bilbo. It's good to see you, dude. By the way, fun fact, Fun fact, his name's real Bilbo, but it's not anything to do with the Lord of the Rings. I. I made that mistake. A lot of people make that mistake. So just fun fact, I'll. I'll leave it to the trivia nerds to figure out what it's all about. All right, let me reset this music. We got to read some ads because I got to pay the bills. Chat doesn't pay for itself, everybody. All right, so let's check it out. First of all, let Me say shout out and thank you to Delete me. Delete Me. Paying for TEMU chat. This cup of coffee. My, my situation, my add all these things. Delete Me. What's up? Delete Me. I see you, yo. Delete Me makes it easy, quick and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone, including you, space tacos vulnerable. Zmif, your data is a commodity. Anyone on the web can buy your private details. Ray W699. This can lead to identity theft, phishing attempts and harassment. But guess what, Grady? Now you can protect your privacy with Delete Me DJ B sector. You know, as someone with an active online presence, privacy is really important to me. Listen, I'm up here doing this show all the time. I have hot takes. Sometimes I have political things that accidentally leak in and I could piss someone off. You know what? I don't want them showing up in my house. How do I help manage that? From being sold through data broker websites, I use Delete Me. It's awesome. They basically take care of it all and go get rid of my data. Take control of your data. Keep your private life private by signing up for Delete Me now at a special discount for our listeners. Get 20% off your delete Me plan when you go to join deleteme.com simply cyber. Use promo code Simply Cyber checkout. The only way to get 20% off is go to joindelete me.com simply cyber and a code Simply Cyber at checkout. That's joined deleteme.com cyber code simply cyber. Let's see how to delete Me for the year. All right, what else we got cooking in this bit up in this piece? Oh, anti siphon training. Come at me, bro. John Strand is going to melt your face with 16 hours of cyber security education. That is next level. This is not a security plus primer class. This is straight up hackback. Honey tokens, canary tokens, ethics, morals, the Gambit Live Labs 16 hours, 4 days. 4 hours a day, 11 to 3. Which means you get to get to work. Check your email, talk to Kevin, make sure he gets handled. Boom. You take an early lunch, four hours of training, you button up a couple loose ends at the end of the day. Easy peasy lemon squeezy. It's not even like you took time off. Plus the education is as low as 25 for the live training. Don't sleep on this. Go to antiphontraining.com today. Scoop that up and giddy up on it. I'm going to take a huge slug off my coffee while we listen to Threat Locker and when I come back we are going to tear the top off this sucker. I want to give some love to the Daily Cyber Threat Brief sponsor Threat Locker do zero day exploits and supply chain attacks keep you up at night. Worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com DailyCyber Foreign. Do me a favor everyone. If today's your first episode, you picked a heck of an episode. Drop a hashtag first timer in chat so we can celebrate you being part of this community. Sit back, relax, get your fifth cup of coffee like me and let's let the cool sounds of the hot news wash over all of us in an awesome wave. I will see you in the mid roll from the CISO series.

C (13:48)

It's Cyber Security Headlines.

D (13:54)

These are the cyber security headlines for Friday, December 19, 2025. I'm Steve Prentice. Recent Windows Updates Break Remote App Connections Yesterday we reported on Microsoft's December 2025 security update breaking message queuing on older Windows 10 and server systems. It appears another update related breakage is also occurring. This one, Based on the November 2025 non security update, is triggering remote app connection failures on Windows 1124H2 and 25H2 and Windows Server 2025 Devices in Azure virtual desktop environments. Remote App enables users to stream individual Windows applications from the cloud without loading an entire virtual desktop, making them run like local native applications. Microsoft says this issue does not affect personal devices running Windows Home or Pro editions. Since Azure Virtual Desktop is predominantly deployed in enterprise settings, no timeline for a permanent fix has yet been announced.

A (15:04)

Okay, so a couple things. One, if you are a IT administrator, again, this is like less cyber security and more IT administrator. But it is worth noting because this is one of those issues that because it's a patch that broke it, if you have to constantly harangue your workforce or harangue your IT counterparts to patch their stuff and then they finally do it and then it breaks something, they're going to be like see and and this is the words they're going to use every single time I patch or you have me do something security, it breaks something, right? So like every single time is absolutely hyperbolic. But just be aware that these are some of the fights you're going to have to get. This particular issue I, I think would have already cropped up in your environment, so you already would have seen it. And because it's causing remote connection issues, it would have needed to be troubleshot sooner than later. DJ B might want to chime in on this, but essentially this is more for corporate environments, which is fine. There has been somewhat of a push in some businesses with this Azure remote desktop. So basically the more things change, the more they stay the same. Like I'm not even joking. Like 50 years ago they used to do thin clients, okay. So like you would just have a stupid little, you know, displaying like little easy connector and then you'd connect into the mainframe, like the server and you would run your processing on there. And then we got fat apps and you know, big beefy hardware. You got your Gateway 486SX with the Turbo button. You got your, you know, E machine or whatever, you were doing your Hewlett packard in the 90s, you know, pick your favorite color of beige and that was what color mirror machine looked like. And it was all running local. And then we got cloud and all this, you know, high end bandwidth networks deployed everywhere. And now we've gotten back into having cloud based solutions where all the processes is being done, which is why SaaS apps are huge right now. Now that's fine and not a big deal. The next iteration is to have your workforce's endpoints hosted in Azure. So now you get back to having these kind of thin clients that are dumb and all of your storage, all of your things are up in the cloud, which is great from a cyber security perspective because number one, you're, you're able to kind of self contain the data, right? So your data isn't floating around with Carl, the end user, right? It's all hosted in your enclave, to use a DOD term, your enclave. And then when Carl leaves his laptop in an Uber or Carl defects to your competitor, you can just cut it off and be like, no, not today, bud. Right. So this is kind of the benefits. The problem is you have to access that, that desktop up in the environment, right? So if your remote app connection, which I assume is kind of the standard approach to getting into this thing, is broken now, you have operational issues. And this is literally just the trade off. Any. Listen, I don't care what it is. Anytime you elect an option, there are always going to be pros and cons. Okay, you, I'll give you a perfect example that would resonate with everybody here. Oh, am I gonna get an Xbox or a PlayStation? Xbox or a PlayStation. No one's gonna get both. Unless you're like the kid down the street whose parents, like gave him everything because they were trying to overcompensate. You know, they own like a really cool golf cart and all that. Like whatever that kid aside, most of us. Xbox or PlayStation. Right? Well, get PlayStation, that's fine. You get the exclusive Spider man games, no problem. But now you don't have access to like Xbox Live and all the Xbox features. Right? So there's always a trade off when you do this. Yes, you get great data governance, you get great ability to update endpoints, do asset inventory, and rule all the things. But then if you can't access it, you're down. Right? And you can come up with compensating controls around that. But just know the bigger picture here is anytime you make a decision, architecturally speaking, you must evaluate the downsides. What are you giving up? What risks are you introducing it? Everything isn't just rainbows and unicorns for the option that you like and crap for the other options. You've got to be pragmatic and objective or else you're going to ruin everything. All right, what do we got here for the talks. He says this affects Windows 10 only, so they could be affecting systems that would not have been upgraded. Yes. No, I didn't have a golf cart growing up. By the way, it does say connection failures on Windows 11 in the story here. And Windows Server 2025. Just saying. So it does affect all these. Again, let me tell you, my whole value proposition for this show is to give you value in stacks, right? You can read this story on your own. You don't need me to read it to you. This isn't like kindergarten where I'm getting you guys all up on the play mat right before nap time and I'm going to read you something you could read yourself. The value is giving you additional insights beyond the headlines or bigger macro level pictures. And the macro level one here is it doesn't matter what you choose, you always need to evaluate the consequences or the impact of the or the downside of those options. This right here isn't breaking news because if this has already happened in your environment, you are already dealing with it. It has already blown your phone up and complained at you. You've already been thrown under the bus at the weekly IT meeting because of this. All right. Also Patrick stuff. Ah, you got a Patrick. All right. They do have a workaround. It's basically running some type of registry command here, adding a key in there, whatever. Classic Windows fix. Just put a stop gap in it. I will say if you do modify the registry, make sure if you have to back it out, you back it out too. Back it up, pack it up, pack it in. Let me begin.

D (21:10)

France arrests threat actors for installing malware on Italian ferry.

A (21:14)

Oh wow, there's a lot of euro going over that.

D (21:16)

One arrested two crew members working on an Italian passenger ferry. These crew members are suspected of infecting the ship with malware that could have enabled them to remotely control the vessel. One of the pair, a Bulgarian national, has been released without charge, while the other, a Latvian suspect who recently joined the crew of the Italian owned ferry, remains detained and faces charges of conspiring to infiltrate computer systems on behalf of a foreign power. This after a remote access tool was discovered by the shipping company itself while the ship was docked at the Mediterranean port of Cette, which is located in southern France.

A (21:56)

All right, hold on, let me re. So I don't research or prep for these stories, so I do have to I get them with you in the moment. This particular one, I want to read just a little bit more here. Malware was discovered by gnv, who's the company that owns the ferry, by the way. This isn't like Huckleberry Finn's Fairy where it's like six logs lashed together in like a stick with a white flag on it. This is like a friggin cruise ship basically, designed to ferry people around whatever the Mediterranean. So we're talking big, big, big boats here. Okay, let's see. Seizure of number of items that will be need examined. Okay. Whatever malware was discovered by them, which alerted Italian authorities and French general directed. Whatever. Let's see. So it was docked at a port and then got infected. I'm loving this, by the way. I'm going to tell you why in a second. Try to hack into a ship's data processing system. All right? Okay. Okay. So the, the group is facing a maximum of 10 years in prison and they're being charged with access to an automated personal data processing system. Whatever, whatever law you need to throw at them in order to charge them with something, go for it. But there's a much more insidious impacts statement at play here. First of all, I'm confused. There's so many different Countries involved in this one. I think it's the French that did the arresting. Okay, French. Let's do. You know, I don't know, regular LE regulators. Oh, come on. Regulators. All right, so check it out. Listen, listen, really quickly. Number one, insider threat. So some jack wagon got on the boat or worked on the ferry, got the thumb drive and plugged it in. This whole thing reads like the, like the, The. The second act of a James Bond movie where the threat actor compromises this fairy and it's like a high action sequence. But it does get thwarted, right? If it was the opening sequence, it. It wouldn't have got thwarted and it would have set up the, The. The. The plot line of how bad the bad guy is and all these other things. Technical acumen, whatever. So insider threat number one. Number two, like, they buried the headline. The. The. The malware could control the boat. Are you kidding me? Did you not see what happened in Baltimore last year when that cargo ship hit the Key Bridge? I think it's called the Key Bridge, right? Like, serious, serious infrastructure damage, loss of life. Like, if you could control this ferry, you could drive it into that other boat in the background or drive it ashore. That boat probably cost hundreds of millions of dollars. So, like, the fact that it could be driven is insane. Like, they're being charged with, like, having access to pii. Like, okay, whatever, like, whatever, you got to throw cuffs on these people and get them out of here. But. But yeah, it stucks in that 2.0. Yeah, I mean, it sounds very much like that. Now, the only thing I'm gonna say right now about this is I absolutely love it. I've been on a. I've been on a boat, like a legit huge boat like this when I went to Antarctica and I got to be on the bridge and all this other stuff. There is a unbelievable amount of technology inside the bridge. Like stupid amounts and, and lots of, like, satellite comms and GPS everything. And there's, like, hooking into other, you know, systems and whatever. So personally, you're not going to stick an EDR solution on some custom appliance on the bridge? The fact that they were able to detect an infection is awesome. I don't know what kind of sec ops capability this fairies company's running, but I don't know about you, but I wouldn't think about like, oh, yeah, we better put. Put some EDR on this boat. You know what I mean? So, so love the fact that they did that. Love the fact that they. The. They took swift action. This was not Like a, hey guys, let's spend, you know, 16 to 32 hours, you know, evaluating what's going on. No, it's like they, the problem, they took care of it, arrested these guys and got out of there. Also, by the way, like, how often is it like the person is on, like on the boat, right? I mean, obviously it's not a boat very often, but like the criminal was physically there, insane. So I, I, you know, I'm glad no one got hurt. I'm sure none of the passengers were aware, but way to go, gnv. Okay, also just as a shout out since I guess since we're doing this and I'm feeling myself today. I'm on a boat. I'm on a boat. Yes, sir. Snl. Great skit. Love it, love it, love it.

D (27:01)

Senate Intel Chair UR Safeguard Against Open Source Software Threats Tom Cotton, the Senate Intelligence Committee Chairman, is asking National Cyber Director Sean Cairncross to take steps to counter the risks of foreign adversaries playing too heavy a role in open source software. Describing the environment as one in which, quote, threat actors assume that contributors are benevolent so they can insert malicious code into widely used open source code bases, end quote. As some examples, Cotton mentioned a beta version of the compression utility XL Utils, as well as a Russia based developer that is the sole maintainer of some open source software that exists inside Defense Department software packages.

A (27:47)

All right, so looks like center. Senate Intelligence Committee Chairman Tom got an Eye Joe. Okay? His name's Tom Cotton. Okay, we're not going to do a Cotton Eye Joe reference. Drink. All right, so listen, looks like we're slowly sliding into McCarthyism here. So because there's a Russian, a Russian citizen who's a developer of an open source package, it, well, we got to pull it. Now listen, I, I agree with him. I understand what he's saying. He's saying that because anyone in the world can commit code to open source repositories, which is, which is why it's called open Open source, okay? Because anyone can contribute to that. There is a high risk that there is foreign adversaries meddling in the software packages that are being used by the Department of Defense. Now I just want to point out something really quickly. Senate Intelligence committee Tom Cotton 100%. The fact that the DOD is using this piece of software that has a single Russian developer behind it for whatever they're doing in the dod. I hate to be, I hate to be like this guy, hold on one second. I am going to be this guy. I am like, I'm out of my mind today. Look at this. Hold on one second. Here we go, here we go. Here we go again. Look at like Senate Intelligence Committee Tom Cotton, actually you elected to implement that software in your environment. The problem isn't, it is a Russian developer behind it. The problem is that you selected it and put it in, probably because it cost $0. So like, you know what I mean? Like what, what are we, what are we saying here? So like the whole idea behind open source is that it allows anyone to contribute to these libraries, right? You're not required to use them. That's the shocker. This isn't authoritarianism where you're told, here is your, you know, here's your shovel, here's your flashlight and here's your open source code that you need to use. Like you get to pick your own adventure, dude. So as far as like legislation goes, you may want to consider, I don't know, dictating that the US Federal government is not allowed to use, like do the due diligence to figure out who the authors are. Not to mention, by the way, like it's trivial for a Moscow based developer to just say they live in Tallahassee, Florida, VPN in and do all their codes there. So like, like, I don't know man, I, I get what he's saying. He's saying, oh like Russia and China obviously don't have America's best interest at heart. So here's the, here's the leap that I don't like. Therefore anyone that's Russian or Chinese must be bad for America. That's kind of what he's saying with this, with this particular thing. Yes, threat actors have made contributions to open source code repositories that have led to malware infections. It's not necessarily nation state aligned. And oh, by the way, the United States can do this to other threat act, I mean nation states just as easily as they can do it to us. Additionally, they can be from anywhere. Okay, I like this. This just feels like digital internment camps from World War II. Okay, now listen. Yes, back doors, Trojans, keyloggers, info stealers, they're all over the place. I, I don't think the citizenship of the author is the thing. You know, it's, it's more about the ideology, ideal ideology of the developer than it is anything. And I don't understand what the solution is. The solution is to not use that software, period. Right. We've made these big decisions in the past, right? You're not allowed to have Kaspersky antivirus. You're not allowed to use Tick tock. You're not allowed to purchase Huawei technologies. Okay, And. And, you know, some of these things are rooted in truth and, you know, make sense as a policy decision. But if you're going to say you can't use software developed by Russian citizens, okay, how are you going to possibly enforce that? Have you not attended my talks, Senate Intelligence Chairman Tom Cotton? On supply chain? That I did in 2025, I had, like, a road show going where I gave the same talk, like, five times. Dude, like, anyone in chat right now tell me your. Your. Your grandmother's father's name. You're probably not gonna know it, like, just a few generations away. You don't know that, right? Everybody knows their dad's name. Everybody knows their dad's dad's name. Many of us may not know our dad's dad's dad's name. Okay, so just like one generation above your grandfather, you may not even know. The whole reason I bring this up is because when you think about software, you. Oh, hey, we run. I run obs. Like, I know what software I'm running. I run obs for my visual studio stuff. Okay, well, what's in obs? Well, let me look really quickly. Okay? I see that we're running, like, you know, whatever log 4J in obs. Okay. What's. What's inside of log 4J? Well, I don't know. Okay, so it's hard. All right? It's hard. What you really need to do is actually do, you know, either test the software. So you're looking to see if it makes any communications back to unknown C2s or does any type of anomalous trojanized behavior or put detections in place. So once you implement it, you can track these things. That's what's up. Just carte blanche. Saying you're not allowed to use it is kind of a. A lame, lazy answer. All right? The DoD will not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishment. Okay, Pete, Hegseth, That's a fine policy, okay? And let me go beyond the headlines for a second, guys. Okay? Here's going beyond the headlines. Number one, your executive team can come up with a policy like this. Art, I'm going to say it says dod, but let's just say our business, okay? Whatever business you work for right now, it doesn't matter if it's state, federal, local, private sector, fintech, petroleum products, it doesn't matter, okay? Our company will not procure any hardware or Software susceptible to adversarial foreign influence that presents risk to mission. Okay, that's fine. Thank you, cio. Now, how do we implement that? You're only going to purchase tech that goes through US based sourcing, and you can get a clear providence of the, of where all the software that built into that product came from. You are, can do that. You can absolutely do that. Okay. And I'm sure you, you felt great when you made this big policy declaration and signed it with a fancy $300 pen. But implementing this in practice is, one, going to be incredibly difficult. Two, it will be expensive because you're going to have to source basically, like only organic food. And three, you're going to be limiting yourself on innovation because now you've just cut off a giant part of the software population that could possibly help you innovate and, and achieve your goals as a business. But no, no, no, no, no. I'm a peon. I'm just going to go back to my, my trench and with my other troll friends, and we're just going to continue to implement your policy here. Okay? So, yes, you can do this, but in reality, you have to be much more, have much more finesse and much more nuance in implementing policy. It always kills me when you get these, like, I don't want to call them lazy executives, but executives that make these broad, sweeping statements and then they're like, they leave the car running because they're not going to be here that long. They leave the car running, they decide, hey, starting now, we're only going to purchase things from, like, wherever or we're only going to serve, you know, like, we're only going to sell to, like, righteous people. All right, everybody, see you. Good night. I'm. I got a Christmas party to roll to, and it's like, Jesus, man, you just left us in a massive lurk. Like, how do we implement that policy, dude? All right, thank you for coming to my TED Talk.

D (36:09)

Chinese attackers exploit Zero Day to target Cisco email security products. This Exploit has a CVE number and a maximum severity score of 10 and affects appliances with certain ports open to the Internet that are running the company's Async OS software for its secure email gateway and Secure email and Web manager. Chinese hackers have been exploiting this since late November, the company said on Wednesday. The attribution to a Chinese threat group is based on the assessment of the tools and infrastructure used during the attacks.

A (36:44)

I don't know if Cisco's email security gateway has updated its interface in the last three years. But I used it in 2022. It. It needs a visual overhaul. And I hate to be so petty. Like, functionally, it's a great tool, but the UI is like, oh, it's like late 90s, early 2000s. All right. It definitely built for function, not for fashion. All right, so Chinese attackers exploiting zero days. All right, they're able to tell it's Chinese because the TTPs. Yeah, you know me. All right, drink. TTPs are. I always get it confused. Tactics, Techniques and processes. It's one of the acronyms that I just say all the time. Let's see, Tactics, techniques and Procedures. Okay. Basically, what motivates an attacker, how do they execute it, and what's their common practice? Like, they normally fish for creds, they normally brute force for access. They normally call help desk. Like, these TTPs are fingerprints, essentially, because they're. They're pretty common practices for the threat actor. Like, they're not going to learn a new trick because. Because you know, the number. The way that they do it is effective. Right? All right, so what are we getting here? All right, all right, so here we go. Companion blog sister confirmed this thing. All right, let's look at the cve. So if you're running Cisco email gateway. Oh, wait, hold on one second. Let me go to DJ B Sex epss tool. DJ B Sec is in chat right now. Also, he's going to be your host next week. So give it up for DJ B Sec. He'll be. He'll be hosting your daily cyber threat brief next week. As I'm. As I'm put out to pasture for two weeks. All right, let's get some results on this thing. Holy crap, this is ugly. Okay, so number one, if you're running Cisco email security gateway, you have a 4% chance of getting hit in the next 30 days. If you get hit, it's. It's bad. Okay, this ranking right here, 88%. It means of the hundreds of thousands of vulnerabilities in EPS, this is database. This is in the 88th percentile, which means you'll be walking funny for like two weeks if you do get exploited. Okay? Don't mess around with this. There's certain things that, in my opinion, there's certain things that you don't want to mess around with anything to do with security. And I don't just mean that because I'm a security dork. I mean, security is there to control and protect, right? So if your identity and access management servers are affected, your patch management systems, your VPN systems, like Your firewalls, any of those things are, are taught your domain controller, obviously, if any of those things are touched or impacted in any, you know, consequential way, it's okay. That's bad. Your email is on that same par. Because your email, there's all sorts of things in email, right? Business email compromise can happen. Denial of service, obviously you can, you can start doing social engineering very effectively if they can control the email. So don't. You don't want to mess with it. It can, it's seriously damage business operations. Okay. Cisco does recommend restricting access to the appliance. Thank you. My God. I. Okay, so Cisco recommends restricting access to the appliance and implementing robust access controls. Okay, let me, let me put this in like lay speak, if we will, or put this into normal talk. Cisco recommends you don't use default passwords and you remove any user accounts from employees who left four years ago. All right, thank you. The company added that its email and web manager appliance should be put behind a device like a firewall. Also recommend you implement best practice network segmentation and network architecture. Okay. All right. Okay. All right. So what. What are they doing here? All right, let me just do this one quick thing. You can actually see the Talos blog. I love Cisco Talos. They're the Threat Intelligence Group. There's a guy named Joe Marshall who's really, really big into ICS and OT that works over at Cisco Talos. He's been a guest on the channel a couple times. He is an absolute delight. There's certain people in our, in our industry that are exceptional people. Like I know many of us in chat are great. You guys are great. This guy right here. Come on. Where's my Joe Marshall? Oh, give me a picture of this guy. There he is. Look at this guy. If you get a chance to ever meet this guy right here, Joe Marshall, look at this. Here's his, like his, his tops baseball card. This probably would have been like a Don Russ future all star. This guy right here, absolute ace. All star. You want to know who's not getting coal in their stocking this Christmas? This guy right here. Love this guy. All right, so Cisco says get your stuff together. What's the remediation? Hold on. Coverage and remediation. So if you, if you're all about, just get to the point, right? Not for me, but like for your own workloads. Just always control F and look for IOC or remediation. Okay, recommendations are available here. Okay, let's see. Okay, so by the way, always important to note. Yes. Marcus Kyler. Hey. Oh, you know what sucked about Don Russ cards? They were larger than all the other baseball cards so all your top loaders wouldn't work, and then you'd get. You bend the top because you were a kid and you, like, didn't know how to take care of stuff. Okay, listen, always, always, always patch your stuff. Ah, you gotta patch it. Secondly, secondly, make sure if you had. If you had a exposure window that you at least if you have time take a sniff on IOCs to see if you were actually compromised in that exposure window. Oh, this sucks. You have to actually open a. A tac case with Cisco for them to look. So there's no easy to look around and see if you've been exploited. If you can't. What's the. What's the actual fix here, bro? Whatever, I guess just make sure that your. Your products harden. It's confusing to me, like, what the. If this is like a technical exploit or what, but it annoys me, like when you say cyber attacks like that could be brute force credentialing, which means that the appliance is actually fine, but you got to make it a big thing. All right, all right, let's keep going. I am way behind on schedule, honestly. Normally I would apologize at this moment, but I'm feeling good and I'm feeling all right. So we're just gonna cruise. We're just gonna cruise.

D (44:06)

Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first cyber security company backed by OpenAI. Security training fails when it's generic. Adaptive's platform personalizes training and runs deep fake simulations across email, sms, voice and video. And with Adaptive's AI content creator, you can drop in a breaking threat or compliance doc and instantly turn it into interactive multilingual training. No designers, no delays. Learn more@adaptivesecurity.com that is adaptive security as one word.

A (44:48)

Let's go. Oh, yeah, you like. You thought for a second we weren't gonna blow the copyright out. Come on, I'm like nine hours from vacation. Let's go. All right, all right. Hey. Shout out to all of you. Thank you for being part of the show. Episode 1030. I don't know if we had any first timers, but you picked a banger. Drop a hashtag first timer in chat. If today is your first episode for real. I want to say thank you to the stream sponsors. Threat Locker. Delete me. Anti siphon. Seriously, delete me. Thank you. You've been a sponsor for probably two years. Loved having you. Hope we can collaborate in the future. Wish you the very best. Anti Siphon. Of course, we're still in conversations with Anti Siphon on becoming a 2026 sponsor. We'll see where that goes. I want to say shout out to Flair. I want to say thank you to Barricade Cyber Solutions. Guys, Barricade Cyber Solutions does digital forensics incident response, but they also do education for the community and they've put it to bed for 2025. But you can still register for 2026. January 7th, a Wednesday at 1pm Eastern time. Come on and learn about Microsoft 365. Specifically Entra ID identity. Guys, listen, I gotta tell you right now, identity is what you need to protect. That's the core of Zero Trust architecture. And if you have heard the term. If you have heard the term zero trust architecture and don't know what the heck it means, that's okay. Just know that protecting the identity is critical to implementing zero trust architectures. Basically, to means like it sounds, don't trust anything. So instead of like granting access into an environment or resources and letting that person run around you, you. You secure the identity. And like everywhere it goes, you have to validate, right? But how do you do that in an Azure environment? Well, come on down. On January 7th, 1pm, go to webinars.barricadecyber.com to register for free. In one hour, Eric Taylor is going to show you how to implement mfa. So it's required for all users, Geo locking on logins, conditional access, user risk and risky sign in policies so you get notified when nonsense happens. All these and more. Trust me, this is a banger. Valuable webinar that you would want to attend and it's absolutely free. Pretend that you paid 500 to attend it. So then you'll be like, oh, I better. I better take this seriously. But trust me, it's free. But that has nothing to do with its value proposition. Go to webinars.barricadecyber.com and check that out. Guys, every single day of the week has a special segment. And when's. Hold on, did we get a. A freaking first timer. Hector M. Molina, Sandoz. Welcome to the party, pal. Welcome to the party, pal. All right, so James McQuigan does a joke of the week every Friday. And today we got some holiday ones. What class in school did Rudolph the Red Nose Reindeer fail? Oh my God. Did you know Rudolph went to school? He was great at math, great at science, terrible at history, because he went down in history. Oh my God. Oh My God. All right, hold on, hold on, hold on. All right. Why is the letter E the only one that gets gifts from Santa? Why is the letter E the only one who gets gifts from Santa? Because the other ones are naughty. Oh, naughty, naughty, naughty, naughty. All right, all right. So why is the store where Santa Claus gets his suits going out of business? Why is the store. All right, so I don't know if you guys know this. Down on King Street, Charleston, there's a really nice men's tailor store and that's where Sienna gets his suits. But they're going out of business. Do you know why? They've been in the red for years. They've been in the red for years. Oh, my God. All right, so James McQuiggin finishing it off strong. He's been doing the jokes every Friday for two years. James, we thank you so very much. Genuinely appreciate you guys. I hope you've enjoyed the crap out of it. This is my last dad jokes for the years. You know the words. Alpha, Sierra, Marcus Kyler, lead us off. Let the la la la's wash over you Dancing like no one's.

B (49:45)

La.

A (50:12)

All right, we got eight minutes to do four stories.

D (50:14)

Let's speed run hackers Breach. Britain's health service tech provider, DXS International, a UK technology company whose software is widely used by the country's National Health Service nhs, has disclosed a cyber security incident involving unauthorized access to internal office servers. This was detected on December 14. The company said the breach was contained and that clinical services remained fully operational. It is not yet known whether NHS patient data was affected, though the incident has been reported to the Information Commissioner's Office. DXS is working with NHS cybersecurity teams and external specialists to investigate. The company does not expect a material financial impact.

A (51:00)

Oh, yes.

D (51:05)

Software supports clinical decision making and referral management for GP general practitioner practices and handles around 10% of NHS referrals in England.

A (51:16)

I love how. I love how the update is. We've been hacked. Like, this is a health care thing. We've been hacked. And the update they say publicly is the. This will not result in a material statement. What that means, is it. It. It's the. Literally exclusively in the world of, like public traded companies and stock and shares, whenever you have a responsibility to disclose things to shareholders because they own part of the company technically. Right. The term material is a very specific thing. Now, this is London, but I'm assuming it's the same thing that we have in the United States. I was a Sarbanes Oxley auditor, actually I was a Sarbanes Oxley auditor in the early 2000s because I'm old and a nerd, right? But material means like basically a significant financial impact to the business. Which, you know, obviously shareholders can then use that information to decide if they want to buy more or get the heck out of there, right? It's like, it's not so much like, oh, hey, we're sorry victims, like, don't worry, like we're going to implement good controls. It's like, don't worry, investors. This isn't a problem. So it always kills me. Unfortunately, money drives, the customers are just, you know, fortunate to be able to pay into the business. The, the one thing that jumps out on this to me right away. Hackers breach internal servers. Well, typically when you breach an internal server, that means you got inside access to the network, right? So if you're coming from the outside in, guess what? You don't get to the upstairs bedroom without going through the front door in the living room, right? So this to me immediately says either an individual inside got compromised and their box got popped and the threat actor like landed on that box or threat lock, threat lock, threat actor, you know, did an X Men juggernaut through the front door, you know, through like an email gateway or web server or something. Smashed on through into the internal network and then started doing nonsense up in there. So, you know, just seeing this makes me think, ew, like I, I wanted to go, I wanted to go home for the weekend. I didn't want to stay all weekend and work this. Okay, so December 14th, so what, five days ago also shout out to this company five days ago and they're notifying their shareholders. That's pretty, pretty gentlemanly of you UK people. They're so proper. I saw the Kingsman Roswell uk. I know how British people are. All right, so let's see. NHS England. NHS is the national health system. So obviously a lot of citizens data is up in there. Yep, sure. No, here's that material adverse impact on its finances. So don't worry. Oh yeah, I mean they, they casually dropped that a patient died last year because of a ransomware attack in a completely unrelated incident. Okay. Guess they were just trying to pad the numbers. Editor said we need you to drop like a 1500 word blog post. And they're like, I'm at a thousand. Hm. I'll just reference, I'll just spend a hundred words talking about completely different incident. No big deal. Oh, actually more than that, because this entire paragraph is about that incident also. Okay. And then this is about what it kills. Like, okay, this is like a nothing story. It's like, oh, company got hacked, they don't know what it is, what happened, they're investigating. Don't worry, it's not going to cost a bunch of money. Now here's a bunch of like, you know, ancillary, somewhat related story stuff that you may or may not want to know about if you do. The Daily Cyber Threat Brief. You already knew about all that stuff because we've talked about it before, but whatever. I digress. By the way, for someone who wanted to speedrun these stories, I'm doing a terrible job. Let's see if I can do better. On the next one.

D (55:30)

Soaring increase in the use of dig, the uncensored Darknet AI Assistant. A report from RE Security shows a fourth quarter surge in the criminal use of DIG AI, a tool that enables malicious actors to, quote, leverage the power of AI to generate tips ranging from explosive device manufacturing to, to illegal content creation, end quote. Because DIG AI is hosted on the Tor network, these tools are difficult for law enforcement to find, which has resulted in a significant underground market. The recent surge in use can be attributed to the activities related to the holiday season as well as the winter 2026 Olympics in Milan and the FIFA World Cup. Sisa warns of.

A (56:18)

A US child psychiatrist was convicted for producing and distributing AI generated CSAM. Oh, Oh, okay. I could have done without that. Jesus criminy. All right, so what? So threat actors have AI running around on the dark web, allowing them to develop tools and whatnot. They say the tools are not easily discoverable by law enforcement. I, I don't know, man. You got to remember, like, whoever stood this website up right here is probably charging for it, right? Which means they want to make money, which means they want to have everybody know about it, which means they can't determine if you're law enforcement or if you're just like a run of the mill criminal. So to me, it's like law enforcement not being able to find it seems like, okay, like, I, I don't know, of course, who am I? Right? But it just seems unlikely, right? Like, how could they not find it? They arrest like one per. And like, where'd you find this? Like, here's the website. Like, I don't know. I, I don't believe that particular statement. The fact that there's like, this is one thing that I've, I've, I've known, obviously is possible. I, I find it horrifying, disgusting, just repulsive, frankly. Is, you know, AI art or Graphic generation. I use it in thumbnails, you guys. I use it in LinkedIn post all the time. It, it's. You can have it generate, you know, very. Sensual or sexualized imagery of men, of women, of, you know, whatever, you know, like if you're into boats or like, I don't know, like, you can have it do anything you want. You just type it in, make it look like this, right? So it's, it's not that far a stretch. I mean, it's, it's like, it's not even a step. It's like, it's like a, it's like a lean forward that someone could type in and make it a child. Right, so. Which is gross, obviously. So the fact that this is going on, it doesn't surprise me. It's just unfortunate. I don't want to get into an entire philosophical debate about this. If, if you want to talk to me at a bar, I, I will, I will. I will talk your ear off. I will melt your face with my thoughts on this and how I think this should be handled. It's definitely not Christian, what I'm thinking. So, anyways, let's keep going and Exploited.

D (59:05)

ASUS Live Update flaw this flaw has been added to CISA's kev catalog after evidence of active exploitation emerged. The vulnerability, which has a CVSS score of 9.3, has been described as, quote, an embedded malicious code vulnerability introduced by means of a supply chain compromise that could allow attackers to perform unintended actions, end quote. According to a description of the flaw published in CVE.org's certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise, end quote New password spraying attacks target.

A (59:47)

All right. ASUS does ASUS things Patrick stuff. Ah, you got a Patrick.

D (59:52)

Cisco and Palo Alto Networks VPN Gateways. An automated campaign is targeting multiple VPN platforms with credential based attacks being observed on Palo Alto Network's Global Protect and Cisco SSL vpn. This is according to a report from Graynoise. The attacks originated from more than 10,000 unique IP addresses and were aimed at infrastructure located in the United States, Mexico and Pakistan. The malicious traffic originated once again from the 3xk Germany IP space, indicating a centralized cloud infrastructure structure. This attack is different from the one that occurred on December 12, also originating from 3xk, which in that case also impacted Cisco SSL VPN endpoints. In this particular attack, the researchers stated that the threat actor, quote, reused common username and password combinations, end quote.

A (60:47)

All right, listen, I don't care if you're running Cisco, you know, Avanti, Fortinet, Sonic Wall, Citrix. I don't care. Insert technology stack here. If it's Internet facing, put MFA on it. Thank you for coming to my TED Talk. I. If I like, if I was Richard Branson and I was like filthy stupid rich, I might get put MFA in place tattooed on my forehead. Cuz what does it matter? I don't need to go get a job anymore because I'm like infinite. I have an infinite cheat code. Okay, Put MFA in place, please. Put MFA in place, please. It's not a silver bullet. It doesn't stop everything. But you know what it does stop password spraying attacks because. Yeah. Ooh, you logged in. You got me. No, you didn't, because I have mfa. Get out of here. All right, again, it doesn't matter the tech stack, but it does good to show you that Cisco and Palo Alto, which are tier one enterprise grade big boy tools, can still be compromised if you let your end users use Winter 2025 exclamation point as their password. And you don't put multi factor authentication in place. And listen, if someone's like, I don't like it, it's too much work. Multifactor add friction. It's like, all right, then don't do your job or drive into the office or just shut up.

C (62:14)

Don't.

A (62:14)

Because we need to protect this organization and you are not going to be the reason that I work over holiday break. Kevin.

D (62:24)

Make sure you have your.

A (62:25)

All right, let's go. All right, guys.

B (62:34)

Woo.

A (62:34)

We are landing this plane, but really we're just gonna do like one of those touch the runways and keep on going, cuz I. We're going to go into jawjacking like absolute mother truckers coming in hot. Do me a favor, hit that like button sub if you want. This is my last episode of Daily Cyber threat brief for 2025. It was an absolute banger. We are going to be jawjacking with a panel. So come bring your questions, bring your good times. If you're all about them, we'd love to have you. If it was your first episode, come on back. If it was your longtime episode, I hope you enjoyed it. I certainly did. I'm feeling good, I'm feeling fine. Ready to rock and roll. Want to remind everybody, want to remind everybody that today, today at noon eastern time, we're doing State of Simply Cyber. I've got a slide deck. I'm going to tell you all the cool stuff that happened in 2025, but 90 of the talk is going to be about 20, 26. We're making some big foundational changes to Simply Cyber. All good stuff. Don't sweat it. Don't be like, oh, wait a minute, what are you doing to my Simply Cyber? We're going to be doing great things. I want to share them with you. I try to do this at least quarterly. Sometimes I only get to do three a year. It's busy over here. If you want, go to luma.com/cyber luma.com/cyber. And you can actually see it on stream right now. You can actually click this and just get a calendar invite so you'll be reminded it'll be on your calendar. Okay? Super easy. We're not harvesting data up here. I'm not reporting to my shareholders that we've got great lead gen. All right. It's just a way to get on your calendar. Okay. If you are curious, this is my last episode of the Daily Cyber Threat Brief. The show will go on, though. DJ B, Sec Daniel Lowry are going to be hosting the Daily Cyber Threat Brief throughout the rest of the year. No show on Christmas Day, no show on New Year's Day. But on Monday, DJ B will be your host. You're in great hands, I promise you. I'm gonna try to do a digital detox. We'll see how it goes. Let's get Jawjacking. Y' all ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered, and totally free. Let's level up together. It's time for some Jawjacking. All right, what's up, everybody? Welcome to the party. This is Jawjacking. I'm your host. It looks a little different. Hold on. I'm your host, Jerry, and we're coming hot and heavy on this Friday morning. It's December 19th. Six shop, five shopping days left till holiday, Halloween, Christmas. I'm a lunatic. Guys, let me introduce the panel. My glasses are getting foggy. I'm so lit up right now. Ladies and gentlemen, you know him as Daniel Lowry. His mom calls him Daniel Lowry. Ladies and gentlemen, Daniel Lowry. Hey.

B (65:35)

Hey, what's up, everyone? How's it going this morning?

A (65:37)

Good to see you, Daniel. We've also got a long timer who's been on hiatus for a minute. You guys know him as FP3. Fleet is posting the third. Come on in, buddy.

C (65:47)

Good morning, everyone.

A (65:48)

I can't even see, dude, because these glasses are all fogged. Up. I am out of my mind today. First day with coffee in five days, y'. All.

B (65:58)

Jerry's the glasses are fogged up because he's running a fever of 116.

A (66:03)

I love it. My brain is cooking. I love it. All right, guys. Hey, so here's the format. If you're not aware of it, I have a bunch of industry experience. Daniel Lowry has a bunch of industry experience. Fleet is post in the third has a bunch of industry experience. We have blue actually. I mean really, it's like GRC red and then blue. So we've got you covered in all capacities. If DJ B sec wants to join from the waiting room. Come on in, buddy. We are more than welcome. So drop your questions in chat with a queue and we will get them answered. Otherwise we're just going to be hanging and chilling. Fletus, if, if I may start with the first question with you, you've been working obviously in a new role here. Can you just give us an update? How are you?

C (66:53)

Sure. So going well to be honest, jumping into manufacturing was a eye opening experience. I tell people all the time if you've never done manufacturing, go give it a try. But just be ready to look at 90s 2000 tech again. Yeah, for a little bit just because that's just what you're doing with on shop floors. But at the same time it's also fun too because didn't realize it, should have realized it. We manufacture on physical printers, 3D printers, but we also write our own software. So I have the appsec piece of our software and firmware that's put on our. So we get to do the manufacturing as well as software development which allows me to bring my appsec that I've been doing for the last couple years to this role as well.

A (67:35)

So yeah, no, manufacturing is a good one. Healthcare is another great environment I will tell you because like Fletus and I basically had the same job or have had the same job with the same boss and every like, like literally it's like a small world kind of thing. When I worked in manufacturing, one thing that kind of surprised me or was an interesting wrinkle to dealing with information security is there are machines in your environment that basically three people, like on a, on a 24 hour rotating shift, three people stand at the same machine and they don't log in and they don't get their email at that machine. It's like a generic machine but that's the only machine they interface with. So in order to communicate with them like on awareness training and updates and MFA and all these other things. It's. It's a tricky thing. Plus, that machine, it really needs to be up and running at all times. So, like, maintaining it is kind of tricky. That was always an interesting one. Like, you have employees in the environment that don't actually have, like, a true account, but you still need to account for them. Kind of crazy. All right, Daniel Lowry, anything. I don't know, anything going on you want to talk about?

B (68:45)

Yeah, you know, that's a good question, because I'm so glad Fleetus is here, because I remember when Fleetus was neck deep in the I could really use a job kind of thing going on. We're all back cheerleading for him, rooting for him. He finally lands this gig. I'm so glad to hear that it's going well. Many of you know that I also have been sitting around. Well, I'm sitting around. I've been doing stuff. I put a nice little course there for the pen Test plus and Simply Cyber. It's been a lot of fun kind of making courses again, but as you know, bills are bills and. And steady work is always nice. And then I had a couple of interviews. Happy to say interviews have paid off. I am gainfully employed. Oh.

A (69:30)

All right. So, ladies and gentlemen, if you're a squad member, do me a favor and grab that wrecking ball emote and just spam the crap out of it. And then at Daniel Lowry. At Daniel Lowry. Hold on. At. Hold on. Why is. Why is. At. Why you're not in YouTube right now.

B (69:46)

Oh, am I not? Oh, you know why? Because I was on my own studio.

A (69:50)

That's fine. That's fine. I. We have wrecking balled you. You can see here in chat. It is now stream. Here, let's.

B (69:55)

Oh, it is coming. It going crazy.

A (69:57)

Yeah, yeah. I want to show it on stream. Here we go. Let's. Let's let. Let the wrecking ball watch over you in an awesome wave. Okay.

B (70:04)

Yeah, it's super awesome. You know, and I. I too, am getting a little bit of a change in. In some of the stuff I'll be doing. My. My role will be as a lab developer, so I'll be working a lot with, like, infrastructure as code and Ansible Terraform, GitHub, that kind of stuff.

A (70:20)

Oh, that's awesome, dude. Congratulations. Super pumped for you. I know. I mean, anytime you get laid off or you quit or you separate or business goes under or there's an acquisition and you're like, part of a reduction in force, like, anytime anything happens and it's out of your control. It sucks. So being able to take control of your situation and improve it is always not just like great in general, but it's like rewarding and then doing it right before the holidays. Daniel must be very like, ah, yeah, I love it. I love it. All right, so if you got any questions, drop them in chat. The last couple jawjackings have been pretty chill as far as things going on. We'll, I'll facilitate as best I can until questions come in. Fleetus, are you ready for the holiday or are you like, oh no, I really got to get out there this weekend.

C (71:18)

So we kind of do things a little bit different in our house. We took a trip to Florida, so I was in Florida the last eight days. So I just got back earlier this week. We do experiential stuff versus exchanging gifts. So took the wife and kids, we went down to Orlando. Just chilled out for a little while. Went to the parks. When I did the parks. I have young enough kids that I can get away with that. So that was kind of fun. And mainly just looking forward to doing some holiday gatherings and celebrations. So I went to one yesterday. We got some family gatherings this weekend, so I'll drive around North Carolina a little bit. So looking forward to just doing some chill family time, to be honest.

A (71:54)

Awesome, dude. I love it. I love it. Daniel, are you, you know, like got your pajamas already and locked and loaded or are you like gonna be frantic fighting people this weekend?

B (72:04)

Yeah, you know, I'm, I'm gonna go to the nearest service station and buy some last minute gifts because that's how I roll. No, I do have, I do have a little bit of last minute shopping to do, some stocking stuffers to grab. I was like, yeah, stocking service? Yeah. So you're gonna get nothing but like deer antlers and dough urine, a Zebco fishing pole, maybe some, some line, couple of lures, maybe something from Jimmy Houston, you know, good stuff. Nothing, no bull crap.

A (72:34)

I love it. Like, your kids are like skull winter green, Daddy, why did I did it?

B (72:40)

Why did I get a spit cup for, for Christmas? Because it's time to start. You're 10 now.

A (72:47)

You got all your teeth.

B (72:49)

Yeah, you go bricking on chewing red man every day. He's about to get to work.

A (72:54)

All right, we got some questions coming in. Chat really quick. DJ B Sec, who is listening from this the awaiting room? Soul Shine wants to know what's the tech field like in Texas. So at Soulshine, DJ B Sec, if you can answer her I haven't vetted this one. So with the new year coming up, what. What advice? Excuse me? What advice would you give to people who spend a lot of time consuming cyber content but don't actually execute on their plan? Is this common with many? All right. I mean, fleetish, you want to go first? I feel like we can all answer this. Yeah.

C (73:27)

I'm about to say, like, it is dangerous. You can doom scroll with cyber content just as much as you can doom scroll with anything else. And we've talked about many times on podcast, on Daniels and others that you got to watch what you intake. There are some influencers out there who are spitballing stuff that's not going to be a value add. If you like. I give kudos to Simply Cyber for the amount of groundedness that we do with our news stories, how we present things, how Jerry makes sure that what content is being presented here and all of his podcasts he puts out through his media group is grounded. So not. Not just because I'm on his panel today. That's. That's a great shout out to the community here. So watch that. And yes, many people drink like a fire hose and never let it out. Like, that's just common. It's so easy to say. I've learned a ton and I've never executed. So we've talked about a few times on here. Apply it. Build that lab, break something. Talk about it. Go teach it. Write a lab, blog about it. Try to put some theory behind what is a zero trust. As Gary or Jerry, we were all talking about what is identity, what is identity, what is not identity? Because we use terms interchangeably sometimes. And tone, they don't translate well. So if you come in and spitball something that's wrong, it's wrong. But at the same time, it's an opportunity to learn, because. Click story. I use the acronym wrong a couple times in a presentation, and someone was polite enough to say, hey, you've been doing that wrong the entire time. That's not what that actually means. You're using the wrong acronym because it's easy to do because you're just so used to it. Like, we change terms. Marketing teams love to change terms on us. So you gotta be aware of that.

A (75:09)

Yeah. Like, I. I have to, like, look up TTP literally every time I say it, because I just think of TTP as, like, what it is. Like, I don't. I. The what it means doesn't matter to me. It's like, I know what it is. So, Daniel, I.

B (75:21)

This happens to Be dear. I'm gonna spit. I'm a tailwind off your. On your little TTP thing here for a second, then, while I answer the question, because, well, I'll answer the question first. You basically answered your own question. It's yes.

A (75:32)

Don't just.

B (75:33)

Don't just sit in the. In the galley listening and never putting your hand, picking up, going to bat and trying to swing at the ball. Have some fun. It's fun to do, by the way. It's. You don't just have to listen to. If that's your thing, you know, what are you gonna do? But I would. I would highly recommend you try something. Go spin up a VM lab of some kind. Go grab something from Phone Hub, get logged into Hack the Box. Go to try hack me. Do something. Just start getting your hands dirty. And you might find that, oh, wow, this is actually really fun. And it's not as big and scary as you might think. So there's the answer to that question. But, Jerry, I identify with that whole. My. My brain stops telling me what the acronym is and just says acronym means this thing. And it's the concept, right? So my brain connects the acronym to the concept instead of to the words that are in the acronym. I hate that. But that's why I'm always forgetting acronyms, because that very fact.

A (76:27)

Yeah. It is what it is, you know. So to this question, the only thing I would say is. And I've. I've. You know, obviously, I've been doing this for years. Do not fall into the trap that because you are watching a webinar or, you know, listening to something or whatever, that you're making progress, okay? Because here's the reality, okay? It's easy to feel like you're still making progress because you're listening or consuming or something. I'm not saying that's not. You should stop doing that. But I think what a lot of people end up happening. And I'm not. I'm not calling you out specifically upload yt. And I want to point out this question's awesome because a lot of people do this. So I think you're helping a lot of people with this question is, well, like, if I. If I just watch this, if I just play this webinar, if I just let this play, I'm making progress. So I'm contributing. I'm working towards the goal. It's easy to stop and actually analytically consume what you're doing and then apply it in some way and then run into some problems and troubleshoot it and then document it and share it. That's hard. Okay? I say it all the time. Ideas are easy, execution is difficult, Right. I do this show every day. It's not easy. It's hard. But I do it because I know it's towards, you know, my goal. Right. So what I, what I suggest is do an 80, 20 rule, right? If you're, if you find yourself in this reality, keep doing what you're doing 80% of the time, but then make it a point to take 20% of your time and actually grind into trying to analyze and apply what you're learning and blog about it. Put it on your LinkedIn feature portfolio, put it on, get, do something. Move towards making it actionable. And once you start doing that, you're going to start, you know, getting some like, processes and workflows that work for you and then you'll start in integrating them into your general workflows and then you'll break free of this like, cycle of just like, oh, I'm constantly busy, I'm constantly making efforts, I'm constantly learning, but I don't feel like I'm getting anywhere. It's because you need to apply it. Okay? So that's the reality. I, I feel like it's, it's the comfort of feeling like you're still doing something that people get wrapped around the axle, that they're, they're not wasting time. Okay, good question though, and I appreciate it. All right. Robert says I'm working with a pen testing team on ICS skater stuff. What's the best way to start a test when working on that? Well, I mean, first of all, I would, I, I haven't personally worked in this space with a pen test, but what I would say is I would almost hope that the pen testing team that's doing this work would have had experience in the past and would have been able to give insight on what the overall project should look like and how to kick it off. Gentlemen, have either of you worked in this space fleet?

C (79:27)

I have, I have with the regulated utility a little bit. And it's very tricky because you don't let them into your production system. Most of it is you give them a diode or PLC that's similar enough and say, hey, do hardware hacking off my network and then tell me if my config is correctly. If you're going to do a full on pen test, you better be sure that you have your scope of work correctly because just like in manufacturing and utilities, that things got to be up 36524 by 7. And you got to have redundancy. You're not tripping anything. So it's very tricky. I will say with modern pen testing, it's a little easier to go into an ics. We have very good offensive pen testers and we know a lot of them. Some of them have been on this show, so it can be done today. But in the past, you couldn't touch that with a ten foot pole. They wouldn't let a pen tester anywhere near that production system.

A (80:24)

Yeah, exactly. You very.

B (80:25)

You need to tell me, Fletus, you're just not going to willy nilly start turning ones into zeros and zeros into ones on, like valves and pumps and stuff.

C (80:33)

Correct.

A (80:35)

The light.

C (80:35)

The light switch stays on. The light switch doesn't get to turn off.

D (80:39)

No.

C (80:40)

Yep.

A (80:41)

Yeah. So you, you don't want to go full MC hammer. You can't touch this. Okay.

C (80:45)

Just, you're not meta spoiling it. You're not running random rootkit, like you're not running random exploits against an ICS environment. I'm sorry.

A (80:54)

I love it. We just got a super chat in from Nerman. I'm a big fan of Nerman. If you met Nerman at Simply Cybercon, you know how awesome he is. Nerman says, do you have Any thoughts on El Comsoft iOS Forensic Toolkit? I just purchased it and I'm planning on making a YouTube video about it. I have not had any experience with it, Norman, but making a video about it would be awesome because then I could watch it and learn about the toolkit. So thank you. Also, Nerman, I just want to point out, if you're interested, Jessica Hyde at Hexordia H E X O R D I A has a lot of like, mobile forensic education in labs as well. So if you're interested, you could scoop up on some of that stuff. Thank you very much and Merry Christmas, Nerman. Let's see. Why is a WI fi pineapple dangerous? I also want a quick shout out. I bought a Wi Fi pineapple last year. It's still in my drawer over there. I desperately want to do something. I think that might be a project that I do over my vacation as well. By the way, my family I really like. I have to like, spend some time convincing them that like, working with like the Wi Fi pineapple or, or dinking around is not work. Like, I love this stuff. It's. It's what I want to do. So why is the WI fi and a pineapple dangerous? Because it's well Actually Daniel, have you ever done labs with a pineapple?

B (82:15)

Yeah, I've messed with a couple of hack five stuff. So basically it allows you to perform different wireless attacks like evil twin, rogue ap, that kind of stuff. And that's where it can be dangerous, right? If you're working within a controlled environment, that's fine, right? You're just testing, you're learning, you're having fun with it. If you're doing a pen test for wireless, then obviously that could be a very useful piece of kit for you because you want to see, hey Will, are there going to be any people on this network that will jump over to my, my rogue AP or jump on my evil twin and start giving me things like, I don't know, credentials. Because once you're on the WI Fi Pineapples network they can start sniffing all your traffic, they can start seeing anything. So if it's not encrypted it's going to be like, oh, what's this? Is that a password? Is that some credentials right there? That looks nice. I'm just going to go ahead and grab that. Appreciate it. So it can become a really nice man in the middle tool for a pen tester or an attacker. So that's where the danger side of it comes from. Obviously if you're using your powers for good instead of evil, that's a good thing because then you can go, hey, we saw Sally and Jim and so on and so forth. You know, their devices kicked over onto this because we did, you know, we spammed authentic or we, we did the authentic deauthentication attacks which you can do with the Pineapple against your system so that they would attack, they would attach to ours and they did. And we were able to do X, Y and Z, that's going to be findings. It's going to be a write up for a pen test. That's the kind of stuff you're looking to be able to do with that. So it's a cool piece of kit. I mean you can do it with just a, you know, go to Goodwill and you can do a lot with that. Or if you don't want to spend the money on a Wi Fi pineapple, you can, you can use WI Fi Pumpkin, which is kind of a software version and does a lot of that stuff. It's really interesting. You just need like a good network card to be able to pull off a lot of that stuff. But if you really want to go down the rabbit hole of WI fi security and the offensive side of things, the WI Fi Pineapple has been long a great tool for that very thing.

A (84:16)

Yep. And I just want to point out, like, it's. It's basically, you could build it on your own. It's one of those things where, like, it's completely built out kit for. For you, and you're paying for not just the tech itself, like the hardware, but you're paying for, like, essentially the convenience of all the tools you want bundled in one thing. Which is why, you know, offensive security pros like it, because it's like they're just trying to get their work done right. They don't. They're not trying to be like, leap level, like, getting lulls and stuff like that. I want to point out one instantiation of using this in an effective way that I think resonates. Luke Canfield's probably gonna get all frothed up and excited when I show this. But let me show this example right here. That's one that I always go to and I. I love. Right. Right here. This happened in October 2022. Essentially, a threat actor took a DJI drone, mounted a WI Fi pineapple to it, flew it on top of the roof of a financial services building. Guess who's on the top floor of a financial services building? All the big wigs and important people put down a wireless cloud. The big wigs connected to it, and guess what? I own all your things. All right? So that is how you can, you know, operationalize something like this to be a real big problem for, you know, a target organization. Okay, that is crazy.

D (85:39)

That's.

B (85:40)

That's creative.

A (85:41)

It is. It really is.

C (85:43)

From. From the defense side, these things just give me, like, jitter slash excitement because, like, there's so much you can do to detect these in a corporate environment. Soon as it hits, like your nac, your Mac filtering, anything that you put in your environment can easily kick that pineapple back off the network or at least suppress the signal, or you bump your bandwidth of your actual APS to step over top of it. But to their point, once it's there, you only need one person to connect to it. That one person can just start hammering all their financial data, anything that they're personal. So back to security awareness or just. It's the holiday season. Don't do sensitive stuff on public networks. Don't do sensitive stuff on your corporate network, because at the end of the day, your corporate team may be inspecting your traffic and putting stuff back into plain text and can get your passwords, your hipaa, your phi, your PII data, because they're Sniffing the traffic, they're decrypting it and they're putting it into a net witness or another packet capture to tool. So don't do stuff that you don't want someone else seeing. Or as we all say.

B (86:47)

That's right. We all know you're supposed to VPN into your home network and through rdp, do all your sensitive stuff from work at home that way.

C (86:56)

No, no, we don't do that either, Daniel. No, no, we're not setting up tunnels. I have a corporate network.

B (87:04)

Come on, man.

C (87:05)

Strong.

B (87:05)

A little VPN in between friends.

C (87:07)

You're giving me heartburn over here.

A (87:09)

And just to demystify all this, like this is the box the WI FI pineapple comes in. And this is what it is. I mean it's, it's literally. It's not like this massive, you know, toolbox looking thing. It's, it's. It probably weighs less than a pound. It like weighs ounces. It's got three wireless antennas on it that I'm not going to plug in. But you get what I'm saying. It's putting this on a drone is nothing like, like an infant can pick this thing up, right?

C (87:33)

Yeah. And then you've got the offensive tools. You can put aircrack and other similar stuff that on software based and do the same thing. Just put a laptop or a Raspberry PI that's running it with a wireless receiver and you do the same thing by putting it behind the desktop or putting it behind the photo in your break room or the cafeteria.

B (87:50)

I literally built that tool one time using this Raspi0w and I connected a. Just like a battery pack and zip tied it to it so that it could run first. I mean that thing will run forever and it would just connect to a wireless network and then phone home. And I had access to it internally from anywhere in the world because I was like, cool. It would, it would just send a reverse shell to me. And now I'm like, cool. It's a. It's connected to the Internet and your network. I like this.

C (88:19)

To be honest, this is where most of your skimmers come back into play too. You put these things behind a skimmer, you attach it to your atm, to the. Daniel's going to go buy that last minute dip for his kid and he swipes that credit card and they want his credit card information because the skimmer also had WI FI transmitting turned on and the guy sitting in the parking lot just sniffing all Daniel's traffic.

A (88:37)

Yeah, yeah. All right. So great, great conversation On WI Fi. Pineapples. That was fun. What else we got? Oh, so Sierra Montgomery wanted a poll on whether or not Die Hard was a Christmas movie. We ran the poll. 88 of you say yes. Quick lightning round. Gentlemen. Fleetus. Die Hard. Yes. No. Christmas it is. Daniel. All right, cool. And I also, I've heard pretty compelling arguments on why it's not, but I still don't care.

B (89:06)

I heard someone say that it was. It's not a Christmas movie. It's a movie about people that are in peril from a horrible enemy, and they're waiting for a savior. It's an Advent movie.

A (89:20)

That is funny. I mean, one of the arguments I heard was, like, you know, like, it could be Thanksgiving, and, like, the story would still, you know, it's. It's not. It's just a part. You know what I mean? But whatever. I, I, to me, I'm gonna call it what it is. There was a question that came in. I, I can't flag it right now because it's way back in the chat, but Modern Rogue is in chat. Who's. Who's a new friend of mine, Modern Rogue. Uh, Brian Bushwood. He asked who's Jessica Hyde? I do want to share this, because I think Jessica is amazing. Okay. This is Jessica Hyde right here. She's a Marine. She is considered one of the foremost digital forensics experts in the United States, at least, if not the world. Her company is Hexordia. She is an amazing professional. Like, just a really great human. Can we computer load up my screen? What are we doing here? Like, anything that doesn't happen immediately, I get pissed off about anyways. So, of course, this is, like, not as exciting as I wanted. She runs this company. She's definitely worth checking out. What I would say is this simply cyber YouTube. Jessica Hyde. She's been a guest on Simply Cyber Firesides a couple times, and every time she comes in, she drops, like, literally. I'm not even exaggerating. 75 to 100 resources for people. It's insane the amount of value she brings. She was on three months ago, which is unbelievable. And I'll drop a link to this right now. Go check this out. If you even for a moment, are interested or curious about digital forensics, this is, without question the best 60 minutes that you could spend to start your adventure. It's so good. She's so awesome. I'm such a fan of her. Jessica Hyde. There we go. Okay, There we go. Now that we've done the Jessica Hyde minute, let's keep going. In manufacturing environments Fleetus, what do you do when cyber insurance wants you to reduce generic accounts? Are there generic accounts accepted risks and you accept the insurance cost increase.

C (91:32)

So it depends. So you're going to have to use shared accounts for those shared workstations, turnstiles that these employees are shift working through. So you just have to accept that most of the time you're showing the auditor. We've talked about this in practice. You're, you're coaching the auditor what you want the auditor to define. Same with the cyber insurance. You're stating what your risk profile is, how are you doing depth and defense, how this is rotated, how this is managed, where you're putting least privilege, how you're doing segmentation is there tiering and that's where you put for those who don't know, your enclaves, your segmentation in place. So even if they could share it, they can't leave the enclave. Like that enclave is isolated off. It's got its own firewall, it's got its own pipe fiber coex into it to allow traffic to come and go. And it's not allowed to do two way communication with your corporate network. Your corporate network, I misspoke earlier is running modern security. I have modern art in my corporate environment. It's my controlled environment, my enclaves, my shop floors, my manufacturing where I'm actually building is where you have to watch. So the generic counts aren't as big of a deal because you're not running those in your corporate environment which is where your cyber insurance is generally going to be picking on you because you breach my OT environment or my IoT environment. Let's just say I'm polishing my resume.

A (92:57)

I like it. Quick shout out. I didn't see this. Come in. Reverend Timothy Johnson, PhD with a ten dollar super chat. Thank you so much, very much. Merry Christmas and Happy New Year. Happy Holidays. Next question coming in. Daniel Saber tooth Sam is transitioning to a SEC analyst role and may get access to some tools and services early. Which tools should I start working with first to learn the most and be prepared for the new role?

B (93:26)

Okay, interesting. Transitioning to a security analyst role may get access some tools and services early. Well I'd like to know what those tools are and then I could better answer that question. Probably really want to just like if it were me I'd probably start with what is the thing I'm going to be looking at almost every day, all the time. This is my bread and butter for the job. So it's probably going to be your Dashboard for your sim and wherever you get your alerts. So just get really familiar, kind of bounce around, figure out where everything goes, where it is, so that when you do start work, it's going to be a much quicker uptick for, okay, we just got a ticket and this is what we do. And this is how we blah, blah, blah, and you go, okay, we've got, we got an alert. We got to go back to be able to handle that. You know where all the stuff is. You're a little familiar with the house at this point. And somebody asked you go get a cup, you go get a cup. You know what I mean? Someone says, hey, can you put this dish away? You know exactly where that goes. That's. That's where I would start. Right. I know you're. You're probably thinking more along the lines of being able to like, learn a skill that can be useful for the job. You do that, it doesn't matter, right? You pick X, Y or Z because you never know what you're going to get. If you know what the job is, you're going to be better equipped to answer that question than I am. Depending on whatever organization you're working for, their industry, their, you know, attack surface, their threat models and all that other fun stuff, that's going to be only stuff that you know. So if you want to go down that route, you know best how to answer that question. But for me, about the job, it's using your tools effectively and just getting familiar with it. That's what I would be doing, is familiarizing myself with all those things that is going to be my day to day.

A (95:07)

Perfect. I love it 100%. And honestly, this is again, probably a biased opinion because I work hard, not smart, but, like, there's no shortcut too. I would just like, to Daniel's point, whatever you're going to be using the most, lean into it, get familiar. There's a reason that I can basically name like all the NIST controls. It's not because I, like, have a great identic memory. It's because I lived in it and I wore them like clothes for years. Okay. But because of that, I can be like, ding, ding, ding, AC6, boom. You know, like, like, I just get it, you know, I mean.

C (95:40)

All right, we're going for the next question. I'll add another one. Sometimes it's the questions you want to ask. Go ahead and be prepared. What questions you want to know, to Daniel's point, like, what is our ticketing system? Where are our SOPs stored? Do we have a soar? Do we use automation? Do I need to know how to use these for my first 30, 60, 90 days? You're really coming in to interview and learn the environment because to be honest, I'm likely not going to give you the authority to do a ton of production work real quickly unless you're just. We're running through a firestorm and I have to get you hands on keyboard on day one. Day one. You're, you're interviewing, you're mentoring, you're shadowing. So go ahead and build a list of questions and you're going to sound intelligent because you've thought about the questions and you're looking at the tools. And if they're Microsoft, go learn Microsoft. If they're Google, go learn Google. Find out what their back end is for, email, what their front end is for, networking. So are they a PA shop, are they a Cisco shop, are they a Fortinet shop? That's what I would go learn. And that way you can start looking for vulnerabilities, what you need to do, etc. Versus just let me get a skill. Let me just be able to speak intelligently of the vendors I'm using and then you teach me my process so that I can fish.

A (96:58)

Brandon Poole, who is the same Brandon Pool from Panopsi, who's also introduced me to one of the best places I've ever eaten in Columbia, South Carolina called Kingsman, has a question. Do you have any unique or interesting holly tree traditions? Also, Merry Christmas and Happy New Year, Brandon. Love Brandon Pool. He's a good friend of mine. I have one. It's not even a tradition. It's like something super obscure. We have tons of things. I'll share more later. But the one that came to mind, I know this is incredibly weird, but like every Christmas I really enjoy because I'm the first one up, right. I love getting the cup of coffee and I go on the back patio because I let the dogs out and I, I love the pure silence. There's no cars, there's no airplanes, there's no one talking. Like you don't hear anything. It's honestly, it's almost like.

B (97:50)

The world ended.

A (97:51)

Yeah. Like there was a.

B (97:53)

There was a Omega man or something. I am legend.

A (97:56)

Yeah. Well, it's almost like not to make it 9 11ish, which is creepy. But like when 911 happened, it was kind of weird how like there was. It was just silent everywhere. Anyways, I love that pure silence because I. You don't. You never get that anywhere there's always some activity going on, so I enjoy that every year. It's like 30 seconds of pure silence. It's almost like, to me, I almost feel like it's. My year was a ball and it got thrown up. And that 30 seconds is right as the ball is reaching its apex. And it, like, floats there for just a moment before coming back. Daniel, any interesting holiday traditions?

B (98:34)

So I'm. I'm a bit of a movie buff, so I. I like watching a lot of movies. I have a very strange. Like, obviously a lot of people would say, oh, Die Hard, right? That's the Hollywood. Yes, absolutely. It's Christmas movie. You know what else I think is a Christmas movie? And I watch it every year. I never miss it.

A (98:49)

Over.

B (98:49)

Die Hard actually is First Blood.

A (98:53)

Stop. That's a holiday. That's Christmas.

B (98:55)

It is Christmas.

A (98:57)

All right.

B (98:57)

You know what?

A (98:58)

That movie is actually, like, su. I know it's like, a seminal classic, but I feel like it's still underrated. Like. Like Stallone's acting.

B (99:05)

Such a great flick.

A (99:06)

Yeah, he did a good job in that one. Check it out. Rambo, First Blood. Okay. And watch the first one before you watch, like, the second and third one, because. Okay, Fleetus.

C (99:17)

Mine's not as exciting as you guys. Most of the times we just do cook exchanges. We like to bake together. We hand out stuff like that. Just doing stuff as a family, as you've probably heard me started earlier. We like to do experiential things for the holidays versus just gifting. So we do a lot of cooking, baking, card games, board games. Just sitting down and slowing down and getting away from tech.

A (99:36)

I like it. There you go. You know what's interesting, too, is, like, I don't know if Stallone wrote First Blood, but he wrote Rocky. Did he write First Blood?

B (99:46)

So it's based. It's based off of a book of a college professor that taught English to returning vets from Vietnam and the stories that he heard having lunch with them. So they adapted the book to a movie, and it had a lot of changes in it because the original, the book is like, rambo dies. In the end, Colonel Trotman kills him. It's. It's very sad and kind of like. But it's meant to reflect what the soldiers were going through.

A (100:14)

Yeah, yeah.

B (100:14)

And then so when they turned into a movie, they screened the original. Like, Stallone hated it. He was like, this is the worst thing ever. So they changed a lot. You'll notice there's not a lot of dialogue. That's because they cut the movie very. A lot. And that's what they came up with. It's like, I'm so glad you did.

A (100:30)

Yeah. It's funny because Stallone gets kind of painted as this like, 80s action star because he was huge and like, Schwarzenegger defined this, like, area, so it became a whole thing. And Dolph Lundin. But if you look at it and think about it, you know, objectively for a minute, like, Stallone was really trying to be taken. Like, not taken, but, like, Stallone was more going for, like, a serious dramatic actor. And Rocky's a very dramatic story about transformation and. And, you know, overcoming adversity. Rambo is the same thing, but it's because he's this, like, giant action hero.

B (101:06)

Yeah.

A (101:06)

You know, he. Man figure.

B (101:08)

Rocky is actually a true story about a boxer named Chuck Wepner.

A (101:12)

Did not know that.

B (101:13)

Yeah. It's basically his life. Every single Rocky movie is basically Chuck Wepner's life.

A (101:18)

Oh, I'll have to go watch. There's definitely gonna be.

B (101:20)

I say every. It's. Most of them are.

A (101:23)

Oh, you know, he didn't have a. A robot that cousin Paul.

B (101:27)

Yeah.

A (101:27)

Was in love with.

B (101:29)

Cousin Paulie was a write in.

A (101:31)

All right, hey, really quickly, Fleetus, Space talkers, wants to know what you baking.

C (101:38)

So usually the wife and I and the kids will make like an Oreo ball, such as cream cheese with Oreos around the outside of it. And then my dad's been very good about making oatmeal raisin cookies that we make and then we usually hand out and or consume during our family gatherings.

A (101:52)

I like it. You got a favorite baked good, Daniel?

B (101:55)

I love oatmeal raisin cookies. They are literally my favorite cookie. I love those things.

A (102:00)

All right, so as soon as the stream ends, Daniel's driving to your house. Fleet is.

B (102:04)

I'll tell you what, man. You know who makes a good one right off the shelf is Sam's Club. They've got a fire oatmeal raisin cookie.

C (102:11)

It's.

B (102:11)

It's about this big and it's moist. It's sweet. It's delicious. My mouth is watering. I'm about to run the Sam's Club right now.

A (102:21)

Yeah, you're like, I've got 15 minutes. Are you doing your show today, Daniel? Yeah.

B (102:25)

Yeah. That's actually about to tell you. I gotta balance because I got to do Cybercast IRL today at 10 o'. Clock.

A (102:30)

All right, well, we'll see you later. Daniel Lowry, ladies and gentlemen, this is Daniel Lowry. He's Been hooking it up today with us, but he's going to be doing his own live stream, very similar, and chill like this, except in his own. His own way with his own vibes and his own monster energy drink. So we'll. We'll raid on over there, Daniel, in 15 minutes. Thank you.

B (102:50)

Thank you, man. We'll see you there.

A (102:51)

All right, chill. Later.

B (102:52)

Bye.

A (102:53)

All right. Hey, Cletus, let's get real, man. Why would anyone want to be a ciso? Such a good question. Given the accountability, the stress, the breach, risk, what makes the role professionally rewarding despite the downside, I can tell you personally, I always wanted to be one until I got there, and then I was like, oh, gross. Personally, the reason I wanted to be a CISO was because I loved the. Well, a. Because I'm a control freak and I love the. The ability to have the. The authority to decide how an information security program could be built. I feel like I've got it figured out and I know the right way to do it, and I know where to allocate resources in the most effective way for cyber risk reduction to be optimized. To me, that's. That was the draw. That's the love is like, oh, man, I get to build it in my own right. It's almost like a. Not a final exam, but it's like a test of my manhood, you know, like, for lack of a better term, it's like, oh, like you study all these things, but can you actually. What's it look like when you're put to the test? For me, that was the draw. Loved it. And then, then you get into all these, like, things where, like, your CIO overrules you on certain things and you're like. Or you don't get budget, and you're like. Or they take your staff away from you and you're like, like, it's. It's all the Game of Thrones stuff that sucks about it. Fleetus hit us. Yeah.

C (104:13)

So I think the problem is, is we call it a CISO. I think we need to probably redefine what CISO actually is in 2025. Most organizations, to Jerry's point, just there, don't treat it as a C level. They don't give it the authority, they don't give it the capability, and they tend to treat it as a scapegoat. Why people like to do it is they still feel that they can add value to Jerry's point. Like, we bring in a lot of expertise. A lot of us have. Have been senior Leaders, directors, advisors. And now we just want the title because it opens certain doors to allow us to go in. Doesn't change our responsibility, doesn't change what we're doing it. Just because you have a title and you're at a logo company in certain places, it allows you to make better decisions for what I would call the greater community. So that's why most people that I still contact, that I know that are still in the CISO role have not gave the title is why they're still doing it. It's because they believe in the greater good in which they're doing versus just holding a C level title. Because some organizations, the CISO is four levels down. Don't get me started on that. We can have a whole nother conversation that's too far removed to have a C and their name. So they're the little C. We have the memes that they're sitting at the kids table. They got to get them away from there. But at the same time they're closer to the trenches. And I think some CISOs need to get closer to what their individual contributors are doing to effectively do their job better because they're not able to manage the risk and be able to speak the business lingo because they don't know how their teams are operating.

A (105:36)

Yeah, unfortunately a lot of times CISO is there because, you know, either compliance requirements or insurance said you need a CISO and they're like, all right, no problem. That, that having a CISO on paper doesn't mean that you empower them with like the full authority of a C level to Fleetus. Point. As a follow up question, DJ B SEC, who's, you know, long time member of the community says, should the CESAR report to the cio? He, he offers up, no, it should report to the board of the CEO. You know, I guess. What do you think? Fleetus.

C (106:12)

I'm going to. I would say I used to agree with DJ B sec. Now I say it depends on the size of your organization. I think sometimes it should be this. The CISO should be also the cio. I know the CIO should be your CISO and you shouldn't have two named individuals just because of the organization if you're small to midsize. So it really depends on the vector you work in. Are you publicly traded, are you VCO and are you private equity? And it decides who you go there. I still think you need to have direct access to the board and ciso. As the ciso, you should be able to come and present and they should invite you to the board meeting, into the audit committees, and to the table. But I think sometimes having the CIO in front of you is going to be a value proposition with everything moving to the cloud. Because I don't want the CISO owning my cloud. I don't want him owning the data center. But the CIO should, and you should be partnering close with him or her to make sure that you're securing it properly and that you have the right responsibility. So again, it's back to it depends. Because if you're a small company, it's fine. You can report to the CEO. If you're a larger company, you probably want that protection and guidance and support and shared responsibility with the cio.

A (107:22)

I don't like, ideally, no, I don't think the CISO should report to the cio. And if you're curious why, like, maybe you're either, you know, junior, not familiar with the industry, or whatever, like, whoever you are, wherever you are on your journey, the reason that I don't think so is because the CIO and the ciso, it's like a Venn diagram, okay? They do have a lot of aligned goals that are equal, but then they have goals that are not in the same alignment as each other. A perfect example. CIOs typically promise high availability or five nines, right? Like, you will be able to get packets flowing across your network when you need it. You'll be able to check your email whenever you want. You'll be able to run the application. We will make money all the time. Well, if a mission critical asset is open to the Internet and publicly exploitable and there's an active campaign going on or whatever, right? And you're like, we got to shut this down now. You have a conflict because you want to shut it down. And CIO says no. And if they're your boss, guess what? They win. Okay? So if you're com. If your peers now, you can like, try to do political capital and all these other things. All right? The one reason I do like being under CIO is because of budget. Because if you're a peer of cio now, you're competing for budget, right? And still in this instance, you still have to be able to basically bend the knee to get the budget you need. But at the end of the day, with the, with the money for your program, it can get a little dicey when you're trying to steal from each other versus being like, dude, what do you want me to do? Like, you're being held accountable for how we're doing things because you're giving me no budget. Like, what do you expect to happen here? So from a financial perspective, there is a nice little buffer by being under that. But ultimately I think it should report to someone other than I've seen a report to CFO before, which is, which is not bad because it is, you know, a risk that you want to materialize into financial risk.

C (109:21)

I've seen them under legal, I've seen them under risk, I've seen them under the chief operating officer. I've seen them as cfo. And the one thing I will say that I've seen effectively, and this is what the CISO has to do when they get hired on, is say, I have a dotted line for these things to bypass my boss and come directly to someone, and that's the CEO or the board. And you put that in your calls. You put that in your incident response plan. If this happens, I'm not going to my boss, the CIO or the cfo. I'm coming directly to you, CEO or you, the board of advisors. And you put that clause into your agreement.

A (109:52)

Yeah, I mean, you can do that. I mean, obviously you got to have thick, not thick skin, but like, you're going to piss off the CIO with that move and just be, you know, ideally, you want to have a good relationship with the cio. Yeah.

C (110:05)

But another quick story, real quick on that one. I've seen places where the CIO has left the boardroom when the CISO is reporting because they don't want to be held responsible for what the CISO is about to say just because of the accountability piece they got up and left because they don't. They need to be able to say that, I didn't know about that. And that's sometimes important that people need to think about. Some C levels have to be blind to certain things because of legal requirements. And it's sad to say that, but there's been times I've watched the CIO or the CTO walk out of a room when a CISO is giving a report.

A (110:36)

9:52, we got eight minutes. As some of you know, I've been working in different for three years. This is Marcus Kyler and he wants to pivot into GRC because that's his passion. What's one cert I should focus on for Q1 that will position me for that pivot? CISA, ISACA CISA or ISACA CISM. Depends on what you want to do in GRC. But if you can get the ISACA CISM, get on it. I think you have to have five years of experience in order to get that. So you'd have to look to see if you qualify. But please you want to comment on this.

C (111:09)

I'm going to try to go get a technical cert and automation because I think GRC engineering, I think GRC is going to be more technical. So if you can come in with your deeper skills and say hey I can write policy as code. So learning Hashicorp, learning terraform, learning cloud formation, that's probably going to be a good avenue for larger organizations who are moving to automation especially with the new PKA requirements of rotating your your certs and soon in 47 days so the GRC team being able to put capabilities but if you're doing traditional I agree the any any audit certification is going.

A (111:45)

To be helpful really quickly. Compuchris says he's been a CIO for seven hours. So compuchris like does that mean you like you got hired and then fired or you like it was like no. What's the word? You know how like continuity of government like when like you know, like people get picked off and then you know, the Department of Agriculture secretary is now the president. Like did you get like a field promotion to CIO and then they like or you did you start today? Because if you started today, I want to play the wrecking ball sound effect. I just need a little bit of context on what this means. Zero keystrokes. You ever been hacked? What did it teach you? I've had my credit card stolen a few times. I'm pretty sure the guy at Hardee's somewhere in North Carolina stole it. Only because we were on a road trip and I stopped there for food and then like an hour later like Groupon, like a weird Groupon purchase got made. Pretty sure it was that guy. It didn't teach me anything. It taught me that I'm pretty pumped about the modern modern credit card companies are pretty great at detecting fraud. Super inconvenient. What about you Fleetus credit card Several.

C (112:54)

Times I've bought too many before I had kids clothes in Oshkosh, Wisconsin from Oshkosh stores credit card go but to Jerry's point, they killed it real quickly. Sent me a new card. The pain part is having to reset up all those auto drafts. Auto payments did have one Facebook hack many years ago. We had a old email account that we abandoned. It was still used to log in and Hotmail sold it to someone else. So it gave them access to the Facebook account for a close Family member that made me take a long time to get back.

A (113:28)

Oh, that's gross. That sucks. Cryptic roses. How can an ambitious security pro progress quickly in roles, gain responsibility faster and accelerate towards senior leadership positions?

C (113:42)

That's a tricky. That's a tricky question. So some orgs are going to make you sit and seat 6 months, 8 months, 12 months, 13 months before they'll progress you. Other others will bring you in and promote you every six to eight months, depending on the size of the organization. So know what you want to do, what you want to be when you grow up. So it sounds like you want to move into senior leadership, so pick up leadership roles. I tell people the role. You start doing the role before the role finds you. So you're not going to get the title until you've been doing the role that you want. Three, six months, one year, two years, sometimes depending on the org moving into new opportunities. So ask for new things. Do new things continue to move around? Because some orgs are not going to promote you, you're going to have to leave. If you want that promotion, you're going to have to just leave. Others, if they're small enough, will just keep giving you new titles and keep giving you new responsibility. Sometimes with pay, sometimes with about to pay.

A (114:32)

Also, if you want to increase your salary significantly, you have to leave. No company's gonna jump your salary as much as going to a new company. Unfortunately, it's the truth. And if you really like the company, you can boomerang, right? Which means you go somewhere else and then you come back and it, it is complete chaos and insanity that when you come back you can get a much significantly higher salary even though you. We could be doing the same job, but it is what it is. Great cash, homie. All right, we've got about three minutes here until we're gonna boogie out of here. I don't see any questions in chat right now. Felitus, let's take a minute and pump whatever you're doing. Tell us, tell us where we can get some more fleetus in our life.

C (115:16)

Yeah, so don't have a ton of going on right now. I do have some articles that will be coming out in the next bhis that are finally being published. Those will come out in January that I wrote a couple months ago that finally got to the editing process. I'm still dropping my Saturday morning sipping with cyber security, so still putting those out every Saturday. Still doing my food for thought, so I appreciate those. As this community knows I sent out a nice gratitude message. I mean That I appreciate every single one of you. It's been my year long project. I started my YouTube channel in November of last year so I've just now hit 13 months and we'll see what 26 looks like and may continue to put out daily content. I may not. I mean just let this the channel stay kind of this there and add stuff as it's appropriate and I look forward to doing some more stuff. I'm still teaching. I completed my first semester as an adjunct so that was fun. I closed out grades this past week and I was asked to teach another section next year. So I will be teaching one more section in the spring. So looking forward to doing that and then just being active here in the Charlotte community. So if you're in the greater Charlotte area or North Carolina, let me know. Happy to meet up. Happy to share and get you connected with the community here in Charlotte.

A (116:26)

I love it. All right, so for adjunct faculty getting the first semester done. All right, we'll give you a Ric Flair woo on that one.

C (116:35)

I love it.

A (116:36)

Congratulations. Please, it's great to see you. I'm glad you had time to join us today for the jawjacking panel. Everybody. I'm going to, I'm going to take a long moment here. We got about a minute and a half before Daniel Lowry irl. I have pinned the link to the Daniel Lowry IRL so we can raid over there in a minute. I can see many of you already in chat there on the right streaming in there. So it's going to be good. Celebrate with Daniel. I want to thank you guys. I'm going to be doing the the state of Simply Cyber here at noon. I hope you can join us. Really. If you care about Simply Cyber and where we're going and what we're doing. I, I am very deliberate in my decisions, especially large strategic decisions for Simply Cyber. There is some big changes coming. Obviously I'm excited about them which is why I want to share them with you, get your feedback, get your input. Other than that, at five o' clock today I'm, I'm turning the lights off. I'm shutting it down. I'm taking my phone and throwing it in a pond. Not really, but proverbially speaking. And I am going to be going on vacation for two weeks. I haven't done it in 16 years, since my honeymoon. I'm excited. I am excited. Thank you very much, Felitus. Guys, I want to say thank you to all of you. It's been an amazing 2025. Absolutely grateful for what this community is. I just hit live and. And start talking. I don't. I can't force you to be here. I can't force any of this stuff. So for you guys to show up on the regular, it means the world to me, and it. It basically empowers me to want to keep going and keep driving and keep delivering value and keep celebrating everybody's wins. So thank you for making Simply Cyber amazing. Thank you for making 2025. Great. I hope you guys all have a wonderful holiday season. Enjoy DJ B Sec and Daniel Lowry next couple weeks, and be well, man. All right, I'm gonna send it off, everybody. On behalf of Fleetus and Daniel Lowry, thank you so very much. And until next time, y' all stay secure.