B (12:53)

These are the cyber security headlines for Monday, March 16, 2026. I'm Steve Prentice. Payload Ransomware group claims breach of Royal Bahrain Hospital. The ransomware gang has added the healthcare facility to its Tor data leak site and has published images as alleged proof. The group claims to have stolen 110 gigabytes of data with a release date of March 23rd. If no ransom is paid. The Royal Bahrain Hospital serves patients from Bahrain, Oman, Qatar, Saudi Arabia, and the United Arab Emirates. Payload ransomware is a, quote, relatively new cybercrime operation using a double extortion model that combines data theft and file encryption. End quote, Canadian food.

A (13:44)

Okay, so a couple things. One, like, you know, as if the middle east didn't need some extra problems, right? Bahrain Hospital, which I guess is the leading healthcare facility in the area, been around since 2011. Really quick when I see this screenshot, if you're listening on audio only, the already has screenshots of the Royal Bahrain website. This is kind of bananas to me, only because doesn't this. To me, this looks vibe coded. I don't know. Again, when you use AI enough, you start to see trends and patterns and stuff. Like the thing on the left looks like kind of a breach portal, but the one on the right, just like those large graphics and the color scheme very much looks vibe coded. So I don't know if these guys are vibe coding things, but they mentioned it's a new ransomware threat actor on the scene. But the technique they're using, the double extortion, like, that's if you've been here for a minute, right? Like Nick Dixon, if you just showed up on the cyber security scene and you're like, oh, double extortion. Are we innovating it up in here? No. So in the world of ransomware, even though it's called ransomware, you got to take a step back. Just like business email, compromise can happen a bunch of different ways. Denial of service commonly gets associated with network bandwidth overwhelming. But it, you know, a. A wiper malware is still denial of service, right? Ransomware can happen in many ways. There's basically three forms of ransomware. Not the ransomware works, but like there's three ways that it would be classified as ransomware. Number one, they encrypt your files and they ransom a key back to you. We have your data. We have your data. And the only way you're going to get your data back is by purchasing the key. We have your child or loved one, and the only way you're going to get them back is if you purchase freedom for them. Okay. Traditional ransom, which is how it originally started, which is why I got the name. Number two is Data exfiltration. They don't even touch your systems. You're still operational, you're still cooking, you're still producing widgets and baubles and whatever. But they have a copy of your data because it's digital, right? It's just a control C, control V. I'm simplifying, but you get my point, right? And then they say, we have your data. If you don't give us money, we're going to release it or you can purchase it back. And this one's much more like stealing your kid or your wife or something and then giving it back. And then the third one is actually, you don't see it very often, is where they do a network bandwidth overwhelmed denial of service attack on the business. And they will not stop hammering that business unless you pay a ransom for them to stop. And this is the equivalent of like a bully taking you by the wrist and punching you in the face with your own fist and being like, stop hitting yourself, Stop hitting yourself. Stop hitting yourself. Unless you give them like five bucks and then they're like, okay. And they, you know, they. You stop hitting yourself. Right? Those are the three forms of kind of impact that can be realized from a ransomware attack. So if you do two of them, encryption and data exil, then it's double extortion. So like, that's all that means. Now, they said the Payload ransomware gang is new on the scene. This is true because we haven't heard of them. But at this point in life, I would assume that this ransomware threat actor is a retread of an existing threat actor or some type of amalgamation of other existing threat actors that you know are on the scene simply because. Do you remember like again, Nick Dixon, Adidi? I do, like making mid-80s to mid-90s references. It's no different than when like in, in World Wrestling, like professional wrestling, like two people might be like a tag team, like Macho Man, Randy Savage and Hulk Hogan. But then like they split up and then all of a sudden like Hulk Hogan becomes like a member of nwo. And I know I'm crossing business units or whatever, but my point is like, they just, it's the same human bringing the same experience and knowledge and they're going to do it in, you know, under a new group's moniker. That's it. Nick Dixon, squad member, 18 minutes into his first time and he's like, you know what? I'm all in. Hell yeah. Thanks, Nick Dixon. Enjoy the show. All right, so this. Oh, okay, okay. Again, I don't Research or prep for this show. So as you can see, you know, when the story only has, like, a few paragraphs, it's tough to get in here. Very standard stuff. Tor leak site. If you were a security researcher, you might look at the ttps for payload ransomware and see if they map to another existing threat actor that's kind of gone dormant. If we are interested, you can see. Oh, they don't have the. The. They don't have the. The wallet here. All right. Tldr. This sucks. The final thing I'll say about this is whether it's Bahrain or, you know, Provost, UT Healthcare is definitely in the crosshairs for ransomware threat actors. It's just patient safety takes priority over cyber always. And then healthcare is a very complicated IT infrastructure, so they become a little bit more porous and easier to compromise. All right, as always, Roswell UK is in there offering up additional insights. Thanks.

B (19:32)

Roswell UK retailer Loblaw confirms data breach. Loblaw, one of Canada's largest food and pharmacy retailers, said.

A (19:41)

Hold on. Wait a minute. I think Nick Dixon's got me inspired. Hold on. Can I. Yes. I'm giving five gifted subs. Nick Dixon, thanks for pushing me over the edge. Let's cook. All right, there we go. Five gifted subs. Throwing them out to the community. Chris Cahall, Joseph V. Oliver Branch, Olive Branch, Radish, and Nubian Queen. Welcome to the squad. Love it.

B (20:09)

Recently discovered that, quote, a criminal third party accessed basic customer information such as names, email addresses, and phone numbers, end quote. The company confirms that passwords, health information, and credit card data were not compromised, nor was its financial services arm, PC Financial. No group has been identified as behind this breach.

A (20:34)

All right? So, I mean, just goes to show you, even when you think you, you know, know a thing or two about a thing or two, like, the largest pharmacy and retailer in Canada, Loblaw, First I'm hearing about it, and I know you Canadians are probably like, oh, my God, like, Loblaw, save Loblog. Not. Hold on one second. I'm just gonna make. This is pro. Oh, my God. Where's the. Where's the oh, my God mods? Where's the video of the guy who's, like, screaming, oh, there he is. Like, this is my. This is. In my mind. This is what all the Canadians in chat are doing. They're like, no, leave Loblaw alone. Leave Loblaw alone. Okay? I don't know if you guys feel that way about Loblaw, but in my mind, you do. Like, Mounties, maple syrup. And Loblaw. All right, so loblaw gets hit 2400 stores. Big retail thing. Retail is not immune. Certain threat actors will go after retail. I would say it's not in the top five. Five as far as like, industries to get targeted by cyber threat actors. Manufacturing, healthcare, state and local government, education maybe. And then maybe we can throw in retail. All right, Criminal third party access data customers such as names. Okay, hold on one second. All right, so this, this story seems to have been written a bit before it was ready. This is like pulling a cake out before it's fully baked. They don't know how many customers are affected. They don't know what ransomware gang was involved. And they're notifying hundreds of employees of the incident. So it looks like it was just employee information, which, you know, obviously sucks. This is a nothing story. Okay, this is weird. So check this out. This is weird. In a brief. This doesn't make any sense. In a brief data breach notice, the company said it discovered a criminal third party, which just basically means a cyber criminal, not insider threat. Access basic customer information like name, email, phone number. Okay, so this, what, this is a pretty. Like, but like, this is a pretty low stakes cyber incident. Name, email and phone number. Like, I mean, you can get that. You can get two of these three things out of a phone book. You know what I mean? Like public information like name, email and phone number is kind of like open source intelligence. So I'm not really changing my underwear because name, email and phone number got data breached. I'm not saying they, they don't have to like respond to this, but passwords and health information weren't compromised. Financials weren't compromised. Here's my thing. Here's what confuses me. I think this is a. I suspect that. Oh, oh, never mind. This is annoying. So really quickly. I know Nick Dixon, you're a new. A new first timer here. And Adidi and I hate when stories do this. They must have some like minimum word count that they have to submit to their bosses or something. This last paragraph says Loblaw's data breach comes just as Starbucks begun notifying hundreds of employees. So, like, they throw in a paragraph about Starbucks as data breach. Like Starbucks is notifying employees Loblaw's customers were impacted. Again. It happens every once in a while. This is a. This is like the most milk toast, you know, having a hot dog or chicken nugget meal story. This, this is nothing. They don't know what happened. They don't know who did it. It was name Email and phone number compromised

B (24:55)

New York cyber regulations for water.

A (24:57)

I listen, I'm gonna make a prediction, bold prediction. By the end of this show, not by the end of the day, by the end of this show, you will forget this story. That's how, that's how. Basic ban like be like, like this story. Well, I don't want to say that, but.

B (25:17)

Organizations launch in 2027. Proposed last July and recently approved. The new rules include mandatory cybersecurity training for certified operators, incident response plans, reporting requirements, and a designated cyber lead for larger water utilities. The state of New York has created a $2.5 million grant program and is offering technical assistance at no cost. The goal is to have regulated water organizations create and test response and recovery plans that ensure continued operations in the event of a cyber attack.

A (25:55)

All right, well, welcome to Simply Cyber's daily cyber threat brief where I pop the balloon. The. I popped the balloon on, On like what actions are taken versus like what the reality is. Really quick. It looks like there was a question in chat about the water, about the retail story. I can't even remember it now. Someone asked, is it because retail cares the most about losing money to a cyber event? Now, I mean, I wouldn't, I would argue retail doesn't lose, lose the most money to a cyber event. Manufacturing probably does. I mean, go look at the Land Rover Jaguar data breach incident like the other day. I mean they were down for like two months. They lost like hundreds of millions of dollars. A retail business has usually brick and mortar a storefront. Right. So they can still sell product even if they're kind of. If there's a spill in aisle four. Right. I mean, this is a perfect on brand analogy. If there's a spill in aisle four and you, they put the gates up and you can't walk down aisle 4, aisles 1 through 3 and 5 through 15 are still open for business. You know what I mean? If one of the registers goes down, you could still go through. So I don't think that that's the case necessarily in this incident. Now, now, as far as this one, New York's water wastewater, I have, you know, friends who have worked in water. Many of you in chat also do too. Here's the deal with water wastewater. Those organizations, they can be private sector, you know, kind of water authorities, but for the most part, as far as my awareness goes, Municipality water is typically like a non profit kind of organization. Right? Yeah, there's, there's your Fiji waters and your Dasanis, but that's not what we're talking about, we're talking about I flush the toilet and you know, waste disappears. Right, that we're talking about that. So having these regulations in place is great. Having them test cyber attack incident response in recovery is great. But, but I think what you're going to find is, and this is the problem with public sector in general, public sector doesn't pay well. I mean, just to put it plainly, right, like if you work in public sector and you want to make more money, you don't get a promotion, you go work in private sector, which means they have to backfill you. I am not saying anyone that works in public sector is not qualified. What I am going to say is a lot of times they are asking people who work in public sector to do multiple jobs because, you know, there's multiple roles that need to be filled. They're typically not paid well, which means they're going to go get another job, which means they're not going to backfill you. With an unqualified person, it just means a lot of the tribal knowledge, a lot of the ramping up and figuring out what the hell is going on isn't going to be there. And the new hire has to figure that out. So water, wastewater, and it extends beyond that, just like state and local municipality does have a problem. Now, I, I love this and I look forward to seeing how the state of New York does this because the, the reality is one of the most important things you can do is tabletop exercises, which is what they're talking about. They didn't say the term tabletop exercises, but it's what they're talking about. Adrian Santa Bria is in the chat. Ladies and gentlemen, Adrian Santa Bria. He's right there on the stream. Hold on one second, let me say hi to this guy. Adrian Santa Bria, welcome to the party. All right, there we go. By the way, Adrian Santa Bria from Enterprise Security Weekly. He's going to be my guest on Simply Cyber Firesides. He's the guy who's talking about IPv6 and ARP poisoning the entire network. And the talk, the title of Adrian's talk when he comes on Simply Cyber Firesides is going to be very hot. Take here. AI is not coming for your job. AI is not coming for your job. So if that tickles your fancy, if that piques your interest, if you are Leonardo DiCaprio with a coconut drink and an umbrella and you're saying you have my attention, then Adrian Santa Bria is who you want to talk to. Anyways, the reality Is whether it's water, wastewater, retail, healthcare, whatever. The tabletop exercises are incredibly valuable. And. And it sounds like the state of New York is actually going to be forcing these entities to do that. Let me tell you why really quickly. And this is. This is a deep. Oh, look at that. Some type of Google Ad thing I did in 2024. Nice. Thanks, Google. Here's the reality. This is NIST Cyber Security Framework. I have this tattooed on my lower back. I'm. I'm joking. That space has already got a tattoo. Listen, it moves from left to right. Identify and protect is on the left, left of boom. Before bad happens, no matter what, you start a business today, you can do all the identify and protect, right? Detect, respond, recover is when bad happens on your network. Threat actor exploits bad creds, misconfiguration, zero days, whatever. How do you detect the compromise then? How do you respond to it? How you do. How do you recover back to a known good state? The reality is, and this is straight facts, and if anyone wants to argue with me on this one, I will gladly fight you. Most organizations get the identify and protect part really good. Like, if you were to look at, like, a spider chart, the identify and protect would be really high. Like, it would be like, oh, we're. We're very mature on our controls. And detect, respond, and recover are typically immature. Not really well done. Not really where it needs to go. Right. So when you do tabletop exercises. Yes. You are validating in a controlled setting that you are able to detect a problem when it happens, you're firing off those atomic red team axiomatic attacks and saying, yes, EDR detected it. Yes, Wade Wells in the Sock detected it. No, Jerry didn't see it, or no, security onion didn't catch it. And then you fix that. That way when real attacks come in, and then, oh, I don't know. With tabletop exercises, you do response. Why would I do a response? I have backups. I know what's up. You would do a response because. Listen, Kevin, just because you're the senior IT guy who's been here for 45 years, do you know what? Do you like to take vacations? Do you, tough guy? Well, then, guess what? You're on vacation. Hey, Carl, you've been here for 15 minutes. Where are the backups? Oh, I don't know. Oh, so what ends up happening is then, now we've got to wait for you, Kevin, to come back from vacation and get back up and running, right? No. Or we're quite aware, Kevin, that you show up Late on Monday, leave early on Friday and you mail it in on Wednesdays and we're looking to replace you. So no, we don't want all this tribal knowledge baked into your, you know, gray matter. All right. I get a little passionate about tabletop exercises. All right. For real. Also, I had something else I was going to talk about and I, I got, I got like overwhelmed. I don't even know what's going on. All right, let's keep cooking.

B (33:35)

Digital CONFIRMS breach. More news from Canada, the Canadian business process outsourcing giant Telus Digital.

A (33:44)

Oh yeah, Marcus Kyler screaming all caps. Jerry, you got a tramp stamp. Yes, I do. I have multiple tattoos. I know I look, I mean I used to wear button down shirts and I had to wear a suit to work and stuff way back in the day. But all this is not exactly what you would think, but yeah, I have multiple tattoos including one across my lower back. There is a story there, there is a story.

B (34:08)

Telus has confirmed a security incident in which threat actors may have stolen nearly 1 petabyte of data from the company as a result of a multi month breach. As the digital services and business process outsourcing arm of the Canadian telecommunications provider Telus, the company provides customer support, content moderation, AI data services and other outsourced operational services to companies worldwide. This makes them as well as other business process outsourcing companies attractive targets due to the amount of customer and corporate data that they hold. This breach which actually occurred in January is attributed to the Shiny Hunters group.

A (34:51)

Wow. Okay. I mean literally if I had 50 bucks to bet on this, I would have said Salt Typhoon, I would have said Salt Typhoon but it's Shiny Hunters. Shiny Hunters is part of the, the new wave, the new wave of threat actors. This is the, the jun, the youngs who are Shiny Hunters lapsis and scattered spider as, as the notable ones. I'm sure there's like other like fringe ones that are coming up but These are the 18 to 25 year old threat actors that are very aggressive. Vishing V ishing is kind of their bread and butter. Initial attacks vector where they call help desk, get creds reset then log in, tell us digital. You know I, I don't know what Canada did but the stories today are very like pointing, pointing out how Canada is getting slapped around. So you know to all those up in yellow knife, I feel for you, mad love for you. Do I have like a love button? I guess this one? Yeah. So telecommunication company, as they point out in the story they have a ton of customers with lots of sensitive information. Which is why China, via the Salt Typhoon Advanced Persistent threat actor went after the United States telecommunications sector last summer or the summer before. And then you know, South Korea got smacked, Japan got hit. So you know, the, the, the telecommunications sector's been getting jammed up lately and it's because of all the sensitive data. Now Shiny Hunters is not really, that's not their game, remember. Just because, listen, just because you get your data stolen, right? The threat actors action on objective. Like the reason the threat actor is doing the thing they're doing varies from criminal to criminal. Now Salt Typhoon is China and it is espionage based. And they are just laying groundwork, right. They're setting all sorts of Ford operating base type stuff presumably. Right. That's what I would do if I was China. Breaking into infrastructure, doing all these things and then you know, waiting. Same with Russia and the Solar Winds attack through Orion back in. What year was that? 2024, 2022. Go look up SolarWinds Orion, Russia. It's, it's, it's the top, top three hack of all time. Top three, arguably number one. I'm not ready to fight anyone for that. Stuxnet Bangladesh. B Stu Net, U.S. israel. All right, so it's, this isn't just China, Russia or bad guys show us. And Israel, you know, basically did a incredibly sophisticated attack to knock out the Natanz uranium enrichment facility in Iran back in like 2014 or something. North Korea's Bangladesh bank heist is sick. And then Russia Solar Winds attack. All right, so what, what does all this to mean? Shiny Hunters. All they want is straight cash, homie. Straight cash, homie. Thank you, Randy. So they don't care about espionage or any of that crap. They're just all about the Benjamins. So you know what I like to do in this particular case is this dollar symbol. Shiny Hunter said they began extorting in February. They want $65 million. Jesus Christ. $65 million, bro. All right, sure. You know Steam games don't go on sale often enough. You know what I mean? We need our $65 million. How much is Telus worth? So the next thing I always like to do is Telus communications annual revenue because at this point it's just going to turn into simple math. Okay? Telus Corporation strong operating revenue in 2024 is $21 billion Canadian, which is, I mean, hold on, 21 Canadian to USD only 15 billion USD. So you know what I mean like do the math. Like if, if you had $15 million in revenue, which by the way is revenue. That's not profit. I don't know if they're going to get 65 million, but it's not that much of a percentage of the revenue of the company. So what I always like to do, and this is something that may have changed over the last couple years, what I always like to do is say 1 to 3% of annual revenue is where the starting line is for threat actors, if they know what they're doing, to ask for a ransom. Because if. If the threat actors ask for like $1 billion, the. The victim's gonna say, sucking heck, dude. No. Like, get out of here with that noise. Just like, if you're trying to sell your 1987 Ford Escort and you got it on the front of your driveway with a sign says for sale $90,000, no one's gonna be taking that seriously. So you got to start somewhere reasonable. I think 1 to 3% is typically where they go.

B (40:00)

Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI powered social engineering. Deep fakes aren't science fiction anymore. They are a daily threat. So here's a quick tip. If your voicemail greeting is your real voice, switch it to the default robot voice. A few seconds of audio can be enough to clone you. Adaptive helps teams spot and stop these AI powered social engineering attacks. And you can learn more@adaptivesecurity.com that's the two words. Adaptive security. Together.com.

A (40:44)

all right, everybody. So I was gonna play. I'm joking. I was gonna play like I got five on it. Just because Sierra Montgomery's got me thinking that in chat when she says you got 10 on it, you got five on it. Let's get Keith. All right. Hey, first timers. We don't do this every day, but when we do. Oh, yeah, let that wash over you. Feels good, doesn't it? All right, everybody, welcome to the mid roll. I want to say shout out to the stream sponsors again for making this show awesome. I get to get up every weekday morning, slam an entire French press to my dome, and come yell at this microphone. And you guys, I love it. Thank you for your energy. Thank you for enabling me to have a vehicle for my passion for cyber security and service. Shout out to the stream sponsors. Threat locker, anti siphon. I almost said threat actor, Threat locker, anti siphon and flare. Now, every single day of the week has a special segment. Funky Monk is here. Oi, oi, oi, Funky Monk. It's been a minute. Good to see you funky monk. One of our Australian birds. All right, guys. Hey. Every single day of the week has a special segment. And Mondays is a really nice one. It's the Simply Cyber Community Member of the Week. So what does this mean? Well, I. I am well aware, well aware that it takes a village to have a robust, rich and, you know, valuable community. And I'm not. Guys, I'm not an idiot. Like, I'm not. I'm not obtuse. I'm not one of these, like, oh, like I'm the center of the universe. No, I'm very aware of how awesome all of you are. So on Mondays, I get an opportunity to recognize one of you. We've been doing this for years, by the way. And Threat Locker, who I partner with, longtime sponsor, they see the value in this too. So they sponsor this segment, which basically. What does that mean, Jerry? It means because of Threat Locker's approach to application security, deny by default. I get to give a hundred dollar Amazon gift card to the Simply Cyber Community Member of the Week. I used to give out merch or a gift card. I'm still happy to give out merch. It's just more complicated. So anyways, I want to introduce you to your Simply Cyber Community Member of the Week. Now, he's actually relatively new to the community, but his impact has been felt and has been immediate. Ladies and gentlemen, may I introduce you to Robert Wetze, AKA Bow Tie Security. He's got the bow tie on. It looks like it's a death Star bow tie. This guy, Robert, okay, From both Bowtie Security. I met him at Zero Trust World for the first time. Okay. Incredible guy. He has been, when I say active in the Simply Cyber Discord server. That doesn't properly convey it. He is giving like 500 word responses to questions. He is following up. He is. This guy's all about service, all about mentorship, all about giving back. He's a maker. If you're into 3D printing. He plays magic, which was not influencing in him becoming the Simply Cyber Community Member of the Week. But just say hi to Bow Tie Security and say what's up to him in the discord. I'm telling you, this guy is one of the reels. All right, so Robert, I'll get with you. We do a lot of DM in me and Robert. So I'll get him the Amazon gift card. But everybody else. So just get ready. Marcus Kyler, you're the drum major. Please let us go. Everybody, the words are la la la la. Just give into it. Let it Wash over you in an awesome way. Feel it. Feel it. So good. So nice. All right, let's finish strong, everybody.

B (45:24)

Poland's nuclear Research center targeted Poland's national center for Nuclear Research. NCBJ says hackers quote, targeted its IT infrastructure, but the attack was detected and blocked before causing any impact. As the main government nuclear research institute specializing in nuclear physics, reactor technology, particle physics, and radiation applications, it provides technical and scientific support for the country's nuclear power program. The center's director stated that the cybersecurity incident did not impact the operation of the Mriya reactor, which continues to function safely at full, full power start.

A (46:05)

All right. You know, nuclear is coming back into the in vogue. Like it's 1951. Everybody's talking nuclear, by the way. I don't know, some people say nuclear, some people say nuclear, nuclear, nuclear. I don't know what was the word the other day that I couldn't say correctly? Do you guys remember that? I was trying to say. Anyways, Poland's national center for Nuclear Research kind of getting hacked. Okay, now I want to point out something very clearly. One, their nuclear plant was not compromised. Poland's okay, there isn't going to be some type of nuclear meltdown. This is not Chernobyl, by the way, the HBO miniseries on Chernobyl. Phenomenal cinema. All right, so they do some research up there, okay, no big deal. So pulling nuclear facility makes energy and they do research. None of it was impacted. All right, let me take a hot minute here and explain something to everybody. I want to point out a key term here. Hackers targeted its IT infrastructure. Now they detected and blocked it. Okay, so two, two things. Two things right away to point out. Number one, the IT infrastructure was targeted, okay, in specifically energy, but you can find it in other industries. There is it and there's OT. Now most of us think it. Oh, there's a computer, there's a phone, there's a Cat 5 cabling, there's a router, there's a switch. A lot of us think of it as like all there is. There's just it. There is also ot, which is a subset of like, technology that you will find in organizations. And OT is typically cyber physical systems. So think of OT as like. Think of OT as like something that opens event or closes event, something that, you know, adjusts the temperature up or down, something that adds a little bit of lie to the water mixture, something that spins at 33 RPM and then you can move it, the OT so it revolves at 31 RPM, okay? Physical interactive systems. That's what OT is. Or industrial control systems. ICS. So otics is not I T. Right. You're not running Windows 7 on a. A machine that vents gas into space. Okay, all right, so now that we understand IT and ot, they targeted the IT infrastructure, which again, going back to Colonial Pipeline. When people lost their collective minds on the east coast of the United States because they thought that we weren't going to have gas for a minute, the IT infrastructure of Colonial Pipeline got hit. Not the OT the fuel pipeline was never in danger. It's just people got all caught up in a panic. All right? And if OT Is interesting to you, there's an entire subset of knowledge out there it's tough to get into. But the people in the OT space are awesome. I just want to offer this up. Mike Holcomb is pretty much your on ramp to support an education within the I O T I C. S space. This guy is awesome. I love myself some Mike Holcomb. If this guy. As far as I'm concerned, this guy doesn't pay for beers when I'm around. Okay? This guy. I love this guy. So if you want to learn OT ics, go to mikeholcombe.com all right? Now, what's the other thing? And this one, again, I don't research or prep for the show, so I just. I just. I'm gonna take a lap myself. All right? If anyone here is a big hockey fan, Elliot Matice knows what I'm talking about. I'm just gonna go down the bench and take fist bumps from everybody. Ding, ding, ding, ding, ding, ding, ding. Okay, why am I taking a victory lap here? Why am I taking fist bumps? Because Poland was targeted by attack and they detected and blocked it before any damage was caused. Do you know why? Do you know how. Do you know how Poland was able to do this? I don't work for the Poland national center for Nuclear Research, but I can tell you, I can tell you with high levels of confidence, looking at the NIST CSF really quickly here, do you see how they were able to detect and respond really quickly before any impact was there? Do you know why? Going back to what I said 20 minutes ago, because they probably did tabletop exercises, they probably worked through purple teaming exercises. They probably did the things to make sure that they can detect and respond and recover in a timely way to minimize impact. That's the job, everybody. We're paid. Listen. This is a hill I will not die on. I refuse to die on this hill because I know it's A. It's like pissing into the. It's. I'm sorry. It's like peeing into the wind. It's just going to blow back on me and I'm not going to win. We shouldn't call our industry cyber security. What is this a hot take? We should call our industry Cyber Resiliency because that's actually what we're getting paid to do. You're not going to stop everything. You can't secure the thing and make sure that it's impenetrable. We will always have risk. What we're paid to do is make sure that while bad is happening, we're able to continue critical mission operations. Were able to reduce impact to a level. Bed is basically like not a problem. Dude. When you go camping in the woods or you go for a walk in a park or something like that. Right. You got bugs all over you. Yeah. You could not go for a walk in the park. Sure. That's one way to address the risk of getting bug bites. But you can also spray yourself with anti bug stuff. You. Okay. So that's a protection layer. You can still handle that. You're going to reduce down the likelihood of getting bit by a bug. You don't eliminate it. Right. You could wear a net on your head. Right. These are different controls you can implement. It doesn't mean a mosquito isn't going to bite you on the ankle where you didn't spray. And you don't have a net. You're just maintaining the resiliency of the walk in the park. Yes. You're still going to be able to walk. And getting bit on the ankle doesn't take you down like a gazelle getting taken out on the Serengeti. But it's not awesome. It's cyber resiliency, not cyber security. Again, it's a hill I'm not trying to die on. Simply Cyber community members, please don't try to pick up the banner on this one. It's just. It's a personal thing.

B (52:54)

A data breach hits employee portal. This incident was detected on February 6 as an unauthorized intrusion to the Starbucks Partner central portal. This is used by Starbucks employees who are called partners and manages their personal information, payroll and benefits data. A subsequent investigation found that hackers accessed Starbucks Partner central accounts after obtaining user credentials through a phishing attack that leveraged fake websites designed to mimic the portal. This incident affects nearly 900 Starbucks employees of the more than 200,000 Starbucks workers in the United States.

A (53:36)

All right. Detected on February 6th. Very special day in my world. Unauthorized Access to partner central accounts, online portal. All right, so someone's creds got compromised. Let's see, Let's see. Hackers got user creds through phishing and. Okay, whatever. So, okay. Oh, all right, so there's. There's a couple things here. Number one. Number one, users aren't hacking in. They're logging in. Welcome to 2026. Have multi factor authentication credentials, please. Again, I don't know if this Starbucks employee portal had MFA and the threat actor was able to fish creds and session tokens, but it sounds like no. So I'm gonna. I'm gonna ding you one time. I feel like playing you're so dumb is a little harsh for them. So if you don't have multi factor authentication, get out of here. Okay. Number two, near and dear to my heart. Like, I. Again, I would get a main attorney's general office tattoo on my lower back if I didn't already have one. But the main attorney's general office is like, basically, not all heroes wear capes, okay? The main Attorney General's office is, like, the leading advocate for bringing light data breaches. Like, lots of businesses don't want to bring to light that they're suffering data breaches, but they do have to disclose when individuals are compromised. And if a single main citizen gets wrapped up in a data breach, oh, you better believe the main Attorney General is going to climb, you know, Mount Mount Washington or whatever it is. I don't even know what mountain is out there in Maine or New Hampshire. I know there's a big one. I think. I think I've been to it anyways, and they'll scream it out. So way to go, Main Attorney General's office. You rule. And then, I mean, whatever. Like a threat actor logged in. Sounds like maybe they logged into some type of manager's account. Who could see different people. This, I swear to God, if this wasn't Starbucks. This isn't even a news story like this to me. To me, okay? And I know certain people were affected. To me, this is a nothing burger story. Starbucks hacked. Ooh, not really. Starbucks. I would argue Starbucks wasn't hacked. Like, somebody gave up their creds and some threat actor logged in. This is the equivalent of someone, like, going to your mailbox and taking out a piece of mail and opening it like news at 11. All right, by the way, can we just. For a second, I don't know who made the decision at Starbucks, but I went to my Starbucks recently and they, like, remodeled it. It used to feel like A second living room, like you could. I. I did a lot of my PhD dissertation research at the Starbucks near my house. I went there recently. It felt like a bus station. Like, it's just like one long bench and you, like, order and you sit down and there's like a monitor to tell you, like, when your order is up. It feels way less personal. It feels way less comfortable. I'm not going to go back. I don't know who made that decision at Starbucks. Like, maybe they're making more money from, like, mobile orders or whatever. But you know what? As far as a place I want to go, sit down and chill out. I'm done with you. You're dead to me. I'll still drink the coffee.

B (57:09)

Better Leaks to replace Git Leaks as Open Source Secrets Scanner, this new open source tool called Better Leaks can scan directories, files and git repositories and identify valid secrets using default or customized rules. For some context. Secret scanners are specialized utilities that scour repositories for sensitive information such as credentials, API keys, private keys, and tokens that developers accidentally commit in source code. Since these are actively searched for by threat actors, this new utility made by the same team that created git leaks, is clearly intended to be an improvement.

A (57:51)

Okay, so this is a good guy tool or good person tool. Okay. And this is a bar chart. You know, you know how I feel about infographs. This one's all right. The. The lower the bar, the better. Okay, so what they're saying here is the better Leak scanner can scan a data set in two minutes. That would take get leaks 11 minutes or get leaks version two five minutes. So basically, the larger the data set, the more time it takes. This one can do it twice as fast as any other competitor right now, this is provided by a Keto security. I don't know if this is a open source tool. It seems like it would be, but here's my thing. If you're using get repositories, whether publicly or for internal private, you know, like your company uses a get repo and stuff like that, there's no reason you shouldn't do this, okay? It is open source. It's got the open source MIT license, so you can do it. It's got real contributors, so it looks like from Royal bank of Canada, Red Hat, Amazon, which would mean that it's going to be supported. Here's the deal, okay? Especially with Vibe coded, okay? There's no reason, if you're using get large instances, small instances, whatever, there's no reason you shouldn't have this scanner scan your repos either. Set it up to scan daily. Have it set up to scan before commit is made into. Into the, you know, main branch. What you should not do is not be looking because Vibe coded apps AI like developers who don't know any better. Like, and I use the term developers in quotes because now my, you know, my aunt Dorothea is a developer and all my love to aunt Dorothy. I love Aunt Dorothea, okay? She's like a second mother to me. But. But she's not. She shouldn't be Vibe coding apps. All right, so the, the explosion of credentials, API keys, tokens, etc, people putting keys accidentally into things. It happens. I'm not saying you're wrong or stupid or anything like that. Sh happens, okay? Things happen. So guess what? Here's a tool that you can use to make sure that bad doesn't happen. This, this, this is basically all day long a identify control, right? Identify is usually associated with asset inventory and stuff. This is identifying secrets in your source code before you make them public. There's no reason not to use it, so go use it. Let's go.

B (60:34)

Apathy possibly killing momentum for tougher telecom security rules. Despite the fact that just two years ago, Chinese hackers were found to have compromised at least 10 U.S. telecoms, quote, giving them broad access to phone data affecting nearly all Americans, end quote. Those in charge of bolstering the country's cyber defenses state that constituents struggle to understand why this should be a concern, thus depriving policymakers of the public pressure needed to protect the nation's telecommunications cybersecurity. Some officials speculate that cyber attacks that expose sensitive data and US companies routinely collecting and selling data have left Americans, quote, numb to data theft and data for profit. So additional breaches feel like just another drop in the bucket, end quote. Have you joined?

A (61:25)

Yeah, 100%. I really quick update on the Starbucks story. James and Quiggin reporting that the Starbucks portal did have MFA and the threat actors were able to steal that session token. Two things there. One, congratulations Starbucks, you're doing it correctly. Number two, you know, public service announcement reminder to everybody that MFA is not bulletproof. It doesn't stop everything. And that is today is the more, you know, squad members you can go ahead and drop that emote. All right, listen, we're a couple minutes over. I do want to get the jawjacking, but this is, this is a real story, guys. This is actually compounding several things all at once. Salt Typhoon is an incredibly sophisticated, incredibly effective Chinese based, nation state sponsored threat actor. This Isn't xenophobia. This is just reality. This is what's up. They are hyper effective and they have compromised telecommunications businesses of like major telecoms in the United States and other kind of western philosophy countries. Now what does that mean, Jerry? Like my cell phone still works? My Internet works? Yeah, yeah, yeah, that's fine. Okay, two things. One, if all the traffic, all the communication is passing through these telecommunications provider, it's kind of like having your finger on the nerve center for all communications, right? So you could have integrity concerns, you could have confidentiality concerns, number one. Number two, guess what? And by the way, I'm not suggesting this is going to happen. I'm just hypothetically throwing this out there. Okay? If you wanted to cause mass chaos, if you wanted to partner as part of some type of coordinated attack or effort, one of the first things that would be really, really powerful is, is to knock out all communications of the target. Go look at when Russia invaded Ukraine. There's a reason that Elon had to fly Starlink over Ukraine to give him Internet service because Russia took out the Internet to begin the assault on Ukraine way back in 2022. So if salt typhoon is all up in the business and they have one major lever they can pull down to shut it down like John Taffer and Bar Rescue, wouldn't that be nice? Again, I'm not saying that that's what they're doing. I'm just saying think about it. Now the problem is every single day we do the show, there's like data breach, data breach, data breach, Starbucks data breach, bank of Canada data breach, Telus communication data. So everybody just kind of equates the same level of impact, regardless of organization, regardless of threat actor, regardless of everything. People are becoming numb to it. And it's 100 true. It's a day that ends in. Yeah. The problem is, and it doesn't help that the United States is like doing all this crazy stuff right now from a federal perspective with Iran and Venezuela and Ecuador and all these freaking things. But, but, but there's so much going on, it's like, it's like straight up total chaos. So something like this, where these moves are happening, they get lost in the noise, right? That like, it's like the, it's like the churn of the propellers behind the boat, it's just all mixed up. And it's very difficult to grab that one thread that's like a higher priority and pull it out and make sure policymakers, legal, people, representatives, officials are able to see that one very important thread. And Call attention to it. Because we're humans, man. We can only focus on so many things at once. And unfortunately, right now, the current climate of everything, there's a lot to go on. All right, all right. Check it out now. All right. Wow, what an hour. That was a fast hour. All right, I want to say quick shout out to all you. Thank you so much for taking checking the show out. We're a few minutes over. Somebody call Nick Barker and apologize. I want to say shout out to the first timers. Nick. Nick Dixon, who signed up as a squad member. Love it. And Adidi. And we had another first timer and I'm sorry, I forgot who it was. If you were here for the first time, this was pretty much a standard episode. So if you like what you saw, number one, come back tomorrow, 8:00am Eastern Time, every weekday morning. And number two, bring a friend. We love doing this. We love helping people. It's all about good times up here in the Simply Cyber community. Don't go anywhere because. Jesus, I told you I threw a caboose on the value train. We're double caboosing it. There's unheard of. This is unprecedented. Nobody's talked about the double caboose since 1971. Right during the Philadelphia incident. We're double caboosing it from 9am to 9:30. I'm gonna do a different show and I'm going to answer all your questions. So if you have any questions about career cyber industry tools, techniques, tips, people, ics, ot, Mike Holcomb, Adrian Enterprise Security Weekly. Whatever it is, I'm going to do the best I can to answer it because that's what I'm all about. Support, inclusion, empowerment. Thank you so much for coming. Don't go anywhere. I will handle the transition. I'm Jerry from Simply Cyber. Until next time, stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions. Questions about the cyber security field. Live, unfiltered and totally free. Let's level up together. It's time for some Jawjacking. All right, what's cracking, everybody? I am Jerry Guy. As you can tell by the glasses, I'm cool coming into Jawjacking. Jawjacking is a 30 minute AMA show program, whatever you want to call it, where I answer questions to the best of my ability. Many of you might be coming directly from the Daily Cyber Threat Brief hosted by that nerd, Dr. Gerald Dozier. Oh, this cyber security framework. I'll fight people for cyber resiliency. Shut up, nerd. We're all about good times up in here. Drop your questions in chat with a queue, and I will answer them. Looks like we got one coming already. Hot off the griddle from Space Tacos. Hey, Jerry, when will Team SC have the chance to finally meet the Aunt Dorothea you so frequently speak of? I don't know. I don't know. Aunt Dorothea is up in Massachusetts. She doesn't travel that much. But I do love my Aunt Dorothea. I. I'm gonna send her a clip. She is just. You want to talk about a person who just gives and gives and gives of herself? She is an angel walking the earth. I love myself some Aunt Dorothea. All right. A lot of people talking nerds. I saw Cyber Risk Witch. Looks like she adopted a puppy somewhere. In chat, I saw that double caboose. Also the name of Jerry's tram stamp. Oh, my God, that's so funny. Yes, yes. So I did just as a. To close the loop on that. Lower back tattoos became very popular in mainstream society around the year 1999. Like, the summer of 99 is where that tattoo became popular. In the fall of 1998, during wrestling season or 1997, I, like, lied about my age to get a tattoo. 97. I wrestled. And you would wear singlets, right? But when you weren't actively wrestling, you would take the top of the singlet and peel it down so you would just basically be wearing shorts. And I was like, you know, all the rest, like, we were, like, kind of shredded. Now, granted, I weighed, like, 119 pounds, but I was a shredded 119. And the cool thing is your lower back tattoo would. Would rest right above where the singlet peeled down. So it was badass. So a lot of us on the team had those tattoos. And you know what? Those guys are still walking around on the earth with a lower tattoo. Could never have predicted that that tattoo would take off in the direction it did. So, yeah, James McQuiggin, you don't know that. I have two tattoos, and I actually want to get a sleeve done. I've been talking about that for too long. I should just go do it. All right, if you got questions, put them in chat. I know we have a special lot. Aditi says, what is about dd? You'll have to be more. You'll have to put more context to your question, because I don't know what what is about is asking, but I will answer your question. All right. Hey, Jerry, how about just a pretty pre recorded message from Auntia the next time you visit the fam okay, maybe I'll do that at J. Mutu. First timer in chat. Welcome to the party in 26. What does it. What does work look like for someone in grc? All right, so great question. If you guys don't know grc, governance, risk and compliance is considered an, you know, a. An area within cyber security that's blowing up. All right, so when we talk about roles in cyber security, there's blue team roles, SOC analysts, incident responders, digital forensics. A lot of people think of that. They're the operations people watching the wire. Then there's red team, pen testing. They break into stuff. Okay? Those are operations. GRC is the interface for the business. GRC stands for governance, risk and compliance. And what we do in grc, and I'm a big GRC dork, is we look at. We basically interface with the business. So the. The simplest way to put this is the business is required to comply with certain things. Hipaa, pci, whatever, right? Gdpr. You are making sure that whatever we're doing on the cyber side is work in it is compliant with whatever regulations. That's number one. Number two is governance. And this is where you're working with the business to educate them and help them understand, like, how do we work here? And a GRC person has to serve the business, not tell the business how it's going to be. So what's the tone of the business? How is what's important for cyber? And then risk is the most important part. This is where you get paid straight cash, homie. Great cash, homie. Risk is. Listen, there is. I made a reference earlier in the show about like, going for a walk in the park. Say you have dogs. J MUTU I don't know. Let's say you have dogs and you want to go for a walk in the park, right? You're gonna bring bug spray. You're gonna bring, you know, a water dish so the dogs don't get thirsty or whatever. You're gonna do things to prepare to have a good experience and be able to execute the mission of going for a walk in the park. Okay? So you can do that many ways, right? You could bring a Yeti cooler with like 6, 000 bottles of water in it. You could bring one Nalgene bottle. You could have a camel backpack, right? There's many ways to bring water. The Yeti cooler with 6,000 bottles cost $10,000, right? The camel backpack is 100 bucks. The little water bottle is five bucks, right? Well, maybe the camel backpack is all you need. The analogy model is not enough. So you allocate a little budget for the camel backpack. So basically you're only going to get so much budget. So how do you choose where to spend that money, what controls to do, which controls give you the biggest risk reduction? Okay, so that's, that's what risk is and that's why we interface with the business. Of course we do a lot of speaking, a lot of educating, interfacing with the human side of the business. So what does work look like for someone in grc? Now that I've laid this out, a typical GRC person, number one, you won't get called into incidents. So that's the best part. If you work 9 to 5, you're working 9 to 5 now you might have to go on travel for audits, go to like facilities, go to site locations. Some of you know this, I know J Mutu knows this. Like I used to have to travel for like six weeks a year to go to Antarctica, go to New Zealand, Chile and all these other things. Like you're not going to go on Monday, 9 to 5, go to Chile and then fly back. Right? Like it's. So for the most part though, it's nine to five, no big deal. Number two, work in grc, you're doing a lot of communicating. So like dude, I'm telling you right now, one of the biggest things you can do to be effective in GRC is being able to communicate effectively. And this means like speaking to executives at the executive level, talking about finances, talking in short bursts, right? Like they don't want a huge diatribe. Talking to technical people. I know grc, you don't have to be super technical. But if you're talking to an engineer, explaining what they need to do and you aren't technical, the engineer is just gonna, it's gonna sound like the teacher and Charlie Brown. Like they're not gonna listen to you. So you have to be able to speak technically and then end users, right? If you're talking about next level zero day hacks and end user is going to turn off, right? Aunt Dorotheas of the world aren't going to hear you. So you got to be able to communicate effectively. So final way to answer this, what does work look like for someone in GRC? You work 9 to 5, you're typically building a cyber program. You're going through audit cycles. So like every six months, maybe you're auditing, maybe you're interfacing with third parties who are coming in to do auditing, you're writing policy, you're enforcing the policy, you are running tabletop exercises, you're going to sites, you're sitting in the finance teams meeting for the first five minutes and educating them on a cyber attack. And also you are staying current on the top cyber news stories of the day. This is why I do the daily Cyber Threat Brief. It's not like, oh, look at me, like, literally, I would do this if I didn't have a podcast. Because it's so important to stay current @j mutu. Let me know in chat. Please reply. I'll look. Please reply and let me know if that answers your question. All right. James McQuiggin, you have a tattoo. Yes, I do. Nick Dixon, first timer. Welcome to the party. Jerry, Love the show. In your professional GRC experience, have you used FAIR or anything similar to quantify? I'm familiar with fair. Yeah. So I have not used fair. I've studied fair. FAIR is the. It's an acronym. It's one I don't know because it's like one of those ones that everybody just says fair. But let me show you this. It stands for Factor Analysis of Information Risk. It's by the FAIR Institute. I, I know people have used this. Steve Cardinal has used this. Fair is great. Fair is great. So normally thank you, Nick Dixon for the question. If you can study FAIR and implement it, it's awesome. Here's what I would tell you about FAIR and any risk assessment based framework. In my opinion, if your business has like nothing, nothing in place, right? Like you're or you're very immature from a program secure program SEC security program maturity, right. Then FAIR is like killing a mosquito with a cannon. Like you should just first get the big things. You don't need a FAIR analysis to know you should put MFA in place. You don't need a FAIR analysis to know that you should have either managed detection and response like an outsourced SoC or that you should have an in house SoC and P and people in logs going to the SoC, right? It's when you get to like the maturity level. 1 of 5, 2 of 5. Where a risk assessment methodology makes a lot of sense in FAIR is phenomenal. You do have to go get trained in it, by the way. I don't know about other quantified ones. I will say when you study like cissp, you will learn the ALE Risk Assessment Methodology. Annualized Lost expectancy. To me, to me, this ale, again, this is like a, it's probably a question on a CISSP in my opinion, okay. Talking about, you know, loss expectancy and Percentages and stuff. Okay, here's my thing. I never signed up for this. I never subscribed to this. And this might be a, like a spicy hot. Take the. The ale. Annual loss expectancy. That is a framework and a formula that doesn't map to cybersecurity. Explain to me, work with me on this one. Just as a quick example, what is the annual loss expectancy of losing email for 48 hours? You can't, you can't quantify that. You can say, oh, if like, this manufacturing line goes down and it makes $100 a day, and when it's down for five days, we lost $500. Yeah, you can do that. Tell me how much if we lose access to email. You can't. It doesn't really work that way. So to me, like, fair is good. The basic ones are not good. And if you have a comment in chat. GRC pros, we have the GRC Mafia here. By the way, if you're a squad member and you identify as GRC Mafia member, go ahead and drop that squad emote in chat. Next question. All right. I thought you're getting your sleeve done in Simply Cybercon. I know. Well, maybe we're talking about maybe having a tattoo. I said simply Cyber 2026. I think Mrs. Ozier doesn't think I'm gonna get the tattoo done, but I'm going to. It's happening. Legrat calls me Professor Tramstaff. Okay, let's see. Do you know LinkedIn wasn't streaming again? Oh, my God. No, I didn't know. Dude. LinkedIn, dude. There's been some talks at the. In the Simply Cyber office around moving to Riverside Studio Restream. You are getting close to being yeeted. All right, let's see. Scrolling chat. Put a queue in front of it. D verse is trying to move into grc. Get in here. Plenty of room. If you are trying to target grc, I would recommend. Unless you're going to try to move internally at an organization, I would recommend looking into CMMC readiness roles. Cmmc Charlie Michael. Michael Charlie. In the United States. Jerry G. CTI Resources after Wade Wells course. For someone wanting to transition from sock to cti, oh, man, that's a good one. Foreign. I'm kind of blanking on CTI resources, honestly. I mean, it's not really a resource, but like getting familiar with Miter attack framework, getting threat feeds. Like Alien Vault has like a free threat feed you can get into. Basically kind of like get like fill the tub up and get in the water. Like instead of Studying how water is wet. Like fill the tub up and get into it. Meaning subscribe to these threat intelligence feeds. Let it wash over you. Get familiar with Dan Reardon. Is taxi and sticks still being used? Like get familiar with those things and then I would even, I would start reading if you can like, like threat intelligence reports as they become available. Being able to write threat intelligence reports would be valuable. You know who's another one? It's. There's a, there's a simply cyber community member called CTI J who's all, you know, all up in this and he would be a great resource as well. So those are my thoughts on cti. Going from sock to CTI is a very real transition path, right? Like going from GRC to cti. It's possible you can matrix from any role to any role in cyber, But SOC to CTI is definitely a, a well established path. Rich464 I'm from Canada. We had two of those breaches from major companies across the board. Cyber and IT jobs have been cut back like crazy. Any top tips? Talking to leadership about the major gap. Well, anytime you're going to talk to leadership, rich, talk straight cash, homie. Straight cash, homie. You know, and here's the thing. I like to, I like to modify behavior with honey instead of vinegar. Meaning instead of being like, hey guys, like you know, we've look, we're gonna get hit because you guys aren't taking this seriously. You could be like, hey, like just want to call your attention to, you know, like this Telus community telecommunications hack. It cost them $65 million, right? Because of the, the Shiny Hunters ransom is $65 million. So I mean you have a number. You could say, hey, this company suffered a data breach, potentially $65 million. And chances are the threat actor, it didn't say it in the story. It was like a nothing story. Remember Rich? But it. Shiny Hunters is known for doing vishing. What? Okay, so this is going to be like a level 7 or hold on. This is like a level 60 Paladin World of Warcraft move. Okay, I didn't play World of Warcraft, so if that didn't make sense, here's what I would do. Okay? And again, I don't lie. So this is true what I'm about to say, but it is very much taking advantage of a lot of things. Shiny Hunters definitely hit that Canadian telecommunication company. Shiny Hunters definitely asked for $65 million. Shiny Hunters definitely has TTPS. Now the story did not say that they used vishing. It didn't say it. But what I would do is I would go look through Shiny Hunters ttps. I would find a TTP that is related to an area that you, Rich, would like to get addressed at your organization. So, like, let's say you don't have mfa, for example, right? Well, if one of Shiny Hunter's things is logging into compromise credentials, which. Which it is, then you could say, hey, listen, this. This Canadian company suffered a upwards of 65 million dollar cyber attack because they were con. Their. Their security was similar to our security. So it could have been us. And the threat, the criminal would have been successful. Now, I don't want us to lose $65 million. What I would propose is, you know, for $200,000 or $80,000 or whatever, we could implement this control that would prev. Like if the same attack happened to us, it would be unsuccessful. Right? Or maybe you want to hedge that a little bit and say if the same attack happened to us, the likelihood that we would be a victim is very low. Right? Always leave a little room there. And honestly, with mfa, chances are you already have it in place. It's not a financial expense, it's a. It's a time and human resource expense. Great question, Rich. Hopefully that answers your question. All right, continuing to scan chat. I got five more minutes of ama. Holy crap. Tom Landrin out of Buffalo passed the PMPT yesterday. Hell yeah, dude. Way to go, Tom. Love myself some Tom. He was at Simply cybercon. Tom, I hope you can come on down to simply CyberCon 2026, which, by the way, if you guys didn't know, since I'm awful at marketing. Simply CyberCon 2026 is up. You can register. We already got people registering. You can book your hotel room. We're doing it two days. It's at Folly beach this year. Much more of like a retreat type event. We got talks, workshops, panels, activities. Whoo. It's gonna be spicy. All right, let's keep cooking. All right, cool. At J. Mutu saying thanks, Jerry. That was really helpful. Love it. All right, let's continue. How to measure anything in cyber risk. Yes, I actually, I have read that book, David Hoffman, and it is good. So I. I agree with David Hoffman on that one. Legrat's maturity level. Seven of nine legs cyber program goes to 11. Drink. All right, low pro is here. Good to have you. Better late than never. Continuing to look through chat. Remember, I'll be at RSA next week in San Francisco doing the show live from a hotel or an Airbnb. Sierra Montgomery says if an attacker steals cloud creds. What controls can stop them from moving laterally across the environment? Well, there's a bunch of different ones you can do network segmentation, you know, basically preventing the endpoint they've compromised from being able to see into other areas. You can use least privilege. So maybe they're not able to use those creds to kind of like access any other resources. Those are like protection controls. Sierra. From a detection control, you can have conditional access, which is like Azure Active directory or Entra ID has conditional access, which means, yeah, the creds work. But you can't log in between 6pm and 6am right Eastern time, for example. Or you're only allowed to log in from the United States, or you're only allowed to log in from this IP address. I mean, so multi factor authentication for sure too, right? If they have cloud creds and they, they try to log in but they don't have the second factor, that would slow that down as well. Yeah, I think those are, those controls are the ones that come immediately to mind. What top of beginner friendly projects would you suggest to get into Sock analyst or blue team? A DTR first timer. Beginner friendly projects. So number one, you can stand. Okay, so, all right, so here's the number one. Okay, this is beginner friendly. I think it would cost like 50 bucks, but I love this one. I'll give you a free one and. And I'll give you a paid one. My God, bro. All right, check this out. This is Eric Capuano and Whitney Champions site or landing page or whatever. They offer a course. Where is it? All right, so hold on. This, this is tough. I haven't gone to the website in a minute here. Okay, so you want to be a sock analyst. Okay, a dt. You want to be a sock analyst, Right, Perfect. This course right here, I'm gonna drop a link to it. Okay, there's Eric and Whitney right there. This is the course you want. Okay, this one right here, I'm gonna drop a link. 50 bucks. This is easily the, the best 50 bucks you could spend. Okay, check this out. A DT. Why can't I tag you? All right, well, so you want to be a sock analyst. Check this out. Why is this good? This is good because one, you stand up a vulnerable Windows machine. Two, you stand up an EDR platform called Lima Charlie on another machine. Three, you actually run attacks. See, they work. Then you do detection engineering. You configure attack detections in a sim. Then you rerun the attacks and see them get detected. You literally do sock analyst work. Like advanced tier 2, tier 3 sock analyst work. It's phenomenal. Eric and Whitney, they run the CTF at the blue team village at defcon or they have in the past. Eric and Whitney are. You want to talk about people who exhibit the Simply Cyber core values of support, inclusion, empowerment. Eric and Whitney, all day long, they, they. They like live and breathe, all that stuff. I love it. Eric Capuana was my first guest on Simply Cyber, you know, way back in the day when he was well established. And I. I was not. I'm gonna drop a link to this guy right here. This is him on LinkedIn. Huge fan. If you want, please connect with him. This would be. I'm gonna pin this on chat. This would definitely be like, if you're interested in anything blue, red, blue team, differ, sock analyst, whatever. Eric Capuano must follow. And he's not gonna send you a bunch of crap. Okay? He's not. He's not like that. He's legit. Okay, Aditi, I hope that helps you. All right, we're at 9:31. Let me speed run the rest of these questions. Twitch is a platform. I can't do Twitch. The problem, tj, is Twitch. Like, you have to be all in in Twitch in the way that it works. Or you can't. Or you can't. And I just can't. Okay, so continuing to scrub chat here. All right. Hey, by the way, Sierra Montgomery, others, Tom, Code Brew. I see Phil Stafford. I see a lot of you answering questions and providing guidance to questions in chat. Thank you. Thank you, all of you. I try to answer all I can, but, you know, obviously it's much more valuable when more people are offering good answers. Just want to say finding your page has been insightful, informative, and very helpful. T Strong. Let's go, dude. I hope you have a great day. All right, is anyone else going to rsa? I will be there. I think you were asking the general chat. Nick Dixon, if you were brand new to grc, what NIST pubs or any other frameworks would you start with? What projects do you do show potential employers you can do the job. Great question. And because it's grc, I'm going to give it a little bit of extra Number one, Nick Dixon. I don't know if you're an industry plant or not, but when you're talking this special publications. Oh, be still my heart. I. I'm not going to get it tattooed, but I heart NIST across my knuckles. So you want to get familiar with the SP 800 series. Oh, my God. Hold on one second. For real. We're talking this. Give me one. Hold on. Oh, yes. Oh. 837. 53. 30. Oh. Oh, my God. Did it get hot in here? Is it just me, everybody? Wow. All right, so listen, Nick, Nest 837 is definitely number one. You want to get two 800. Oh, my God. Bruh. 837. Start here. Risk management framework. Then 853 would be the next one. And that's the security control catalog. Start with those two and you'll be off and running. And then just. Honestly, just spend. Like, pour yourself a nice glass of pinot noir, open this web page, put it on the tv, and just have yourself a Friday night. Oh. All right, let's continue answering the questions. I. I really got to get going, though, because I gotta go. I want to go spend some time in the house with family. Oh, a clop tattoo. All right, looks like we're all caught up, guys. This has been absolutely delightful, spending my the Monday morning with you. To all of you who answered, thank you very much. Shout out to bowtie security, our simply cyber squad member of the week or simply cyber community member of the week. Everybody will be back at 8:00am Eastern Time tomorrow morning, Tuesday, March 17th, for episode 1089. You guys are awesome. Yes. Shout out to Nadine. That is right, Sierra. Guys, keep killing it. I'm Jerry from simply cyber. Until next time, stay secure. See ya.