welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly embellished truths
about corporate cyber security programs we're ranting we're raving and we're
telling you the stuff that nobody talks about on their fancy website and trade show giveaways all to protect you from
cyber criminals and now here's your hosts mike rotondo zach fuller and lauro
chavez hello and welcome to the first episode of the cyber rants podcast in
the year 2022 welcome back everybody good to have you
and today we are going to be talking about a new year and a new you
but actually that's not really what we're talking about because i think you're outstanding the way you are
there's always room for improvement but what we're really talking about is what are we
going to be doing what should we be doing what should we be thinking about this year in 2022 maybe we'll throw in
some predictions who knows we're just gonna run with it and go from there we're not scripted we're just going for
it so before we dive into that though mike why don't you kick us off with the headlines we didn't get away get weight
watchers or jenny craig is a new sponsor or something please well you'll you will have to wait for
the commercial to uh to see that should find out all right
so we're starting out with the seven most impactful cyber security incidents of 2021 this is put together by dark
reading obviously the most impactful cyber security incident that of 2021 is the one that impacted you directly
but this is what they put together uh log 4j became public on december 10th
has taken the number one spot as every year 2021 had its share of other big data breaches and security incidents
that impacted many organizations 1291 breach incidents were publicly reported
through september 30th according to itrc that is 17 higher than the 1108 breaches
disclosed for all of 2020 but breachers weren't the only concern analysis of the nvd national
vulnerability database showed that more vulnerabilities four hundred 18 nine have been disclosed so far this
year than in previous year today with nine in ten of them easily exploitable so the top seven are log four j
colonial pipeline reach the casa breach the exchange proxy login print nightmare
both of which are microsoft excelion intrusion ftp which
basically hit was one breach of one application and hit many and then they put in the florida water utility hack i
don't know if i would have included that but that's what they put there elephant beetle spends months in victim networks
to divert transactions i found this kind of interesting financially motivated actor dub elephant beetle is stealing
millions of dollars from organizations worldwide using an arsenal of over 80 unique tools and scripts the group is
very sophisticated and patient read nation state spending months stand studying the victims environment
financial transaction process and only then moves to exploit flaws in the operation the actors inject fraudulent
transactions in the network and steal small amounts over long periods leading to an overall
theft of millions of dollars if they are spotted they lay low for a while and return to a different system my only
comment on this is didn't that happen in office space and in one of the superman movies with her two prior
yeah that's right still a penny half a penny fractions of a penny you're taking money from the crippled children's jar
not to prop up cyber criminals here but elephant beetle is an excellent name for something like that
and that's just that's just way to go outstanding we've we've seen a bunch of names that were just garbage but that
one that was that was good doesn't the elephant beetle eat elephant poo i don't know anyways whatever
they're huge and a crazy looking like they they kind of want to make you throw up a little bit
so welcome to the new year microsoft releases emergency fix for exchange gear 2022 bug that didn't take
long microsoft has released an emergency fix for a year 2022 bug that is breaking email delivery
on on-premise microsoft exchange servers as the year 2022 rolled in and the clock
struck midnight exchange admins worldwide discovered that their servers were no longer delivering email after
investigating they found the mail was getting stuck in the queue these errors are caused by microsoft exchange checking the versions of the fit
fs antivirus scanning engine and attempting to store the date in a signed int 32 variable
so happy new year from microsoft uh apple ios vulnerable to home kit door
lock denial of service bug apple homekit is a software framework that lets iphone and ipad users control smart home
appliances from their devices a novel persistent denial denial of service vulnerability named door lock was
discovered affecting ios 14.7 through 15.2 the trigger to trigger door lock an
attacker would change the name of home kit device to a string larger than 500 000 characters upon attempting to load
the large string a device running a vulnerable ios version will be thrown into the manual service state with a
forced reset being the only way out of it however recycling device will cause all stored data to be removed and only a
couple if you have a backup now to make matters worse once the device reboots and the user signs back
into icloud account linked to the homekit device the bug will be re-triggered just use a key right
exactly yeah exactly yeah when i was uh now that's a that's a tangent but anyway uh
multiple vulnerabilities in google chrome could allow for arbitrary code exception execution
uh multiple vulnerabilities have been discovered in google chrome the most severe which would could allow for arbitrary code execution
successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser
depending on the privileges associated with the application an attacker could view change or delete data the problem
with this is the it's found in the latest version of chrome and they haven't updated it yet so well the other
important thing here i think about this one is is it's based on the privileges that the browser's running in right so
if you've got everybody being admins then the privilege is going to be in the admin shell right so you
that's another great reason not to be giving all of your employees admin admin permissions
any of your employees unless they absolutely have to have it um t-mobile commer confirmed sim
attacks led to breach t-boneville has confirmed grudgingly a data breach that was caused in part by
swim sim swapping attacks according to a statement from the company the tmo report of blog tracking t-mobile
internal document obtained uh reports showing that some data was leaked from a subset of customers some individuals had
the customer customer proprietary network information leaked which includes information about a customer's
plan the number of lines phone numbers billing account et cetera others had their sim swamp swabs some
were victims of both the cp and i leak and the sim swaps when pressed for comment by zd net
t-mobile refused to go into detail about the attack and would not say how many customers were effective well it makes me wonder if that was um
in a direct correlation to some of the 2.2 billion in cryptocurrency that was stolen last year
um we've seen that happen with with sim swapping before definitely and why does it always seem like it's t-mobile
getting sim swapped what are they doing internally that the other companies aren't that's allowing for this
i mean i'm sure that happens i know it happens elsewhere but they it seems like they're the worst offenders
yeah it does i think they just have the i think they have the highest employee base that will accept bribes
[Laughter] you could be [Laughter]
somebody are not representative of silence actors [Laughter]
this show is not sponsored in any part by at t or verizon
yeah which which have also had sim swapping problems in the past right but uh you know you never know which of your
employees are going to fall victim to the hey would you uh push this couple buttons
for me team g-mobile the word or the wordpress of cellular service there you go
yeah that's great yeah seriously all right and then on to log 4j log4j
flaw attack reveals remaining levels remain high microsoft warns of course microsoft microsoft has warned windows
and azure customers remain vigilant after observing state-sponsored and cyber criminal attacks pro attackers
probing systems for the log j log4j log shall flaw through december microsoft said
customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments
log4j was disclosed by the apache software foundation on december 9th log 4 shell will likely take years to
remediate because how wide the error logging software component is used in applications and services
microsoft warns that customers may not might not be aware of how widespread the log4j issues
is in their environment and you really need to patch that as quickly as possible now there's some additional
log4j headlines i just didn't bring them out uh log4j highlights need for
a better handle on software dependencies log 4j flawhunt shows how complicated the software supply
chain really is and this will really help ftc warns legal action against businesses who
failed to mitigate log 4j attacks i'm not sure what they're going to do i mean this is a
morphing vulnerability that continually gets exploited threatening legal action from the from
the federal government is pointless in my opinion so um
so that's a headline additional headlines on log4j uh there's other headlines that we did post like a year
of microsoft bugs the most critical overlooked and hard to patch um cyber security trends for 2022
fbi warns about ongoing going google voice authentication scams and google docs commenting feature exploited for
spear phishing so there's a lot going on check out the web page for the
uh headlines with that laura for the log for shell i've i've really kind of been watching
the github community and there's just been a huge uptech since mid-december on
new exploit types new exploit frameworks for this so you know certainly be vigilant be vigilant
about that and i know there's just a bunch of security professionals that have just spent christmas
fixing this right so just you know it's it's the solarwinds 2020 christmas all over again
so stay stay vigilant for log4j it reminds me of the uh christmas of new
year's of 1999 for those of you old enough to remember it where i spent my new year's eve in a server room waiting
for the world to die yeah yeah i was in the military we were we were viciously upgrading to windows 2000
so yeah i remember those days all right so for exploits this week uh i've got a
couple that i want to talk about um first first and foremost is beyond trust okay if you're not familiar with them
they're an authentication gateway and they have a reflected cross-site scripting unauthenticated
uh for their um for your you're essentially your portal in so so beyond
trust i'm not quite sure how they've answered this but uh you know some of the uh you know some of the exploit nerds
have figured out that you could do some some uh reflected cross-site scripting uh with that appliance login so
if you're using beyond trust and you've got one of the um you got one of the appliances on board or using the portal make sure that you're you're following
along their guidance on on how they're going to mitigate this the other one i want to talk about is
the emerson uh dyksell xweb500 it's it's it's an environmental control unit
and a lot of big corporations are kind of using these emerson devices to you know do control
uh temperatures in in various and this is all across the industry i t this is manufacturing this is food
right so keeping food cold and stuff like that and there's an arbitrary file right vulnerability with the x web 500 so if
you're if you're running emerson x-web for environmental control take a look at that and make sure that you you
don't need to upgrade and then last but not least if you are a fan of telegram
specifically if you're a telegram user on a windows based device make sure you're looking out for the purple fox
root kit this is pretty cool just in the fact that it's it's being
like uh it's being chunked so they're using they're using fake telegram installers and fake telegram updates to
deploy this rootware and then once it's on your device well it's you know it's like nanocortex or
pegasus or anything else you're going to be able to get a lot of passwords out of your browser's
password saved locally anything like that so the the root codes out there on github for all the nerds that want to go
check it out uh please do um and you know don't don't use it against any of us okay but uh yeah the the threat
author uh has the uh the kit available on github he wants you to join his community in order to get the license
for it but then i found another place where they were cracking the licenses for it so um
this is it's just it's going to be a mess so you know if you're if you're using telegram just watch for those bogus installers that are going to be
coming down all right with that zach what are we talking about today tell me it's comic books that are going
to be out in 2022. we could certainly talk about that i was just going to say regarding telegram my morse code's a
little rusty so it's been a few years since i've used one of those but
that's not what we're going to talk about either today we're going to talk about the year ahead and what we have
in store what's going on predictions if any so
i'm going to uh say let's take a quick commercial break while i polish off my crystal ball here
and then we'll dive right back in want even more cyber ants be sure to subscribe to the cyber rants podcast get
your copy of our best-selling book cyber rants on amazon today this podcast is brought to you by silent
sector the firm dedicated to building world-class cyber security programs for mid-market and emerging companies across
the us silent sector also provides industry-leading penetration tests and cyber risk assessments visit
silentsector.com and contact us today so 2022
it's going to be a good year i think but i think there are some predictions in cyber security just like anything else
we will make advances and i'm guessing you know i i can't foresee the future i
don't claim to but i would i would assume there's going to be more cyber attacks probably more vulnerabilities
maybe more than we've ever seen just maybe i'm going to predict i'm going to predict more wordpress and
microsoft vulnerabilities i feel like new age nostradamus here you know really
really getting into it but um yeah wordpress google repeat offenders
right we're going to see some apple some microsoft some cisco
it's just the way it goes it's the way it goes yeah absolutely the log4j uh you know i
think is gonna persist through this year i mean that's that's really kind of my accurate prediction well i mean aside
from the aside from the things that we know are gonna come out vulnerabilities right but um i really think this log for
shell is gonna is gonna wreak havoc for you know probably the majority of this year because
of all the changes that are happening and all the places that well like you were talking about mike you know software component control is
just terrible right i mean when we do web application pen tests we see older versions of
bootstrap older versions of jquery these components a lot of the developers are just you know if it's if it's working
it's working and they're not they're not updating them and so i think that's what's really made of this log for shell
situation really bad is that a lot of software companies have high turnover rates and they don't know what they
don't know and so they don't know where they have these java based logging pieces that are that are gonna you know
kind of be a direct impact for this this law enforcement so i i see that probably wreaking havoc through the summer
unfortunately uh and maybe even um and maybe even you know kind of
kind of morphing into a different style of attack using the same weakness right so right when you
think you got it patched they'll find another way to leverage um the logging piece from apache against
you so that's that's kind of i guess that's my real crystal ball prediction for 20
and i think part of the problem is and back in the olden days uh when i started in it you would steal
code from any place you could to prop up your to fix holes in your code
yeah that's right because of that you don't have component control yeah but i mean in your day i mean you were
stealing code in the form of clay tablets so i mean it was
clay clay tablets are the original non-fungible tokens hey those paper
discs that we use in those rooms that had to be cooled to 54 degrees
still would be great when you had a mainframe with a hundred
megabytes of space you know how can you complain that's that's big that's big time man big time
power powerful power what did what if bill gates say that you would never need more than what was it like three hundred
dollars 40 megabytes that's right that's crazy that makes sense makes sense to me
yeah really need it or do we want that's the question right technology was also
remembers technology was also supposed to make people less busy and
free up lots of time in people's lives yeah remember that yes that's what that's what technology
especially with the the invention of uh and and the progress of computing power
uh everybody's life was going to be easy simple and just a breeze we're going to be able to sit back and relax but um
i don't think that's the case i don't think that's the case i don't think 2022 is going to bring that uh for us either
you know unfortunately i don't think this is the year where that that actually goes into effect um i think it's probably 20 25 then then we get to
sit back and relax but for now we're [Laughter]
everybody will be using linux in 2025 right yeah yeah
okay so so here here's another here's another one right so let's talk about the security industry as a whole i i
certainly see that because of all these types of attacks that are happening and you know a lot of changes in in this
in the cyber security space um i think there's going to be a an uptick in the uh in the inquisitory realm of doing
business with new tech companies right so that that security questionnaire is going to become i think a little more
used uh starting now in the future uh just because of you know the lack of
trust right from tech companies that have been through ransomware or been through malware or been through
third-party um you know breaches because they're doing business with a third party that they didn't check
um a lot of that's happened in the last couple years and so i certainly see a ramp up and we've kind of already started to see it already with some of
our clients um a lot more questionnaires are coming out and they're becoming more frequent and they're changing the
methods that they're doing it so they don't they don't just want a um they don't want you to answer the questionnaire right it's it's becoming
where they're going to uh they're starting to actually have zoom meetings or you know whatever webex
meetings whatever right but they're having these these kind of meetings um with the client and then actually asking
them as an auditor would in a sock too or anything else right asking to demonstrate evidence and they're asking
for screenshots of these um of these policies and screenshots of configurations because it's it's hard
because you can answer anything you wanted a questionnaire right and if you have a security guy if you answer the questions right you know your security
your or your you know your governance um you know risk person may say okay yeah you know they answered these pretty
right we're going to go ahead and give them a you know a passing score so the business could be you know can go ahead and move forward with the sale um that's
that's gonna stop they're they're gonna get to the point um probably starting you know mid this year where
um they're actually gonna be doing more of these kind of uh you know video based uh inquisitions for your cybersecurity
posture so that you're having to not only answer the questionnaire but you're also having to demonstrate evidence in a
meeting with a risk team that's asking you very specific questions or the service that you're providing so you
know i certainly see that uh you know starting to ramp up this year for sure
yeah i got two comments on that so you're starting to see an industry that's springing up that's kind of a middle industry that
is the communication point from or facilitators of communication between the company that needs the service and
the service provider and they're doing the review and providing data back to
you know the company that's required that needs the service the problem with that is a a lot of the
auditors don't know anything and b you're not able to communicate they are looking at it in a black and white check
the box methodology as opposed to looking at that you know i've run into this we're not seeing complicate compensating
controls being taken into effect we're not taking we're just seeing a black and white check the box pass fail
so that industry needs to mature because otherwise we're going to have lots of problems um yeah you get a false sense of
security right a false sense of risk with with things like that happening and and you know not not not all auditors
don't know anything i mean you just you know the book smart auditors are really hard to deal with because they they can't
translate technical controls very well because they've never engineered anything right and so they're you know and typically that's a low
level you know you know they'll bring in like you know kind of interns and things like that to conduct these kind of questionnaires and you're right mike
it's it's kind of scary because it's going to give companies a false sense of risk that may that may come back
unfortunately right well they're trying to create these clearinghouses too where it's automated where you upload all your data to these
clearing houses with all your security controls and then you subscribe to the service and it'll
you know provide you a score on each vendor well you know if one of those gets breached
that's huge for one uh for two you know there's no
justification there's no communication there's no why are you doing it this way well this is why we justify doing this
why we have these compensating these 10 compensating controls in place that completely mitigate this risk
and that's that's where we're losing the ability for small companies to be able to
facilitate their security and be able to communicate it to potential clients
and i think that's going to become a problem it'll be interesting to see too what happens with the
compliance requirements and regulations audit requirements i mean we've seen over the last couple years of course
demand for things like sock 2 and iso audit going through the roof i think that will continue to increase but i
also think that um some companies i just want to get out i love it's my favorite thing ever the
sock 2 it's it is the it's the jam but uh sock two audits you got it i mean
you got to have them now as a as a service provider you know any type of technology service um it's basically
become an environment is your favorite part of stock to the fact that it takes a whole year is that is that what it is that makes it your
favorite is it i love people and reading their documentation
well you know this is a good you know just a segue uh you know an opinion in the data hoarding
right that you're talking about these third-party clearinghouses right and you know we've got we've seen just a terrible amount of
companies that are saying send me all your policies to review okay well you know you want to do business with me i'm
a small company i'm going to send you all my policies but now i'm violating my own policies by not sending you a
security questionnaire because now you've got all of my documents you've got my you've got my architectural
diagrams you've got my data classifications um you know and so what what what do you
do with that are you just sticking it on an internal sharepoint site where everybody in your company has access to it and so it makes this kind of like a
weird gray area and my advice to companies that are getting the security
questionnaires and they're saying send me your acceptable use policy like how about no how about how about you do what
all of the the highly intelligent companies are doing and they're just scheduling a meeting and they're asking to see your acceptable use policy making
sure that it's got the right stuff in it right like you know you you've you've dated it and you've checked it
and they can take a quick screenshot of the front page for and to basically ascertain that they've reviewed the
acceptable use and it does meet minimum requirements right you don't need to send them this 14-page document that
they're going to stick on an internal sharepoint site that everybody's going to have access to and they're going to forget about it right they're gonna
because this is for a sales process so the the risk team's gonna grab all your documents they're gonna throw it in a
pile and they're gonna move on to the next company next thing you know you've got 150 gigs of random company files
that you probably shouldn't have so you know my advice to anybody listening out there that's doing this
security questionnaire stuff be smart about it okay don't be a data order if you need to review a company's
document set do it do it in a zoom meeting do it in a webex meeting do it you know do it in person
um anything is better than you know you know uh accidentally becoming this data order of sensitive files on behalf
of some other organization right well you're also then liable right yeah absolutely
so why acquire additional liability yeah exactly exactly and then you know now you're
responsible to answer the the company's questionnaire because you've got their documents set so
you know taking other people's documents is like no honey i won't post these new pictures of you if we break up
[Laughter] revenge pride revenge compliance
that's that's elite leaking out to the dark web yeah look how crappy these documents
are this company failed me and i posted all their security policy well you know another i don't know if
this is there's another right it just showed up in my crystal ball just now but it'll be interesting to see how many
uh audit firms and how many other firms that are compiling massive amounts of
data from other companies about their security programs and how many attacks are are targeted toward those types of
companies right because that's the gold mine for a cyber criminal right not only
not just not just the the critical systems like we saw you know with microsoft exchange and solarwinds and
such but um getting the the inside scoop on many companies information security programs through
one breach yeah yeah absolutely probably happen it probably will yeah no it's it's yeah
you know it's not a crystal ball it's a that's an ice that's a ball ice cube in your scotch whiskey so let's just be
straight here okay zach does not have a real crystal ball he's drinking whiskey with a spear ice
cube in it and he's staring into it so and i said as i say that as i say that i
i regret saying that because if and when it does happen um i just hope i'm not a suspect this is
just these are assumptions right you know that that's kind of the problem with cyber security predictions right
you say oh this type of organization is going to there's going to be a big breach well that's just yeah i mean you
could throw it you could close your eyes and throw you know a dart at a map and you're
going to hit somewhere that gets breached i mean that's that's kind of this so we uh we are not profits here we we do not
you know this is this is just just off of assumptions and there's plenty of garbage out there on the internet that
said you know all the predictions for 2022 uh we don't claim to be that right i mean and some of those things are good
so there's some good information out there and interesting stuff but um let's just instead be proactive and be
prepared for what what could possibly come up against us right let's do that just like
in combat you know you're not going to try to predict every single possible outcome
you're going to try to predict the most likely occurrences planned for those and then have lots of different you know
contingencies emergency plans for all the other stuff that could go wrong
so that's relevant because i mean this this is cyber warfare we are in a cyber war we have been in the cyber war for 20
plus years so i mean i think that's that's an accurate statement zach that you got to just kind of predict for
what's going to happen to you and and what organization you know what space you're in right um
well i was going to say is we created our own battlefield right we by adopting all these latest and
greatest tools we've left behind some of those tried into practices that
still work and would prevent a lot of this for example off-site offline backups how many
companies don't do that that everything's online and they get corrupted and they get to you know
simple things like that um i worked at a very large company and they were like well we back everything
up to these to the sand in another location i said what happens if there's corruption and they're like well we just restore from
back up by this corruption travel and they're like oh yeah and i'm like well then you don't really have a backup solution do you no
and a lot of the breaches we've seen um you know in 2021 you know the recovery times were
horrible largely because these companies believe they were backing up enough and they were they absolutely were not
backing up at all as much as they needed to and so i think you know most of the outcomes from some of the breaches that
we've um we've had some first-hand you know kind of experience with one of those outcomes is a
highly frequent backup highly frequent well and then test the backups test your
restore i can't tell you how many times i've asked the client how long is a full restore tape i don't know we've never tried it
yeah yeah that's a that's a very common answer so yeah i know that's that's a huge point is
2022 if you're not backing if you think your backup methods are are adequate just
take another look at them okay and and play the part that malware's eradicated your whole organization how long is it
going to take you to recover you know and and if you're using kubernetes you know yeah i understand that's that's different but for for
maine for you know for like mainstream i.t stuff that's still kind of happening in a large majority of the
organizations that are out there you're probably you might believe your backup
methodologies are sufficient i i i i just beg you to please please review
your backup methods because we yes and test them because we've we've
had lots of organizations that we've you know kind of investigated that believe that they had enough um backups
to recover quickly and that that was not the case um it's it's taken some organizations over a month to recover
from some of these uh from some of these attacks so yes sir good point mike
i'm pretty sure with our hundreds of millions of listeners out there that somebody is going oh crap i need to do
this right now if that's you if you have that feeling in the pit of
your stomach don't wreck your car if you're listening
a doctor telling somebody they have cancer you know and it's it's like oh not a good situation to be in but uh
but okay so let's stare back into zach's um in whiskey crystal ball and the one the one
other prediction i'll say is that cyber insurance is going to get a little more fierce and competitive in the next year
to two years more expensive and more expensive in what you know it's not going to be like oh you know your
company your cyber insurance client's going to cost you 100 a month no they're going to be actually sending you
they're they're going to be sending you questionnaires saying okay what does your security posture look like today and those answers are going to directly
and affect your your pricing and your coverage um because they're they're they're
liable right i mean if a breach happens they have to spend ton of money to send people out give you money to help you recover
so you know just like car insurance they're gonna start looking like well how bad of a driver are you okay well
you've had like six duis yeah i'm not gonna give you the you know you're not gonna get full coverage engines for a hundred dollars a month i'm sorry right
um so you know the i think that's that industry is gonna going to change quite um
quite a bit and and it might even happen sooner than we think because they're taking all of the liability to
cyber insurance companies and they're going to start looking at their losses and saying okay what do we need to do to make sure these companies are actually
in a good place before we start insuring them and so you know you think about that right so i think a lot of these
cyber insurance policies are gonna you're gonna change and um i believe we had a good podcast episode of that in
last year right um yeah with tony robbins yeah yeah with tony robbins absolutely so yeah if you didn't hear
that go back and listen to it that that was a lot of good information for for everybody who's um you know you know
jumping into cyber insurance uh to try to get that to cover to cover their businesses for for ransomware and cyber
attacks and those sorts of things well and one of the things that's going to pop up is going to be some kind of shadow system
like you know the credits credit reporting where the insurance companies are going to get together and say this company's not terrible this company's
not insurable so you can go shop to 20 different companies and they may do a look up to this and go you're not
insurable you know based on our initial analysis yeah absolutely it i think we need to do
is create kind of like uh kind of like carfax right create create cyber facts
and you get you get a black eye it goes on your on your report there and and uh
um not to say that that you know past occurrences are what's the what's all the the investment
legal jargon past past
yeah future outcomes or results not to say that but yeah it would be interesting to see i think that
something like that that's very very feasible for something like that to
pop up which um could be good and bad i think the downside to that is that more and more companies there's already i
mean we know so many companies cover up their breaches and never say anything never report anything but um that could
that could make that worse if well look at that that we talked about in the news i mean yeah their their attorneys basically gag
everybody right i mean home depot is a great example that that hack had been in place for you know almost a year and
then they didn't report it until six or seven months after they remediated the situation um you know and that was probably
largely because they were scared their stocks were gonna go down if they said anything about it so they wanted to make sure before they announced anything that
they had it all under control because they didn't want to tank their value um and so yeah you see a lot of this kind
of i don't want to call it underhanded but i mean it kind of is right i mean your responsibility is to report it i mean especially if your incident
response plan say you need to report out to your customers in 24 hours clearly some of these companies are not
doing that and i largely believe it's like you know attorney base you're telling them no they don't say anything yet well we'll let you know when
anything yeah now the other thing that i see that's kind of detrimental is there are companies out there and i'm not
going to name them but that do the scans of of your ips and they they list out
all your vulnerabilities and it's available on the internet for you to pull that down and get a score
and it's not necessarily indicative of anything that you're doing right yeah sometimes i don't even have your right
ips yeah and then yeah and they have to you have to pay them to have them rescan and pay them to have that data removed
it's basically extortion right yeah and what about honey pots honey nets and all that i mean how you
know they can't take it stuff like that into account a smart company could have a bunch of vulnerabilities from the
outside perspective right but that it could be there for a reason you know um
it just uh yeah some of that some of that stuff well it's it's the cyber security gold rush right and that's
there's there's another prediction for you um the more money is going to flood into the cyber security market causing
people to create things that aren't really moving the needle in terms of reducing risk but are
very um much you know just endeavors that are made to
um you know pump up a certain stock or create a bunch of uh
investment dollars and let people cash out for high rates of return and ultimately not
protecting more organizations and on top of that though i do think the consumers
of cyber security and cyber security services are going to start doing their research more i think they're going to
get smarter um i think they're going to start seeing that these companies that um just roll up a bunch of you know
little it companies or something like that into one and then slap on the cyber security label i think they're going to
realize okay these this isn't actually what we need or these certain tools that maybe they provide a
nice dashboard but they're not actually helping to mitigate risk these aren't the answer for us and maybe
we need to get back to the human element um
right that'll that more more word about that stuff we'll we'll get out and um the market will be
better educated over time going back here it's the maginot line of cyber
security yeah and there's no technology that's going to solve your problems right there's a lot of cool marketing
stuff that's happening to make you think that something might save you and unfortunately there's not a technology
that's going to be a a qualified human that's actually looking at the issues for you so you know keep that keep that
well it's things like you know requiring a film right and fem die i get it i understand why we need it
and there's certain companies where you just got to have it however if you're a small company and you get some kind of femme module and you employ your
environment who's going to review all that data all the positives and false positives and everything else you got to have
resources to do that right so then you're looking at outsourcing things like that and that's things to keep in
mind i mean it's a great tool but you know what are you going to do how are you going to manage it buying the tool by itself isn't going to solve any
of these problems yep now feminism i have like huge heartaches about right and i think we talked about that in the
book um they they seem to be meaningful but it's just it's a lot of you know it's
like painting for gold right and i mean you you may have hundreds of tons of paper to pull out a one gram nugget and
it's it's you know it's very maintenance intensive it's very false positive
um remediation intensive and most importantly it takes people to look at this data
build tickets go track it down just to find out that you know somebody you know didn't change their password on their phone and you know the
phone's trying to log into the exchange server with the previous password it's like oh my god we're getting hacked and
that's you know just not the case it's just you know you know you know bob employee bob just you know forgot to
change his password on his phone and you've you know how many hundreds of thousands of dollars in man hours have you spent to find that out right is that
really is that really um you know beneficial to the organization so you know i completely agree with you on fem
it's it's certainly it certainly has its use in the industry and it certainly has purposes for
certain computing systems in certain companies but it's not for everybody and it certainly takes a lot of tuning right
i mean it's it's a big undertaking to put in something like that you just can't plug it in and be like okay watch this system um
none of that works that well why do i have a terabyte of log files also
yeah that nobody's looked at you know what i mean and so but but they'll sell you that right oh plug this in it'll it'll stop anybody from you know
modifying the computer or modifying this and they don't tell you you know what i suggest is if you're thinking about sim or
whatever product download the manual you know i'm not going to say rtfm because all my engineers out there know that but
look at that look at that deployment guide the administrative guide and and figure out if you're going to be able to
do that with one it person you have already that's you know 110 utilized so
you know don't don't don't jump into it just because some framework says you got to have it okay there's certain well certainly
other things well gentlemen we have um we've we've predicted a lot here and maybe
maybe one or two of those things will come true but probably more but i think i think a lot
of what we're talking about here is just the the natural progression the natural evolution of what
is going on in the cyber security world and uh we sprinkled in some good information about tidying up your
cyber security program this year um so a lot of good discussion and we will certainly have more in the coming weeks
but our time is passed up here and uh i do want to give you guys both an
opportunity to leave us with any final remarks before we close it out
i'm sure people are i'm sure our listeners are about done at this point so have a wonderful drive to work
yeah and uh we'll talk to you next week yeah add something to the risk register
you know what i mean yeah check your backups test your backups there you go well my scotch is about
empty here so time to sign off thank you everybody for listening and have a wonderful new year
hope your year is going well already um lots to lots to do this year but lots to
look forward to as well so keep plugging away keep improving
always get better and by all means reach out through linkedin through our website
cyberrantspodcast.com which as mike said you will also find all the links to the news articles that
he talked through and a bunch of other good information previous episodes all that good stuff so thank you for
listening be sure to rate the podcast comment let us know your thoughts and
share your ideas for future topics with us thanks a lot and have a great day thanks everybody
pick up your copy of the cyber ants book on amazon today and if you're looking to take your cyber security program to the
next level visit us online at www.silentsector.com
join us next time for another edition of the cyber rants podcast
[Music] you
