00:01
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:11
Welcome to CyberSound. I’m your host, Jason Pufahl, joined today by fellow Vancordians, Steve Maresca and Brian Brehart. I always like to introduce this and see if I can make you squirm a little.
Steven Maresca 00:24
Thanks. Hi.
Jason Pufahl 00:26
So today, today we’re going to actually introduce a new, a new potential segment, I think maybe we’ll do it, quarterly, I don’t know that we have a frequency necessarily. It’s all but, credit where credit’s due, this is Brian’s idea. And I think the idea was, let’s do a, what’s hot or not style segment in, I think we’ll typically have a couple of items that maybe have a little bit more meat on their bones that we might spend a couple of minutes on, I think we’re going to try to run through a 20 item ‘Hot or Not’ quick takes list at the end. But the but the idea really was, you know, in the spirit of trying to provide information, and in a way, maybe debunk some of those things that seem really, really hot or popular news that may or may not ultimately feel that important, and just have a brief discussion around them. So we’ll give this a go. We’ll see where things kinda end up. Brian, thanks for the idea. I think it’s, I think it’s a fun one. So we’ll see.
Brian Brehart 01:27
I got a million of them.
Jason Pufahl 01:28
I know, no shortage. So I think the first one is, and I’m gonna I’m gonna kick it over to Steve real quick,
Steven Maresca 01:35
A phrase that left my mouth and I regretted immediately.
Jason Pufahl 01:39
It’s hot!
Steven Maresca 01:40
It’s the Risk Management Minute.
Jason Pufahl 01:42
it’s hot. I like it.
Brian Brehart 01:42
I love it.
Steven Maresca 01:43
I am so sorry. In any case, this is about firewalls being compromised, which has been not new. It’s been frankly, a pain for a long time for multiple years, but particularly reaching a fever pitch, maybe in the last six months, eight months. Here’s what to think about. Your firewalls contain identities for helping people to authenticate to the VPN, they have certificates for getting, you know, things protected. Those are worthy targets if you’re an attacker, if you have a firewall like Palo Alto, Fortinet, FortiGate, you know, anything else, it doesn’t matter what the vendor is, assume that they’re being targeted, assume that they’re being attacked, and that there is a possibility it can be compromised, what they’re trying to do is pull off secrets, pull off configuration, modify it so that they can get access and do some more work in your systems. What do you do if that happens? Well, you have to reset passwords, you have to make sure you rotate certificates. And you know, consider what access is afforded to internal systems once that has been compromised.
Jason Pufahl 02:48
So what makes this hot? Is it Is there an uptick in vulnerabilities?
Steven Maresca 02:53
I wouldn’t say there’s an uptick in vulnerabilities. There’s an uptick in weaponized vulnerabilities and true impact, we’re seeing more entities being compromised in this fashion than we have historically. That’s it. So be safe.
Jason Pufahl 03:10
Any, any comment on that, Brian?
Brian Brehart 03:12
You know, I agree with everything Steven just said, it’s it’s not an uptick in vulnerabilities we have, you know, kind of the same amount. But yeah, it’s it’s just it does seem like they’re getting more bold, the the threats against these vulnerabilities, and they’re kind of taking advantage of them a little more. So, yeah,
Steven Maresca 03:34
One dynamic to also keep in mind, as you know, there might be a vendor advisory, it might have some mitigations. Make absolutely sure that if you apply mitigations, you go back and check the advisory, because sometimes two weeks later, they don’t work. And that actually is the reason some of the entities we’ve worked with actually have been compromised in those firewalls. It’s, you know, unforced errors and the vendor side of the equation.
Jason Pufahl 03:58
So in spite of doing the right thing, exactly, solving, yeah. Okay. That’s how it goes. So our second topic is, there’s new federal security incident reporting obligations. I know, Brian and Steve, that you both have had conversations with existing customers around some of these obligations. It’s interesting to me, so I feel like I put this in the in the lukewarm category, because I feel like there have been reporting obligations. So what’s changed here that makes this hot to you? Or is it a not?
Steven Maresca 04:29
I think it’s, it is not a not. I think it’s maybe something that will make people wince, I don’t know if that means it’s hot. But this is the Critical Infrastructure Act of 22, Cyber Incident Reporting, CIA as an acronym, it was put into place in March 22. But it’s been frankly a slow roll for getting it deployed since that time. It’s been in comment period up until June 3rd, 2024. So it’s about to become real. This has come to us from customers that are not considered those with critical infrastructure, so they’re trying to interpret whether they have reporting obligations, the new change here is that, you know, within 72 hours after an incident has likely occurred, it needs to be reported, if a ransom payment is made, it needs to be reported within 24 hours. And it authorizes CISA to request information and compel information disclosure. That’s kind of the meat of this act. And most entities need to know that unless you’re classified under federal rules for critical infrastructure, it probably doesn’t affect you, doesn’t mean that you shouldn’t behave as though it does. It’s more of a, you know, best practice to report aggressively, as soon as you haven’t yet.
Jason Pufahl 05:45
It’s more doing the right thing rather than being obligated.
Steven Maresca 05:48
Exactly. But types of entities covered are, you know, chemical processing plants, manufacturers in critical health safety industries, power generation, power transmission, state local entities, some educational facilities, some not all, generally speaking, public essential health services, and so forth. There’s a huge list, we can publish an article on our site, we’ll maybe make that a little clearer. But the point is, it may impact your organizations, worth checking.
Jason Pufahl 06:20
Third one and this one, actually, I have to say this one seems a long time in the making, it feels hot, because it may be as a decision, but reported, I believe, I believe today or yesterday. I actually have to be careful because I actually because I have to be careful of language, because then Google won’t actually allow us to promote our podcast. So I’m going to say there has now been a decree that we can no longer sell Kaspersky in the United States as of September 2024. I believe it’s September 29th is the specific date of 2024. Yeah, I mean, that’s hot. And I say that’s hot, because I’ve been in a variety of conferences where Kaspersky speaks, and of course, right, the elephant in the room for them always is you’re a Russian owned company, what’s the risk if we were to actually purchase you, they always redirect that to talk about the quality of their technology with, frankly, that I think their technology is good. I think you agree with that. But there’s always been the underlying concerns around can the tool be weaponized, can it be used for something malicious? I think the language in the statement that was made was that there the software can be used for something malicious? I think it’s I don’t know that there’s any evidence that it has been used for anything malicious. Right. So it’s really, I think, a mechanism to protect, theoretically protect us against the potential threat in the future.
Steven Maresca 07:48
And, you know, the basic termination is that it’s considered a risk by the US government, therefore, any government aligned entity that still has Kaspersky as a software platform needs to make migrations die. Generally speaking, you know, there aren’t going to be penalties for organizations that do still use Kaspersky, or renew. But just be aware of that aspect. This is not necessarily new. Many, many organizations migrated away from Kaspersky in the 2014/2016 timeframe. It’s kind of a seven year slow burn, but this is an enforcement action, which is a new ratcheting up of activity.
Brian Brehart 08:31
Yeah. And it started, you know, in 2017, when it was banned from government computers. And then there have been other, you know, other governments throughout the world who have enacted similar nationwide bans. So yeah, as far as like hot or not, it’s a smolder to now we got kind of like a bonfire.
Jason Pufahl 08:55
Yeah, to hot, right? Yeah. But that’s a fair way to put it right. It definitely, definitely sit there for a little while, kind of keeping things warm. And now, now it’s official. Alright, Brian, you you are up, you’ve got a list that you want to walk through. So we’ll see how that works. This works.
Brian Brehart 09:12
Okay. I’m a huge fan of that magazine, Wired, and they have this thing called Wired, Tired and Expired. So this is kind of where I got it from. So we’re going to have a list of 20, we’re going to, I’m just going to run through them. Minimal, you’re just going to say is it hot, or is it not? And we’re gonna start with the I would say the second big thing happening in the world. Generative AI. Is it hot or not?
Jason Pufahl 09:39
It’s it’s lava hot, obviously.
Steven Maresca 09:43
And will consume all the water and cooling capacity of data centers worldwide.
Brian Brehart 09:47
Yes, it is hot. There is no doubt about it. Scripting automation, is it hot or not?
Steven Maresca 09:54
I mean, welcome to 1997 and 2005. If you’re slow on the uptake, I guess.
Jason Pufahl 10:01
Yeah, maybe. Yeah. Maybe if you’ve never touched a system before, it’s hot, but not.
Brian Brehart 10:06
Well, I mention this because it’s, there was a whole like, do you have Python scripting? You know, so in in, in most job descriptions so but I think with now with generative AI, yeah, no, it’s not.
Jason Pufahl 10:22
Yeah it’s squarely not, and even without it, it should be squarely not. Right. Yeah.
Brian Brehart 10:27
Right. Social media.
Steven Maresca 10:33
That caused both Jason and me to have a very painful sigh.
Jason Pufahl 10:40
I’m going to I’m going to, I’m going to say hot. Yeah, I think I think there’s enough change in the space. That that there’s always news about your what you should share and how risky it is for you. So I will put it hot because of that, not because it’s new technology, but because the risks that people have around it.
Steven Maresca 10:59
The only way I’m going to agree there is because people are irritated about it. But I think mostly it’s cooled substantially in the last five years ever rightfully so.
Brian Brehart 11:08
Yeah, I’m with Steven I, I listened to a podcast called Offline and they talk about they do polling, and they talk about how like, kids are just leaving with the exception of TikTok. They still love TikTok. So okay, on that note smartphones, hot or not?
Steven Maresca 11:28
Oh boy.
Jason Pufahl 11:29
Not. I mean, they’re largely unchanged for 10 years, right, shorter, maybe some improved apps.
Steven Maresca 11:37
But we have 3D binocular cameras now. That’s just pretty sweet.
Jason Pufahl 11:43
Oh, you gotta weigh in on it though.
Brian Brehart 11:44
Next time. We’ll do smartphone add ons. This one I love because I love making fun of this thing. The metaverse.
Steven Maresca 11:55
Second Life, I mean,
Jason Pufahl 11:57
That’s, that’s not hot. But I will say the metaverse. It’s hot for those that can wrap their head around what it what’s the potential is, but I think for most people, it’s not it’s not clear enough what the possibilities are.
Steven Maresca 12:17
I think there’s a great deal of venture capital being thrown at a wall to see what sticks and a lot of it simply most of it doesn’t.
Jason Pufahl 12:24
But something will, so maybe it’s smoldering, it will be it will be it’ll be hot, but maybe not quite yet.
Steven Maresca 12:31
I’ve been hearing that since like 1994.
Jason Pufahl 12:34
Sure, I’m an optimist.
Brian Brehart 12:35
I’m a I’m a firm not because if it was going to fire it would have fired by now. And I think to Steven’s point about Second Life, that never really took off, so.
Jason Pufahl 12:49
So we need to circle, we need to run this one back in a year, then to see where, if we’re hot or not.
Brian Brehart 12:55
Yeah, while we’re on the subject, meta, Meta Quest VR.
Steven Maresca 13:02
Nope.
Jason Pufahl 13:05
No, hot. I’m going hot. The folks that I know who used them, they use them privately, but they love them. They love them for exercise there, they find them immersive, the price point isn’t that high, it’s a really interesting gateway into that type of product. You’re not wearing them on the street. I get that but I think I think they’re hot.
Steven Maresca 13:31
I’m not good for the bruised chins.
Jason Pufahl 13:34
Alright then yeah, there you go. I think I’m obviously more bullish than you guys.
Brian Brehart 13:40
Yeah you are. Well, while we’re on that, the Apple Vision Pro, which you technically should be able to walk down the street with.
Steven Maresca 13:50
I’ve been interested in such things. I never, I don’t own any such device, but they’re close. I mean, I think you mentioned a certain fiasco Brian earlier that’s worth invoking. Right?
Brian Brehart 14:03
Yes, yes. If if we all recall the the horror that was the Google Glass which I will say when it came out I was total hot total. But then you came to realize oh, there’s all these privacy issues and you know, as that poor gentleman who got physically assaulted, you know, by a customer in store so I think I think AVP and stuff like that will become once they kind of make it smaller, and they realize I think it’s potential beyond I think it’s a a a kin a cinder right now. But I think when we use it in terms of industry, I think you’re gonna see a real big thing for it.
Jason Pufahl 14:52
So let me just say, I think, so I do think I think they’re, they have the potential to be hot if the application, is if you can get the application out there. So the one use case that excites me, that somebody brought up is they potentially have the ability to translate languages in real time. So you imagine walking around another country and having that as a capability. That would be hot. But otherwise, I think the privacy issues and I think the general, the way it separates you from other people is still too much of a challenge and too much of a hurdle. And people will not have a hard time getting over that.
Steven Maresca 15:30
Yeah I mean look, this, this type of technology has existed for a really long time, augmented reality and so forth. We’re talking 30 years, it’s just miniaturization and localized processing that’s been the problem. Right? That if it works, yeah, we’re good.
Brian Brehart 15:45
And, and comfort, like, you know, as we talk about the uncanny valley of it all.
Jason Pufahl 15:52
Hey Brian, I’m gonna call the quick audible, because I think in the interest of time, we were supposed to just say hot or not, and we all want to have opinions. Yeah. Why don’t I think, for the fun of it, let’s jump down to the last three and cover them?
Brian Brehart 16:07
Yeah, let’s do that. The last three are online privacy.
Steven Maresca 16:12
Always hot.
Jason Pufahl 16:13
So hot. Yep. But I’ll admit, is it hot for us as security and privacy professionals and not that hot for a lot of other people?
Steven Maresca 16:24
I think people I think people’s interests are increasingly so.
Brian Brehart 16:28
Yeah, yeah. Okay, Caitlin Clark.
Jason Pufahl 16:35
Admittedly hotter than expected. Entered the WNBA with a bang, I think it’s been outstanding for the sport in spite of maybe people’s negative reactions to some of the to her entry into sport. I love it. Solid hot.
Steven Maresca 16:53
Who is Rebecca Lobo, Elvis? I need to crawl out from under a rock. I’m sorry.
Jason Pufahl 16:58
You do. Yeah. Only the most widely known female athlete right now.
Steven Maresca 17:05
I have two girls. I’ll catch up soon.
Brian Brehart 17:08
Yeah, she I’ve been watching WNBA, and one the stadiums are packed full. Full. Yeah. And they’re coming. So the the, what are they called? The infection? The virus? I can’t remember Indiana’s team. But it’s like a it’s like a disease and fever and the fever.
Jason Pufahl 17:28
Not the next day. It’s not that the DNA infection.
Brian Brehart 17:32
The fever. They’re coming to Chicago because we played on their pond twice. And I looked for tickets and they’re starting starting at $275.
Jason Pufahl 17:43
So yeah, so you can’t deny right, that positive impact.
Brian Brehart 17:46
And I bet you I can get a Bulls game for less than that. Okay, the big one, the big one, even bigger than generative AI. Taylor Swift.
Jason Pufahl 17:57
You know, amazingly still hot. Like, I love I have to admit, I love her music. I can’t figure out how to I’m not gonna deny it. I’m not gonna deny it on air. I’m gonna tell good or shout it out.
Steven Maresca 18:10
I’m just gonna say marketing and business genius more than anything else.
Jason Pufahl 18:13
Sure. But damn, she can pack a stadium and she’s been doing it for 1989? Was that her, right, the first one. So all along?
Brian Brehart 18:24
Well, now you’re getting a little far afield from my expertise about,
Jason Pufahl 18:28
I might be wrong. Does anybody know? Does that sound right?
Steven Maresca 18:31
We’re just proving that we’re a little.
Jason Pufahl 18:34
Is that the year she was born? So that probably was first album, an album called 1989. So I thought she had an album called 1989?
Steven Maresca 18:43
We should we should stop while we’re ahead.
Jason Pufahl 18:47
I’m 53 years old, I’m doing my best for Taylor Swift.
Brian Brehart 18:49
I will. I will agree she’s had and, and for all the reasons for what you know, it’s filling stadiums, marketing, she’s, I give her credit for that. You know, I had to look up what Taylor’s version meant. And you know, to her credit, she took possession of all of her creative works. And I think that was huge. I think that’s huge just in the industry, I think because she’s Taylor Swift. She took advantage of her status and said, I’m doing this and hopefully this will open the door for other artists do the same thing. So yeah, she’s hot.
Jason Pufahl 19:26
Yep. And for a long time, and I don’t foresee it stopping.
Brian Brehart 19:31
Yes, that’s it. That’s it. I hope we can do this again, though, because I think it was great.
Jason Pufahl 19:36
Actually. It’s honestly so we’re, I’m looking for your more. How do we make this a little lighter? How to make it more fun? I think this is a great personally, I think is a great segment. And so I’ll end with you. If anybody has feedback, I’d love to hear it because I thought it was a darn good idea.
Steven Maresca 19:54
I’m a grumpy old man.
Jason Pufahl 19:57
Anyway, Brian, thanks for that. Thanks for joining and thanks for the idea. I think it’s a good one. And maybe we want to add even a tiny bit more substance to the first part around tech that people have to be a little bit more wary of because you know, the security industry does a great job selling products. I think it’s our job to say these are, these are legit. And these are ones you might want to think twice about. So yeah. Yeah. Yeah. All right, Steve, thanks, everybody who’s listening, appreciate as always listening and hope you found this one enjoyable.
20:25
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn. And remember, stay vigilant, stay resilient. This has been CyberSound.