A
All right, what's up, everybody? Welcome to the party. Today is May 6th. It is Wednesday. Mike. Mike. Mike. Mike. Mike. Mike. Mike. Mike. Mike. Mike. Mike. What day is it? Home day. What's up, everybody? You are at Simply Cyber's daily Cyber Threat Brief podcast, coming to you live from the Buffer Osier Flow Studio. I'm your host today, Dr. Gerald Auger. And if you're looking to stay current on the top cyber security news stories of the day while being entertained, educated, and most importantly, getting insights you won't get anywhere else, well, then you're in the right place. So grab a cup of coffee, get comfortable. We got a great show for you. All right. That's right, everybody. Good morning. I hope everybody's having a fine week. We are at the midway point of the week, which is exciting. Always. Time flies and as you get older, it seems to go a lot faster, if you know what I mean. So what do we do here, everybody? If you're a long timer, you know the deal. But let me just break it down for you. I basically slug coffee until I hulk out and then just flip out passionately about cyber security. I love cyber security. I love education and I love lifelong learning. I love community. And many of the Simply Cyber Community people who are streaming in chat right now, or if they're just in gold white knuckling on their steering wheel, screaming at brake lights in front of them, we are all here to level up and support each other. Support, inclusion and empowerment is the mission statement. The core values here at Simply Cyber. We're going to go through eight stories. And the good news is the bad news is, depending on how you look at it, we're going to go through them. You'll get the headlines like you would get anywhere else. But then I, with my 20 plus years of experience, plus many members of the Simply Cyber community will give additional insights and value. 
Sometimes indicators of compromise, sometimes recommendations, sometimes just straight up support like Preach. But of the eight stories I know zero that are coming down the pike because I do not research or prep for the show. Do you know why? Ain't nobody got time for that. That's right. Ain't nobody got time for that. Plus, it's authentic, it's raw. I don't know what's going to happen. You got to tune in. Who knows what's going to go down? All right, guys, if you are here for the first time, I do want to say holler. Holla. Holler. Every episode could be somebody's first episode. Every single person who's above me right now. Rhonda Rummerfield, ad tech, James Quick and Code Brew Etc. They had a first episode at some point. We've done this for 1100 episodes. Five years. Ish. And everybody's a first timer sometimes. So don't be shy. You're in good company. Drop a hashtag first timer in chat, hashtag first timer in chat and we will welcome you with sound effects, emotes. Just digital hugs. It's glorious. What's up, guy named 303. Good to see you. So our first timers in chat holler at us and squad members. You know what to do. If you see a first timer, welcome them with the standard protocol that we execute here at Simply Cyber's Daily Cyber Threat Brief. Also, every single episode of the Daily Cyber Threat Brief is worth half a CPE. So all you gotta do is say what's up in chat. We are improving this process this week. Today's the day, y'all. I was working through some stuff. James McQuiggan knows what's going on. Dealing with some, some administrative work. Oh. Start your own business. It's glorious. Make your own hours. Yeah, okay, that is true. But your hours are typically much more than 40 a week and you have to deal with contracting and finance people and accounts payable and ugh. So it is a problem. But I think we got it sorted out. So say what's up in chat. Grab a screenshot for your CPEs and once a year, count up the CPE screenshots. 
Divide by two because it's a half a CPE for each day. I am an instructor. I'm a qualified instructor. I've got the receipts to prove that I know what I'm talking about. And this is an instructor led webinar. When you boil it down, at the end of the day. All right, so first timers, CPEs. Format of the show. Cup of coffee. Let's drink, everybody. Drake. Oh, so good. Oh, that is a liquid infograph I just drank right there. Holy jeepers. All right, guys. Every single episode of the Daily Cyber Threat Brief is sponsored. Thank goodness. Allowing me to bring this show to you in all its glory. I want to let you know about Flare. Flare's threat intelligence platform is awesome. Lazaro Rivera, 34 months, almost three years. Amazing. Good to see you, Lazaro. As always. Guys, Flare's threat intelligence platform. It's a game changer. If you want to listen. Number one, Flare's threat intelligence platform can help you figure out if your organization has already been compromised. If you're being targeted, whose accounts have been compromised, what endpoints have malware on them, all because they go on the dark web and actually scrape, you know, cyber criminal forums. They do some bespoke type of work. Also malicious Telegram channels, all of those things. And what it ends up doing is coming into a nice easy to access platform that allows you to query it. So because this is a, you know, SaaS product, a subscription based product, you get to really pay incredibly. The amount of value you get and the amount of intelligence you get access to versus what the cost is is lopsided. It's asymmetrical. If you want to see what I'm talking about, this threat intelligence platform is bomb. I know several of you in chat have signed up and used it. I have signed up and used it. Which means I'm speaking from firsthand experience, like a testimonial. It's true if you want to check it out yourself, two week free trial, no strings attached. They're not going to harangue you. 
You just sign up, they vet that you're not a criminal and then you get access to the full product suite. Figure out if it's good for you. I think it's phenomenal. The insights alone are worth the price of admission. Go to simplycyber.io/flare. simplycyber.io/flare in a browser right now. Check it out, all the links are in the description below. Michael Carnell coming in from MUSC. Hey Michael, hopefully everything's good. You and Lori, the old MUSC crew. Love it, love it, love it. He works there, Eric. All right guys, check it out. Antisyphon training. Disrupting the traditional cyber security training industry by offering high quality, cutting edge education to everyone regardless of financial position. And today, today is the day y'all. I've got a double shot for you. Anti-Cast free one hour webcast. 12 to 1pm today Eastern Time. You want to turn the daily cyber threat brief into even more value, into actionable intel. Watch the show with me in the morning. Then make actionable intel impact for your organization. Wade Wells is going to show you. I don't know exactly what Wade's going to be doing, but if I had to guess, it is developing detections and alerting criteria for your organization. SIEM or EDR tooling or whatever, wherever you can put detections in to stop bad from happening or be made aware that bad is happening. Wade is a one of one special kind of guy. Love myself some Wade Wells. He's a good friend of mine also. He's a very accomplished practitioner and I have it on good, sound intel. James McQuiggan will be involved with part of this experience. So you don't want to miss this. Get there early. Little Wade Wells, little James McQuiggan. I'll be there in chat as well. Actually, let me just confirm that because my calendar is a nightmare fueled dystopian wasteland. I will be there. Hello, I'll be there today so we can do a Simply Cyber takeover of Wade Wells' total turn cyber headlines in action. I'm going to drop a link in chat. 
Go ahead and register. It costs 0 to register. 0 to register. So I don't know, like what's the hold up? Give that a shot. Finally want to say ThreatLocker. Thank you ThreatLocker for your enterprise-grade quality solution that makes deny by default application security actually possible. If you want to, like, literally just have approved apps run, which means malware that got developed tomorrow won't work. Side loaded DLLs that get developed tomorrow won't work. It doesn't matter. Behavior based doesn't matter. Signature based doesn't matter. It's either on the approved list or it's not running, which is incredibly challenging to pull off in an enterprise. ThreatLocker. Crack the code. They do it at the endpoint. Now they do it at the cloud as well. Let's hear from ThreatLocker and then Michael Carnell, I need you to sit back and relax because I'm about to rip the top off this puppy and let it fly. I want to give some love to the Daily Cyber Threat Brief sponsor ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked. Risk management and compliance onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/dailycyber. All right everybody, we are ready to lock and load. Get ready to lock in. Let me just expand this. Guys. I got to tell you a couple things. One, my inner vibe. The coffee has officially taken off. The chat is popping. Jesse Johnson, the cosmic cowboy's here. Cyber risk witch is doing the hellos. 
I didn't see any first timers, but let me just let you know my inner monologue. This right here. I know you youngs may not know, but this is Animal from the Muppets. He is basically almost elemental. And he is just a live wire. He's like an exposed electrical wire. High voltage. This is my inner monologue right now. This is how I feel. I am ripped and ready to go and bring the news to you. So do me a favor, sit back, relax, and let's let the cool sounds of the hot news wash over all of us in an awesome wave. Let's go. From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, May 6, 2026. I'm Rich Stroffolino. Video game platform hit by supply chain attack. Researchers at ESET documented a campaign by the North Korean aligned threat group ScarCruft to install a backdoor on targeted Windows and Android devices. This targeted the gaming platform sqgame.net, popular with ethnic Koreans living in China's Yanbian region that borders Russia and North Korea. Since late 2024, the gaming platform distributed Trojanized components for Windows and Android games to install the bird call backdoor. Malicious Android apps are still being distributed by the platform as of this recording. ScarCruft has a history of targeting North Korean defectors and human rights activists.
A
Yeah. All right, so this is interesting. You know, for the most part, we don't have. As far as I know, we've done the Worldwide Wednesday several times. We don't have any Eastern Russians, North Koreans in the chat. Maybe some Chinese citizens, I don't know. But for the most part, we don't. So if you were just to kind of like, check this story out in an RSS feed, you'd be like, all right, all right. Video game platform hacked. You have my interest because I'm a video game player. Oh, wait, this is a game I've never heard of, primarily played by ethnic Koreans living in China. So this doesn't apply to me. I'm on to the next story. But wait, you would be wrong. You would be wrong because let me tell you what's up. Yes, this is a game that most of us don't play. But the bigger picture here, abstracted if you will. And let's look at what's happening. So there is a population. North Korea is an authoritative regime. Kim Jong Un rules. It doesn't matter what his intelligence level is. He's got an iron fist around North Korea and, you know, the way the citizens are and everything like that. So that's what's up. There are people who do not want to live in that kind of world. There are people called defectors that will defect out of North Korea. There's people who try to go into North Korea to rescue people. There are investigative journalists trying to report on some of the, you know, atrocities or civil rights abuses or just civil liberties infractions going on in North Korea. When you run an authoritative regime, you don't want people to know about that type of stuff, right? So you use the power that you have access to. People in power want to stay in power and they'll use that power to stay in power. So in this instance, we have a power regiment, okay, an authoritative regime. But this could be anything. This is why it's an abstractable lesson. 
You have someone in control and in power who has been able to almost filter on a targeted population that they're interested in. In this case, it's individuals who are playing that game. Now granted, there are probably people who play that game that are not defected North Koreans or investigative journalists. You're not going to get it perfect, but I'm sure the North Korean regime doesn't care about those people. It's just like, okay, there's a large enough population using this game of people we're interested in so we can target it to get some value, some ROI. Now, by using this and using the back door, you get a couple things. Number one, you get access to those targeted population systems. Two, when you have access to those systems, you can obviously wipe them and do other malicious things. But that's not what North Korea is doing here. They're likely trying to commit espionage, which is not super in North Korea's playbook, although they have stolen military rocket technology from Russia in the past. So they do dabble in espionage, but they're probably sitting there and trying to steal information and figure out who is speaking to who in order to uncover the network of people. Who is the ringleader, who is the person helping get people out of North Korea, who is the person giving anonymous tips to investigative journalists. And then that's intel, which would then be operationalized or actionable, which means basically not good for those people, right? Round them up and make them disappear kind of thing. Unalive type stuff. So don't sleep on it just being, oh, it's a video game, not my swim lane. Right? Think of it this way, if you like. So if you're working at an organization, right, or you work for an NGO or non profit or something that is helping a specific marginalized demographic, think about when you do your threat modeling and this is the final point I'll make before moving on. 
When we do GRC work, like an entry level GRC analyst might be like, okay, this cyber security framework, here are the controls for low baseline, moderate baseline or whatever. Let's implement them and see what happens. Right, we'll just see what we can do and get most of the controls in place and that's fine. But we're doing GRC mafia type things up in here, which means what you really need to do is look at what are your threats. Yes, we're all at risk of ransomware, we're all at risk of business email compromise, but if you work in manufacturing, you might have a different type of threat actor who wants to do the ransomware whose TTPs are going to be different than if you work in healthcare. 8Base vs. LockBit vs. Medusa vs. Akira vs. ShinyHunters. We got vishing over here, we got zero day VPN exploitation over there, so you can't block all the things. You're not the little Dutch boy with AI fingers where you got 75 fingers and you can plug every hole. You got 10 fingers, 50 holes. So which 10 do you plug? GRC professional, allow me to give you the answers to the test. What you do is you look at what threats are most likely to impact you, then you map that to the controls that would reduce the risk of those threats being successful at exploiting your environment. And then you stick your ten fingers in there and oh by the way, if you can, bake a bunch of detections in place for the things that you can't stop. So if they do happen, you can unplug a pinky and jam it over here with the quickness. Mean time to detection is a metric we care about in cyber security. Mean time to remediation, also super valuable, but mean time to detection. Giddy, giddy, giddy up on that.
B
Leading llama could expose your data. Researchers at Sierra disclosed a heap out of bounds read issue in Ollama, the popular open source project for running local LLMs. This bug impacts Ollama's GGUF model loader; a maliciously crafted GGUF file could open the door to memory access and leak API keys and tokens. This is exfiltrated with Ollama's built in model push feature. The entire attack chain requires three unauthenticated API calls and is possible because by default Ollama launches without authentication and listens on all network interfaces. The vulnerability was patched in version 0.17.1. US gets more early LLM bro.
A
All right, so Ollama deployments, there are open source LLMs or, you know, LLM models you can download. I believe Ollama is one of them. Phil Stafford, John B. Correct me if I'm wrong, I know that Llama is. You can download a bunch. So Ollama is one of them. All right, so when I was doing my OpenClaw experiments, I thought of using a localized LLM because I was burning through Claude credits just to have the freaking AI, you know, tell me like what I had to do that day. Not very good use of resources, this one. If you're running it locally, there is a heap out of bounds which is like a buffer overflow kind of related bug. It's a memory permissions thing, in memory, of where you're allowed to access and everything like that. Typically when you exploit out of bound memory issues, you're basically able to take control of the instruction pointer and move it to be able to start executing shell code or a cradle that you've developed or whatever, start pointing at functions in memory. It depends on a bunch of factors, but at the end of the day it allows remote code execution because you take over control flow of the processor. All right, so what do you get if you get all this? Well, if I own your machine, I can read your sensitive information. What is sensitive? Your prompts, the replies, most important API keys and tokens in my opinion. Right. Obviously if you have baked in secrets to give your AI bot the ability to like read your email or log into your stuff, that's going to be compromised. You know, this is not something you want. It doesn't look like they're able to execute your. It's just a read type thing. So it's a breach in confidentiality. Obviously it's going to suck for you if your API keys get burned because then you're going to have to process them. If you're doing AI for some type of sensitive internal project or whatever and you rolled your own simply for more security, this could be a problem. 
Here's my thing, really quickly. It does require no credentials, so that's a problem. Here's my thing, really quickly. I'm not even going to look further into the story. Here's the deal. If you are running Ollama. Well, first of all, do they have a patch? Let me see if there's a patch. All right, so it doesn't say you can patch it. So recommendations? No. Remediation? No. All right, so I don't know how you're supposed to fix this thing if you're running Ollama. It says 300,000 instances, which is small considering how many people are using AI. Okay. The vulnerability was addressed in Ollama version 0.17.1. Orgs are advised to fix as soon as possible and restrict network access to their deployment. Ah, you gotta. Patrick. Okay, right here, listen. This right here is a number one, okay? And I'm not talking about. What was the name of the guy who was like the leader in Escape from New York. Oh my God. Hold on. This is definitely a late 80s reference. Escape from New York. Bad guy. I know the President was the bad guy, but there was like another bad guy. Not this guy. What was his name? The Duke of New York. Holy crap, that was 1981. If you're looking for a great action movie this weekend, Escape from New York. Kurt Russell, Snake Plissken. Oh yeah, dude, this thing is a jam. I might watch this this weekend. You want a throwback to like good action that didn't require CGI or AI? Check that out. Anyways, the Duke of New York was a number one. He made everybody say that you can patch all your things. But guys, do you see where it says restrict network access? The system won't allow me to highlight that. If you are running your own LLMs, you can do it on prem, or you can do it in a VPS or virtual private server up in the cloud. Okay, listen, listen, listen. This is literally the first thing you should do. It's the first thing I did. Okay? So I feel strongly about it. That system should not be Internet facing. You should. Yes. 
If it's in the cloud, you need to be able to access it from the Internet. But may I recommend, I don't know, having a remote into it first before you can execute anything. Having a proxy in front of it, having a VPN in front of it, making it not public IP addressable. So you have to log into some platform and then go in, having super hard creds perhaps, I guess. Like, yes, this problem is patched today and you're fine today, but you have no reason to have this thing Internet facing. We have like network segmentation, network access controls. Like this has been solved for 25 years. You don't need to do it that way. Either you don't understand how to deploy technology and you're basically a child playing with your dad's handgun, or you do know and you're lazy. Like, either way, neither of them comes out with good outcomes. All right, so if you're gonna put it on the Internet, don't make it Internet facing. If you're gonna do it in-house, put it behind something simple. Use firewall rules at a minimum. At a minimum. Make it so only your IP address can make an inbound connection to it at a minimum. All right. Just. So many people, dude. When I was doing the OpenClaw stuff, I saw so many videos of people like how to deploy OpenClaw. And it was just like, run this command, you're done. Print six figures a week. And I'm like, oh my God, dude, so many people are going to get crushed by this access.
B
The U.S. Commerce Department's Center for AI Standards and Innovation announced it reached deals with Google, Microsoft and xAI to give the US government early access to upcoming models to test and improve security on critical systems. This matches similar deals in place with Anthropic and OpenAI. Since 2024, the government center has tested over 40 models so far. This comes as sources from both the Wall Street Journal and New York Times report that the Trump administration is considering an executive order that would create a program for the government to review new AI tools prior to release.
A
Yeah, of course. All right, I hate to be a peckerhead. Listen, I'm going to be. Do me a favor. Tinfoil hat. Tinfoil hat. If you're a squad member, tinfoil hat. Okay, listen, number one, here's the story. Large, big tech companies are thinking about giving the US government early access to AI tools. That's the story. That's the story. Okay, so I've done my job as far as reporting on the news to you. Okay, now, tinfoil hat. Because this is how I feel right now. Are you kidding me? This is a tinfoil hat, by the way. The tinfoil hat. For those who are uninitiated to what it is. As you can see the spamming of the tinfoil hat, it's basically where I'm about to give a hot take. That is subjective, grounded in just my life experiences and theories, etc. There are biases, there are limitations to what I'm about to say. But listen, AI is moving ridiculously quickly. I would like to think that the US is wanting early access to these models so they can make sure that they're making policy and regulation around the safe use of it. Okay, now let me tell you what I really think. Historically, since the dawn of time, okay, the military has always had access to bleeding edge technology. It's how we stay dominant. It's how we secure the borders. It's how we dominate our adversaries. It's how we impose ourselves and our will on others. So we are the, you know, alpha dog in the room or whatever. Roman Empire. Who doesn't love the Roman Empire? The Roman Empire developed like the Caesar cipher to be able to communicate securely. The Roman Empire developed, I mean, they didn't really develop it, but if you want to know why the Roman Empire was able to expand so wildly, it's because of their technology. It wasn't really technology per se, but it was around their processes and protocols to basically be able to get to where they're going and then immediately establish a fort. 
Like they could show up at like 3 o'clock on a Saturday, look across, see a bunch of, you know, whatever, insert, you know, Visigoths or freaking Celts, like Germanics, insert whatever, pop. By the time Sunday morning rolls around, there's a freaking fort built there. That kind of advantage is huge. So if I had to guess, AI is a weapon. It is super powerful and using the ability to test it seems awfully useful to the US government. So you're saying the US government gets access to private sector technology before anyone else. Okay, got it, got it, got it, got it, got it, bro. I just want everyone to like realize for a hot minute here too, for a second, okay? I love high fantasy, I love science fiction, you know, dystopia. I don't love dystopia, but like that style of story and whatnot. You realize that the tech companies have almost as much power as countries now, right? Like the CEOs of big tech companies are very powerful. Elon Musk is an individual and he has his own space program. Elon Musk has his own Internet. International Internet Service Provider service. There's countries that don't have space programs, there's countries that don't have Internet. My guy, you know what I'm saying? Jeff Bezos has his own space program. What are we doing? It's crazy, dude. So these guys have wicked unbelievable resources. Companies worth more than countries and it's just a lot of power consolidated in non, you know, effectively non democratic systems. So anyways, as I mentioned, the case is the US is going to be getting in front of tech. I think, hopefully, I'm glad it's taken three years for people to realize that we need to regulate this stuff before, you know, it's too late. I'm a huge, huge dystopian AI future kind of guy. I don't bring that energy to this group here because I don't want to depress anyone.
B
Australia launches Cyber Review Board. The Australian government announced the formation of the Cyber Incident Review Board, which will independently review major cyber attacks in the country. These will be no fault reviews that focus on systemic lessons to apply to the industry rather than culpability for individual organizations. Telstra CISO Narelle Devine will chair the group. The board will be modeled after the now defunct U.S. Cyber Safety Review Board, established by the Biden administration in 2022 and disbanded by the Trump administration.
A
Okay, so Australia, Australia doing Australian things. Very cool. All right, so the Cyber Incident Review Board is kind of like the, you know, the National Transportation Safety Board. Like the people who go after airplane accidents and then try to reconstruct what happened and then improve upon those lessons. Australia is trying to do that with cyber now. I always crap on Australia. I love Australia. I've got one of my closest friends, lives in Brisbane, married an Australian, has kids and everything like that. Great guy, great. You know, so I know people from there. Roswell, you. I mean, Richard Duff. We've got some Aussies in the Simply Cyber community, but they've had some major data breaches in the last couple years. Major, like their main telecommunication provider got hit, their main like financial person got hit, their main healthcare group got hit. So yeah, it's great that they're doing this. The fact that it's modeled after a disbanded US version means nothing. The United States is in very divisive times and, you know, there's a lot of political like cutting of things out of spite and like defunding so you can allocate resources to other agendas that are important to people in power. If you live in Australia, there you go, you got this going on for you. Yay. This is like, I don't want to say this is a nothing burger because this is great for Australia, but for most of us, we're not doing anything different today because of this story.
B
And now a huge thanks to our sponsor for today, Vanta. Risk and regulation are ramping up and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at vanta.com/ciso.
A
All right, all right, everybody. Holla, holla, holla, holla. Guys, I want to say thank you so much for being here. I hope you're having a great day, great show. I want to say thank you to the stream sponsors. ThreatLocker, Antisyphon, Flare. Thank you all. Thank you all so much for being here. I hope you guys are having a great stream. Any first timers who are lurking in chat, I hope you're having a great stream. Guys, every single day of the week has a special segment and I want to share with you that on Wednesdays, it's the Way Back Wednesday. I'm 46. Technology has changed a lot over the years. So I just grab an old piece of tech and some of us get nostalgic over it. Some of us can't believe it happened. It's always a fun one. I've got one for you. Okay, so check this out. My uncle had many, many businesses, okay? And one of them was satellite TV. All right, I just want to share this with you. This is crazy, dude. Like, many of us just do streaming service. Many of us have Netflix and whatever Internet into our house. Dude. In the 80s and 90s, my guy, like this. Like this was like if you were wealthy, you had this in your yard, you would have this like large, like 15 foot satellite dish. Looked like you were a news station reporting live. And these things were hideous. Like, if you were particularly cool, maybe you had a, like a clear one like this right here. Hold on one second, let me. Now, obviously DirecTV came out with the smaller dish in the 90s, but for a minute there, guys, people would have these large ass, 10, 15 foot satellite dishes and you would get satellite TV. You'd have to like connect to the satellite. I just want to share one more thing because of that. I remember this because this was crazy at the time. See if I can. If you guys don't remember, because my uncle had the satellites, you could do this. 
At one point, during the Olympics, they had three different channels to watch the Olympics and you had to subscribe to the Olympic TripleCast to watch and you could switch between the feeds and they were all coming on different satellites and stuff like that. Dude, it was wild. Satellites were so wild and now they suck, right? Obviously if you have no regular service or no Internet. But like, I don't know, I feel like even then people just get Netflix and streaming service. So anyways, that's your Way Back Wednesday. Where is it? Where is it? Where is it? Where is it? Where is it? There it is. So, guys, I don't know. Does anyone remember that? Do you have any thoughts about. There you go. Tech grant says there's somebody in Canada who can pick up North Korea. Anyways, just sharing a little fun with you guys. Let's say our la la la la's. Oh, yeah. If it stormed, forget about it. Here we go. Here we go. Here we go. All right, guys, let's finish strong, shall we?
B
UK sees a jump in romance scams. The report fraud unit for the City of London police reports that romance scams increased 29 in 2025 to 10,784. These resulted in 102 million pounds in losses, with an average loss of 9,500 pounds per scam. Although some scams reached into the millions of pounds, almost half of all losses came from people aged 55 to 74, with men reporting more scams, but women suffering larger losses on average. These scams followed the familiar playbook, using fake profiles on social media to build a relationship with the victim before requesting money for a variety of purported emergencies. Romance scams accounted for just 3% of overall fraud losses in the UK. Romance scams make up a much larger percentage of cyber losses in the US, with almost $1 billion paid in 2025.
A
All right, dudes, $280,000 a day to romance scams in the UK alone. All right, this is gross, and I don't know about you guys, but listen, If I made 200,000, $280,000 a day, I would keep doing that, right? Sheesh. If I made $28,000 a day, just one tenth of that, I would do it every day. Like, that's insane amounts of revenue. So what do we need to do about this? Romance scams have been around for a long time. They're obviously super, super disgusting because they prey on vulnerable people. And, and there is a high emotional entanglement involved with it. Now, a couple things they said in the story that many of us already knew, but it's important to reiterate. Mostly targets individuals 55 to 70. It also targets both men and women. And the interesting fact is it's more men than women, but the women get hit for larger amount. So, like, the women get victimized greater, but there's more men who get victimized as a population. Okay, all right, guys, I, I, I'm not gonna go into the whole, the whole thing. I went into the other Day. And if you, if you're a regular of the show, you know how I feel about this and about, you know, putting your, putting your elders in like a home and just kind of like shoving them over there and feel like you did your part because they're taken care of, but then you just disconnect from them. Older people, older people are thirsty for connection. Older people are thirsty for companionship. You have someone who's been married, whatever, and then their partner dies. You have someone who's like living with their kids and then their kids push them into an old age home. People are thirsty for. We're humans, man, we're social creatures. So because of that, when you get a note from someone who's like, oh, hey, like I'm into all the things you're into, I love you. It feels good. You want more of it? It's a dopamine hit. Criminals know this. Criminals are jerks. Criminals don't care about your Aunt Dorotheas and your Uncle Paul's of the world. 
Criminals want to abuse those individuals. So think about it that way. Like if you want to make it personal, think about somebody that's between 55 and 70 that you care about. Everyone right now, here's a thought exercise. Everyone here knows somebody who's older that they care about. Now imagine them being abused by some scumbag somewhere in the world. You know, it doesn't feel good, does it? No. So you can do something about it. You can tell them, hey, listen, just be aware that, you know, someone reaches out to you about stuff like this. It could be a scammer, okay? I know it. I, you know, like, you just got to break it down. And I want to point out the real here because most of us are logical and rational individuals. And a logical, rational individual would be like, oh, this person's not really into me. I am done catfish style. However, I know of several real cases, including ones that I've been personally involved with. Not, not like as the victim, but like, I was brought in as a consultant on where the individual was being told by their family, this is a criminal, they are stealing your money. And the individual, it was a female, was so wrapped around the axle by this criminal that she did not want to admit it, she refused to admit it, that that was the reality, and she just continued to send money. That family had to take her legal rights away from her to stop herself from doing that. Okay, like, it gets crazy. Furthermore, and this, this is true in romance scams on any level. Not just elderly, but just another reality. That you should be mindful of. A lot of people, you know, they give the money, give the money, give the money, and then they realize it's a scam or it's a crime. Many people who fall victim to romance scams are deeply shamed. They are deeply shamed. They do not want to publicly admit it. 
They do not want anyone to know that they were that gullible or that stupid or that, you know, vulnerable to fall for something like that so they don't tell anyone. Which causes its own set of problems. This looks like a simple little thing. Some jerk send you a love letter, you fall for it, send them money. Oops. I figure it out. End of scam. That is not what it is. It is not. This is not a third grade case study. This is a much more advanced crime with real victims. And honestly, just a. You know, since I've already thrown a wet blanket on top of you, I might as well kick some sand up your shorts and have you walk around and feel that abrasion. A lot of. Not a lot, but there are more than a few notable cases of people who take their own life because they are so crushed or so screwed financially after becoming victimized by something like this. So there. It's real. Real stakes with real consequences. Please, this is one that needs to be educated. Educated. Educated. Right?
B
Threat Actor finds a way to make compliance worse. The Microsoft Defender research team discovered a phishing campaign using fake compliance related communications as lures. The campaign ran in mid April, targeting 35,000 users across thousands of organizations, primarily in the U.S. The emails used slick enterprise style HTML templates for authenticity. Subject lines used time sensitive lures, often citing conduct policy reviews and urging recipients to open attachments to review case materials. The messages also included green Paubox encryption banners and showed Cloudflare CAPTCHAs when clicking through malicious links just to make everything seem legit. Ultimately, these led to phishing pages trying to harvest Microsoft and Google credentials.
A
All right, so this is one for everybody. I mean it's only 35,000 emails, so maybe it didn't affect many of you, but the, the campaign concept is a solid concept. So an opportunity here to educate your end users before they run a second wave. Okay, it is a. Is there an actual picture of the email? Looking for the picture of the email. No, we just got some crappy. Okay, here. Here is it. All right, so number one, it looks legit. Employee conduct review, notice of conduct review. So it's basically scaring you with potential job loss. It seems to be coming from corporate compliance. It has Security things encrypted, verified by Paubox HITRUST Certified, which is a healthcare standard. But okay. Also notably, it has an internal notice banner saying it was issued through an authorized internal channel, giving further legitimacy. Now I do want to point out, number one, this banner right here might be added just with code. So it's completely fraudulent. But there have been examples of threat actors who are able to basically get it on Microsoft Azure instance and then email from within to make it look like Microsoft is emailing you. So there is a way to send internal and kind of get these banners. So this, this banner is not an end all be all legitimacy. You just got to tell people this is, this is one to send out to the workforce. You could even send this picture and say, hey, here's an example of a phishing email. In fact, if you wanted to, you could send this screenshot and just make the title of the email like, check this out, right? And then just say like right at the top of the email like, hey, below is a sample phishing email that's working right now. Look at it and then show them this. And then, you know, at the bottom say like, you know this looks real you, like you may have fallen for it too. 
Others have just know that you know any type of like email that comes in talking about salary raises, performance reviews, anything, if your man, anything kind of about your job, if your manager has not discussed this with you in advance, treat it as suspicious. Do not click on it. Okay? Crazy. And then TL;DR, it's a. It's stealing credentials. So obviously multi factor all the things, right? If they get your email and password or username and password. But you have multi factor, you could potentially not be compromised. This is also why you don't reuse passwords. This is why you don't reuse passwords, because if one gets popped, you're screwed.
B
ProtonMail adds PQC. The privacy forward company announced that it's rolled out support for post quantum encryption across its email platform, including users on its free plans. This will deploy as a complement to its existing RSA and ECC encryption. Users must opt into PQC by using new encryption keys and the latest Proton apps, and it doesn't support PQC on end to end encrypted forwarding yet. ProtonMail also announced compatibility with OpenPGP v6 and said it's collaborating with the wider open email ecosystem to ensure quantum safe mail can operate across all providers.
A
All right, I mean, this might be, you know, something that I end up having egg on my face. Proverbially speaking in the future, like guys with AI and all that's going on right now and the just the current state of society, like post quantum encryption is not something that I'm like super geeked up on. And it's so much in fact that just as a quick aside, I actually had a company reach out to me to, to work with them that is doing post quantum encryption type stuff. And I actually declined the opportunity because I was like, I just can't, I just can't. But hey, listen, ProtonMail, listen, if you're using a third party service provider for your mail, whether it's Google, Workspace, Gmail, Microsoft 365 and you're using Exchange online prem if you're not managing your own mail servers and the mail service provider wants to roll out post quantum encryption, I'm all for it, dude. Let it fly. As long as I can continue to get my email and my users in my environment can get email. Go for it dude. Encrypt all the things. I don't care if it is transparent and seamless to me. But you're adding security. Yes. If you're asking me to pay an extra dollar per user for post quantum encryption, I'm not paying for it. I will, I will stick with what I got. This is another. Guys, this is getting back to the opening of the show where I talked about threat modeling, okay? And the Dutch boy with the ten fingers, right? If post quantum encryption is one of like or you know, basically compromise of confidentiality and integrity because of not using post quantum encryption resistant encryption algorithms and a threat actor gets a quantum computer and is somehow able to break your security of your email. Here's my thing. Like that's not one of the 10 holes I'm going to cover up as the Dutch boy doing a cyber security program because look at the threat landscape. 
What emails am I sending that I'm worried that somebody with the resources to have a quantum computer is going to spend it to break into my email. Like the level of sensitivity of my emails versus the cost of like someone being a nation state and doing quantum encryption, like it's just not there. Now ProtonMail is huge on privacy, right? So say you're some, you know, say you're running a criminal operation, right? Obviously now your threat model changes because you have law enforcement wanting to get in, right? So I, I'm not a criminal, so I don't sweat that, right? So you've got to do the threat modeling. It's like if anything today's, you know, More, you know, ha. Knowings have to battle GI Joe is you've got to do threat modeling to decide where to spend money and what controls to implement. Okay so hey, for those using Proton mail, giddy up. A lot of post quantum encryption tech is coming to mail right now. Let's go. Doesn't affect me though.
B
The AI transformation paradox. Microsoft released its 2026 Work Trend Index report. One of the top level findings is that 65% of workers fear falling behind if they don't adapt to AI. But at the same time, 45% of workers feel safer focusing on current workflows than redesigning them for AI. Only 26% of respondents said their leadership is consistently aligned on AI, opening the door to potential shadow AI proliferation. 16% of respondents were identified as frontier professionals, those that use multi agent systems to rethink workflows. The biggest use case for AI was analysis and reasoning used by 49% of chats. Interactions accounted for 19%, producing work 17% and gathering information with 15% of chats.
A
All right, so no surprise here. This is a. Even though AI is a, you know, paradigm shifting technology, the story here is human nature. Listen, AI is here, it's available, it can, it can revolutionize your efficiency. Studies are showing that a lot of people aren't using it because guess what, they have to learn something new or because they're uncomfortable with it. So they'll just keep doing what they're doing. That's not going to work out for most people by the way, in my opinion, in my humble opinion, if we're going to turn this into a Reddit post, if you're not adopting AI right now, if you're not learning AI, you will be left behind. You will not be competitive in the market, period. Because all the people using AI, and I'm not talking about AI taking your job, I'm talking about people using AI to do their job are much more productive than people not using AI. And I know that that's anecdotal, but I use AI right now. I'm telling you, it is a freaking force multiplier. I know lots of people use an AI, they are crushing it. If you stick your head in the sand and be like, oh no, no, like I've been doing this job for 10 years, I know what I'm doing. I don't need to, I don't need to invest in AI, I don't need to rethink how I work. Okay, you do you, but you're going to be a one legged man in a butt kicking contest pretty soon. It's not gonna, it's not gonna. You're not going to be a champion. Right. What is it. Like the one-eyed man in the land of the blind is the king? Yeah. You can be a one-eyed person in the land of the blind and be the best person ever. You can see all the things with your one eye, but AI is like giving everybody four eyes. So now you're a one-eyed person running around. Everybody else has got like, you know, Splinter Cell level vision going on. There's a throwback video game. All right, so that's the deal. Also, no surprise, they're saying most people use AI for like, you know, reasoning and logic, kind of talking through stuff. Yes, yes, yes. 
The power users out there, the Phil Staffords of the world, they are using AI for all sorts of things. I do want to say I've seen some crazy uses of AI. I'm not going to bring it up here because it's a little, not suitable for work, but I have seen several. Again, I, I don't investigate it thoroughly so I don't know if it's true or not, but the people are using deep fakes to create attractive women that don't exist and then setting up OnlyFans. I've seen full tech stacks where like literally they have the woman doing the thing and then the people who like message in AI reads the messages and then responds, you know, within the hours that the woman would be awake. And it's like, it's almost like romance scams on steroids, you know, so I've seen those type of things. It's crazy.
B
Cyber attack holds high speed rail. Taiwanese authorities arrested a 23 year old student for interfering with the TETRA communication system used by the country's high speed rail network. The suspect allegedly used a software defined radio to send a general alarm signal that triggered emergency braking on nearby trains. This resulted in four trains being halted for 48 minutes on April 5. Local reports say that the radio system used by TETRA has not had any parameters of its verification system rotated since it was deployed 19 years ago. It's also possible that the transmissions weren't encrypted at all or used TEA1 encryption, which has a known backdoor since at least 2023. The suspect faces up to 10 years in prison, remember.
A
All right, from the F around and find out desk. We have a student hacking a train. Guess what dude, Not a good move. Oh, my only crime was curiosity. Yeah, well, I mean when you hit the emergency brakes and people get Injured, not a good look. To radio. So that to me, if anything, like, yes, the guy stopped the train, caused probably serious injury to people as well as a significant amount of impact to lots of people's lives. Right? So you're trying to get to work, you're trying to get home, you're trying, you know, whatever you're trying to do, people doing their things and you screwed it up. All right. I would like to point out this feels like it's an attack on operational technology. Very vulnerable to use a radio to communicate commands without any type of verification or authentication. This is a lot like OT. Think about those. Oh my God. Pipeline in Alaska. What is this thing called? The ice road. Truckers was on it. There's a road. Yeah, this right here. By the way, I do want to point. I, I, if you guys are ever interested, I can show you. I actually got to go to, I, I went to the northernmost part of the United States and I was like north of this and got to see this pipeline and stuff like this. So this is the Trans-Alaska Pipeline. I know that the story's about a train, but allow me to abstract it so everybody can learn. Okay? So yes, the train got stopped, but okay, whatever. What, what do we need to be thinking about is what the risk is. This is the Trans-Alaska Pipeline. This thing is huge, like thousands of miles. Okay? You're not going to have some engineer walk the freaking thing. So what you're going to have is these radios every so often, like right here. Okay, I know this isn't a radio, but bear with me. Every so often checking in and it's got sensors going into the pipeline. What's the current temperature inside the pipeline? What's the current viscosity of the fluids pushing through. Is there any issues? Right. 
By having these sensors, you know, wirelessly communicate back to some kind of central motherboard, engineers are allowed to see the entire pipeline in real time. Now that communication and, and obviously the, the engineers can communicate back and close something, you know, slow down the flow, turn up the heat, turn down the heat, vent some gas out to release pressure, right? Do all the things that two way communication is done over radio. So if you are and it's operational technology because it's impacting cyber physical systems. So if you're running something like this or anything, you have to make sure that the way that you're communicating with it is somehow verified or authenticated or anyone can communicate with it, which can lead to catastrophic problems. All right? I mean, just to put a finer point on this. This knucklehead was able to stop the train, hit the emergency brakes. What if this was a Spider-Man movie and it went the other way? What if this knucklehead was able to accelerate the train to 300 miles an hour and have the train fly off the tracks? Right. This could. Like, what if it blew through a station and just ran through people? Right? Like, there's a. There's a lot of much more catastrophic, dangerous things that could have happened besides the brakes being thrown. So when we think about these systems, don't just be like, oh, it works. I don't. Like, oh, what's the big deal, Jerry? The engineers were able to vent it. Who would do anything? It's out in the middle of nowhere, Alaska. Yeah. Until there is a problem. And then what are you going to do? Like, oh, I guess we'll get it next time. No, knucklehead, we've got a bunch of oil pissing all over the Alaskan wilderness now. Because you didn't want to spend the time to secure the technology in the first place. All right, I. I don't know why I just got mad at a straw man. I do want to say beautiful country. Beautiful country. Alaska is like, basically an undeveloped country up there. 
If you live in Alaska or if you've been to Alaska, yes, the, you know, the Anchorage archipelago area is a bit more developed, but for the most part, I, when I was in Alaska, dude, I felt like it was like the equivalent of just like free country. All right, guys, I'm Jerry from Simply Cyber. This has been the Daily Cyber Threat Brief. I hope you've enjoyed it. I certainly have. Stay tuned because we've got Cyber Career Hotline coming up. Hold on one second. We got a lot for you. As always, the value train is going strong. We've got Cyber Career Hotline coming up in just a minute. And then after that, at 9:30am it's time for Two Cyber Chicks. Erica McDuffie and Jack Scott. Season 8 Episode 6 if you've been applying to jobs, guess what you're going to learn about why AI is quietly rejecting you at 1:50am talking about the brutal truth of AI hiring. This is a must catch episode of Two Cyber Chicks. You're gonna. You're gonna get value here. Two Cyber Chicks. I'm gonna drop a link in that. I'm gonna pin it. But for right now, let's go to Cyber Career Hotline. Hold on one second. Well, I'm looking for Cyber Career Hotline. Where are I, bro? Whatever I got too many things going on. There we go. All right, I'm Jerry, your chat. Till next time. Stay secure. I'm Dr. Gerald Ozier. This is the Cyber Career Hotline. If you're building a career in cyber security, this show is for you. Let's get into it. All right, what's up, everybody? Welcome to Cyber Career Hotline. I'm your host, Jerry Guy coming hot off the heels from the Daily Cyber Threat Brief hosted by that nerd. Oh, my God. Dutch Boy and fingers. GRC Mafia. What are you talking about, nerd? I'm joking. It's me. I didn't see any first timers in chat, so it's all us long timers. Here's the pro. Here's the format for the next 30 minutes. If you have questions, I will do everything in my power to give you an answer that has value and is impactful. 
If I don't have an answer, I will try to get somebody that has value a valuable answer. Yes, Roswell UK. It is a deep fake of me doing the intro deliberately. Hey, Zenith. So Zemif asked a while ago. I want to share with everybody. This was a direct response to ZMIFs. So just so everybody know. Oh, my God. Just so Everybody knows, on May 22nd at 2pm, we'll be doing a quarterly State of Simply Cyber. We're due for one. If you're interested in the community, if you're interested in the bigger picture of things. I do, I do these meetings quarterly. I missed Q1. I'm busy. But it is a State of Simply Cyber. So if you're interested in having input on where we're going, how we're going, what we've done, what you can expect from me, I do serve this community. So I do do these kind of transparency, quarterly meetings. Come on down. Have some fun. Of course. Final thing before I answer questions, so if you got questions, drop them in chat. Simply CyberCon 2026 is coming and CFP opened. CFP opened yesterday or May 4th, right here. So if you're interested in speaking at Simply CyberCon, CFP is open. Come on down. I can't promise honorariums at this time, but if we get enough money, some of the first money is going to go to the speakers. Again. There's a speaker dinner, speaker gift. That's a given, but just let everyone know. Also, there's only 11 speaking slots, so it will be competitive. We're going to do a blind panel review of submissions. So it's not. There's no favoritism. All right, go to simplycybercon.org for all the information you need. All right, so looking for questions in chat, who should be responsible for building access controls? Physical security should own that. And you as a cybersecurity professional, J.T. Gorman can be a consultant on that. So you can help them understand it. But ultimately, physical, the physical security department, the security officers, it depends on the size of your organization. Right. 
If you're a small business, then you own it. But if you're like a large hospital, typically physical security facilities would own that. Zach Morrison, I have a first round interview for a help desk role. Any interviewing advice? Okay, Zach, 100. Be ready to answer the question. Tell me about yourself. Keep it to 90 seconds. Make sure everything you say is true. It's about you, but it is directly related to your, you know, professional capabilities to be able to deliver on a help desk role. All right, good luck, too. By the way, Zach, super pumped for you from last week's headlines. Which one has stuck with you? I'd have to go back and look. Roswell UK. I mean, there's so much going on right now. I, you know, I definitely, I don't know. The Mythos thing, I'm still very interested in on the Mythos Anthropic stuff. Question for chat. I'm just highlighting it for people on replay too. If anyone has a Kia EV9 vehicle, what do they think about it? Bruising hacks wants to know. All right, if you have questions, put them in chat with the queue up in the front and I will give my ability my best to answer them. Continuing to look through chat. All right, let me go down here, see if I can. All right, continuing. All right, so bonus story. Where's the Palo Alto thing? I'll bring it up. DJ B Sec wants everybody to know. All right, hold on. DJ B Sec has posted this on social media. It's a big story. Critical Palo Alto Networks vulnerability CVE-2026-0300. It's a critical buffer overflow vulnerability in the PAN-OS software. It's being actively exploited in the wild. DJ B has a so hot infographic
B
That Hansel's so hot right now.
A
All right, so what I'm going to do is if you run PAN-OS, here is a link to DJ B Sec's LinkedIn post. Go check it. I'm actually going to pin that in chat. And if you're listening on audio only or on replay, Google CVE-2026-0300. That's CVE-2026-0300 to get that information. Thank you, DJ B Sec. All right, all right. Oh, so Zach Hill's coming at me about Star Trek. Okay, you go ahead. You enjoy that. Enjoy your Ferengis for Fredo Fred on. Can you tell the community why Dr. Gerald Ozier, a man who loves science, tech, and continuing education, doesn't like Star Trek? I felt like all of that is there. I'm curious to know. No, no, don't get me wrong. I do love science, technology, continuous education. I love the premise of it. I just. I just don't. I don't know. I just don't. Like. I guess maybe, like, I watch the Star Trek movies, and it's okay from a science fiction perspective. I'm just not. I guess I'm just not into the Star Trek universe. You know what I mean? That's it. I'll leave it to other people. Question. If you got. If you got on as a SOC 2, and no one was implementing Mythos there, would you try to get the conversation started? Hold on. What? So you're saying if you go to an organization as a SOC analyst and they're not using Mythos, would you try to get it started? Do you even have access to Mythos right now? I thought Mythos was only open to a few people. I guess what I would say is, whether it's Mythos or whatever, AI, I would definitely be getting the conversation started on using AI to help Purple Team test, to help, you know, validate controls. To help. Yes. All the things Gib what says is going to TechEx a good place to network? It seems more like an expo, not an RSA or B sides. I have my free ticket, which makes me think I'm the product. I've never been to TechEx. I've never heard of TechEx. Let me see. All right, I just googled it. TechEx is a premier enterprise tech conference designed for CIOs and CTOs. I mean, I. I would go to it. 
If you have a free ticket, I would go to it. Remember, like, most of those conferences, they're going. I mean, listen, Gibb, like, they're gonna sell your email to the sponsors. All the people that have booths there are paying to be there, right? So you are the product in that capacity because you're the target demographic for the businesses that are trying to sell the product at the conference. Now, you gotta head on your shoulders. That's. You know what I mean? Like, you can decide what's going on. If you want, use a disposable email address or, you know, an alias. I would go, why not? It's a great opportunity, talk to people. It's not like here's my thing as far as I can tell. It's not like a time share. Like if you have to go there and sit through like a four hour webinar, you can, you can keep your ticket. GSTER Sib says. What are your thoughts on GRC job as a consultant versus a full time staff? I've done both. I've done both. I mean this is a complicated question because you can take it in a number of ways. What I'll say is if you're a full time in-house GRC analyst, you can develop relationships with the workforce and your message will carry stronger when you're trying to educate and modify their behavior to take less risky actions. If you're a consultant, you're going to be seen as somebody from the outside. So you're one of them, not one of us. So your messaging might hit differently. As a consultant you will be able to go to many different businesses and see many different instances. So it'll make you a better professional because you'll get a larger data set of different ways to do things. Whereas if you're doing it full time in-house, you're kind of seeing like one way to do it. And there might be some bad habits that are there, there might be some not best practices, there may be budget constraints, etc. 
You might have an organization that doesn't have a very serious commitment to cybersecurity and that could make you jaded versus the consulting role. Now full time staff, your W2, you show up and you half ass your job, you still get paid a full 40 hours consulting, you got to kill the work, right? Someone's got to kill the work. I.e. you got to go win a contract and then if you do a crappy job killing, executing on the contract, guess what, you're not getting another one. So now you have to over perform. The benefit is you can charge higher rates. I had a conversation with James McQuicken yesterday. My, my bill rate just, you know, being real with everybody, my bill rate is 250 an hour. So if I come and do GRC consulting for you, it's $250 an hour. Which if you do the math, which I have to do the math. Where's the calculator? 250 times 2080 is $520,000 a year. So if you hire me as a consultant, it's a half a million a year. Now if you hire me full time in-house staff, it's not even remotely that high. You probably could get me for like 200 grand, right? So half the value. So from a business perspective it cost way less if you're an in-house staff versus a consultant. But when you're a consultant you have to charge higher premiums because you're literally just cash only. It's straight cash homie. Straight cash homie. I'm responsible for my own health care, my own retirement, my own loaded rates and stuff like that. Also you can just terminate the contract, right? I mean obviously you could just fire a W2 employee too. But anyways, hopefully that answers your question. Did something come through here with a green bar. Z 27 months says hey Doc. BSides312 in Chicago May 16th. It looks like to be fire. Just want to let team know. So hey, if you guys are in the Chicago area, I know some of you are, go check that out. I don't want to dox anybody but I know several of you are in that area. So check out BSides312 in Chicago on May 16th. All right. 
JT Gorman says what should be the process for obtaining user credits for new laptop? Should this involve seeing set a temporary password for the user when signing in. So I think what you're. Are you saying like remote worker, you send them a machine and then you know what's the password? There's a couple different workflows. I mean I definitely think, I mean if you can bind the machine to Active Directory and then have it set to change the password on initialization and then make. You could do it a couple ways, right? And then you could have that person's manager verify that they got the machine and that they have authenticated and you can look in AD that they have changed it. They won't be able to use the machine without changing it. That's one way to do it. When I worked at the National Science Foundation you had to call in and, and like verify your identity and then the person on the phone would give you their p, give you the password. In some instances you had to physically go to an office where you would then be given the password after providing identification. So it depends on your workflows, what your budget is, how distributed your workforce is. But yeah, temporary password is a good, is a good practice. Stop it. Zach Hill Cork is definitely. Come on man, are you serious? Are you trying to trigger me? Cork? All right. A guy named 303 is in my camp. I agree. Star Trek the Next Generation. How about Star Trek One Dimensional? Like they could have done so much more. Like I said, I did think the Borg was a compelling character. T. Murphy says is a good idea to self audit in a CSF as an IT manager. Are there free resources that can help provide visual scores and improvements? So T. Murphy, if you have the bandwidth and I'm assuming you don't have a cyber security person at your organization or else they would be doing this. Yeah, I think it is beneficial to do NIST CSF. If you go to NIST Cybersecurity Framework, they do have workbooks and stuff like that. 
As far as visual scores and improvements, what I would do if it were me, like a spider graph is a good one. A bar chart where like here's your current state and here's your ideal state is a good one also, depending on what. And by the way, T. Murphy, you can use AI to basically say here's a spreadsheet. You can use Google NotebookLM, here's a spreadsheet. Make me some visual infographics that convey this information. Again, I like the bar, I like the either a spider chart or a bar chart of where you are and then where you need to be. Also, I don't know what industry you're in, T. Murphy, but NIST CSF has these things called profiles. You can look for a profile, some, some that are industry specific. I think there's a manufacturing one, I think there's a healthcare one that can give you some kind of like generalized goals that you should be setting. Also I want to point something out that a lot of like junior people new to the industry don't realize. NIST CSF, you can have between a score of 0 and 5 for each of the categories. Let me bring up a visual for everybody here. All right, look at. So here's a spider chart as an example that I was talking about to T. Murphy. Okay. And you can see here like if you're, if you're looking on stream right now or if you're listening just, we're looking at a spider chart. And in the spider chart there's a green line, a purple line and a blue line. Okay. And what we're looking at here is well the center is zero and the outer ring is five. Right. So maturity score goes from zero to five. Now I, I wouldn't use the lines the way they are using but what, what I'm about to say is like you could say that the green line is your current state and the blue line is your ultimate target or desired state. Now one thing a lot of people don't know and it's worth pointing out is that just because five is the highest level that you can get on a CSF score does not mean that you are trying to get a 5 on all of them. 
This isn't like a video game where you're trying to max out every category and build like the ultimate Baldur's Gate 3 character or, or you know, Madden Football character. Because to get to a 5 is very expensive and very progressive as far as like how proactive your information security program is. And for a lot of people maybe a 2 is good enough, maybe a 3 is good enough. So first you got to figure out what is your desired out. Like if you had infinite money, infinite resources, what would be your ideal cyber security posture that your organization can maintain? That also reduces risk to acceptable levels. Once you have that, T. Murphy, then self audit and figure out where you are and then obviously where you are and where you want to be is called the gap. And how do you close the gap and in which order do you do it? That's what's up. But yes I would 100% audit yourself against NIST CSF because two reasons. One, you're going to see where you have some glaring problems and that's where you should focus first. And then two, if you decide to mature your cyber security program, it's a phenomenal starting point. 9:24. This is the Cyber Career Hotline. Phone lines are open. If you got a question, put it in the chat. I'm here to help. Hopefully you guys have enjoyed my answers to the questions. Cyber Risk Witch coming in hot: How do you align AI governance when it spans multiple pillars like IT, legal, compliance, data privacy, etc.? Yeah, great question. I mean what I would say is you have to, for me, like look at AI kind of agnostically. Like what is our general attitude here with AI? Are we willing to adopt it? Are we willing to have trials, pilots? Are we gonna, is Copilot approved? Is Claude approved? What, what's the best practices? 
So then for governance, you know if you wanted to you could have not a committee but you could say okay like, like IT, what are your needs? Legal, what are your needs? Etc. Right, but I mean an AI that reads legal documents and then an AI that reviews data sets for privacy infractions and stuff, they're all, they're all kind of just AI tools doing a thing and producing an outcome. It gets a little different when you get into agents for sure and non human identities. But I don't think you need to really get, get. I, I, I guess what I would say, Catherine, is like I wouldn't necessarily compartmentalize it. Like this is the AI policy for IT and this is the AI policy for legal and compliance. What I would say is like how are we, what's our position on allowing the use of AI here for people to execute their role at the organization? And sure there's going to be all sorts of, you know, nuances and gray areas and things that require additional review insights like you know, are we, are we putting data into other platforms that use AI? Can they train on our data? Are we using AI in house? Are we using AI to make decisions? Like those kind of like agnostic conversations is what you need to have around AI governance, less about like AI is allowed to be used for IT for this case, but it's not allowed to be used in legal for this case. Right. At least in my opinion. Once you get the overall umbrella of governance then you can double click down and start making more policy for individual situations. But just be careful, you don't want policy to be so brittle that it doesn't really have effectiveness because it's like so specific and niche. Oh my, you guys with your Star Trek. Continuing to look through chat for everybody. By the way, great question, Cyber Risk Witch. Definitely appreciate it. Okay J. Gold, come on bruh. Don't, don't, don't do that. Don't do that. What are your favorite GRC tools? Thoughts on Drata versus Vanta? Well, I mean I, you don't want to ask me about Vanta. 
I don't, I don't, I don't like Vanta. I haven't used Drata. What I would say is GRC tools are, I think GRC tools in general are valuable. I do believe I'm firmly in the camp. This is a philosophical position. I'm in the camp that we are moving towards GRC engineering and you need platforms like that to be able to help you automate and visualize your overall GRC program when you start implementing engineering concepts and automation, orchestration, real time inventory feeds and etc. So yeah, I, whether it's Drata, Vanta or insert solution that's developed tomorrow, I do think, I do think that they're important. But don't, don't like try to over complicate it. Like a spreadsheet is a great way to start. Okay. Until you figure out what you're doing. Ad Tech says 500k a year is not that much if you're paying insurance and running the business. Yeah, 100 plus, by the way, guys like I. I just get being real for you. What happens when a client doesn't pay? I've had clients not pay me. It sucks. And if you have staff, you got to pay them. So if your client's not paying you, but you have staff, you have to pay that. Guess where the money comes from, right? It's. You're taking on risk. That's why it costs more money. Stirs spurs says, what are your thoughts on SBOMs and using them to identify vulnerable packages faster? Yeah. So academically speaking, SBOMs are beautiful. They're the solution. They're the answer. I can figure out whether or not there's peanuts in my recipe. Right. Software bill of materials, for everybody who doesn't know, is kind of like the ingredients on the side of a packaging. It tells you what software is inside of your solution. I love the idea. Conceptually, it is not really. It's. It's a very difficult thing to implement correctly because, yes, the SBOM could say, you know, oh, these 15 technologies are involved in this product. But then those 15 technologies might be built on, you know, a combination of technology. 
So the SBOM isn't going to drill in to that. So now you got to go to each of those 15 technologies and see what their SBOMs are, if they have them, until you get to the axiomatic individual components that comprise the pieces that comprise the pieces that comprise the solution that you bought. So SBOMs are great in theory, really crappy in practice. At least from what I've seen, some people are doing it well, but for the most part, it is not a widespread solution. What should the response be for people failing phishing campaigns? What I would not do is make them do training, because that doesn't do anything. I've had people fail, fail, fail. It's a tough one, man. What you can do is, you know, with anything, it's carrot and stick. So you could start rewarding the people who don't fail and make a big deal. Give them, like, money or access or whatever. Is about to go off. If you're looking to get. If you're interviewing for jobs right now, this is a banger of an episode for you guys. I think that's your question to come back tomorrow, James, and we're going to answer it. A wonderful Wednesday. Thank you all so very much. Simply sappercon. Org.
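Two of the Q&A answers above (the NIST CSF self-audit for T. Murphy, and the SBOM "drill in" problem for Stirs spurs) lend themselves to short worked examples. The first, below, is an added illustration of the CSF gap exercise Jerry describes: score each function 0 to 5 for current and target state, compute the gap, rank the work by gap size, and render the "where you are vs. where you want to be" bar chart. It is not code from the show, Simply Cyber, or NIST; the function names follow CSF 2.0, and every score is constructed for illustration. The scale, the validation rule that a target never sits below the current score, and the ranking order are assumptions of the example.

```python
"""NIST CSF self-assessment gap analysis (added example; scores are constructed).

Each CSF function gets a current and a target maturity score on the 0..5 scale
described on the show. The point of the example: not every target is 5, a
function already at target drops out of the work queue, and the remaining gaps
are ordered so the biggest gap (the "glaring problem") is tackled first.
"""

SCALE = range(0, 6)  # maturity 0 (nothing) .. 5 (fully proactive), per the show

# Constructed sample assessment: current vs. desired maturity per CSF 2.0 function.
ASSESSMENT = {
    "Govern":   {"current": 1, "target": 3},
    "Identify": {"current": 2, "target": 3},
    "Protect":  {"current": 2, "target": 4},
    "Detect":   {"current": 1, "target": 4},
    "Respond":  {"current": 1, "target": 3},
    "Recover":  {"current": 3, "target": 3},  # already at target: no gap
}


def validate(assessment):
    """Reject scores outside 0..5 and targets below the current state
    (assumption: a self-audit never sets a goal below where you already are)."""
    for name, scores in assessment.items():
        for key in ("current", "target"):
            if scores[key] not in SCALE:
                raise ValueError(f"{name}.{key}={scores[key]} is outside 0..5")
        if scores["target"] < scores["current"]:
            raise ValueError(f"{name}: target below current state")
    return True


def gaps(assessment):
    """Gap per function: target minus current."""
    validate(assessment)
    return {name: s["target"] - s["current"] for name, s in assessment.items()}


def prioritized(assessment):
    """Functions with an open gap, largest gap first; ties broken alphabetically.
    Functions already at their target are omitted from the work queue."""
    gap = gaps(assessment)
    return sorted((n for n in gap if gap[n] > 0), key=lambda n: (-gap[n], n))


def bar_chart(assessment, width=5):
    """Text bar chart: '#' = current maturity, '.' = gap up to the target,
    blank = headroom above the target that the organization chose not to pursue."""
    rows = []
    for name, s in assessment.items():
        bar = "#" * s["current"] + "." * (s["target"] - s["current"])
        bar += " " * (width - s["target"])
        rows.append(f"{name:<9}|{bar}| current {s['current']} -> target {s['target']}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(bar_chart(ASSESSMENT))
    print("Work order:", " > ".join(prioritized(ASSESSMENT)))
```

The chart makes the "not a video game" point visible: Recover already meets its target and Protect deliberately stops at 4, so the blank cells are chosen headroom, not failure. Swap the constructed scores for your own category-level scores to get the same output at category granularity.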
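The second added example illustrates the SBOM answer: a vendor SBOM lists the product's direct ingredients, but a flagged package buried two levels down is invisible until you fetch each ingredient's own SBOM and merge the dependency graphs, and any component without an SBOM becomes a documented blind spot. This is example code, not from the show or any SBOM tool; the dictionaries mimic the `components`/`dependencies` shape of a CycloneDX document but the package names, versions and the flagged package are all constructed for illustration.

```python
"""Transitive SBOM resolution (added example; all SBOM data below is constructed).

Shows why a top-level SBOM alone cannot answer "is the flagged package in my
product?", and how merging upstream SBOMs one level at a time answers it while
recording which components never provided an SBOM.
"""
from collections import deque

# Constructed vendor SBOM: only the product's direct ingredients are listed.
PRODUCT_SBOM = {
    "components": [
        {"bom-ref": "pkg:example/product@1.0"},
        {"bom-ref": "pkg:example/web-framework@2.3"},
        {"bom-ref": "pkg:example/image-lib@0.9"},
    ],
    "dependencies": [
        {"ref": "pkg:example/product@1.0",
         "dependsOn": ["pkg:example/web-framework@2.3", "pkg:example/image-lib@0.9"]},
    ],
}

# Constructed upstream SBOMs, keyed by the component they describe. Components
# absent here (http-parser, zlib-wrapper) published no SBOM of their own.
UPSTREAM_SBOMS = {
    "pkg:example/web-framework@2.3": {"dependencies": [
        {"ref": "pkg:example/web-framework@2.3", "dependsOn": ["pkg:example/http-parser@1.1"]},
        {"ref": "pkg:example/http-parser@1.1", "dependsOn": ["pkg:example/zlib-wrapper@3.0"]},
    ]},
    "pkg:example/image-lib@0.9": {"dependencies": [
        {"ref": "pkg:example/image-lib@0.9", "dependsOn": ["pkg:example/zlib-wrapper@3.0"]},
    ]},
}


def build_graph(*sboms):
    """Adjacency map ref -> set(dependsOn) merged from one or more SBOMs."""
    graph = {}
    for sbom in sboms:
        for dep in sbom.get("dependencies", []):
            graph.setdefault(dep["ref"], set()).update(dep.get("dependsOn", []))
    return graph


def assemble(product_sbom, upstream_lookup):
    """Merge the product SBOM with every upstream SBOM reachable from it.
    Returns (graph, no_sbom): no_sbom lists components that were reached but
    have no SBOM to drill into, i.e. the blind spots of the exercise."""
    graph = build_graph(product_sbom)
    visited, no_sbom = set(), set()
    frontier = deque(child for children in graph.values() for child in children)
    while frontier:
        ref = frontier.popleft()
        if ref in visited:
            continue
        visited.add(ref)
        upstream = upstream_lookup.get(ref)
        if upstream is None:
            no_sbom.add(ref)
            continue
        for dep in upstream.get("dependencies", []):
            children = set(dep.get("dependsOn", []))
            graph.setdefault(dep["ref"], set()).update(children)
            frontier.extend(children)
    return graph, no_sbom


def transitive_closure(graph, root):
    """Every component reachable from root (breadth-first; cycle-safe)."""
    seen, queue = {root}, deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen - {root}


def is_affected(graph, root, flagged):
    """True if the flagged component is anywhere in root's dependency tree."""
    return flagged in transitive_closure(graph, root)


def dependency_paths(graph, root, target):
    """All root -> ... -> target paths: which ingredient pulled the package in."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for child in sorted(graph.get(node, ())):
            if child not in path:  # guard against cycles
                path.append(child)
                walk(child, path)
                path.pop()

    walk(root, [root])
    return paths


if __name__ == "__main__":
    product, flagged = "pkg:example/product@1.0", "pkg:example/zlib-wrapper@3.0"
    print("vendor SBOM only:", is_affected(build_graph(PRODUCT_SBOM), product, flagged))
    full, blind = assemble(PRODUCT_SBOM, UPSTREAM_SBOMS)
    print("after drilling in:", is_affected(full, product, flagged))
    for p in dependency_paths(full, product, flagged):
        print("  via", " -> ".join(p))
    print("components with no SBOM:", sorted(blind))
```

With only the vendor SBOM the flagged package is not reachable, so the product looks clean; after merging the upstream SBOMs it is reachable by two paths, and the two leaf components that never shipped an SBOM are reported rather than silently treated as safe. Treating that `no_sbom` set as an open finding is the practical difference between "SBOM in theory" and "SBOM in practice" that the answer above is getting at.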
Host: Dr. Gerald Auger, Simply Cyber Media Group
Date: May 7, 2026
On this midweek episode of the Daily Cyber Threat Brief, Dr. Gerald Auger (“Jerry”) covers eight of the most impactful stories in cybersecurity that matter to practitioners, analysts, and business leaders. With his trademark high energy, approachable expertise, and humor, Gerald breaks down news from supply chain attacks and AI policy to romance scams and operational technology vulnerabilities – offering context, practical GRC tips, and advice for cybersecurity professionals. The episode shines both with its informative value and the collaborative spirit of the Simply Cyber community.
On Threat Modeling & GRC:
On Exposing AI Models:
On AI Policy & Power:
On Elder Abuse in Romance Scams:
| Segment / Topic | Timestamp |
|-----------------|-----------|
| Opening, Community Welcome | 00:01 – 00:12:00 |
| 1. Video game platform supply chain attack | 12:00 |
| 2. Ollama LLM vulnerability | 18:45 |
| 3. US Gov AI early access | 25:45 |
| 4. Australia cyber review board | 31:06 |
| 5. UK romance scams | 38:07 |
| 6. Compliance-themed phishing | 44:48 |
| 7. ProtonMail PQC | 48:51 |
| 8. Microsoft AI Work Trends | 52:44 |
| 9. Taiwanese train OT incident | 56:32 |
| Listener Q&A: GRC, S-BOMs, NIST CSF, tools | 1:11:00 |
| Bonus: Palo Alto vuln (DJ B Sec shoutout) | 1:09:09 |
In summary:
This episode blends actionable news with deeper lessons about threat modeling, the AI revolution, operational cyber risk, and the human side of cybercrime. Jerry’s insights and calls for critical thinking, community engagement, and smart prioritization make this a can’t-miss daily briefing for cybersecurity practitioners at any level.