A
All right, what's up everybody? Good morning. Welcome to the show. Welcome to Simply Cyber's daily Cyber Threat Brief podcast. I am your host, Dr. Gerald Ozer, coming to you live from the Buffer Osier Flow Studio. This is episode 1043. If you are looking to level up as an absolute boss in the cyber security industry, as a practitioner, staying informed on the current information threat intelligence agency is going to be incumbent upon you being successful. And that's what we do here every single day at 8am Eastern time. And we're going to do it today alongside you. We're going to go through the top stories. I'm going to go beyond the headlines.
B
Giving my expert opinion and analysis based on my 20 plus years of experience.
A
And the Simply Cyber community right above me is going to be sharing their insights, thoughts and etc on these topics as well as building community and sharing wins together. I hope you stay with us. We're off and running on a beautiful Friday morning. Let's go. All right, everybody, what's up? Yep, we're going to be going through eight stories today. I do not know any of those stories. I don't research or prep for these stories. Honestly, I don't got time for that. Ain't nobody got time for that.
B
That's exactly.
A
Hey, I want to say welcome back to Chris Greg 9104, first time back.
B
In a long time.
A
Chris, great to have you. Welcome to the party, pal. And for everybody else who might be here for the first time in a long time or the first time ever, allow me to say welcome to the show. I hope you have a great experience. We have a certain style of doing.
B
The show, a certain way of approaching cyber security.
A
A lot of great Simply Cyber Community members in here. Long timers. Sound off though, if you are a first timer, drop a hashtag first timer in chat. We love welcoming our first timers. Basically we just want you to know that you're welcome here. We're trying to as best we can in a digital world, in a virtual environment, you know, make the circle a little bigger, give you a little, you know, come on over here, like make you feel comfortable.
B
That's the point of the hashtag first timer.
A
So go ahead, drop that. We have a special sound effect, special emote. Now what everybody gets: Shakira Williams, Carrie, Dennis, Keith, Jay, Brock and more. It's CPEs for days. So continuing professional education credits. Every single episode of the Daily Cyber Threat Brief is worth half a CPE. And the way that you get it is just by being here, absorbing the knowledge, engaging in the conversation. What you do not necessarily must do, but I'm strongly suggesting you, as a former auditor, take us say what's up in chat. Hey, hold on. We're going to talk to Cyber Sasquatch in a second.
B
Hold on.
A
We got a bunch of people, huh? All right, so first timers, Cyber squat. Cyber Sasquatch coming over from Spotify. Chris on a like. Welcome to the party, pal. Welcome to the party. Great to have you first timers here, Chris. I hope you enjoy our Cyber Sasquatch. I hope you enjoy the full immersive video experience today with us. But anyways, as far as capturing your CPEs, say what's up in chat, right? Like TGIFO can.
B
Can K canes.
A
Right.
B
Cyber Sec JS celebrating that win last night.
A
Grab a screenshot but include the episode title which has the unique number 1043 as well as today's date. It's not a coincidence that we set it up that way. I do it literally to make it as simple as possible for you to get credit for being here.
B
I know it.
A
I know people dunk on me for like being a mess and like audio issues and stuff, but I genuinely try to make this show as easy to consume and as easy to derive value from as I possibly can. Now, all value does not have to come in the form of cyber security knowledge. No, no, no, no. You can enjoy some rib tickling on Fridays because our friend James McQuiggin at 35,000 ft, this guy right here who's in.
B
Chat, by the way, so if you.
A
Like his jokes, you can thank him @James McQuiggin. Every Friday we get a. A collection of dad jokes that we roll off and I don't look at them in advance, just like the meme of the week. So when I'm reading them, I'm getting the joke with you at the same time. So very much a community driven episode. I look forward to this. But we do that at the mid roll. Before we get into it, let me say shout out and love to the stream sponsors, those who enable me to bring this show to you. Starting with Area, a new sponsor for 2026. Drive secure AI adoption across your organization. Guys, listen, this is a common problem that many of us are dealing with. Your leadership team is demanding AI automation and with all due respect, they may not even know what they're asking for. They're just like, AI, AI, AI all the things we need, AI. And you're like, Jesus, calm down. Like we're gonna get there, okay? Your employees are using it, you see it in the logs. Tools aren't approved. There's shadow AI tools all over the place. Your security vulnerabilities are increasing. You, you don't even know if you have compliance risk. Marketing's using one tool, sales is using a different tool. It's, it's literally the wild west. You know it and I know it. Like let's be real. You, you yourself are probably using a collection of AI tools that went through no approval process, just like all the other people in your organization. But listen to me. What if AI became an advantage instead of a risk for your organization? What if you could use AI in an actual controlled, governed way? What if you could innovate and be secure? You don't have to pick one or the other, which is very cool because that's what Area delivers. A unified platform that combines AI security, governance and orchestration. So you don't have to choose between innovation and protection. You could take control today, turn your AI stress into AI success. Ready to embrace enterprise AI and actually get your arms around it.
B
Kind of manage that risk.
A
Finally, visit Area Enterprise AI Platform for.
B
Secure and scalable solutions.
A
To see the platform in action, go to area.com. I'll make it easy for you. It is Simply Cyber IO simple/AI r I a. So they spelled area but with AI in the word.
B
Okay, so I've made a redirect because.
A
If you use my redirect it has like the tracking stuff on it so they can see that you came from Simply Cyber. And we can represent like a bunch of bosses. Speaking of being a boss. Oh my God. Roswell UK. Joke of the day. Two sheep walk into a bar. Hey listen, if you are looking to learn from one of the industry's best.
B
Active defense and cyber deception course from John Strand is just a few weeks away.
A
January 19th. There's 10 days left to register. Guys, I'm telling you, I have taken this course. I have a full breakdown video on my YouTube channel about this course. It is excellent. Honey tokens, Honey potato, Hacking back, venom versus poison.
B
And all with John Strand's unique style of teaching.
A
Hands on practical applications. You get a VM, you get labs.
B
It's awesome.
A
Go check it out right now. You can take it for $0 if you want. John is all about it.
B
Don't sleep on this opportunity guys.
A
I love this class and if you have the bandwidth, I would recommend it. Also I want to make a quick note. A lot of people have to take time off from work for training. Oh no. Antisyphon's got you sorted out. Listen to this. Training starts at 11 Eastern, ends at 3 Eastern so you can get into work, have your coffee, do your emails, have your morning scrum, train, train, train. Eat lunch through the training. At the end of the day, any fires that you need to put out, you still got a couple hours. Of course I'm talking East coast time zones, but that's what's up. Antisyphon Training inspiring me. You may notice that Simply Cyber Academy's workshops and trainings are similarly lined up.
B
Because I think it's such a cool.
A
Way to do it. All right, let's hear from Threat Locker really quick and then we're off and running into the news. Let's do this baby. I want to give some love to.
B
The Daily Cyber Threat Brief sponsor Threat Locker. Do zero day exploits and supply chain attacks keep you up at night.
A
Don't worry no more.
B
You can harden your security with Threat Locker.
A
Worldwide.
B
Companies like JetBlue trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance.
A
Onboarding and operation is fully supported by.
B
Their US based Cyber Hero support team.
A
Get a free 30 day trial and learn more about how Threat Locker.
B
Can help prevent ransomware and ensure compliance. Visit threatlocker.com Daily Cyber.
A
All right, and if you're wondering how I feel right now with this large cup of coffee, this smile on my face and it being Friday everybody, right here. This is a visual representation of my vibe. Oh, let it wash over you in an awesome wave. Let's get to work. Let's crank, let's cook and let's have a good time. Sit back, relax and let's let the cool sounds of the hot news wash over all of us in an awesome wave. I'll see you for the jokes at the mid roll.
C
From the CISO series.
D
It's Cybersecurity Headlines.
E
These are the Cybersecurity Headlines for Friday, January 9, 2026. I'm Steve Prentiss. Microsoft to enforce MFA for Microsoft 365 admin center sign-ins. Starting in February, Microsoft will, quote, start enforcing Multi Factor Authentication for all users accessing the Microsoft 365 admin center, end quote. MFA requirements actually started one year ago in February 2025, but as of February 9th of this year, Microsoft will block those without MFA enabled from signing in to the Microsoft 365 administrative portal. This will affect a number of admin center URLs used by IT administrators to manage Microsoft 365 accounts. These specific addresses are listed in the show notes to this episode.
A
All right, I guess today is going to be a meme day, so let me, let me show you what, what I'm thinking when I, when I hear this right here.
B
All right, let me.
A
Yeah. Okay. This is my vibe when I see this coming in. Okay. Microsoft 365 requiring MFA for Admin Center login. Here's my vibe for this one. Dude, I've been doing MFA since day one on mic. You have to be an absolute donkey to not have MFA on the admin portal of your Microsoft 365 instance. Are you kidding me? What are you up to? Oh, unless you accidentally fell over like you're, you like had too many drinks on New Year's Eve, you had a credit card in one hand and a keyboard in the other and you're just bumbling around all wasted and you like fell forward, put a credit card in like some type of paid P point of sale system and like accidentally click clacked and signed up for Microsoft 365. That is the only scenario where not having MFA configured on your admin portal is acceptable. I absolutely love this dude. Listen, couple things. Number one, Microsoft has been say what you will like. The Microsoft Recall thing was ridiculous. They have made some choices in the past that don't necessarily align with security best practices, but on balance, on balance they have been pro security for a number of years. In fact, they are the ones who have been championing getting rid of passwords altogether for probably like six or seven years. And this is just another brick in the wall. Frankly, I would. I'm stunned that this wasn't already required. I live in the real world where, you know, when you sign up for things like this, you just automatically enable MFA. It's not even a thought. It's part of your setup workflow. The fact that this isn't required until now is stunning, but I am super pumped. I do believe you'll have to fact check me on this, but I think Google Workspaces requires the admins to have MFA enabled by default.
B
This is just.
A
This is again like let's normalize MFA. And you know, if you are running a mock, if you're running a Microsoft 365 instance, it is worth telling you here that you should listen that because I, I want to provide actual functional information for practitioners. If you're running Microsoft 365, validate whether or not MFA is required for admin logins right now. And if it's not, you should let your workforce know, your IT counterparts know. Hey, listen, MFA is going to be required, so you need to enroll now just to avoid any situations where you're not able to access. I'm assuming that when Microsoft switches over and it becomes required, the first time an admin logs into the portal it will require them to go through an MFA workflow, I would imagine. Also note it doesn't say it here, but what MFA options are available? Can you do a phone number, a text message? Hardware token, 6 digit PIN, Microsoft Authenticator. This is a real conversation for GRC professionals, guys. You can't just say, turn them all on. Right. Some of them become best friends.
D
Yep.
A
Some of them are not okay. Some of them are okay. Some of them are preferred. You need to walk through what the all the options are and then come to a consensus with it with help desk, with everybody. We got a $10 super chat coming.
B
In here from Fred on.
A
Thank you, Fred. What did the auditor. Okay, it's a joke. Why did the auditor bring a ladder to a CMMC con? Because it going on a higher level. By the way, Dr. Ozier, I disagree. You saying you're a former auditor? GRC mafia. Always an auditor. Yeah, man. All right, all right. I love it, I love it, I love it. All right. You know we got the tattoos, right, Fred, like once it's. Once you're in the. Once you're in the club, you're in the club. You're not. You're not getting out of the club. You know what I mean? All right, also since we're talking about Microsoft Authenticator, okay, so Michael Fink over on LinkedIn says it's MS Authenticator. Yeah, here's the thing. He says it's Authenticator. Okay? I mean that's definitely an option. All I'm saying is. All I'm saying is that Microsoft offers several different MFA options. Multifactor for. For real is like two factor authentication, right? You can have three factor, four factor, five factor, six, seven. All the kids in car line are flipping out in the back seat right now. But like, typically multi factor means two factors.
B
Okay?
A
We're not doing the nuclear launch codes where you got two keys and both guys have to turn them at the same time. We're just logging into Azure. Okay, so even though you only need two, there are like six options, right? Hardware token, authenticator, app phone call, you know, all these different ones. Microsoft's got a couple oddball ones too that I forget because they're all oddball ones, but you can turn them all on and allow your workforce to select the one that they want or have multiple options. That way, if it's a six digit PIN, but they left their phone in the bedroom, they have the option to use the hardware token that they wear on a necklace around their neck or whatever. It's just don't choose all of them for the sake of laziness. Choose the ones that, that are appropriate for your organization and you know, in agreement with your risk profile. For example, if you allow phone calls to be made, I have seen that be violently abused by threat actors with great success. Okay, here's how it works. I get your password. I say call the phone number. The phone call comes in. The victim picks up the phone because it's two in the morning and they wake up and it says you're trying to log in. Press 1 to accept and 2 to deny. And they're like H2. Threat actor logs in again, press 1 or 2. 21 or 2. 22 1. Hey, guess what? The phone call stop coming and I can go back to sleep. That literally has happened to me in one of my previous roles. It was a physician. I don't want to get into it, but that's something to give consideration to. And don't come at me with, well, you could have compensating controls and if there was like three different denying of logins that it disables the account. Yeah, yeah, you can do that. But then the physician comes into work in the morning, they can't work. We, we can, we can cut this thing all sorts of different ways. Also, I've been informed 6, 7 is 2025 and I'm like old. So don't do that anymore. Okay?
B
All right. All right.
E
Cisco patches ISE security vulnerability after PoC release. This is in response to a public proof of concept exploit in Identity
A
I'm sorry, really quickly on the MFA stuff, I forgot to mention this yesterday. Cyber Shittingami and I work together. Oh no. Oh no. Well, that's interesting. That's interesting, man. Okay, so check it out. Just as a quick aside, we talked about MFA yesterday, right? MFA and making the shirt. Well, Cyber Shin and gummy whipped this up and I put it in the merch store and I ordered two shirts. I sent one to me and one to him and now the merch store doesn't have it. So I'm assuming this has happened in the past where it gets like, like they won't print it because of copyright. Like they're afraid that this is violating.
B
Copyright and they won't print it.
A
So Cyber Shin and Gummy and I might be getting the only, the only versions of these MFA shirts, but we're working on a Wu-Tang shirt.
E
Services Engine, ISE, and the ISE Passive Identity Connector, ISE-PIC, rated as medium severity with a CVSS score of 4.9. This vulnerability, quote, resides in the licensing feature and could allow an authenticated remote attacker with administrative privileges to gain access to sensitive information, end quote. It was discovered by Bobby Gould of Trend Micro Zero Day Initiative. Cisco said there are no workarounds to address this flaw, nor are there any indications that it has been exploited in the wild.
A
All right, so not exploited in the wild. That's great. We love to hear that. That doesn't mean you get to punch out early because it's Friday. Go hit up the taco bar and get a couple takates with lime juice.
B
Hot sauce and black pepper on the.
A
Rim called an ashtray here in Charleston at Mex 1 Cantina. And they are delicious. You don't punch out early and start getting after the tacos and the, the Mexican lagers because this is a CVSS score of 4.9 and we haven't seen.
B
Any exploitation in the wild.
A
Oh no, no. When you're talking Internet facing devices that have security capabilities, you do want to be somewhat reasonable about it. Now this particular one has a three hundredths of 1% chance of being exploited in the next 30 days and a 4.9 out of 10. So if you ran this on a vulnerability scanner, you wouldn't even scroll down far enough to see this one.
B
Frankly.
A
It is a, it does require an authenticated user, but they can be remote. Oh, okay. So here's why it's so low. You need an actual admin account and you need to authenticate into it to gain access to sensitive information. Bro, listen. Spoiler alert. Spoiler alert. When you log into a console with admin privileges, you have access to sensitive information by default. That's what an admin account is. So I'm sure you get to do some fancy things in here with your admin privileges. But like, dude, the whole point of getting admin on a box is because you're the captain now, right? Like, so I, I hate to poo poo this story, but like, if a threat actor gets an admin account and logs into your Cisco Identity Services Engine, the phone calls are coming from inside the house, they're the ones driving the car at this point. Like they, they, they own you. You know what I mean? So there's a proof of concept exploit out right now. Sure. That could be weaponized a bit. I will say, if this gets chained together, if there is a vulnerability that allows an unauthenticated attacker to get on the box, then another vulnerability that allows privilege escalation, and then this one, well, then you got yourself a. You got yourself a full turkey dinner right there. Right when you're chaining these events, it's not just one. It's not just a side dish of potatoes au gratin. You got the turkey, you got the stuffing, you got everything going. And then all of a sudden, the.
B
The threat actor is the captain now.
A
All right, it's Meme Friday. There we go. Look at me, look at me. I've got privileged access on your identity services engine. I'm the captain now. Also, obviously, just patch it.
E
Illinois state agency breaches itself. The Illinois Department of Human Services, IDHS, has revealed that it inadvertently exposed personal information belonging to more than 700,000 state residents by posting it on the open Internet, where it remained for as long as four years before being taken down last September. The information consisted of PII and was left on the open web, quote, after agency officials created planning maps on a mapping website to help direct resource allocations, end quote. The data exposed in the breach is protected health information under the Health Insurance Portability and Accountability Act, otherwise known as HIPAA.
A
All right, so, okay, this. This is a data breach. Okay, this is a PHI data breach. And if the year was 2013, somebody probably would get fired. But it's 2026. Somebody put an Excel spreadsheet essentially on the Internet, and it had sensitive data. No one noticed it. It sat there for four years. Mara Levy's getting out of here, I'm assuming, based on Marcus Kyler's take. So see you later. Mara Levy. Mar Le. Can't stop partying. Partying. Okay, so listen, an Excel spreadsheet. Someone discovered it. It's off and running. The thing I want to tell you about this is two things. One, as a practitioner, whatever your organization is that you're protecting, like threat hunting, you're typically looking for compromises in the environment. But you can also look for misconfigured systems like vulnerability analysis, right? Kind of proactive vulnerability analysis. Look for misconfigured devices, look for new devices that stood up. I always talk about Shodan Monitor. Shodan Monitor. Let me show you this. I always, like, I should get a.
B
I should get Shodan to sponsor the show because I love Shodan Monitor, or at least get a T shirt right.
A
Shodan Monitor right here. Network monitoring made easy. Not a sponsor. It's just a service that I love. You basically set it up, you give it your Internet facing IP address range and you know, Shodan does what Shodan does. It scans the Internet over and over and over again. And guess what? If something new pops up in your IP range, they notify you. So Carl in Accounting, Carl in Accounting stands up some, you know, a Netflix server or Plex server or an Xbox 365 or a Microsoft Access database facing the Internet, you get made aware of it. Now you're not going to catch this Excel spreadsheet or whatever, but you know, like you should, you should integrate if, it depends if your information security program is mature enough. Okay. If your information security program is like a maturity level 2 or higher on a scale of 1 to 5 for the NIST CSF cyber security framework, by the way, I'm going to be making every effort to spell out acronyms to help people because some people, a lot of people don't know the acronyms that we're using and a lot of us senior practitioners just use them like they're, they're the word. And I feel like it, it prevents people from access to information and knowledge.
B
Okay.
A
So anyways, I'm going to be trying.
B
To do that more often.
A
Yeah. If you can go, you know, perusing around your. If you're maturity level two or more, you have some cycles to be able to go look for these things. Go look at SharePoint, go see what is available to non authenticated users on the Internet. Have a special like sock puppet account or something and you know, jump on the guest wireless network in the lobby or in the waiting room or wherever it is or get on your mobile Wi-Fi or whatever. Just go see what the Internet sees and you might be able to uncover these things. This sat there for four years, right? I grin Grayn Jesus. Criminy dude. Deben, I don't know why I I butcher your name every day. I'm sorry dude. So Deben Grady, Rhonda Rummerfield. They were in an audience for a talk I gave to a small group of people in the state of South Carolina up in Columbia last year and I basically did this. I kind of went OSINT hunting on the state of South Carolina's website essentially. If I was going to attack the state of South Carolina, how would I do it? And I was uncovering all sorts of sensitive information that I could weaponize. And as soon as the talk was over, the Chief of like SC Kick, right? He came up to me, he's like, I had no idea this was here. We, we're going to get this taken care of on Monday. This was a Saturday and wouldn't you know it, he literally did just that. So a bunch of stuff got scraped off the state of South Carolina's Internet public facing website around contracts and contract information, contact information. So the information's out there. Guys, don't think that all the soft targets and all the easy things have been picked clean. People add things every day, so do your best. Like whatever this is, this sucks for the state of Illinois, but like this is just like again a day of the week, like in 2026. This doesn't make, I mean I guess it does make the news, but for.
B
Real, this is not a big deal.
E
Microsoft Exchange Online outage blocks access to mailboxes. This outage, which started Wednesday evening, intermittently prevents users from accessing their mailboxes via the Internet Message Access Protocol 4, otherwise known as IMAP4. Microsoft says the issues were caused by, quote, a code conflict that introduced an authentication misconfiguration, end quote. Details on regions and how many users were impacted were not immediately released.
A
All right, so they said code conflict.
B
Not clothe conflict, right? I'm joking, I'm joking. Okay.
A
I'm just trying to soften you guys up for the jokes of the week here, guys. Microsoft Exchange, it's used by anyone that runs Microsoft 365 for their backend environment. Email wasn't delivered if you were using IMAP4. I guess, I don't know, some type.
B
Of code configuration thing.
A
One of the great things about using cloud is that when there's a problem, you know, Microsoft can deploy a team of engineers to fix the problem all while you're asleep. So you're not even really getting sweaty about it. The problem with cloud is that you have no control over taking action and fixing things when they break. You're just kind of at the whim of them. Of course, Microsoft's a Fortune 5 company, so they have infinite money cheat codes to be able to do these things. It was a misconfiguration. Guys, guess what? Engineers. Engineers make mistakes. Okay. Also, quick note, I want to say shout out to Mad Hat. I don't know if you guys like mad hat. The YouTuber. I love his content. I think he's very dialed in to like the meta of cyber security and working in the industry. He mentioned in a post on his Discord server about Carl from accounting. I don't know if it's a spurious hit that we both do that, or if Mad Hat is a secret lurker of the simply cyber community. But if you are in chat, Mad Hat, holler at your boy. I love myself some Carl from accounting. All right, let's keep cooking, yo.
E
Huge thanks to our sponsor, Hoxhunt. A small tip for CISOs. If you are unsure whether your security training is actually reducing phishing risk, check out what Qualcomm achieved with Hoxhunt. They took their 1000 highest risk users from consistent underperformers to outperforming the rest of the company, driving a measurable human risk reduction and earning a CSO50 award. See the Qualcomm case at hoxhunt.com qualcomm, that is H O X H-U-N-T.com qualcomm.
B
All right, all right, all right.
A
All right, y'.
D
All.
A
Hey, we made it to the mid roll. Hope you guys are having a great show. Definitely appreciate all of you. Good morning to you too. Rogue Cyber. Good to see you.
B
Chris Shirk saying Mad Hat is great.
A
He really is. He's actually got a video that I wanted to make a react video on. He's got a video on the different reality of different roles in cyber security. He does include grc. And you know, it's, it's funny because.
B
It's true what he says.
A
Hey, thank you all for showing up here.
B
Cyber Risk Witch.
A
I'm right there with you on a happy Friday. Threat Locker, Antisyphon, Flare and Area, show sponsors allowing me to bring this show to you in all of its meme glory. Let's just take a quick second and talk about Flare, guys. On January 29th, Flare is running their Flare Academy webinar. It's absolutely free to attend. It's a two hour webinar, 11am to 1pm. Get inside the life of a ransomware operator, guys. You cannot get access to this type of information anywhere else short of making a sock puppet account and then infiltrating a ransomware threat actor operation, which I don't know about you. I manage risk for a living. I have a wife and kids. I have a life that I really, really enjoy. I love Simply Cyber. I, I'm not interested in running up with a, a s'more skewer and just poking a threat actor in the butt and being like, hey, hey, I'm also a threat actor. Hey, tell me how your, how your life is. No, no, no. But I can attend a two hour webinar where I get a curated breakdown of the life of a ransomware threat actor, which will allow me to better understand for threat modeling and threat landscape of what I'm trying to protect from. Heck, yes. And I also want to remind everybody I will be attending this. You can see here. Thank you for registering. I, I, I save this just so I could show you all.
B
Thank you for registering.
A
I will be there. And if you guys want, I am. We had a little bit of a surge yesterday for it. Let's do a watch party. We can get in the Discord server and and jam together. Or we can be in YouTube chat or wherever we want. But if you're interested, let me know. I'll get some information around where we.
B
Can do a watch party.
A
I think Flare has their own Discord server, so maybe we just do a takeover of their Discord server. But I'm super excited about this. Honestly, this is literally a topic I.
B
Can't get access to any other way.
A
Every other day, every day of the week has a special segment. And Friday's is James McQuiggin at 35,000 Feet. Jokes of the Week. Get ready to tickle your ribs, everybody. If you got knees, get ready to slap them. All right, no holds barred. I do not read or research any of these jokes in advance. So just like the stories. Oh, thanks, Real Kyle.
B
Kyle, I look forward to watching it with you.
A
Shakira Williams is at the watch party. We'll have to get like glasses made.
B
Or some type of thing.
A
Okay, here we go, guys. James McQuiggin coming at you.
B
Hot.
A
These are. Did you hear about jokes?
B
Okay.
A
Zmif Zemif. Did you hear the joke about immortality? Did you hear the joke about immortality? It never gets old. Oh, it's a good one. It never, ever gets old. Hey, Cyber Risk Witch. Did you hear about the joke about the walnuts and the cashews? Guys, you, you've got to hear this joke about the walnuts and cashews. It's absolutely nuts.
B
Okay.
A
All right. Hey, find the true two. Tj. Did you hear about the two thieves who stole a calendar? Guys, I don't know if you heard about this. It didn't make the major news, but it was in some of the RSS feeds that I read, those two thieves who stole a calendar. Listen, they each got six months. They each got six months. Very serious. Very, very serious. Okay, now, Roswell UK. I don't know if you heard about the bread factory burning down. Guys, the bread factory burning down. It, it was awful, right? So there was like the Land Rover ransomware attack that screwed their business up. And then there was the bread factory that burned down. Their business is absolutely toast. Oh, I feel so bad for them. And finally, Code Brew. Code Brew. Did you hear about the T. Rex selling guns? This is wild. This is a wild story. This was actually a plot point in Jurassic Park, the first one, that they never explored. It's in the Director's Cut. There's a T. Rex selling guns. He's mostly a small, small arms dealer.
B
Oh, my.
A
That one's my favorite. T. Rex is a small arms dealer. Very nice. Very nice. All right. Hey, guys, I hope you enjoyed those jokes. I certainly did. James McQuiggin, every Friday, ladies and gentlemen. All right, let's get back and finish strong. We do have a panel jawjacking at.
B
The end of the. Or the top of the hour, and.
A
I don't want you to miss that. Those are good jokes, James. That put a smile on my face. The. The endorphins are flowing through me like the force.
E
OpenAI prompt injection problems keep festering. We have covered a number of stories about the seemingly permanent problem of prompt injection in recent weeks. Now, security researchers at Radware say they have identified several vulnerabilities in OpenAI's ChatGPT service that "allow the exfiltration of personal information," end quote. These flaws were identified in a bug report filed on September 26th of last year and were reportedly fixed on December 16th. But the problem still seems to evolve. The current issue surrounds an indirect prompt injection attack called Shadow Leak that, in short, allows malicious instructions in a Gmail message, for example, to get ChatGPT to transmit a password without any intervention from the agent's human user. The successor to Shadow Leak, dubbed Zombie Agent, has evolved to circumvent the fixes and defenses being put up. A link to a more complete description of these attacks is available in the show notes to this episode.
A
All right, so couple things here, definitely, to point out, number one, like, again.
B
Well, I've actually got several things to share with you.
A
Number one, like, this is an example where AI, you know, OpenAI ChatGPT, lots of people are using it. Okay, like area.
D
The.
A
The. The. The sponsor. One of the sponsors, area. Like, this is what they're. They're kind of addressing, frankly, because everybody in your organization is using ChatGPT. I have ChatGPT on my phone. I have it. You know, people use it all over the place. There's no governance around it. And you got to remember the developers of the models, they don't really. It's a. It's a black box, it's an opaque box. They don't actually know how it's going to come up with the answers and take action. Right. It's a, it's almost like a non-deterministic model because of that, an AI, you know, they're configured to be like sycophants and serve you and help you get whatever it is you want. So if a threat actor is able to do prompt injection and essentially get it to leak secrets, the AI is going to do that. And it's not exactly trivial to solve that. So that is part of the problem or not problem. This is part of the risk that you are accepting when you start allowing AI, you know, proliferating across your organization and, you know, having this AI tech sprawl, which again is why you should have your arms around it in general. Again. It would do me.
B
Hold on.
A
It would do me.
B
Stop. Jerry.
A
There's a pinned comment on the YouTube chat right now that goes a redirect to the area that AI platform that.
B
Is one of the sponsors and that.
A
I'm literally excited to share with you. It goes a long way if you click the link and just give the site a sniff, maybe even try it.
B
Out if you're curious. Okay.
A
If this is a problem that you're dealing with. Felucci with five gifted subs. Dude, thank you very much. We just became best friends. So here's the problem. Here's another thing. So now, now that I've given you your, your daily dose of AI knowledge, let me tell you another problem that is super common even before AI. This is a problem that happens at businesses that develop software, or if you're a consumer of software and there's a big vulnerability and there's a quick patch. We've seen this many times. A lot of times developers will treat the symptoms, not the root cause. If you want to do vulnerability management correctly from a software developer perspective, you need to actually look at what is the root cause problem. So when you put on band-aids and you fix these things, it, it can sometimes just cover up the initial problem, but the threat actors can reverse the patch. Threat actors can see the problem wasn't solved and then they can exploit it again and again. I almost think that this happened with Log4j and the initial fix for that. If anybody knows examples in chat, it, it literally happens, not all the time, but oftentimes there'll be like a big, big problem and a quick fix will come out and then it turns into like not a really good fix and.
B
Then Threat actors exploit it again and.
A
It's more egg on the face of the software company. All right, so TL;DR, if you're interested in security research, kind of blog posts and personal branding, bug bounty and stuff like that, AI is blistering hot. Just from an SEO perspective, AI is going to play really great. If I was, if I was good at business, I would do much more AI content on Simply Cyber. But I serve who I want to serve and I do it the way I want. GRC interview Q&A. But don't sleep on AI security research. Doing prompt injection, finding these vulnerabilities, getting it published. Okay guys, AI is not going anywhere. You and I both know that, right? So why not turn your attention to research on it also? Again, if you've got all the sprawl in your environment, be aware that you.
B
Are taking on this risk.
A
Educate your workforce around what's okay to put in AI, what's not okay to put in AI? Because guys, here's the reality.
B
I want you to think about this.
A
Once someone takes an Excel spreadsheet with sensitive information and puts it into Claude or ChatGPT and says, hey, can you summarize this? That data is gone. It is in OpenAI's databases and guess what? You don't have any control over it anymore. I promise you, unless you're some slick cat who has a local instance of ChatGPT, as soon as you give something over, it is over and done with, you have no data governance and you've just basically made an irreversible decision. I'm actually really excited. Just as a quick aside, I'm. I'm working with a company called Protegrity that actually solves that exact problem. I actually have a demo with them.
B
Next week to check out.
A
Much more technical of how this solid solution works. But that's coming in February. You guys will see that. But there's just a. A bunch of cool stuff going on. But yeah, from a GRC and data governance perspective, educate your workforce because you can't control them. Dumping all sorts of sensitive data into.
B
An AI tool and then it's gone.
E
CISA adds two actively exploited flaws to its KEV catalog. In adding these vulnerabilities, both of which can allow for remote code execution, CISA warns that both are now being actively abused by attackers. The first is a code injection flaw in HPE OneView, which is used to centrally manage servers, storage and networking infrastructure. It has a maximum severity CVSS score of 10.0. The other is a long patched Microsoft PowerPoint code injection flaw with a CVSS score of 8.8. Despite having been fixed in 2009, it has been included in the KEV catalog because unpatched or unsupported systems are still being successfully targeted. Phishing as a service attackers exploit number one.
A
I appreciate the disdain and vitriol inside.
B
Of Steve Prentice's voice when he talks about a vulnerability from 2009 being exploited.
A
I don't know if you guys caught that, but there was definitely some 'tude attached to his language there. All right, so CISA's Known Exploited Vulnerabilities catalog, commonly referred to as the KEV catalog. This is a list of actively exploited vulnerabilities. Now, really quick, taking a step back from a macro view, why would you want to know about the KEV catalog? Well, let me tell you this. If you've ever run a vulnerability scanner in a real environment, you get tens of thousands of vulnerabilities. And unless you want to be apathetic and absolutely just break down from exhaustion and cry yourself to sleep, you're not going to close all those vulnerabilities. So then how do you prioritize them? Do you just sort by severity? Well, guess what? Who chose that severity? The vulnerability management company did, or the scanner company? Not you. So those vulnerabilities aren't necessarily 100% accurate on order of execution. Well, welcome to the KEV catalog, which will tell you these vulnerabilities are actively exploited. Just because you leave your car unlocked at the mall doesn't mean your car is going to get broken into. Now, if the KEV catalog says that the Citadel Mall has a huge uptick in activity of people's cars being broken into, and you go to the Citadel Mall and you leave your car unlocked, well, guess what. Your likelihood value for your risk calculation has just accelerated into the top right bright, pulsing red quadrant, and you're probably going to get your glove box ripped through. You're picking up what I'm putting down. That's the value of the KEV catalog. It can help you better prioritize your open vulnerabilities in your environment. Just because you have a vulnerability doesn't mean you're exploited. All right? That those two things you dude, all day, every day. We're living la vida loca up in this piece with open vulnerabilities. Just some of them aren't necessarily super bad, right? I mean, obviously, if you can manage.
B
Your risk, you want to, but like.
A
In all reality, guys, like every one of us at a business has open vulnerabilities.
B
It's just it's unavoidable.
A
Okay, so this one's from 2009. Seriously dudes, if you are running a PowerPoint 2009 version, you need to reevaluate.
B
Your life choices, frankly.
A
Like, what are you doing there? Like, I, I know of examples where someone made like some custom Microsoft Access database tool that like ran a business and they put it on a computer and they're like, don't touch this. In fact, the guy who wrote it died and they're just like, we don't know his login or anything, we don't know how this works. Just don't touch it. Just leave it there. Okay, that's an example. A PowerPoint. Come on man, what are you doing? Why are you the, like, why are you the anchor being dragged behind the bus? So whoever found this, shout out to you. If you're running HPE OneView, also a vulnerability.
B
This 2009 one is ridiculous though. My God, here's my thing, guys.
A
It's like people are like, oh my God. Like you go to Black Hat and it's like next level zero day, stopping hackers before they even think of an exploit. And it's like, no, no, you don't have to do that because we have Carl in finance running PowerPoint 2009 because he likes the clip art options. All right, yeah, look at this one. If you are running, if you're running PowerPoint 2009, you have a 76% chance of getting exploited in the next 30 days. And the vulnerability is a 98th percentile, which means it's one of the worst vulnerabilities. Okay. Probably trivial to exploit. They talk about it being exploited in the wild. Guys, threat actors have had 16 years.
B
To work on this. I bet you Claude Code could rip up a, a shellcode or something to pierce this thing.
A
Do me a favor, if you find I, I, I normally empathize with end.
B
Users, but for this one I'm going.
A
To take, I'm going to take a little bit of liberty. If you find PowerPoint 2009 in your.
B
Environment, first patch it.
A
Ah, you gotta patch it. Then take the computer from that end user and hand them a Speak & Spell and tell them that's their new computer. And if you, if you youngs don't.
B
Know what a Speak & Spell is, let me show you. Here it is.
A
Rogue Cyber knows what Speak & Spell is. And all you olds like me know what it is. Here you go. Hey, thanks for being, thanks for working here. Here's your company issued computer. Go ahead and give that a shot.
E
Figured email routing to spoof internal emails. According to a report from Microsoft, quote, "phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations' domains and deliver phishing emails that appear superficially to have been sent internally," end quote. They are using a wide variety of phishing messages related to phishing-as-a-service platforms such as Tycoon2FA. These include "messages with lures themed around voicemails, shared documents, communications from human resources departments, password resets or expirations and others, leading to credential phishing," end quote. The report suggests setting strict Domain-based Message Authentication, Reporting and Conformance protocols, deploying reject and SPF hard fail rather than soft fail policies, and properly configuring any third party connectors.
A
All right, all right, here's the deal guys. It again. I like to pretend, not pretend. I like to kind of have. Well just based on my career. Like when I read these things and.
B
Think about these things, I'm thinking about it from a GRC perspective and a CISO perspective.
A
Okay, so this is the second story in like two weeks where a major cloud based solution that many, many, many, many like the the great majority of businesses use. Last week it was Google Workspace. This week it's Microsoft 365 where threat actors have figured out how to effectively send phishing emails from inside the domain.
B
Right?
A
So it comes from @simplycyber.io or it comes from at you.
B
Know, your business dot com, whatever your business is.
A
Okay. Or dot gov. If you're running Microsoft 365 they have a technique. Now what are you going to do about this?
B
Two things.
A
Number one, for free, you can educate your workforce. And I absolutely would do this again. I love making very specific one thing to learn, awareness, training, messaging for my workforce. If you ask someone to read something.
B
That'S long, they're not going to.
A
If you try to tell them five things, they might remember one. So just tell them one thing and have them remember this in this particular one. Listen, my aunt Dorothea or my Carl's in accounting. They don't care about DMARC, DKIM, SPF. They don't care about misconfigured routing. They don't compare. They don't care about Tycoon2FA phishing as a service, malware services, they don't give a, they don't give a crap about any of that.
B
Okay, sorry about that kids.
A
But what they do need to know is just because it says @yourdomain.com no longer means that it is definitively safe. You need to let them know, hey listen, threat actors are able to make it look like it's coming from inside. Also, if a criminal gets access to someone inside's account and emails from them, it's going to look like their email. So just read the email and if something feels off about it, question it. That's all I would say. Hey listen, if something feels off about an email, question it. Call the person who sent it to you. Right? Also, from a CISO perspective, doing DKIM, DMARC and SPF is not free, okay?
B
A lot of times you have to pay for a service.
A
At least the couple times I've implemented it at my organizations, I've had to pay for services. Whether you got it as a bundle package or you have to pay for it, I don't care. Put in DKIM, DMARC, SPF, those three controls, they. Yes, it's like set it and forget it. Okay? You set it and then it's in place. Okay.
B
It.
A
Occasionally you have a little bit of wrinkles, but they can be sorted out. The amount of risk you're going to be reducing by implementing DMARC, DKIM and SPF is high. And what I would say is you're going to need budget for this. It's not prohibitively expensive. Like couple, like, like less than ten.
B
Grand if I remember.
A
I think we use like Cisco has.
B
A DMARC, DKIM, SPF service that I used once and it was like 10, 15 grand or whatever.
A
It doesn't matter. What like getting compromised once is gonna cost more than I just lost.
B
Discord just crashed on me.
A
It's going to cost you more than one compromise. So don't be, don't be short minded. Don't you know it's not even that.
B
Much in the grand scheme of things. Okay.
A
Also they mentioned here configuring SPF for.
F
Hard.
B
Hard breaks, not soft breaks or whatever. Hold on, what's the actual word they used?
A
Hard fail.
B
Excuse me?
A
SPF hard fail rather than soft fail. All right, so make sure you're doing that. Also, when I hear hard fail versus soft fail, it makes me think of.
B
Hold on one second.
A
All right, so DJ B sec is saying that he has done DMARC, DKIM, SPF, all for free. So there are free options. I guess I'm just bougie and use a service. Okay. Also, I don't know why, but we are doing a lot of memes today. So when I think, when I think implementing hard fail over soft fail, here's what I'm thinking, oh yeah, brother, you want to make sure that you're configuring that SPF for hard fail. None of this soft fail up in here. Oh yeah.
E
Veeam patches a critical RCE flaw in Backup and Replication. This patch, one of many released by the company, addresses a vulnerability with a CVSS score of 9.0 that allows a backup or tape operator to perform remote code execution as the postgres user by sending a malicious interval or order parameter. A Veeam tape operator is, quote, "a limited Veeam Backup and Replication user role designed to manage tape based backup operations without full administrative privileges," end quote. The vulnerability was discovered during internal testing.
A
All right, so I was inviting a.
B
Bunch of people to the studio here for the jawjacking panel, so I wasn't listening.
A
Plus, I was just letting that macho.
B
Man Randy Savage wash over me in an awesome wave.
A
All right, so Veeam has a massive RCE flaw.
B
RCE is remote code execution.
A
CVSS is the vulnerability scoring system, right?
B
So it's the common way that we talk about how bad a vulnerability is.
A
And Veeam is a massive, super awesome.
B
Enterprise grade backup and restoration service.
A
I've, I've worked in environments with Veeam. Veeam is super good. Okay, so not a sponsor, but I, at least in my experience, I, I.
B
Found Veeam to be excellent.
A
Looks like they released a patch. Ah, you gotta patch it. Listen, if you're using Veeam in your environment, you personally are likely not responsible for it. You likely have an IT person who owns the backups and the Veeam stuff.
B
Make sure that they patch this.
A
Listen, backups especially where ransomware is the.
B
Number one threat you need to worry.
A
About, backups are incredibly important and Veeam is very good at taking backups and allowing for, you know, speedy restoration of systems when they go.
B
Down, or you got to restore from them or whatever.
A
So don't screw around with this. This is one that you want to treat as a priority system, a critical system. If you haven't already done like a business impact assessment or a, you know, critical application inventory, you should, you shouldn't.
B
You should, and you should include Veeam in it.
A
Remember, imagine if you will for a minute that everything in your organization blows.
B
Up right now, right?
A
Let's just pretend everything goes completely lame, right? And it's just done. What do you restore?
B
First? Reasonable question. Is it Active Directory?
A
I don't know, is it the Veeam servers? Is it an identity service engine? Is it the ERP solution? I don't know, because it's very specific to your organization. And I'm going to let you know right now, if you don't know what order to restore it in, you could spend 14 hours restoring the ERP server because that's where you make straight cash, homie, for your business. And then discover that there are dependency servers that the ERP server needs, like.
B
Say Active Directory, right?
A
And none of it works. And then you have to spin down the ERP server and go restore AD. I'm not saying one way or the other. Maybe I know some things, maybe I don't. But hypothetically speaking, maybe you're the Land Rover Jaguar company that was down for.
B
Like six weeks, this manufacturing thing recently.
A
Maybe it was because they didn't know what order to restore their systems in. And Jaguar Land Rover is an international multi-facility business and, you know, IT infrastructure. I'm telling you, if you don't know the order to turn things back on, it's, it's very, very problematic. So for this Veeam one, include it as a critical system and then secondly, it's, it's your backup, man. You do not want this to get messed up.
B
It's too important an enterprise resource.
A
All right, that's gonna do it for that. All right, guys, I hope you had a great show. Shout out to all of you for being here today. I certainly had a good time. It's Friday, so Friday vibes all up.
B
In this piece as I showed you at the beginning of the show.
A
This is my Friday vibes right now. Oh, yeah, just let that, just let.
B
That cook for a second.
A
Oh, feels good. Now don't go anywhere unless you have to. Then we'll see you later. But don't go anywhere because we are about to do a jawjacking. What's jawjacking, Jerry? Well, I'm glad I asked. Jawjacking is a 30 minute. Ask me anything that we do every single day at 9am Eastern time for 30 minutes. We love helping people, but we can't do one on one in DMS. It's just too time consuming. So we created this show. You ask questions, you get answers. And what's special on Friday is that it's not just me up here. It is a panel of amazing Simply Cyber community members with probably a collective 200 years of professional experience. So we're going to answer all your questions. We're going to have a good time. I'm Jerry from Simply Cyber. If you got to go, peace out, have a great weekend. Otherwise don't go anywhere. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered, and totally free. Let's level up together. It's time for some Jawjacking. All right, what's up, everybody?
B
Welcome to Jawjack, and I'm your host, Jerry Guy.
A
Let me go ahead and start bringing the panelists on. I only see one member in the.
B
Panel, but I had a couple people ask me if they wanted to join. So.
A
The panel will increase, I assume.
B
As the show goes on.
A
But ladies and gentlemen, long time favorite.
B
Of the show, Fleetus, post in the third. Hey, Fleetus.
C
Good morning, everyone.
A
Oh, Fleetus.
B
That's an interesting camera angle. You look like the Colossus.
A
You're just like, ah.
C
So I'm on my phone. I. I will give you. I'm in Vegas for CES. So you're on my phone because the hotel Internet just crapped out.
A
Okay, no problem. How is CES? I've never gone, but I always get.
B
Geeked up about, like, the new tech drops.
C
So it's. I will say it's something you want to do once. Okay.
A
How does it compare to, like, Black.
B
Hat as far as, like, size, scope, all that?
C
So this is a large event. It's in the convention center as well as the Venetian Expo, but from a cyber point of view, it's lacking.
A
Okay, all right.
B
I mean, is it just like PlayStation 6 and like, how much.
A
Let me ask you this. How many AI robots are running around in demos?
C
A ton.
D
A ton.
B
Okay, I figured as much.
C
Okay, so they've got, they've got the, they got the new EV cars, the new electronics. You've got all the up and going eco. Let's just say economy based AI stuff. And then you got the new general stuff as well.
A
Any.
B
Before we get into answering questions, is there any.
A
Anything noteworthy or kind of silly or.
B
Outrageous that you've seen that you can share with us?
C
So Lenovo, Motorola, Nvidia just announced some new AI technology that they're rolling out. They had a keynote at the Sphere, keynoting all their CEOs as well as some of their CEOs, and then finished out with Gwen Stefani. So it was a good event.
A
Oh, my God. Yeah.
C
If you haven't gone to the Sphere, you should. It's a 4D experience.
A
So I have been to the Sphere.
B
I can't believe they had the keynote at the Sphere. That's amazing.
A
The Sphere is a very Cool experience.
B
It's like a. It's. It's.
A
I don't know, it's kind of like Omni Theater plus Plus. I don't know if you guys have.
B
Ever been to a dome Omni Theater. There's one in Boston, so I've been to it a few times, but.
A
Very cool. And then a Gwen Stefani concert just, like, thrown in.
B
Okay, she did.
C
She did like eight songs. Holy crap.
B
That's like a pretty decent concert.
A
All right, well, I guess simply Cybercon's got goals here.
B
We'll see if we can get Gwen Stefani in, you know, 2035 for everybody.
A
All right, so Fleetus, let's get some questions going. Faron.
B
Jest says, where's the best place to.
A
Learn about NIST 800-53?
B
I mean, this guy.
C
This guy named Jerry.
A
Yeah, I mean, I'll talk your face off about NIST 800-53, but like, really, honestly, the best place to learn about NIST.
B
800-53 is to just go download the NIST 800-53 special publication and read it twice.
A
Once just to like, let it wash over you, and then the second time.
B
Just read the control catalog.
A
People get confused about what 800-53 is. 800-53 is literally just. If we boil it down at its base, it's just a dictionary of all the available controls that we currently know about that you could implement to reduce risk. Now don't get confused. You can't implement every single control. You could try to implement every single control, but you're going to find out that you're going to. Either it's going to be too expensive.
B
And you're not going to have enough budget to implement all those controls.
A
The controls will be actually not reducing any risk at all because, like, it's.
B
Controlling something that you don't even have in your environment. So it's not even an issue, you.
A
Know, so, so that, that's why it's.
B
It's a catalog to help you pick and choose instead of trying to figure it out on your own.
A
Okay, let's see.
B
Do you want to add to that, Fleetus, or no?
F
No.
C
That's a great synopsis.
A
Cryptic Rose. Is there someone who is always here for jawjacking? Dude, Restream is like tricky here. Is there someone who's always here for.
B
Jawjacking that can ask. That can ask my questions? I would leave them in advance as I get focused on cloud.
A
All right, so CryptoGrows is asking for a proxy person. I don't Know, Cryptogros, like, you can ask in Discord or, you know, you can. I. I don't. I don't know.
B
I mean, you could certainly ask someone. I'm not really sure.
A
We got a couple more panelists coming.
B
On, so let's go ahead and introduce them. We'll have a full board here.
A
Ladies and gentlemen, James McQuiggin at 35,000 feet, the dad joke of the week guy. What's up, James?
B
How you doing?
F
I'm doing all right. Coming to you at sea level today.
A
Sea level. All right, so he's at zero feet. Sea level is. Is he's got his galoshes on so he doesn't get his feet wet.
B
Very nice. I love the jokes today, James. Appreciate that.
A
We also have Tuesday.
C
Yeah, I almost put that shirt on this morning. I almost put that shirt on this morning.
F
Yeah, well, yeah, I. This was sitting at the top of the clean pile, so I just grabbed it. I was like, I'll put it on.
B
So, yeah.
A
Isn't it funny how when you get.
B
Older, it's like less digging for that shirt and it's just like, this is.
A
Okay, let's go with this.
F
It smells good. Yeah, yeah, yeah, yeah.
A
All right. Hey, we got Tuesday Jawjacking host Eric.
B
Taylor from Barricade Cyber coming on. What's up, Eric?
A
Good to see you. You're on mute.
F
He's on mute there, bud.
A
Here.
B
That or he's miming.
A
All right, as he gets. As he gets that fixed.
B
We got another question here.
A
Air Force, four and a half years.
B
Got a master's training, operational experience.
A
All right, so, rwd, you got a pretty good resume here.
B
Hopefully passing CISSP on Monday.
A
I think your audio is working because.
B
I can hear you click clacking now.
A
We'll be one or two years away.
B
From being CISSP. Is the training experience addressed with ISC2?
A
So, I mean, here's what I think. So if you don't know, CISSP requires.
B
Five years of professional experience. Two things to keep in mind.
A
One, ISC Squared wants you to be a CISSP, right? You have to earn it. But they want you to be a CISSP because guess what? They get annual maintenance fees and they make money off of you. Okay? So I'm not saying you lie, but I will say that you don't need five years of, like, I was a.
B
Cyber security engineer sitting in a SOC.
A
If you're a sysadmin and you're doing patching and maintenance and stuff like that, architecture, that will count. If you worked help desk and you're doing password resets and MFA rollouts and stuff like that, that counts. So there's a lot of creative ways to define your five years of experience.
B
So that's what I would say about that.
F
Hey, Jerry.
A
Yeah, go ahead.
F
To add to that, as a CISSP and very much involved in the ISC2 family, I know a lot of folks, there's a fun argument, ISC Squared or ISC Two. But. But I've been brainwashed well enough now. But with ISC2, you have a master's degree. That counts as one year of experience. So with whatever you've got, two and a half, you get your master's. So that's one year. That's counted, two and a half years. So that's three and a half. You might be able to work in the training, but the idea is you're showing excellence and experience in any of the common bodies of knowledge that are in with the CISSP. So as Jerry was saying, whether it's networking or it's dealing with, like, domain admin or risk management, those kind of things, GRC. So if you're able to allocate those and align that, then you're good to go. If you're still one or two years away from your CISSP, or maybe a year at that point, one of the things to do is there's Certified in Cybersecurity, their CC cert. It's designed for people, you're not breaking in, but it's a good way to get. Get into the ISC2 family or community or whatever, and get exposed to the different things that are available to you as an ISC2 member. So get your CC, and then when it comes around for your. Your CISSP, it's a lot easier. And if you need someone to endorse you, give me a call.
A
There we go.
B
I like it. You gotta add to that as well.
C
Most of the domains cross into what you probably have already doing. If you just sit down and map the task you've done, you're probably closer to six months just from looking at your question.
F
Yeah.
A
Yeah. All right.
B
Hey, we had some audio issues there.
A
But I do want to welcome Eric.
B
Taylor from Barricade Cyber to the panel. Hey, Eric, how are you doing?
D
Good, man. Sitting here below sea level. So, as always, looking up to James McQuiggin.
A
I love it. Great to have you.
B
Cyber Sasquatch, who is first timer to.
A
Daily Cyber Threat Brief Video, a regular.
B
Spotify listener, Cyber Sasquatch. After we answer your question, I'd love for you to comment what your thoughts were about the video experience.
A
Fleetus Cyber Sasquatch got hired into internal.
B
Information security officer role at a company.
A
That never had it. Sounds like leadership's much more about pointing to like, oh, look, we have cyber over here. But like, culture isn't really digging, it can't really make any impacts.
B
What do you recommend Cyber Sasquatch does? Fleetus.
C
So this is a trick question. If you're saying they've never had it, they're wanting you to still be the technician who just happens to have a title that they can point to. So be comfortable putting your hands back on keyboard, be comfortable making recommendations. And I'd love to get Eric's and James's point of view from the different sides, being on sales and then the entrepreneur they have. You're going to be asked to give opinions that you may not know that you're the only person. So be comfortable saying, I don't know, but. And then go research it and come back because you have to remind them. Cybersecurity is like a city. You're the janitor all the way to the mayor. And if you're asked to be the only person, you're not going to know every answer when they ask, but you will know it with a little bit of research, a little bit of time and a little bit of resources.
B
Eric, you want to comment?
D
Am I able to go full dolphin?
A
Well, I mean, you know, keep it.
B
Within simply cyber policy.
D
Yeah, you know, you know, Disney room conversation type of thing. But yeah, this one to me screams potential fraud. And I'll say, why? And this major tinfoil hat when you start looking at people on LinkedIn and other social media platforms and filling up your email with spam, everybody's a freaking expert that when you start really digging into them, they may have had three months of experience doing what they're claiming to do. You know, everybody's an AI security expert. Everybody's this, everybody's that. And kind of what Fleetus was talking about a little bit, really drill into them, don't be shy. Right. If they do not say, like Leah mentioned, I don't know, or my current understanding or the way that I was taught, or the way that I believe X, Y and Z is this. But I will go further, research it and come back to you with a more informed answer. Show them the door and never let them come back in. There's too many. I'm sick and tired of the influencer and the professional who really do not know what is going on. And just do your due diligence. Make sure you're getting somebody in there that could actually guide you. You're you and or your business is about to spend a lot of money on consulting to get a path and we've all been scammed. I mean, take a look at website designers. I'm not trashing website designers, but it's one of those that, that you always get them in mobile app designers. They're always flooding your emails, especially if you're in a position of power. Fleetus laptop screen fell or whatever. But the, the, you know, you get that. So do your due diligence. Make sure you're with somebody who actually knows their field and can guide you and your business to the other end of it. Just be careful is what I'm saying.
B
Yeah, I'd like to comment on this one because I actually have friends who have been put in this position and stuff and I've kind of, I've been hired as like the first person to bring cyber security to a business and level it up. Listen, if they're not going to change.
A
Like you've got to remember this number.
B
One Sasquatch, number one, you're there to advise, right?
A
You can, you can, you can do.
B
All the work, you can make all the changes, but at the end of the day you're there to advise the business and if their risk tolerance, you know, whether it's consciously decided or unconsciously decided is high, like they're allowing a high risk, then that's fine. You've just, you've got to educate them on what we're doing here. Personally, if it were me, again, I'm biased. I've seen this work is I would take a current assessment of the current situation where your risks and whatnot, come up with a plan on how you're going to address those risks and then bring them to them and say, hey listen, we don't have multi factor authentication implemented anywhere. This is a massive risk. Here's several examples. I mean there's a story earlier this week of 50 global companies that got breached because they didn't have MFA and some jack wagon stolen info stealer and just credential stuff.
A
So you don't have to say all those words, just say, listen, like we are going to suffer an attack, highly likely if we don't do this. It's up to you though.
B
It's going to cost X amount of money or take this amount of time or we're going to have to hire another person.
A
This is what we're doing here. And oh, by the way, make it.
B
Relative to business and money.
A
Like, we're not going to be able to.
B
If someone wants to acquire us or if we want to get into certain markets, they're going to ask us about these things and it's just not going to be good.
A
Again, you may have been hired less.
B
As an officer and more as a technician.
A
Like, hey, go, go patch things.
B
Go turn the dials and make sure things are good.
A
And that's fine.
B
You can do that too.
A
But just know that culturally, if this is how they are, it's going to be an uphill battle and you'll probably.
B
Not going to get super mature as an organization.
A
What I would say is take every advantage.
B
You have to level up yourself as a professional, get as much experience as you can. Because this is one of those situations.
A
Where if you have a breach, saying.
B
I've been telling you this for a year isn't going to change the fact that they're going to be like, you are the reason that we had the breach. Right.
A
So not saying you're going to get.
B
Fired, but just be the CEO of you.
F
Okay, James, man, how do I follow up with all that awesome advice? The only thing I can think of, and this is kind of one of my early lessons, is when it comes to cybersecurity, we need to be a business enabler and look at the impact for the organization. You know, it's not a matter of, okay, yeah, we got to check the box on this just so that we can be compliant. It's, you know, the security aspects you're advising, what's the impact to the organization? Okay, we're doing checkbox, we're doing security awareness training once a year. Well, that's great. How much do you remember from your security awareness training? You know, what's that impact? If you can address that with the organization, align what it is that you want to do cyber security wise with the business goal, the mission, and try to align it to that. For me, that's kind of something that's been able to work or kind of try to shift the mindset, but you are dealing with that checkbox mindset, working at power plants for so many years and having compliance of NERC CIP, you know, that was all the plant manager wanted to do. Did we check the box? Yep. Okay, good. Moving on. It's like, oh, you know, so you're, you're dealing with a culture which is going to be difficult, but working it in with the business can help. Work it along.
B
This is just a follow up from Sasquatch. He says the environment's disgusting.
A
I don't know what that means. I don't know.
B
It means if you're running Windows XP or it's just filthy, or the attitude is gross, they get uncomfortable with your questions. You know, make sure you have empathy. Make sure that you're assuming positive intent. Right? You can't. I mean, even if they're pissing you off, you can't come at them that way or you're gonna.
D
I gotta, I gotta follow up if I may. Because I misread the question and I went on a completely different tangent.
B
Yeah, I didn't know what you were talking about.
D
Yeah, I misread it. I misread like you're hiring somebody. You're. You're the one that was hired to do this. So let me re. Let me go on a different tangent. The. I didn't have enough coffee before I jumped in here. My apologies. When you are talking to any organization, there's three different types. Literally I will say in simplicity, it's a 40, 40, 20 rule. 40% of the businesses only care about operations. 40% of the organizations only care about their data. The other 20 actually care about both. So when you're talking to them, find out what they really care about. Are they operations, the AKA we want sprockets built and we don't care about anything else, or no, we have data that is very important to us that we need to be protected. Sprockets can be broken for a little bit, but we need to make sure our data is properly protected. And there are some companies that will say no. Our data and our sprockets are crucial, critical to do this. Find out what that organization is and what they value and then you can drive the proper conversations. Because yeah, if they don't care about data and you're talking about drive encryption and DLP and all this other stuff, you must be going down a back street road and look at, you know, envision a deer because those business owners are going to deer-in-the-headlights look at you. Because they don't care. And this is something I had to learn a couple years ago, right? And I made the analogy of a, you know, you walking up to a person with a burning house and you're just running in, you're grabbing that data, you're just grabbing the pictures, you grabbing the table, you grab. But you left the critical stuff to burn because you didn't know what was important and what was critical to that business. And that shifted into this. So find out what's important to that organization, then you can make meaningful change.
B
Shakira has a question. Yeah, go ahead.
C
I was gonna say this is where like DR/BCP comes in. Find out what their critical crown jewels are. What is the return to operations, what is the turn? And that's where you preach, that's where you talk business. Hey, I just lost Oracle today. What do you want to do about that? Hey, I, I just lost SAP. That's a half a million dollar a day. What do you want to do about that? And then you move on because you're now speaking business acclimate versus tech acronyms. You don't understand.
D
Yeah, very good. Sorry. If I can, hopefully I'm, I don't, sorry. One good exercise that businesses need to do and unfortunately with my industry that I'm in, in recovery efforts, most businesses do not go through this exercise is let's say hypothetically the building burned down or was hit by a tornado or hurricane and you're leveled. What is the process that business has to go through to start production, start recovery efforts? Whatever it is, those things need to be documented and then from there you can be able to expand a lot of stuff. That's like one of the first five things a business should do and nobody's doing that. Sorry, I'll be quiet.
A
It's good and real.
B
Kyle. Kyle does share Sasquatch that CIS controls IG1 is a great place to start. I mean that's like, to me that is your, your basic, you know, number one starting place. If you're going to try to start putting a framework together in a life cycle and, and matured and be able to show consistently to leadership, like where you are, where you're going, how, what they can expect. That's good. Shakira had a question. James. Now, James McQuiggin goes to like, you know, 75 conferences. I'm not even exaggerating, like 75 conferences a year.
A
Shakira wants to know how do you.
B
Find out about cyber events and conferences and Fleetus? I'm going to bring you off camera until your camera comes back here, buddy.
F
So conferences and events, you know, wow. I think a lot of it started, you know, going to one and then discovering all the other ones that were out there. You know, for me, when it comes to presenting, there's a platform called Sessionize where a lot of conferences put out, you know, call for papers and that kind of thing. There are websites that are out there and I'm, I'm, I'm blanking on which ones they are because, because I haven't checked it in so long. But there are websites that keep track of all the different conferences. But I would look at BSides, you know, depending on what kind of conference and event you want to go to. If you want to go to the small homegrown type ones, you know, Simply CyberCon, Wild West Hackin' Fest, BSides in your local area, you've got the big ones like RSA, Black Hat and DEF CON, where it's tens of thousands of people and it's a whole lot of people. So for me, there are websites that I go out and check. I'd have to dig up the one that tracks all the other cybersecurity and different conferences that are out there. But you know, Google search, CactusCon is another local good one as well, GrrCON. But yeah, for me, a lot of it is through word of mouth, through connections I see from folks on LinkedIn. They post, they're speaking somewhere, they're attending an event. But yeah, I should put together a list and maybe have it on a website of all the different events. But I know that there is sites out there. But yes, Jesse Johnson, you're absolutely right, my friend. Simply CyberCon is the only con. But you know, if you're not available when Simply CyberCon is happening, then, you know, Wild West Hackin' Fest is.
B
A good one to go to.
F
Depending on what you're looking for and what you're. Who you know, if you're looking on the CISO level or you're looking on the practitioner level, you know, top digital forensics in 2026.
A
Yes.
B
This is a list that Eric provided. Now this is specific to digital forensics only. So if that's where you want to go, this is a great resource. I'll drop it in chat. But you know, I think word of mouth and sharing, I've heard there's a.
A
Lot of like, like even simply Cybercons.
B
A bit more of an obscure conference, like maybe 100 people, 130 people.
A
But it's really, you know, it's really well liked.
B
I mean, obviously it's our conference, but you wouldn't hear about it in like the Talking Heads and, and stuff like that.
F
So infosec-conferences.com is a good one and there's another one I'm gonna have to try to dig it up, but there's another one that's out there as well. But infosec-conferences.com is another one to check out as well.
B
Goat in the Machine says, does anyone have a crosswalk file for CMMC v2 to 800-53? I cannot find one online. If you can't find one online, Goat in the Machine, make one and then share with everybody and you will be awesome.
F
I was gonna say UCF.
B
The. The.
F
Not the university, but there's a service that allows you to look at all different.
A
Yeah, that's a paid service though.
F
That is a page.
B
I mean, I would just say CMMC 2.0 is basically 800-171. So look for a crosswalk of 800-171 to 800-53.
A
It's definitely out there. And honestly for me, like the first.
B
Thing I would do is go into AI and yeah, that's what I was gonna know, what controls are in place.
A
Just remember CMMC V2, it's pretty much.
B
800-171, which is like 25, 26, 27 controls from 800-53. And then you got to remember Goat in the Machine. There's like three different tiers of CMMC compliance levels. So depending on what you're trying to do, I think you could whip this up pretty quickly.
D
Honestly, I think CMMC of Awesomeness has something like that. I'm trying to dig it up, so bear with me a second. I'll drop a link if I can find it.
B
Okay. Shaft TV S dub says going through the interview process soon for Microsoft Insider Risk Analyst position. Very cool.
A
How should I prepare for this interview?
B
I've been healthcare enterprise tech support for six years.
A
All right, Insider Risk analyst. James, you wanna, you wanna go first.
F
Going through the interview process for MS.
A
I thought you were prepared. You were nodding. I thought you were like, yes, I have thoughts on.
B
I was listening along.
F
Yeah. So I needed been healthcare in a break.
B
So.
F
Yeah, I mean, when you're preparing for this interview, ironically, and you just kind of hit on the head before there. Jerry is using AI. I know folks have been using AI for prepping for interviews, you know, having it ask you questions and then working through that response. You know, put in the job description, put in requirements and that kind of thing. That's kind of a cheating answer. But AI is a tool and that might be one way.
B
Yeah, no, that definitely is a good option. You can certainly, you know, test yourself. I mean, another thing that's like worth doing is taking the actual position that you apply to, like the actual job posting, and then put that in AI, put your resume in AI and say.
A
Hey, what are three things where like, I can really speak to my experience.
B
That would align to this role?
A
That would be pretty good. Honestly, for any job, whether it's insider.
B
Risk or GRC auditor.
A
One thing that I strongly recommend and I love doing is for this particular.
B
Position, find a recent story of some substance where insider threat was an issue, right?
A
And talk about and think about like.
B
Or learn and understand how did the attacker execute that insider threat attack, how was it detected, how was it managed.
A
What could have been in place to limit the ability for the actor to do it or limit the impact of that insider threat. There's been a ton of them, right? Rivian stole allegedly battery tech from Tesla. Volkswagen stole a bunch of people from General Motors. Like there's like, you know, the whole thing with Waymo, right? Like I don't know if you saw the Uber Netflix documentary, but like Uber.
B
Was trying to buy self driving tech.
A
From Google by hiring their people. So there's a ton of great examples. The people interviewing you. If you choose a major story, the people interviewing you are going to know the story themselves and you're gonna show that you understand what insider risk is.
B
And how it really can be manifested. Instead of some textbook answer of like.
A
Oh, DLP, like yeah, okay, whatever. But like let's talk in real. All right, all right. That's what I think about that. By the way, best wishes to you, man.
B
I hope you crush that interview.
E
Yeah.
C
The other thing, and I'm surprised James didn't mention this, is find out what the company exposes. What OSINT can you do? Have you looked at Have I Been Pwned? How many of their email addresses have been leaked and then say hey Sally, you might want to go look at Bob's account. He showed up in 20 different repos. Have you reset his corporate password recently? Like just give them something like that. And they may not know about the resource, they may not know about what's being sold even just in yellow pages to be honest on the web. And that's a great way in an interview to at least get them talking to you because you've done a little recon and a little bit of OSINT about the company.
A
Perfect. All right, there we go. I would strongly recommend you don't OSINT
B
the person who's interviewing you and then be like, I know where you live.
A
Like don't, don't do that. That definitely is not going to win them.
B
That's like that. Also.
D
Georgia dogs, I mean, OSINT them a little like, oh, I see you like the Braves or the Phillies or whatever, your favorite football team or their, their wine or whiskey. I mean do a little bit, but I mean don't try to figure out where their house is and go knock on a door. I'm here for my interview. Oops.
F
Oh, okay. Never mind.
A
Yeah, James, so we talked. Fletus is at CES Fleetus right here.
B
Is at CES in Vegas right now where they show all the new tech and AI and stuff.
A
EK Burger.
B
Picard says people are testing headsets for.
A
Audio input to AI instead of keyboards.
B
Security thoughts of everyone talking to their AI in the office.
C
Yeah, so probably the same thing.
B
Jesus.
A
All right, we got some hot takes here. Fleetus, go ahead.
C
So during that keynote, one of the biggest things Lenovo and Motorola kept pushing was their pendant. It could be a necklace or a pin that says, I see what you see, I hear what you see, but only with your consent. That last statement is completely false because just because I give you consent doesn't mean Jerry or anyone else in the room. And I leaned over to my colleague, I'm like, you're not walking into a government building. You're not walking into my office wearing that pendant, those smart glasses, all this AI tech that's in glasses, pendants, your smartwatches. If you're a government contractor, you're not getting anywhere near a SCIF. You're not walking in my building, you're not walking into a healthcare provider and saying, oh, I'm going to take notes today with this necklace of mine and I'm going to ask it to give me a summary of what you just talked to me about. So that's the biggest thing that I think everyone is like, let's help the person, but let's ignore the organization.
F
The privacy rules. Yeah, yeah. What kind of privacy rules are we going to start breaking? You know, when you need two-person consent in some of these states to being recorded.
C
To James's point there, I can't tell you what James is going to tell me. So you start recording. James just started talking about R&D or James just started talking about PHI or he talked. I can't control what James says to me. That's where AI is not smart enough to say, oh, I need to turn off. This is sensitive, this is private, this is confidential.
D
Yeah, over the holidays, you know, I was talking to my brother in law, big massive sales dude. I mean he's massive sales dude, just crushes it where he goes. He was talking to me about because he's, he's got one that hooks onto the mag sensor on the back of the iPhone. It's really, really cool tech. Like he doesn't do anything sensitive. So I was actually sitting next to him and I was on a call and everything, and the AI, what? He was on a Teams call, and it accurately depicted who was talking and there was new people. Like, he was doing a discovery call and identified who the client was, who their needs were, and all this other stuff. I'm like, this is really freaking cool tech, don't get me wrong. But he's like, yeah, man, it all saves in my phone and stuff like that. I'm like, really saves everything locally. Nothing gets sent to the cloud. He's like, no, no, no. I'm like, exactly. How do they make the improvements to make the algorithm better? And that's where you got to be like, if you're just talking to Bob Sue about baseball and, you know, your local knitting club and stuff like that, that's fine, right? But if you're on a lot of our calls, especially in my industry, and I know James does a lot of potential, you know, IP conversations, intellectual property, and, you know, other companies' sensitive, and I'm sure Fleetus and Jerry do as well. I don't know too much about their dynamics, but, you know, if you're having these conversations, you can't have these AI assistants in there with you. Right? And I understand you want AI to help you, make you better. You want them to take your notes, give you your cliff versions, your action items. Who's taking responsibility for things? This is all great, but what is the situation that you're currently discussing? And, you know, they miss all saying local, but I guarantee you, they've got to train these models to be better. And how are they doing that now?
F
Kind of on the.
C
It's just metadata, Eric. It's just metadata. It's all anonymized.
D
I'm gonna go jump out the window.
C
I will.
B
We'll flip.
F
I'll flip this here. This is my little plot. This is.
D
Yes, that's it. I.
F
Recorder. It's not on. See, it's not on. It's not lit up. So I'm not recording. But what I like to use it for, because as Jerry was saying, I go to a lot of conferences, this thing is great for as long as I'm not somewhere where they don't allow recording, but recording of presentations. And it makes it a lot easier. I'm still taking notes, but then I've got. If I've missed something or whatever else, I can take pictures, but I've got a recording of the presentation, and then I can go back and review the notes and look at stuff. And so in a public environment, setting it's great. But in our office environments, in our. Where things are confidential, then, yeah, as you know, as was saying, yeah, certainly not getting into government facilities. I went and toured. It was funny, I went and toured the Denver Mint last month. And if you're curious, yes, they give out free samples. I got a free penny sample when I went on the tour. But as we walked in, there's Treasury police standing there. And I asked the guy, I said, have you ever had anybody walk in with one of those, you know, like Meta glasses or, you know, lenses, because they don't allow any photography. So you're talking about a controlled area, secure area. And he goes, no, but we've had people try and walk in with, you know, their personal handguns into here and that's always fun. And I was like, oh, geez. But it wouldn't. The level of awareness, you know, of, you know, and I know a lot of police and a lot of FBI and government folks that are really smart, but would they catch somebody wearing, you know, Meta glasses with little lenses on it and see, or I would just put them in my pocket and then once I'm by security, then I put them on. You know, we gotta deal with that. But I think that comes from the culture of your organization. You know, where you can record those things out in public, that's one thing. But inside your boardrooms and everything else. And I gotta imagine this is like Alexa 15 years ago.
You got board members and CEO, CEOs coming back going, oh my God, this is great. I want it in my office. And all the security people like, nope, I can see this being something similar. It's great. It can record all my meetings. But if they don't have that awareness that culture is not the organization, everyone's just going to be, you know, wanting to implement it and not really think of the security aspect.
D
So James talking about that for one second and something businesses and everybody need to start having a discussion about. We were literally on a matter last week and they don't want AI in their environment at all. At all. Like, no, you don't want it. Very, very sensitive. A lot of intellectual property stuff.
B
Like Copilot's integrated.
F
Yeah.
D
You could disable. You could disable that.
F
You can disable it.
B
Yeah.
A
Anyways.
D
But anyway, so one guy, and we have. They're having a very serious conversation like how do we navigate this? And it reminded me when you said the meta glasses, they actually went and bought a pair of the meta glasses and they have a legal supply prescription or I should. It's not legal, illegal. They had their optometrist or whatever put their, their prescription lenses in there. So it was required. He had to have glasses, right. To read. So, you know, so if you're outfitting your glasses or taking the lenses out and putting them in the meta just so you could have them as an everyday wear.
A
Yep, yep.
D
That impacts your job and being able to work. So how is your company going to navigate that? I mean, naturally you're just going to say you can't use those, you got to use a standard one. But it opens up a lot of different conversations that you really got to start thinking about.
B
Really quickly. Goat in the Machine. I tagged you in chat, but Eric did provide this resource here that is this crosswalk. It has CMMC stuff. Looks like it's got some 800-53 stuff in there. Go ahead, check that out and make that resource work for you. Hopefully. Next question's coming in from Pocket Pixie. Pocket Pixie says that she wants to be a cyber security manager and wants to know what to do next and then suggests TryHackMe. So first of all, I'll say TryHackMe is not going to help you become a cyber security manager because cyber security manager is more of a business role.
A
Right?
B
You're managing people, you're managing projects, you're managing budget, you've got human issues, which is like my, I love people, I love educating, I love community and support. But handling human issues is like my least favorite thing when it comes to business. You know, I do the best I can, but it's, it's, it can be problematic as far as becoming a cyber manager. Pocket Pixie, two things I would say, number one, it really depends on where, what you have done already in your career. So let's just assume that you're working as an engineer or an analyst. You're like workforce type stuff and you want to get promoted up to manager. The best things you can do, I mean obviously get an MBA, like that's like a easy, not easy, but that's like a lazy answer, right? Like that's going to help you learn all the business things and be able to get in there.
A
I would say if you want to.
B
Be a manager, you know, first of all tell the CISO or whoever the director is over the information security office that you have interest in them, interest in that role and ask them if they can help you take on tasking over the course of the next year. That can give you experience and exposure to management type things. You know, it's basically that I like.
A
Honestly, I don't think it takes that.
B
Much development to be a manager.
A
Right.
B
I mean, you're just, you're basically just making sure that people have what they need to do their job. And then, you know, especially if you're a middle manager, you're told what to do, and then you tell them what to do, and then you basically just make sure that they can do it right. Fleetus, I know you're not. I know you've managed a lot like you want to.
F
Yeah.
C
So you're, you're preaching this. And if James has heard me say this, especially when I did his podcast with him, you got to be bilingual. You got to speak business first and then speak tech. And if you don't know the tech, go learn the tech. I'm not expecting you to put hands on keyboard and put in an ACL or install the ELB or ALB. But I need you to know what those mean. I need you to tell me when I say cloud service provider, what, what that means for me or I say application security, you go hire those talent, but you also need to translate it. And I think, Jerry, you've mentioned this in the past. If the CEO walks into the elevator, you don't say, I push firewall rules. You say, I'm here to block and tackle and I'm here to save X amount of dollars, which gives the return on investment. ROI speaks to the CEO or the CFO, not I push blocking and tackling rules in a firewall called ACLs. What's an ACL? They don't care what an ACL.
A
I keep bad guys out so we.
B
Can keep making money.
C
The other thing, too, is if you, to Jerry's point, if you don't know what you don't know, say I don't know, but use the but statement. But this is how I would figure it out. This is how I've applied this, both personally, professionally, and this is what I can do for you if you give me the opportunity. And to Jerry's point, you're going to find the role before you find the title. 99% of the time, someone's going to give you a task and you're going to excel at it. Oh, Fleetus is the next manager. Let's give him that role.
B
Or.
C
Hey, James, you. You talked to that CISO last week. Can you give my name over there? I think I'm qualified now. Let's have this conversation through that networking, that connection, even if it's not internal.
B
There you go. Thank you very much. And Pocket Pixie, wish you well on your career, your career journey. Cyber Sasquatch, who was on Spotify only, today was his first day on the video. I, I just wanted to bring this up because this actually warms my heart. This makes me feel good. This might be the best compliment I've gotten in a long time. He says that the show's half a CPE, but the live feels like 100 CPEs. Thank you.
A
Definitely good.
B
I mean Cyber Sasquatch, the reason this makes me feel so good is because this is the mission of the community and the show and Simply Cyber and why, my why. So I'm super pumped that you share that. Thank you.
A
Eric Sheldon says he's got 14 years.
B
Help desk and wants to complete EC-Council's awareness and mastering bundles and would they qualify him for SOC analyst roles.
A
And more, you know, more to a.
B
More generic question, is SOC the standard starting point and should I expect a pay cut? A lot to unpack there.
D
You want to get that out of here, Fleetus, for those old people. If you don't have six seven. Yeah, he was doing a six, seven. Anyway. I mean, dude. I say dude loosely. Sorry, I just don't know what you are. But anyway, the, I mean you got 14 years in help desk. You're. You're already ready. You know, EC-Council, I'm not going to go down a massive rabbit hole, but depends on who you talk to. They have very negative connotations around them in some of their training, you know, TCM and there's other people much more educated in that space. I went and got the CEH, the Certified Ethical Hacker, when I was first starting out with pen testing and stuff like that. Again, nobody really cared that I had it, so. And I don't think it's really going to. If you're going CEH, you're going for a company like Black Hills or something like that, you're going full pen testing route. You don't go down CEH for that or anything the EC-Council does. But you got 14 years, you're ready for SOC. Maybe even SOC 2, right. I don't know really what your experience is. What you actually been doing in help desk, you know, is it just been 14 years of end user support? I doubt it. Right. You probably have some sysadmin, you probably have some network admin, you know, price of firewall stuff, things like that. So, you know, you probably already know how to look at logs. You already know what looks right, what looks like malicious activity and know how to investigate it. So I say you're already ready, dude. And just go for it. If that's what you feel called to do, go do it. Go shoot your shot. You're there.
B
Yeah. And as far as pay cut, I mean, obviously that depends on what you make now, but I think a SOC analyst 1, depending on where you are, city, state, location, size of the business, what industry, I think you could probably get, I think 60 to 75 is probably a fair estimate. I mean, does anybody on this panel want to fight me about 60 to 75 for starting? Okay. So that's what I would recommend for that.
A
James Cryptic Roses says if you only.
B
Have five LinkedIn messages a month.
A
Right.
B
So he's we're gonna cap it here.
A
How would you use them strategically to.
B
Land a cyber job? And what's the most effective way to ask for help or referrals?
F
Wow, five LinkedIn messages. Well, strategically land your first cyber job. Hopefully you're looking at organizations that you know, and you can find somebody that works there, or maybe the hiring manager, and you're going to reach out to them, or maybe the CISO for that particular organization. Effectively what you're doing, I mean, if you're using the LinkedIn InMail, you know, you're effectively cold calling these people, and depending on their availability, you know, will depend if they respond back to you or not. My thing, what I would probably do, is look at that organization, look at the people that are there, see if anybody's posting, and comment on. It's kind of a long game, but comment on their posts, because then you can start building rapport and a connection with them. You might start seeing more of their posts. If you got a CISO or a CTO or people that are working in the SOC or working whatever that are posting on LinkedIn, go find them with that organization that you're doing. You could send those InMails in. But I know personally, when I get InMails, if I don't know you, I'm like, I'm already, because of my mindset and what I do, it's like you're at arm's length already. Do I know you through somebody? Can I verify? Yes, I know we're trying to talk about trying to land a job and do it that way, but I think I would try to go through the comments. And asking for help on referrals: if you don't know them, it's very limited that they're going to be able to give you a referral. You know, I know me personally, if somebody comes to me and I've just met, I've spent five minutes talking with them at a conference, and then they come to me asking for a referral, I'm like, well, you know, we only just met and chatted. I don't know your work history, I don't know your work ethics. And you know, can I effectively refer you for a position? You want to build that rapport. It's a long game. It's not something, Jerry and I were chatting yesterday,
it's not something you want to start, networking on the day, you know, when you don't have a job or you're trying to get a job. You want to be networking and playing that long game so that, you know, when the time comes around and you want to find a new job, you've got those connections, you can go out and start reaching out and chatting with those people. So I would, to simply answer the question, connect with the people through comments and conversations. If you start to build up a bit of rapport, then maybe hit them with that LinkedIn InMail.
B
I want to answer this question since I do a lot of this also. Just fun fact. Next, I think next Tuesday, Mike Miller and I are running a one hour free workshop. We're calling it Skill Stream. So it's a brand new Simply Cyber program called Simply Cyber Skill Stream. It's monthly. If you go to luma.com/simplycyber you'll see it, you can register for it for free. And it's all about making your LinkedIn profile epic. So Cryptic Roses, I would recommend you attend that talk. I want to comment on this one. Listen, here's a bit of a hack. Okay, so one thing that you didn't say, like, here's what I would do. I would be working on something, right? Personal, like working on AI, working on.
A
Security research, building a audit tool, whatever.
B
It is, your personal branding thing, right?
A
Whatever you want to do.
B
Start a YouTube channel, make a video, have a website, put links to it, whatever, whatever, whatever.
A
Your five LinkedIn posts, I would make them all value add posts where you're like, look at what I'm doing. Here's how, like this CMMC crosswalk to NIST 800-53. You don't even have to have developed it.
B
Eric just dropped it in chat. Here's a list.
A
You know what would be super valuable? A LinkedIn post of what it is, why it's valuable, how to use it, where is it?
B
Boom.
A
All that now.
B
And make it look good and you.
A
Know, not word wall. I like to use emojis to break.
B
It up visually digestible. There's a whole game to making these posts more effective as far as, like, engagement goes, but that's a side thing anyways.
A
Then if, say, I'm into, like, Fleetus.
B
Like, I want to work with Fletus, right?
A
I could do like.
B
And Fleetus works at manufacturing.
A
I could, I could do like a CMMC 2.0 profile or this CSF manufacturing.
B
Profile type post, and here's how to do it.
A
And then in the post, say, here's value, here's value, here's value. At Fleetus, what do you think based on your manufacturing experience? Fleetus might not even know who the hell I am, but he's like, dude, look at this guy. This is cool. Let me say something.
B
And then now you're inviting them in.
A
Instead of just jumping in their DMs and be like, bro, what's up?
B
So I think there's an opportunity here. If you're being strategic, giving yourself five swings at the pinata a month, I think delivering value is incredibly important. Plus, you're going to expand, you're going to grow.
A
People are going to repost your stuff.
C
Share, comment.
B
Like all that crap, which is going to give you amplification, which is going.
A
To get more people to see you.
B
You're going to start demonstrating that you are an authority, for lack of a better term, in this space. And then people, you know, and by.
A
The way, when they.
B
When you go to a job interview, I promise you they're going to look you up on LinkedIn. Wouldn't it be nice if you're doing all this crap and they're like, holy crap, he's been talking to Fleetus.
A
I know.
B
Please let me call. All right, anybody else want to comment on this?
C
Yeah, just quickly recapping what you guys said. And I think Brew for Hacks had it. It's a lifestyle change, you taking 15 minutes each day to comment on me, Jerry, James, I don't care who you comment on. And then the next week you repost something I put or you repost something else, I'm gonna see your name. So to Jerry's point, when you tag me, I've already seen you show up because you're putting value proposition. Shameless plug: go watch the James Azai podcast that we did about a year ago now, or six months ago, and then go out and just look at my Food for Thought series. I put out questions that I just want you to think about. I don't care if you respond, but the people who do respond, I see them. So at some point, if you apply, I've seen your name. And I always tell people, it's not who you know, it's when you know them. So if I just saw you, Eric, comment last week and then you apply, Eric's top of mind. We're humans. Our page file fills up quickly and we purge it. But if I just talked to or saw Eric, Eric's top of mind. I'm going to say to HR, if Eric applies, give them to me. If James applies, let me see this. As a hiring manager, I go to my HR team and say, hey, if any of these people, or let me just see them all. But I'm going to go look for some of these people, especially if they said, hey, I'm interested, in that InMail, and then they commented on my LinkedIn.
B
Awesome. I love it. Great question. Fun question to end on.
A
I do want to point out really.
B
Quickly, or share this. I had mentioned this a moment ago, but this is that luma.com/simplycyber website where you can basically get, you can register for these events, the Skill Stream, the Thursday Firesides, all of these things.
A
It doesn't, you know, it basically puts.
B
A calendar invite on your calendar and tells you about it. So that's what's going on here: Starting Your Own Business. This is Bryson Bort, going to be giving us education. If you don't know Bryson Bort, he's a juggernaut in the industry. AI Governance with Jason Rebels, who's amazing. Here's that personal branding one with Mike Miller, and then we actually have a paid workshop. We're doing monthly paid workshops through Simply Cyber Academy. These are multi-hour deep skill learnings, and there's one that I'm doing. I'm doing the first one so we can work through the kinks, if you will. Four-hour workshop on basically setting up your YouTube channel, finding content that you get excited about, and doing the things I just told you about on LinkedIn with the content that you're developing. So go to luma.com/simplycyber for that.
A
Let's go around the horn and find.
B
Out what people want to share.
A
Or what get excited about.
B
Fleetus, go first, people.
A
What do you got coming up? Where can people get more Fleetus?
C
So again, my Food for Thought series. I've done it approximately 38 months now. It's hard to reflect that I've been posting a question Monday through Friday for just over three years now. I've video blogged this for the last 13 months. So I've turned those questions into a video blog. So if you just want a simple 3 to 5 minute digest of me or a question, check it out. Lastly, I have a publication coming out with Black Hills in their survival guide. It should be coming out here this month or next month around SOC, IR and business continuity. Take the time to read through that, because we talked about that early in this call. DR, BCP planning, excuse me, is more imperative than most organizations think about. They don't know their RPO, their RTO. They don't know what their crown jewels are until someone says that's your crown jewelry. And by the way, I need it back up yesterday. So think about that. Challenge yourself, go into your meetings and ask your questions. If we lost X today, what would we do? That's my challenge for you. Go ask that question. What is X? Figure out what X is for your organization.
B
All right. Some homework assignments from Fleetus. Post in the third, Eric.
A
Where can people get more Eric?
D
Just follow us on LinkedIn. We're freaking killing it, I think, over there. We got a lot of stuff coming up, so I just appreciate being here.
B
Eric Taylor or Barricade Cyber on LinkedIn?
D
Either or we're cross posted.
A
All right, very cool. Are you doing the Fortify series still?
D
We just ended episode 10 yesterday, so Kimberly Can Fix It is going through and we'll be editing everything, but everything's coming up on the YouTube stream. So youtube.barricadecyber.com to find all of our playlists.
A
All right, there you go.
B
So get some barricade on LinkedIn and YouTube.
A
I love it.
B
James McQuiggan at 35,000 ft.
A
Besides the dad jokes, where can people get some James McQuiggan, or what's coming.
B
Up for you that you want to share?
F
So yes, you can find me on LinkedIn, James McQuiggan or Jay McQuiggan, I think, but you can search the name. I do have my own website, jamesmquiggin.com. I've got YouTube channels out there. I got more dad jokes out there, and yeah, so that's the best way to reach me, and just working on some fun new projects going forward.
B
I love it.
A
I love it.
B
And like I said, James goes to like 75 conferences a year. He speaks at most of them.
A
So there is a load of.
B
Content on YouTube of James speaking at conferences. I've even partnered with him on talks at Wild West Hackin' Fest. So if you're looking to get some more of James McQuiggan in your life, there is enough to train an AI model up of James McQuiggan out there on the Internet. So.
A
All right, guys, I'm gonna be wrapping it up. Great show today. Solid week, everybody. It's hard to believe that this is.
B
The first week back in 2026. It feels like we're three months into the year already.
A
I had a great show. I want to say thank you to.
B
Eric, James and Fleetus for joining us on the panel. We really do enjoy doing the panels on Friday. Go to luma.com/cyber. Check out the upcoming content we have for the channel. And remember, every single weekday morning at 8:00am Eastern Time, we are crushing it. I'm Jerry from Simply Cyber. Thank you, Chat. Thank you, panel. And until next time, stay secure.
Date: January 9, 2026
Host: Dr. Gerald Auger, Simply Cyber Media Group
Special Segment: Friday Jawjacking Panel (Fleetus, James McQuiggan, Eric Taylor)
Episode Theme: The essential cybersecurity news and lessons practitioners and business leaders must know — all delivered with lively community-driven discussion, meme energy, and actionable advice.
In this Friday episode, Dr. Gerald Auger brings cybersecurity professionals, newcomers, and community regulars together for the latest insights into critical cyber threats, technical vulnerabilities, and industry trends shaping the week. Expect practical recommendations, reflections on organizational culture, stories from the trenches, and a few dad jokes to keep spirits high. The midroll features the rotating “dad jokes of the week,” and the show concludes with a special “jawjacking” AMA panel on careers, business alignment, and surviving in messy security environments.
Summary:
Beginning February 9th, Microsoft will enforce Multi-Factor Authentication (MFA) for all users accessing the Microsoft 365 admin center. This is a hard block: if MFA isn’t enabled, access is denied — a move long overdue for high-value admin portals.
Expert Take:
Summary:
A medium-severity flaw (CVSS 4.9) in Cisco Identity Services Engine (ISE) allows authenticated remote admin users to access sensitive information. A proof-of-concept exploit exists.
Expert Take:
Summary:
700,000+ residents' protected health information (PHI) and PII leaked for up to four years after being exposed in a mapping tool's web resources.
Lessons & Tips:
Summary:
IMAP mailbox access was intermittently down due to an authentication misconfiguration. No user counts or region detail available.
Expert Take:
Summary:
OpenAI's ChatGPT is subject to indirect prompt injection techniques ("ShadowLeak," "Zombie Agent"). These allow malicious instructions hidden in, e.g., emails to extract sensitive data via the AI agent, even after initial patches.
Security Message:
Summary:
Prioritization Guidance:
Summary:
Attackers are spoofing internal emails using domain routing misconfigs in platforms like MS 365 and Google Workspace, bypassing usual anti-phishing controls.
Response Fundamentals:
Summary:
Major remote code execution (RCE) bug (CVSS 9.0) in Veeam Backup & Replication—patch released.
Practical Advice:
On Lazy Security:
“You have to be an absolute donkey to not have MFA on the admin portal...” (13:02, Gerald)
On Admin-Level Vulns:
“If a threat actor gets admin... spoiler alert... they are the captain now.” (21:15, Gerald)
On AI Sprawl:
“Once someone pastes an Excel spreadsheet with sensitive info into ChatGPT and says ‘summarize this,’ that data is gone.” (42:49, Gerald)
On Old Vulnerabilities:
“Why are you running PowerPoint 2009? … Hand them a Speak & Spell.” (49:16, Gerald)
On Friday:
“With this large cup of coffee, this smile on my face, and being Friday, right here, this is a visual representation of my vibe. Oh, let it wash over you in an awesome wave.” (09:42, Gerald)
A few rib-ticklers:
Topics & Advice Included:
Stay secure. Have a great weekend, and make sure your MFA’s actually on!