Week in Review: New York Times theft, Club Penguin hack, NHS wants blood

Released Friday, 14th June 2024
Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00
From the CISO Series, it's Cybersecurity Headlines. New York Times source code stolen using exposed GitHub token, angry Club Penguin hackers allegedly steal Disney data, and NHS out for blood after a cyber attack. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines, much like a skilled arborist. We're pruning, we're supporting, we're encouraging, we're roping things off, we've made it all nice and tidy. Now for some insight, opinion, and expertise from our returning guest, Janet Heinz, the CISO over at ChenMed. Janet, thank you so much for being here. It was a thrill to have you on last time. So happy to have you back for this week's news.

0:43
Thanks for inviting me. I'm very happy to be here. Can't wait to dive in.

0:48
But yet we must wait, because we have to thank our sponsor for today, Vanta, compliance that doesn't suck too much. Now before we jump into the news, remember, we are on YouTube live. It is a video platform. I guess if you're not familiar with the site, youtube.com, be sure to check it out. You can also check out cisoseries.com, hit the events drop down and look for the Cybersecurity Headlines Week in Review image. Click on that. You'll also be able to watch us there. And if you're there, you can contribute comments in our chat. We love to get your questions. We love to get your opinions on stuff, even challenging what we're saying, as long as it's constructive and in a good spirit. We love to have it. So thanks to everyone that shows up each and every week. I already see CCL making everybody feel welcome. Always good to have folks there. So without further ado, let's get into the news.

1:38
First up here, the New York Times source code stolen using exposed GitHub token. The announcement reads, basically all source code belonging to the New York Times company, 270 gigabytes. That was the headline to an ad placed on a 4chan forum post, referring to data stolen from the New York Times GitHub repositories in January 2024. Stolen data included IT documentation, infrastructure tools and source code, allegedly including the always popular Wordle. Later this week, we also found out it contains the PII for an unnamed number of video freelancers who had worked for the news outlet. The Times described the incident as when a credential to a cloud-based third-party code platform was inadvertently made public, which also sounds like a horrible setup for a rom-com. So Janet, it seems that a great deal of data is being inadvertently made available through GitHub repositories. That's the point of a repository, to make data available and readily accessible. I'm curious, from your perspective, why does this continue to happen, especially from presumably someone we would think is a large company, the New York Times is a big giant company, and should companies and organizations tighten up their procedures around GitHub?

2:51
So first of all, I think that my, maybe now that I found out that Wordle was part of that, I hope my first word guess isn't exposed to everybody. I play Wordle every day. But seriously, having your code base exposed or stolen is very significant to any company. And I think the word inadvertently is sort of a common theme, right? Nobody's really, well, not nobody, but most people aren't looking to just say, here, here's access to everything. So certainly secure software development lifecycle, securing the keys and the ability to get into these repositories is really important. I think some of this inadvertently comes from convenience, and kind of that we've always done it this way, and not really understanding the true impact of some of these kind of conveniences that have been used in the past and probably should be stopped. We've certainly seen GitHub, and kind of Microsoft in general, trying to, at least perception-wise, double down on security, the whole Secure by Design initiative. GitHub, part of Microsoft, certainly part of that.

3:59
Yeah, true.

4:01
So it seems like we've moved beyond, a little bit, the very common AWS bucket left exposed, unencrypted, you know, sitting out there, and that still sort of crops up. It seems like we're having a similar kind of moment now with GitHub, that that's kind of becoming the next version of that. Is this just, you know, we have procedures waiting to catch up to use cases, in this case?

4:26
I think so. And I'd say that it's the same stuff, different platform. Frankly, it's really the exposure of somewhere, whether it was S3 buckets, which were probably, I'd say, pretty easy, because once it was ever discovered that people didn't really, say, understand how to configure them right... I mean, that area was gone after, and now they're finding these other places that have similar vulnerabilities. And, you know, someone else pointed out, wrong name, yeah, GitLab, same thing. It's not, like, my point is, it's not just a particular thing being targeted, it's, hey, where can we go to get that information, and maybe the security is a state...

5:11
I appreciate that. Is it just GitHub issues, or does that mean it's the biggest fish in the pond right now?

5:20
Next up here, angry Club Penguin hackers allegedly steal Disney data. 4chan, not only the site of the New York Times data breach, it also hosted a link to internal Club Penguin PDFs, a breach that not only contained old information about Club Penguin, the popular multiplayer online game that was shuttered in 2017, but reportedly also contained information as recently as this month about Disney Plus corporate strategies, advertising plans, links to Disney's internal websites and internal developer tools, Helios and Communicore, allegedly stored on Disney's Confluence server.

5:53
So, ironically, Club Penguin would make a great name for a cybercrime gang, just throwing this out there. We have Volt Typhoon, I guess, Club Penguin, maybe out there as well. But in this case, it seems to be a breach that went horribly wrong for Disney when the attackers inadvertently stumbled upon all this other much more serious and relevant data, right? 2017 data, I'm sure there's horrible things you can use it for. But last month's Disney Plus data, a little more valuable. I'm curious, what lessons can Disney and other organizations take from this?

6:25
Well, certainly, I'm sure Disney's going through a lot of, like, you know, what went wrong, as we, you know, people do when there's any kind of an incident. And we can get in, the word inadvertently is in there. I also did agree, I did, when I first read the story, not being a gamer, thought that was the name of a gang, if you will call it that, a cybercrime gang. Yeah, I was like, I hadn't heard this one yet. Then I was like, read it twice to get the gist. But yeah, I mean, this one was more really, I think, not knowing the details, certainly not having talked to anybody about it, seems like it has to do with not having things like that. And so who knows, maybe this Club Penguin game was kind of a, you know, an M&A they did, or, you know, and they just brought them into the fold without doing proper security assessments in advance, you know, having a flat network. These are all just my, you know, things that people in my line of work would think of when you read these stories, right? Nothing's confirmed or validated. But yeah, it's again, it's like not thinking through what, you know, I always say we build systems to run, we don't build them to fail. So what are the failure points? Right? How do you figure out what your failure points are? And, CCL again, hire the bad guys, right? They'll show you all your failure points for sure.

7:35
Yeah, it's like, only if you could trust them. Yeah. They'd be great IT infrastructure admins, right? Yeah, like, this is one of those stories where, yeah, the postmortem feels like it's way more interesting than the actual attack, in terms of, like, how those two get conflated over time. And yeah, the idea of not only knowing what data you have, that's a very popular conversation we're having now, when we're living in an age of data minimization regulation, but also just, like, who else has keys to things that are out there, right? That you don't even realize, and trying to get a handle on that. Certainly not an enviable position for sure. So if we get more updates on that, any more details on that, be sure to keep tuned to Cybersecurity Headlines. We will carry an update to that as relevant.

8:28
Next up here is something we're definitely keeping tabs on, NHS out for blood after a cyber attack. The UK's National Health Service, the NHS, is still suffering the fallout from a cyber attack on the pathology service provider Synnovis. The NHS launched a call for type O blood donors, as these universal donors make it faster to match for blood transfusions. Impacted hospitals have also requested medical student volunteers to mitigate the biggest impacts to patient care. The Independent's sources say two of the UK's largest hospitals canceled over 200 emergency and lifesaving operations as a result of this disruption. That was earlier this week, so I'm sure the blast radius for this has expanded even further. But, Janet, hardly a week goes by without another story about either hospitals or healthcare facilities being targeted and attacked in some way, disrupting some form of operations. But here we see tangible results in the form of blood shortages and staffing issues to cover patient overload. This ongoing story does not seem to be getting much traction, I guess, when we're, obviously in the UK, much bigger story, but this is a major hospital, like, impacting a large developed nation. Do you think political powers that be should be making more of an issue of this on the level of critical infrastructure?

9:42
Yeah, that's exactly where I was going, right? Healthcare is obviously a critical part of the critical infrastructure, and the very human part of it as well. So learning from this that patients are affected, emergency and life-saving surgeries were canceled or had to be deferred elsewhere, and then I think I read something about folks who were recently diagnosed with cancer can't really start their care related to that, so it's really, really significant. And, you know, we read about attacks on healthcare in the US as well, and I think, to answer your question, I think it should be more of an issue, because it is critical infrastructure. And, you know, the government is doing some things, but I do think that it would be, if it was given, if the light was shined on a little bit brighter, there'd be more done, right? That's more hope, well, and I hope.

10:40
But, you know, the thing we learn from these attacks is just how wide, again, kind of the software supply chain conversation, right? Post SolarWinds completely changed the idea of, there is such a supply chain for healthcare, when we're talking about, like, processing insurance claims in the US. When it comes to, if you had told me a hack on a lab pathology provider would have had this kind of impact, I, like, just as an everyday person, I would have no idea of the kind of disruption that this could cause. So just kind of getting a broad public awareness to say, like, no, no, this is an enormously complex chain to give you the thing at the hospital or at the healthcare clinic, and we need to be, like, holistic, like looking at that as an imperative when it comes to security, because these organizations are vulnerable to having an outsized impact, perhaps, when there is any kind of disruption.

11:29
Yes, definitely. Thinking that, you know, these kind of news stories really provide us the, you know, incentive, if you will, to look at who do we rely on and for what, right? And then see where that impacts us downstream. I mean, that's just any company in any industry should be doing that, but the critical infrastructure, you know, much more of a focus.

11:53
And Christian Emery in our chat says, definitely a challenging story from a cyber perspective, but impressed to, you know, kind of call on people to, hey, get blood donors out there for the universal donor stuff. And yeah, kudos to people stepping up to try and help everybody out, and the volunteers too. I mean, those are, you know, medical students, famously not exactly having a lot of spare time. So to be asked to volunteer on top of that, you know, kudos for doing that.

12:18
Yeah, and one of the other comments also, I think from Christian, was about non-tech workarounds, but, you know, there's also the thought of having an optional tech, right? That plan B could be technical as well, right? And so, you know, why are we relying on one supplier for something when we maybe should have two?

12:34
Yeah, for sure. And a lot of that goes to the, I'm sure, the uniqueness of the UK's health service as, you know, and this is the other problem, is that no healthcare system is a monolith, even in the US, the UK. That's the other issue too, is best practice in the UK might not apply to our much more privatized healthcare sector here in the US as well. So healthcare, famously, extraordinarily difficult. So, but yes, definitely something that we will be keeping an eye on, whether it's legislation in the UK, EU, elsewhere in the world, and certainly in the US, we will be keeping tabs on that from a cyber perspective as well. Before we move on to our next story though, we have to spend a few moments with our sponsor for today, Vanta. Whether you're starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, and more. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security. Our listeners get $1,000 off at vanta.com/headlines. That's vanta.com/headlines.

13:57
All right, our next story here, Pure Storage hacked via Snowflake. Back on Wednesday, security firm Mandiant warned that a threat actor named UNC5537, less catchy name, their guys, is systematically compromising victim organization data through Snowflake and attempting to extort them. Snowflake is a multi-cloud data warehousing platform. To date, 165 organizations who use it have been potentially exposed. Mandiant said the three primary factors causing the compromises were lack of multifactor authentication, failure to rotate credentials, and a lack of network allow lists to limit incoming Snowflake traffic to trusted sources. Storage provider Pure Storage reported Tuesday it's become a victim of these breaches. The company said analytics data was impacted, but strongly emphasized that no customer data was compromised, although, given that these are high-end storage arrays, that could be sensitive data. So Janet, all three of these compromise factors, lack of multifactor, failure to rotate credentials, and, you know, the lack of allow lists, appear to be, like, process, human origins of the problems here, basically just things coming from inside the house. I'm curious, as a CISO, what are your thoughts about these, I guess, internal issues, for lack of a better term? Should Snowflake have done more to, you know, but I guess, at least in terms of the MFA, or is it unfair to really put the burden on them?

15:22
You know, I'm a little on the fence on that. Part of me, as, you know, these larger companies, and there's many of them out there that don't require MFA, I think, where we are today, I don't know if it's because of customer acquisition or, you know, lack of interest, and for some, trying to keep their use frictionless. Again, yeah, making it convenient. Yes, it just doesn't seem like an excuse for it anymore. It's not the end-all, MFA is not the end-all, there's other ways, of course, it can be bypassed, but it certainly quiets it down a bit. And the other two are, you know, rotating credentials, and, you know, limiting who's going on here, the IP addresses that everything is allowed to come from, and don't want anything else. And those are just, you know, table stakes at this point. I mean, I think that's what we can more easily do as companies. And, you know, if you haven't heard about this one too much, it's kind of an interesting one, because the companies that are involved, or the 165 companies Mandiant identifies, their credentials were found in other ways, and some of them, I think they said, were stolen as far back as 2020. So there's no rotation there, it affects proper credentials, from 2020, and it works today. So it's, I think it's the shared responsibility in this one, but it's also, I do kind of stand on the side of, we should just require multifactor. At this point there shouldn't be any option. You know, the big email systems, business email compromises that happen, same thing, like it should be required. It's like, we felt like we wouldn't wear seatbelts long ago, you know, and we'd bounce around in the car, and then we learned that was bad. So if, you know, they require it, people are... Yeah, let's do it.

17:09
At least Snowflake has learned the lesson of don't blame your customers. They're, like, explicitly, they're not making you do it, which is nice, but sure, at least they're not, like, openly throwing people under the bus. So I guess, good on them, good marks to your marketing team or to your comms team, they learned well.

17:29
Our next up here, White House report highlights increase in federal incidents. A new White House report reveals that eleven US federal agencies reported a 9.9 percent increase in cybersecurity incidents in 2023, totaling over 32,000 cases. The most common incident was improper usage, while phishing and malicious emails saw the largest year-on-year increase. Significant breaches included ransomware attacks on the Department of Health and Human Services, repeated data exposures at the Treasury, and a successful phishing of an employee at the Office of Inspector General. According to the official White House release, the report is being used as an outline for the administration's cyber investment priorities. Improper usage here means the system was used in a way that violated the agency's acceptable use policies. I'm shocked that that number isn't in the six digits or something like that, but that's just the ones they caught, I guess. The report stated that agencies have the capability to detect when security policies are being violated, but not the ability to prevent it from actually happening. I got a couple of questions on this. Speaking as someone who immediately gets hit with a $45 fee the instant a bank account goes into overdraft, like everybody does, I know the technology for taking instant action exists, like there is a cause and effect thing there, at least for my financial institution. Is it acceptable for more than 32,000 cybersecurity incidents to happen, especially given the number of agencies the government employs for cybersecurity?

18:55
I was actually shocked to see that in the report, too. I thought that was interesting. It's almost like, we can't do anything about it, we'll throw our hands up, we can't do anything about it. You can. You really can. Have you tried? Yeah. Can we help you see how to do it? The report's being used to outline their future investments. I read that, too. I read their investment priorities. It's hard to see the exact alignment. I think that they got some explaining to do a little bit there. They have a lot of employees. Their numbers are bigger. When you look at numbers, it'd be interesting to see maybe percentages, because that may put it in perspective for companies that are smaller, because it does sound like an awful lot. The problem with automation is it scares people. If you turn on automation to shut off or reset a password or take down a server or whatever automation you want to put in place, it'll stop something from happening, and like normal business, right? And so that's scary to people, and, you know, trying to weigh the pros and cons of, you know, is the automation correct?

20:12
Yeah. Well, and also the reality that, like, inevitably any automation requires scaling up before you, like, gain any of that. Like, you know, I know that that is not a trivial effort to make, right? To say, oh, just throw some automation at us. You know, that is oblivious CEO 101, I guess. But the idea of, you know, when it comes to acceptable use policy violations, I mean, like, that sounds not great, but it might be connecting a device over Wi-Fi that's not supposed to be there or something like that. Like, that's the kind of thing we're increasingly seeing in cybersecurity of being like, OK, this is where we need that just-in-time awareness, right? As opposed to the annual, you know, quarterly stuff like that. And to me, that would be like, OK, if we can just, like, scale that down at all by, like, letting people know as soon as they break that policy, it's like, oh, you reused that password again, or just anything like that, instead of having it be, you know, oh, here's our name and shame list in the quarterly drudgery of security awareness training, you know, would be a lot better space. Again, I know there are a lot of reasons why it is hard to move quickly with the government. Same thing with healthcare. But, yeah, it seems like try something might be a good idea.

21:26
Yeah, I agree. Do something. Please, please. You know, here's some tax dollars. Do something.

21:35
Next up here, in our last story for today, email scam cost Massachusetts town $445,000. The town of Arlington, Massachusetts is admitting to being the victim of a social engineering attack. According to a statement from the town manager, Jim Feeney, town employees started receiving legitimate emails from a vendor involved in a project focused on rebuilding a local high school. However, cybercriminals had compromised some town employee user accounts and were monitoring email correspondence. Criminals then sent messages from an email that appeared genuine, requesting a change in their payment method from check to electronic funds transfer. So Janet, we chose the story not to single out Arlington, Massachusetts, but to show just how easy it is for social engineering specialists to move laterally within organizations. We've seen a lot of municipalities getting hit with a variety of cyber attacks, I live just outside of Cleveland, able to attest to cyber attacks. What are your thoughts about this incident?

22:31
This is unfortunately happening all over. The small towns are getting hurt, small and medium-sized towns are getting hit, and that's proving, honestly, a more viable cyber attack, or as I... This looks to be a business email compromise. The bad guys sat there, and, much as what happens, you know, probably thousands or hundreds of thousands of companies at this point, where they just sit there and watch, and something really interesting comes up, like a bank account or a financial transaction or contract negotiation or whatever, and then they jump in and take over, to the point of, you know, blocking the real emails from coming in, adding email forwarding. All sorts of things are happening. This blurb didn't seem... I mean, I'm gonna go back to MFA. A lot of the smaller municipalities, following these companies' systems, some of them, I bet, aren't required, some require MFA. In fact, that same, like, basic hygiene. And then the other is the process, talk about, as you know, what's the approval process? It requires two signatures, two sets of eyes. You know, there's all sorts of ways this can be, as educating accounting departments, or accounts payable departments, anybody else that has to do with, you know, paying out money, keeping them educated on it and sharing these stories so that they see it's really happening. It's not like something my security person is just paranoid about and, you know, bothering me about. So yeah, real stories help.

24:07
Yeah, as David Peach says in our comments, you know, classic BEC, and points kind of to your point about hygiene, you know, more awareness is part of the answer. And I'm glad you said part, David, because yeah, that is, you know, this is not something where there's a silver bullet to kind of fix any of this. But honestly, in the milieu of municipal cyber attacks that we've seen just even over the last couple of months here, I mean, just financial loss is almost the best case scenario at this point, as opposed to, like, city services getting shut down, you know, not being able to pay utility bills, and they'll worry about things getting shut off and stuff like that. Like, this is horrible. And that is, I'm sure, a lot of money to that organization, especially when you think you're doing, you know, your civic duty, hey, you're helping out a high school. And to lose that money, you know, devastating, I'm sure. But yeah, in this day and age, unfortunately, like, I don't want to say best case. But I guess it could have been a lot worse if they have all your email, right?

25:07
Yeah, I mean, I had a town like that recover from a half million dollar loss, it goes to the taxpayers. Yeah. Yeah, that's the big shame of it. Yeah. It's not just the town itself. It's the people, all the people.

25:19
All right. Well, thank you to everybody that's been communicating in our chat, having some really great points. Like I said, David Peach, CCL, Christian Emery all getting involved in here. And again, that just makes it way more fun. So if you have been on the fence about joining us for a Week in Review show, we're here every Friday at 3:30 p.m. Eastern. Join us on YouTube, subscribe to the CISO Series YouTube channel, and have some fun with us. Before we get out of here, Janet, was there any story there that was a thumbs up or an eye roller for you, something you reacted strongly to in the lineup this week?

25:50
I think that the one that kind of, because it hits a wide group of people, is the whole Snowflake. It's not really a Snowflake, but Snowflake-adjacent. Yeah, yeah, that's a good way to put it. And the problem, primarily, I think, because, you know, our tech people, the people that use Snowflake are tech people, and shame on us for, you know, not doing the basics. The people that were probably telling someone else about doing the basics got caught doing the exact same thing, probably, at that point, probably.

26:23
Yeah, well, thank you so much, Janet Heinz, the CISO over at ChenMed, really phenomenal. I really enjoyed our conversation today. Where can people find you online if they want to see more of what you're doing and writing?

26:37
So I'm of course on LinkedIn, as is the rest of the planet, and I also have a website too, janetheinz.com, which, you know, I've got some more information about me and what I, you know, my activities. So feel free to go there as well.

26:50
janetheinz.com, very, very cool. We have the link to both of those in our show notes. Thanks also to our sponsor Vanta, compliance that doesn't suck too much, visit them at vanta.com/headlines. Thanks again to all of our audience again. We can't get everything up on screen, but we really do appreciate everybody that's participating. Like I said, just makes it more fun. Remember to come back next Friday for another great interactive day of information, starting with Super Cyber Friday, where our topic will be, this is kind of on everybody's lips, hacking generative AI anxiety, an hour of critical thinking about how to create constructive outlets around this technology. That's at 1 p.m. Eastern, 10 a.m. Pacific. That's followed by another Week in Review show, like I said, 3:30 Eastern on Friday. And if that's not enough for you, and I'm not saying it should be, you can get your daily news fix through Cybersecurity Headlines. Every single day, it's about six minutes, we'll get you all caught up. Until the next time we meet, I'm Rich Stroffolino, reminding you to have a super sparkly day.

27:55
Cybersecurity Headlines are available every weekday. Head to cisoseries.com, stories behind the headlines.
