B (5:14)

Cool.

A (5:14)

Run grc. I love it. All the GRC people are letting the mafia know what's cracking. GRC Mafia. If you're a squad member and you identify as a GRC person, publicly drop that GRC Mafia emote in chat. I Certainly do. I. I'm, I'm the guy in the front waving like the oversized, ridiculous flag that says grc. I'm also the guy who's probably gonna get picked off first by the SecOps people. They're like, Take down that GRC nerd. All right, guys. Every single episode is sponsored. Thank goodness, because it's a tough one to sell to my wife and kids if I just came out here and screamed for an hour in, in a, in a studio in the back instead of supporting my family. So. Shout out to the stream sponsors links in all the descriptions below. First sponsor is Flare. Flare. Cyber threat intelligence platform makes it easy for you to get insights for your organization to see if you have compromised credentials, see if you have targeted individuals, VIPs, lookalike domains, whatever the threat actors are doing, whether it's in telegram channels or dark Cyber web forums on the Dark Web, Flare gathers that information. Step one and step two, they put it in a very, very snappy, easy to interface interface, which makes it super easy. If you want to see how powerful this threat intelligence platform can be for you, it like really quickly. If you don't understand the value that threat intelligence can bring to your cyber program, this is an amazing opportunity. You can sign up for a two week free trial. You get instant. Well, you have to get verified that you're not a criminal. But once that's happened, you get instant access to this platform and you are off and running. There's no on ramp. It's like literally instant value. You will see it immediately and understand how threat intelligence can help you. Go to Simply Cyber IO Flare now and sign up link in the description below. Also want to say shout out thank you to Anti Siphon training. Anti Siphon training. Disrupting the traditional cyber security training industry by offering high quality, cutting edge education to everyone, regardless of financial. Regardless of financial position. Today there is still time. This starts I think at 11am chat. Can I get a confirmation what time this webinar starts today? Hold on. Maybe if I hit the register button. Is this closed? All right, hold on. This looks like it's closed. So too late. Too late's the cry because it's not available anymore. So let's talk about what you can do. Oh, nice. This is a classic Wade Wells. Ooh, Wade Wells is back in action. Ladies and gentlemen, join Wade Wells and Anti Siphon training on Wednesday, May 6 to learn how to turn cyber headlines into action with Wade Wells. This guy's basically telling you how to take the daily cyber threat brief and make detections out of it. He's a detection engineer superhero and I gotta tell you, he's been laying low for a little bit. He's a good friend of mine. He's a great friend of the simply cyber community and he's just a really cool dude. San Diego's on San Diego's own Wade wells register for this free one hour webinar. I am actually going to register to support my friend Wade. Hold on one second. How do I register? All right, well, I'm gonna register after the stream ends. That way you guys don't see all my creds. But yeah, come on down. I'll be there supporting Wade. I hope you can join us. Plus oh my God. Value add. Yes, please. Thank you. You know what else adds value to your organization? Application security denied by default. But that's so hard, jerry. Well, it's not hard with threat locker. Did you know threat locker has cracked the code on application denied by default app security. And not only do they do it on the endpoint, which is where it's super valuable now they've migrated up into the cloud. That's right. Giving you amazing defensive posture before bad happens. Let's hear from threat locker. Since I got this snazzy video roll and then I'm gonna melt your face, I didn't see any first timers. So you guys know what the deal is. I want to give some love to the daily cyber threat brief sponsor, Threat locker Do zero day exploits and supply chain attacks. Keep you up at night. Don't worry no more. You can harden your security with threat locker. Worldwide companies like jetblue new trust threat locker to secure their data and keep their business operations flying high. Threat locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their U. S based Cyber Hero Support Team. Get a free 30 day trial and learn more about how threat locker can help prevent ransomware and Ensure compliance. Visit threatlocker.com Daily Cyber. All right. And I would be remiss to not say every day of the week has a special segment. Friday is dad jokes Friday. James McQuiggin at 35,000 has us loaded up with dad jokes. So catch those at the mid roll. Sit back, relax. Let's get into the news.

C (10:36)

From the CISO series, it's cyber security headlines Foreign

D (10:42)

these are the cybersecurity headlines for Friday May 1, 2026. I'm Steve Prentiss, critical cPanel and WHM bug exploited as zero day experts are warning about a critical CVE numbered authentication bypass vulnerability in cPanel, which is a Linux based web hosting control panel as well as WHM and WP Squared. The bug is being actively exploited in the wild. Hosting provider Known Host, which uses cPanel, said it noticed successful exploits in the wild on the very day the vulnerability was disclosed. CPanel released a Fix on Tuesday after receiving pressure from hosting providers. According to Rapid7shodan Internet scans show that there are approximately 1.5 million cPanel instances exposed online, end quote unquote. But there is no data on how many are vulnerable to this particular bug. Swiss police arrest suspected members of all

A (11:48)

right, so check it out. There is no question to me this is a bit of a hot take, right? But I suspect AI is at play here. Oh thank you Dan Reardon. Dan Reardon just reminded me of a dad joke that Mrs. Ozier told me that I'm going to share with you guys at the mid roll. Listen, cPanel, a couple things here back up, right? Number one, cPanel is an interface to kind of administer, in my experience, kind of a website on a Linux box, right? So say you have some VPs out on the Internet somewhere and it's managing your website or whatever and you, you could have some cPanel as kind of think in my, in my experience and I've only used cPanel a little bit, cPanel is kind of like a WordPress admin interface. Like you can do the things that you need to do for a website or for a Web app through cPanel as an administrator and it's browser based and you log in and everything like that. Now of course, since it's like an admin console and by the way, if anyone has a different take on C panels, drop it in chat. Like I said, I've only used it a few times but it's very popular, it's widespread, it provides admin access, it's browser based, it's Internet facing typically. And when there is a vulnerability like a zero day, it doesn't matter how sweet your creds are, threat actors are going to punch through it. Now I think it was AI because a vulnerability came out and then like 15 seconds later there was an act of exploitation in the wild. So see there, someone had a zero day and was already ripping through machines possibly. Or, and, and 15 seconds is hyperbolic. I'm exaggerating to make a joke, but like it was same day. So either that or someone took the vulnerability. Excuse Me the patch, reversed it, flipped it, rubbed it down and then oh, they had an exploit. Oh, okay. Which is what I think happened. AI is changing the game. I don't know how you're going to fix this, honestly. Because in a perfect world you would be able to communicate to all the people who are running cPanel or whatever technology responsibly and discreetly without the threat actors finding out. That way you have a window of time to remediate before exploitation happens. And we do have things like that right now in this world called it's tlp. If you've ever heard of traffic light protocol red or amber or clear. These are supposed to be information sharing channels that are closed groups to allow for this kind of communication. So imagine if you will some medical device is like straight up getting popped and you know it's pushing drugs into someone and, and it's causing patient harm. Okay. There is a health care ISAC that would allow people that have been pre vetted to get communication from Medtronic or Crestron or Phillips Healthcare, whatever, it doesn't matter where you could get that information to them and say hey, take care of this. And then maybe a week later it makes public news. But the problem is the threat actors in 2026 are pretty good at lying so they're able to get into those channels too. So there isn't really a great example short of sending a human to the hospital or wherever, which is completely impractical. So tldr. Well the bigger picture here is that AI is making from patch to exploit the, the window of time you have to patch is greatly reduced. Okay, now it's if you're running C panel, you've got to patch this. Ah, you gotta patch it. The other thing that they mentioned and is very, very important to note here and if you didn't know, now you know is they said Shodan shows a million C panels out there. Now I don't know off the top of my head what the Shodan command is for C panels but. Oh this is perfect. Dan. But, but, but Shodan basically scans the Internet like Google every day looking for stuff and fingerprints, everything. So when you have something that is an Internet facing asset with an admin panel, you don't have to guess where these things are. You literally go on Shodan and look them up. So what can you do as a practitioner today? Well, you can do two things. Number one, go to Shodan and scan for your Internet facing IP address range and see if you have C panels. Number two, if you do have C panels and this is perfect. Dan Reardon just dropped this in mod chat. Watchtower Labs, who I secretly really, really like. It might be more obvious. It might be, this might be public knowledge. I really like Watchtower Labs. They have a detection artifact generator that will on GitHub, which is free, which will allow you to test to see if your instance is vulnerable. This is effective. They don't call it this, but this is effectively a proof of concept. A proof of concept exploit typically will show you that it can be exploited without detonating a malicious payload. Right? It pops a calculator or it just, you know, whatever writes, writes, you know, a pop up on the screen like a JavaScript alert or something. Anyways, what I would recommend, here's what I would do. Number one, if you have these C panels, get with the application owner, okay? And tell them they have to patch this immediately. Now in parallel, because maybe you're not going to light a fire under there, but in parallel, I would check out this Watchtower C panel authentication bypass checker thing and run it. If it comes back and says it's not vulnerable, well then you can email back your person and say, hey, I've got some additional insights. It looks like we're not vulnerable. Patch on schedule. Or you get the notification. You can then send them a screenshot and say, listen, I just proved that this thing is vulnerable. It's Internet facing. We are going to get hit if we don't get our crap together. And then finally, so we talked about protection, we talked about remediation. Final part, don't sleep on this one because it's important. Final part, there must be some indicator, Dan, are there indicators of compromise on this? There must be. Look, find out whatever the indicators of compromise are, meaning artifacts that would be created after somebody exploits this and go look in your SIM for those artifacts. Because just because you're hearing me talk about it right now and you tell your application person to fix the thing and you do the detection to see you are vulnerable. Someone may have exploited you just now. Ju. Like, like Fat Joe leaning back, Lean back. Exploit. Exploit, right? So like you have to see if the window of exposure was realized by a threat actor. And then now you've got a bigger pro. You have an, you have an incident, right? So you got to clean that up. So don't just assume like you patched it and you're going to call it a day. You're going to get Wade Wells on the phone and go grab some tacos because San Diego, they take Happy hour at 11am out there, you got to do it. So protect, validate, and then do detection, which is called threat hunting, by the way. Threat hunting. All right, let's go. Also, who had Fat Joe on their bingo card? Am I right?

D (19:47)

Black Axe group. These arrests made in conjunction with German police, followed house searches across several Swiss Cantons. The 10 suspects believed to be members of this Nigerian.

A (20:00)

All right, so Gibb, what does say you just exploited yourself during the test. That is true. So you could even confirm that you are able to, like, those indicators are compromised. They should appear from you doing the detection generation. So obviously, if you're exploited before, you should have historical artifacts too that you can kind of sync with. So. Very nice.

D (20:22)

Gang are aged between 32 and 54 and are accused of carrying out romance scams and money laundering operations. The gang itself, Black Axe, is regarded by law enforcement as, quote, a highly structured transnational criminal organization with a global presence. End quote. Authorities believe the group has about 30,000 registered members worldwide and describe it as highly organized. HHS.

A (20:50)

Yeah. Hello. Captain Obvious here. Like, no one. You don't have an organization of 30,000 people and not have it highly organized. All right? So, dude, I gotta tell you, for anyone who kind of like. And I'm. This is like a bit of a straw man are. Oh, this is a bit of a strong man argument. But like, some people will say, like, oh, these, you know, African countries are less developed and less advanced than, you know, United States or quote, unquote, first world countries. But hopefully this is a slap in the face to wake you up. Nigeria has been getting massive I. T. Infrastructure and growth over the last five years or so. Nigeria, Ghana, among other countries. I mean, Nigerian was the original romance scam, the 419 prince scam. Like, I've got all this money, but I can't get to it. Open a bank account and help me get my money like they've been doing. Nigeria has been doing like social engineering, individual fraud since, like email came out. All right, like, like 1998. All right, so now they got that they are advanced 30,000 people. Law enforcement. Thank you, regulators.

B (22:22)

It was.

A (22:24)

I do hope. I do hope that, you know, basically the Swiss and the German law enforcement arrested 10 members allegedly of this Black AX Network. Hopefully it's 10 high ranking members and not 10, like money mules or something like that. Because, like, what, you know, whatever. Yeah. So, dude, I'll tell you this. Like, first of all, good, good, right? Law enforcement is going hard on these. The United States stood up like a tiger team or whatever. You want to call it in November 2025 to take down and just disrupt these large scale fraudulent scam enterprises. We covered in the news yesterday, in case you weren't here, they took down some of these Cambodian based, you know, call center scam places. Now they're going after this Nigerian black AX1 good, get them all. Burn them to the ground. It's not okay. It's not okay to commit fraud. I don't care what country you're in. I don't care what your situation is. It's not okay. It's illegal. You're, you're ruining other people's lives to enrich yourself. All right, now, there's not really anything for you to do here. Again, these aren't really targeting organizations. These are targeting individuals. So yay. Like, yay for us. Like the aunt ortheas of the world, your friends, parents of the world, they're not falling for this. They do mention romance scams, which is absolutely deplorable. I will point out this. If you're looking to educate in your community or in your family, elderly people, let's say. And I know 60 and older is not elderly, okay, Just bear with me. I'd say 60 to 65 and older people who are like Gen X boomers, like more boomers. They are a target population. And, and let me tell you why it's a perfect storm. Number one, they don't really understand technology too well. It's fine. Number two, they're older, right? So their brain isn't, you know, firing as strongly. Again, I'm not saying everybody, I get, Jack Lalanne was killing it at like 90. I get it, okay? I'm just saying on balance, number three, they typically have money because they've worked, built a nest egg, retirement, whatever. And then four, the final piece of this disgusting puzzle is that a lot of times older people, especially elder people, are rich, rich targets for companionship. And I mean, I don't know how it happens in other countries, but in the United States that is not uncommon. To put your grandparent, put your elderly parent who's lost their spouse or whatever, you put them in a home and you feel good about yourself. Oh, they've got three meals, they've got a nurse taking care of them, they get help going to the bathroom. It makes sure that they get their medicines every day. I'm the best child ever. My parent is taken care of and no one ever visits them. They just sit there in their room basically waiting to die. And it sucks. And these threat actors know it. And they will call them and they will pretend to be their friend and, and they will befriend them, develop a emotional bond with them, and then they will griff the living hell out of them until they're penniless and then they'll crinkle them up, throw them away. I'm telling you right now, it's grow. I get it, I get it. You visit your, your, you visit your grandparents once a quarter, once a month. You know, you should, but you didn't. I get it. I'm not saying anyone here is terrible. I'm just saying on balance, this is what happens is, and that's what makes them a prime target. If you're interested in learning more about how unbelievably complicated the romance scams are, look at this. ABC News did this amazing report on ransom exc. I mean, oh my God. Why they type ransomware romance scams. I, I'll leave this to you as a, like, as a homework assignment or if you'd like to dig, dig deeper. Listen, I know, I'm sorry, it is, it is terrible. What I just said is not, is not, it's not good what I just said. But I also, dude, some truths are hard to listen to. Just because it doesn't sound good doesn't mean we don't say it out loud. I'm gonna call my, my uncle today. I probably should have called him sooner than that, you know what I mean? I, I, so anyways, look at this. ABC News. Oh my God. Not Australian broadcasting. Look at this. I'm gonna drop this. This is from February 2019, seven years ago. 43 minute documentary. Meet the scammers. Breaking hearts and stealing billions of dollars. And I'm just gonna show you this really quickly. This news report went into a village in Ghana and talk to them. Their entire village is in on this romance scam. The older guys, they have scripts. They train the youngs, like the 14, 15, 16 year olds on how to execute the scripts. They hand, they hand off Personas and they make tons of money and they see nothing wrong with it. So these are the criminals. Our family and loved ones are the victims and we have to educate them. And, and by the way, law enforcement is taking action to help us with this. So thank you very much.

D (28:16)

Ponders government posture for protecting.

A (28:18)

I'm going to link this ABC News video. Like I said, It's 40, 43 minutes long. It's an excellent documentary on romance scams and I think it'll really give you an insight on how these operations actually work. Like I don't know why these Ghana guys did this, but they gave ABC News unfiltered complete access to their entire operation.

D (28:42)

Data centers. This question revolves around whether to designate data centers as a standalone critical infrastructure sector, given that they are regularly targeted. A hearing was held Wednesday to contemplate whether the federal government currently has the right setup for defending them. Some industry witnesses and experts at the hearing of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection suggest that data centers be given their own standalone designation, especially in light of the boom in the building of such facilities across the country. This would follow a move already taken by the UK New PI all right.

A (29:22)

Hey, by the way, for all the people in chat who are sharing their own personal experiences of loved ones getting scammed for. I saw Luke talked about 25 grand or 45 grand. Someone else. 25 grand. Like, that's. It sucks. It sucks. And it also further underpins that this isn't some theoretical threat. This some maybe, you know, attack. Like, this is what's happening, man. All right, well, the good news is, since I went so long on the other stories, I'm only going to take a minute on this one. Congress in the United States is thinking about spending money to make data centers critical infrastructure. I got two things on this one. Number one, if there was ever. To me, this is like a thinly veiled. These AI companies are making ungodly amounts of money. Tech oligarchs are secretly kind of running things, and they need data centers because that's, you know, you gotta, like, data centers is like the, the, the illegal drug that a junkie needs. Like, AI needs the data centers and. But they're really expensive. How the hell can we get someone else to pay for it? I've got an idea. How will you. How about we pass legislation that makes taxpayers pay it? So if I had to guess, since I'm just a schlub citizen, this will get moved forward. It will get passed. And you and I will be investors in a data center that we will get no returns on. Also, not to get super political, but looking at other things that the government is suggesting that we pay for. I don't know if anyone else saw the great state of South Carolina's own Lindsey Graham yesterday talking about. I can't wait, can't wait to pay for that ballroom. Super pumped that they're reallocating taxpayer funds to cover that. That's great.

D (31:20)

Yay on Backdoor uses tunneling service to steal browser and cloud credentials. Researchers from security firm Securonix have Disclosed details of this stealthy Python based backdoor framework called Deep pound door that is D E, P sign or hashtag door, D O O R. Deep door that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. The batch group.

A (31:53)

All right, Python. Dude, Python's a great language if you're looking to learn a programming language to get started, Python is where I would start. This one is a backdoor using tunneling services. Okay, so guys, real quick, there should be. I'm going to guess there's an infograph on this one. There should be. This is. This is C2. This is data exfil. This is not new. This isn't like we have not invented. This is not innovating. Guess what? We already have a wheel. This is not a new wheel. All right, so let's see what they do. Do we have an infograph? No, but we do have some, some source code that's all sorts of, you know, obfuscated. Right. So they're using TCP tunneling for C2. Of course. Whatever. All right, so why wouldn't you listen? I. I don't know. Hey, are there Deb and Grady? You. You're trained pen tester. If there's any other Tyler Ramsey, if you're awake in here, like, isn't all Daniel Lowry, I think is in here, Like, I'm sorry, isn't all C2 over TCP? Like, maybe I'm wrong. Why would you use UDP for C2? Don't you want to make sure that the data you Excel is accurate and correct? Don't you want to make sure the cred you get is accurate? Who the hell is using UDP for C2? And by the way, really quick for everybody in the chat who's like, what the hell is this guy saying with all these acronyms at the transport layer of the OSI stack, right? There's. There's a bunch of protocols, but the main ones are TCP and udp Transport control protocol and user datagram protocol. You don't need to know what those mean. Just TCP and udp. The big difference is UDP is connectionless. It doesn't care if you've ever streamed video and it's gotten pixelated. It's because it's coming over udp. You're not getting all the packets. That's what pixelated is. The data is not there. TCP is connection full. You have to. You ever heard of a three way handshake? It establishes it that way. If you send data and it doesn't come through. You can say, I didn't get all the data and the sender can send it again to make sure you get it all. If you're. If I'm stealing CRA credentials, I don't want assword 1, 2, 3. I want password 1, 2, 3. You picking up what I'm putting down? Whoo. So, okay, everybody, here it is. It is dad Joke Friday, so the UDP jokes are flowing in. I love it. Thank you. So anyways, I. Whatever. New Python backdoor. So what does this mean for me and you? If you are a pen tester, maybe you want to look into this. But if, for the most part, SecOps people, we want to look for this back door. But by the way, can I just point out the obvious? When you have a Python backdoor set up and exfilling data out of your environment, you've already been compromised. The initial infection has already happened. You. This is post exploitation. Your EDR failed. Your awareness training failed. Your. Your. Your protection mechanisms failed. You've got. You got to get it sorted out. You have an incident going on. My guy. We need a My guy sound effect, by the way. I don't know what it would be, by the way, as just a deep cut since I'm feeling kind of silly today. This is like a very, very deep cut. But when I think of My guy and having a sound effect. Do you guys. This is like a wicked early. This is like one of the very, very, very first viral videos ever on the Internet. It was. It wasn't even YouTube. It was Ebomb's World. The guy with the creatine who's like, jaeger bomb. Jaeger bomb. Jaeger bomb. And he's like, not now, chief. I'm in the zone. Like, that video. I feel like there's a sound bit from that video that should be the My guy sound effect. Anyways, like, whatever. Find the IOCs. Be careful. They don't talk about what the initial infection is, do they? Initial? No. They don't even tell you in the story.

D (36:19)

So whatever is distributed via a fishing campaign, although it is not known how.

A (36:25)

Oh, my God. I said it doesn't even tell you how. And then immediately, Steve Prentice is like, it's in. It's in the. It's in the freaking fishing campaign. Ah, bro. Jesse Johnson, cosmic cowboy with the assist. Guys, this is it right here. Not now, chief. I'm in the zone. Oh, my God. Such a yesteryear. Devin Grady knows this one. Guys, here's your little ounce of wayback Machine. Today we'll get a sound effect for this thing. Jaeger bomb. Jaeger bomb. Jaeger bomb. By the way, Jager bombs make me puke. Just so you know. So don't, don't think you're doing me a solid in Vegas if you buy me a Jaeger bomb. Because I will drink it because you bought it for me. But then I will immediately throw up.

D (37:08)

Widespread the malware distribution has become. The attack chain is noteworthy in that the core Python implant is embedded directly inside the dropper script in a way that reduces the need to repeatedly reach out to external infrastructure, thus minimizing the forensic footprint.

A (37:25)

All right. I mean that's kind of cool. It's normally initial payloads will reach like initial payload will do the thing and then it'll reach out and pull down second stage for actual infection. In this case, it's baked in. Yay. Like

D (37:42)

huge. Thanks to our sponsor, Guard Square, attackers are treating your mobile app like an open book. 63% of security leaders recently detected app tampering, cloning, or unauthorized modifications. When your code runs in an untrusted environment, you need runtime, self protection and code hardening to keep attackers out. Address tampering before it starts. Learn more@guard square.com that is G A R D S Q U A guard

A (38:16)

square.com oh yeah, get me an IPA. TJ knows the the score here. All right, let's see what can we guess we'll do? Actually you know what, I don't even know if this is going to flag a. I don't know if this is going to flag a freaking copyright strike. It probably will, but. No, you know what? I'm not going to do that. I'm not going to do that. Here we go. All right guys. Hey, we are at the mid roll. I'm saving the copyright strike so everybody at home can enjoy the dad jokes of the week. Thank you again to the stream sponsors who enable me to bring this show. And you know what, another thing. Threat locker, anti siphon flare. Can I just tell you another thing about the stream sponsors? I have such a good relationship with these sponsors. Not only do they sponsor obviously, but they never get into my business about how I run this show. I have complete autonomy in how I do this and it's because of that, you know, you get the show, you get and I love it. So thank you. All right guys. Every day of the week as. Did we get any first timers? If you're here for the first time, drop a hashtag. First time in chat, let me know hey, remind me of. Remind me at Cyber career Hotline if you guys want to hear. I have a story about Zambuca on Christmas Eve2019. I had a tough guy contest around a fire pit on Christmas Eve 2019 with a bottle of Zambuca. I won. I won. But did I really win, ultimately? I don't know. All right, guys. Hey. Every single day of the week has a special segment, and Fridays is dead. Joke of the week, presented by James McQuiggin. At 35, 000ft, this dude brings the dad jokes. You enjoy him. So let me drop. Hey, straw hat sex. First timer. Okay. Welcome to the party, pal. All right, guys, let me give you the dad jokes. I do not read these jokes in advance, so you can enjoy them with me. James says, seeing it as it's May 4th on Monday, and that's May the fourth be with you. A Star wars reference. James says, what do you call a potato that has turned to the dark side? Jesus. What do you call a potato that has turned to the dark side? They are Vader tots. Vader tots. Drop that on your children today. That's hilarious. If Annie is short for Anakin and Ben is short for Obi Wan, and Chewie is short for Chewbacca, what is Luke short for again? Annie for Anakin, Ben for Obi Wan, Chewie for Chewbacca. What is Luke short for? Luke's short for a stormtrooper. Oh, all right. That's a reference to the. When they rescue. Rescue Princess Leia. She says, aren't you short for stormtrooper? Finally, James says, what kind of cars do Jedis drive? What kind of cars do Jedi drive? Jedis, they can do, like, flips and stuff, but, you know, they do need transport to get where they're going, but they prefer Toyotas. Toyotas. Oh, hold on. Sorry, misfire there. I just. All right, so. All right. Hey, and then I've got one for you really quick. I'm gonna do my best to tell it. This one's from Mrs. Ozier. Although if I butcher the joke, she will. She'll. She'll disavow that this is her joke. All right, guys, I. Nadine. My wife's name is Nadine. Nadine, the other day was on Instagram, and she's like, oh, cool. This is a fun fact. And I'm like, I like fun facts. Give me a fun fact. And she's like, did you know. Like, you know. You guys know koi fish? Like the Japanese cool fish? Koi fish. She said, do you know that koi fish actually travel in packs of four and I, I never noticed that. I was like, actually, I never noticed that. But now that you bring it up, it's interesting. She's like, yeah, they, they travel in packs of four because if there's a predator, which a lot of times koi ponds don't have predators in it, so you never really get to see this. But if there's a predator that enters it, the A, like so of, of the four koi fish, right? Like the aoi, the B koi and the seoi will run this way and then the decoy will stay. The A, B and C koi go this way and the decoy will stay. All right, all right. All right, guys, let's get back to the news. Thank you very much. Don't go anywhere, by the way, because at the top of the hour we're going to do cyber career hotline, helping people out with their career.

D (43:18)

Almost half of UK businesses pwned last year through phishing. According to the UK government's latest Cybersecurity Breaches Survey released yesterday. Thursday, 43% of businesses and 28% of charities reported a cyber incident. In the past year, this translates to approximately 612,000 UK businesses and 57,000 UK charities. And these numbers have not improved since the last report. The report states that phishing is the most successful penetration technique at the especially impersonation emails that pose as tech support and which send employees to fake login pages. Malware, ransomware and unauthorized access all trail some distance behind. The report says.

A (44:06)

I mean, dude from the office of if it's not broke, don't fix it comes, you know, the best attack vector ever. Fishing. This is why. I don't know. If only there was, if only there was some way to stop phishing. If there's only what? I, I, I, I don't, I don't know if there was ever anything that could ever help curb phishing success. Oh, oh, I know. How about end user awareness training? How about educating people on what fishes look like? How about telling them not to run PowerShell through a command prompt? How about telling them that the fact that they won tickets to the Masters is completely unrealistic and no, they didn't. I don't know, just an idea. Also, I'm being, I'm being harsh, of course. Like there are fake it, you know, jobs, fake developer jobs. You know, people are in a hurry, sales engineers thinking they're getting a deal, finance people getting fake invoices to pay. There's a Lot of ways to do it, but dude, it's it. Ever since email came out, it has been the number one attack vector like I've seen, you know, depending on whose report you read, like a company that sells email security gateways will tell you like 150% of attacks come from email. A normal kind of unbiased report will still say something like 70 to 75% involves some type of fishing communication whether it's email, phone call, calendar, invite, whatever. So like you've got to educate your end users. Half of UK businesses pwn last year and this like, by the way this is not like a great Britain issue. This is like to me, if anything this is just a microcosm of a larger macro problem. I bet you a lot of U. S businesses were pwned through fishing last year, okay? So don't, don't look at this and you know, slam your, you know, your, your ice house beer in the back of your Ford 350 diesel and be like ah, America, don't fall for fish. No, like this is a problem that everybody falls for. Okay? This isn't, you know, if you drink tea and have your pinky out kind of thing, it, you fall for fishes. Okay, I'm not even gonna read the story like dude, just it's we all know what a fish is. Stop. Although I will tell you, I, I work at the citadel military college if you didn't know. And I teach freshmen and these 18, 19 year olds I sometimes I'll ask them do you guys know what efficient email is? Because I, I assume it's obvious and a lot of times they will not know what a phishing email is. So don't make any assumptions that your user population knows what these fishes are. Number one thing to tell you is consistently consistency, consistency, be consistent, tell people once a week what a fish is and if they get like oh my God, ey roll, I know what a fish is. Great, you've done your job. You're looking for that eye roll but just remember someone has to hear it for the first time. The first time

D (47:24)

North Korean attacks use AI inserted NPM malware. Researchers at reversing labs are warning of malicious code in an NPM package as a dependency to the project by Anthropic's Claude Opus large language model. The package in question is validate SDK v2 which is listed on NPM as a utility software development kit for hashing, validation, encoding and decoding and secure random generation. However, its real functionality is to plunder sensitive secrets from the compromised environment the package, which shows signs of being Vibe coded using generative artificial intelligence, was first uploaded to the repository in October of 2025. Reversing Labs has named this malware campaign prompt Mink and has linked it to North Korean threat actor famous kma.

A (48:21)

All right, so North Korea continuing to expand their offensive security capability right now they said that this is tied to a, a North Korean threat actor group called. What? I didn't even hear what they said. KMA or something like that. I, I don't know where it is in the story, but they have Lazarus, they have Kum Kumar, Kim Suki, they have others, and they're just continuing to increase this supply chain attack on NPM or Pypi or GitHub. This is not new, but it is highly effective, which means threat actors are going to continue to push on this. Now this attack started in October 2025, so don't be like, oh my God, 2026 is the year of Vibe coded malware. No, no, no, no. It's been a thing for quite some time. It's going to just get more effective. All I can say is, number one, if you're running or if you have run this validate SDK v2, you know, obviously you've got issues. The, the fact like I wouldn't even like as, as a practitioner, like I'm not getting wrapped around the axle that this is Vibe coded AI. I don't care that it's vibe coded AI. Like the, the problem is what is the workflows around using these open source software projects and how can we reduce the risk of those. So again I, this is me like kind of whiteboarding over here with you guys. But I, I don't. Phil Stafford might have an answer on this one is fill in the chat. There's got to be a way for like AI can write this malware. So I feel like AI can quickly review the software to see if there's anything kind of sussy sus about it, right? So right now if you download a package, right, like scanning it visually, you can do that. But chances are unless it's like gross obfuscation or super obvious comments about being malicious North Korean glyphs or whatever, like you're not going to see that it's malicious. So if you can use AI to scan code and tell you, give you at least a better level of confidence, that might be a solution. But like, you'd have to build it in your pipeline. A lot of times with these packages you're not real. It's not like you're going to NPM and like right click, download and now you got a file and you're putting it in a folder and you're opening in an ide. A lot of times you're just saying like, I mean, I'm not familiar with NPM in this way but from like, from a Python perspective you're typically saying like pip dash r requirements txt enter And PIP is just downloading all of the requirements that you need and you're not looking at them, you as a developer or as a, you know, a hacker if you will, hacking together some code. You're just trying to get your thing to work and you'll pull down all these dependency files so you're not even going to look at them. So in my mind, the pipeline, we have a bigger issue here. The pipeline needs to include some type of like validation or, or sniff test if you will, of the packages being brought down. And I'm willing to accept an extra 10 minutes, right, which is outrageous in the world of like, you know, command line pulling down binaries and stuff like that. I'm willing to have 10 minutes, dude, like pip, install requirements, let's go and then I'll go get coffee or I'll go to lunch, whatever. At least I have some level of assurance that the frigging software I'm pulling down isn't North Korean malware. You know what I'm saying? But this is a bigger problem that has to be integrated into workflows and in developer pipelines and stuff like that. So anyways, what I would suggest, again, this is like turning the cruise ship around. It's not easy, it's not, you don't, it's not like turning around like a, you know, a. What do they call those frigging things? John Boats. We're not just whipping a UE in the middle of the pond here. This is turning a cruise ship around. You have to talk to your developers, you have to talk to your researchers, you have to talk to your engineers. They'd probably be excited about trying to solve this problem. By the way, as a card carrying nerd, I can tell you solving a problem of that, this, of this technical nature is quite exciting and it would be quite satisfying. So but you've got to do it or you're going to. To me, to hopefully this doesn't get flagged or something but to me this, what's going on with supply chain and developers and all these malware packages, to me it sounds an awful lot like having a. I'm going to Try to say this without saying any keywords that might get me flagged, but imagine having a device that a sheriff in the Wild west would probably have in a holster and then spinning the barrel of that thing, or whatever they call the thing where the, where the, the incremental units that get deployed from that device go out. But only having one out of the six possible containers that would hold the element that would be entered in there and spinning it. You're picking up what I'm putting down. Like, you may not get infected today, tomorrow, next week, but eventually spinning that thing, you're gonna get one. You're gonna take a hot one at some point. Also, I just thoroughly enjoy trying to explain that concept without using any of the keywords. I feel like that's like a, one of these evening night adult games where like, you can't say the word, but you have to describe it.

D (54:09)

Ilya Ramirez takes over as top House cybersecurity Democrat. The Illinois representative is taking over as the top Democrat on the House Homeland Security panel's cybersecurity subcommittee, replacing former Representative Eric Swalwell after his resignation. She is a vocal critic of the CISA cutbacks and the current administration's Department of Government Efficiency initiative led by Elon Musk. But she's also expressed criticisms of US Cybersecurity under the Biden administration, including of Microsoft's role in the Solar Winds breach light.

A (54:46)

All right, I haven't been following this too closely. I don't know why Eric Swalwell resigned. All right, so, Delia Ramirez, welcome to the party, pal. Welcome to the party. Space Tacos and TJ right on top of the welcome, I guess because she's a first timer. To the, to the, to the role. I love it. I love it. Delia Ramirez, you are welcome at the Simply Cyber Live streams. Let's see, so she's relatively new. She's been in Congress for four years. All right, so she's a champion of cesa. She's all, she's all pissed off openly about the CESA budget cuts. All right, she is by. She is balanced, though. She has. She's had some public criticism of the Biden administration and how Microsoft handed Solar Winds. I don't know. I mean, let's see, whatever. Oh, Swalwell had allegations of sexual misconduct and that's what resulted in his resignation. Nice job, dude. All right, so it seems like she's going to be a champion of cesa. We'll see how it goes. I don't know. I don't think a lot of things are moving until November or, you know, whatever, I guess.

D (56:32)

January 27th LLM bug exploded 36 hours after its disclosure. Attackers quickly exploited this critical CVE numbered flaw in the Light LLM Python package to access and modify sensitive database data via SQL injection. And this happened just days after it became public. This vulnerability is an SQL injection in the proxy API key verification process that lets attackers access and potentially modify database data. The attacker does not need valid credentials. By sending a specially crafted authorization header to an API endpoint, they can manipulate the query executed by the database. Researchers working for the Sysdig Threat Research team have observed the attacks in the wild.

A (57:21)

All right, so a couple things. One, I want to say welcome to the party. Towel to Mid Mad Chimpanzee 549. Welcome to the party. I'm sorry, you guys were welcoming him to the party and I was like, oh, you must be talking about new, new representative Delia Ramirez. So my bad. But Mad Chimpanzee, I hope you get value from the show. All right, so two things. Number one, Light LLM, this is the second time in like three weeks Light LLM has been involved in like big bugs, big exploits. I think Light LLM was involved in that team PCP Trivi vulnerability Scanner nonsense not too long ago. So guess what? Light LLM, you busted. You burn me once, shame on you. You burned me twice, shame on me. I, I would rip this thing out of my environment if I could and just find an alternative, right? I mean, what, what's the worst could happen? The alternative gets exploited. Don't worry, Light alum's got you covered there. They say hold my beer. All right, so, so basically this is you can send a malformed packet to the API and it's going to process it and allow you to have the, the friggin AI run whatever prompt you wanted to. Now it says SQL Injection, which is weird because I thought they said malform packet to an API. Let me take a look. Daniel Lowry is on it. Say. All right, so it's a SQL injection in the proxy API key verification process lets attackers access and potentially modify database data. All right, so if you think that SQL Injection can happen in 2026, here's evidence that it can. SQL injection is one of the top 10 most. The OS top 10 categorizes like the top 10 vulnerabilities on web apps, like things that shouldn't exist in web apps. SQL Injection is like number three on that list. And it has been, you know, it's been bumping around over the years. But it's always been there. You don't need valid creds as you often don't do in SQL injection. There you go. So this is a cool. There's a lot of like great juicy details in here. Who's the, who's the security researcher that discovered this? Is. They have a blog post on this one. Yep. Sisdig had did a report on it. Here it is. I'm gonna drop a link to the sysdig one to me with security research. I always want you to go to the blog post of the security researcher. They're the ones who did the hard work. The news outlet reporting on it. They're doing their job. But. But the juice is always at the blog for the security researcher. Yeah, look at this. We got all the juicy bits, technical details showing. Look at, you can see union select API key. They got the SQL injection. So if you're interested in learning what SQL injection is, this looks like a good one. Now what do you got to do today? Let me see. Do they have. Is there a patch, bro? All right, so here we go. Like, like any really legit blog post they offer indicators of compromise. How can you verify whether or not your light LLM instance has been compromised? You can use that here. And then how do you fix it? Number one, you got to patch it. Ah, you gotta patch it. Number two, you gotta configure it to be restricted to only what needs to happen. Thank you very much. And then number three, it says inventory. Yes. You could have these things run around in your environment because you got some slap happy researcher who's basically knows enough to be dangerous. This is an example of that. Knows enough to be dangerous. This requires no authentication and if it's a API endpoint that is Internet facing, you better believe it's going to get cracked open. So get on that. Great job sis.

D (61:31)

Dig if you have some thoughts in the news from today or about.

A (61:34)

All right, here we go. All right. What's up everybody? We just did the show. We did the thing. I hope you enjoyed it. Mad Chimpanzee, our first timer. Hopefully other folks who are were first timers this week are still with us and enjoyed it. If you did, I hope you did got. Oh my God. What are we doing here? I hope you got value from it. We do it every single day at 8am Eastern time. If you liked it, tell a friend. If you didn't like it, tell me why and we'll see if we can't remediate it. But don't go anywhere because we Have a hidden show. That's right. This is a show that doesn't really have like a start time. I mean, it doesn't have an official separate channel or separate show. This right here is the underground and you're here for it. Welcome to Cyber Career Hotline. For the next 30 minutes, we're going to be answering all your questions. So get them in chat. You can see. Give what dropped a Q in here. We're going to get that going in just a hot second. I'm Jerry from Simply Cyber. If you got to get out of here, have a great weekend. Otherwise, let's go. Oh, by the way, I think today. I think. Hold on one second. Oh, no, you can't see my personal calendar. Hold on. At 1:00 clock today, I believe on the Discord server, we have. Let me stop this music really quick. At 1:00 clock p. M. Today on the Simply Cyber Discord server, we do it the first Friday of every month. We. We're going to do another AMA session, but it's not streamed, it's not recorded. It's much more intimate. Come on down, Simply Cyber. If you're just on the Simply Cyber Discord server, you will get a ping at one o' clock that we're live. I have a. I have a lunch appointment at 11:30, so I'm going to try to get back here as best I can. By the way, casually Joseph and other Charleston people, it's at Rancho Lewis, which is Chef's Kiss. I can't wait. All right, I'm Jerry from Simply Cyber. Let's go get started on Cyber career hotline. I'm Dr. Gerald Osher. This is the Cyber Career Hotline. If you're building a career in cyber security, this show is for you. Let's get into it. All right, everybody. Welcome to Cyber Career Hotline. I am your host, Jerry Guy. Coming hot off the heels from the Daily Cyber Threat, hosted by that nerd, Dr. Gerald Dozier. My guy. Why am I wearing the same shirt as that nerd? This is a cool shirt. It reminds me of the 80s run DMC. Not something you walk around puffing your chest out about, talking about information Security awareness training, you dork. That's right. I'm different. I'm edgy, I'm cool. This is Cyber Career Hotline on Fridays, which means only one thing. We're doing a panel. Ladies and gentlemen, we've only got one panelist in here. If you have access to the DM chats and you want to come on for the panel, we. You know phone lines are open. Ladies and gentlemen, it's been a minute since we saw our friend, but he's a long time Simply cyber community contributor. Ladies and gentlemen, Fleetus post in the third. Hey, Flatus.

B (64:46)

Good morning everyone. Happy Friday.

A (64:48)

How you doing, dude?

B (64:50)

I'm living the dream over here. Living the dream.

A (64:52)

All right. Fleet is posting the third. Living the dream. Fleet is just because it's been a minute, we have a bunch of new timer first timers. New or new New people. Give us, give us 30 seconds on what your perspective is. That way people know that they're not asking pen testing questions of you.

B (65:09)

Sure. So I am approximately a 20 year IT cyber defense professional, worked in regulated utility financial software development and now work for an additive manufacturing company who produces commercial 3D printing software and printers.

A (65:24)

That's right. And his boss is my old boss, so we share that in common and Solid. Solid dude. All right. Hey, we got another panelist coming on. If you enjoyed the dad jokes of the week, you know, maybe you did let him know, but if you didn't let him know for sure. Ladies and gentlemen, James the Quicken at 35000ft.

C (65:44)

Good morning everybody.

A (65:46)

How you doing, James?

C (65:48)

Oh, you know, living the dream and surviving the nightmare.

A (65:50)

I love it. James, thanks for the jokes of the week. They were excellent.

C (65:54)

Oh, and the follow up from Mrs. Ozier. Ah, really nice chef's kiss. You guys will have a good dad joke. The decoy.

A (66:02)

I will let her know. She, she will, she'll be happy to hear that. All right, so we got some quite. You got something Fleetus.

B (66:09)

So I was gonna say, James, I actually used that joke when we were down in Puerto Rico because of the koi pond that was right there beside the place we were staying at. So that was when he started. When he started that joke was like, that's a good one. This is gonna land well.

A (66:21)

Oh, I love it. All right, Zach with a little bit of constructive feedback saying he has a problem in my face. Hopefully the glasses help mask that. Zach, I appreciate your feedback. Plus Zach sharing some huge news on LinkedIn publicly yesterday. So if you didn't see Zach, maybe you share it in chat or I'll bring it up and we can put the spotlight on him. He hates having the spotlight on him. So if he's going to call my face ugly, we, we're going to bring up his LinkedIn post and celebrate him. Gib. What says? Where's the sweet spot for educational security reminders for the end users? What topics? Business, email, compromising, phishing, Smishing, fishing. Now, what's interesting, Gib, what is number one, I'm a huge GRC dork, so this is like in my wheelhouse. Number two, this guy right here, this is his specialty. And Fleetus runs a program of his own right now and does this. So let's, let's actually do a panel on this one really quickly because I'm sure we all have different hot takes on this one while I pull up Zach's post. Go ahead, Fleetus. Answer the question, please.

B (67:28)

Yes. So it's knowing your audience. It's actually knowing where your audience is, what their objectives are. So for those who've heard me and the preacher James has done something similar, is we have to start with the business. We have to speak business first and then speak our tech. So any educational material has to be tied to how it's going to impact their job. So when I'm talking to financial folks, I want to steer them into that. Accounts payable, this is what you should look for. This is how you interact with accounts payable. When I get to marketing, this is how you can safely use chat, GPT or copilot to produce your materials for R and D. This is how quad code, this is how MCP servers work. You have to tailor the communication to what they're doing. And then if you're talking to your executives, show the roi, tell them what the return on investment is going to be. If I stop a BEC attack, which is roughly a million dollars, whatever your number is for your industry, or if a social engineering attack, this is what it's going to save. So they want to see the numbers like metrics, KPI. So your key performance indicators, your R and D teams just want to understand how to securely do something with an MTP server. Your marketing team, your talent team, just give them tips and tricks of how to interact with PDFs, because they are all going to interact with a PDF in some way, shape or form. It's an invoice, it's a marketing material, or it's a resume.

A (68:52)

James, give us some love.

C (68:56)

What's that saying?

B (68:57)

Go.

C (68:58)

Beatings will continue until morale approves. Well, it's all about. It's all about the carrot, not the stick. You're gonna have folks that are gonna push back. You're gonna have folks that be like, why can't the firewall stop the phishing emails? It is as fleet as we're saying. It's all about making it relatable. Put it in their words, put it in their business terms, put it in something that they can relate to. For me, my favorite analogy is the front door. You know, nowadays we've got video cameras on front doors and when that doorbell rings, if it's not the Amazon guy, a friend coming around, or the pizza being delivered, I am checking that video camera because I want to do a little more, see who it really is before I take any action. Gotta do the same thing when it comes to, you know, the business email compromise, the, the phishing, the vision, the voice fishing, the, the deep fakes and everything else. You got to be a little more skeptical, got to do a little, maybe take an extra moment, especially if you're not expecting it and certainly if there's a link involved or some sort of action you've got to go through and just verify that it's legit. And if you're not sure, then ask or report it in. Hopefully a lot of your organizations have that capability to report that sweet spot for the education. Again, know your audience. Just like Fletus was saying. You know, maybe it's once a week, once every couple weeks, but do different media types, videos, newsletters, lunch and learns. Whatever, whatever it takes to get out in front of your audience.

A (70:29)

I love it. James, just from a programming note, can you tap the microphone that you think you're speaking into?

C (70:35)

Hang on.

A (70:41)

You just tap the microphone.

C (70:42)

Well, this, does this sound better?

A (70:44)

I think it does, yeah.

C (70:45)

This one here?

A (70:47)

Yeah, that's hot now. All right.

C (70:49)

I was going off the MacBook. Sorry.

A (70:50)

No, it's all good. Hey, great question, Gib. What? Hopefully everybody got value from this. I will just add really quick high level things. I, I send weekly emails to my end users and they're usually three sentence emails. I and I, I, I include a little video because people are curious and they like to. People don't want to work, right? Like, I know, like I'm, this is a super oversimplification, but if they get a work email that has something entertaining in it and their boss walks by, what are you doing? Well, I'm watching the video. Jerry said I'm blowing. But like it's not work. It's, I mean it's work class classified as work, but it doesn't, it's, it's entertaining. So like they can do the thing and you get a lot of traction with that. All right. Oh, really quickly, let me just share this. I just, I just dropped this in chat. We're going to go ahead and pin it. We do like to celebrate our own, our own wins here in chat. Let me go ahead and do this. Let me do this. Let me do this. For those who didn't catch this, our very own Zach Hill. Where is it? Our very own Zach Hill published yesterday, in an effort to remain true and authentic to himself and to the entire IT community, he's thrilled to announce he's joined Network Chuck Academy. So there you go. If you if it's IT career questions in chat, feel free to let them know how you feel about that. I'm super pumped for, for you, Zach. Congratulations and look forward to all the amazing things that you'll be able to do over there with Chuck and his team. All right, Warham says anyone have an experience using platforms like DRAA to automate audit evidence collection? Collection. Fletus. Are you, have you done any GRC engineering? Like, are you integrating any products?

B (72:41)

I have, but I haven't used this product. So a lot of the stuff that I've done is the policy of code. So I put it into my IAC to collect the information versus just collecting screenshots during an audit. We produce JSON files for the auditor to parse and they're like, what do I do with this? I was like, well, either you write a little Python script or you go find a piece of software that can graph out what you're looking for from this JSON. Or we just gave them access to, as a reader to all of our pull requests so they could see the firewall changes that were pushed, they could see the code changes, who approved them, how they were approved to get the change management evidence. But from a product point of view, this was all homegrown. Using policy as code through cloudformation and terraform.

A (73:27)

Thank you very much. And just so everybody knows, I will be having some GRC engineering. How you can do it. Content coming out on Simply Cyber probably in late May, early June. I'm very excited about it. I'm working with a woman named Ashley Pierce. You can go pull her up. She's got some really great fundamental GRC engineering, but like practical, hands on, like, like, like running code and, and pulling things and checking, you know, is an AWS S3 buckets incorrectly configured and stuff like that.

B (74:00)

Yeah, another little teaser here. I am writing a technical GRC workshop for Continuum Con 2026 that I will be putting on.

A (74:08)

There we go. Fleet is posting the third dropping bombs. I love it.

C (74:12)

Good stuff.

A (74:13)

I feel sometimes. Kai Cipher. I feel sometimes the return on investment referred to as ROI is more qualitative than quantitative. When you're required to quantify what's the best way to do that when all you have to do is go off qualitative information. James, how do you make this argument?

C (74:34)

That is certainly a challenging question right there. Yeah, I mean, when you've got. I'm having to think about this one.

A (74:43)

Yeah. I mean, I could take a stab at. I was just trying to share the, the love.

C (74:47)

I appreciate that.

A (74:48)

Yeah. No, no. So I'll take, I'll take a cut at that. If all you have is qualitative information, what I would recommend is start pulling industry reports that are, you know, from verifiable, reputable sources. Verizon data breach incident report, IBM X Force report, the Mandy and M Trends report. You can start having these best of breed statistics and then you can almost use like a fair model approach where you can't say 72% of things are this, but you can say we have a 58 to 74 chance if we do what we're currently doing of suffering a cyber attack which will result in between 300 and $800,000 of damage within the next 12 to 18 months. So like, basically you can quantify within st statistical ranges instead of trying to hit it directly on the dot. So for ROI, you could say, you know, hey, if we invest $100,000, the perceived return on the investment is between 200 and $300,000 based on this data point. This data, this data point. When you are making this argument to the cfo, cio, CEO, what I just said, have that on, like, this is more detailed on how to communicate to that audience, but have that on a backup slide. If they ask the question, you want something very, very simple, like super basic, like you're talking to like a third grader. And I know that sounds like I'm insulting the executive people, but it's not. They just want to know instantly how did you, like, what is this and what does it mean to me? You provide all that and then if they say like, where's this coming from or what, what does that mean? You can just go to the slide behind and be like, you can see here, here and here, but don't put that up front. No one cares in the room that like you're able to like do calculus unless they want you to. To see that level of effort. James, now that you've had a minute, any thoughts?

C (76:38)

Yeah, what you said. Yeah, yeah. I mean, you're dealing with the, the quality of the, the substance of it versus having actual numbers, you know?

A (76:53)

Yeah.

C (76:53)

Getting the different reports, looking at ways that you can validate the, you know, the program that you're going to implement. So, I mean, security awareness training is, is kind of one of those prime examples where you're doing risk avoidance more than anything else.

B (77:10)

And how do you, how do you,

C (77:11)

you know, show an ROI on that? Granted, yeah, you can go get your Verizon data breach report and go, look, this is how much it costs. Costs for us if we get breached. If. And a lot of the time, the risk appetite of your executives and your leadership is a lot more than what we think should be taken. But, you know, that's why they're, they're that executive level. But yeah, if you can go through and show that. But a lot of the time it's just a matter. Also, once you've shared it, they still may be willing to take on the risk. And you need to make sure that they are willing to take on the risk and they sign something that states, yep, we know about this and we're accepting the risk.

A (77:48)

Yeah. And Fledus, you recently did something like this. Share that with the audience, please.

B (77:52)

Yeah, so you, you kind of stole a little bit. But I went to the CFO and I asked for the weighted cost for a specific line of business. Like, what is our weighted cost for these employees? And then we were doing a rollout for cmmc, so we knew what it would cost to do the deployment, and then we knew how many users would be in this environment. So we took the math and said, this is what we need to deploy. This is the licenses we need. This is the qualitative. And then we went back to the sales team. What do you have in the pipeline? Do I have enough sales to justify the spend to build this environment? So let's just say to keep Our number simple, 1% of the business was coming from them. We do. Let's just keep our math simple. $100,000 of 1% is nothing. So it doesn't justify the cost. Well, if it's a million dollars in the pipeline, 1%, I can justify that. So we take the numbers of what's already in the pipeline or confirmed deals to justify the spin to build a dark room or an enclave for the CMMC world.

A (78:48)

Yeah. And let me share one other thing, because this is a, this is a lesson that I didn't learn until late in my career. Okay. Do not try to be, be real with yourself. Don't try to back into something. Don't be like, you know what I think we need? I think we need dlp. So let me go find statistics that support that argument and let me back into an roi. That should shows why this is. Be objective, do the work. You might find that it's actually a terrible investment to invest in DLP and like, you could spend that money elsewhere. So, like, I just, because I remember younger in my career being like, oh, like, I know what, we need this now. I want to find every type of thing that, that is biased, that can help me achieve what I'm trying to achieve instead of trying to be open and realize, like, listen, I don't know everything. So let me go gather data and use that data to help me make an informed decision that I can then bring to the business. Because if I take it away from me, just I'm the smartest guy in the room and be like, what can I do? What can help this business the most right now? And if I, if I treat it like that's the goal, then you're going to get better results and obviously the ROI is going to prove out itself in the long run. Just a hard truth of me being a knucklehead when I was younger in my career, Berg says, what resources do you recommend to learn skills? To become a SOC analyst, building a home lab, but other sources, there's so many out there. Fleetus, you've dabbled. You've got blue under your fingernails.

B (80:24)

So this is a tricky, tricky question. And the reason I say it's a tricky question is we've talked about it in news articles today. There are certain tools you need to understand, but there's really more process and procedure you need to understand. Like, how do I get a piece of data out of my sim? Is it kql?

C (80:42)

Is it.

B (80:43)

Am I inputting stuff? Do I have a SIM anymore? Am I just doing API calls? Am I looking at data lakes? Where are you getting your source of data from? So understanding the environment you walk into makes it very hard. And then more and more companies are doing AI socks. And what I mean by this is they're bringing in mcps, they're bringing in frontier models, and they're doing tokenization to triage that. Level one, level two. So those skills that you used to have of how do I open a packet, how do I look at an email header? You don't do as a SOC analyst anymore because that's automated into your SOAR platforms, or it's automated into your new AI agents that are being deployed. And again, depends on your environment. Heavily regulated, not there yet. You're still going to open an email header. You're still going to crack into a DLL every once in a while. And figure out why it wasn't signed and why it's alerting. And that's where the DLP or the white listing or allow listing comes back in from your SOC analyst. But it really depends. So really, it's just being curious. I did a talk last night for a cyber range for some students, and I just talked about the continuous learning. That's what you need to do as a SOC analyst. Learn, learn, learn. Come to Jerry's show, go to other places. Find out what tools are being deployed both by the adversary and by you. Because it's tool heavy now, and most of it's script heavy. It's automation. It's engineering. We're not opening up things by hand anymore because humans aren't meant to do that. We get fatigue. We. We're not consistent for a full eight hours anymore. Where an agent is a 1 and 0. It runs 365 days. Snow, rain, holiday, not. It doesn't care. You care. You get annoyed. You get hungry, you get tired.

A (82:28)

100% easy does it says, how to measure anything in cyber is a good book. That is true. Let me go ahead. I've got it pulled up on screen. I. I actually own this book. It's from Hubbard and Searson. Come on, where is it? Yeah, like, basically, this is what it is. They just so you know, they have several books on how to measure anything in. And it's like, it's like a series of books. This is a great one. If you're looking to basic, I would say, listen, if your cyber security program is. Is exists, but it's immature. This is a great book. Okay, and, and let me just clear, clear the air on what I'm saying. If, if your cyber security program maturity is like a one and a half million, maybe a two out of five. This book can help you. If you have nothing, this book's not going to help you. All right? You. You have. You have foundational problems. You do not need to, you know, upgrade to venetian blinds in your house. You need to put a foundation underneath the house. All right? So don't, don't, don't get ahead. Don't get over your ski tips on doing metrics and whatnot. James, Cyber risk, which has a question.

C (83:37)

Hey, bring it, Cyber.

A (83:40)

Hold on. I'm trying to like. Restream is testing my patience, bro. All right, well. Oh, here we go.

C (83:46)

We're gonna have to reboot Restream now.

A (83:49)

Gonna have to do something. She said she wants to get into AI governance.

C (83:53)

Smart.

A (83:53)

She's. She's asking if there's any Certs out there, I'd like you to expand on this. Can you talk about the Certs for sure, to answer her question. But also bigger picture on moving into AI governance.

C (84:04)

Yeah, AI governance is kind of where that, that Hansel's hot right now.

B (84:09)

Oh yeah, here we go.

A (84:11)

That Hansel so hot right now.

C (84:15)

AI is constantly changing. Technology wise, you know, we're doubling every six months, practically every six, seven months. Right. So the governance is what has to be there to be able to oversee all that. So there's a lot of, There are certifications out there. I haven't looked into them yet to see what's out there. What I've been looking at is where to get education, where to learn. I, I think right now with regards to certifications, it's kind of AI governance, I feel, is still in its, its infancy, you know, governance overall. Sure. Yeah. There's, there's a variety of different governance certs, whether you've got the ISACA one, ISC2's got one, and you can look at those. But AI overall, there's a lot of free AI governance. Looking at the different governance standards that are out there. NIST, ISO, AI. UC has got one, CSA's got one. I have a slide on all of them. But basically there's a variety of different ones that are out there. Look at those and learn and understand those. And then there's a lot of free AI governance courses through different universities. I think Stanford's got one, there's one out of Oxford. You know, look at doing those free courses along with understanding the different standards, understanding grc, and you're off to the races.

A (85:40)

Yeah. Just as a quick follow up, Rogue Cyber says C Risk. I think he's saying in response to what we're talking about. C Risk was developed in like2010, maybe2009.

C (85:52)

Yeah.

A (85:52)

So, like, I don't think that it, you know, unless they've updated it to include AI. This, I wouldn't say C Risk is good for AI governance.

C (86:00)

No. But for governance overall.

A (86:03)

Okay.

C (86:03)

The base you're talking about, the foundation, your Venetian blinds is your AI governance.

A (86:09)

No, no. Oh, yeah, yeah. Okay. Okay. I like it. All right.

C (86:11)

See what I'm putting down there, Jerry?

A (86:12)

Yeah. I'm picking it. I smell what you're stepping in. James Fletus looking for Certs for ir. Give me a lead for Pocket Pixel.

B (86:21)

So the easiest way to go there. And I'll let James, because it sounds

A (86:25)

like James got excited there for a second.

C (86:27)

I discovered something else that's what it was.

B (86:31)

But again, I'm going to say it depends. Are you on prem? Are you cloud? What are you doing? For simplistic reasons, Comptias got their Cysa. Sans has a few anti Siphon has some of their trainings. You can go out there. They're not all certifications, but at least it'll get you comfortable. Level Effect is another company that I partner with has been pushing out stuff. Little teaser. They now have a virtual internship program where you can actually go through a program. Do labs get graded? Have a virtual internship that allows you to practice.

A (87:03)

Is Mike Small involved with that?

B (87:05)

I don't know if Mike's directly. I've been working directly with Anthony on it. So. So I'm not sure how well it's being built out, but that's been deployed. So we've got a virtual lab. I'll let you do stuff there. So that's a place. And then to be frank, get industry specific. So go get, go learn Microsoft's. Go learn AWS's cloud specific if you're gonna use their incident response tooling, learn how to use Sentinel, learn how to use Security Hub inside of AWS and certify in their products. Get, get those certs will help you just as much as a traditional GCIH from Sans or the CYSA from Comptia. And there's if you really want a basic overview. I'm not saying it's a good ir, but even the CC cert just to get your hand around the domain. The certified Cyber Security with ISC2

A (87:55)

James. Oh, wait, no. You. You found a new feature or something so you were all amped up. All right, thank you, Fleetus. That was good. I haven't even read this question from Reynard. After a pen test is completed and the report is sent to the client who helps remediate and implement fixes. Is that part of Pentax package? Is it in the company? So I'm co owner of a pen test company, so I'll just speak to that really quickly. It we the pen testers typically will tell you what's going on. They can offer some suggestions. They don't know your business operations, operations and processes and budget and all that other stuff. So they can't really tell you do this, this and this. And if they tell you do this and it's like oh, patch it. And then you come back and say we can't do that. And they say oh, patch it. Then they don't know really what they're talking about and they're they're just regurgitating what Google told them to say. And it's, it's not. But, but I will tell you at CairoSec, the pen testing company that Tyler Ramsby and I have, if you patch it within I think we say three months, we will come back and rerun at no cost to validate that you've closed it correctly. All right, so Fletus, you basically fell out of your chair because of ptsd. So go ahead and take this question.

B (89:10)

So again, coming from the cyber defense side, when you get that report you're immediately like what can I get out of this? What does this need to say? Like, because there's informational alerts, there's low, medium highs, criticals. And then to Jerry's point, I have to understand what I'm going to put into my executive summary. I'll go to my previous job. We were, we sold software so that means I had to give this executive summary and my STA package, which is my security trust and assurance package. Can't tell you how many calls I get on when are you going to remediate this? And I'm like I can't. They're like, well it's in your package. I'm like, but I can't. This is a vulnerability in the product in which we are using. We are waiting on the vendor and getting a GRC analyst who's just an auditor. Nothing against that. They don't understand that sometimes it can't be patched in my SLAs, my service level agreements, so that gets hard. The remediation is usually all internal. Most of the time it's your infrastructure team, it's your cloud team, sometimes it's the security team or mix. Occasionally you have to source out. You bring in a statement of work and you bring in someone to fix it if it's a very critical environment. So. So like for my enclave, I'd probably bring in a third party to fix it. If it was my Iot network or OT network I'd probably bring in an OT specialist because my engineers don't have time to fix it because it has to stay at 24. 7 365. Finding maintenance windows is the other problem. Sometimes you can't fix something because Your shop runs 24, 7365 and it can't be rebooted. And sometimes you have to reboot to get these fixes or I have to take it offline and harden it by adding a new access control list. So I think I saw it three times in the chat, it depends. It can be anyone and everyone. And the timeline can be one day or three years. And to Jerry's point, most of the time you get a retest within three to six months if you can fix it. Not all the time. And if you miss your retest now, you're paying to retest it at month seven through 13.

A (91:03)

He said three to six months, not 36 months. Just to be crystal.

B (91:07)

Three to six. Three, two, six.

A (91:09)

Yeah. Also, I want to point out this is a thing that a lot of people don't talk about, and I think it's just because it's the reality of business versus, like, what you think pen testing is. A lot of times when you're going through the project kickoff or pen test, the CISO like, has problems. A lot of times they know where the problems are and they've been saying for a year that they need help or they need budget or they need whatever. It's a priority. And the business is like, whatever. So, like the, the, the pen tester is kind of given some insights, right? Like, you would never finalize a pen test report without running through a draft with, with the client on, hey, here's what we're looking at. Here's what we're thinking. They've given you insights, right? It's not fraudulent, by the way. Like, this is real. But I'm just saying it's not like you're not going to. You might find something that they didn't know about, which is great, that's good value. But a lot of times too, like, it is reinforcing the agenda of the ciso. So that is something also to keep in mind. James, you got something on this?

B (92:21)

I was going to say that real quick. I have steered a pen tester to an environment. I have steered them somewhere. It's like, I need you to go look over here. I'm not going to tell you what I want you to find. I just need you to go look over there. Because I've been looking over there and I know there's issues. And the internal voice is like a whisper. You're going to be like a lion when you come roaring.

A (92:38)

Yeah. And it does. It's not fair. It's not fair that you've been saying it over and over again and no one ever listens. And then. And someone outside says it and all of a sudden there's traction. Just accept it as reality and keep moving forward. James, you got any thoughts? I know. Vc. So the only thing, the only thing

C (92:56)

I was going to add would Be you know looking at you know, you've got your blue team, you got your red team but your purple team. There are some organizations out there where they do the pen test and then work with you to remediate the issue rather than just hand you the report and go good luck, see you in three months. Not I'm being a bit facetious on it but when you've got an organization like Scythe Bryce, you know, friend of the community, Bryson board, that's what his organization does is they go in and then they also do other testing but they'll go in, do the assessment and then provide you steps to remediate and then work with you on that.

A (93:31)

All right, so this is great. We're just a bit over time. We're all caught up on questions which is phenomenal. Fletus, I know it's been a minute since you've been on the stream. Where can people get I heard you speaking at continue con or doing a workshop. You got some other things. Where can people get more Fleetus I know Fletus is someone who does a lot of mentoring so if you've liked what you've gotten here there's more of it to share your pump your pump your stock.

B (93:56)

Yeah so still teaching for App State so feel free to pick my brain about it's run their AI cyber security class and I'm figuring out the first time how to take a 15 week course and turn it into a five week course this summer. This is not going to be fun for me but I'm getting there. Yeah so still doing speaking engages as I said I spoke to a cyber lead group last night. It was fun. They had students from 15 to about 25 are trying to get in. We talk on AI and the human side of it last night which was a fun talk. I'm starting to pick my channel back up again a little bit more with more AI and GRC topics and AI governance. So feel free to check out stuff there and then I will be publishing more LinkedIn but right now that's the only speaking engagement I've done. Most of them have just wrapped up and I'm going to try to make it back here more regular now as my Friday mornings have cleaned up a bit little. A little bit.

A (94:46)

So you mentioned your YouTube channel. How what is that YouTube channel?

B (94:50)

You're gonna ask me Michael, you always ask me and I never just put it for you.

A (94:55)

People want to know. People want you know it's one day you gotta, you gotta. Here, let me show you what it Looks like everybody.

B (95:02)

I typed it out. It's. It's easy to type my name but there we go.

A (95:06)

So it's simply YouTube.com@fleetis posting Fleetus, you YouTube. So if you want some of that. He does lives, he does all sorts of mentoring. The coffee, the coffee talk, he's bringing that back. So this is what it looks like. Go sub. You can see I'm subscribed because I'm a big fan of Fletus and he is crushing it. James, pump your stock buddy. What we got?

C (95:30)

Just got back after working the past week on on the cruise. Had a lot of fun yesterday. Great questions. I'm glad to hear the Internet worked. But yeah, the, the next week I'm heads down dealing with a new client with the vc. So work real excited some other fun projects and hopefully next week make an announcement with regards to apparent security. I will be at Hack spacecon next week. I believe it's a. Yeah, Hack spacecon next week. Week after that is gonna be besides Tampa. So I'll be there with stickers and looking forward to seeing, seeing everybody there.

A (96:05)

I love it. So James McQuiggin at B sides Tampa. Approach him, get a sticker, say hi, maybe ask him for a dad joke. He will be ready at the ready. I want to remind Everybody that at 10am if you are enjoying this AMA style, Daniel Lowry does a live stream. He's a friend of the community. He, I, I would say he's a community member actually and he is going to be doing Daniel cybercast IRL OWASP top 10 LLM misinformation. So he's getting right into the details, into the weeds. It is a fun, engaging stream. You'll enjoy it. There's lots of Simply Cyber community members over there. I'll drop a link right now in the chat that goes directly to this live. So here cybercast irl. Go ahead and pin that and grab it and go. Enjoy guys. I want to say thank you to fleetus and James McQuiggin. Thank you all for being here, asking great questions, supporting each other. Remember we're going to be doing a live at the discord channel around 1pm today so come hang out with that. I'm Jerry from Simply Cyber. Until next time, stay secure.