A
All right. Good morning, everybody. Welcome to the party. Today is Wednesday, December 3rd, 2025. Episode 1016. Listen, if you're looking to stay current on the top cyber security news stories of the day, while getting insights and additional value from industry practitioners with tons of experience and helping you go beyond the headlines, ultimately leveling yourself up as a practitioner so you can do better work for your organizations, be the CEO of you so you can move around the industry and take jobs that you want. Or if you're looking to use this information to crush job interviews. All that and more is what you're going to get from Simply Cyber's daily Cyber Threat Briefing. We're off and running on a beautiful Wednesday morning. Let's go.
Good morning, everybody. I'd like to say shout out to Keith, Sloan, Mary Ellen Kennel. I see you guys in there. Mara Levy, ad tech. Mike Andruzzi, Port Zero up in the Midlands. Good to see you all. Hello, Triple D. Mara Levy, as always, the whole squad member crew, all the regulars. Good to see you guys. I hope you are having a wonderful week. Hey, Mike, Mike, Mike, Mike, Mike, Mike, Mike, Mike. Guess what day it is. Hump day. A little throwback to the Geico commercial with the camels. All about good times, guys. Listen, if today is your first episode, welcome to the party, pal. I'd like to welcome you and encourage you to drop a hashtag first timer in chat. You can see the chat above my head just rolling with all sorts of friends and regulars in the community, and you are here. I hope you have a great show, but let us know, because we have a special sound effect and a special emote. Hashtag first timer in chat to activate that love. Also, every single episode, guys, there's eight stories. We're gonna go through them. I'm gonna give my opinion on all of them. Obviously, you get the story in the headline itself, which you can get anywhere from your RSS feeds or your own listening of the podcasts out there on cyber security. But what we like to do here at Simply Cyber is go beyond those headlines. I've got 20 plus years of experience. Many people in chat have a lot of experience. And we like to go beyond those headlines because honestly, sitting in the chair, seeing how things actually happen is vital, right? There's things that you just won't hear in a textbook, you won't see in a lecture, right? I got a great one. I met some friends last night for beers. We were talking about a situation where, you know, a guy had to spend two hours hunting something that IT sent to him, and come to find out ChatGPT told the IT guy what the problem was, which he told the cyber security people, and it was completely hallucinated.
So my buddy had to spend two hours chasing down a phantom. So we're gonna do that. But for those stories, I don't research or prep for any of them. Mary Ellen Kennel, you know why? Ain't nobody got time for that. That's right. Ain't nobody got time for that. That's not how we roll up in this piece. You wouldn't do it at work. I don't do it at work. We just take these stories as they come. 116 episodes in a row, and I haven't faltered once. So I'm feeling pretty confident about today's episode as well. Now, every single episode is worth half a CPE. So say what's up in chat if you need to maintain those cyber security certifications.
Excuse me. Say what's up in chat if you have to maintain those cyber security certifications by dropping a... whatever you're... say hi. Right. Rhonda Rummerfield saying good morning to Mara Levy. You can even say CPE, you know, Marcus Kyler, whatever. But here's the trick. Number one, take a screenshot. May I encourage you to include the episode title, because if you're on YouTube, you'll see that it has the unique identifier, episode 1016, plus the date. Today's date, December 3rd. It is not a coincidence. I'm big brain over here. 4D chess moves. Deliberately doing this. So your evidence is solid and
basically easy to audit. Right? GRC Mafia. You know, we love an easy to audit piece of evidence. File it away. Once a year, you count up those screenshots, divide by two because it's half a CPE per episode, and boom, just like that, you are crushing your CPE goals. So don't come at me with that weak sauce, baby. We got solid CPEs for days. CPE, Marcus Kyler, all caps, guys. Every single day of the week has a special segment. And you know what we do on Wednesday? We go hard into the paint on community, demonstrating how amazing this community is and how international, inclusive, and just amazing. I do want to say shout out to the Australians. We do have some Australians that regularly hang out, stay up late so they can touch Australia for us before they head to bed. So if you're out there, thank you very much. We appreciate it. We look forward to seeing you in just a minute. But before we go around the world and then do the news. By the way, if today's your first episode and you're like, jesus, guy, can you please get to the news? We do it a little different here, okay? We have some fun, right? Work doesn't have to suck. We don't just have to get to it. We like to have a little fun and a little community. Let me say shout out to the stream sponsors, pay the bills. We're going to do some Daft Punk, go around the world, and then I will melt your face with the top cyber news stories of the day. Simple as that. Guys, check it out. I want to say shout out to DeleteMe. They make it easy, quick, and safe to remove your personal data online. At a time when surveillance and data breaches are common enough to make everyone vulnerable, data brokers make a profit off your data. Your data is a commodity. Anyone on the web can buy your private details. This can lead to identity theft, phishing attempts, and harassment. But now, you could protect your privacy with DeleteMe. As someone with an active online presence, privacy is really important to me.
I've been using DeleteMe for quite a while now. Essentially, I don't want people to know my home address. That's like my key thing here. But if they can delete all the things for me, do it. Please, DeleteMe. They send me a report monthly. It's pretty sweet.
But, dudes, I got a really public persona and I'm all up in here with Hot Take Central. Ask Marcus Kyler. It's easy what I'm doing up here, but it is public. All right? Take control of your data. Keep your private life private by signing up for DeleteMe now at a special discount for our listeners. Get 20% off your DeleteMe plan when you go to joindeleteme.com Simply Cyber. Use promo code Simply Cyber at checkout. The only way to get 20% off is go to joindeleteme.com/cyber. Enter code Simply Cyber at checkout. That's joindeleteme.com Simply Cyber, code Simply Cyber at checkout. Holla. Also want to say shout out to Antisyphon Training. Now, guys, I've been talking about this for the last couple days. Antisyphon Training has their holiday special right now.
It is kind of a big ticket item, but I will say if you extrapolate it over an entire year's time, it is mad valuable, right? If you've got some training dollars that are gonna expire at work and you need to burn money, right? It seems crazy to burn money, but in corporate America, you got to burn money sometimes, you know what I'm saying? So if you got to burn money, 1500 bucks, you get a full year with Antisyphon Training. Access to all of their courses. Red team, blue team, IR, cloud, AI, forensics, threat hunting, OSINT, programming fundamentals. So much more. You get a virtual ticket to Mile High West Fest or their Denver conference. I forget what they call it. And the cyber range access. So actual infrastructure to test your skills, huge value. Go to antisyphontraining.com, check it out and, you know, see if it's a good fit for you. All right. Also, let's hear from ThreatLocker really quick. And then it's Worldwide Wednesday. Let's go. Get ready. Get your coffee, get going. I want to give some love to the daily Cyber Threat Brief sponsor, ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Don't worry no more. You can harden your security with ThreatLocker. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny-by-default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US-based Cyber Hero support team. Get a free 30-day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/dailycyber.
All right. Every single day of the week has a special segment, and Wednesday is Worldwide Wednesday. I'm gonna turn the clock to 2 minutes 22 seconds. I'm gonna throw up Marcus Kyler's map here. I'm gonna ask you, tell me where you are. I'm gonna see if we can go around the world. Spoiler alert: we typically do. We've been crushing it. So go, go, go. Mods, get ready. Where are you at? Who's the first one? Texas. Carrie's always the first one. Nailed it. Texas. America's online. San Jose Valley, east side. What's up? 0x3 Security, D. Pratt. All right, good morning from the Big Apple, New York City. Space Tacos, Orlando, Florida. Brian Gruss. Larry Shervington is in the Caribbean. All right, here we go. Oh, wow, you guys are going fast. Greenville, we got the Upstate. Yeah, the Upstate. Austin, Texas, in the house. Tyler, Texas, is also announced. Face Doyle, I didn't see your name, but I saw the Irish flag, so we'll count it. Dallas, Fort Worth's in the house. UNI brings on India. Asia's in the house. Let's go, Asia. San Francisco, thanks for getting up early. Cyprus, we got some
Some Mediterranean action. South Africa. Thank you for bringing Africa online. Mississippi. Ethiopia. Yes, sir. Love it.
There we go. Jamaican me crazy. Damien. Yes. I love it. All right, we got the Caribbean online. The Mediterranean. Norway. Printer Device, bringing on Scandinavia. I love it. The Baltic Sea says good morning. The Doctor. Alabama, Florida, Georgia. All right, Kenya. Rice Secure Lab. Eastern Africa is coming online bright this morning. Dirty Jersey. What up, New Jersey? Long Island's in the house. Bangladesh. Bangladesh. See you, Bangladesh. There we go. Nice, nice, nice. Hello, Norway. Switzerland. Hello. Where's the Switzer... where's Switzerland? I remember. Hold on. I have watched The Sound of Music several times. I think Switzerland's right here. There it is. There we go. Switzerland. I got you. Chi-Town. Trinidad and Tobago. Holy crap, we are going hard. Where is Australia? In the house. Mistletoad, bringing on Canada. There we go. I don't have any mod support right now, so I don't know where the mods are, but I'm flying blind right now. We got the UK. Africa's in the house. Space Tacos, if you can help me. If you see Australia or a country that I haven't flagged yet, please let me know. Hotlanta, the Dungeon. I love Outkast. ATLiens is dope. Asia's in the house. Of course. Yes, yes, yes. Canada. Trinidad. Philly. City of Brotherly Shove. Am I right? Flat Rock, Illinois. Good. Gotcha. All right, scrolling through. We got Wisconsin. Denmark. Thank you, Denmark. Europe is coming. Correct. I love it. All right, D.C. boy. Okay, I am flying. Okay, so, guys, check it out. Chi-Town. I am flying blind. I have no mod support this morning, so I'm not sure what's happening with that, but let's do a quick inventory. Perth, Russia. Monday. 7700, bringing in Perth, Western Australia. That is how you do that. Thank you. All right, so let's do an inventory. Australia, check. Asia, check. Europe, check. Africa, check. North America. Oh, no. Where's our South America?
Marcus Kyler. I know, I know, I know, I know. Where is... do we have any South America? Damn. Sometimes we get Colombia, Chile, Argentina. Colombia. Andres Molina is typically in this piece. Hold on, I'm trying. All right, no mod. Yeah. Cyber Risk, which is going to do a takeover. All right, so, guys, the Australians came in and pulled their weight here, but South America, sleepy South America today. All right, let's keep going, guys. We didn't do it, but we came really close. I appreciate y'all. Appreciate y'all, but now it's time to get to work. So do me a favor, everyone: sit back, relax, and let's let the cool sounds of the hot news wash over all of us in an awesome wave. I'll see you at the mid roll.
B
It's Cyber Security Headlines.
These are the cyber security headlines for Wednesday, December 3, 2025. I'm Sarah Lane. Microsoft Defender outage disrupts threats. Microsoft Defender for Endpoint experienced a 10-hour portal outage affecting XDR features, including advanced threat hunting, alerts, and device visibility. Microsoft attributed the disruption to a CPU spike from high traffic on portal components. Mitigation steps have restored access for most customers, though some organizations still face issues. Microsoft is collecting additional diagnostics to resolve lingering impacts and continues monitoring system performance.
A
Apple resists. All right, so, interesting. Defender. I mean, this is a supply chain issue. It's not one that you can really deal with, but essentially the back end infrastructure that supports Microsoft Defender XDR had, you know, a CPU spike issue, a utilization spike issue. So here's the deal. You got to remember, guys, like, even though it's the cloud and there's so many resources and etc., like, at the end of the day, Microsoft Azure, AWS, AI, big compute, crypto miners, all of it is software running on hardware. At the end of the day, there's hardware. When you go all the way down the track, the train tracks, all the way into the train yard, all the way to the bumper thing at the end, there's hardware there. You can't run software not on hardware. You can containerize it, you can Docker it, you can use Kubernetes, you can stick it in a hypervisor, you can do all the things. At the end of the day there is hardware at the bottom somewhere. Okay, so Microsoft Defender is their EDR solution. I use it personally, although I'm going to be switching to CrowdStrike soon. By the way, I'm doing a pilot right now, like CrowdStrike has like a small business one. I'm not trying to deploy a full on CrowdStrike. So this Defender portal and the Defender capabilities of the portal go down. Now my understanding here is that the EDR solution did not fail. It was just the interface for portal capabilities that went down because of the CPU. This issue has already moved on. So this is more of a post mortem.
And you can see Microsoft took swift action and mitigated the issue and... allow... yeah, see, December 2nd, this happened yesterday. We're investigating, they've identified it, and they moved on. I mean, honestly, this is what you want to see from your software vendors, right? Your supply chain vendors. You can't imagine, you can't be realistic and expect that bad won't happen at some point. This is why we say five nines, right? Like, or we used to say five nines.
All you want is business resiliency, cyber resiliency. This is, God dang. This is why I say cyber resiliency is what we should be striving for, not cyber security. Can we, can we continue to operate even when there is adversity? Can we, can we investigate and then remediate and then return to known good states swiftly and quickly? And if we can, yes, take my money. And if we can't, like who's your competitors? Because we're going to go investigate. I'm a big fan of this, so nice job Microsoft. But at the end of the day like you're, you're already like, if you're coming into work today, this is not an issue. Like you're done with this. You can see here post incident report within two business days and a final post incident report within five days. Okay? So this isn't an issue that you got to worry about today. This is just a. More of a situational awareness. But as I like to do, right. As my, as I am proud to say, I love going beyond the headlines and delivering additional value. Allow me to do that right now. Okay? So this incident went down and they're doing a post incident report and then communicating it out. You don't have to do post incident report or post mortems on all the things. Okay? But when there is a bad situation at work and you get through it. I'm not talking about Kevin, you know, in accounting or Carl in accounting.
Falling for a phish and clicking on and installing malware. No, no, no, no, that's not it. I'm talking like there's a more systemic issue or a downtime or something, something bad, right? Like an email routing loop or something like that. Or deploying some software enterprise wide that causes a problem. Right? Like when there are these type of
major incidents, right? You should absolutely push for some type of post mortem, lesson learned, debrief kind of thing. And I'm going to tell you why. If you don't, you are bound to repeat it again. Okay. And I know a lot of people like to just move fast, break things, like, oh, we don't have time for that. We're already on to the next thing. Yeah. Just, you know, can we maybe slow play this a little bit? Move thoughtfully, move deliberately, and try to improve as time goes on. Because the best time to make an improvement is when you just had an issue and everybody felt the pain. Because then it becomes visceral, right? Because as a cyber security professional or GRC person, if we come to management or we go to the business and we're like, guys, there's this real big issue and we should be really careful, that doesn't have visceral impact. It's just like a theory. Like, oh yeah, that could happen. Like, this is why you don't really want to shoot your political capital all the time. Because then you look like a Chicken Little screaming about the sky's falling when it never really does fall. Right? But when it hits the fan, I'm telling you, it's a great opportunity to do a lesson learned and then provide feedback. Right? And then most importantly, what can we do to prevent this in the future, and then take action on it. You're more likely to get management support because they literally just saw how bad this was.
B
India's state-run app order. Reuters sources say that Apple will not comply with India's order to preload its iPhones with the state-run Sanchar Saathi cybersafety app, citing privacy and security concerns, and will raise the issue with the Indian government, which wants all smartphones, including those from Samsung and Xiaomi, to install the app to track stolen phones and prevent misuse. Other manufacturers are reviewing the directive amid political backlash and surveillance concerns.
A
All right, so this is a follow up from yesterday's story where India... and we have some Indian citizens in the chat right now. So if you live in India or you're an Indian citizen and you want to comment on this, please let us know your thoughts. Because I live in Eastern America or the United States, whatever you want to call it. And you know, I just have my thoughts on this. So the story is that India, the government, wants to require a state-owned application pre-installed on all mobile devices for safety. Now the rub here is that it's a mass surveillance tool, and even though it, you know, can help track stolen phones and make sure people are safe, it can also be weaponized. Just like any of these other, you know, things for safety can be weaponized to spy on you, to identify...
To identify dissidents, to identify factions of people meeting for revolution or coups. Right? So it's a utility. Like, the reason Apple is pushing back is because Apple's like very pro privacy, right? And they're pushing back because they think that this is a privacy invasion, and they won't stand for it. And as I mentioned yesterday,
For better or worse.
Apple has obviously run the numbers and discovered that from a financial perspective, they're willing to fight this fight. Right? We'll see how it goes. I mean, India's gonna either stand down on this or they're going to try to tell Apple they can't sell products in India anymore, which means a financial hit to Apple. Right? But we'll see. We'll see. I will tell you, if this app does get...
If this app does get released into.
the main population, I guarantee you it would be like a filet mignon, perfectly cooked level of juiciness for someone to reverse the binary. Because the Android app... there's definitely going to be an Android version, right? Because they can get it pushed into Androids a lot easier. Or, you know, they mentioned Samsung. Someone's gonna be able to rip that APK apart and analyze it and see what's actually happening. And I'm telling you, that is going to be appointment viewing.
Sack lunch. All right.
B
MuddyWater strikes Israel with MuddyViper. Iran-linked MuddyWater hit multiple Israeli organizations and one in Egypt with a new tool set built around the MuddyViper backdoor. According to ESET, the group used a snake-themed Fooder loader, new credential and browser data stealers, and Go SOCKS5 reverse tunnels to maintain access, steal data, and stay quiet. The campaign ran from late 2024 to early 2025 and across engineering, government, manufacturing, utilities, and universities, showing tighter operational overlap with other Iranian units. ESET says the group's tactics are becoming more sophisticated but still follow a predictable script.
A
All right, there you go. I mean, maybe MuddyWater is using AI to help refine their workflows.
So, all right, so Elliot Matice is saying that Apple has a 10% market share in India. So, all right, so MuddyWater, we've heard MuddyWater before. I mean, as far as I'm concerned, MuddyWater is like the, you know, varsity squad, the A team for Iranian-based state sponsored threat actors or state sponsored APTs. I shouldn't call them threat actors. That's not there. But.
And like any other, you know, group, their skill set is refining. They're becoming less noisy, they're establishing, you know, they're hiding a little bit better, a bit more persistence. Right. But as they said in the thing, their kind of methodology, their TTPs, are consistent and predictable, which is, number one, how they're able to fingerprint MuddyWater as the threat actor or as the APT.
And you know, again, I always talk about this: David Bianco's Pyramid of Pain. The same David Bianco who I shared an elevator with and didn't realize it was him until he got off, until...
This is the Pyramid of Pain. As you can see, TTPs are at the top. Very, very difficult for threat actors or APTs to change. All the way at the bottom is what is easy to change. Right? So these are kind of fingerprints of threat actor behavior or APT behavior. File hash values, trivial. IP addresses, domain names, that's all infrastructure you can change. As you go higher up the stack, the TTPs, how they do their
missions and their operations, that is a human quality and one that is very difficult to change. So that's why it's tough and that's why we're able to fingerprint them. Now I do want to say that they are doing things like using Mimikatz.
I like... I can't believe Mimikatz still works. Like, Mimikatz has been around for a while. Hey, Mary Ellen Kennel, are you in chat still? Mary Ellen? Is Mimikatz still...
still used today on pro engagements? So I'm asking Mary Ellen Kennel in chat right now, and I invite anyone who is an offensive security professional to comment. But I know Mary Ellen's a very senior offensive security professional. Mimikatz has been around for a while. It's like well documented. It's well established. So like, in my experience, anytime Mimikatz has ever detonated in an environment that I'm responsible for, we have seen it. Of course I can't prove a negative. So maybe it did detonate and we didn't see it. Right? I wouldn't know, but I just, I don't know, man. So Mary Ellen Kennel is saying yes, Mimikatz is still used in pro engagements. So there we go, guys. You know, this old dog learns a new trick today. They're using remote management software like AnyDesk,
LogMeIn, TeamViewer, or VNC, et cetera. Except they're using Syncro, PDQ. I mean, this essentially allows them to run like they're local on the machine.
All right.
I'm just looking now at the story again. I don't research or prep these, if you're new. So here's the deal. It's Iranian-based and they target Israeli-based businesses. So you know, during Worldwide Wednesday, nobody said they were from Israel. You know, again, not everybody chimes in because some people like to stay, you know, kind of lurkers. But if you are responsible for protecting an Israeli-based business, right, maybe you're working at a security vendor who's Israeli-based, maybe you're just an Israeli-based business and you're tuning in, you are the target, right? So this should elevate in your threat model things that you need to be mindful of. Okay, now. Oh, hello. Hold on one second. I didn't realize you were here. So let's see. Stage one launcher
executes and then it detonates an embedded payload. Okay. So I mean, at this point when you're running the stage one launcher, you're detonating malware on your box, right? So you've been socially engineered to run this malware. So step one, educate your end users not to fall for things. Step two, tune your email security gateway to, you know, if you can, prevent these types of emails from even being delivered to your end users. Step three, have a good EDR solution that is looking for behavior-based...
Behavior-based signatures. Where you're seeing it provided an encryption key on the command line. Maybe that cmd.exe dash decryption key. Right. Maybe like an encoded payload or something like that. That could be something you want to detect on. All right.
All right. I do want to say quick shout out. I see the saxophones. Quick shout out really quick. Just as a complete aside, and Space Tacos, you're gonna definitely want to drink on this one. Shout out to Donna Summer and her "She Works Hard for the Money" song. I listened to it this morning getting ready for work, and great saxophone near the end of that song, as well as an electric guitar that follows the saxophone and just shreds. So Donna Summer, the anniversary of her opening of the Grammys 1985, where she played this song and set a record. I think it was 1985, for most viewed opening with 5 million views. So just a little fun one. And if you don't know Donna Summer, "She Works Hard for the Money," throw it in your queue and give it a little listen. It is not a bad jam.
B
Capture Lazarus APT's remote worker scheme.
A
All right.
B
Researchers say Lazarus Group's Famous Chollima unit was caught live trying to sneak North Korean IT workers into Western companies by posing as remote hires. Researchers from BCA Ltd, North Scan, and Any.run impersonated a US developer and funneled the operators into sandboxed laptops, watching them use stolen IDs, AI-generated job application tools, OTP generators, and Google remote desktop to seize accounts without malware. The objective was full identity takeover to embed North Korean workers inside finance, crypto, healthcare, and engineering firms.
A
This is awesome. Okay. I don't know how they figured out how. I don't know how they targeted the.
the North Koreans, but this is phenomenal. Okay, so fake IT workers. North Koreans have long been a problem, you know, like for numerous reasons. Right. I didn't know Lazarus Group was doing this. I guess they're saying Lazarus Group's Famous Chollima division. So now Lazarus is basically just North Korea's cyber capability. It used to be Lazarus was just the cyber crime, financially motivated cyber crime group. But now, I guess this is news to me, that people have decided they're going to call Lazarus a function and then there's divisions underneath it, whatever.
But there's been these laptop farms, right? So here, Tennessee woman.
Laptop farm.
Justin Gold always likes looking at my... when I do the Google thing, and it has like recent tabs. Always likes looking at those. A lot of magic things. All right, so check this out. Here's a story. Oh, my God. Here's a story from, I want to say the spring, the spring 2025, right? This is a woman in Tennessee who's serving eight years in prison for basically abetting North Korea's fake IT. So basically they get a job fake. And then they have the laptop sent to an American who's agreed to do this. And then they remote into the laptop and then they like legit work.
And then give their paychecks to North Korea. Well, this has been a problem, and really what we've been trying to do is treat the problem at the businesses, right? So make sure you're hiring... you have people turn their mics on, their cameras on, make sure you're, you know, investigating backgrounds of people, etc. Well, North Korea's gotten around that. So now these organizations have taken it to them and basically had them dox their own workflows. There we go. Look at Lazarus Group. You're looking good, dude. Looking good.
I love it. Steeler borrowing at any past interviews with AI tools, funnel salary back to that. Yeah. So.
This is so brilliant. So basically Any.run created a laptop farm just like this woman in North Korea... I mean, in Tennessee, right. So they virtually created this. And because North Korea doesn't physically go to the woman's house in Tennessee, they just make assumptions. They...
They thought they were logging in and instead they were completely under scrutiny and review by researchers. This is brilliant, guys. This is brilliant. I would leave this as a case study for you. I'm not going to go through the whole thing. This is awesome, though. I'm actually pro... not probably, I'm highly likely going to do a high level LinkedIn post, like a quick debrief, like key takeaways from this. But I love this. I think this is hilarious. First of all, this is hilarious. Two, this is like great research and super valuable. And three, very clever. If you've followed me for a minute, you know that I really appreciate clever, innovative, thoughtful ideas, and I'll celebrate it on the threat actor side when they circumvent a control that seems uncircumventable, even though I don't allow or condone the behaviors of criminals. But I appreciate the innovative ideas. This is why I can't be a pen tester or a red teamer, because I don't really think innovatively. Right. I'm more of a conformist. But I can recognize it. And right here, this is frigging awesome. Nice job, guys.
B
Huge thanks to our sponsor Vanta. This message comes from Vanta. What is your 2 a.m. security worry? Is it "do I have the right controls in place?" or "are my vendors secure?" Enter Vanta. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. Get started at vanta.ciso. That's V A N T A dot C I S O.
A
All right, hold on one second. I do believe.
I do believe that Haircut Fish pinned... All right, we're gonna try this song. Okay, this is another version of "Don't You Forget About Me." We're not going to listen to the whole thing because we already did Worldwide Wednesday.
But we'll see if this gets flagged for copyright. We've been trying to work through this for a minute. Okay, guys. Jesus Christ, that was loud. Hold on one second, hold on.
This is First to Eleven's version of "Don't You Forget About Me." Okay?
All right. Hey, quick shout out to all of you. Thank you very much. I definitely appreciate you. Definitely appreciate you guys. It's great talking to you. And guys, I gotta tell you, I really, really appreciate being able to, you know, ping like Mary Ellen Kennel live in chat and be like, what about Mimikatz? Or talk to you guys about, you know, India and how this Apple pushback in this government, state sponsored... like, this is what I'm talking about. This is what community is, this is what inclusion is. Whether it's male, female, international, you know, US-based, old, young, city versus country, right? Like, it's awesome. This is why having these different perspectives is awesome. All right, so shout out to all of you. Definitely appreciate it.
I want to say shout out to Barricade Cyber Solutions sponsoring.
Marcus Kyler. We can certainly try it. I don't. If I have a link to the instrumental, I will give it a shot.
Guys, quick shout out to Barricade Cyber Solutions and their Fortify 365 webinar series. If you have been following the show for a minute, you know that Barricade Cyber has been doing this bi-weekly webinar series. If you go to webinars.barricadecyber.com you can check it out. But today at 1:00pm there's still time to register for this. Today at 1:00pm: Microsoft Defender for Endpoint. Guys, this is the EDR solution for Microsoft 365. High likelihood you're using this in your environment. If you don't know how to configure device groups, vulnerability alerts, global exclusions, use the MDM element for iOS and Android devices, onboard Windows machines, and test the capabilities for piloting all of this functionality. If you don't know what I'm talking about, come to this webinar series. Not only will you learn it, if you don't know it, you'll be able to talk about it at job interviews or you'll be able to level up your overall security posture at work because you'll be able to tune up the security hardening for your Defender for Endpoint deployments. All that and more. Go to webinars.barricadecyber.com now and register. You still have time. This is at 1:00pm Eastern today, so just about five hours from now. Four and a half, five hours from now.
All right, thank you all so very much. Let me see if we can get the. La la la la. I don't know how they do it in this one.
B
Let's go.
A
All right, hold on, I'm trying to get. La la la. Here we go. I think this is.
B
La.
A
All right, not bad, not bad. We'll see if it flags the copyright. Okay, we're working through this, guys. This is what, this is what it looks like when you're making the sausage. You know what I'm saying? All right, let's keep cooking.
B
Pickle Scan vulnerabilities expose AI model supply chains. Critical pickles. Three critical zero day flaws in Pickle Scan, a tool for scanning Python pickle files and PyTorch models, could let attackers bypass sign safeguards and distribute malicious ML models. One allowed file extension spoofing. Another exploited zip archive handling differences between Pickle Scan and PyTorch. And the third bypassed dangerous import blacklists via subclassing. The vulnerabilities have since been patched.
A
Ah, you gotta patch it. All right, so someone took heart and they patched it. Now, I will tell you.
I don't know if I'm old or something or what, and chat, let me know, please.
I'm not familiar with Pickle files, okay? I, I'm, I'm very well aware of Python and PyTorch, but Pickle files. Not familiar with Pickle files, and certainly not aware of a tool that, that scans pickle files. All right, so Neckbeard's making me feel better about myself. Sierra Montgomery's like, it doesn't matter about the Pickle files. You're still old. Yikes. But very funny, Sierra. All right, hold on, let me look at this. What, what's a pickle file?
Hey, I gotta tell you guys.
You know, I'm a lifelong learner. Gotta stay current. A Pickle file is a serialized Python object using the Pickle module. Pickling is the process of converting a Python object, like a list or a dictionary, into a byte stream. The byte stream can be stored into a Pickle file and transmitted across a network. And the purpose is to allow for the persistence and later reconstruction of a Python object. All right, I guess it's like deconstructing it to make it easy to communicate. Whatever.
Yeah, I don't know, guys. I mean, I love giving value to you guys.
I, I, I, I really can't on this one. I mean, I don't even understand how this, what, what does this have to do with AI? Like, this is, like, this looks like one of those ones that, like, a business person stuck it in the buzzword machine and came out with this title. Pickle Scan exposes AI model supply chain, single pane of glass.
All right, so when there's zip archives and they're scanning them to see if any of the files inside the archive are a problem, I'm assuming Pickle Scan is looking for vulnerabilities or potentially malware.
And the threat is that the threat actor can, in fact, get malware into an archive, and the Pickle scanning tool will not see it. I honestly don't see how this has anything to do with AI.
But, you know, maybe I'm just. Maybe I'm just not smart enough to figure this out. But when I read this, it says, basically, the scanning tool, the way it's built, it doesn't look exactly at all the things inside the archives, and a threat actor can hide malware in it. Again, this has nothing to do with AI. I'm actually quite confused what it has to do, but. Oh, thank you, Marcus Kyler. But, you know, whatever. If you're using Pickle Scan, don't worry because it's already patched. Right, so this is another postmortem story. Way to go, developers.
B
University of Pennsylvania joins Clop's.
A
Okay, so Ebenezer Luke Canfield says that Pickle files are used with a lot of AI stuff. So I guess maybe that's the AI hook in.
Whatever. Tldr. Today I learned about Pickle Files number two.
They've already patched it, so no issues.
B
Oracle EBS raid. The University of Pennsylvania confirmed a data breach after Clop exploited a zero day in Oracle's E-Business Suite, affecting at least 1,488 Maine residents. Attackers accessed personal and financial data used in payments, reimbursements and general ledger processing. Penn patched systems, alerted law enforcement, and is offering two years of Experian credit monitoring. Legislate.
A
All right, so, bunch of things here to dig out on. Number one.
B
I.
A
All right, so I don't call.
I don't say this often, but I, I, I do enjoy, I do enjoy this. Okay. It makes me feel like, I don't know, let me know in chat if this is arrogant, because I don't like to be arrogant. I think arrogant is such an ugly quality. But I said the other day, because Dartmouth got hit, right? In Harvard, right? Didn't Dartmouth get hit? Dartmouth College cyber attack, I believe. Dartmouth.
Yeah. Dartmouth College just got hit with a cyber attack as well, right? And I call, I said at the time, hey, interesting. So Harvard had this problem, then Dartmouth College. And I said, I wouldn't be surprised if these Ivy League schools are all cahooting with each other, you know, looking down their nose, talking about, hey, this is our best practice. I wouldn't be surprised if more of these Ivy League schools got hit. And hello, UPenn comes into the. Has entered the chat. So Brown University, Columbia, Cornell, Dartmouth, Harvard, Princeton, UPenn and Yale.
You know, it's not a coincidence, right? I mean, to me, three is not a coincidence, right?
So I wouldn't be surprised if we see more of these Ivy League schools get owned because they're all running this Oracle EBS. Now, the Oracle EBS, Clop ransomware found a pretty gross vulnerability, started exploiting it at scale. I bet you if we dig into this UPenn story, the attack happened in late August, early September.
They said that they discovered on November 11 that the data was gone, which means they probably found it because Clop posted it.
Yeah.
I don't see anything in here about what UPenn is saying. So all UPenn is saying is, yep, everybody got hit. I assume that they have fixed it. At this point, the story's more about Clop ransomware just running roughshod on people. Shout out to Maine, the Maine Attorney General always getting the privacy notifications out there. 1,400 people from Maine involved in the data breach. And because of that it comes to light.
As usual. The Oracle issue has been fixed. They did patch it, but, ah, you gotta patch it. The damage is done. So.
I don't want the other Ivy League schools to have suffered a data breach. But I'm just calling it.
I'm calling it. All right, guys. Clop ransomware, very good. I said recently too, like, if I was going to draft, like if I was doing like a fantasy football draft, but instead of players, it was like threat actor groups. Clop ransomware is like my number one overall pick.
B
Would designate critical cyber threat actors. Representative August Pfluger reintroduced the Cyber Deterrence and Response Act to let the US formally designate foreign hackers behind major cyber attacks as critical cyber threat actors subject to sanctions. The bill directs federal agencies, including the Office of the National Cyber Director, to attribute attacks with input from intelligence and threat firms. Targeted actors include those disrupting networks, stealing sensitive data or threatening critical infrastructure, finance, energy or elections. The president may waive sanctions with written explanation to Congress. Coast Guard.
A
All right, so.
We're seeing, you know, cyber legislation. Oh my God, I can't read these bills. Dude, just a bill, right? You guys ever done Schoolhouse Rock, right? I'm Just a Bill here.
This is like an epic memory. Very nostalgic. A straight up double drink, right? Who hasn't seen this one? If you haven't seen this one, kids.
This is an Elliot Matice feel scene, I'm sure, right? Anyways, this is how we learned about how government works when we were kids.
Anyways.
Federal legislators are trying to get laws put in place. This one was sponsored in, or this one came about in 2022. So they've been trying to get this over the finish line for quite a while. Cyber attacks have increased, right? We've seen critical infrastructure. Remember, critical infrastructure is like 18 different industry verticals. I mean everything from telecom to agriculture, right? Kathy Chambers is in chat feeling seen with the agriculture getting their, their day in the sun. Financial, guys. In the last six months, China allegedly has targeted our Internet service providers, our telecommunication providers, our energy sector. Right? Volt Typhoon, Flax Typhoon, Salt, Salt Typhoon. Go look at those three Typhoons. Flax, Salt, Volt. All right. And we haven't really done much about it. So I do think that this is.
Taking it to the next level as far as trying to protect America's critical infrastructure, which is super, super important. Right. You actually here, I don't research or prep these stories, so I don't even know what's going to be written in the stories. But you can see here.
They literally say the legislation is the latest reflection of congressional dismay that began growing after the Salt Typhoon cyber espionage campaign infiltrated telecom. So again, like, I'm not, I'm not some big brain dude over here. Like, it's just, if you follow what's going on and you pay attention, this is the vibe.
Now, Ted Cruz from Texas says the United States needs to do a better job.
Okay, Ted.
Let's see.
What, what's the actual.
I'm trying to see, like, what's the actual law trying to do? Like, it, dude, finger wagging and waving, saying we've got to be harder on criminals. Like what, okay, like what's the actual meat of this thing? Like, what are we doing here? Critical cyber threat actor applies to hackers who disrupt the availability of computer networks in service of critical infrastructure, steal significant personal data or trade secrets, or destabilize financial or energy sectors or undermine election process. So this is. God damn, this is too vague, man. Compromised computers that provide service in critical infrastructure. Okay, that's a lot of different computers. Now they, they say destabilize financial or energy sectors. I think you're going to run into a problem with, what does destabilize mean? That's a subjective term, right? Like one man's destabilization is another person's, like, just a tough day, right? Like, I mean, CrowdStrike, when they had CrowdStroke a year and a half ago, I'm sure there are a bunch of financial, energy sector computers that got destabilized, right? It wasn't a hacker that did it. Also, I don't really like the term hacker here. I think we, you know, threat actor or cyber threat actor would be more appropriate.
Whatever. I like the idea of this legislation. I think it has a lot of challenge to be able to have teeth and do something with it. But we'll see.
Oh, hold on, Trump. President Trump's administration is saying that one of its core pillars is cyber.
Which is interesting since.
Since. Hold on one second.
Top figures in the administration have been slowly unveiling details of the strategy, with the draft being currently reviewed by agencies. I would love to see this draft, guys. Okay, here's the deal. The current presidential administration, if I'm not mistaken, and I. I'm not trying to get into the politics of good or bad. I'm just, you know, looking at it, they had the top cyber seat vacant for a while.
They defunded or they. They greatly reduced the budget of CISA to allocate the money into border patrol type things. So. I don't know, man. If cyber is.
A top pillar for the administration, it doesn't seem to be, but I guess we'll. We'll see how it goes.
B
Mandates cybersecurity training. The U.S. Coast Guard requires all personnel with IT or OT access on vessels, facilities or OCS sites to complete cybersecurity training by January 12th. Untrained users may access systems only under supervision or remote monitoring. Owners and operators must document training, maintain records, and ensure that contractors meet regulatory standards, with oversight tied to the cybersecurity plan and the designated cybersecurity officer. Remember to.
A
All right.
Okay, so first I'm going to tell you the objective details of what this means to you as a practitioner. And then. I know, I know, I know some of you enjoy this, like, low-key feel. Some people call it Red Hulk. I'm gonna try to be cool, but this is the last story, and it makes me want to crush my coffee cup because I, you know that meme of, I think it's Arthur, where his fist is shaking. And that's just like the meme. It's just his fist shaking. That is how I feel about this. All right, so U.S. Coast Guard. All right, I'm gonna be cool. U.S. Coast Guard is mandating cyber training for personnel with access to technology.
By January 2026. All right, for sure. There's a lot of tech on, you know, boats, a lot of tech in ports. The coast guard is responsible for protecting the, you know, kind of the shores and the waters of the United States. Technically, if I'm not mistaken, the US Coast Guard falls under Department of Homeland Security. Right. Or Department of Transportation, not the Department of Defense. What agency does Coast Guard fall under?
I'm almost positive.
Yeah. So the Coast Guard is under DHS, not the Department of Defense. Okay, so a lot of people think it's a DOD thing, but it's not. It's DHS. Right.
And they're. They're requiring their people. This is fine, guys. And then they said, oh, we're gonna make sure that you have to document that people took their training and everything, like a pencil whipping exercise and personnel who do not receive the training.
People who do not receive the training must be physically accompanied by someone who has received the training. Okay.
This is gross, dude. Okay, so yes, you should absolutely do the training. Coast Guard, Any federal employee should receive the training. I have worked in federal IT in my, in my career. Okay, Shout out to the Coast Guard. Shout out to the Department of Homeland Security. Super happy that they're requiring their staff. Only their IT and OT staff. Apparently not all staff, but we'll just put that pin in that one. Requiring their staff to take cyber training best practice. Okay, couple things. Number one.
Federal IT cyber security training is typically once a year. And. And it gets made fun of on the regular. Okay. On the regular. Because it's not very good.
Okay, let me. Federal IT cyber training.
You know, guy, sweater vest. Okay, let me see if I can find this. See this guy right here?
This is what I'm talking about. This guy right here. If you have taken federal cyber security awareness training in your life, you know exactly who this guy is, okay? And if it looks like golden eye level graphics, that's because it is. This is the training you get. And it's like a simulator. And this guy's like, hi, like, I recently got fired, but can you let me in? Like, it's like the most over the top absurd scenarios. And it's just people click through it, people tune out, People don't really do anything. So this once a year training approach is not very good. Now the Coast Guard is requiring people to do this. Again, I love the idea that they're requiring this. You should require all your staff to do it. What I want to say is the following.
What? Why is this a requirement? Now, federal DHS gets money from Congress. Congress requires all federal agencies to be compliant with FISMA and has since 2002, which is, if I'm checking my math right, 23 years ago. And one of those things requires the AT control family, Awareness and Training, AT-2, AT-3, which is under NIST 800-53. So go look at it. And even if you are the lowest level of security, FIPS 199, FIPS 200, if you have the lowest level of security requirements at your agency, you still have to do training. So I don't know how this is news or why we're pushing this. What has the Coast Guard been doing for the last 23 years, riding dirty?
So it's just, what are we doing here? How is training a freaking new thing over there, like.
For any business. I don't care what your business is. Right. Meaning? Meaning it doesn't matter. Okay. Manufacturing, Coast Guard, you're making boats, you're selling Magic cards, whatever your business is. Minimum security should be multi-factor authentication, some level of EDR solution or anti-malware, and training your workforce.
God.
Okay.
That's going to do it.
For Simply Cyber's daily Cyber Threat Brief podcast, I was your host, Dr. Gerald Auger. I hope you got value from it. I tried everything in my power to deliver value that exceeds your expectations and goes beyond the headlines. If I did that, please come back tomorrow. I would love for you to return. It makes my day getting up and sharing this experience with you on the regular. If it was your first time, thank you for coming. This was a pretty typical episode, so giddy up on that. Shout out to everybody who turned out for Worldwide Wednesday going around the world, Marcus Kyler hooking it up. Don't go anywhere because it is Wednesday. And on Wednesdays, well, every single day of the week, we do Jawjacking. But Wednesdays is my day. Monday, Wednesday, Friday. So we're gonna cook doing Jawjacking. So if you are looking to get help, if you're looking to share, if you're looking for community, the next 30 minutes are for you because it's a commitment I made. I can't respond to one on one DMs. I can't do one on one coaching despite, you know, people wanting that. But what I can do is mentor at scale. So I give 30 minutes every day, whether it's me or it's another community member, to make sure that we offer this service to you. It's absolutely free. Come on, hang out, let's go. I'll see you in a minute. If you got a piece out, see you tomorrow at 8am Eastern Time for the daily Cyber Threat Brief. I'm Jerry. Until next time, stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered and totally free. Let's level up together. It's time for some Jawjacking.
What's up, everybody? Welcome to the party. My name is Jerry. Guy straight kicking it like a boss. Coming off of the daily Cyber Threat Brief hosted by that nerd, Dr. Gerald Auger. Bro, can you be more outraged about cyber security training? You GRC dork. Seriously, though, this is all about good times. I'm Jerry. I want to answer your questions. If I don't have the answer, I will do everything in my power to get you an answer that is valuable. We got tons of community members in here. I see so many regular friends. A B. Kathy Chambers, Rhonda Rummerfield, Sierra Montgomery. Elliot Matice, Phil Stafford, ad tech. Who's Brad? Real Kyle. Kyle. So many guys on the regular. I'm sure Mara Levy's in here. Friends.
If you got questions, drop them in chat. If you got something you want to share, drop it in chat. If you got an update, drop it in chat. I met with some friends yesterday for a beer. It was really nice. I had to go to the other side of town for it, North Charleston, which isn't bad because I picked up some takeout from a restaurant that I love. It's just we never go there because it is too far to go. But I was right around the corner. And for those locals, it is Dashi.
Elliot Matice has the first question.
Let me get my chat up here. Elliot says, are you growing out the beard for winter? No, no, I just. I need to shave. Honestly, I. I've just been lazy, so. Thanks, Elliot.
You can imagine that at some point in the next couple days, you'll see me much, much more trimmed down. I have to go to Austin, Texas on Sunday, so I'll probably do it before then.
I gotta tell you, like, here's a completely. Tidbits Tuesday on a Wednesday that no one asks for.
Is, I love. I hate when I travel because I sleep in a hotel bed, which is uncomfortable already. But, like, I have. I've been with my wife for 20. I mean, how long have I been with.
Over 20 years. Right? So I'm very used to. I just. I. I hate being away from her. All right, hey, really quickly, I see a question in chat.
What's up? Says Charleston's nice. What? Why don't you have the accent? Because I'm not from here originally. I am from Boston, which is why I flip out all the time. I am very good at driving and I love the Bruins.
All right, Phil Stafford grows his beard out for Christmas. Would like to see that. Luke Canfield's flying to Dallas. I like it.
All right. Are you participating in No-Shave November? Drop it in chat. Jose Alfredo says, can you share a link to the first 30 days of a new job? Or was it 90 days? It's been a while. It's 90 days. But, yeah, I'm happy to share that. Simply Cyber Crush. I think it's Crush Your First 90 Days.
Yeah, here it is.
It's this one right here. Me and Stefan Semleroth.
Look at this, look at this. Whipper snapper, young man.
All right, I'm gonna share a link. Who asked that question? Jose Alfredo. All right. Jose Alfredo. Here we go, buddy. At Jose Alfredo Crush your first 90 days. Doink. There we go. Good question.
All right.
You're welcome, dude. It's my pleasure. Like, I gotta tell you, like, I love service. I love helping. I love this community and being able to help. All right, Awarum says, what's the best way to clean up hundreds of old distribution lists?
Right click, select all delete.
I mean, disable them if you can.
See if anyone calls and complains.
Soul Shine. How can I solicit my business to schools like higher learning since they are targeted as far as it MFA and cyber security goals? I mean, a couple different ways.
So this gets more into business. I'm actually thinking of starting. Well, whatever. Basically, here's what I would do. I would do two things. One, Soul Shine. I would. You can go to like, conferences where higher ed people go in order to like, learn about, you know, new, new tech and new stuff like that and try to like, talk to people there. And a more organic way that I would personally do is I would start developing some tools like checklists, best practices. Right. For higher ed. Right. And then make it a download, but have them give you your email address to get the download. Right. And then share it. Share it, share it, Share it. Get their email address, Start marketing to them. Deliver value. Deliver value. Deliver value. Have a conversation. Another good technique is first five clients, be like, hey, let me help you out. I won't charge you anything because I'm starting this business. All I ask in exchange is that you provide me with a true testimonial. Doesn't have to be fabricated. It doesn't have to pump my tires. If you like the work I do, all I want you to do is pay me with a testimonial and then.
Use the testimonial in your marketing. Collateral on selling. Right. That's what I would do that. This question's more about business and sales than it is about anything.
Jonathan Handler says, Jerry, I'm speaking in a webinar about cyber in a small business. Can I give a shout out to you in the daily cyber threat brief? Absolutely, dude. Hey, listen. Carte blanche, everyone. If you want to share, listen. If you're doing a conference, you're teaching a class, you're hanging out with buddies. If you want to share the daily cyber threat brief, you have to do it. Do it all day. I desperately want people to know about it. I want people here. Come on down, man. Absolutely. If you want to shout out me, cool. I appreciate it. If you want to shout out the daily cyber threat brief, definitely. And hey, seriously, guys, my kid told me the other day, he's like, Dad, you have to ask people to subscribe. If you're not subscribed to Simply Cyber, subscribe. Like it. It helps the channel get discovered. If you want to help the channel, if you want to help me, share it on LinkedIn. I know many of you do. I see Tasha do it all the time. Kimberly Marcus. I see people do it all the time. I love it. Thank you.
Wading through logs, by the way, Wade, I actually did really quick. This is a conversation for Wade, but yesterday at the Citadel, I basically fired up KC7 and took the students through basically a SOC analyst.
Scenario. Right. Going through logs and looking at that. And I used the term. They didn't know it, but I. I used the term wading through logs. And I thought of you. If you were asked to do the Hot Ones challenge again, would you? Oh, yeah. Not only would I do the Hot Ones challenge again, I would actually be properly prepared for it. If you guys didn't know, me, Wade and Josh Mason did the Hot Ones challenge, which is eating a bunch of hot, spicy food and answering questions. I didn't understand how it worked, and I wasn't prepared when it started, but I would be totally prepared. And now that Kathy's helping me, from a production perspective, it would probably look a lot better too. Let's go, Wade. In fact, Wade, what I would really like to do is the Hot Ones challenge in person with you. Like, maybe we could coordinate it for.
Wild West Hackin' Fest or DEF CON or something like that. Although we got to be careful. I do not want to eat a ton of spicy food before. Right. The day before I fly. Ain't nobody. You know, I'm old enough to know better than to do that. Gotta have at least 24 hours on the ground, so I have quick access to anything that I need quick access to. If you're picking up what I'm putting down.
Is Splunk still a good tool to get certified in, or should I just study and get the job without the cert? I mean, I think Splunk, you. If you ask Wade Wells, Splunk is the, you know, a good tool. I. I would say Splunk is still considered an enterprise-grade standard SIEM solution. Getting certified in it certainly wouldn't hurt your chances.
Certainly wouldn't hurt your chances. I mean, if it depends. I mean, if you're gonna have to pay to get certified. Oh, I don't know if the ROI is solid there, but learning Splunk is definitely valuable. I, I think if you can get the cert, it wouldn't be bad, though. All right. Elliot had to go.
Where do you get the Tyler Ramsby merch, Keith Sloan? So it's funny you say the Tyler Ramsby merch. Again, I, you know, one of my biggest, I think is one of my biggest faults is I don't tell people enough about, like, what I'm up to.
I will share this with you. Okay.
So really quickly, if you, if you're wondering why I'm wearing this CairoSec shirt. Tyler and I run CairoSec. Okay. CairoSec, Tyler's the practitioner. I'm the director of strategy and business development and I represent the CISO on the call for sales and stuff like that. So I, I'm wearing this because I'm, I'm kind of like a financially vested owner.
Now, as far as the shirt goes, I don't. Tyler posted it on.
Online. Let me see if I can find this. I'll find out. Hold on. Can we. Is Tyler in a mod?
Yeah. Let me, let me see really quickly.
Where to get the CairoSec shirt I wear. People want to wear it.
Yeah. So anyways, I will get that for you, Keith. Basically, Tyler posted it on social media and I bought it because I want to represent the company. Also, if you're looking for a pen test.
Reach out to me or Tyler. We have a pen testing company.
All right.
Trey Black says, how do you navigate creating a social media policy? I'm wanting to get the apps off company devices. I care more about the technical vaults. HR can control what people do at work.
Well, I mean, Trey Black, it's very difficult. If it is a BYOD environment, which many CFOs are big fans of. BYOD means you'll allow end users to use their own phones or even their own laptops, which means it costs less for the business because they don't have to deal with tech refreshes and invest in.
Capital infrastructure. But the chain, the exchange is, people, you know, basically can run whatever they want. If you own the devices and you're deploying them to the workforce, I mean, you could just. It doesn't have to be a social media policy. It can just be an authorized software policy. Now, if you're talking about people posting on social media things that you don't want them to.
There certainly is that. And you can get some pushback on that one. You got to be careful. I mean, I know certain businesses that won't allow their staff to have YouTube channels. Right.
So I. I've never really had to dictate what is okay and what is not okay. At MUSC, we had a policy that I helped develop that was more along the lines of you're not allowed. It was a healthcare organization. You're not allowed to talk about patients. You're not. And we kind of wrapped it around a HIPAA angle.
But, I mean, you got to figure out, here's the deal. No matter what you're going to do with this social media policy, you got to figure out what is the tolerance of the organization, because you can't make a policy that says you can't do this, and then when someone does it, you know, there's no repercussions. Right? Like, so you have to figure out what the business is willing to go to the mattresses on. Right. Is. Is. Is the business willing to fire somebody or, you know, garnish their wages or put them on a PIP or whatever if they post something on social media that violates the policy. Right? So you got to do that. Okay. This is definitely not one of those, AI, create me a policy.
Oh, angular says that pit 1315 had a question and didn't put a Q in front of it. Yeah. Hey, listen, if you want a question answered, you have to put a Q in front of it. I can't. With all due respect, I can't scroll slow. It's not good. It's not entertaining to watch me scroll and stumble through all the chat to see if I can find a question. All right. Unfortunately, this is why I asked you to put a Q in front of it. So if you asked a question and you didn't put a Q in front of it, ask it again. Put a Q in front of it. What would a cyber security field or job market be like if AI never became a thing? Well, I mean, Zach, it would be what it. I. And I. I say this flippantly. Okay, but, like, AI, I mean, wasn't really a huge thing until 2023. So, like, just go back and look at 2019, 2018, you know, 2020, 2021. Right. I mean, it'd be ransomware, business email compromise, threat actors getting paid, cryptocurrency, NFTs, rug pulls, scams, espionage, info stealers, zero click spyware, critical infrastructure attacks. It would be what it was pre-2023. Are SOX and HIPAA generally considered frameworks now? So HIPAA is. No, these are definitely not frameworks at all. Okay, so really quickly.
SOX is Sarbanes-Oxley, which is basically regulation around publicly traded companies and how they ensure segregation of duties that can't. It came hot on the heels of Enron and I think Tyco when they were doing all sorts of shenanigans through not having separation of duties. Okay, if you want to learn about SOX, go look at COBIT, C O B I T, and COSO. Now, COSO is a framework. I wouldn't consider these cyber security frameworks because they're not really helping you protect an organization. SOX specifically is helping you make sure that you have separation of duties from a technical perspective. Right, so like a person in a database that can create accounts isn't the same person that can, like, you know, I don't know, issue checks or something like that. HIPAA is around healthcare. HIPAA really only cares about, really, like, access to patient healthcare information. Who has access to it, how is it shared? HIPAA doesn't even get into, like, patching and business continuity and data backups and risk management and supply chain and all that other stuff. HIPAA is very narrow. All right, so I wouldn't call these frameworks.
All right.
Continuing to look through chat. Thank you, thank you, thank you. Real Kyle. Kyle says not a question, but we got to fix this. This, this is for the people working on that container ship and in the container yard.
Okay.
May I please. Where to best learn about vulnerability research and bounties.
All right, so I guess what you're asking about is.
I mean, okay, so if you're wanting to learn about vulnerability research and bug bounties, what I would recommend is.
And again, I'm trying to understand what your question is here, but if it were me, if my son came to me right now and said, dad, how do I learn about bug bounties and researching vulnerabilities?
Hold on one second, I'll show you. I, I would tell you 5, 5, 1, 5 number thing. The first thing I would do is I would go to Jason Haddix and look up the bug hunter methodology. Okay. Jason Haddix is an absolute stud when it comes to vulnerability research and bug hunting. It's amazing. He is so good. Okay, so at five, okay, here's the first place I would go. And then once you start there, there's a ton of videos of Jason walking through his Bug Hunter methodology. He has a YouTube channel showing you this with a playlist showing you this. The other thing I would show you is.
Ben over at NahamSec. He is.
This guy is another amazing practitioner and educator, okay? And he's got all sorts of videos and content. Okay, Eat. Look at this.
This is.
Look at this right here. 500 bounty easy. 500 vulnerabilities easy. This is. This is like the name of the video. Easy 500 vulner. I will tell you, this is where I would tell my son to go. All right? Now, the one thing I want to prepare you for is this isn't easy. It is a lot of work, and it can be frustrating, and it takes grind and consistency and persistence. So if you want to sign up for that start, all the resources are there and they cost $0. Okay.
Okay. I'm continuing to look at chat, by the way. I've decided, like, it, literally, if it has a Q, I'm just going to click on it. I don't even read it in advance because, you know, why ain't nobody got time for that. All right.
All right, question. Anyone here doing Advent of Cyber and try hack me? Oh, hold on one second. My wife is texting me.
Okay? I'm not doing Advent of Cyber. Honestly.
Yeah, I'm not doing Advent of Cyber. Look, hey, if you're in chat, let me know. If you're doing Advent of Cyber, you can collab with Jose. They asked me to make a video and do one of the couple rooms this year. I declined for reasons I don't want to get into. If you catch me in person for a beer, I'll tell you what's up.
All right. Continuing to look through chat here. Angular's getting ready for work. All right. Jared Rodriguez says it's been a year since he discovered Simply Cyber and he wanted to thank me. Thank you for thanking me, Jared, for all you do. For being an enjoyable part of my morning since then. Keep up the amazing work. I'll keep doing it. You keep showing up, I'll keep showing up. We'll make a pact. What was the second channel he showed for the bug bounties? That is NahamSec. I'll drop a link to it.
Who asked that question? Chris Shirk. Chris, I'm gonna tag you right now. All right, Chris Shirk.
NahamSec.
Bearded Ruckus. What do you think the landscape will be with bachelor's and master's degrees? Many say that it's not needed. Others say it's beneficial. What's your take on it? All right, so, you know.
I mean, you don't need them to work in cyber. I will say that a bachelor's degree. I like a bachelor's degree. I think it does give you perspective, right? I, I, for me, I like a bachelor's degree in computer science. The reality is, say you work in pen testing, right? Okay. You can be a great pen tester and go deep on the pen testing, but if you don't have visibility into like, GRC and SOC analyst and databases and networking and operating systems and, you know, kind of all the other things that you would touch on in a program.
You know, you might have kind of a myopic view, whereas a bachelor's degree might give you that more rounded perspective. Now, one thing that sucks about a bachelor's degree is that they make you, you know, take like Greek civilization and they kind of like want you to be a well rounded, you know, educated individual. I'm fine with that. I hope my kids go to college. Right. I will tell you, the master's degree oftentimes is a blocker for a management promotion, right? It, I'm seeing this ebb away a bit, but, you know, over the years, and I still see it from time to time. I've seen it where it's like, hey, we'd love to promote you to director or management or executive or whatever, but you need a master's degree for whatever reason. Personally, I like a master's degree. I, I have two of them, but I got a master's degree in computer science and a master's degree in information assurance. And I love both of those topics, right? Like, I got the master's in computer science because I was bored. I was waiting for my wife to graduate college, so I needed like a hobby and then the information assurance one. I just, I love cyber security, so I was like, let's go.
I will say that.
I, I think that they helped differentiate me in a candidate pool, but it's not like I was able to demand more money the second I got the degrees. Okay. Zach Morrison, is GRC and Identity and Access Management very different from each other? Yeah. Oh, yeah, yeah. I mean, for sure. So, like, really quickly, like, GRC is like, what are we doing here and what, where do we spend our money and how do we allocate things? Identity and Access Management is like, who has access to what and what functionality and how is that managed and when can they touch it and what level of access do they have? I would say that GRC helps dictate how identity and access management is implemented operationally at an organization. But they are very different from each other. What's your thoughts on getting a CISSP after getting Sec+? Yeah, definitely get one. Giddy up. Scoop it up. I feel like CISSP is still super valuable from a marketing yourself perspective. I, I'll tell you how old I am. When I got my CISSP, it was a paper test. Scantron. You do need five years of experience to get the CISSP. That is true. All right, we are at 9:26. I got a couple questions, a couple minutes left. Science Poet, wondering what goals you set for the new year. Doing well in my new role and currently don't need a new cert.
So for new goals, I mean honestly I, you know, my goals are more associated with my business. Right. So I would like to at least have a couple AI, you know, workflows in place that help me get business done a little bit more effectively. I have some revenue goals that I would like to hit. One of my goals, honestly, Science Poet is.
In. Kathy Chambers is helping me with this. We are gonna. There's more information coming out on this, so don't think that I'm, I'm just telling you about it, but I have. We're actually going to formally educate people on what this is. But starting in 2026, starting in January, we're actually rolling out two initiatives, among other things. But we're rolling out a bunch of stuff. Two initiatives. One is we're going to have monthly webinars. So once a month, for one hour a month, we're going to do a webinar. It's going to be free, it's going to be super value. We're going to it, it, it. The schedule is already mapped out from here to June. So like we'll be able to tell you who our instructor is and what you're going to be learning in the one hour webinar. And it's like a rotating webinar series of unbelievably senior industry practitioners. Really, really awesome people that you're going to love. Okay. Also we're going to do once a month we're going to do two to four hour workshops. Right. And this is going to be a much deeper dive into a skill set and you're gonna, you know, basically get trained up in workshop. Now those will be paid workshops and the current format we're doing is I think it's like, like 50, like, like $99 for a two hour workshop I believe is what we're doing 198 for a four hour workshop. And you'll see like, it'll be crystal clear what the value is of that and it'll absolutely be worth it. Trust me. We're big on.
Making sure that, you know, it's.
It.
You're getting unbelievable value for your money. So free webinars, paid workshops, that's a whole thing that we're rolling out for all of 2026. It's a bit of a, it's a bit of an investment, frankly. Those workshops are not free to put on. I have to sign up for like a freaking, like, thousands of dollars in Zoom licensing, so we'll see how it goes. But I'm very excited about that. Kind of taking a little bit of a, a risk, frankly, like a financial risk. I'm investing into a project that I hope works out and, and I certainly hope I don't lose money. That would suck. God, that would suck. Oh. So anyways, yeah, those are my goals. Get better at AI automations, build those things. You know, continuing to grow Simply Cyber and all of the business things associated with that. And.
You know, another goal. Science Poet. And I know you're going to be part of this because you're talking about running the poker tournament at Simply Cybercon. I would love for Simply Cybercon to be even better and bigger and more enjoyable and, and awesome in 2026. I know that's all the way in November 2026, but I'm into it.
All right, we're at 9:29. I'm gonna speed run. Lightning round.
Lightning round here. The questions. Is there a mistake you've made in your career that randomly will pop in your head and make you cringe?
No, not really. I mean, I mean, I have a m. I have many mistakes that I've made.
Actually, I do have one that makes me cringe. I mean, I remember earlier in my career, you know, like, speaking way too technical in certain meetings, but feeling really proud because I was like, absolutely communicating exactly what the problem was in a very technical detail. And it made me feel really smart in the meeting. And then I realized years later that, like, I just looked like a douche. Like, like, like no one knew what I was saying because I wasn't speaking to the right audience with the right language. You know what I mean? That makes me cringe. Oh, young Jerry. Also, you know what? It doesn't make me cringe, but I do reflect on it from time to time. I am very lucky, guys. I, I'll. I am very lucky. I mean, I worked very hard for what I have. But I am very lucky. I was an absolute zero in college. Like, I was making such bad choices, and, like, really glad my wife didn't meet me until after I graduated. Really glad that I was able to pull up from the nose dive that I was in. So when I think back to how stupid I was in college.
You know, it made me who I am today, but God dang, I was dumb. That makes me cringe from time to time.
I'm continuing to look at chat really quick.
Any recommendations on ISACA Beta certs? No, I don't know any. I don't have any recommendations on that, Rogue Cyber. I mean, if you can get them for free, any cert you can get for free, get them for free, right? If you're gonna have to pay for it, that's when you got to question the value on the return. How's the vulnerability management course coming along? I got to tell you, I reached out to Nessus and confirmed in writing that I can use their vulnerability scan engine for students. So I'm working on a lab. I'm going to be working with Hack Smarter, Tyler's company, to build the lab out, or the labs out, for the vulnerability course. So that is exciting. Definitely excited about that.
Bruise and Hacks is wanting to purchase my. I know, guys. I definitely know you want it. I filmed all the lectures already. I just.
All right, what would be the best resources to learn and get certified on Sec+? How much time is Jesse still doing Slay Security Plus? I don't know. I would say Professor Messer is roundly accepted as, like, the best place to go get Sec+ training. Jesse Johnson has Slay Security Plus, which is a great thing, although I. I'm not sure if he's still doing that. All right, guys, I gotta get out of here.
What's the best mistake I learned from?
I mean, I don't know if it's the best mistake, but hey, just really quickly, you got to be careful asking extreme questions like what's the biggest mistake you ever made? Or what's the best thing you ever ate? When you ask questions that are like the extreme example, you end up having the person you're asking have to stop and think critically over a bunch of different things that they've done and then qualify each mentally on which one's the best, as opposed to just saying what you know. What's, what's, what's, what's one mistake that you've learned from? Right? Because whatever initially comes to front of mind is probably going to be one of the best ones anyways. Just. Again, I'm not trying to critique you or judge you, Kyle. Kyle, that's just. Since I interview people all the time, that is a core lesson that I have learned and I wanted to share with you. One time I made. I used to develop in production, which is a terrible practice, and I committed a code change to production on a SQL statement without joining in the WHERE clause. Which, if you don't know what I'm talking about, basically I ran a. I set up a production environment to have a really, really, really bad database query inside of it, and as soon as I committed it, people started banging on it and it caused a complete. The entire application collapsed, and because it was active database calls into a production database, I could. You couldn't. You couldn't just kill the process because it was actively manipulating data in the database.
Very bad. I caused an absolute denial of service attack.
What is one of your top five things on your Christmas list? Ah, thanks for asking, Jose Alfredo. Really quickly. My entire Christmas list this year is all Magic: The Gathering stuff. There is a precon for the Edge of Eternities. I told my kids this yesterday. There's a precon Commander deck for Edge of Eternities called. I think it's called World Breaker. I asked my kids for that yesterday.
All right, I think we. I gotta get out of here. I got work to do. But hey, you know what? We had a great stream, guys. I hope you all got value from the jawjacking. Surprise. It was always me. I'm Jerry from Simply Cyber. Go forth. Have a great day. Go crush it. Your goals. I hope to see you early tomorrow morning at 8:00am Eastern Time. Until next time, stay secure. See ya.
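The production mistake Jerry describes near the end of the Q&A, a join that lost its predicate, as an added example that is not from the episode: two constructed tables in an in-memory SQLite database, the Cartesian-product query beside the intended one, and a pre-flight row-count check a reviewer can run against a staging copy before a change ships. It uses a SELECT to keep the demonstration read-only; an UPDATE or DELETE missing the same predicate would touch every row, which is the case the story describes.

```python
import sqlite3

# Constructed sample schema: users and their orders (not the episode's data).
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE orders(id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
"""

# The bug: two tables listed, no predicate tying them together, so every
# user row pairs with every order row (a Cartesian product).
BAD_QUERY = "SELECT u.name, o.total FROM users u, orders o"

# The intended query: one output row per order.
GOOD_QUERY = ("SELECT u.name, o.total FROM users u "
              "JOIN orders o ON o.user_id = u.id")


def build_db(n_users: int, n_orders: int) -> sqlite3.Connection:
    """In-memory SQLite with constructed rows; stands in for a staging copy."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(i, f"user{i}") for i in range(n_users)])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(i, i % n_users, 10.0 * i) for i in range(n_orders)])
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection, query: str) -> int:
    """Rows the SELECT would return, counted inside the engine."""
    return conn.execute(f"SELECT COUNT(*) FROM ({query})").fetchone()[0]


def is_cartesian(conn: sqlite3.Connection, query: str, tables: list[str]) -> bool:
    """True when the result is exactly as large as the product of the input
    table sizes: the signature of a join that lost its predicate."""
    product = 1
    for t in tables:  # table names come from our own list, never from input
        product *= conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
    return row_count(conn, query) == product


def preflight(conn: sqlite3.Connection, query: str, max_rows: int) -> tuple[bool, int]:
    """Gate for a change headed to production: refuse a statement whose
    result exceeds max_rows. Run against staging, not the live database."""
    n = row_count(conn, query)
    return n <= max_rows, n


if __name__ == "__main__":
    db = build_db(100, 1_000)
    for label, q in (("bad", BAD_QUERY), ("good", GOOD_QUERY)):
        ok, n = preflight(db, q, max_rows=10_000)
        cart = is_cartesian(db, q, ["users", "orders"])
        print(f"{label}: {n} rows, cartesian={cart}, allowed={ok}")
```

With 100 users and 1,000 orders the predicate-less query returns 100,000 rows and is refused, while the keyed join returns 1,000 and passes.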
Host: Dr. Gerald Auger (Simply Cyber Media Group)
Date: December 3, 2025
Dr. Gerald Auger delivers his signature mix of current cybersecurity news, actionable insights, and practical advice tailored for analysts, business leaders, and aspiring professionals. Today’s episode covers eight of the top cyber stories, including breakdowns on a major Microsoft Defender outage, Apple’s resistance to a government surveillance app in India, Iranian APT advancements, North Korean IT worker infiltration, supply chain AI threats, fresh Ivy League ransomware fallout, and emerging regulatory mandates.
This episode’s tone is lively, knowledgeable, and community-focused, with frequent shoutouts, practical context, and a relaxed, conversational style. Notably, audience questions and peer expertise add depth throughout.
[13:15 – 19:42]
“You can’t be realistic and expect that bad won’t happen at some point... What you want is business resiliency, cyber resiliency.” (16:19)
“If you don’t, you’re bound to repeat it again… The best time to make an improvement is when you just had an issue and everybody felt the pain.” (18:09)
[19:42 – 22:51]
“It would be like a filet mignon, perfectly cooked level of juiciness for someone to reverse the binary.” (22:16)
[22:53 – 29:04]
“Their methodology, their TTPs are consistent and predictable, which is... how they’re able to fingerprint MuddyWater as the threat actor.” (24:19)
“I can’t believe Mimikatz still works…Mary Ellen Kennel is saying yes, Mimikatz is still used in pro engagements.” (26:07)
[29:58 – 34:53]
“This is brilliant, guys. This is brilliant...great research and super valuable. And three, very clever.” (33:21)
[39:49 – 43:41]
[44:04 – 47:29]
“Three is not a coincidence...I wouldn’t be surprised if more of these Ivy League schools got hit.” (45:59)
[47:44 – 52:45]
“Destabilize financial or energy sectors? I think you’re going to run into a problem with what does destabilize mean? That’s a subjective term, right?” (51:12)
[53:53 – 60:42]
“What has the Coast Guard been doing for the last 23 years riding dirty?...How is training a freaking new thing over there?” (59:53)
“Even though it’s the cloud and there’s so many resources...at the end of the day, there’s hardware there.” (14:02)
“You’re more likely to get management support [for improvement] because they just saw how bad this was.” (19:07)
“I like the idea of this legislation. I think it has a lot of challenges to have teeth and do something with it. But we’ll see.” (52:32)
“It’s like the most over-the-top absurd scenarios. And people click through it, tune out, don’t really do anything.” (58:54)
“This is what community is, this is what inclusion is...Different perspectives are awesome.” (36:20)
| Segment | Timestamp |
|---|---|
| Welcome / Episode context | 00:01–06:20 |
| Community "Worldwide Wednesday" | 08:50–12:15 |
| Microsoft Defender Outage | 13:15–19:42 |
| Apple vs Indian Surveillance App | 19:42–22:51 |
| MuddyWater Iranian APT attack | 22:53–29:04 |
| North Korean Remote IT Worker Scheme | 29:58–34:53 |
| Pickle Scan AI Supply Chain Vulnerabilities | 39:49–43:41 |
| University of Pennsylvania/Oracle Breach | 44:04–47:29 |
| US Cyber Threat Actor Designation Act | 47:44–52:45 |
| Coast Guard Cybersecurity Training | 53:53–60:42 |
[62:32 – 95:22]
“Bachelor’s gives you perspective...Master’s can still be a blocker for management promotion...but you don’t need them for cyber.” (83:52) On memorable mistakes: “I used to develop in production...ran a really bad database query...caused an absolute denial of service attack.” (93:12)
Gerald Auger’s community-centric, jargon-busting coverage exemplifies how cybersecurity pros can blend daily news with practical wisdom. He consistently pushes listeners to move beyond mere headlines—advocating for postmortems, real improvement, and understanding attacker behavior. The episode’s blend of news, learning, humor, and peer perspective makes it valuable for newcomers and veterans alike.
For links to recommended resources, community activities, and free career development sessions (Jawjacking), check the Simply Cyber livestreams or visit https://simplycyber.io.