A
What's up, everybody? Good morning. Happy Monday. Today is December 1, 2025. This is episode 1014 of your Simply Cyber Daily Cyber Threat podcast. If you're looking to stay current on the top cyber news stories of the day while getting insights from industry practitioners that go way beyond the headlines and enable you to be a better practitioner yourself and absolutely destroy cyber security job interviews, well, then you've come to the right place. Like I said, this is Simply Cyber's Daily Cyber Threat Brief. We are off and running on this beautiful Monday morning. Let's go. All right. Good morning, everybody. I hope you had a wonderful weekend. Putting lights out on the house or going to the malls. You got your Black Friday, your Cyber Monday. Get you deals here, guys. I got my cup of coffee. I hope you got yours. Good morning to all of you. Hey, Jonathan, Booley Poner, Joe Mara Levy. We got Steve Young and Marcus Kyler. Goat in the machine. Not only it, with his new job, ad tech, doing all the things Guys, shout out to the MOD team. Good morning. Casually Joseph Haircut Fish, Jenny Housley. Kimberly can fix it, among others. Guys, if you're looking to stay current, we got you covered. 8 top stories of the day. I'll go through them, go beyond the headlines, and on top of that, I plan on giving you CPEs. Christmas is coming early this year, my friends. Every single episode of the Daily Cyber Threat Brief, including this one, is worth half a cpe. So say what's up in chat if you got those cyber security certifications that require maintenance. Right above my head. Silzium Skater. Hi, Iron Wolf. Guys, we got friends in here. Say what's up. Make sure that you get the title of the show in the screenshot because it has the date December 1st. It has the episode number 1014. And I hope you never need it. But if you ever get audited for your CPEs, just send them the screenshot data dump. You'll be off and running. 
If you do it every single day, you can get up to 120cpes for the year. More than enough, you really only need about 40 a year to maintain. Today's your first episode. Hashtag FirstTimer in chat. Plus, I'd like to say if you're a regular, but you never say what's up? Or comment in chat. Maybe make today the day you do it. Feel that Christmas spirit. Feel that holiday cheers. Say what's up. Let us know you're here. You can melt back into the background if you want, but over the last month or two, I've had several people come up to me and say, hey, I'm a regular of the show. I just never, ever, ever say what's up in chat. I like to just be lurking in the background. So again, I fully support that. But we love. I just love saying hello to all y'. All. So. So say what's up in chat. Hashtag first timer. All right, now today is Monday, which means we have Simply Cyber's community Member of the Week. Where's it? No. Yeah, there we go. We'll be recognizing one community member. The. The spot is sponsored by Threat Locker at least through the end of December. So we got a couple more. No word on whether or not this will be a sponsored segment in 2026. But. But as long as it is sponsored, one of our community will be getting 100Amazon gift card or Simply Cyber merch. Stay tuned for that. Guys, let me do a quick shout out to the stream sponsors, those who enable me to bring the heat to you every single day of the week. That's how I pay for like, like, spoiler alert. This is how Simply Cyber gets false funded is through the sponsors. We did the Black Friday pricing on the Academy. Did. All right, all right, let's say quick shout out and love to the stream sponsor, starting with Delete me. All right, guys. Delete me makes it easy, quick and safe to remove your personal data online. At a time when surveillance and data breaches are common enough to make everyone vulnerable, data brokers make a profit off your data. Hold on. I see Soul Shine with a baby and a baby bottle. 
Want to jump to conclusions here, but I'm thinking someone had a baby. Can mods confirm that so we can properly recognize what's up? Okay, so Alpha Sierra, new addition to the family. All right. Hey, guys, looks like one of our community members had a baby. Soul Shine adding plus one to the family. Congratulations. That's phenomenal. All right, hopefully baby didn't come in like a wrecking ball, but shout out to you, congratulations. And I really, really hope that you're recovering well and baby is well as well. Very Merry Christmas. Very cool. All right, guys. Data brokers make a profit off your data. Your data is a commodity. Anyone on the web can buy your private details and this can lead to identity theft, phishing attempts, and harassment. But now you can protect your privacy with Delete Me. Whether you're a newborn baby or you're an adult, as someone with an active online preference, privacy is really important to me, guys. You know, I have kids. Much like Soulshine, I have kids. I have a wife, I have a life, I have a home, I have dogs. And I'd like to pick and choose in this world of, you know, surveillance capitalism. I would like to choose who has access to my physical self, my home address, my phone number, etc. And I like to manage it. So the nice thing is Delete Me kind of manages it for me. I don't really have to do anything. Take control of your data. Keep your private life private by signing up for Delete Me now at a special discount for our listeners. Get 20 off your delete me plan when you go to joinedeleteme.com cyber use promo code Simply Cyber at checkout the only way to get 20 off is to join is go to join deleteme.com simply cyber enter code Simply Cyber at checkout that's join deleteme.com simply cyber code Simply Cyber Also want to say shout out to Anti Siphon training I assume. I don't know if they're still doing this Black Friday deal. It's not clear to me, but it is Cyber Monday, so worth a shot here really quickly. 
I did talk to Zach over the weekend about this too. My understanding is hold on one second. Antisyphon Training is running this massive deal. It's 1500 bucks for a full year of access to their entire catalog plus their access to their cyber range. Plus it doesn't say it here, but I, I think, you know, double check. I think you get a virtual ticket to Wild West Hackin' Fest. Oh right here. Yeah, yeah. Virtual ticket to Wild West Hackin' Fest now through December 31st. So their Black Friday deal runs through the end of the year, so scoop that up. AntiSiphone Training.com Black Friday 2025 link in the description below. All right, let's hear from Threat Locker really quick and then we are off and running on the news. Anybody have any great things that they did this weekend? Drop it in chat. I want to give some love to the Daily Cyber Threat Brief sponsor Threat Locker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with Threat Locker. Worldwide, companies like JetBlue trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how Threat Locker can help prevent ransomware and ensure compliance. Visit threat locker.com Daily Cyber. All right, thank you, Threat Locker. Guys, big shout out to the stream sponsors. As always, if you'd like to support the show, you can do it as simply as going and using the links in the description. Click on them, check them out. Cheddarbob. That's interesting. I did not know that. I didn't know that. Cheddarbob. Interesting. All right, guys, we gotta kick it off. We got a lot going on today, so do me a favor. 
Kia Aura Ryan, sit back, relax, and let's let the cool sounds of the hot news trashy wash over us all in an awesome way. Oh, hold on one second. I gotta. Hold on. I forgot to move the podcast. Hold on one second. This is what production looks like after the kids have been on vacation. All right, now relax. From the CISO series, it's Cyber Security Headlines.
B
These are the cyber security headlines for Monday, December 1, 2025. I'm Steve Prentice. CISA adds actively exploited XSS bug to KEV. CISA has added a security flaw that impacts OpenPLC ScadaBR to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The vulnerability has a CVSS score of 5.4 and it's a cross-site scripting flaw that affects Windows and Linux versions of the software via system_settings.shtm. The security company Forescout had seen a pro-Russian hacktivist group called TwoNet, that's T-W-O-N-E-T, targeting its honeypot in September 2025, mistaking it for a water treatment facility. Japanese brewer.
A
All right, hey, really quick, it's been a minute, but shout out to real Bilbo who called me out for this. If you've been a longtime member of the show, you'll remember I do this every once in a while, but I. I can't put the hoodie on because I have this earpiece in. So I just put on the arms. It's like, it's like leggings for my arms. Don't judge me. All right, guys. CISA adds two bones to the known exploited vulnerability list. Now, I want you to know this vulnerability is four years old. You can tell by the naming convention here of the CVE. So this one's been a well known vulnerability just kind of sitting out there and now someone's going ham on it, exploiting it. A couple of things. One, this is for an OT system and it's in the human machine interface, the HMI. So if you've been taking Mike Holcomb's ICS OT training, which is free by the way, this probably sounds familiar with to you. TL;DR, if you are running or responsible for OT and ICS, you absolutely should have patched this already. But now you, you have no excuse. You, you should go out and get it. Ah, you gotta patch it now. Chances are that it is not Internet facing. I would hope so. You know, you might have a little bit of time to get, you know, get in front of this, but you should patch it. It's. It's four years old at this point. One other thing that's kind of gross, I don't get it is it says it's cross site scripting vulnerability, which is a, you know, top three OWASP Top 10 web application vulnerability. XSS is at least top three. I think they're actually updating the, the list here. It's the last update was 2021. My problem is, first of all, the vulnerability is a 5.4, which is not very high. I could see why you would not patch this. I wouldn't patch a 5.4, honestly. But now that it's being exploited, you know, of course. All right, okay, so here is what I don't get. Okay, I'm going to call shenanigans here. 
Okay, so listen, as a practitioner and as a host of this show, I like to go beyond the headlines. I like to deliver value. I also like to call out things that I think are weird. Okay. Roswell UK is dropping the EPSS score with a 48%. So if you have this, you are going, you have a coin flip to get exploited in the next 30 days. So patch it. It's a cross site scripting vulnerability which allows you to interface through the web application and execute commands on the operating system. Lying underneath this infographic says initial access default credentials. What? That is not cross site scripting, bruh. So I'm not quite sure what the hell we're doing here. It just annoys me because like someone who doesn't know is gonna look at this and be like, oh, cross site scripting. Initial, initial credential, initial default creds. All right, here's the thing. Number one, you shouldn't be running default creds on any of your systems. That's ridiculous. Second of all, cross site scripting is a technical exploitation attack, not default credentials. So the TL;DR is if you're running this OpenPLC ScadaBR, patch it. The second thing is, and I guess just to go a little bit further, they talk about how Forescout discovered this by running a honeypot with this technology, making it look like a water treatment plant, and a pro-Russian faction got into it and tried to mess with it thinking that they were causing damage. Honeypots are a great way to have threat actors tip their hand on their TTPs. I will tell you. And this is, this is guidance from Eric Capuano. Honeypots on the Internet are fun, but they're very, very low fidelity. Right? Honeypots inside your network are high. High fidelity meaning if you stick a honeypot up in your network behind your firewall and it gets tipped over, you have a real problem. If you have a honeypot on the Internet, it's just cute and quaint, right? 
So sticking a honeypot on the Internet with this vulnerable piece of software, I mean, okay, I mean you get to see if people are looking for it, but it's, it's, it's what it is, right? Just don't have your HMI Internet facing. Right? That would be your first step. O J E S 9M tough name to say out loud, but first timer, we, we do like that. Welcome to the party, pal. We're gonna, I'm gonna do a full on. I'm gonna take a minute and put the emotes in place. I am a squad member too. Also shout out to DJ B Last Thursday hosting the show Asahi provides details.
B
Regarding October ransomware attack. The Japanese brewer announced on Thursday that the ransomware attack that occurred in October, quote, may have exposed personal PII of about 1.5 million customers as well as thousands of employees, their family members and external contacts, end quote, unquote, but not credit card details. The company has seen, quote, no evidence the data had been published online and said the impact appears limited to systems managed in Japan, end quote. The attack forced production shutdowns, delayed product launches and disrupted order processing and shipping nationwide. Cal.
A
All right, so it is beer. Not very good beer in my opinion, but it is beer. Okay, but dude, whether you're brewing beer, you're making pennies, you're, you know, generating 20 sided roll down dies or spin down dies, it's manufacturing, right? The product doesn't matter as far as I'm concerned. Right? Like it doesn't matter. It's manufacturing. Ooh, 30 months space tacos. Thanks for being here. All right. Yeah, exactly. Sunshine 2477 says leave the beer alone. Leave Britney alone. Leave us. All right, so guys, manufacturing traditionally runs very lean margins. 3% margins is what I've heard as a rule of thumb. Oh, Robert Hendrickson starts a new job next week. Hello, Robert Hendrickson. Thank you, Justin Gold. Don't judge me. Spin down. Manufacturing is a remains to be a top threatened industry. If you work in manufacturing, absolutely. Ransomware should be the top of your threat models. You should be doing tabletop exercises ensuring your technical capabilities to recover from a ransomware attack are sound. You understand who does what in what order. Make sure your backups are s. Are. Are in place and think about your, your ability to be like resilient and, and business continuity during a cyber attack. Okay. I thought Asahi got hit a while ago, honestly. Oh yeah, it is earlier this year. Oh yeah. By the way, I don't research or prep for these stories, so I don't even know what we're going to be walking into. Ain't nobody got time for that. All right, names, gender, addresses, phone numbers. So I mean, I, I don't want to poo poo this, but it was just a data exfil. Why did they. This, this is interesting. So it's. So it didn't actually impact the production line of the manufacturing process of the beer. It screwed up IT systems that ran the business so they couldn't do logistics. That's the problem. H. Okay. I mean the, the chilling ransomware threat actors are the one or killing whatever claim responsibility. They stole financial data, internal forecasts, etc. 
Again, I don't really know anybody that's like, like, Again, I don't, I hate to like downplay it, but in 2025 or 2026, walking into it like stealing employee data and like some internal forecasts, like, I don't even know if they paid the ransom, Frankly. Oh my God. $19 billion for a second said 2.9 trillion, but that's in the Japanese currency. But $20 billion making beer. I mean, geez, man, that is a lot of beer. So I, I don't know, I don't think this, this company, like really, they did shut down for 50 days or whatever, but I don't know.
B
California law regulating web browsers might impact national data privacy. In October, California Governor Gavin Newsom signed a law to amend the state's Consumer Privacy Act in order to.
A
Kevin Farrell, it's been a minute. Welcome back to the party, pal.
B
Mandate that web browsers, quote, create a turnkey tool for residents to opt out from data sharing once instead of having to do so each time they visit a website, end quote. Now, privacy changes required by a newly enacted California law could mean web browsers will soon offer all Americans a mechanism to easily opt out of all data sharing and sales when surfing the web. End quote. Currently, most web browsers do not offer mechanisms for residents to exercise these rights. But once they do, tens of millions of consumers, including those outside of California, may benefit. The law goes into effect on January 1, 2027.
A
All right, so the reason that they're saying that this is a privacy law for the state of California. California has famously been one of the leading states in individual privacy rights. Right. In the United States, you know, privacy laws are a patchwork because we are uber into capitalism and data is valuable and marketing. Right. States, okay, like, I hate to be so ridiculous, but like, laws are made by politicians. Politicians have to be funded to run their campaigns, money drives that most businesses have the money. Right. So in those businesses, it's in their capital interests to have looser privacy laws. Right. California's led the charge on this one and now they're January 1st, they're going to have a law that requires web browsers to have like basically one click out, right? Well, Google Chrome, Netscape Navigator, Opera, whatever, choose your own adventure here on browsers. It's ridiculous for them to have like a California version, a Beach Boys Chrome edition than. Than it is just to make it available for everyone. Right? Which would be awesome because now you and I could opt out if we want, but you know, this is going to be, I could imagine, you know, big, big tech, big data, whoever you want to call it, pushing back on this somehow. So we'll see how it comes. But I mean, this is great for privacy. I'm sure the state of Maine, who, who is another like, leader in the privacy game, is all in on this. We got a first timer. Brute 7679. Welcome to the party. And if I can read Brute's name like my son would. Welcome to the. Hold on. Welcome to the party, pal. At Brute 7679, Windows 11 password window disappears.
B
Microsoft is warning its customers that Windows 11 updates released since August may cause the password sign in option to disappear from the lock screen options, even though the button remains functional. The password icon appears only when multiple sign in options such as pin, security, key, password, and fingerprint are available. For users who just use passwords, the icon may not appear at all since Windows will just show the password field by default. However, hovering over the space where the icon should appear reveals the button allowing users to sign in with their password. Microsoft has yet to provide a timeline for the fix.
A
All right, so couple things here. Number one, Microsoft as a company has been on a massive charge to basically make passwords dead, right? We're not making passwords great again. We're making passwords history, right My kids are going to be talking about. Oh, dad, you're always talking about passwords. That wasn't even a real thing. Oh, dad, you're always talking about. You're always talking about landline phones, BBSs, and passwords, okay? Microsoft's been on this charge for a number of years, and now, I mean, for better or worse, they've made the login option with passwords a pain in the butt to get to. Okay, guys, let me tell you this really quickly. Let me tell you something. Fire Marshal Bill. If you want to encourage people in, like, again, in the world of cyber security, all right, and especially in grc. GRC Mafia, where you at? We are. Listen, we are righteous, okay? We are trying to do the right thing for our business. But grc. One function of GRC People is to modify people's behavior, okay? I know that sounds very dystopian and puppet mastery, right? But we. That's what awareness training is. That's what knowledge share is. It is to modify people's behavior, make them make better decisions, make them less risky to you, to the organization, to themselves. We modify behavior, okay? And there's a bunch of ways to do it. One tool in the toolbox of moder behavior modification is adding friction. And this right here, Microsoft is pulling a classic example of how to add friction. They make it. If you really want to use your password, they make it incredibly challenging for you to use your password. Imagine if you will, you go to the grocery store and you, you. I go to the grocery store all the time. You have the frequent flyer zip thing, right? You know what I'm talking about. It gives you the discounts. It's usually on your keychain. I always type in my password, right? My. I type in my number because it's my. It's my phone number. 
But, like, if that wasn't an option, I probably wouldn't use it because I don't carry that zipper thing on my keychain, right? So it would be frictionful for me to carry it. So I. So I wouldn't. I just wouldn't do it. Instead, they offer me multiple options. I find a frictionless experience. Microsoft is basically forcing people to choose alternative options over password. And they're going to because it is less friction for them to choose to use a passkey or, you know, a facial recognition or click on a picture in. In a couple different places, whatever. I'm telling you, this is the death knell of passwords for Microsoft Login. Very nice, Microsoft. Very nice. I like it. All right, let's keep going.
B
Huge thanks to our sponsor Vanta. This message comes from Vanta. What's your 2 a.m. security worry? Is it do I have the right controls in place or are my vendors secure? Enter Vanta. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. Get started at vanta.com CISO. That is V-A-N-T-A.com CISO. All right, hold on.
A
I still haven't gotten this. I have to add this to the playlist y'all, bro. All right, all right, all right. Shout out to all you guys. This is Ninja Ninja X Party. All right. It's all good. All right. Hey what's up everybody? Welcome to the show. We are at the mid roll if you could believe that. We're already halfway through the show. Jesus. A lot of big updates, a lot of people starting new jobs, a lot of people having babies up in this place. Shout out to all you. Hey what's up man? I definitely appreciate all of you. Thank you for being here. We're in that kind of like we're off and running on a December the holiday season. Definitely enjoy the crap out of it. Thank you to the stream sponsors, those who enable me to bring this show to you every single day. Threat Locker, Delete Me, Antisyphon and Barricade Cyber Solutions. Guys, really quick. Barricade Cyber Solutions is providing DFIR services to businesses, but one of the things that they're doing for this community is a biweekly Fortify 365 webinar series. And guys, Wednesday of this week they are running a webinar that is absolutely free to sign up and it's all around hardening Microsoft 365. Now if you've been following the series then you know that every session focuses on a different space and session eight is this Wednesday and we're looking at Microsoft Defender for Endpoint. Very important. I'm going to try to dial into this. Honestly the only reason I use M365 is for Defender. There's probably a cheaper solution but I have moved to Google Workspaces for my business but I still have Microsoft 365 literally just so I can just get access to the EDR solutions and the security tooling that M365 offers. So if you'd like to figure out how to help harden Defender for Endpoint, like EDR, threat and vulnerability management, device group configuration hardening, the MDM solutions, which I also take part of. Come check it out. Go to webinars.barricadecyber.com to register now. 
All right, guys, every single day of the week has a special segment. And do you know what Mondays is? Yes, yes, it is Simply Cyber's Community Member of the Week sponsored by Threat Locker. Threat Locker takes a deny by default approach to application and operating system security. Just like Simply Cyber takes a. It takes a village approach to building community and helping people out. Guys, I. I'm very happy to present this week's Simply Cyber Community member. Oh my God. How do I. There he is. Look at this right here. This. These are three different community members. Right in the middle there. Bruising hacks. Kia Aura. He is in chat right now, Ryan. He does a lot, but he is the DC, MD, VA simply cyber community Locals ambassador. And if you don't know what that means, we've been doing it for a few years. It is a little difficult to manage honestly. But there are local community groups like, think of like your local B sides or your local DEFCON group. There's local Simply Cyber groups and they get together and hang out and have fun. I know Ryan brought his kids, so I just wanted to recognize Ryan and thank him among, you know, just like all the other ambassadors for the Simply Cyber Locals. Thank you. Ryan and AB here featured in the foreground, took this picture. I definitely appreciate all you. So Ryan, thanks so much. Congratulations and appreciate what you do. All right, let's keep cooking. I also saw someone pass the system Rogue Cyber. Congratulations. All right, guys, let's get it. All right, Let the la la la la's wash over you. The Shola passed the ccna. Hell yeah. All right. I'm pretty sure I get hit with a copyright strike on this one. I'll have to double check, but I mean, if we're going to get hit with a copyright strike, we either have to find a new one or I'll just play the original. All right, let's keep cooking everyone.
B
Microsoft to speed up Teams. In additional Microsoft news, the company says that in January it will be adding a new Teams call handler to reduce launch times and boost call performance for the Windows desktop client. The process will be named ms-teams_modulehost.exe, which will handle the calling stack separately from the main application process to optimize resource usage and enhance meeting experiences without requiring additional end user training. IT admins are, quote, advised to prepare for the change by allow listing the new process in security software and endpoint protection systems to prevent false positive detections and calling issues as well as user confusion. Yeah, French.
A
All right. I mean, I don't know. I mean, personally, Microsoft Teams is kind of a pig application. Like, like, it's just, it's, it's slow, it's, it's resource intensive. It's not my favorite, you know, but whatever. I, I guess I, I never once thought like, oh, you know what? Like, this is slow. I need to, this is, I need them to speed this up. But whatever, they're doing it. The TL;DR for everyone here is, this is for SOC analysts. All right, number one, also IT. But really SOC analysts right here. ms-teams_modulehost.exe. This is the new binary that's going to be running. So if you see this, it is legit. So I would, I would, you know, pass this around the old water cooler at the SOC and let people know. Also, if I was a threat actor, I know what I'm doing, I would name my malware ms-teams_modulehost.exe. So just be on the lookout for that. Don't, don't sleep on behavior-based detections, right? Just because you're whitelisting or. I don't even know if that's politically correct anymore. Even though you're authorizing this binary to run in the environment or at least be aware of it, if it starts reaching out to C2 nodes or launching something in command exe, you know, perhaps it's a threat. So don't just say approved and then move on. But, but to me, this is really the thing, right? This isn't about end users. It's about an architectural change underneath is what it is. But, yeah, but don't sleep. I mean, if I was a threat actor, I would absolutely. The timing of this is perfect, right? Think about it this way for a second. If you were a criminal or a threat actor and you saw this story come through, you'd be like, oh, perfect. Teams are going to be thinking or not Microsoft Teams. But like organizations are going to be expecting this binary to show up and be flagged. They're going to be exp. They're going to be educated that this is a true pos. A true, this is a valid authorized binary to be running on an operating system. So approve, right? 
So chances like this don't come around very often for threat actors. So if I, like I said, if I was a criminal, I would, I would be like all up on this. This is like akin to when a really popular event is happening. Like World Cup or presidential election or something like that, and you jump on top of it for your social engineering campaigns. This is like social engineering SOC analysts essentially.
B
So look out for that federation that suffers data breach. This breach came as a result of a compromised account which allowed attackers to steal PII belonging to its members. The breach involved software, quote, used by clubs for their administrative management and in particular that of their members, end quote. The organization did not disclose the number of members impacted. Democrat wins.
A
Okay, okay. Soccer company, soccer group had data stolen. They don't know how much data was stolen. They don't know how many victims. They don't know what data was stolen. They don't know how they got in. So this is like a story, like someone who's terrible at telling stories, telling you a story, you're just like, what's the point? What, what's going on? Compromised account. So could have been an initial access broker sold it, or info stealer got it and dumped it on Telegram, one of those things. They immediately disabled the account and reset all user account passwords. Jesus. All right. I mean, hey, listen, when you do incident response, right, There are many, many different choices you can make when you do incident response, sometimes you just wipe the machine, reimage it, send it back to the end user, let them keep on cooking. Sometimes you have to reset everything because you have, you have low confidence that the overall system hasn't been compromised, like your overall, you know, active directory and all that stuff. A domain admin account got out, golden tickets type things. So you reset all of the accounts. This is a big decision. And by the way, this is one of those ones that you may want to give consideration to if you're doing tabletop exercises. Resetting all user accounts should not be taken lightly. This isn't a video game where you're just like, whatever, who gives a sh, right? Resetting all user passwords is amazingly full of friction for all end users, okay? You're, you're, you're putting a burden on every single user of your system. Now they're going to change their password because if they want access to the network or to the application or whatever it is you're giving them access to, they're going to have to change their password. And they will, because what they want is on the other side of it, right? This is why people fall for click fixes all the time, because they want whatever's on the other side of it. 
And they will click through a captcha or do whatever the captcha tells them. This is essentially like a captcha, except you're resetting your user account password. I just want everyone to know if you do this enough, it is, it is very full of friction. And if you do this, they may want to consider having funding a help desk or support desk to be like staffed for 24/7 because you're going to get a lot of people calling in with, with challenges of oh, I can't reset my password, my password's not working, why can't I access it? All these things, right? Now you can try to introduce automated workflows and educational information and emails out to people, but you're still going to get a huge population of people who don't understand what the heck's going on and help. So just, just be aware it's not as simple as oh, just everybody reset your password. We're on to the next thing.
B
Virginia, largely on the topic of data centers. John McAuliffe, a 33-year-old small business owner and former civil servant, won election to Virginia's legislature this month in part due to voters' concern over, quote, the deleterious effects of data centers and their impact on electricity bills, end quote. The data centers of Loudoun County handle more traffic than any other concentration in the world and are central to the functioning of much of the Internet. The warehouse-sized facilities impose upon farmland and create significant noise in addition to electricity bills. A 2024 report from the Virginia General Assembly's Joint Legislative Audit and Review Commission stated that Virginia's rate structure charges the facilities themselves for the use of electric power. However, energy prices are likely to increase for all customers to cover costs of new infrastructure and power importing needed, end quote. McAuliffe described this as an artificial tax on everyday Virginians to benefit Amazon, Google and some of the companies with the biggest market caps in human history. Which is not to say they don't provide benefits to those communities, but that we need to do a much, much better job of extracting those benefits because the companies can afford them, end quote.
A
Okay, yeah. So here's the deal. We don't talk politics in up in this show but the story here is that, I mean this isn't a cyber story at all like at all. This is like so far removed from cyber security that I'm stunned. I think, I think my 10 year old could identify that this is not a cyber security story. Okay, so what can I give you for this? All right, here's the TLDR, right? Data centers are AI takes an assload of energy. Okay. And I mean I've seen story like Three Mile Island is getting reactivated. Okay? Like, power plants are coming online because everybody is, you know, eating AI like it's a sack lunch, like, right? So data centers are coming in. Guys, I hate to be so cynical, but large companies have lots of money, and, yes, they could be paying their own way, but this isn't. You know, this is not a government structure that requires big business to, you know, I guess, pay their way.
The. The idea here is that data. Existing data centers, obviously, they have to pay for the power, but just like a sports franchise, having a city pay for their stadium, which still blows my freaking mind. This is one of those ones where the idea here is that more data centers are going to need more. More power, which is going to require new infrastructure, which then would be paid for by citizens. Again, this is not a cyber story in any capacity. So thank you. Let's keep going. Oh, that's. That's all the stories. Geez, what a wet fart to finish on. All righty. Hey, holla, holla, holla. We finished early, guys. 8:45, saving you all 15 minutes. Hey, it's Cyber Monday. Big deals. 25% off the show today. LOL. Right? All that means is we got an extra 15 minutes to do some jawjacking, which is an AMA style. Guys, if you want to get out of here and go scoop up your deals on Cyber Monday. Get on, go on, get on, Get. But I will tell you this right real quick. I saw this on social media, and I thought it was hilarious. You know what I want for Cyber Monday? I want 30 off groceries. I want Black Friday pricing at Harris Teeter, please. Dude, I'll buy my rib roast today and freeze it for my Christmas Eve dinner if I can get a discount, bro. All right. I'm Jerry from Simply Cyber. Don't go anywhere. We got Jawjack. And thanks so very much. I hope you had a great Monday. If you got to get out here. Peace. Otherwise, let's cook. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered, and totally free. Let's level up together. It's time for some jawjacking. What's up, fam? Good to see you. I'm Jerry Guy coming at you live from the studio. Coming hot off the heels of the Daily Cyber Threat Brief, hosted by that nerd. Oh, what a dork. Dr. Gerald Auger. Okay, okay, you academic. I'm just kidding. It's me.
But seriously, let's cook. This is Jawjacking. All I want to do here is help you level up, help you be the best you can be, help you CEO of yourself, help you either socialize, level up as a professional, get what you need as a individual. And I give. I give this time willingly. Every single day. I make sure that we provide at least a half an hour of mentorship at scale. I had a couple really, really nice DMS this past week from individuals who shared how impactful Simply Cyber has been to them. And this isn't me like, flexing. It's like, it's. It's partly me. It's partly the community, but people. Guys, I'm gonna share this right now. I had someone tell me that they would have abandoned cyber security had it not been for Simply Cyber in the community. So shout out to all y'. All. We are doing. We're doing some good work up in here. Drop your questions in chat with a queue, and I will answer them as best I can. Chris Young says, can we get a Cyber Monday pricing on our Yeet Crew starter kit and membership card. There you go. It's been a minute. On the Yeet Kia Ora Falstad on time. Thanks, everybody. Bruising hacks are simply Cyber community member 16 months. Squad member. Cyber risk witch is up in here. Good to see you. Devin Grady's gotta go. Look at this guy with his jobs. All right, Steve Young's in the house. Good to see you, Steve. Cyber Monday pricing on mortgages. Yes. No kidding. Marcus Kyler. All right, Sunshine says it's the earliest the daily cyber threat briefs ever ended. Yeah, well, they only had seven stories today, which is one less than normal. And that last story was stupid. Right? Looking at chat. I'm scrolling background. Wet fart finish. Okay. All right, let's keep going here. All right. Looking at chat, guys, what do you got? I mean, do you want to share anything from your weekend? I gotta tell you, we're. We're doing the just little fun fact for myself, personally, we're doing the. There's like a. 
A county park around here that does a huge Christmas light thing. That's going down tonight. Keith Sloan with the first question. I feel you have a potty mouth like me. What do you exact. What do you do to actively watch it when you're live? I don't know. I feel like I run a just in time filter directly in front of my mouth so you'll hear me say, like, holy or what the. You know what I mean? Like, I kind of catch it. And if you've ever hung out with me in person. I think I do cuss a little bit more than I do on stream. Just a little bit. S Cole07: what would you rather use instead of Teams, Slack for internal DMs or Discord for internal DMs for meetings? I use Google Meet. It's easy, it's quick, it's consistent. I like it. Zero keystroke says I'm a GRC enthusiast. Yes sir. Can you share your experience? How hard is it to get into? How are GRC analysts viewed in orgs? All right. Zero keystrokes. So if anyone is unaware, I built my entire career in GRC. I'm a card carrying GRC mafia member. I have done blue and SOC work, IR work. But it's usually when you work at smaller organizations you have to kind of do all the things. So I mean you say share my experience. Hold on one second, let me. I will tell you this. How hard is it to get into? That's up to you. I mean that's a very subjective question. I think it's easier to get into than other roles in industry. Right now in the United States. I don't know where you are, Zero keystrokes, but CMMC Charlie Michael, Michael Charlie is becoming, it's a law and it's becoming a requirement for government for defense industrial base contractors to do work with the United States Department of Defense or war, whatever you want to call it. And this is, this is going to surge as far as demand goes. I, I was talking to Brandon Pool last week. It. So I think it's a best, it's the best time ever to get into GRC. GRC analysts, how they're viewed in orgs.
I mean they're viewed as the cyber security people at the org internal to cyber security. You will get some shade thrown at you by different members of the information security team because it's, it's technically less technical than others. So they might kind of give you like the side eye but everybody has their role in cyber security. Now I want to say you said can you share your experience? I'd love to share this with you. This is simply Cyber Academy. It's my online school. We have a bunch of education there. But I want to call your attention to this GRC jump start this course right here. 20 bucks. Literally the premise of this course is discover if GRC is the path for you. I literally put this together. It's me sitting down. I think it's a couple hours long. I'm sitting down and I'm shooting, I'm shooting straight. All right, so this is my 20 years jammed in. Essentially, the way you should think about this class is I said you, I. You said you asked this question, and I sat down with you for several hours and answered it at length and then told you whether or not it'll work for you or not. All right. Real Kyle. Kyle says hot chocolate or cider. Oh, man. I feel like each one serves its purpose. I'll tell you this. I like. I like hot cider if it's got a little in it, and I like hot chocolate if, like, we're watching a movie with the kids. Or to me, hot cider is more of a party drink or a sitting around just staring at the Christmas tree. Hot chocolate is like a family activity. That's. I guess that's how I break it down. Did you see Simply Cyber Community Member of the week teammate Ms. Julian's newsletter, CyberCon Speaker Checklist. Great for Those preparing. Yep. Ms. Julian's got a very good newsletter on LinkedIn. Worth checking out. Not only it says, any Cyber Monday deals you have your own eye on. Yeah, I'm gonna check. I don't know. Usually Amazon puts all of their echo devices on massive sales. 
I was gonna look, you know, they have, like, we have Echo devices, right? I'm. I'm looking at getting one of the ones that has, like, a display on it for the kitchen. Kind of a nerd thing, but. Excuse me. Kind of a nerd thing, but that's about it. Honestly, guys, I'm 46. I've. I've got. I got what I want. Like, I don't really. It's always a struggle when I'm asked by my wife, like, what do you want for Christmas? It's like, like, can I just. I just. I'm happy. I'm. I'm very blissful in my life right now. But I will tell you a lot of Magic the Gathering stuff I did ask for. Since I did have to make a Christmas lift, I did put a lot of magic stuff on it. So. Goat in the Machine sharing his story. He got over imposter syndrome because of Simply Cyber Awesome Dude Cyber Risk, which, in your opinion, is there an ideal length of time to stay in a role before looking for the next opportunity? Yeah. I mean, in an ideal situation. Right. Assuming that you don't have toxic people. To me, personally, I think two to three years is kind of the idea. I feel like two years is like, the right time to start looking. Three years, you might be getting long in the tooth. At the same time, though, you know, I, I. My Very first job, like one year to the day is when I quit so I could have one year of experience. But that was like kind of a toxic job. I, I met my wife at that job though, which is like the best thing ever. But yeah, that, that, that employer was exploitative to say the least. But I would say two years Chat. Let us know your thoughts if you have thoughts on cyber risk, which is question here. I mean if you have a great company you can, you can promote internally but also remember cyber risk which your street value is higher than your internal value, right? So say, say you take a job and you're making 50 grand a year, right? And after two years you're like hey, like I'd like a new role. 
And they're like we're going to promote you to senior, you know like say you're whatever GRC analyst. They're like we're going to promote you to senior GRC analyst. Maybe you get a 10 pay bump maybe. So now you're making 55,000 but you go on the street and a senior GRC person can get 75, 80,000. Right. So that's what I would say to that. Let's see, looking for questions. If you have questions, drop them in chat with a Q up the front. Makes it easier to find. Thank you. Elliot Mati. What are fun and interesting cyber related holiday gifts for the non tech savvy of all ages? Hold on, I gotta read this question. What are fun and interesting cyber related holiday gifts for the non tech savvy of all ages? So I think what you're saying is what's an interesting gift for people that work in cyber for someone who's not tech savvy and doesn't know how to, how to gift for this person? Geez, good question. I mean I gotta tell you, like, like maybe for where is it great stocking stuffer. Obviously like these little power bricks are great little stocking stuffers. Secret Santa gifts I think I'm trying to find. I have an absolute dynamite stocking stuffer. I can't find it right now but basically they sell these little things that basically they fold down to like very small, like credit card small but then you can open it up and put your phone on it. Right? This is not exactly that. This is actually my wallet and my phone, phone stand. But I like those for people for myself obviously. A nice webcam, right? Since we're all on, we're all on stream all the time or not stream. Trying to think what else would be good? I mean I, I'm like, looking around at my gear setup here. What do you guys think? You know, it's another solid. Another solid for cyber people. A good backpack. Now, I know that sounds ridiculous, right? But think about when you travel, right? When you travel, you go to cons or something like that. If you're packing, like, these briefcase things or hand, you know, like. 
Or you've got several bat. The person's got several bags, dude. A good. A good backpack for tech people is a solid w. When I travel, I mean, obviously with the. With if I'm doing the show, I have to take crates of stuff, but for the most part, like, I'm going to Austin, Texas, in a couple days. I'm just taking this guy right here. All right, fun question. I do. I would love to see what other people say. Code Bruce has a password manager subscription for sure. That's a solid. Face. Doyle, our Irish rep, says I lucked out and got someone to mentor me. It's been massive boost. I told him about Simply Cyber, and he messaged me saying he sees why I love the community. Time to load my Starbucks card. That's right. Nicely done. Are Wi-Fi routers secretly spying on us? Or is this untrue? I mean, I. I'm not. I wasn't aware of a big Wi-Fi conspiracy. I don't think they're spying on us. I mean, if you want to fact check this one, it's very simple. Just SPAN port out the Wi-Fi router and see if it's sending data out to some unknown C2. Right? Simply Cyber. And please don't take this. That as a hit to you. It's totally not a you thing. Oh, I don't know what that you're saying, Keith Sloan. I don't know what Keith's. That's okay. I don't. I don't even know what you're talking about, so I definitely can't take it. What is your go-to Magic debt set? Magic deck set, Jerry. Oh, boy. All right, all right, all right. So. So really quick. Unfortunately, it depends, right? But right now, my go-to deck, the one that I like, really enjoy playing, I have a Urza's Precon Commander deck that I've upgraded. So that's my go-to deck. If you played Magic back in the 90s, like, 60 card standard decks was the only way to play. And now Commander, which is like 100 card singleton format, is the only way that people play. So that's my go-to. I also played Zach Hill this weekend with a blue Pauper deck that was pretty good. Yeah. Ronda Rummerfield knows the, knows the struggle.
When you really don't want anything, you're just happy. Elliot Matai says some of the best gifts are replacing worn out things. There we go. Elliot's asking for a replacement hoodie. I love it. Are you okay with a microphone connected to the Internet at all times? Yeah, yeah, Goat in the machine. I mean I listen, you know, I'm not a, I'm not like a, like I like my privacy but at the same time like dude, you have a phone on you all the time that has a microphone. Right? You know what I mean? Like so I'm okay with it. Yeah. E Lucky says bumped send. Too soon? Just got my CC cert taken on more of a security role at a small org. When do you recommend to go to next? For someone with a long IT background, where do you recommend to go next? Okay, so first of all we gotta double shot this. Congratulations on passing the CC and getting that. Congratulations on taking them more of a security role at your small organization. And I, I gotta tell you right now, like working at a small org, you are gonna get your hands in so many different things. Great, great learning opportunity. You have a long IT background. So honestly what I would recommend you do next is you like, if you have a long IT background, being able to communicate effectively, being able to do risk analysis and like, like basically the non tech parts of being very good at cyber security. I, I would, I would look into that. And I'm not just trying to like push you into grc. What I'm trying to say is if you're building your character in Madden and a long I T background, you've maxed that to 99. But you're like risk and analyst. Your risk analysis skills, your communication effectiveness are all at like 10. Doing more IT stuff is like not helping you, but complementing the other parts of your skill set would be. So again, I don't know you, so I don't know if you're already great at communication, but that's one thing I would look at also. What else would I recommend? 
I mean it depends on how good you are at cloud, but that would be good. And then I guess the final thing, E Lucky, since it's a small org, maybe try to get into like CIS18 and start actually deploying more of a cybersecurity framework at your organization so you can begin to measure and see data points on how your overall cybersecurity maturity is and the effectiveness of your cybersecurity on risk reduction. For the organization. That's what I would do. All right, Zero keystrokes. Any tips on how one can stay on top of cyber threats without drowning? Yeah, I mean, honestly, I mean I, I just to level set, yes, there is a ton. So I know you say without drowning, but unfortunately you just get a big old straw and start sucking. What I like is, you know, you have your stories that you like to read. If you're on social media with any level of regularity, subscribing to some of those accounts that provide cyber security news, right? Like BleepingComputer or Dark Reading or you know, any of the hacking news like those. So you're regularly kind of seeing the information. Zero keystrokes. If you work at an organization where it aligns with an ISAC or an information sharing analysis center, get on those because then the threat intelligence is actually custom for your industry, right? So like Automotive ISAC, Healthcare ISAC, REN-ISAC, whatever. So hopefully that works. Cheddar Bob says there is something to be said about having a great organization culture and not switching jobs on the regular. Cheddarbob's absolute, you know, demonstrates that decision too. Guys, I'm telling you, for me personally, like, yes, I like money, I guess like anyone else, but I'm not really financially motivated, which is why my, which is why Simply Cyber Academy courses are so cheap.
So, you know, if you, if I was at a great organization with great culture and I felt appreciated and I loved my job and my boss was flexible and everything like that, I wouldn't quit and go work in some toxic place for like 10 more, you know. So there is something to be said about that. Bustin Justin: what's next after SOC Analyst 2? Well, you got a couple options, Bustin Justin. You can go to SOC Analyst 3 where you're doing very specific hard cases. You become, you can become a manager of SOC analysts. That's another option. You can pivot to pen testing where you're gonna be better at purple teaming because you understand how the defenders are going to work and you can help deliver better value for them. I guess those would be the obvious ones. If you want, you can get into GRC since you'll be able to inform on the reality of how defense mechanisms are implemented. And you know, testing those defense, like auditing those. Test auditing those controls effectively knowing how they actually are implemented. Because you were in the SOC. Fedex, dude. FedEx. Spitting truth here, he jumped and got 40k more. I mean, dude, the easiest way to get more money is to switch jobs, period. Full stop. Now if, hey, here's another pro tip, guys. If you really like your job, right, like, let's say you're Cheddar Bob and you love your job, right? But you need more money, right? You've been working at the same job, they haven't been giving you pay raises or whatever. Unless your boss is an absolute a hole. What, what I would do is, and I've done this in the past is I would say, hey, like at a, you know, one on one or whatever, just say, hey, you know, what would it take for me to get, you know, a 10 raise or a $30,000 a year raise or whatever? Like, like don't say, I want this 30,000. Say, hey, what would it take? What would I have to do? Like what, what, what tasks, what metrics, what gates do I have to pass for a $30,000 a year raise?
Now you've, you've given it to your boss as an option and they can say, oh, well, let me go find out, right? And then they come back and they say, oh, there's nothing, there's nothing you can do because we don't have the money. Or if you do these things, we can promote you and then you can get the 30 grand raise, right? At least there's a path there. And then if they say they can't help you, well then you, you're, you're not saying, I'm gonna go find another job or I have an offer letter. You're just saying, how can I get that 30 grand? So if they, if they can't deliver on it, well, then you can go look for another job. And then when you say, hey, I'm gonna quit because I got, I'm quitting because I got this job, they can't be like, why? You're like, I, like, I literally, unbeknownst to you, gave you an opportunity to retain me and you said it wasn't possible. And, and by the way, if you come up with the 30 grand, now that's gross, man, because I literally asked you and you told me it wasn't possible. Okay, all right, here we go. Wow. Real Kyle, Kyle with no context. I don't know what to say about that. Excuse me.
Oh, Mike Andrewsi said, my crush, your first 30 day video. And he took it to heart. Nicely done. Guys, I gotta tell you, I make all this content. I'm not making it for clicks or views. Like, look at my performance of my content. I'm not going viral. You know what I mean? I'm making the content because I Know it is effective and can help you. That's what's up. All right, hold on, let me get my little chiron sliding by here. All right. Elliot says looking to help non techies be more secure without overwhelming them. All right, hold on. I'm way behind on chat here, so I'm going to start scrubbing ahead and doing lightning round. Not a question, but I saw an old raggedy cat named Carl at the SPCA this weekend and thought of this show. Thanks. Cyber Risk, which Marcus Kyler loves backpacks. I love it. All right, a lot of people talking about the backpacks here. Lightning round. When are you going to be? Where are you going to be? Simply Cyber. We could meet up in Austin. So I am going to cyber marketing conversations because I, I have to. I shouldn't say I have to, but I'm going to this conference right here. Here's the reality, guys. You know, for what it's worth, I, you know, I do consulting and I do work, but I, I, you know, this show like basically I work in media, right? And my sponsors pay to, you know, sponsor me. So. And that's how I fund a lot of what we do here. So this conference is like where those people are going to be. So I, I'm going to IT for business development. So I'll be there, Robert, and we could try to connect. I don't know. I gotta look at what the schedule is. It'd be nice to have a simply Cyber meetup. Possibly. I have a dinner one of the night on Sunday night. I get in late, I have a dinner and then one of the two days, I think Tuesday I have an event with this company I've been working with. So we'll see. A gift card for massage Envy. There you go. Stress reliever. That's always nice. 
All right, what's a good password vault online company or app to use? I like Bitwarden. I like Bitwarden. You have a. If you, if you feel strongly about your password vault, please let me know. See Kyle. Kyle's on in that. Are you aware on Intel Management Engine? No. Okay, looking for. How did you feel about cds, certification, memberships? I love cyber. Second, want to learn how to install secure smart home systems? I mean I've never heard of CEDIA, certs and membership, so I don't know anything about that. Installing smart home systems that are secure, I mean that's a whole business for sure. So yeah, I mean, sounds interesting. S. Cole says I have a GRC analyst interview today with a hiring manager and panel. Is there a method to answer behavioral questions. Oh, I mean, I don't know if there's a method. I mean, I mean, I guess for me personally what I like to do is I like to think through the whole question and then I like to build like scaffolding, kind of like an outline in my head of like three points I want to make. And then I mean I treat it just like a, a YouTube video, right? They asked me a question like, oh hey, you know, you find a vulnerability, like you do an audit and you find a vulnerability that's pretty gross. And the business says that they're not going to fix it because of budget constraints for six months. How would you handle that? Right? So in my mind I'm like, okay, you know, there is budget issues and a cyber risk. All right, so what I want to talk about is what's the risk itself? Like how, how bad is it? So let's do an analysis on the risk, let's talk about understanding the business needs and then let's solve this gap for six months. So there's my three points. So I, and I, I, I'd be writing this down, right? I have like a little pen and I would say, okay, listen intro, like, you know, we've got ourselves in this tough position where we have this gap for six months.
And while that is bad, I understand that the business needs to operate and we have this financial constraint so it's not going to get fixed. So the first thing I would want to do is understand how risky is this gap. Is it an SSL cert on a lab machine or is this an Internet facing asset of mission criticality? Based on that I would need to understand, you know, how risky is it? And let's assume, because this is going to give you more meat on the bone, let's assume it is an Internet facing mission critical asset. Well now sliding into the business, I want to make sure that the business can continue to operate. So what I would do is I would meet with the business to understand what is it about this application or system that they need working to make money. Once I figure out that function, I can look at what could be disabled or what could be mitigated. What kind of risk can I tamper down? And assuming that I can't tamper it down, can I work with the SOC to put detections in place? Can we, you know, like look for user accounts getting created, look for traffic coming out of it to weird places, whatever, elevate the EDR solution and then put a six month reminder on it, something like that. Okay, and then, and then an outro. Just make sure your outro isn't. And if you like the answer to that question, ask me another one. Until next time, stay secure and then get up and like ninja bomb yourself out of there. All right, what would you recommend as a computer, as a compensating control for DLP? Ah, geez. I mean, that's hard. I mean, if you could put in. I mean, if you can. I mean, DLP, if it's very specific. Right. You're not going to catch it. But I mean, if you could put in some controls around at the SIEM level to see large file sizes being exfilled. Like, you know, if someone's like sending an ass load of information from their work account to their personal email, like gigabytes of data, that could be an indicator of. Of issue.
Chatterbob had to get out of here 10 minutes ago. Sean Sailors 43 raise. I like it. What positions are ideal for entry level to pivot into cyber other than help desk? Some online sources say, yeah, system. System administrator is a good one. All right, what else? I'm speed running the questions now. So FedEx, he gave us notice and then they tried to give him more money. Yeah, I mean, here's the thing. If you like the job, try to give him the opportunity. Just don't screw yourself over. Do not, do not, do not ask. Hey, can I, you know, what will it take to get 30 grand more? And they come back and they say, there's nothing we can do for you. And then say, well, then I'm gonna go look for another job. The moment you tell your business that you are not fully on board, like you are putting a target on your back. Okay, I, and I know there's a lot of people who are like, oh, like, like I know personally. Someone who got a job offer, went to their boss, said they were going to quit, the boss convinced them to stay, they stayed, and then when they did their first round of layoffs six months later, he was the first one laid off. Okay, what ring light do you use? My wife wants one for her Korean skin care. Instagram. Yeah, sure. Elliot. Matthias. This one's actually very, very affordable. Let me see. I've used this one for years. This is, I think this might be the first ever thing I purchased, like for simply cyber.
It's. This right here comes with a little stand. I literally, I literally have it off camera. It's. It's been here for. I mean, it's not. I mean it's, it's very cheap built. So if you're going to be moving around a lot, you might want to get something a little bit more resilient. But it's just mounted here off my desk and it's great. I'll drop a link in chat to it. Oh, allow me to drop a. Let me. Let me drop an affiliate link. Get 4%. Thanks for supporting the channel, Elliot. I'm terrible at affiliate sales. There we go, dude. All right. What do you think of Hack The Box's new cert? The CJCA. Thinking about getting it. I don't know anything about it. Bizarro. I mean, I've heard good things about their CDSA or CSDA, whatever it is. I've heard good things about their SOC Analyst 1. So I don't know about this one. If anyone in chat knows anything about CJCA, holler at us. Sunshine says imagine ninja bombing in an interview. I think that's funny. All right, let's see here. Continuing to look through chat, we have an extended jawjacking. Because I finished the stories a little early today. Lazaro passed the AWS cert back in February. Congratulations. Oh, I'm all caught up, baby. Come on down. Love it, love it, love it. All right, Kyle. Kyle says he's been seeing job requirements saying needs OSCP or Hack The Box. Esco07's getting out of here. I like it. I'm gonna call the vet right after this. Get some meds for the kids or for the dogs. What? Hey, since I'm caught up on chat, any Cyber Monday deals that people need to share. 258 people in chat. If there's any Cyber Monday deals, holler at us. I am so amped up, dudes. On Friday, I said this on channel the other day. I woke up on Friday morning, the day after Thanksgiving, and all I could think about was cooking a rib roast on Christmas Eve. I am so pumped about that. Also, I'll be making a meat A meat quiche here pretty soon. Humble bundle's always good. Let's see. What humble bundle?
Dude, I kind of wanted a Stream Deck, but like, I thought about it for real. I probably won't play a Stream Deck. I like the idea of the Stream Deck, but I don't have time. Oh, by the way, Mrs. Auger doesn't think I'm gonna do the two weeks vacation. She thinks I'm going to work. She's like, literally everything you talk about all the time is work all the time. All you do is work, work, work, work. I said I'm gonna do it. She said, oh, you're not gonna reply to any email, you're not gonna look up anything, you're not gonna do anything. I'm like, I am excited about playing Final Fantasy Tactics. All right, here we go. Stones fan. Mr. Cooper, what was your favorite dish at Thanksgiving this year? Mine was the pumpkin risotto. Oh, pumpkin risotto does sound good. My favorite dish, you know, you know, it wasn't like, it was particularly delicious, but there was a charcuterie board at Thanksgiving before dinner, and I ate the crap out of some charcuterie. Dude, I love meats and cheeses, period. Full stop. There were like some bacon wrapped figs in there. Oh, I love charcuterie. Like, not every day, but like many days, I go into the house at lunchtime and I just pull out a bag of meat and a big block of cheese and I just like work on it for like 10 minutes and then I come back out to the studio. All right, Dr. Auger, which would be the best for an aspiring GRC analyst to home lab, compliance and audit, risk management, security awareness, governance and policy? Well, the best, the best would be risk management. It's. It's difficult to home lab, but you can, you could do, if you really wanted to, you could turn your home into a business and you could do NIST CSF against your home. That would probably be the best way to do it. Security awareness is probably the easiest to do because you can so be social about it. All right, what else guys got?
B
We.
A
I got five minutes left. You got five more minutes. I got five on it. And then we are gonna do. Simply Defensive. Oops, Simply Defensive is here. Final episode of the season. Oh, we're talking about. This is Josh Stroschein. Guys, this, this guest is awesome. I didn't realize he was their guest. Guys, couple things. Number one, Cyber Yeti on YouTube if you don't know him, This is awesome, dude. Dr. Josh Stroschein. I graduated DSU PhD with Josh. I love this guy. This guy is a treasure right here. He has amazing content on his channel. If you want to. Dude. If you want to learn reverse engineering and software exploitation, binary, IDA, Ghidra, assembly, this guy right here is where it's at. I love myself some Josh Stroschein. And he is going to be their guest right here on Simply Defensive. He works for Google as a malware analyst reversing all the things. All right, so definitely get, get on that. I also want to remind everybody. Oh, hey, I'm asking a favor for the 239 people who are here asking for a friend. This Thursday, if you guys are available. This Thursday. This Thursday? Where is. Oh no. Kimberly. Is Kimberly here? Kimberly. We've got to get the Thursday stream up. This Thursday, Simply Cyber Firesides Thursday at 4:30pm, please. I'll set up a like a calendar thing you can click on. We're having a Threat Locker. Come on. Yuri from Threat Locker is going to come on and we're going to be talking about, you know, basically cyber security stuff and just all the things it is. It is going to be a sponsored Firesides. So I would definitely appreciate the support if you guys can come turn out for it. I would appreciate it not forcing anyone, but I am asking a favor. We definitely got to get that scheduled though. When do tickets go live for Simply Cybercon? So I was thinking about this, Chris. I was thinking about this on this morning actually in the shower.
I think what I'm gonna do is I'm gonna wait until after my two week vacation and start of the year, we're gonna open all of it up. Okay? So think start of the year. All right, Kimberly, that's my goal for today, is to get you all that stuff. Thank you, Real Kyle. Kyle. Thank you, Kishan Infosec. All right, guys, I want to say thank you. Thank you for all you guys do. Definitely showing it, showing up. We're gonna head on over to Simply Defensive. Go meet my friend Josh Stroschein. Such a great dude. Such a great dude. Wicked smart. All right, here we go. Simply Defensive Raid. Also guys, on December 19th, hours before I start my two week vacation, I am going to do a state of Simply Cyber and tell you all the things that are coming in 2026. Big changes. Just that you know, if you're still here, you're a hardcore Simply Cyber community member. We're many of the like. Basically most of the Simply Cyber Media Group shows Simply Defensive, Simply Offensive, Simply Secured, Simply ICS, all of them are either ending or they're going to be migrating to their own channels. And I'll give you all the updates that on December 19th. But now let's go. Raid. I'm Jerry from Simply Cyber. I hope you got value from the Jawjacking. Be well everyone and until next time, stay secure. Thank you.
Podcast: Daily Cyber Threat Brief
Host: Dr. Gerald Auger, Simply Cyber Media Group
Episode: 🔴 Dec 1’s Top Cyber News NOW! – Ep 1016
Date: December 1, 2025
This episode delivers the top 8 cyber news stories of December 1, 2025, tailored for security professionals, analysts, and business leaders. Host Dr. Gerald Auger provides practical insights, context, and actionable takeaways, along with his trademark high-energy, approachable style and community engagement. The episode includes sector-specific advice, industry trend commentary, real-world guidance, and responsive Q&A during the “Jawjacking” segment.
Key themes include:
Story: CISA added a 4-year-old XSS vulnerability (CVSS 5.4) in OpenPLC ScadaBR, which is used in industrial/OT environments, to its Known Exploited Vulnerabilities (KEV) list. The flaw is now being actively exploited by the "TwoNet" hacktivist group.
Host Take:
Story: Asahi announces 1.5 million individuals’ PII possibly exposed following October ransomware event. Attack caused significant business disruptions but did not leak credit card data or halt actual beer production.
Host Take:
Story: Starting Jan 1, 2027, web browsers must offer CA residents a one-click opt-out of data sharing, likely benefiting users nationwide due to browser vendor behaviors.
Host Take:
Story: Windows 11 update bug causes password sign-in option to disappear (button invisible, but functionally still present). Microsoft is silent on fix.
Host Take:
Story: Teams to launch ms.teamsmodulehost.exe for improved call performance; SOC admins should allowlist this new executable to avoid support headaches.
Host Take:
Story: Unspecified sports federation breached via compromised account; data of unknown scope lost; all user passwords reset.
Host Take:
Story: Loudoun County, VA, data center growth raises electricity rates; voters elect new rep amid concerns big tech is offloading costs onto citizens.
Host Take:
[From 44:30 onwards and after main stories]
Welcome to the party, pal!), and expressed gratitude for viewers and moderators.

| Timestamp | Story | Action/Takeaway |
|-----------|-------|-----------------|
| 09:36 | OT/ICS XSS vulnerability exploited | Patch immediately; implications for honeypots |
| 16:18 | Asahi Brewer ransomware/data exposure | Business continuity in manufacturing; tabletop |
| 20:45 | CA privacy law, browser opt-out | Potential nationwide effect, user-empowering |
| 23:56 | Windows 11 password icon bug | Friction nudging users away from passwords |
| 34:09 | MS Teams process architecture update | SOC: allowlist ms.teamsmodulehost.exe, but monitor |
| 37:44 | Sports federation data breach | Mass password resets—friction and support impact |
| 41:22 | Data center energy/politics | Not a cyber story; underscores AI infra impact |
If you missed the episode, this summary captures all key cybersecurity news, hot takes, and practical tips for navigating today's security landscape, all delivered in Dr. Auger's spirited, accessible style.
Notable Quote (Closing):
“I make the content because I know it is effective and can help you. That’s what’s up.” — Dr. Gerald Auger (A, 70:29)