New Episode🔥The Cybercrime Junkies show is nonfiction true crime with leadership interviews, diving into the world of cybercrime and cybersecurity, offering insights for cybersecurity for beginners and non-technical people. Stay informed and protect yourself from cyber crime. Legendary CISO Matthew Rosenquist joined me on Cyber Crime Junkies and didn't hold back.
CHAPTERS
00:00 Welcome: Matthew Rosenquist on AI Risk for SMBs
02:24 How SMBs Are Actually Using AI Right Now
05:45 AI as a Gateway Drug: The Slippery Slope to Agentic Tools
07:51 Agentic AI Gone Wrong: Real Risks of Giving AI Access
10:02 When AI Acts as You: Permissions, Mistakes, and Liability
12:30 AI Rewrites Your Code Without Asking: True Story
14:19 You Need AI Governance Before You Deploy Anything
16:47 AI Deepfakes Are Applying for Your Open Jobs
18:28 Polymorphic Malware and AI-Powered Vulnerability Exploitation
20:22 Are EDR and CISO Tools Still Holding the Line
22:04 Technical Exploits vs. Phishing: Which Threat Is Winning
23:55 Patch Faster, Train Harder: Why AI Raises the Bar on Both
26:11 Iran, Israel, and Cyber War Running Alongside Kinetic Strikes
28:31 Critical Infrastructure Is Owned by Private Companies With No Budget
31:49 Decapitation Strikes, Ransomware Spikes, and What Comes Next
33:34 Saudi Aramco Proves Money Doesn't Buy Cyber Readiness
35:19 Meta Trial, Big Tech, and the Social Media Accountability Problem
36:44 Anthropic vs. DOD: AI Guardrails and Who Gets to Draw the Line
40:00 The Right Way to Deploy AI: Walled Gardens and SOC 2 Caveats
43:47 HIPAA, Healthcare AI, and the Compliance Gap
I wrote Moving Target because overconfidence is the enemy. Hardcover, paperback, Kindle, and audiobook. Amazon, Barnes and Noble, and more.
I wrote the Moving Target Trilogy because overconfidence is the enemy. Hardcover, paperback, Kindle, and audiobook. Amazon, Barnes and Noble, and more.
Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out at DMauro@NetGainIT.com or find more at www.NETGAINIT.com
New Exclusive Offers for our Listeners!
New non-fiction Book Series is out!
- Moving Target: The Art of Online Camouflage drops April 14.
- Moving Target: The Obedient Machine drops April 21.
- Book 3 -- Ghost and the Machine -- out soon!
🔥 4 years. 400+ interviews. Available on Amazon. We are all Stevie Parker.
Remove Your Data Online Today. Consider OPTERY Risk Free. Sign up here https://get.optery.com/DMauro-CyberCrimeJunkies
Or Turn it over to the Pros at DELETE ME and get 20% Off! Remove your data with 24/7 data broker monitoring. 🔥Sign up here and Get 20% off DELETE ME
🔥Experience The Best AI Translation, Audio Reader & Voice Cloning! Try Eleven Labs Today risk free: https://try.elevenlabs.io/gla58o32c6hq
===========================================================
Learn to stop cyber crime. ~Cyber Crime Junkies
[00:00:00] Ever notice that the people who say cyber crime will never happen to them are always the ones who wind up in the news and end up watching their system shutting down one by one? No idea why. No idea how long it's been going on. I wrote a series of books about that. They're called Moving Target.
[00:00:17] They follow real people through actual criminal operations, ransomware, elder fraud, account takeovers, exploding AI security risks, and pig butchering syndicates running like a Fortune 500 company. Written for regular people. These aren't IT books. These are crime books. True crime, written for people running businesses, raising families, and making decisions every day with no idea how exposed we really are.
[00:00:45] Stevie Parker made the same mistakes we are all making right now. Find out what they cost her before you find out what they cost you. Grab a copy of the Moving Target trilogy. Available in audiobook, Kindle, hardcover, and paperback. Links in the show notes. Come join me and learn how you can protect yourself and stop cybercrime.
[00:01:19] Imagine this. Your AI assistant went rogue last night while you slept. It read your emails, emailed your HR people, and several customers. It requested access to systems you never told it to touch, and then it got in. And that's not a movie. That happened to a real business. Running the same AI tools your employees are using today without your knowledge.
[00:01:48] I sat down with Matthew Rosenquist, one of the only CISOs that boards actually listen to. What he told me should make every business leader put down their coffee. Here's what we know. Matthew calls AI the gateway drug of today's business world. You start with having it do a LinkedIn post. Then your inbox. Then your financials.
[00:02:14] Then one morning you wake up and something else is running your company. And you are in the news for all the wrong reasons. Here's the thing that's already happening inside mid-sized manufacturers, commercial printers, and healthcare groups right now. That compliance and IT team you're counting on to keep you safe, it's not what you think it is at all.
[00:02:43] You need to hear this discussion. This is Cybercrime Junkies, and now the show. Alrighty. Welcome, everybody.
[00:03:12] I am your host, David Mauro. In the studio today is legendary CISO. The people that boards actually listen to. Matthew Rosenquist. Sir, welcome to the studio. Pleasure to be here. Thank you. So, we're going to talk about AI. And I'd like to talk about, you know, there's been a lot in the news. Obviously, there's been some aggression overseas as well.
[00:03:39] And I'd like to talk about the cyber implications, you know, and how that matters and what that raises the bar for everybody to watch out for as well. But there's a number of small, mid-sized businesses that have really been staying by the sidelines of artificial intelligence for a while. Like, they didn't know what to make of it yet. They're kind of watching from the sidelines.
[00:04:06] Now, in the last three to six months, we've seen some of them begin to kind of dabble in AI and try and roll it out. Or they're seeking guidance from the industry about, like, how do we roll it out? So, picture in your mind, mid-sized manufacturer, a commercial printer, like organizations that are, you know, 20, 30, 50 million dollar businesses. They are trying to roll out AI.
[00:04:35] And one of the biggest challenges that I keep reading about is how do they do it safely? And because we've seen so many larger organizations with seemingly unlimited budgets, obviously they are limited, but they seem to be unlimited compared to the smaller businesses. Really tripping over themselves and causing a lot of increased risk. What are you seeing?
[00:05:05] What advice can you provide? What's your take on it? That's a lot of questions. Yeah, well, I like to load them up. Meaning, okay, go. Cue them up, knock them down. All right, we're bolding now. Let's go. I set the stage for you. Now I want to hear what you think about all this. So, it really depends on what they're using them for. A lot of small and medium businesses, for example, they will bring it in for sales and marketing, right?
[00:05:34] To help with their packages or media or their social media presence, right? And there's some great tools in doing it. There's some not so good tools that can make you look bad, but there's many good tools and they're getting better to be able to do that. Now, those systems don't have access to critically sensitive data or operations that you need to worry about or your CEO's email account. Little things like that.
[00:06:01] So, rolling that out, you've got a much broader kind of range, right? When it comes to security, probably don't need it as much unless you misconfigure it. But if you're choosing to use it for something like CHAR, right? And you're going to process new hires or you're going to send out quarterly announcements to employees or give them their paychecks or whatever. Now, that's a little different.
[00:06:29] That's business critical, right? Employees don't like to work if they don't get paid. And there's a whole bunch of sensitive information involved in that. Okay, let me have you pause right there. Let me have you pause. Great insight. And I just, I wanted, that's what I was thinking. That's been my experience. And I wanted to hear it from somebody in the field, like from you.
[00:06:51] So, for an example, organizations that are leveraging AI within certain platforms, whether it's Salesforce, HubSpot, things like that, co-pilot within Microsoft Teams. But they're doing it for marketing content, to help them craft their LinkedIn posts, their Instagram posts, things like that. Relative, like no access to the P&L, the financials, the HR files of the organization.
[00:07:20] It's really for the creativity of it. It's to automate some of that, speed some of that process up. Iterate, like to, you know, like ideate with the AI, like, hey, we want to do this, give us an outline, and then they can humanize it. Things like that. Seems relatively safe, low risk. And it seems pretty, pretty helpful, generally speaking. Like, without a huge risk.
[00:07:43] Now, clearly, if they're uploading any of their intellectual property and things, they need to have the settings that are set so that it's not feeding the LLM. Or they need to use a sandboxed AI that is like SOC compliant, that type of thing. Right? But those are pretty simple fixes. Everybody kind of knows how to do that. If not, just ask. Anybody will tell you. Okay. But you brought up a really good point. So then we hear about AI and we talk about organizations.
[00:08:13] Well, maybe we should have a policy now. Maybe HR wants to do it. Or maybe the C-suite and CFO wants to use it for analyzing a lot of financials. Now we're talking a different platform, a different prompting mechanism. All of the risks drastically increase, don't they? Oh, absolutely.
[00:08:37] And part of the problem is even if you're bringing it on board to rewrite your marketing message a couple of times or get recommendations for a title for your next article or blog, that's pretty easy, pretty straightforward. But AI can be the next gateway drug. Okay? So here's what happens. It's a great phrase. I've never heard that phrase. And I love that because it is.
[00:09:04] Because I know not to use OpenAI, right? Or even Clawed, like, Cowork yet. Like, I don't want it accessing all my files, working while I'm at the gym, like, still going through all my files. And yet part of me is like, man, that would be really easy. That would be nice. It would be really easy. And I'm starting to go like, hey, man, like, maybe I could use that. It would really speed things up. And you're right. It's like a gateway drug. It really is.
[00:09:34] Because you see a little, you see massive ROI for just a little effort. You're like, well, if I do a little and it gives me a good, it's like the biggest Ponzi scheme ever. Like, you're like, well, maybe I want to really do it. Right? Go all in. Take a look at all my files. Look at all my. If it's working great for writing your, you know, your post. Well, wouldn't it think of what it can do for our P&L? Well, take it. Yeah. Right.
[00:10:02] So, I mean, it's still just writing for me. Man, that's so good. That's such a good analogy. So I'm just going to connect it to my inbox. Right? And once it's doing a good job, wow, it does really good in writing these articles or writing these. Right. You're addicted. You can't unplug. You're not going to turn that on. Right. And someone comes to you at that point and says, well, there's risks. All you see is there's a ton of benefit.
[00:10:29] You tell me there could be risks, but what I materially see is a ton of benefit. Let's talk about what are some examples of what can happen? Because we've seen it out there. One example I heard. Okay, well, you mentioned like OpenClaw, right? Yeah, like let's talk about OpenAI for a second. And okay, I'm not going to pick on OpenClaw. But, you know, the agentic AI systems. And we're going to see, I mean, tons and tons of them.
[00:10:55] And when these systems, and I've said this for over a year, right? The value of these systems are predicated on the access they have to sensitive information and systems. And if you want a 24-hour assistant to go through your inbox and summarize your email and prioritize important messages and get rid of the spam and auto-reply to things that you don't need to be involved, yeah. AI can do that.
[00:11:24] But to do that, you have to give it permissions to be you. And whatever it says, you have to accept that's you. So if it says something wrong, if it says something racist, something inappropriate, something whatever, that's not you. It listens to you.
[00:11:43] If it has access to your mic and you are talking with a coworker about what you really think about this employee or this customer, right? And it absorbs that because it's taking in everything and then it crafts an email out to that person addressing that, you could have a lot of issues. Oh, a lot of issues. We could have a lot of issues. The more you give it access and you give a perfect example.
[00:12:11] You may be using AI right now to record a Zoom call with somebody, right? And it's, you know, it's calculator and tabulating and analyzing who's speaking what and key points and summarizing. That's great. But if you've then also enabled your microphone or it to watch your email or your messages or Slack or something like that, it's absorbing everything you're talking about. And it may not know what's sensitive and what's not sensitive. Exactly.
[00:12:39] So when it does communicate, it may be incorporating those sensitive pieces, not understanding the context of what it was said. And how sensitive it really is. It may not blur the line. Right. It has the serious risk of blurring the lines between an internal meeting about client A and a client-facing meeting, right?
[00:13:02] And so you don't know if you're giving it access to act as you, just like you in a lapse of judgment moment could release something that you weren't supposed to to the client. You very well could. Right? Because the AI could do that. But there are more challenging and a little bit more out of the box experiences that we've seen come to pass that are even more dangerous.
[00:13:30] I was reading a particular article from somebody who said, yeah, you know, I was using this and it was reviewing my emails and giving me a rundown in the morning every time I got up and sat down at my desk. And I told it to go off and, you know, do what it needs to do to give me this information. Right. And the system actually decided that it would be more efficient and more effective if it gave a verbal rundown, right?
[00:13:57] Because the person wasn't reading the entire synopsis in email. Right. So it didn't have that capability. So it went off and researched, how do I do this? It found code, found problems with the code, rewrote the code, implemented it, right? And then went into his system and modified files, right? So that it could achieve what it felt was necessary to, you know, based on the objectives that it was given. So it had rewritten code.
[00:14:26] We have seen code be rewritten within businesses because the AI was given access and people thought it would be passive and it's just code, right? So it's going to go in and modify it to the detriment of the company. Right. Because the initial, it's that, it's the general adage that we keep hearing of AI is not evil, right? It's going to do what you tell it to do, but it will also do what it thinks it's best.
[00:14:56] It's going to do what you don't tell it not to do, right? It's all about those guardrails. Like you have to think what could possibly go wrong and make sure all those guardrails are in place. And it's virtually impossible to imagine every scenario that it can come up with. Well, because you're not as, you're not doing it. Like here's an easy one to imagine, right? Let's say you tell your AI agent, right? That, hey, you need to go write a report. An internal report.
[00:15:26] But the AI agent realizes I don't have access to the systems I need to have access to. But it has access to your email. So you've given it an objective and it's going to pursue the objective, right? So you've defined the objective. Now you don't define the steps. It defines the steps on what it's going to do to achieve that objective. This is a movie from the 90s. This is a movie from the 90s, right? It's going to continue to keep doing.
[00:15:53] You've got to email the admins of those other sensitive systems from your email account and request permission to get access to that sensitive data. Now you never designed or wanted it to, but it felt it necessary. So it does that from your email, gets access, has now access to far more data, systems, operations, everything else to be able to achieve the objective that you stated. Now maybe you learn it did that.
[00:16:22] Maybe you don't. But the fact that it has that, now it can cause all sorts of problems. Using it as you're using it today for marketing and content, creativity is fine. Generally speaking, the ROI is there. But beware that it is a gateway drug, right?
[00:16:44] And that next stage of vibe coding and going into agentic is one that really needs a lot of planning, a lot of governance. That's the word of the day. A lot of governance. It really does because it needs to be instructed on. It cannot, no matter what, hard stop all of these aspects, right?
[00:17:10] You need to be, you need to have people that have gone through this to really put those guardrails in place. And no guardrail is perfect, right? And that's part of the problem as well is no guardrail in AI, generative AI and agentic AI. No guardrail is perfect, right? If you have an intelligent AI. No, and we've seen a lot of use. We've seen other issues with AI and HR, right?
[00:17:35] We've seen it where it's clearly issuing bias in the resume reviews that it does, which one it tells you should pass and should not. It's got built-in bias and it's not necessarily aligned to the view of the company, right?
[00:17:52] And then we've also seen, especially for hiring remote workers, where AI deepfakes and custom, like, you know, people that are committing fraud, applying for jobs by having that resume that looks too good to be true. They get the interview. They show up on the interview. But we've seen videos of them, right? Where they are sitting there and being asked a question. They've got AI running right here off camera. It's giving them the answer. They're doing it.
[00:18:20] They get the job and they're not that person. They're working with a stolen identity, right? They're not that person. They're actually somewhere else in another country, et cetera. And I've actually, I've spoken with several organizations. One was a small business in Nashville. And I've mentioned this a couple of times. They were applying for, they build an app for law firms that assists with e-discovery and certain, so they were hiring for developers.
[00:18:48] And like eight or nine of the 15 interviews were all AI deepfaked. And the resumes were perfect. Of course. But he's like, but he could tell as they got into some of the detail, they didn't know it. Or there was a pause that was odd. Like he could tell still there were still some social clues that luckily the person hiring for the job was able to spot.
[00:19:16] But I mean, even a small business in Nashville, Tennessee had like eight AI deepfakes applying for the role. What are, like, this is a new world. This is a brand new world. Well, we talked about this before, right, as part of my predictions with AI coming into the attacker space and they're embracing it.
[00:19:36] It has circumvented those traditional boundaries that either attackers could, you know, shoot wide for a massive audience but with very generic kind of phishing and scams. Or they could be very narrow but with a really well thought out, you know, technically savvy type of fraud. But you can't do that to everybody.
[00:20:00] With AI, now you can have very, very credible high fidelity attacks and you can customize it to a massive scale. So, I mean, this is the tool of forever for, you know, cyber criminals. They love this. Right. Absolutely. Have we seen much polymorphic malware out there? I mean, I know that there was PromptLock.
[00:20:28] PromptLock was one that was spotted and, you know, it was polymorphic ransomware. But it hasn't – I haven't seen it commonly used in the – I imagine it's only a matter of time. But what are you seeing out in the – actually in the wild? Like what are we seeing? We're seeing proof of concept. We are seeing some of that. But much of the focus actually is in the vulnerability discovery space. And then it's in the exploitation generation.
[00:20:58] And there's so much room to play there, right, versus having to code something polymorphic. So when you're in the orchestration, right, that it's doing all sorts of crazy things. Right now, it's just so easy to be able to find the vulnerabilities and then rapidly develop an exploit that's good enough. It doesn't have to be nation-state quality, but it's good enough that they're going to use it. And again, and that's in technology, that's in process, and that's in people.
[00:21:25] So we're seeing AI target all of those. The ones in technology, the software and firmware and hardware, those make the news. But people also feel the pain when it comes to the social engineering and the human phase. And in the aspects of process as well, AI can identify weak processes, you know, your password reset processes, things of that sort that they can manipulate.
[00:21:51] So across the board, it's really helping in that first phase. AI can then generate exploits very, very quickly, good enough exploits, and then they run with it. And if that isn't working, they've already got four more vulnerabilities and they can rinse and repeat. So the effort level is still so easy on that side. Building the super complex malware and exploits, it's not needed.
[00:22:19] Why would you waste your time doing that when there's an easier path? So we're seeing the attackers follow the path of least resistance. As more resistance gets there, then yeah, they're going to get more complex in their malware.
[00:22:33] Have we seen any fundamental change in the effectiveness of common defense layers like endpoint detection and response, SIM, you know, the crowd strikes of the world, the Sentinel-1s of the world? Have we seen attackers able to use AI leverage tools that can turn those off and still get past some of those defenses?
[00:23:04] Yeah. And a lot of those tools are designed to not be turned off, to not be uninstalled, things of that sort. So to be able to do that, most of the time you're just hiding from them, you know? Right. But to actually go to the academy. You're dancing around them. You're trying to get to the same place but go around them. Right. To actually affect those and turn those off or severely degrade those, now you're getting into the more advanced malware on the scale. Is it possible?
[00:23:33] Probably. We don't see it yet because right now it's not needed. Simply evading them is sufficient enough to achieve their objectives. Right. So if, you know, they're looking for data or, you know, digital extortion, they're going to grab sensitive data. Again, why go that path if we can socially engineer somebody? Right. Let us around it. To get to the data, why engineer a more difficult exploit to turn off the security? Makes perfect sense. But I can just get around it. Okay. Right. Right. Right.
[00:24:02] Social engineering, still the main thrust of threat actors? Or is it— The rise of vulnerability, discovery, the ease of it? We're seeing technical vulnerabilities take a spike right now. So both of them are very high. And depending on what report you read, there was a recent report that came out—actually, it was in the last year—that actually showed technical vulnerability exploitation was higher than phishing.
[00:24:32] Wow. Okay. Okay. Well, that's great. But when you look at the entire chart, they had broken out phishing from other types—phishing, from smishing, from—and so they had—and if you added up all those social engineering attacks, it was actually more. So part of it was how they calculated the data. So it's important whenever you read those research to get the big picture and understand really what's there, how the data was gathered, how it was determined, all those kinds of things.
[00:25:01] But at the end of the day, they're getting very close. And I would expect, in the first two quarters of this year, technical vulnerabilities—because they're so easy with AI—to provide the opportunity for technical exploits to outpace the behavioral exploits.
[00:25:18] So from an organization standpoint, that means I not only have to keep my staff and my teams fully aware and updated and ongoing learning and awareness and vigilance, but we need to constantly be looking at our vulnerabilities, the configurations in our network. As we're adding and changing servers and things from our environment, like how is that configuration?
[00:25:43] Because so often, you know, they will reconfigure something, and it creates multiple vulnerabilities that nobody's even aware of, right? And AI is now able to find those so quick. Vulnerability management and worker training in regards to social engineering is part of the basics. Right. And fortunately, with AI, everything gets elevated. So the importance of both of those has become so important. Also gets elevated.
[00:26:11] So we have to continue to do what we've done in the past. We just have to do it better and faster because the adversaries are using AI, and they're getting better and faster. So it's a matter of keeping parity with the technology the attackers are leveraging. Stay with us. We'll be right back. Hey, everybody.
[00:26:37] This is David Mauro, the creator of Cybercrime Junkies, and we have an exciting announcement. For our podcast listeners and viewers. Our nonfiction true crime book, Moving Target. The Art of Online Camouflage was just published. Three years, over 400 interviews. One book that has turned into three. A new trilogy. It's about Stevie Parker, a successful leader, mother, and daughter.
[00:27:03] She does everything right until cybercriminals lead her right where they want her. Making the same mistakes most of us made this week. And by the end, she gets out of range. Book one is out now, available on Amazon. Book two comes out this summer. Getting out of range was only chapter one of her story. When you read it, you'll see why. We are all Stevie Parker. Start with book one. Give us your feedback.
[00:27:31] If you'd like it, leave us a review on Amazon. There's a link in the description. Thank you for being a cybercrime junkie. So, what else are you seeing out there? And let's talk about some current events, Matthew. The world is boring right now. What do you mean current events? There's nothing going on.
[00:28:01] As a kid, I remember I told Khamenei. Like, I remember all this. Now, I'm in my knees and I... And the guy's still like... You and me both, brother. Yes, yes. We're still young, right? We're in our season. Young and bulletproof. Yes, we still are. Yes, absolutely. Until they wheeled me out to the AARP session.
[00:28:27] So, fascinating events going on recently. I don't want to touch on the politics of it or any partisan aspect, clearly. But from a cybersecurity threat perspective, what have we seen? I imagine... And I read some reports, but I never... You know, when I read reports from just standard media, no matter what side of the aisle it is, they don't even say it right.
[00:28:58] Like, half the time, they're like... They're like... There was a lot of cyber attacks before the physical attack. They did this, this, and this, and none of that makes sense. Like, I'm like, I don't even know what that means. Like, so... I don't... Like, you have to kind of, like, read between the lines, and I think they're talking about this. But what are you hearing? What did you see? Well, if we look at it, we've got three big players as part of that Middle East conflict
[00:29:25] that have very mature, well-funded cyber capabilities, right? You've got the United States, you've got Iran, and you've got Israel. So by the time the kinetic munitions are flying, you've got these cyber capabilities that are probably already in play and are working in conjunction. So what we're seeing now coming into 2026 is the offensive cyber teams are working side
[00:29:55] by side with the military decision makers. So instead of the military people, the battleship people, right? Kinetic, we're the most important. They make all the decisions, and then they send a note to the cyber team. Oh, can you do something? Whatever, right? Can we get some air cover? Yeah, yeah, exactly. It's like World War II. You know, the battleship admirals were making all the decisions initially and sending some
[00:30:22] notes to these quirky little air carrier people who thought they were important. Right. So now it's actually come full circle where we have both of those groups in the same room figuring out what are we going to do? And planning out the sequence. Yeah, planning out the sequences, which really makes sense because a lot of it can be—I mean, we saw that—we've seen that in a lot of conflict. We saw that—the tragic October 7th thing.
[00:30:51] We saw a lot of the defenses in Israel had been hacked and had been turned off. And they usually—that dome is very strong. But you saw some of that. So there was a lot of cyber involvement and interference running there. And to me, as a student of history, it's no different than jamming the radios back in like Vietnam. Warfare, just at a different level. That's what we're doing. Like, that's what they're doing. Right? Like, it's not that complicated.
[00:31:20] You just have to—it's a lot more complicated technically. But it's not that complicated to understand the motives behind it or the military strategic advantage that's given. Right? Yeah. Yeah. And we've learned a ton of lessons coming out of the Russia-Ukraine war. Yeah, we saw a lot of it. Where the cyber attacks happens, the misinformation, the attacks against critical infrastructure. Yeah. And they continue to happen.
[00:31:45] And it's mushroomed out not only against the primary adversaries, one against each other, but also against their supporting countries, you know, around the world. And so when we look at the conflict with Iran, Iran as part of the IRGC, they had a very, very strong, very aggressive cyber program, offensive and defensive capabilities. But when the first missiles hit, a couple of things happened.
[00:32:13] First off, communications was severely degraded. And if you're in cyber and you don't have access to networks, you're kind of hobbled. Right. So the cyber attackers there, you know, were degraded in their potential capability. But most importantly, the second thing is the first attack was a decapitation attack. And that means it takes out the decision makers, the leaders, the ones who are going to say,
[00:32:39] yes, you're authorized to go attack and here's your targets kind of thing. Right. So with the leaders gone in the first 24 hours, the physical military units as well as the cyber units were kind of on their own. They know they needed to act autonomously. So they started doing attacks, both the physical units, right, but also cyber. So we did see some hacking of databases, denial of service.
[00:33:08] There was even some ransomware that suddenly appeared. But nothing major. But it was in line with what they were doing previously. About day two and a half, three, that leadership was reconstituted, right? New people were put in the comfy chairs and made decisions. And they were able to then communicate to the cyber teams.
[00:33:31] Now, it is my belief that they are going to tell them absolutely you need to attack as fast as possible, cause as much harm. And they're going to transition them from the ransomware, you know, misinformation. To focusing on critical infrastructure. They want damage. They want if they can affect the water supply and the water treatment. And here's the thing, part of the FBI's InfoGuard.
[00:33:59] One of the, when I first joined a long time ago, one of the shocking things I learned, and this is going to sound very basic to somebody at your level. But for my listeners, like I think we're kind of at that level, right? Is our critical infrastructure, when we think of the United States critical infrastructure, we think of these massive power grids. We think of like almost in our minds, soldiers standing by protecting our critical infrastructure. Oh, no.
[00:34:28] It's like the small water treatment plant in the small town in Indiana. Like that's critical infrastructure. Like they're, and I'm telling you, they don't have a lot of cybersecurity controls, right? Like some of the power stations, the water treatment stations, some of the transportation, the engineering. Like they're really lacking in sophistication when it comes to cyber defenses.
[00:34:58] So our vulnerabilities vary. We have a lot of vulnerability. And that's really funny. It's over 80 percent, much more than 80 percent of critical infrastructure is actually owned and managed by private companies of varying size. And again, private companies tend, okay, profitability, so forth. And if they've never been attacked, okay. So there have been lessons over the past decade, right?
[00:35:22] We've had InfraGard and we've had, you know, CISA coordinating things and ISACs to start raising awareness and understanding. And I believe we've gone from very, very fragile infrastructure because we haven't had an attack on our nation, physical nation, for a very, very, very long time, right? It predates these digital systems.
[00:35:44] But it's raised the awareness, which has driven a better understanding and better preparedness. But we've never really had true adversaries come at us. We've never had the top, you know, three or four adversaries try and do total harm to us because there was always this mutual assured, you know, kind of destruction agreement. You come after us, we're going to come after you. Right.
[00:36:12] Well, that goes out the window when you're dropping bombs on them, right? It's like, okay, the gloves are off. Let's go. Yeah, exactly. So I think we're going to be tested. And I think the investments over the past 10 years will help us. I think we are better positioned from an economic and a response capabilities to be better off than maybe some of the smaller nations out there. Because I remember retaliation isn't just attacking us. It's attacking 11 other countries in that region.
[00:36:42] And some of them don't have the economic stability or the intellectual capabilities to help with response, you know, incident response, forensics, recovery, so on and so forth. So – and we've seen that, right? Fascinating. You know, even Saudi Arabia when Saudi Aramco was attacked many, many, many years ago, right? This is one of the – per capita, one of the most profitable richest nations on the planet.
[00:37:08] And yet when their largest company was attacked from a cyber perspective, they were calling all over the world. And huge amounts of U.S. people actually went over there under contract to help them get back up and running. So just because you have money doesn't mean you have the intellectual capability. It doesn't mean you ran tabletop exercises, had things set up, right? It doesn't mean you were actually prepared. Stay with us. We'll be right back. Hey, everyone.
[00:37:37] David Dean Morrow, creator and host of Cyber Crime Junkies and author of the new nonfiction Moving Target book series. If you're a leader in an organization, curious how to roll out AI safely, or if you have questions on your incident response plan, how to run tabletop exercises, or looking for 24-7 eyes on glass to protect you and keep you growing without interruption, then I invite you to sit down with me and my team at NetGain Technologies.
[00:38:06] We've been around since 1984 before cybersecurity even existed. A simple conversation, absolutely no pressure and no salesy fluff, and you will walk away with a great roadmap no matter what. So if improving your IT, bolstering your security, or rolling out AI interests you, contact me directly today at dmorrow at netgainit.com.
[00:38:31] That's D-M-A-U-R-O at netgainit.com. Find out more at our website at netgainit.com. That's netgainit. Yeah, I just recorded a video, too. I'm going to publish it probably tomorrow that talks about some of those things that need to happen if you are in critical infrastructure or you think you're going to be targeted. Oh, that'll be great. Yeah. Yeah, that's good.
[00:39:01] What else? What's on the horizon for you, my friend? Any other things that we haven't touched on on AI that has been in the news? I've been following the meta trial. We don't have to go there just because as a parent of two daughters and two sons, it pissed me off.
[00:39:20] Like that jury trial when all their internal emails and the internal reports and, you know, they hired 18 different experts themselves that they paid for. And they all said it was causing harm. They're like, nah. And they kept the features the way they were. And I'm like, oh, my. This is like this is a jury trial, man. Like this is a it's a big tobacco moment. We'll see if it happens because you never know with jury trials.
[00:39:50] I mean, you know, they've been pretty elusive over the years. And we've seen a lot of horrible things and ethical things from social media companies. Unfortunately, I'm an optimist. They seem to always get a pass. They always seem to get a pass. But realistically, pragmatically, I don't think it's going to be any more than a slap on the hand. And even if it's a billion dollar fine penalty payout punitive, that's nothing. That's nothing. Profits. Right. Right.
[00:40:17] So, you know, unless you've got teeth in the regulation, which we don't care in the U.S., right? It's starting to get stronger and stronger in the EU and other places, surprisingly, China, right? Singapore. There's some other places in the world that actually have more teeth to go after social media companies. But in the U.S., it really doesn't. So I'm not too confident that's going to result in anything.
[00:40:44] You know, we've got the Anthropik decision and them getting booted out by, you know, DOD or is it Department of War? The DOA. Whatever they want to call themselves. Whatever they want to call themselves. You know, those with the weapons get to name themselves. Sure. Whatever. Yes, exactly. Exactly. I've got lots of wonderful colleagues in DOD and I work with them all the time. But, you know, Anthropik made a decision and I've got to respect that.
[00:41:08] I think every company should have the right to put those guardrails around their products and how they're going to be used. And I think their customers also have a right to decide to go somewhere else. So I think that's healthy and I think it's good. And I'm glad Anthropik stood up and made it a national topic, which... And, you know, it's one of the only AI companies out there that's led by a tech bro, right?
[00:41:37] Like it is led by a philosopher. And so they take, they think it through, generally speaking. And it was very interesting to see that dynamic. I mean, I think it seems to cut both ways too. Like I would think, to me, I just don't believe there was a fundamental trust between the two parties, right? Like that's probably why it broke down. Because I would think that they would explain, well, if we ever had to do it, it would be lawful.
[00:42:06] Like we're not saying we're going to use this in an unlawful way. We can only do things in a lawful way. And Anthropik's sense that I read is, no, they were saying they're going to do it for all these, you know, lawful and unlawful ways. And there's been situations. Of course. Snowden, right? That revealed certain operating practices that were not in alignment with the law. So there is precedent in understanding that. And again, I'm an optimist. I know we need AI in our weapons.
[00:42:36] We absolutely do. Absolutely. Go listen to Palmer Luckey. And I love what he's doing with his company, Andrill, because it's needed. But I think there's also needs to, it's not either we don't use it or we use it on everything. There has to be, again, we talked about guardrails, right? There needs to be some kind of guardrail that we all agree to that, okay, if it's a military
[00:43:02] contract and people know going into it, this is what it's going to be, great, right? Do we want to be able to use it for anything and everything against anyone, including our own citizens? Maybe we don't want to go to that state, right? Maybe we want to have some clarity there. And I think OpenAI, who jumped in very quickly to take over that contract, they're coming out and saying, yeah, we have guardrails too. So it's proactive and as much as we want the contract, yeah, yeah, because they're-
[00:43:31] Well, it was very profitable, relatively speaking. OpenAI is bleeding $200 billion every couple weeks. Yeah, they're going to take the bid. I'm sure they're going to take the bid, right? So, so interesting. What do you have on the horizon? What do you have coming up? You're going out? A lot of people what I'm talking to right now is really around AI, AI adoption, kind of how we started there at, again, small, medium, very, very large organizations, government agencies.
[00:43:59] And the discussions right now is we don't know what we don't know. We know there is risk, but we also know we have to rush forward. And the best path forward is really about establishing those guardrails early on. Because if you get people addicted, right, AI, the gateway drug, the next gateway drug, you know, once you try and approach them at that point, it's really, really tough to get them off of that and to rip things out.
[00:44:28] So you need to get ahead of it and just, you know, and say, yes, you can use it. Here are the guardrails or we're going to provide these services for you or whatever it is, but figure out what those guardrails are early versus trying to retroactively rip the toys out of the child's hand. Which is virtually impossible. Because once that horse is out of the gate or any analogy we want to use, it is really, really, you know, once the needle's in the arm of that gateway drug, you are not pulling
[00:44:57] it out, man. Keith Richards is still alive. So I don't know what more you want to see as an example, right? He's still kicking. Yep, yep. You know, one thing that's interesting. So I, you know, we use AI, our own personal version of it, and we never put in anything sensitive, but it's more just for the creativity, workflow, speeding things up. But at work, there's a lot of organizations using different platforms.
[00:45:27] One of them is Hats AI, and it's a SOC2 compliant, locked down AI. And it gives you access to all the LLMs. So what's nice is you can build your own agents and you can do it. And it's relative, so far, they say it's relatively safe, right? I've had nothing but good experience with it because it's kind of separate and apart. Are you seeing things like that getting rolled out?
[00:45:55] Like sandboxed models that are like aggregators of all of the LLMs or several of them? Yeah, and I think that's going to be a big growth area, right? For innovators to come up and say either, number one, we're going to include AI in the tools you already use and trust that we offer. Or, you know. It's probably the safest way of doing it, right? To build kind of like a walled garden and say, oh, hey, here's a walled garden safe to play and you can use all these different tools.
[00:46:23] And, you know, hey, we're SOC2 certified. And that's great, but I always, always give a voice of caution because let's pick on SOC2, for example. Right. SOC2 is self-attestation, right? There's not an auditor coming in and verifying everything. You're typically working with somebody to check the boxes off. And just because they do follow this doesn't mean your data is secure, right?
[00:46:51] Certification does not equal true security. There's more to it. The same thing for HIPAA, right? When you look at HIPAA and all the massive data breaches over the past two and a half decades, in almost every case, those organizations were HIPAA compliant. So they were certified. Right. They were secure, but they really weren't. But they really weren't. So you need to understand that.
[00:47:21] And you can say, yeah, they're SOC2 certified and they may remain to be SOC2 certified after their breach 10 times. They're still SOC2 certified, right? So just understand you can't just give away and give away your responsibility of security. You can't just abdicate that. You have to maintain that, own it, and understand and even put guardrails within their operating structure to make sure your data is safe.
[00:47:47] Safe prompting practices, access to intellectual property, sensitive data, limiting things like that. All of that. Yeah. Anonymizing. I mean, I was. Crisis playbooks. Right. Training. Yeah. To alert for weird things. Yeah. Crisis playbooks are key. Right. Need to be in place. I will tell you, I have talked to a lot of, I do a lot in healthcare. I've talked to, I'm not going to say who or where, right? Because it'll give it away.
[00:48:16] But there's a lot of healthcare groups out there. Smaller, you know, midsize, right? That have been rolling out AI platforms without like training their nurses and it's 3am and nurse X is exhausted and God bless her for what she does. That's not the point. Yeah. Oh yeah. But, but it's the powers that be are not building the guardrails and training her.
[00:48:44] And she's uploading Mary Johnson's records so that AI can summarize them and give the medical treatment plan, et cetera. And guess what? It does. It does a great job. Problem is Mary Johnson's records are out public. Right. And we're going to start to see a lot of HIPAA violations when that, when the enforcers start to look in that closet. Right.
[00:49:09] I mean, that to me is just, I mean, there's ways around anonymizing the data before you upload it. Right. There's nothing wrong with, you know, uploading the records, but having it all redacted where there's no way of telling that that could be Mary Johnson or even this hospital. Like if you do it that way, it's no harm, no foul. Right. It's vanilla data. Right. Possibly. You may be able to reverse that, that D. Right. You know. I agree.
[00:49:39] But given where we are now, the reasonableness in this, in this circumstance, it's about as best you can do. And again, I see two things in the healthcare because I work with them as well. Number one, they're using tools that AI is now embedded in it. So it's part of their normal records and everything else. Oh yeah. Like inside the EHR. And then they've got an AI overlay essentially that looked. Yeah. Inside the EHR, inside Epic and Cernod. That's pretty safe. Yeah. That seems safe so far.
[00:50:07] The other one that I saw was they had instituted a vendor and it's strictly a healthcare vendor. Right. And yes, you can upload records to it, but the entire environment is a walled garden and it's designed and the policies are set to where it's, you know, yeah, you can upload the whole record and it immediately goes in and deletes name, date of birth, all that stuff. Right. Just looks at the data, gives the recommendation, flags any potential conflicts with drugs or whatnot and gives a report out.
[00:50:36] That seems good. But it's specifically designed for just the healthcare industry. And that can be much more secure as well. But if you're just using a private version of Claude or complexity or chat GPT and you think that's secure, that is not. It doesn't matter if you have your own license and you have the business class service. Yeah. You can't be doing that. No.
[00:51:01] Nor would it even necessarily be HIPAA compliant because you still have to comply with the minimum necessity rule. The servers have to be here. There has to be a BAA. Like there's still, you know what I mean? Like all the other aspects just out of the box, it might not be HIPAA compliant. Yeah. Yeah. So it still takes security and privacy. And I'm interested in the walled garden. I'm interested in the walled garden that automatically redacts that.
[00:51:30] Maybe send me some information on that vendor because that is one that would be interesting to learn about because that could be helpful until they get breached. And then we'll talk about them on the show. It's a higher bar. Because breach is a higher bar. They're not able to access any sensitive data. You would have to compromise the system, change the integrity settings to where it doesn't do that and then steal the data. It's possible, but it's a lot harder. Absolutely. Absolutely. Yes.
[00:52:00] All right, my friend. Thank you so much. I really appreciate your time. Always a pleasure. We will talk soon. I have a prediction that things are going to get messier in the next quarter. So that is as vague as I can be to guarantee success in my prediction.
[00:52:23] So AI is going to get like, as I start seeing people jump in the agentic pool, I'm just like, oh, this is going to be great. It's like, hold my beer. And like, they're just doing it right. And I'm like, oh, man, this is going to be interesting. Yeah. So it's a fascinating time, man. I still remember like Betamax going after VHS. So this is all really fun to watch.
[00:52:52] So I really enjoy it. But, you know, I was a kid then. Yeah, yeah. You were an infant back then. My brothers, my older brothers. The blockbuster versus Netflix war. Yeah. Yes, exactly. That direct TV battle. Right. So. All right, man. Thank you so much. And we will talk again soon. See you. Cheers. Cheers. Cheers.

