Security Now Episode 1068: The Call Is Coming From Inside the House
Live from Zero Trust World 2026
Date: March 5, 2026
Hosts: Steve Gibson & Leo Laporte
Episode Overview
This special live episode, recorded at Zero Trust World 2026 in Orlando, dives deep into the evolving threats to cybersecurity, focusing on the shift from perimeter-based defenses to tackling internal vulnerabilities. Steve Gibson and Leo Laporte reflect on their decades-long journey in security, analyze the rise of extortion-driven attacks fueled by cryptocurrency, and discuss why internal threats—often caused by social engineering and user mistakes—are now the critical frontier (“the call is coming from inside the house”). The episode is rich with anecdotes, practical tips, and a candid assessment of modern enterprise security challenges.
Key Discussion Points & Insights
1. Evolution of Cybersecurity (04:13–10:39)
- Reminiscing about the early days of firewalls & perimeter defense.
- Noting how cyberattacks have shifted focus—from curiosity-driven viruses and DDoS attacks to financially motivated extortion and ransomware.
Quote:
"Early on, it was all about protecting the perimeter... things have changed quite a bit."
—Steve Gibson (10:16)
- The critical influence of cryptocurrency in transforming mischief into organized, profitable cybercrime.
Quote:
"The most pivotal defining change was the emergence of cryptocurrency because it was the ability for bad guys to extort and for there to be a way for them to get paid."
—Steve Gibson (11:21)
2. Extortion & The Economics of Attacks (11:45–13:49)
- Attackers don’t care about data per se; their motive is extortion.
- Social Security numbers and personal data are already compromised; the leverage is in the threat to release or withhold it.
Quote:
"You have extortability, right? And so this tremendous pressure is motivating endless cleverness."
—Leo Laporte (35:00)
3. The Futility of Chasing the Perimeter (13:49–20:43)
- Defending IT budgets: It's hard to “prove a negative” (i.e., your team’s effectiveness is invisible when everything works).
- Despite improved perimeter defenses, authentication is a continual weak point.
- The recent critical Cisco SD-WAN breach as an example of authentication failure (rated at the maximum severity score of 10).
Quote:
"I've been saying for a while now on a podcast that authentication doesn't work. If it did, we wouldn't keep over and over and over seeing serious problems with authentication failing."
—Steve Gibson (17:13)
- Why relying only on authentication, rather than supplementing with IP/packet filtering, is risky.
4. Layered Security — Simple but Crucial Steps (19:31–25:14)
- Simple IP filtering can greatly reduce exposure.
- Even professionals like Steve and Leo admit to near-mistakes and to a constant stream of login attempts against their personal networks.
- Port obfuscation isn’t a silver bullet, but it reduces opportunistic attacks.
Quote:
"Security through obscurity doesn't work. But you said, no, you should still use [non-default ports]...It just cuts down on opportunistic attack."
—Steve Gibson (24:53)
- Importance of fail2ban, regular port scanning, and whitelisting to bolster internal network defense.
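The fail2ban and allowlisting points above come down to one piece of logic: count authentication failures per source address inside a sliding time window, ban the address once it crosses a threshold, and never ban addresses on an explicit allowlist. The block below is an added illustration of that logic written for this page (it is not code from the episode or from the fail2ban project); the SSH log lines are constructed sample data, and the names `scan`, `parse_failure`, `maxretry`, `findtime` and `ignoreip` are this example's own, chosen to mirror fail2ban's jail options.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines (not real traffic, not from the episode).
# Addresses are from documentation ranges; 192.168.1.20 plays the internal admin workstation.
SAMPLE_LOG = """\
Mar  5 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  5 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  5 10:00:05 host sshd[1203]: Failed password for admin from 203.0.113.7 port 51250 ssh2
Mar  5 10:00:09 host sshd[1204]: Failed password for admin from 203.0.113.7 port 51261 ssh2
Mar  5 10:00:12 host sshd[1205]: Failed password for bob from 192.168.1.20 port 40000 ssh2
Mar  5 10:00:14 host sshd[1206]: Failed password for bob from 192.168.1.20 port 40001 ssh2
Mar  5 10:00:16 host sshd[1207]: Failed password for bob from 192.168.1.20 port 40002 ssh2
Mar  5 10:00:18 host sshd[1208]: Failed password for bob from 192.168.1.20 port 40003 ssh2
Mar  5 10:00:20 host sshd[1209]: Accepted publickey for bob from 192.168.1.20 port 40004 ssh2
Mar  5 10:12:00 host sshd[1300]: Failed password for root from 198.51.100.9 port 1111 ssh2
Mar  5 10:12:00 host sshd[1301]: Failed password for root from 198.51.100.9 port 1112 ssh2
Mar  5 10:25:00 host sshd[1302]: Failed password for root from 198.51.100.9 port 1113 ssh2
Mar  5 10:26:00 host sshd[1303]: Failed password for root from 198.51.100.9 port 1114 ssh2
"""

# Matches the standard OpenSSH "Failed password" line and captures time, user and source IP.
FAIL_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failure(line):
    """Return (seconds_since_midnight, user, ip) for a failed-login line, else None.

    Assumption for this example: all lines come from the same day, so the
    time of day alone is enough to order them.
    """
    m = FAIL_RE.match(line)
    if not m:
        return None
    h, mi, s, user, ip = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), user, ip


def fmt(t):
    """Render seconds-since-midnight as HH:MM:SS."""
    return f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}"


def scan(lines, maxretry=3, findtime=600, ignoreip=("192.168.1.0/24",)):
    """Ban a source after `maxretry` failures within `findtime` seconds.

    Addresses inside any `ignoreip` network are never banned, which is the
    allowlisting the episode recommends so that an admin's own typos cannot
    lock the admin out. Returns {ip: time_of_ban}.
    """
    ignored = [ip_network(n) for n in ignoreip]
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue  # successful logins and unrelated lines are not counted
        t, _user, ip = rec
        if ip in bans or any(ip_address(ip) in net for net in ignored):
            continue
        q = window[ip]
        q.append(t)
        while q and t - q[0] > findtime:  # slide the window forward
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = fmt(t)
    return bans


if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when}")
```

Run as-is, only 203.0.113.7 is banned (third failure at 10:00:05). The internal workstation 192.168.1.20 fails four times but is allowlisted; drop the allowlist (`ignoreip=()`) and it is banned at 10:00:16, which is exactly the self-lockout the allowlist exists to prevent. 198.51.100.9 is slow and patient, so its failures never pile up inside the 600-second window; lengthening `findtime` or lowering `maxretry` trades that miss for more false positives.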
[Main Segment] The Internal Threat: Social Engineering & Endpoint Vulnerabilities
(30:36–46:25)
1. The Human Element — Social Engineering Evolution
- Attackers increasingly exploit users through sophisticated social engineering as technical barriers harden.
- The Lapsus$ and "ShinyHunters" groups hire individuals (preferring women's voices) to place realistic, manipulative calls to customer service for SIM swaps and account takeovers.
Quote:
"They're hiring women and paying them a lot of money...to place social engineering calls, calls with a woman's voice. Under the logic that will be more convincing."
—Steve Gibson (31:35)
- Even experts are vulnerable; near-misses and phishing attempts recounted by both hosts.
- Internal accounting departments are prime phishing targets through invoice fraud.
2. Zero Trust & Network Segmentation
- The "final frontier" is not evil employees, but regular users making mistakes.
- Traditional "big switch" network architecture leaves internal systems overly open; lateral movement is too easy post-breach.
- App whitelisting, though painful, is a powerful mitigation.
- Shadow IT (unauthorized software) is a risk vector; enterprises must restrict what runs internally.
Quote:
"The call is your employees. Let's be frank, right?...The final weakness...is not somebody who's maliciously attempting to do something, but somebody who makes a mistake."
—Leo Laporte (33:33–39:53)
3. Principle of Least Privilege: Theory vs. Reality
- Hard to practice: “Try telling the CEO he can’t surf the web the way he wants.”
- Engineer for the inevitability of endpoint compromise—plan what happens if any device is suborned.
Quote:
"Ask yourself what happens if any endpoint in the enterprise is malicious? Does it have too much privilege?"
—Leo Laporte (42:08)
- Network segmentation, departmental restriction, and controlling lateral movement are essential.
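Leo's test, "what happens if any endpoint in the enterprise is malicious?", can be asked of a network design mechanically: take each host as the compromised one and compute how many other hosts it can reach, directly and by pivoting segment to segment. The block below is an added example written for this page, not code from the episode; the topology, the segment names (`users`, `apps`, `data`, `admin`) and the two policies are constructed, with the flat policy standing in for the "big switch" network the hosts describe.

```python
from collections import deque

# Constructed example topology (hypothetical): host -> network segment.
HOSTS = {
    "laptop-accounting": "users",
    "laptop-sales": "users",
    "ceo-laptop": "users",
    "erp-app": "apps",
    "erp-db": "data",
    "file-server": "data",
    "jump-host": "admin",
}

# Policies map a source segment to the set of segments it may open connections to.
# Flat "big switch" network: every segment can talk to every other segment.
FLAT_POLICY = {s: set(HOSTS.values()) for s in set(HOSTS.values())}

# Segmented network: user devices reach only the app tier, the app tier reaches data,
# data talks to nothing outside itself, and the admin segment is allowed everywhere.
SEGMENTED_POLICY = {
    "users": {"users", "apps"},
    "apps": {"apps", "data"},
    "data": {"data"},
    "admin": {"admin", "apps", "data", "users"},
}


def blast_radius(policy, start, max_hops=None):
    """Hosts an attacker holding `start` could reach under `policy`.

    max_hops=1 gives direct exposure (one connection away); None keeps pivoting
    through each newly reached segment until no new segment opens up, which is
    the lateral-movement picture the episode warns about. A segment is reachable
    only if some reached segment is allowed to connect to it, so a segment that
    cannot talk to itself isolates its own hosts from each other.
    """
    start_seg = HOSTS[start]
    reached = set()          # segments where a foothold can be gained
    expanded = set()         # segments whose outbound rules were already followed
    queue = deque([(start_seg, 0)])
    while queue:
        seg, depth = queue.popleft()
        if seg in expanded or (max_hops is not None and depth >= max_hops):
            continue
        expanded.add(seg)
        for nxt in policy.get(seg, ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append((nxt, depth + 1))
    return sorted(h for h, s in HOSTS.items() if s in reached and h != start)


def worst_case(policy, max_hops=None):
    """Assume each host in turn is compromised; return host -> number of hosts exposed."""
    return {h: len(blast_radius(policy, h, max_hops)) for h in HOSTS}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name)
        for host, n in worst_case(policy).items():
            print(f"  {host:18s} exposes {n} other host(s)")
```

Two things fall out of the numbers. First, segmentation cuts a compromised accounting laptop's direct exposure from six hosts to three, but the transitive radius is still five, because the app tier is allowed to reach the data tier and so becomes the pivot; segmentation limits lateral movement only as far as the weakest permitted hop. Second, the jump host exposes every other host under either policy, which is the "does it have too much privilege?" question answered for the admin segment: that single endpoint deserves the tightest controls of all.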
[Solutions & The Future] Technologies & Cultural Changes
(43:19–50:30)
1. Zero Trust in Practice
- “Zero Trust” is more than a buzzword: it means treating every endpoint, connection, and user as untrusted by default.
- Requires continuous authentication, segmenting internal networks, and restricting access by department or function.
- Users will need cultural buy-in as security often means jumping through “hoops” (e.g., re-authentication, loss of convenience).
Quote:
"It seems like, though, if you really implement true zero trust, that would be easier in the long run. The hard thing is the social thing...super gluing their USB ports."
—Steve Gibson (43:19)
2. Authentication’s Next Act: Biometrics & Passwordless
- The likely future: Pervasive biometrics (fingerprints, iris scans) for seamless but strong continual authentication.
Quote:
"Where we're going to end up being is pervasive biometrics within the enterprise—iris or fingerprint or a thumbprint on your keyboard..."
—Leo Laporte (44:40)
- Passwordless technologies are improving the user experience and security.
3. AI: Defensive Ally or Uncharted Threat? (46:25–50:46)
- AI is still in its infancy for security—“we're at the 1% point.”
- Potential for AI agents monitoring endpoints to warn users against phishing, shady URLs, suspicious activity in real time (like a smart, local, privacy-respecting “nanny”).
- Still evolving: AI coding assistants may reduce vulnerability creation, but need domain expertise to avoid subtle errors.
Quote:
"Having a local AI which is looking over their shoulder all the time...keeping them from pasting something on their clipboard into the Run dialog and hitting enter...and says, whoops, hold on a second."
—Steve Gibson (48:15)
- Predicts AI will become a key line of defense against both external and internal threats.
Notable Quotes & Memorable Moments
- "What could possibly go wrong?" – The duo's long-standing catchphrase, echoing through multiple segments (07:37).
- “You do. You have extortability” — Leo Laporte, on why every company is a target (34:58).
- “Ask yourself what happens if any endpoint... is malicious?” — Leo Laporte (42:08).
- “The call is your employees. Let's be frank, right?” — Steve Gibson (33:33).
Timestamps for Important Segments
- [04:13] Introduction & Host Bios
- [10:39] The Rise of Extortion & Ransomware
- [13:49] Defending IT Budgets & The "Proving a Negative" Problem
- [17:13] Why Authentication Fails & The Cisco SD-WAN Breach
- [24:53] Port Security & The Power of (Some) Security Through Obscurity
- [30:36] Where Is The Biggest Threat? (Social Engineering, Internal Mistakes)
- [33:33] “The call is your employees” — Social Engineering, Invoices, Human Mistakes
- [39:01] Network Segmentation & Least Privilege Challenges
- [43:19] Implementing Zero Trust & Cultural Pushback
- [44:40] Biometrics & The Future of Authentication
- [46:25] AI: The Next Security Layer (AI Nanny Concept)
Closing Thoughts
Steve and Leo urge organizations to face the new reality: Perimeter defenses are necessary, but no longer sufficient. Real security means re-engineering internal trust, reducing user and endpoint permissions, and supplementing human vigilance with technical enforcement—security must be “zero trust” all the way down. Continuous adaptation, layered defenses, and in the near future, assistance from AI “watchdogs” are the best path forward.
"Keep an eye out for agents that keep your employees from making mistakes. I think that's going to be serious work."
—Steve Gibson (50:34)
For More
Find all Security Now episodes & show notes at TWiT.tv/sn, or subscribe in your favorite podcast app.