B (3:43)

There it is.

A (3:43)

Worldwide Wednesday. So let me do the ad reads. Let me. Let me give some love to the stream sponsors. Hopefully you give them some love too. And then we're gonna go around the world and it's gonna be lit. All right, guys, check it out. Now I'm gonna go to simply cyber IO,/, area. Simply cyber IO area. Look at this. Register for a free trial. Boom. Let me tell you about area. Hello. And check this out. This is what I would love for you to click and check out. There we go. Check this out. All right. Chat's moving so quick, I can't even grab this comment to pin it. There it is. Hey, listen, guys, really quickly. AI is everywhere. I'm sure you're seeing this in your own environments, right? Leadership saying, hey, let's get AI. All of our competitors are using AI. What are we doing with AI? Your employees are all over the place using AI for all sorts of different things. It's shadow it. Basically shadow AI, if you want to start spreading that word around, it creates vulnerabilities, data governance issues, compliance issues, fragmented solutions. The risks begin to compound exponentially. Your sales team's doing one thing, your marketing team's doing another. Your dev team, your engineers, your executives. It literally is a hot mess. Express. So how do you control that? Because one security incident, you know, I know you got IP theft, regulatory fines. Just. It's gross, dude. So we need a solution. Let me tell you this. What if AI became an advantage instead of a risk? What if you could go to your boss today and be like, listen, we can use AI to enable business, and we can absolutely crush it like a bunch of bosses in a secure way. Right? That's exactly what Area does. It delivers a unified platform that combines AI, governance, security, and orchestration. So you don't have to choose between innovation and protection. Take control and turn your AI stress into AI success. Are you ready to embrace enterprise AI? Elliot Matice Visit area Enterprise AI Platform Secure and scalable solutions to see the platform in action. Go check it out. See it in action. That's a I R-I-A dot com. Guys, I pinned the comment in the YouTube chat. Please. It's. It's a. It's one of those links. It's a simply cyber IO slash area. But it has like the UTM link, so it'll. It'll show them that you came from our stream. Here. Go check it out. Do me a solid. I think it's a cool product. A lot of WYSIWYG stuff. We got a super chat coming in. Super pumped for my promotion to I. T. And cyber security specialist Mike. Coming in hot here, Mike. You know, I'm gonna make an assumption here. Okay, so Mike says promotion IT and cyber security specialist. I'm gonna err on the side of caution. And let's assume that Mike didn't have a cyber job prior to this and he's moving into cyber Mike. Congratulations. I love it. I love it. All right, Very cool. I also want to tell you guys about anti siphon training. John Strand is teaching his favorite class. If you've ever seen John Strand teach, he's wonderful at it. And when he's teaching his very favorite class, you know he's going to be passionate into it. That's his active defense and Cyber deception course. This course is actually four days. Four hours a day, 11 to 3am, 11 to 3pm Eastern Time, which means you can get your email sorted out, get cleaned up, get to your work and then take the class. Pardon me? Take the class. And then close up any fires that cropped up during the day. Four days, an unbelievable value. You can get as low as $0. They are asking for a minimum 25 if you can afford it. But it is pay what you can, you get a certificate of completion, you get 16 CPEs. Amazing training, honeypot, honey tokens, hackback, all the things. Very cool. Go to antiphontraining.com, check it out. Tell them Jerry sent you. John and I are friends. I mean, many of you guys know well about anti siphon Black Hills, John Strand, simply cyber me. We're all. We're all one big happy family. So definitely, definitely appreciate them supporting the channel, by the way, for all of 2026. So they will be a whatever, a platinum Cadillac package, partner, whatever you want to call it. They signed up for the year. So thank you very much, John. As Always. I will be at Zero Trust World coming up in a few months. I'm excited about that with Threat Locker. If you don't know what Threat Locker is, let me tell you about it and then I want you to get comfortable because we're going to go around the world. I want to give some love to the Daily Cyber Threat Brief sponsor Threat Locker do zero day exploits and supply chain attacks. Keep you up at night but worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how Threat Locker can help prevent ransomware and Ensure compliance. Visit threat locker.com Daily Cyber. Oh yeah, thank you very much as always. The links are in the description below. It does support the channel and helps me and all of us at Simply Cyber deliver not just the Daily Cyber Threat Brief, but the produced videos that are coming out every Sunday. If you've seen the GRC interview one many of you have, I've heard great things about it. Those episodes cost money to produce if you didn't know. I pay an editor. So using the links does help support the channel. Literally. There's like a one to one relationship between checking out the the links and me being able to provide this service to you guys. All right now before we get into it, if I didn't see any first timers in chat, so this should not come as a surprise to anyone, but we are about to go. We're gonna have to listen. We're gonna have to find a new song for around the world too because yeah, actually maybe we'll just cut the around the world out. So this is for people live in chat. I might have to start carving this out. The the music licensing has recently been elevated as an issue that's getting more visibility and potentially could come back to bite me in the butt, which I really am not super psyched about. So this might be the end of Daft Punk, but for now do me a favor. Everybody gonna give you 2 minutes, 22 seconds. I'm gonna ask you where you are. We do this every Wednesday just to show how international and amazing. Not yours, mine. I'm going to Zero Trust World. All right, two minutes 22 seconds. Tell me where you are. We can see if we light this whole map up and go after it. Where are you at? All right, Rich464 is bringing Canada online. Good to see you, Rich464. Anybody from Venezuela? Oh, wait. Too soon. That whole thing. All right, come on, let's go. New Orleans. Gary, Sergio Spring in the United States. Online. Florida, Silicon Valley. 0x3 Security. Thank you for getting up early, faced oil, bringing the Irish online. What's up? Denver, Colorado's in the house. Big D.C. las Vegas. Getting up early. Texas, the upper Houston H town. Trinidad Tobago. Thank you. Silver Spring, Maryland. Savannah, Georgia. Charleston's little brother. Manila, Philippines. Yes. Let's get over to the Philippines. What's up? Pacific Rim is online. Oh, hello. Asia. South Africa. Africa's online. Thank you, Johannesburg. Good to see you this morning. Circleville, Ohio's in the house. North Alabama. San Francisco, usa. We got Cyprus. All right, mods are online now. Oh, boy, bro. All right, hold on. Cyprus going. Cyprus is lit up. Ethiopia. I see you, Ethiopia. I don't know why I have to click twice here. Phoenix, Jim. Making me crazy. I'm sure you're sick of hearing that joke, but Jamaica's online. Kansas City, Trinidad Tobago. All right, Trinidad Tobago, we got you online. Thank you very much. Look at. Look at our Caribbean region lit up. Cuba. Are you serious right now? Dr. Fossumsman, let me know if you're serious. I will light Cuba up. We have not had a Cuban representative in the history of the show, but I'm happy to light you up. Cuba's online. Good morning, Cuba. New Jersey's in here. Germany, we got Berlin in the house. Good to see you, Germany. Financial superpower of Europe. Jamaica, Ethiopia. Come on. Where we at? We got Australia. Austin. Texas is in the house. Dirty Jers. We got Hot Phoenix. Ghana. Africa's bringing it correct this morning. Good to see you, Kansas. Come on. There's 218 people in chat. Let's go. Where you at? All right. Kind of a quiet day here on Worldwide Wednesday. I got to tell you guys, really quickly, City of Brotherly Shove. Mar Le's checking in. Dreaded hoser coming in from Cali. Thanks for getting up early. Let's go ahead and check it out. Okay, so we got some stragglers coming in. Thank you very much, Mod team. So in the last minute, we got Argentina. So. So looking at the chat, we've got the map here. We have North America, South America. Thank you. Argentina. We have Africa, Europe. Philippines is holding it down for all of Asia. The longest. The largest continent, Philippines doing the heavy lifting here. And Australia Unfortunately, Suffolk UK is in the house. Australia is asleep. It's understandable. Guys, it is late there. So Australia. So we almost went around the world. The important thing to take away here, people, is that this is a wild, diverse community of professionals who are here to help each other. There was an India. I didn't see it, but there we go. Philippines and India bringing the heat. All right, everybody, do me a favor. I need you to sit back, wait a minute. Near Ashkala 5904 is saying Melbourne. Melbourne will allow it. Ladies and gentlemen, we go around the world. Congratulations, everybody. All right, let's get to work. For real though. Sit back, relax and let's let the cool sound. So the hot news wash your verse in an awesome wave. See you guys in the mid roll from the CISO series, it's cyber security headlines.

B (15:14)

These are the cyber security headlines for Wednesday, January 7, 2026. I'm Rich Stroffolino. The UK hits reset on cybersecurity. The British government presented a new government Cyber Action Plan to Parliament which makes a conscious reset in its efforts to protect public services. The announcement admits its previous approach was flawed and left it unable to meet commitments to secure government organizations to known vulnerabilities and methods. By 2030, this will see the UK move away from providing non binding guidance to public sector authorities and instead establish a new government cyber unit for a centralized mandatory approach. The plan also calls for more coordination on incident response and stronger contractual expectations from strategic suppliers. This comes ahead of a plan to reboot its national Cyber Strategy, set for release later this year. No.

A (16:07)

All right, so check it out. There's a lot of lessons learned here. This is definitely one of the. Oh, wait a minute. I saw someone earlier. I think it was Jordan Lee. Said they were getting promoted from help desk to either cyber it. Jordan. All right, a guy named 303. Good morning to you too. Hey, listen, this is a macro level observation and one that I'm quite happy that I'm going to be able to give you a more, you know, shooting star thing. Now listen, if you live in the uk, this may have some implications for you, but for the most part, this is much more of a massive macro level observation and one that anybody that has gray in their hair could have told you was going to happen. So in the United States, we have nist, right, the National Institute of Standards and Technology that offers voluntary recommendations on best practices. And if you've looked at NIST853. Oh my God, be still my heart. If you looked at NIST 853, which is basically, basically a dictionary of con of potential controls that can be implemented and had to map them into like a FISMA compliance system or something like that. Basically you see all these things that say org defined value. So how many, what is the correct number for how long a password should be 8 characters, 12 characters, 40 characters, 3000 characters. It depends, right? It depends on the system, the organization, the risk tolerance, the threat profile, all those things. So org defined value has, it tricks new people, but it's there to allow for flexibility. Now when you have voluntary based systems, it can be very tricky for people to implement them effectively. You'll get people who are, you'll get people who don't really want a lot of control, so they abuse their power and say, oh, password should have minimum two characters. And then like everything, everything passes everything. Because you're never really going to have a password less than two characters. But it's incredibly risky. Right? So you could see in the UK what they've been doing here is trying to use its own cyber security approach. Hold on, what's that? Let me see how the risk here is. Hold on, let me read this. I don't research or prep for this. So my, my point is going to be relevant here as soon as I tie it to the uk. All right, So they were providing non binding guidance to public sector authorities, which is how NIST currently does it actually. I'm sorry, I'm going to pivot my hot take, okay? When they say non, bind, non binding guidance to public sector authorities. So in the United States right now, if you're a federally funded system, you have to comply with FISMA, which was a law enacted in 2002. All right, so this has been going on for like two decades and it is binding. It says you have to comply with these controls. And it gets really complicated on which controls are in scope. I'm not going to bore anyone with the details unless you want me to make a video about it, but that is binding. You're, you're not supposed to get your congressional funding unless you comply with the FISMA compliance. Right? Those are binding. In the UK they've been saying, hey guys, here's a good idea, you should do this. And then no one does it. What they're saying is that's not working, people aren't agreeing to it and now they're pivoting. So if you're a public sector system, you will have to comply, you will be bound to these controls. And they're actually standing up a Government Cyber unit, which sounds a lot like NIST or not nist, but like, I guess, nist ish, where they'll be responsible, kind of like NIST or cisa, to make sure that those government organizations are getting the controls that they need implemented and being held accountable, which means independently audited. This is going to be a massive overhaul. You can see they're overhauling ir. They're going to have to overhaul everything. Strategic suppliers will face stronger contractual expectations. That's basically what CMMC is in the United States. Here are two hot takes for you. Number one, if you live in the UK and you want to work in grc, I do suspect that there will be GRC related jobs coming. Unfortunately, It'll probably be 2027 before they get their act together, because this is going to require a lot of GRC work, a lot of readiness, audit readiness prep, a lot of audit, a lot of accountability and ownership of cyber risk once this starts happening. So there's something there. Secondly, unfortunately, when you try to turn a cruise ship around, which is basically what they're doing. I've never been on a cruise ship, but you get my point here. Turning a cruise ship around isn't like turning a fishing boat around. You don't just, you know, you don't just turn the wheel as far as it'll go and whip a ui. You literally have to be like, putt, putt, putt, putt, putt. So if you're overhauling an entire country's approach to cyber security, it will be dramatically slow, there will be lots of mistakes. And if, honestly, if they don't learn from what happened with the United States, go look up what happened with CMMC 1.0. I'll leave that as an exercise for you. Just a hint, we're on CMMC 2.0 and 1.0 never made it out of the starting blocks because of issues that are not related to cyber security. I'll leave it there. So if they don't do that, they're going to have a problem. The UK has been getting punched in the mouth quite often lately. There's a lot of younger 19 to 22 year old competent hackers in the UK. So the UK's got a lot going on for it. I hope they turn it around quick, I hope they engage with the United States and we'll see. But yeah, this is a big, this is a big deal, guys. This is basically going back to the drawing board as a country to define how to do cyber security, which is why this doesn't impact you And I today, we're not, we're not going somewhere today to like, make a change based on this news story, but if you do business with public sector authorities in the uk, this will impact you in about a year and a half.

B (23:00)

Mfa, no problems. A threat actor that goes by Zestix or Centap listed data allegedly stolen from roughly 50 organizations on illicit forums, including the American engineering firm Pickett and Associates, Spain's Iberia airline, and the Japanese home builder Sekouci House. Researchers at Hudson Rock found that this data was stolen using compromised cloud credentials, which was easy because none of the organizations listed had enforced MFA for logins. Bro, Zestix isn't new to this game. They've used info stealers to abscond with passwords and serve as an initial access broker since at least 2021. Another example of threat actors that don't break in, they log in. US may have court.

A (23:45)

I don't know what to say. I don't know what to say. If you are. I didn't see any first timers in chat, so we're all, we're all long time friends here. Okay? If you're a first timer, hashtag first timer in chat so I can. So I can prepare you for what's about to happen. Dude. If you are a business of one, put MFA on. If you're a business of 10, put MFA on. If YOU'RE a Fortune 500 company, put MFA on. If YOU'RE anyone, anywhere doing anything for public, private, government, ngo, nonprofit, for profit. If you're on the moon, if you're Elon going to Mars, I don't give a a damn. Put MFA on. It's 2026, yo. MFA has existed for decades. I don't care if it's inconvenient. Oh, it's hard, bro. This is like my 13 year old could hack you. Info stealers are rampant. Rampant. Redline. Info stealer. Raccoon. Info stealer. Insert here Info stealer. There are threat intelligence companies that have made a business model off of showing you dark web activity of just info stealer dumps. Have I been pwned? Is a website that everybody has used at least once. Do you know what you get from there? Well, not directly, but passwords. If people are re. Listen, getting. Getting someone on a password manager or password vault is a hurdle. I get it. My aunt Dorothea is not getting on a password vault, which means she's going to reuse passwords and that sucks. And I know it's winter 2026 and exclamation point oh, way to get creative. And I get it, I get it, I get it. It's your email, it's your financials, it's. It's your vpn, it's your Citrix gateway. It is your corporate password. Fine, have a crappy password. Do you know what MFA does? It stops that crappy password from being the only thing between a threat actor and owning your clothes, putting them on and walking around the office like they're on Dorothea. MFA is not a silver bullet. It will not stop all the things. There are tons of documented instances of MFA getting bypassed. But you know what it does do? It stops the low hanging fruit, it stops the less sophisticated threat actors, and it sure as hell stops this attack from working. What are we doing? What? I'm like sweating. I'm so annoyed by this. 50 global enterprises to me. Listen, this is a hot take. Get your hot take button ready. If you're not implementing mfa, okay? And listen, there are instances where you don't put MFA in and I'm okay with it. But on balance, if you're not implementing MFA for like your workforce accounts, your Internet facing VPNs, or, you know, Citrix gateways, to me, that is negligence. That's negligence. Especially if you're a Fortune 500 or you're a global Enter. See, they say global enterprise, right? I have students that are all over the world, right? Does that make simply Cyber a global enterprise? We just did Worldwide Wednesday and we touched every country. Does that make us a global enterprise? You could be subjective and flirty with the definitions, but dude, if you're a legit company that makes over eight figures in annual revenue and you're not using mfa, that, that's negligence. It's, it's not about cost center business enablement. It's mfa, man. It is a foundational control and everybody is used to it. In 2026, there isn't a single person you're gonna run into. And yes, you could have a straw man argument of like, someone who comes from a developing country that hasn't used tech that works in your, you know, whatever office. But like, let's be real with each other. You're not going to meet someone who doesn't have to use MFA on at least one of their accounts. Google requires you to use mfa. Some banking institutions require you to use mfa. So if you got someone who's like, oh, so much friction, it's giving me chafing. So much friction here. Why mfa? Turn it off. Turn it off. Tell him to go somewhere else because this is Going to happen to you. God.

B (28:52)

Aided cyber attacks with Maduro arrest. Both US President Trump and the Chair of the Joint Chiefs of Staff, General Dan Kaine, alluded to possible US Cyber attacks to cut power in Caracas as part of the arrest of Venezuelan President Nicolas Madero on January 3rd. Kane referred to this as layering different effects as part of the operation. Without going into too much detail, the Internet tracking group NetBlocks reported a loss of Internet connectivity at that time due to power cuts, saying that if they were tied to a cyber attack, it will have had to have been targeted, not impacting the broader network space. While it's widely known that the US Operates sophisticated cyber operations globally, we generally don't get any kind of acknowledgments this close to the event.

A (29:35)

All right, okay, so whatever. The Venezuelan president, Maduro. I don't even know what the right term is. I don't know if kidnapping is what we're calling it or extraction or. Or arrest. I. I don't know what the correct term is. And I don't even know if it's like politically charged to use one term of the over. But let's just say during the recent United States Venezuelan military operation, the lights got cut out. So essentially, Delta Force had a guy in the chair. You know how all these cool act like Mission Impossible and action movies, they like. Ving Rhames is the guy in the chair, right. In the Spider man movie, Tom Holland's buddy is the guy in the chair. There's always a guy in the chair, right? Because you need like plot armor to be able to do things right. So the US Cyber Command shut the lights off. Awesome. I'm totally into it. Let's go. That's industrial control systems operational technology. We've seen this happen in many countries, right? Russia's turned the power off on Ukraine. Ukraine's turned the power off on Russia. United States probably turned the power off on other people. Honestly, I mean, I don't know. I. Listen, I never served in the military. I've never been involved in a military operation. I've only seen it in movies and stuff. But before the Internet, you know, Arnold Schwarzenegger would just deploy into the field and then the first thing we would run over and do is like, cut the power line or set C4 on the power lines and then blow it up and then all the power goes out, right? Like that's how action sequences start. The. The lights go off. Guys, military operations in 2026 absolutely are going to use a cyber capability. The NSA, I mean, cyber Command is doing it now, but for years, the NSA was basically like a consulting service for military operations. You just go grab a couple TAO operators and deploy them into your military operation to do things, and then you send them back to the, you know, to the, to, not to the barn, but like, you know what I mean, to the farm, whatever you want to call it. So whatever. This is interesting, it's relevant because this is a developing story in the United States. But this shouldn't come as anything like, I don't know, like US Cyber Command could have hacked into closed circuit TV systems and like, had visual on Maduro, had visual on the operation. You know what I mean? So cool. Like, Just as an objective observer on the outside, completely separated from this operation altogether. I'm, I'm pumped, I'm pumped that cyber is a capability that is utilized as part of the overall operation for the war fighter. Right? I, you know, I used to think cyber was going to take it all over. Cyber is just another capability. And, and the cool thing is cyber's everywhere. So whether it's air, land, sea, or space, there is a cyber fe function or capability that complements any operation. That's why cyber's so cool. We're the coolest.

B (33:05)

Edward Land Rover sees sales crash after cyber attack. The British automaker is still feeling the impact of a cyber attack last year, which forced it to halt production for weeks in the fall. In its most recent earnings report, Jaguar Land Rover saw a 25.1% fall in sales on the year in Q3, down to 79,600 vehicles. Even this drop depended on old stock already on dealer lots because shipments to dealers fell 43% on the year to just over 59,000 vehicles. The UK's Cyber Monitoring center has described the attack as the most economically damaging cyber attack in the UK, with an estimated financial impact of 1.9 billion pounds. And now, thanks to today's episodes, all.

A (33:47)

Right, Jaguar Land Rover, Jaguar Land Rover, they suffered a massive ransomware attack. This is a manufacturer, like, let's boil it down, strip it away. Yes, Jaguar is luxurious. Land Rover is designed to be. They show you that it can drive upstairs, but no, the, the most, the heaviest Land Rovers get is like a speed bump in your neighborhood. But it's luxurious, right? It's a status symbol. Well, their manufacturing company got absolutely hosed and they suffered like, I don't know, like two months of downtime. This is the impact to manufacturing. When they say sales crash, this shouldn't be a surprise. It's. Listen, nobody that's going to this Jaguar Land Rover dealership is like, no one's like, oh, you know, I really like this Land Rover. Do you have it in green? You do have it in green. Nice night. Oh, wait a minute. You had a massive international ransomware attack three months ago. Come on, Clint. We're leaving. No one's doing that. Sales crashes are not based on that. The sales crash, in my opinion, without doing any additional research on this, is because there's basically a bubble or a hiccup in the supply chain of delivering vehicles to the lot to be sold. Think about it for a second. Just basic, simple things, right? Land Rover buys raw product in steel from wherever, right? They take the raw product in steel and they mold it and put it in an assembly line, and they pop out a car. The car gets shipped on a boat to a dealership. You know, Jan shows up at the dealership and purchases that car. So it's step one, step two, step three, step four. Well, when you break step two of the actual manufacturing piece of it, you're not going to be buying an a load of raw material because you can't do anything with it, and you got nowhere to store it. So you're getting this sorted out. All the product that's on the boats continues to get delivered to the dealerships. The dealerships continue to sell, and there's nothing behind it to backfill. This is why sales are crashing. They have a bubble. It's like. It's like if you've ever tried to, like, pour honey out and you get that big, slow air bubble, and you're like, oh, bro, this is gonna suck when this happened. Like, that's what's happening. This will get sorted out. I'm sure. Right now, Land Rover Jaguars back up. They are producing vehicles, and they're going to get it back up and running. But, dude, manufacturing Companies run typically 24, 7, 365, which is part of the reason it's a pain in the a to maintain their systems because they don't want to go down, so they can't make cars any faster. It's not like they can, like, go on YouTube and hit 2X on the manufacturing timeline and start cranking out cars faster. If they could, they would have been doing that before because they're all about making straight cash, homie. So, yeah, sales cycle, big, whatever. Like, to me, this is a nothing. You could have predicted this. Now, the real question, and this show is not a financial show, but the real question is, let's do this, Jack, bro, Jaguar Land Rover stock value. Let's see where that's at. All right, here we go. Tata. Tata. Does Tata own Jaguar Land Rover now, bruh? See, I don't even know how to. Maybe they're not even traded. I don't know. If they're like rolled up into somebody, if they're rolled up into some other company, then you know, that company could diversify its risk by having multiple companies and, and kind of absorb the hit. Anyways. I always look like, dude, it took me 40 years to figure this out. You could see all these stories about impact and brokenness and whatever. Go look at the stock value. Go look at the value of the company because is the actual indicator of health of a company, right? Oh, we suffered like, like, dude, last one and then I'll get to the mid roll. Crowdstrike, okay. CrowdStrike stock. Two years ago, CrowdStrike had this massive crowdstroke incident right Somewhere right around. I think it was Black Cat right before Black Cat 2024, which would be right here. Actually. You can see it. If you're looking on stream right now, you see this huge dip. I guarantee you this is where Crowdstroke happened. And you could see they were traded at 400 a share and now they're at 458. So this right here, you can see the indicator of something really bad happened. But the company on it, on its own was fine and it continues to grow. So like no impact. Okay, okay, so Tata does own them. So for an instance like that, they've probably own multiple. They probably own multiple companies. So they. Oh my God. I don't know if you're looking on stream right now, but this looks like an absolute puke. Oh, this, this looks like somebody who just got told they're getting called up to varsity and they, they don't feel prepared to like wrestle at 2:15, right? And they're like, oh, and they just like throw up on themselves. This is gross, dude. This is not a financial services. I don't offer financial advice. I actually have someone else manage my finances because I'm terrible at it. But I don't know, this seems like a. Seems like a pretty good dude. Down 13%. I would imagine that this might go back up again. All right, here we go.

B (39:30)

Hox Hunt. A small tip for CISOs. If you're unsure whether your security training is actually reducing phishing risk, check out what Qualcomm achieved with Hoxhunt. They took their 1000 highest risk users from consistent underperformers to outperforming the rest of the company driving measurable human risk reduction and earning a CSO50 award. See the Qualcomm case@hawkshunt.com Qualcomm that's H N.com Qualcomm.

A (40:03)

All right, we will hey, really quickly, we are not going to be playing don't you forget about me. Officially retired until further notice just to avoid I've officially become concerned with financial issues. So I, you know. Okay. All right, here we go guys. Mid roll, I want to say thank you. Oh, hold on, let me do this. All right guys. Hey, I want to say thank you also very much for being here. I know. Hey, this whole week it's my, I'm, I'm back from vacation. I haven't been sticking to the schedule. Nick Barker's not been happy at the mid roll. We're at 8:40, a couple minutes over worldwide. Wednesday is always a thing. Oh, hold on. I want to share this with you. I forgot this came across yesterday and I didn't update the thing I want to say shout out to the stream sponsors Flare threat locker, anti siphon in area. But speaking of flare guys, they got their first Flare academy coming up for January 29th. Now if you don't know what Flare academy is, they put it's Flare is the company. They're a threat intelligence platform. I have a video on the channel for it. I really like not just Flare as a product, but I really like the people at Flare. There's not a lot of companies where I really like the people behind the company. I mean, most of the company's people are fine. I'm not saying I dislike them, I'm just saying like Black Hills, I really like the people behind them. Cairo Sec I really like the people behind them. Flair, I really like. So if you want to learn for free about the inside life of a ransomware operator, this is no joke. Here's my thing with the flare Academy. I am never going to go into a dark web. I, I, I'm too concerned about my own personal safety. I'm concerned about my children's safety. I'm concerned about my livelihood. I am not going to go poke the bear. But in order to be a better practitioner, I would love to know as much as I possibly can about the bear. And that's what Flare Academy does. They have people who are entrenched in these environments and then they do these webinars where you get insights on it. So if you want to learn about the life of a ransomware operator, is it all Ferraris and bougie parties or, or is it a grind? Do you have to meet your Q4 numbers or is it basically you're, you're like, I'm on a boat. I'm on a boat. You know, was, was Christmas time for ransomware operator Bugattis and Rolexes or was it Ramen and you know, I don't know. What else would you do? Was it ramen and teu shopping? I don't know, but dude. January 29, 11 to 1pm I'm going to drop a link. This is a big scary link. I can't even put this link in here. I can't even do it. I'll drop a link to this tomorrow or I'll fix this. But January 29th, here's my thing. Register for it and then if you can't go, don't go. I'm gonna register. I want to know. I, I legit want to attend this and learn more about it because this is very, very interesting to me. So if you'd like to learn about the inside life of a ransomware threat actor, come check that out. I'm actually going to fix the, the redirect here while we're on stream. Not, you know, while it's, you'll see how it'll happen. All right, but that's the mid roll. Thank you very much. Stream sponsors I see it. Career questions in chat, Zach Hill asking if this is AI Jerry. He said, okay, so Zach actually called out that I'm wearing a hat. I gotta tell you really quickly, chat again. There's no first timers here. So I feel like, yeah, I'm definitely not on a boat. Roswell, uk, first timers here. We have my dog. My dog had surgery and it's like a lot of maintenance here at the house. If you ever see me wear a hat. I told mods this early, if you ever see me wear a hat, it means I haven't gotten ready for work yet. Like, I haven't showered. This is like, this is like a pajama top. Okay, so we're, we're, we're making, we're making it work for our family. And because we're huge dog people, we love our dogs. We're making sure that this dog, one of our dogs, is getting the treatment and what he needs to make sure he doesn't hurt himself during his recovery. So if you see me wearing a hat, that is the secret behind it. It's an indicator that I need to shower. Also shout out to the midnight. My absolute favorite band of all time. All right, let's finish the news. Good to see you, Zach. Also, if you want to, if you play Magic the Gathering and you're into Commander, let me tell you what Zach Hill has a very fun, Casual Commander YouTube channel you might want to check out.

B (45:03)

Microsoft Pushes Back on copilot Security Flaws Security engineer John Russell recently outlined several perceived security flaws in Microsoft Copilot, including prompt injection, leaking system prompts, command execution within isolated Linux environments, and bypassing file type restrictions with base 64 plaintext strings. Rossell noted that while all LLMs hit a point where they struggled to separate data from instruction, other major LLMs like Anthropic's Claude didn't have the same issues he saw with Copilot. Speaking to bleeping Computer about these findings, a Microsoft spokesperson said that these were out of the scope for servicing as a vulnerability, saying there are several reasons why a case may be out of scope, including instances where a security boundary is not crossed. Impact is limited to the requesting user's execution environment or other low privileged information is provided that is not considered to be a vulnerability.

A (45:57)

Haircut fish, you are not asking that question. I feel like you're trying to bait me. What's the midnight? Oh, all right, so listen, couple things. Hold on, I got a. Oh, this. Hey, you know what guys? This is what multifactor authentication looks like when you're, when you're logging into a system of some level of importance. As I MFA into my system so I can do the URL redirect. So check it out. For years and years and years, software vendors, specifically Microsoft would would have a vulnerability and they'd be like, it's not a vulnerability, it's a feature. Okay? And this has been like a long standing joke in cyber security when we talk about a feature versus a bug, okay? Same thing's happening now. No surprise you're getting vendors who are financially motivated. Straight cash, homie. Right? To push product quickly. I'm sure software vendors are being told by their management like, go as hard as you possibly can into AI. There's so much money in AI. Literally. AI is a multi, multi billion dollar business, right? And there's just money being printed everywhere. And CEOs are like, get me that money, right? A lot of teddy kgbs running around and researchers are like, whoa, whoa, whoa whoa whoa whoa. We're finding all sorts of things. So now what's happening is you're getting into this issue where vendors are saying, hey listen, this is a limitation of our product. And researchers are saying, bro, this is a vulnerability that could be Exploited to have, you know, the AI turn on you, be weaponized, disclose information, have data leakage, all these things. So for me, listen, as a practitioner, I hope you guys all take this. This is less a story about co pilot being able to detect prompt injection better than Claude. This is a story that's much more nebulous and nuanced in that when you're hearing phrasing like, oh, you know, we have this limitation, or there is this concession, or it's on our roadmap, your ear should be popping up and saying, wait a minute, what does this mean from a risk perspective? How is this introducing vulnerability and attack surface or, you know, risk exposure to my environment, to my data, to my applications, to my workforce. That's what you should be asking. These are the key terms that are being thrown around. And we're seeing this divide between researchers and vendors. Again, it's all about money, right? Great cash, homie. The researchers are about finding research and publishing research and finding bugs and making the product better. Vendors are also trying to do that, but for the most part, at the end of the day, they're measured by how successful they are at generating revenue. All right, don't come at me with altruistic, you know, whatever. It's all about straight cash, homie. Okay, so prompt injection is definitely the number one AI attack right now. And unfortunately, being able to distinguish between commands and inputs for AI is difficult, which is funny because AI is so smart. But it can't tell between a URL and a URL that has a prompt attached to it. So if you work in AI, if you're interested in doing AI, this is just more of the continuing conversation right now. Right now. AI is so hot. Okay? I mean, it's like that Hansel's so hot right now. Dude, if you. Listen, I. I'm giving a. If. If you guys didn't know, I'm doing a. A workshop at the end of the month, I, I probably should tell you guys about this. I. I don't have a link to it right now, but. Oh, wait, hold on. Luma. If you go to luma.com simp. Where is it? Oh, it's not even here. If you go. If you guys didn't know. If you go to luma.com/cyber, you can actually get like, you can. You can basically get a calendar invite for free, of course, to all these events and. But it's not here right now. But I am running a workshop. In full disclosure, the workshop is a paid workshop at the end of the month. It's a four hour workshop about how to build a personal brand using video as a weapon, or not as a weapon, but as a tool. And I just want to point out right now, if you really wanted to make a big splash, dude, put AI on anything. AI is ridiculously hot right now. You say AI and it's like, like tons of visibility. Okay, so just a heads up on that. But anyways, the key thing Here is limitations versus vulnerabilities. Computer, keep playing.

B (51:09)

Eightscape spells trouble for N8N researchers at Sierra disclosed a critical sandbox bypass vulnerability for the open source automation platform N8N, impacting all versions prior to 2.0. This stems from a protection mechanism failure where an authenticated user carries over the same permissions on the underlying host, meaning they could execute commands. Users on version 1.111 can enable improved security isolation to get around the bug. And with version 2.0, this is on by default. Ledger impacted by third party.

A (51:42)

All right, N8N's got a 9 9. By the way, quick shout out to Brooklyn 9 9. One of the most underrated hidden gems of comedy gold ever. I love Brooklyn 9 9. So if you're looking for a. If you're looking for a show to binge or whatever, you will not be disappointed with Brooklyn 99. All right, so 99 CVSS score. Which doesn't mean necessarily horrible, it very likely is horrible. But this particular vulnerability allows authenticated users. So anyone that can authenticate into the environment, which you can sign up for a free account today, anyone that can authenticate into the environment can execute system commands. You don't want that. Now remember, any system you use, I don't care what it is, it is running on a server, right? Any application you use, any system you use, at the end of the day, it's running on some type of server. Whether it's virtualized, whether it's hardware, it doesn't matter. It's running. And if you can run that, Whoops. If you can run those system commands, that. That's not good, right? Obviously we had. This was an issue way back in the day with SQL Server. If you didn't change the way the SA service account worked on SQL Server, people would exploit all that. N8N, which is this WYSIWYG. What you see is what you get. Drag and drop AI automation workflow tool. That's very popular. I. I've tried to use it a little bit. Yeah, this is a bad vulnerability. Now what is the actual impact? Because to me, the impact is to N8N. Not necessarily to you. Now, someone could go in and delete your instances, delete your workflows, modify your workflows, attack the integrity of your workflows. If you're a business selling some service that uses N8N for the back end, that could impact your business operations. But realistically, I believe this is a problem that N8N has to fix. Not you and I. Let's go to epsslookup.com I'm going to drop this in chat, right? I mean, here we go. You can see here, There is a 1/10 of 1% chance that this is going to be exploited in the next 30 days. Okay? You can run N8N local to your own instance, like spin up your own. And that is something to be concerned about. So if you're using N8N through the portal through like the SaaS app, you're probably fine. If you have rolled your own and you're using it locally, then you might have a problem if it's Internet facing. But if you're rolling your own, how many authenticated users are you going to have? Right? So to me, like, I don't know, I guess. Here's my hot take on this one. Okay, here's my hot take on this one. Number one, the N8N SaaS application has definitely already fixed this. I don't even need to look it up. I'm telling you, it's. I have highest confidence they fixed this. Number two, if you rolled your own and you're running N8N locally, it's highly likely it's not Internet facing. It's highly likely you don't have a gaggle of users logged into it. And even if you had 10 users or whatever, like you're running it for your own researcher dev team, the chances of one of them exploiting this is low. And if they did, what do they get? Like, it's your team's N8N instance. Oh, way to go, Johnny. Yeah, yeah, yeah. You played a prank, like, whatever. All right, so to me, the only reason this is in the news is because it's N8N and everybody walks around like six to midnight because, oh, N8N and AI. But it's just whatever breach.

B (55:32)

The blockchain security company ledger says that a breach at its payment provider Global E resulted in leaked customer information.

A (55:39)

N8N is not. I don't know if you're talking to me, cryptic roses or not, but N8N is very popular. A lot of people using it. I'm trying to use it.

B (55:47)

This included Names, contact data, order details, and amounts paid. Ledger was quick to point out that nothing related to financial data or cryptocurrency wallets were impacted. Global east started notifying impacted customers as of January 5, warning them to be on the lookout for targeted phishing attacks. Based on the information, Ledger is specifically warning customers about any scams involving devices shipped to their addresses. Looking for access to crypto wallets, Mike.

A (56:14)

All right, let's see what this is about. Hold on one second. I did update that URL, so I'm fixing this right now. There we go. Find out about the life of a ransomware operator absolutely free. Put it on your calendar, guys. No reason not to. If you can't attend, you can't attend, but whatever. Plus, it helps the channel, right? Because you used my link. Crypto wallet. Shop ledger confirms customer data lifted. SNAFU is not quite the term I want to use. If someone steals my money. If someone steals my money. SNAFU is not like, oh, hey, no, let's see. Blockchain security biz. Ledger says customer info was stolen, and it's going to be used in phishing exercises. Passwords. Ledger recovery phrases unaffected. Okay, so here. Okay, whatever, dude. This is another hot nothing. Here's the deal. If you're doing crypto anything, you have NFTs, you're a crypto trader. You're just in gold, right? And you're going hard into the paint on Bitcoin. Whatever it is, you have to protect it. It's a digital asset, okay? So you shouldn't be screwing around with cryptocurrency and not understand that this. If you're using Ledger and you're. You're. They got hacked. The. The ability to get into your account to steal your money, to steal your wallet, all that. It's not possible. Okay? All they got was contact information. So, again, this is one of those ones where it's like, o the sky saw on him. But in reality, it's like, they got the phone book of people who use this service. Now, that doesn't mean that you shouldn't be concerned. It just means that now you're a target for phishing. They may pretend to be Ledger and reach out to you and say, hey, your account was used in a recent attack. Click here to reset your password. In reality, you're getting compromised. But at the end of the day, your customer population or you as an individual, your workforce, your Aunt Dorotheas. I don't care who you're talking to, you should always be vigilant that you're gonna get phished. Phishing is like the number one attack vector. It's been, it's been used for years and years, decades. And it still works. So why not continue to use it? Threat actors are going to use it. They just have a little bit more information to make the pretext more believable. So do your best practices, do the things you're supposed to do, and don't fall for fishes. Shamiria Gonzalez, 28 months, Blue Badge and friend of mine and if you are a woman and you would like to engage with other cyber security female professionals, Shamaria is heavily involved in the women's only channel on the Simply Cyber Discord server, which I literally never go into because I am not a female. But I know she's doing some good stuff in there because she told me. She shares that she has an internal interview this morning for a senior technical program manager for engineering security and compliance. Super excited, yet nervous. You know what, Shamira? The nervousness just is. It's the excitement, it's the energy. I hope you absolutely go in there and crush it. Let's go. Shamiria, wishing you the best on that. Absolutely. All right.

B (59:40)

Microsoft sees misconfigurations used to spoof domains In a blog post, Microsoft warned that since May 2025, it's seen an increase in threat actors using complex routing and exploiting misconfigurations to spoof domains in phishing messages. The company was quick to point out that this does not represent a vulnerability in its direct send mail flow method for exchange. Most of these messages are using the Tycoon2FA phishing as a service platform and using lures like business invoices to be paid or spoofing Microsoft messages asking users to refresh a soon to be expired password to steal credentials. Microsoft recommended setting strict DMARC reject and SPF hard fail policies and reviewing third party connector integrations to avoid these spoofed messages.

A (60:24)

All right, so here we go. I literally just screamed about this. Phishing is the number one attack vector. Not because it's cool, not because, you know, it's easy. Literally because it works and it's continued to work and threat actors will continue to use it until it doesn't work and then they'll move on to the next thing. Guys, remember this really quickly, please. As a cybersecurity professional threat actor, this isn't the 90s. This isn't Johnny Lee Miller and Angelina Jolie and hackers where they're trying to one up each other with elite level hacks or attacks. These people are Criminals, they care about results. They care about straight cash, homie. They care about getting paid. So if they can send a phishing email and get you to do something stupid and then they take over and get money out, if they can convince you to download an Android app, if they can call you on the phone and get you to send them a 500 Best Buy gift card, then fine. They don't get awards for coolness of hack. They get awards for successfully compromising businesses and people. So fishing is going to continue to reign supreme. Now, in this instance, you know, I guess Office365 or Azure Infrastructure has routing and misconfiguration issues. If engineers configure it that way, that threat actors are able to compromise the barrier. The barrier, the hurdle to get over for threat actors continues to get lower as, as a service, services continue to spin up. Right? So on the dark web. Ooh, the dark and spooky web. Fishing as a service. So my aunt Dorothea, who I love to talk about, she will be the first one to admit that she's not, you know, uber technical. She might be able to use fishing as a service and get it spun up. Tycoon2fa. Sure, whatever you want to call it. Tycoon2fa today and then it's, you know, brain rot2fa tomorrow and then it's grow a garden2fa the next day. It doesn't matter. Okay. The fact is it's a phishing as a, as a service service that basically reduces all the barrier to entry for less sophisticated threat actors. They're going to send emails. As I just flipped out about Educate your workforce on phishing emails. Configure your email security gateways correctly so they emails don't even get delivered to your threat actor. I mean, to your victims. Excuse me. Additionally, as they said in the story, yes, spend the money, configure dmarc, dkim spf, have these things not get delivered. Okay, simple dmark, dkim spf. Not free, but worth it. I also want to point out, as we covered yesterday in the news, dkim and SPF can be bypassed using Google. The Google's got this problem right now with being able to do internal apps and send emails through redirects and stuff like that. Listen, unless you take someone's computer, unplug it, put it in a safe, throw it over a boat in the middle of the ocean, there's no silver bullet. MFA is great, it can be bypassed. Dmarc, dkim SPF is great, it can be bypassed. Okay, you're not looking to go to zero risk. You're looking to get as low a risk as you possibly can for the amount of money, time and people you have to throw at the problem. Which again, is why GRC has a job. Because we are the people who decide where you spend that money, where you put those people. What is the priority for project work to get done today and. And this month? If someone would please put together a what the f is a GRC video, we might be able to better understand that. I think someone's working on that. Not sure when it's going to release, but I promise you I'm involved with that video and it's going to be delicious. Let's keep cooking here.

B (64:33)

Remember, if you enjoy our live stream, live events and other activities.

A (64:36)

Nope, nope, nope, nope, nope, nope. We are at 9:05. Just a couple minutes off, off, off schedule here, but let's do this. All right. Hala, hala, hala, hala. Guys, I hope you had a great show. I appreciate it. No first timers today. If you were a first timer, but you just didn't say it in chat. Welcome to the party, pal. Welcome to the party, pal. I appreciate you allowing me to Red Hulk out on mfa. It is a. It is a button for me. It's. It's a button for me. It's a button for me. Okay? I just. It just pisses me off. There's no reason to have MFA on some of these Internet facing things. Listen, a switch in your environment. Yeah. You don't need mfa. Right. The network admins can log into the switch and it's not a big deal. I'm not. I'm not ridiculous here. I'm Jerry from Simply Cyber. Don't go anywhere because we are going to be pivoting to Jawjacking, a 30 minute AMA show where you ask questions, we give answers. Thanks for being here. Episode 1041 until next time, stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field. Live, unfiltered and totally free. Let's level up together. It's time for some jawjacking. All right, what's up, everybody? Welcome to the party. I am your host, Jerry Guy, straight kicking it. And I got Pele here answering your questions. Maybe you're new here. Maybe you're coming. Oh, stop it, Zach Hill. It is not your first time. Listen, maybe you're coming from the Daily Cyber Threat Brief hosted by that nerd, Dr. Gerald Ozier, PhD. Please more like MFA freak. Am I right, guys? This is all about good times. Let me put the chiron on so we can remind people who just show up and are like, what's this guy doing? If you got questions, throw them in chat. I will answer them to the best of my ability. This is also annoying me, so I'm gonna fix this really quickly. On stream. You get to see how the sausage is made really quickly and let's do this. Cool. All right, so what are we doing here? You got questions, I got answers. Shamiria, this is. This is six, seven. This is. I don't know what this is. This is like I do this dance. I don't know. I don't know. How would you recommend pivoting from server admin to security? Austin asks the question, let's bring it up on stream. Hold on one second, hold on. I'm flagging questions here. Pivoting from server admin to security. Simple As a server admin, start focusing on a couple things. Number one, how about configuration? Go get a CIS baseline for whatever the server operating system is that you're responsible for and begin to configure it in a more secure, hardened way. Spoiler alert. You can't just apply all the CIS baselines or else the machine's not going to be functional. Do that also. Make sure that you're patching your things and doing that appropriately. Then if you can expand your scope maybe to your entire server IT infrastructure, you can begin to have standards. You can begin to document these things. You can begin to identify, have yourself identified and seen by leadership and other people on your team as the si, as the security person. Just start doing it. Okay, so configuration, Proper configuration. Run vulnerability scans to find misconfigurations. Use Shodan Monitor to see your Internet facing assets and see if there's problems there. Document things and then just start taking credit for it. Simple as that. Dude, you're actually in the best position to make that pivot. All right. Roswell says my beard's turning gray. Should I diet? I don't think so. Gray beards is a sign of experience. I don't know. I. I wouldn't. I mean, I'm just not big on, I guess. Vanity Gunslinger Punslinger says, how would you implement mfa as a potential interview question? Well, I mean, the first thing you have to ask if that's the question is where are you talking about implementing it? And then if you're talking about implementing it more like the general workforce, user accounts. Well, then it depends obviously on what. Here's My thing with any interview question, what I like to do is. This question is a fine question. How would you implement mfa? What you need to do is start to define this question. Listen, whoever asked you this question just made it up, right? So they aren't thinking through this whole work scenario. So then you have to say, and again, that's what I like to do. Okay, yeah, I'd love to help you implement mfa, but I need to understand more. What, what, where are we implementing it? Where would you like to implement it? Oh, we want to just implement it on our workforce, right? Like our emails and access to cloud systems. Okay, okay. What kind of environment are we? Are we in Azure? Are we on prem only? Are we Azure Active Directory Hybrid? Like, I need to understand more because I could just give you an MFA solution, but it may not be the best solution. It may be cost prohibitive. It may conflict with controls that we've already implemented in the environment. So let me understand and appreciate that. But if I'm just going to answer it generically, let's assume that you have an Azure environment. What I would definitely do is take advantage of the Multi Factor Authentication solution that comes native to Entra ID or Azure Active Directory and roll that out using the Microsoft Authenticator app. This is going to make sure that your workforce, or basically your budget doesn't have to pay for additional tokens, hardware tokens or whatever in order to roll this out. Now, another thing, with any type of question, normally your answer is going to address 80% of the problem. You make sure that you call out that 20% fringe stuff, right? Like, because it's going to show your level of knowledge and depth. Right? So how would you implement mfa? All right, we're going to do Microsoft Authenticator all over the place. Your email, we're going to do single sign on federated authentication to cloud systems, etc. But I want to call out really quick. We will have to earmark and make sure that we have budget for hardware tokens because there will be some population of the workforce that refuses to install the Microsoft Authenticator app on their devices. Is that, is that going to be a problem here? Are we going to make a policy that says you install the MFA Authenticator app on your own phone or you're fired? Are we going to issue phones to individuals? Are we going to buy hardware tokens to address that population that refuses to install an app on their own personal device? Let me get a better understanding. And by that point they're like, all right, bro, you get it. Let's go to the next question. Okay, so hopefully that helps you also. Since you asked the question, I feel like this is a good time to point it out. Talking about interviews, this video is like low key blowing up for me, which I'm super pumped about. The remaining, you know. All right, so right here, this is. This is Shamira Gonzalez. This is the individual that, the community member, the practitioner who's getting that senior technical program director interview in a few minutes. Here, this video right here, you could see I'm interviewing. Excuse. I. I'm interviewing her, basically. Can I get a share link, please? Jesus. I'm interviewing her in this video. Here, check this out. GRC interview. Here's my thing, guys. Here's my thing. Foreign. Nobody ever gets feedback on a job interview. Did you ace it? Did you sync it? Did you crush it? Did you fail? You like, hey, can I get some feedback? And it's just crickets or you just get ghosted. That is bull crap. And that's a problem that I wanted to fix. So this video series, I've made several videos. They're going to be released weekly. Okay, this video series, I ask one question, this question right here. Your organization's identified 50 high risk findings from a recent assessment. You have budget to fix 15. What's your approach to doing this? Now Shamiri is looking to break in. Jesse Johnson has been doing it for two, three years. We got his answer. And then Erica McDuffie gives her answer and she's like a senior, like 10, 12 years. Each of their responses are great. And you could see here, I pause during their responses and I give just in time, real time constructive feedback on their responses. I've gotten a lot of great feedback from people about this video and how helpful it is in destroying job interviews. So if you got your resume tight and you're getting interviews, but you're not getting job offers, this video is designed to help you. All right, let's keep cooking here. Hold on. All right, I'm looking at questions. Good to see you, ab. All right, you got to put a Q in front of it if you want me to answer it. With all recent tech layoffs, what's a good strategy for re entering the cyber industry with all the competition? Hey, if it was me, if it was my son coming home from College, I think GRC work around CMMC in the United States and basically 800171 readiness assessments is going to be huge. The government defense industrial base is requiring businesses to be CMMC quasi 800171 compliant, which means they're going to have to do readiness assessments and get stood up. That means GRC professionals are going to have to help them. That's going to be a huge cottage industry. So that's what I would tell them. Again, I know acronyms flew through that answer. C. Charlie, Michael, Michael, Charlie. Go look it up. NIST 800171 go look it up. I'm telling you I've already seen a bunch of work coming out for career questions shares a response to the question about server admin to Cyber Zach says if you're an admin position, start pivoting small tasks to lean into security. Okay, cool. That actually sounds similar to what I said, which is great. What do you think is possible control to put in place? Please put a Q in front of your question. So I know I just saw this one. What do you think's possible control to put in place regarding insider threat? We have RBAC and least PRIV in use looking towards things that may be put in place around behavior. Behavior changes. Okay so so okay so if you can, I mean conditional access, I guess you say rbac which is role based access control. You can go further granular with conditional access just because I work in engineering and I have access to the blueprints. Maybe I shouldn't be accessing those blueprints between the hours of midnight and 6am Maybe I shouldn't be accessing those blueprints from Cambodia. That's a little bit less of an insider threat. There are tools in place natural Dave, that can show you large data moves, right? So like if John in engineering typically does typically like moves this amount amount of data like you know, whatever 10 gigs a day, right? He's moving blueprints back and forth and then you detect that his user account is moving a hundred gigs. That could be an X fill, right? Also you want to if you can see where if they're moving things from like to to sites that don't normally make sense like Dropbox Box, Google Drive, stuff like that. Things that are outside your normal operations. You would have to use detection engineering in order to implement this, right? So get with a detection engineer you'd have to have a SIM because you're basically going to have to start looking at network telemetry and logs to be able to detect the anomalous behavior. Okay, hopefully that helps. And this is a great question. If anyone's got another answer to this, drop it in chat. Let's go. Onyeka says what's your recommendation for switching from software testing to cyber I mean, this is kind of similar to the server admin as you're doing software testing. You know, don't just text test for. Here's what I would do. I wouldn't just test for functionality. I would start testing for like OWASP top 10 or using you know, Burp Suite or whatever to check for like normal software flaws. Look at your dev, you know, if it's less of a SaaS app and more of a FAT app, go look at your DevOps pipeline, look at the controls around those and then start documenting them. Start, basically start helping. By the way, I just got to let everybody know, when you do something like this, whether it's a software engineer or a server admin you're doing, you will be doing extra work. Okay? So don't think that like you're going to just like continue to do what you do and not take on. You're doing extra work, but you're investing in yourself. Okay? So what I would do is start looking at the security elements of your job DevOps pipeline, having good environments, right? Like dev test prod, making sure that you have good practices around those. Security testing for input validation, user authentication, cross site scripting, looking at code repositories and the access to that. Is everyone that has access to GitHub supposed to have it? Do you have MFA? Right? There's a whole bunch of different things you can look at from a software, an application security perspective from the code base, right? Think about the whole stack, right? The like the OSI stack, you could be looking at the code base and looking at the functionality of the application itself and security there you could be looking at the network layer. Does it make sense from a network perspective? Can people touch it when they're not supposed to? The code base. The actual FAT app is an Internet facing. Is the server underneath running services? It shouldn't be. That could lead to attack and compromise. Do you have a good deployment of app server in the DMZ and then database server in the back end, right? Are you doing load balancing to prevent denial of service or you know, overburdening the server itself? Then look at the physical layer who can physically go touch the physical servers. Is it cloud based? Is it on prem? Does your data center have good controls? And all you got to do is frame it within the context of protecting the software of the system and you can go buck wild in any direction you want. All right, I'm gonna do a Ric Flair for that one. All right, continuing. If you have a question, put a Q in chat. I Hope guys, I hope for sure you're getting value from this stream. I literally do this deliberately to deliver value to you. I cannot help people one on one. It's just I don't have time for sucks to say that, but it's the reality. So what I like to do is this. I call it mentoring at scale. The Realist 2001 says in a cyber PM role, which is a program manager, project manager with a SOC background, which is security operations center, which is like a defender for five years, looking to pivot into threat hunting to be more hands on. Any suggestions if I should go this path and if which steps, course certs etc? So as far as I know, I mean if you have a SOC background, you are in a good position to be able to go into threat hunting. Just so everybody's on the same page. SOC analyst or working in a SOC is looking at network telemetry, looking at application server logs to detect anomalous behavior and then go investigate it. Is it a bad problem? Is it a, is it a false positive? Do you call your end user? Do you reimage machines? Do you smash the oh crap, everything's gone to crap button? That's what a sock does. Okay, Thread hunting is going into the environment and looking for bad that you don't have detections for. Right? Remember like the best way to explain threat hunting is say you have your house, right? Everybody lives somewhere, apartment, a house, a double wide, whatever, it doesn't matter. Wherever you live, you let's just pretend you put an alarm on your front door. So someone opens your front door, it goes beep beep or you get a notification on your phone, whatever, your ring doorbell goes off. Okay? That is a detection. And if you're at work and someone enters your house through the front door and it goes off, you have a detection. You can now respond to it. Maybe it's a false positive. Maybe Amazon's dropping a package off and it went off. Maybe a burglar broke into your house and that's a true positive. Fine, but let's pretend for a second that you don't have any alerts or detections on your windows and a burglar busts through your window off the fire escape threat hunting and is going into your environment and going around and looking to see if there's someone in your environment to go look at the window and see if there's something weird with it. Okay, so just, just so we're clarifying and defining what these things are for people who don't know. Now as far as threat hunting goes, as far as I know, there are no certs for it for courses I do know. And Dan Reardon, correct me if I'm wrong, KC7 has pretty good training. Like hands on practical training. I know. Let's Defend has training. I know Hack the Box has that CDSA path which is pretty good. More around soc. If anything, I think a lot of homegrown training would be perfect for me. Realist2001 My first thought if I was trying to do what you're doing is I would go, I would set up a lab, right? Then I would get red canaries, atomic red team. I would not set up any alerts. And then I would fire off some, you know, atomic attacks. Then I would go use threat hunting to go find where those attacks appear. And then a part of threat hunting also is like being able to tell a detection engineer or write a detection. You would be so much more valuable as a candidate if you can both do threat hunting and develop the detection to detect the threat that you hunted and discovered. So that's what I would do. Akil George says threat intel is good. Yeah, that's another great thing. I mean going to Matrix Miter attack framework and looking at the ttps of different threat actors and going hunting for those that you're probably not going to find them in your lab environment. But that's a great way to do it. Especially since you're in a PM role. You're not necessarily going to have access to systems and go poke around in them. So you will need a home lab. That's what I would suggest. And by the way, everybody in chat who also answers the questions that are on stream, thank you, I appreciate it. Guys. I don't know everything, right? I literally. I know what I know and I know a lot. And I know, I know I. I know I don't know also a lot. Okay, this is getting comfortable with imposter syndrome. So any answers people provide is definitely appreciated to help the person asking them. I'm continuing to scroll Chat natural. Dave says what do you think is possible control to put in place regarding. Oh, you already asked that. Tony. Jack, CMMC is so hot that Hansel's so hot right now. Thank you. All right. Canary tokens are awesome. Rhett Retto Rhett Original film says I work for a small cyber company. I'm now doing four different jobs I didn't sign up for. Yeah, yeah. Welcome to IT and cyber. Okay, so I would. Here's the thing. You're definitely valuable to your company. Your boss knows It. I would ask for. I would ask for a raise for sure. At a minimum, I would ask. I would try it, right? So it depends what you make. Here's the deal. If you're gonna go for raise, you absolutely must have objective facts to bring. And don't just spring it like, say you have a weekly meeting with your boss. You can't be like, all right, yeah. And that's what I worked on this week, by the way. I want to raise. Like, I. I would recommend. Again, this is just my strategy. If anyone else in chat has an idea, let me know. Small company. I get it. Maybe this is a little overshot for a small company, but what I like to do is document. Hey, listen, here's my job, right? But I want to point out that I also do this, which is this job, and this, which is this job, and this, which is this job. And I'm fine doing it. I'm great at it. Thank you for the opportunity. You have to make it a crap sandwich, by the way. Okay? If you don't know what a crap sandwich is, a crap sandwich is compliment. Crap, compliment. The crap is where you're asking for a race, okay? You're basically sell. You're. You're doing sales right now. Okay? So anyways, hey, like, here's. Here's. I'd love to have a meeting with you. I'd like to discuss my current role. That's what, like, make a separate meeting for. I'd like to just. I'd like to discuss my current role and get a better understanding of it and make sure. Make sure you're. You're making it about them. I want to discuss my current role, and I want to make sure that I'm delivering value to you and the company. Simple. Okay? Then you get in there and you say, hey, here's what I'm doing. Here's what I'm doing. Here's what I'm doing. Here's what I'm doing. Now, I know my job is just this job up here, and I'm really grateful for the opportunity to do these. All these other jobs, but I got to tell you, I don't feel my compensation maps to the work that I'm doing. So what I would like to ask for is I. I would like to. I would like to ask you for a 10 raise. And I feel that this does align with the work I'm doing right now. If they say, oh, hey, we just don't have the money, don't take anything personal. Hey, like, at a minimum, ask them if they can go ask about it, if you have a good manager, they'll go ask. Okay? If you have a crap manager, they won't. If it's a small business, the person, if the person who's like owns the business is the one you're talking to, they know damn well whether they can do this or not. So just say, hey, listen, I really believe, you know, I, I be confident. Okay, I'm not being confident when what I'm doing right now. But just say, hey, here's all I'm doing. My current salary is this. I would, I want to request a 10 pay raise just for all this work I'm doing. I find, I believe it's reasonable and fair. What do you think? Now here's an important part of any sales. When you say, what do you think? Or what are your thoughts on this? Do not speak again until they speak. Do not speak again. You will absolutely torpedo yourself if you speak again. Let, even if it's an awkward silence, let that baby cook. Okay, what do you think? Now they're either going to say, sure, let me look into it.

B (88:54)

Sure.

A (88:54)

I believe, you know, you are doing great work. Hey, let's wait until next fix fiscal cycle. Hey, you know, cash flow's tight. We're not going to be able to do it. Whatever it is. That's it. They've made their decision. Thank you very much. Now you'll have your own decision. Rhett Original films of, you know, are you going to go somewhere else and get more money? Are they going to be able to help you get more money? If they say we can't do it right now, you can even say, hey, I mean, is there a, is there a timeline where we can do this? Is there a path between here and me getting this pay raise that you see? Make it. Don't give them a yes or no answer. Do not give them a yes or no answer. Give them an opportunity. Give them an out. Basically give them an out. Give them an open ended question, hey, I'd really like 10% more for all this work I'm doing. How do you know? What are your thoughts about this happening? Right? Don't say do I get it? Yes or no. All right, I went long on that one. But when it comes to money, it's such a taboo topic. People don't really talk about canary tokens for dlp. Canary tokens are great. Yeah, I love canary tokens. Get some canary tokens also. I mean, since it seems germane, since we're talking about insider threats. Don't Sleep on this, dude. You could take this class for $0 or, you know, 25 bucks. Four days, 16 hours. This class is all about cyber deception, active defense. It's more about threat actors getting in your environment, screwing with them, but certainly going to cover insider threat. I'll drop a link to this in chat. This is super cool. Tell them simply, Cyber sent you too. We always raid anti siphon trainings streams because it's awesome. Carrie says, new to cyber, new AI consultant. Where should I start to get into cyber? I mean, I guess the easy answer. I'm gonna hit the easy button on this one. Carrie, go here. Oi. Top 10. This is where I would go, Carrie. And good luck. Next question. Nikos says, hey, Jerry, how's the vulnerability course coming along? Ugh, dude, it's. I filmed. Here's the thing. I have filmed all the lectures. I have gigabytes of video on my hard drive. It's just hard. I mean, it's hard. It's hard to find time guy. I haven't touched it. I did reach out to Nessus and I did confirm with them that I can use Nessus vulnerability scanner in the course. Yeah, it's just hard. It's hard, man. I don't have an update. I wish I had an update. I would love to get it out. When you learn new tools or, oh my God, show up on screen. When you learn new tools or attacks that don't use often, how do you make sure you don't forget them? The only way to do that is continue to use them. I mean, there's probably more tools that I've forgotten than I, you know, that's the only way to do it. It's called getting rusty, right? When you, when you haven't used a tool in a while. But honestly, I feel like the question is, why don't you want to forget about it, right? Is it because you're going to use it in a job or sell it, right? Like I was a software engineer. Hold on, am I frozen? I was a software engineer early in my career. Like I probably couldn't. Like, if you look at my code now, it looks like. It looks like a hack job, right? So I'm not going to continue to develop fat apps in Java just to keep my Java sharp, right? Because I'm not going to use Java ever again. So the only way to do it, uni, is to practice at it and if you want to make it fun, come up with, you know, use cases and ideas on order to use it. But that's the Only way to do it. What's your recommendation for raising awareness for threat intel to high school students? If it were me, I guess it is me. What I would do is I would show them threat intelligence coming from the dark web, right? I feel like high schoolers, like, like any end user, you have to make it sexy, you have to make it cool. You have to make it so hot that Hansel's so hot right now, right? If you show them Miter attack and talk about, you know, some obscure ttp, right? Like, hold on one second. Like, if you show them an isec, you know, email alert, tlp, Amber, and you're like, oh, look, there's a uptick in activity and manufacturing attacks, a high school is going to be like, lame. But if you're like, hey, look, here is, you know, criminal activity and then, you know, using an info stealer, right? Not trying to convince these kids to join the dark side, but effectively, like showing them behind the curtain, showing them how the magic trick works. I think that that would be the biggest way. Also, I would tie it to something that high schoolers care about. I honestly, my kid is not. My kids are not in high school, so I don't know what high schoolers care about, so I'd have to look that up. But based on, I mean, actually, I will tell you this based on a report I saw recently when high schoolers were asked what their career aspirations were, being a YouTuber was the number one, being a tick tock star was number two, and then being a doctor or nurse was number three. So I don't know if Zach Hill was intending to have this much influence on the youth and the generation of Tomorrow on becoming YouTubers with all the success he's had, but that's what they're doing. So if you can maybe tie it to that show, you know, show YouTube channels being stolen or Instagram accounts being hacked, stuff like that show, you know, I don't show them how to do it, but like, again, you're talking about threat intelligence, but you have to tie it to something they care about, like any other end user. All right. Lucky says any other daily or routine content you would recommend other than that nerd from last show? Let me see. So not so much daily routines, but I mean, there are some newsletters I subscribe to, like Mike Prevett's Return on Security is a weekly. That's pretty good. It looks at the fight. You know, I don't know if you guys, if you follow me on the daily cyber threat brief and you've known it for a while. I, I'm telling you, follow the money. Look at the health of companies. Look where money is going. Money is a very strong indicator. Mike Prevett Security on investment does show you these things. It shows you where investments are going and all sorts of things within the cyber industry, which is very telling. Also, I like SISA and CESA's got a newsletter that basically comes out with like Kev updates and stuff like that, so you can be made aware of vulnerabilities being exploited out in the wild, stuff like that. So it's, it's less of like, I mean, I guess it's routine, but it's not like daily. Adrian's looking to pivot into GRC outside of NIST and other frameworks. Should I pursue SEC Plus? Yeah, for sure. SEC Plus. Zach Hill just released a video on CompTIA. SEC plus has great marketability, so that'll help cloud cert for sure. If you want, I would look at Azure. AZ500 would be a good one. If you want to get into GRC though, you say outside NIST, but I'm telling you, NIST 800171 is smoking hot. Uni says what mental habit made the biggest difference between you as a beginner and you as an expert? You know, honestly, this is going to be kind of a. I don't know how people feel about this answer, but empathy, empathy is a big one. When I was more junior in my career, I would just be like, do the thing. Why don't you do the thing? Why don't you understand the thing?

B (97:34)

Put.

A (97:35)

Change your password. Why is your password suck? Put MFA in. Why? Why aren't you using mfa? Move. Especially when I was doing like server administration, it's like, oh my God, like, just get out of the chair and let me do it. You're so stupid. Right? And then I got empathy. You begin to understand, like, this person's just trying to do their job. This business is just trying to make money. This partner is just trying to maintain or patch this piece of equipment that they sold you. When you have empathy to understand what the other person's trying to accomplish and what their focus and perspective is, you can actually make way bigger impact by being able to relate to them and understand them and get them to buy in on things, whether it's stakeholders and getting them to buy. Because listen, I don't patch systems. It patches systems. I don't get to pick my budget. I have to beg for budget, right? So in order to. If you just tell people like, oh, because I said so. No one gives a damn about that. If you can have empathy and understand them, it will unlock a lot of things in your career. All right, Cryptic says you talked about Osin training. Holy Shoes. It's 9:40. This is my last question. I gotta go. You talked about OSINT training by anti siphon. Could you direct me to where it's found? Oh, sure, sure, sure. The osint training. It's. It's. It's a one out. Oh, wait, that's threat locker. Hold on. So I go to anti siphon training, live training calendar and I go here. Where is it? What the crap? Hold on. It's. It's a Michelle Khan training. It's supposed to be. Hold on one second. Maybe it's in February. Zach, where's the Michelle Khan training? He definitely. He's definitely got an anti cast coming up. I don't know why it's not on the calendar, but January 21st. It's this one right here. Who asked that question? Cryptic Rose. It's this one right here. This is a one hour training with my good friend Michelle Khan, who is an absolute legend at Osin. Free. Go take it. And if you can, I mean, obviously, tell them Auntie Simply Cyber sent you. But tell Michelle Jerry sent you. I. I really am a huge, huge fan and a good friend of Michelle. He's such a great person. All right, everybody, I gotta get out of here. It's time. Thank you so very much for being here. I'm Jerry, your chat. Until next time, special shout out to Zach Gill, Justin Gold, Dan Reardon and others who jumped in here. Cheddar Bob down Louisiana. IT Career questions, Code Brew Shamia. Good luck crushing that job interview, everybody. I'm out. Peace.