Caffeinated Risk
The Summer Show - 2025, (pt 2)
Part 2 of this summer break episode takes a bit of a light-hearted look at the cyber security industry predictions that become the norm in late December and early January. Eight or nine months later, how accurate were they? Take a listen; there are a couple of surprises.
The conversation uncovers a few ongoing challenges with the cyber security industry, from the digital divide associated with aging to organizational shifts away from engineering principles.
A book by security pioneer Bruce Schneier is mentioned late in the show. Doug managed to mangle the title twice, but did read, and does recommend, the book.
Announcer: This is the Caffeinated Risk Summer Show with your hosts Tim McCreight and Doug Leece.
Doug Leece: AI is going to write my next perfect pretext. I'm not believing that, but a human breaking into the mailbox can figure out a compelling pretext and steal money from the company. Yep. So I'm not as worried about AI as an attack surface versus AI. Right? I need a test harness to go hit 50 clients. Yeah. And one of them's gonna bite, and you just watch who enables. You know, I'm sure they've got the equivalent of call centers that are just waiting for the next person to lose a token, and they get in their mail, and the minute they're on, it's like, great, gimme the briefing of what this company is, and off they go.
Tim McCreight: Yeah, I'm not as involved in the coding aspect of it. For me, it's different. You know, you talked about image creation, or can I find support materials to help out with presentations? For me, I look at it, can I do some additional research on, you know, some of the work I'm doing? It is fast. It is far easier than me hunting around, you know, a Google search looking for images.
But when you create that extra finger, or you can't spell the company name. Like, I don't know how many times I've had to explain to it: no, TaleCraft is T-A-L-E, not T-A-I-L, and Security is S-E-C-U-R-I-T-Y, not two T's, not three Y's like it is. And I actually have done this: I've attached the image that's been provided to me by the engine and said, please review this image and provide the appropriate spelling.
And it came back with even worse spelling. I'm like, oh, mother of God, this suggests that now I'm dealing with a 5-year-old. So, you know what? I got this. I'll go play in Canva and I'll build my own damn image. And I get that there are parameters. I get that there are limitations, but I think you nailed it.
There's an element of speed and efficiency of time. Not necessarily of all resources, but of time. Larger volumes of work effort can be done in a faster period of time, but the human, I think, has to be in at the end of that equation, to make sure that the data, the information, the diagram, the code is still fit for purpose.
It's still gonna work. And you know, to your point earlier, Doug, I'm not going down some rabbit hole where I'm like, Jesus, what the hell are you doing with this? Like, this isn't what I asked you to do. So we will always, I think, have to provide that check and balance to it, because if we don't, what I'm afraid we're gonna run the risk of is, and now I'm generating, you know, tweets for the president of the United States.
I'm just saying. Right. That's the fear. Right. So.
Doug Leece: All right. Well, let's finish off with something fun, or more fun. More fun. Yeah. More fun than the, yeah, AI sucks. No, it doesn't suck. It's got its place. It has its place. Yep. I think Blind Faith is a good band, but probably not a great approach to running your business.
Yeah. Agreed. You and I are both ISC2 OGs. Mm-hmm. You're actually ahead of me. Yeah.
Tim McCreight: Yeah. That's, that's frightening.
Doug Leece: You have a four digit number, right?
Tim McCreight: No, I have a five, but it's in the early twos, like it is. Yeah. And we were still doing it on paper and there were 84 of us. Yeah. Oh yeah. Yeah. I remember writing it in Montreal.
That's a long time ago. So.
Doug Leece: I had to fly to Vancouver to do mine. Yeah. And you had to wait, what, two months to even find out if you passed, and
Tim McCreight: and you got it in the mail. Like, yeah, actually sent through the mail. I'm like, seriously? Alright, so yeah.
Doug Leece: Yeah. So yeah, that's how far we go back. Boys and girls.
Yeah. ISC2. I still have a lot of faith in that organization. They're probably one of the first. And, uh, because it's now the summer show, we like to do everything backwards and weird, so we're gonna do our predictions for 2025. Just like training an AI model, let's go find some other predictions and see how they did.
Yeah, and we'll use that to infer ours for the next three months or four months that are left. Yeah, so we went to the ISC2 top five predictions for 2025, and again, zero disrespect for the organization or the people doing the work. It is really hard to predict the future. If we could, we would be on a beach somewhere.
Yes. We wouldn't be doing a podcast. Yeah. Well, we might, but probably not. Probably just be on the, so number one was AI starts giving security teams the upper hand, and I think you and I both agreed that it can speed up the work, but it doesn't replace, yeah, a security analyst in the.
Tim McCreight: Exactly. I mean, what it may do is, if you give it the right profile, it may be able to find false positives far faster.
Absolutely. Or it may be able to digest more data far more quickly. Absolutely. Mm-hmm. I think. And don't get me wrong, it's going to continue to get better over time, because like any LLM, your security tools, when they start patching into the AI engines, they're gonna start learning and understanding more. Where it's gonna start running
the risk is, if it starts comparing what it saw in advance of an event and then uses it again six months later, if you've put controls in place, then now you're potentially gonna get alerted on something that you've already got a control in place to block. That would be interesting to see, if that timeline works in the next year or so.
Doug Leece: You mean, like, if you had a detection engineering practice, you could understand when you put in controls? There you go. Just like saying, hey, can you do it and spell it this way? Yeah. Hey, can you now consider the threat with this new control?
Tim McCreight: Yeah.
Doug Leece: But then of course you'd have to have your controls inventory.
Tim McCreight: Well, that's okay. So that's the only, that's the downside of all this: I still gotta be able to manage my controls. Right. So, yeah.
Doug Leece: So we're going down the sadness path again, so we're gonna,
Tim McCreight: yeah. Alright. So.
Doug Leece: All right. Security vendors and threat actors will experiment with AI agents. Well, yeah.
I think that's legit. I think everybody's experimenting with them, but, you know, draw a circle around "experiment." I don't think anybody's gonna say, yeah, I trust this.
Tim McCreight: Yeah, agreed. No, I agree with you. Absolutely.
Yeah. I would be afraid if that happened, right? To be honest with you, I would be really afraid.
Doug Leece: As much as I'd like to give vendors a hard time,
there's a joke I often use: hardware eventually fails and software eventually works. And people laugh at that the first time they hear it, and then they reflect and they get sad and they go, he's right. And security tools are just software at the end of the day.
Tim McCreight: Yeah.
Doug Leece: So of course they're gonna get it wrong a lot.
And so doing that at scale, and I think that's the other thing that people don't get. Well, this is 99% effective. So you realize, on 10 million a day, yeah, that means this many still get through. Yeah. Oh yeah. Well, how many do you have? A billion.
Tim McCreight: Billion? Yeah. Yeah.
Doug Leece: Oh, crap.
Tim McCreight: Yep.
Doug Leece: So I'm still looking at a thousand of these things.
Uh-huh. Yeah. Yep. We're 99% good. Well, great. I need to get to the 99.9 guy now. Yeah. It's like, oh, it doesn't exist yet. Why is that? And so we can go down machine learning theory all day long, but it's like, yeah, doing it with that level of precision at the scale that we have to deal with, just 'cause of the volume,
Tim McCreight: Mm-hmm.
Doug Leece: it's next to impossible. So I'm actually happy when this stuff works roughly like advertised. Yeah. Maybe I'm just getting mellower as I age. I give them less of a hard time. It's like, yeah, I hear you, this is hard. So they're gonna try and use these tools? I think so. I don't think it's just the experimenting.
From the experimenting I'm seeing, I don't think it's ready to fully replace anybody doing anything. No, no. You know what? It sure does help. We are using stuff like that now everywhere. All of us have our own little recipes, so it's creeping in.
Tim McCreight: It is this.
Doug Leece: All right. Number three, fewer organizations will make ransomware payments. I'm not sure about this.
Tim McCreight: I struggled with this as well.
Doug Leece: Okay?
Tim McCreight: And don't get me wrong, the data points that were provided by it, you can see the decline in payments from '22 onwards. And I have heard, like, I have heard of insurance providers who are no longer offering to pay, or at least pay a portion of, the cyber security
payback, or whatever the payout would be if you did pay for the ransomware, right? So they're making it more difficult to cash in on the policies. But let's be honest, it has been that way for a decade now. Cyber insurance premiums have gone up. The requisite number of forms you need to complete to actually qualify for cyber security or cyber insurance is
horrific. I've been through enough of them. The demonstration of the controls, it's the equivalent of a SOC 2 audit now for almost every insurance company. Mm-hmm. So, yeah, absolutely. An insurance organization is not there to pay out. Mm-hmm. Let's be honest, it's there to generate revenue and shareholder value.
So if it can find opportunities to reduce payments to clients, if you were unfortunate enough to be breached and you paid a ransom, they're gonna leverage that to see if they can stop payments. So I get it, but what do you think? Do you think that organizations are still gonna pay if they don't have the controls in place, if they don't have the recovery, if they're not resilient in their approach?
What do you think? Do you think they're still gonna pay?
Doug Leece: I think it's gonna depend. Okay. On what it is, how much money they have. A lot of things. It's like it now just becomes another loss event. And the organizations that have made investments in resilience, mm-hmm, have.
You know, there are a few organizations I know out there, like yourselves and Brekade and many others, that are working with companies to help them understand themselves. Just like, let's pretend this happened. It hasn't yet, but we should sure start thinking about it in real terms. Mm-hmm. And what exactly would we do?
You know, you've been in those rooms sometimes when the realization hits: darn, this wouldn't have worked.
Tim McCreight: Yeah. Yeah.
Doug Leece: Hey, can you give us six months and come back? Yeah. Because we've got some work to do. I think the companies that have taken these tabletops and, uh, resilience analysis to heart and really done something, I think they still might get hit, but there's like, yeah,
we kind of got prepared for that. Yeah. And you know what? This isn't pleasant. We don't want to do this, but we've done this. And I'll shout out to my former brothers and sisters over at Suncor. Mm-hmm. You know, they got hit with one of the largest cyber attacks to hit a major Canadian business ever.
Mm-hmm. Like, one for the record books. And they not only recovered, they had a record year.
Tim McCreight: Yeah. They bounced back better. Right. They bounced back better.
Doug Leece: Yeah. Yeah. So I think that, yes, fewer organizations are gonna make ransomware payments. I think this is where we gotta be as professionals. Great. So the criminals already know this too, and they're already working on their next way to steal and hurt you.
Tim McCreight: Yeah. And, and that's, that becomes the trick, right?
Doug Leece: Don't get soft. Right? Like,
Tim McCreight: yeah. And, and, and don't think that, that, you know, the threat or a threat has been reduced.
Doug Leece: Oh, we're good.
Tim McCreight: We're good. Ransomware's going down. We're good. Remember, you and I fought toll... we fought cell fraud and then toll fraud and then other types of fraud.
Yeah, in the nineties and the two thousands. So when that peaked, and we watched it 'cause we fought it, so when that peaked and we went through all that, what came up next? Well, the first sets of malware, and then DDoS, and now it's ransomware. There will always be a new thing, because, you know, to your point, the cyber criminals on the other side have a business to operate as well.
Their goal is to find another opportunity to generate a reliable stream of revenue.
Doug Leece: So I'm gonna make a prediction here.
Tim McCreight: Alright. It's August, but all right. I'm in. Yep.
Doug Leece: Crime will continue and criminals will evolve their techniques.
Tim McCreight: Yes, sir. I like that. Okay. That I can stand behind. I'm good with that.
Doug Leece: That should hold.
Tim McCreight: Yeah, I'm good.
Doug Leece: But I'm not putting a timeline on it.
Tim McCreight: Yeah.
Doug Leece: Alright. Passwordless authentication will become the norm.
Tim McCreight: I just, I honestly don't know. Is it there now? Are we even close to there now?
Doug Leece: Okay, so another true story.
Tim McCreight: Okay.
Doug Leece: Went to Ottawa, my one week of summer vacation. Went with the fair one. We went out to Ottawa.
A friend of hers was getting married. And you know, as you do as a couple, you're walking around, like, browsing around in bookstores and stuff. And we're at this kind of upper-end stationery store, and they've got these cards and books and stuff like that. And I actually took a picture and sent it back to my team, like, this is why we can't have nice things.
And it was not one but two books: a little pocket one that would fit in your purse, and then a slightly larger one that would sit on your desk. And it was a notebook for storing passwords and account numbers.
Tim McCreight: Oh, for God's sake. Hmm.
Doug Leece: Oh, it was lovely bound. It was beautiful. And you think about it, who's gonna buy this?
You know, people that are less apt to do things digitally. They tend to be older. Guess what? Older people tend to have more money than younger people. They tend to live in nicer houses, where people break in and steal stuff,
Tim McCreight: Yeah.
Doug Leece: 'cause they're now vacationing somewhere. Mm-hmm. If I'm breaking into a house as a criminal or whatever, and I'm looking around for things to steal, you know, I go through the jewelry box.
I shouldn't know all this, but never mind. That's another story.
Tim McCreight: I'm a little worried. Yeah, I'm a little worried. Yeah.
Doug Leece: And I look around and I see on a nice oak desk, a book that says passwords and other accounts.
Tim McCreight: Yeah.
Doug Leece: Good god.
Tim McCreight: Yeah.
Doug Leece: I'm grabbing that, right, because the younger criminal is definitely gonna know
there's probably something here. And they get back from their vacation and their bank account's drained. Yep. Because they left it in clear text. So I think that, yes, some of these password authentication things are there, but when you see stuff like a book like that, I know why they did that, because there are a lot of people that are incredibly frustrated with trying to navigate digitally through all this authentication mess.
Tim McCreight: Yep. Yep.
Doug Leece: So putting it in a book totally feels right and normal to them. Mm-hmm. I'm just gonna keep this book safe. Yeah. Until you lose it. Yeah. And then you're screwed. Yeah. But seriously, you put a label on top of it that said, please steal me.
So yeah.
Tim McCreight: Wow. If I bought both password books, do I have to now sync them both when I'm working?
Like, I just wanna ask, right? Is the desktop one the primary, and I just bring the second one? I just,
Doug Leece: this is my mobile one.
Tim McCreight: Yeah. This is the mobile password management tool. And I sync it every day when I go home. Oh, I just .... No, but you know what, you bring up some really good points.
'Cause it is. Yeah, and I've watched my family members, like, you know, my in-laws, my mom, my brother, and others. As you know, everyone's getting older, and you're right, the frustration's there. They know that there's a world on the internet that they want to be part of, or they wanna be part of social media, but then they have to have a password, and it's literally the same password as everything else.
Well, I can't tell you my password, so that's a yes. All right, fair enough. And I appreciate that there are a lot of workforces that are going towards this path. There is technology out there, but when will we get to a standardized approach to passwordless authentication? Because that's gonna be the difference.
You can create fancy UXs all you want, but if I can't have that consistent look and feel, and if I can't have that consistent approach, if it's a separate experience for me to go from one platform to the next one, to the next one. If I can get to that space, then I think this will have a greater chance of being successful.
But right now, everyone, and you know this, everyone who's in this business wants to make their money too. If theirs is just a little different than the platform before, they may come to our platform instead.
Doug Leece: Yeah,
Tim McCreight: Terrific, but what that does is now I'm creating the same virtual frustration as I have already in place, because the experience is different.
The technology may be fantastic. It removes the ability, or the requirement, for you to memorize a password. But if that experience is different from platform to platform, the human being's not gonna register it, or they're not gonna accept it, or they're not gonna follow through with it.
Doug Leece: Yeah, and I've been evangelizing this for a long time.
Identity is the new perimeter, and it always has been, right? Give me the code or I'm gonna shoot you goes back to Roman times, right?
Tim McCreight: Yeah, yeah.
Doug Leece: I don't know how you make an identity that works in the digital environment that your grandmother can operate. Yeah. And it's dangerous when your grandmother's sitting on 500 grand at her bank account.
Tim McCreight: Yeah. Or, you know, they've just moved their investments over to another bank or whatever. Yeah. It is, it's frustrating and it scares me, uh, with my family. It scares me because, mm-hmm, they are trying to be part of a digital society as well, and it's,
Doug Leece: Well, we took the analog one away from them.
Tim McCreight: We did.
Doug Leece: They have no choice.
Tim McCreight: Yeah, yeah. And you know, when my mom is talking about things like, you know, at 85 years old, I'm looking at getting, you know, like, what, one of your smartphone things? And I'm like, oh, for God's sake, no, just stick with the flip phone. It's because I wanna go back to a flip phone, because I know some of the perils of having a, you know, a computer in your hand.
Doug Leece: Yeah. Yeah. All right. Speaking of computers,
Tim McCreight: Uhhuh,
Doug Leece: This is the fifth and final prediction, and again, we're not cheering or debating or negating anything. Like, this is a legit prediction: the first undisputed casualty caused by a cyber attack in the next three years. And this is 2025 they're predicting it, so between now and 2028.
And if you want a primer on this, for anybody that wants it, we'll throw it in the show notes. It's a book by Bruce Schneier called Click Here to Kill Anyone. Yep. Or Click Here to Kill Everyone, I think it is. Yep. And I don't think it's as farfetched as people make it out to be. I think attributing this to somebody evil who went behind the keyboard and did something, that's gonna be a little harder to prove, but I'm not so sure it hasn't happened already and we just haven't recognized it.
Tim McCreight: Yeah, or it hasn't been documented, right? I think that becomes a concern. We've got so many aspects of our life that are managed from a cyber perspective, whether it's your health records or prescriptions. I recently, you know, uh, had an operation, and all of my records were, you know, brought in front of me on a tablet before I went in for the operation.
And that's like, okay, terrific. Then, you know, before the medication set in to go to sleep, I'm like, wait a second. Is that pad secure? Like, just a second, right?
Doug Leece: Yeah, yeah. Where has that iPad been before it got my medical records?
Tim McCreight: Yeah, and then I'm asleep, right? And I woke up, fair enough, right? I get some of the catastrophic results as well. Like, don't get me wrong, when, uh, the centrifuges in Iran were targeted, yes, that was a purely, you know, nation-state-based attack. I see it. If I was gonna take out an electrical grid, yes, absolutely, we can see that as well. Oil pipelines are the same.
We all feared these things when we were in critical infrastructure. But the question becomes, how would I understand that those deaths would be directly attributed to, you know, like you mentioned, Doug, somebody pressing a key on a keyboard and knowing that that was the end result of the action?
That's, I think that's gonna be the hardest thing for us,
Doug Leece: Yeah.
Tim McCreight: is to accept that someone used a cyber, you know, weapon to cause a human death. That's gonna be hard when that's published, proven and attributed. The examples that were given, you know, for what we saw, the three or so that were given, they were, um, potentially disputed or potentially discussed, but a causal link was there. The issue then becomes, what if I can actually show that, no, as soon as Tim pressed that enter on the keyboard, he knew exactly what was gonna happen to Doug on the other end of it? Right?
Doug Leece: Yeah. And I think as we're designing systems going forward, we need to be asking ourselves, what about when this fails?
What are the possible failure modes? And that's standard engineering practice that goes back forever. And most of that was learned by mistakes. And secretly, I'm jealous that I don't have a little iron ring around my pinky finger too. But then I think about it, you go, you know, the reason that they put the ring there is because it makes noise when you put your hand down, and it's to remind you
Tim McCreight: Hmm.
Doug Leece: that you have an obligation to do things because it could impact life, it could impact a business operation and everything else. As security professionals, we're part of that equation, and if we're looking at a design, we need to be asking, how can this fail? Not because we're the department of no, but because everybody else has been pressured just to ship it.
Yeah, I don't know whether we're giving the engineers the time that they need to do that work, because it's expensive and there's a chance of, yeah, this is actually a really bad idea. Well, we've already told the investors we're gonna release this next month, so, yeah. Yeah. What can you do to make it safe?
You know, and you've got a bandaid, and then some kid figures out a way to send five characters down the wire and it bypasses the bandaid, and suddenly you've got a security vuln, and it's like, no, you had a design flaw.
Tim McCreight: Yeah. Yeah.
Doug Leece: And, and you stuck a bandaid on it and then somebody figured out how to take the bandaid off.
Tim McCreight: Isn't that frightening?
Doug Leece: And you're acting like it's a thing. It's like, no, you screwed up way back there. Yeah. But how do you fund research and development when everybody's saying, I need a quarterly return?
Tim McCreight: It's interesting, and you and I both know this: probably the most difficult but rewarding relationship that cybersecurity professionals can make is with the engineering teams in any company they work with.
Doug Leece: Yes.
Tim McCreight: And you and I have had those, you know, discussions and have created those relationships, and it took time to demonstrate that there was this level of acceptance for the work that we do and a detailed understanding of how we're gonna help out that engineering group. And I think that's where, if we can establish stronger bonds and grow greater relationships, we get a chance to be an advocate for the work that they're doing.
If the engineers are saying there's an issue and we agree with them, here's the path that we'd like to take to reduce the risk facing the company, so that when you do release the product, even if it is a quarter late, we can at least reduce the risk of you being, you know, literally bankrupted by lawsuits in the next six months or so.
Wouldn't that be, uh, isn't that an acceptable outcome of waiting to launch a product that isn't quite yet production ready?
Doug Leece: It's gonna be an interesting year, but I think my prediction will hold.
Tim McCreight: I, I think you're right. Yes, sir. I agree.
Doug Leece: I don't have a lot on the other ones, so I think with that, we'll wrap it up and see how the year ends.
Tim McCreight: Absolutely.
Thanks for listening to the latest podcast from Caffeinated Risk. Make sure you visit our website, caffeinatedrisk.com, to stay up to date on what we've been working on. Our website has bios of our podcast guests, posts about topics we're passionate about, and even a library of reference material we find valuable in the work we do every day.
And don't forget to subscribe to Caffeinated Risk on your favorite podcast service. This way you'll be notified when we release our next podcast and you can listen to our previous guests just in case you missed them. Thanks so much for listening to Caffeinated Risk.