Cyber Security Today: Year End Panel Discussion. Saturday, December 21, 2024

Dec 21, 2024, 52 min

Episode description

Cybersecurity Year in Review: Future Challenges and Industry Insights

Join host Jim Love and a panel of cybersecurity experts—Terry Cutler from Cyology Labs, David Shipley from Beauceron Security, and Laura Payne of White Tuque—as they review the key cybersecurity events of the past year. Topics discussed include the increasing cyber threats to universities, healthcare systems, and critical infrastructure; the importance of proper cybersecurity measures and employee training; the complexities of adopting quantum-safe encryption protocols; and the impact of AI and shadow IT on cybersecurity. The panel concludes with actionable advice for improving organizational cybersecurity posture in the coming year.

00:00 🎄 The 12 Days of Cyber Christmas 🎄
00:29 🔍 Year in Review: Cybersecurity Highlights
00:40 👥 Meet the Expert Panel
01:19 🏫 University Cyber Attacks: A Growing Concern
02:25 🔒 Penetration Testing vs. Vulnerability Scanning
03:09 🛡️ Persistent Threats and Active Directory Issues
06:28 💡 Strategies for Cybersecurity in Universities
07:34 💰 Funding and Legislation for Cybersecurity
13:52 🛠️ Practical Steps for Cybersecurity on a Budget
18:36 🔐 Quantum Readiness and Future Challenges
25:11 Quantum Computing: The Reality and Risks
25:53 Human Ingenuity and Risk Management
26:29 The Future of Cybersecurity: Q Day and Certificate Rotations
28:02 Major Cybersecurity Incidents of the Year
29:41 The Rise of Ransomware and Supply Chain Attacks
35:35 AI in Cybersecurity: Opportunities and Challenges
38:49 Critical Infrastructure Vulnerabilities
47:09 Year-End Reflections and Looking Forward

Transcript

On the 12th day of Christmas, my CISO gave to me: 12 employees training, 11 encrypted emails, 10 scans of scheduling, nine threats of hunting, eight logs of leaping, seven patches pending, six tokens rotating, five backup drives, four phishing filters, three VPN tunnels, two firewalls strong, and a multi-factor authentication key. The 12 days of cyber Christmas. Welcome to Cyber Security Today, the month in review. I'm your host, Jim Love. This is our end of year program.

So this is more like a year in review than a month in review. And we've got a great panel. Our guests today are Terry Cutler, head of Cyology Labs in Montreal. Hi, Terry. How are you? I'm fabulous. I'm fabulous. David Shipley, head of Beauceron Security from Fredericton. Thanks for having me. And welcome back, Laura Payne of White Tuque, my friend. How you been?

I am here and willing to show my face to the world again after about three days of being down and out with whatever's going around right now, but I'm happy to be back. Thank you. You've made it back to the other side. Yeah, your voice sounds great. Okay, so let's get started. I've asked each one of you to bring two stories that really hit you from this year. So who wants to jump in first? Sure, I'll go for it first. The first thing I want to talk about is around universities.

Two years ago, University of Windsor was hacked. And they disrupted their IT systems, including their email and other online learning platforms. So what happened was the cyber attack led to a wide range of IT outages. They didn't have enough security measures in place to know there was a hacker in there. And of course, they didn't have their preparedness in place to get the hacker out once he's been detected.

So what we're seeing now is a lot of universities are still being hacked into and they're not finding out how the hacker got in there, why he got in there, what did he take? There's still a lot of lingering questions that are happening. So they need to start looking at more holistic solutions that don't rely on logs. Because a lot of times, a lot of organizations are just collecting logs. So they're just collecting event data.

And then they realize, oh man, it looks like we had a cyber attack seven months ago. You didn't detect it all this time, so we need to start minimizing the monitoring of the stuff. Make sure the IT guys are receiving the proper alerts. Do your penetration test, because the penetration test will set off alarms on purpose to make sure the IT guys are getting the proper alerts. But a lot of times people will say, oh, I'm running vulnerability scanning. What's the difference?

Like a vulnerability scanner, for example, if we take layman's terms of a house, layman's terms will say, hey, Jim, your door is unlocked, you better make sure you check that out. But a pen test is going to kick that door in and show you what was in there, take it and show you how it was done, and then show you how it can be avoided in the future. And in a lot of cases they realize, oh my God, our backups didn't work for the last two months.

Has anybody else noticed that Cutler has gotten a little more violent? This pen test is going to kick your door down, buddy. I do have a question for you, Terry. And this seems to be a problem, is we have this. We will have an attack, people will notice there's an attack, they'll pull themselves offline, they'll restore. How the hell do you get hackers out of your system? Okay, so here's a real example.

We had a case with a ransomware attack where the attackers noticed there was an attack going on, they started wiping all the machines and reinstalling them into the same Active Directory environment. They didn't give it a new network name, they didn't start from scratch, basically. So they restored into the old environment, but the golden keys to Active Directory had already leaked.

So now they can still gain access through back doors, through back channels, to get right back in and take full control yet again. And this goes back to your other thing about configurations, and this is, I don't think people appreciate this: open Active Directory, get somebody who knows what they're doing to configure it. Do not open it. This is professional work, don't try this at home.

I've chased the one, that's the reason I ask you this, we chased a hacker around because I inherited a setup where somebody had learned to do Active Directory by reading a manual, save us some money, put it all together, and it was on. In that same scenario, we had to rebuild the environment for them in parallel. And then when we went to connect the data over, right, using their laptops, all of a sudden our new environment got reinfected again. Like, how is this possible?

We're using, like, the latest and greatest EDR technology; this should never have happened. Fine. Start over. Goes and plugs up the data, plugs up his laptop, brings the data over, gets ransomed again in a new environment. How the hell is this possible? It's because the IT guy's laptop we were using didn't have the EDR agent on it. So what happens there is that because he's connected to the new environment,

the EDR won't pick up the ransomware attack on his laptop, which was connected to the old environment. And then, just because you have EDR on all the systems except for one, you can still get ransomed because that guy doesn't have the protection. Your point about persistence inside of networks and how, I think, it's getting harder to kick out really good teams once they're in: the British Columbia government is in a multi-year rebuild-from-the-ground-up journey to try and kick the Chinese out.

The U.S. telcos, they got their clocks cleaned, which may go back quite some time, to Terry's point about people going undetected; they are still actively trying to kick the Chinese out. A reminder that my favourite letter in APT is P, for persistence. Penetration test thing. Yeah. It's, what is the Sesame Street? We're brought to you by the letter P. Yeah, exactly. Brought to you by the letter P, for persistence. Speaking of the letter P, Laura was going to say something.

Jump in, Laura. Oh, I could say lots of things. Wow, we take a world tour with that one. I always bring the pain. I think it's a fair point. It's really hard. I do feel sympathy for university environments. They are some of the earliest networks that were set up. They have some of the longest-standing legacy systems hiding out in there. They have some really interesting research going on in there. So they're always a juicy target, and they have

tens of thousands of not necessarily very ethically trained young individuals hanging out in there that they have to give access to, who come from all over the world. And it's just, it's not an easy task. Businesses who think they have a hard job, go talk to campus IT sometime. So yeah, that's where I cut my teeth, right? That was my journey. And at UNB I was running the cyber security team for a university. And it's a laugh and a half.

The University of New Brunswick, for example, because it was one of the first on the Internet, Terry, this will give you a shiver down your spine: every single device had a full Class B IP address on its own. Merry Christmas. We didn't need to do that. We had IPs for everybody. So that was the scope of the challenge. But it's interesting, municipalities, universities, schools and hospitals, which I heard someone refer to as the MUSH sector in Canada, which I thought was relatively clever.

They're the ones that are getting hit the hardest. And they're the ones in 2025, they're going to continue to be hit the hardest. What's your thoughts on Bill 194 that's coming out, or is that the Ontario one? Yep. Yeah. Great for Ontario, a whole bunch more for the rest of the country. It's basically a kick in the pants to municipalities: hey, it's time to get, you need to, it's mandated now. You've got to get your cybersecurity, at least the basics, in place to protect yourselves.

The only thing I will say to the defense of the municipalities, the universities, the schools, and the hospitals, particularly the hospitals, is they need money to do this. The point that Laura was making is the foundational part. That is still the burning dumpster fire, and then there's the tooling, and then there's the scale and the collaboration challenge, right? We have some really good things in Ontario, like ORION, which is the network group

that connects all the schools and universities together. They started doing things like shared CISOs and collaborative defense and benchmarking. CANARIE's been doing the same thing nationally. So there's elements of hope, but what they need is money. And what I don't think is going to happen in Canada in 2025, because we've got to keep the powder dry between tax breaks that really don't work and possibly battling tariffs: I don't think any more money is coming to help these areas, and that's.

But this is a thing that, whether you're a state in the United States or a province of Ontario, all these states want it, they'll stand up and say, this is our territory. Municipalities mean nothing. We are the authority. Guess what, guys, when you're the authority on healthcare, when you're the authority on education, when you're the authority on municipalities, you're responsible for how they roll this stuff out. This is why I hate this.

We'll pass legislation to make the municipalities do this. Really? So yesterday you were responsible for them. Now you're passing laws so that these independent places can take responsibility. You can't suck and blow at the same time. And I think that this happens in the states and it happens in the provinces, and it's disastrous. It's going to cost money. Yeah, I was going to say, your MUSH factor there.

All four of those exactly fit into that problem of the responsibility and accountability being passed down, but the funding is not. So what do you do if you're in the position of being one of these companies or these organ... it's not a company. It's an organization, university, hospital, civic thing. What are you, what should you be doing this year, or thinking about this? So we're deep into universities, hospitals, and municipalities.

Those are our clients, and they all have a common theme where they're still lugging legacy technology. Again, we're still seeing Windows XP. We're seeing, because sometimes Windows XP, it's embedded into a device that cannot be upgraded. You need to actually physically change the box, change the unit, in order to upgrade it. And that could be hundreds of thousands of dollars. So you need to start segmenting off these old devices onto a network.

So this way, if ever a breach does occur, they won't traverse to another network. They won't compromise the whole place. And that's what you're seeing. Some municipalities that got hacked in 2019 didn't even know it until four years later, five years later. So when they do the forensic recovery, they're like, oh my God, hey, they were in here in mid-2019. You just found out about this now. So the average time that a hacker's staying undetected is 286 days, is the average still.

So they stayed way longer in this than why never. These guys are above average. Yeah, exactly. Yeah, so it's unfortunate, like Laura mentioned, to get budget to lock all these environments down and get proper expertise. So we've got to find ways to get around that. And Laura, this is your bailiwick. Do you have a lot of organizations that must be suffering from this?

What do you, what are you telling them, in all honesty, with what you can? With all honesty sounds like, what, do you tell us the lies? No, when you, because these are real challenges and they don't have to do everything. What do you, what can you tell them? I think it's always interesting there. Money is definitely part of it. It's also then freeing up people's time and focus to get the job done, and starting where you can.

I think in a lot of cases too there is a lot you can do with what you already have, but working with what you have also means, yes, like you need the time to actually build a plan and think about it and be able to get around to doing it. If you can't get money, then you've got to move on to the next best thing and work with what you have. A lot of the things are configuration changes, right? Like even so, setting up segregated networks.

Most of the devices that are going to be sufficient grade to be operating in the environments that we're talking about have the wherewithal to be configured to segregate networks. It's just really hard to do a lot of it in a timely fashion. So I think that's a lot of what we focus on is, okay, let's take what are our top priority items, because they're the most important to do. How do we get attention and priority on that, so you can actually focus and get meaningful

work done and fix that area to where it's good enough so that the next thing on the priority list can now get tackled. David, any suggestions from you, from your former life? What would you have done differently? Everything, right. Yeah, so much. The basic network hygiene, most of these organizations don't have response teams. They don't have 24 by 7. They don't have the mandate to, and it gets really complicated in universities that have what's known as decentralized or hybrid IT.

So all of a sudden different faculties are all running their own little servers, their own little IT setups, their own help desks. And ultimately, universities, one of the biggest issues is leadership interest in buy-in, in investing in change, in the change management process, in doing things differently. Good luck getting that attention next year as budgets are slashed, as faculty are cut because of the international student enrollment changes here in Canada.

It's really hard, and to the teams that are in the trenches in '25, I wish you the best of luck. Perfect example you bring on that. So in healthcare, especially here in Quebec, there's a huge change that's just happened with Santé Québec, where they took over, they slashed all the external consultants, they cut everyone's overtime, which means if a server goes down, the IT guy is not allowed to touch it until the following day. So overtime has to be justified.

So there's an onslaught happening in their prime time. I'm glad they're trimming the fat from their system, 'cause God knows what the healthcare system needs is less nurses, right? Yeah. They have to trim over a billion dollars for next year. But the one thing, just because we're end of year and we have to have some hope in this, Laura and Terry, you've talked about it. There are things you can do, some segregation.

You can do creating these lists, and I'll tell you, I'll just share two things with our audience. You may not have the budget, but talk to one of these professionals, talk to people, that's free advice. Sorry for you guys. Sell your services. But the fact is, under the marketing, they will come in and talk to you. But a whole pile of things: get a list and at least start, because, and this is the killer in cybersecurity for me, is because you can't do everything, you don't do anything. That's deadly.

You're better off doing one thing off that list that you talked about, Laura, and maybe knocking another thing off. Everything you do is for the good. That's just my sunshine advice. There's one area of hope. One thing that, when I was most budget constrained, I found that our risk management office in the university had pockets of dedicated funding for specific risks. And I was able to get, I think it was like $50,000 in funding for a project outside of the normal IT budget,

by showing the risk office this is going to be bad. So sometimes you can find money inside your organization creatively, and think about that. Prepare a risk analysis, and just put it out to people. 'Cause I always tell this to people is, people, we go in and we argue as if we want the right thing to do. And that's one thing. But as a younger man, I did that. Now I'm looking at people saying, how much risk can you take? I can deliver whatever level of risk you're willing.

I think you need to get started. You've got to put the basics in place just to get started, right? I've had calls from individuals that have called me two years after they saw me presenting at an event, for example. I'd be like, how'd you hear about me? I saw you presenting at this event on how hackers are getting in. It's two years later, like, what took you so long? Oh, we didn't know how to get started. I'm like, oh my God. These guys can't be the only ones thinking like this.

So that's why I built the whole program that's free on how to get started, and then you can bring us in after the heavy lifting's been done. And you can't say I would echo that than free. Yeah. I would echo that. I'd rather work with somebody who's figured out what they, what they're ready to, that they're ready to work. They don't have to have done it all, but they've got to be ready to get down and get into the work.

If I have to sell you that security is important, we're probably not ready for a conversation. Yeah. And people should go talk to different vendors, different suppliers, because they'll supply this stuff for free. But they're not doing it only out of the goodness of the heart. Part of it is a marketing piece, but also it's they don't want to get involved until you understand what has to happen. There's nothing worse than

getting yourself into a contract and the person has no budget, no ability, and no knowledge of what they have to do. Nobody wants that type of thing. I'll share a story of what's happening right now in our industry. So you have a lot of MSPs, managed service providers, that now, because they offer a cybersecurity tool, all of a sudden now they're a cyber security firm. So now they've come up by the hundreds at a time, right?

And all of a sudden now this one company has been working with their IT guy for 19 years. It's Jim, our great uncle, who does their IT. And he doesn't know what he's talking about. So we can come in with what's called an attack surface report. We can show you what the hackers can see about your business from the outside and show you all the weak points. And it'd be totally free. We're there to gain your trust, show you we can help you by actually helping you with this report.

And then we can look at paid engagements later on, but there's ways to get started for free. And we know what David does. Laura, do you guys, how do you guys go out to market like that? What's your, how do you talk to people? I think it's a lot of meeting people where they're at. So for us it's having the conversation, whatever the reason is that they heard about us. Usually it's that opening point of, what's keeping you up at night?

What's gotten you so worried that you finally picked up the phone or sent me an email or whatever it was? And we go from there, and sometimes it's straightforward, right? Let's say it's a startup SaaS product and they finally twigged that, oh, maybe we should find out what a patent, what our weaknesses are. Maybe we should get a pen test on this or something before we get hacked, now that we're collecting all of this information. And you go, okay, that's a great starting point.

Let's do that. And then we'll go from there. Sometimes it's everybody who's bought a file sharing program this year. Yeah. Sometimes we're trying to land a big corporate client; that's often a great starting point as well. Okay. So now, we always knew we needed it, but now we have to have it. So that's okay. I can work with that.

I'm happy to chat with you, change the conversation from, yeah, I know you have to have it for your business driver, but let's make this worth a lot more to you than just a checkbox on a survey that you're filling out in a vendor onboarding form, right? And that's fun. We're with you, Laura, now. So what's your story? What's, every one of you has brought two, but what's your story for today?

Oh, I thought this is a good time to do a little recap on what's developed in quantum, which is almost as bad of a buzzword as AI these days. No, it got worse when we got to the alternate universe in quantum. But I digress. Let's keep going. Yeah. So I think two things to highlight from this year. So one is the readiness aspect of it, right? Things have progressed quite a bit in the sense that this is the year that we now have some approved algorithms. There's three that NIST has approved.

There's a fourth one. I think they said they were going to do it by the end of the year. They've got a few days left before they blow that deadline. So it's still certainly possible. But having the approved algorithms should mean that there is the next stage of work happening, or it should have already really been starting to happen, because it's not like what was going to be approved was a secret.

But really now, from the traffic-that-traverses-the-Internet perspective, it's all about getting the Certificate Authority and Browser Forum, the work that they need to do to establish the protocols so that we can actually implement these algorithms in a meaningful way for all of the asymmetric key exchange that happens at the beginning of every session on the internet right now. So look forward to that in 2025.

Maybe. CAB seems to be more busy penalizing Entrust right now than it is actually getting ready for quantum. It's a meme that always appears in my mind, of the scene from Harry Potter where McGonagall is admonishing Harry, Hermione, and Ron. It's like, why is it always you three? And Entrust is usually one of the three that's getting beat on for some kind of thing. It's like Ivanti, Fortinet, Entrust this year. It's like, why is it always you?

So back up on this for Laura, for those of us who aren't, who don't live in this world. We don't all live in crypto land. Occasionally I dabble in crypto. We're not talking Bitcoin in this case, by the way, but this is the upgrading of algorithms to be quantum safe. Is that what you're talking about?

Yeah. So the next step, the algorithms are the really math, the, like, super nerdy stuff that has to happen first, where we theoretically decide, okay, this is how we're going to encrypt things in the future. And the next step to making it reality is then those algorithms have to be translated into the protocols of how the things that talk to each other will actually do the exchanges and everything. So that's the next step.

And then people can get to work on coding it and actually setting up infrastructure. Eventually it gets to the point where people go to a website, like the certificate authorities we mentioned, and you go and you say you want a certificate and you give it your parameters and a credit card and you get a file that you put on your website. Magic happens when people visit and they get a little lock that's closed. And yay. So you can tell we're still a few steps out.

You bring up a good point, Laura, because a lot of times when we do the assessments, we still see a lot of older protocols that are still active, a little older encryption. So when we come in there, let's say they still had TLS 1.0 still turned on, we can come in there with a Windows 7 or Windows NT, which will force it to go old school and then maybe bypass some things.

How, where do you see other problems happening with these older protocols that have to do backward compatibility, especially with devices like, like old, what's the word, like legacy technology? Yeah, and I think that's where it's going to be really critical, as part of readiness, is people need to start looking at, okay, where are they using crypto, and anything legacy had better be within your realm of control. So I'm going to start with that. You better know why you're allowing it.

And if it's just because you have a very distributed, wide base of general public who uses your service, or whatever it is, and you have to stay legacy ready, that's actually a pretty false narrative in this case, because the general public actually has a lot more modern technology than most companies. So I think the true risk of legacy is still, like, internal and generally within people's control. So then the next thing is to look at, okay, where is this happening?

Is it happening over the internet? Can you get it off the internet? If it still has to stay legacy for whatever reason, at least then you're minimizing your exposure to network sniffing, your data being trapped and then decrypted down the road when they can do that. So I think that's the short version: minimize your exposure if you have to keep legacy,

and keep it in your own networks. But yeah, if you're keeping it, if you're open to all the protocols because you feel like that's, like, inclusive technology, you don't need to do that. The iPhone is still staying up to date. If somebody is running an iPhone 3, they probably won't be for much longer. What's interesting, Laura, about the whole quantum issue and the risk of Q-day, right?

That day where all of a sudden it arrives, but we don't actually have a calendar day, so we can't plan and predict for it the same way that we could Y2K, for example, or the next Linux one, which is what, 2032 or something. We don't have a date in the sand. We just, we have this: it's coming, it's going to happen. And what I'm concerned about is,

NIST has approved these new quantum-resilient algorithms, and there's no rush on the long list of change management stuff for organizations to get done. They look at past initiatives like IPv6 or Y2K and go, ah, those were all overblown. And because there's no date in mind and no compliance regime otherwise, Q-day drops and it's just a mad scramble. And then we would get this kind of unpredictable system instability.

The internet in the best of days is bubblegum, sweat, tears, and a lot of prayers. And now we're going to introduce quantum upgrades to make the algorithms more resistant. The other part that's interesting is, what, 20 years where everyone relied on the defense of, it was okay 'cause it was encrypted. And sadly, not every breach can use that defense, but I think I'm going to fess back up now and go, now the crypto has been broken, it's easily broken.

We're going to have to go clean up, or they're just gonna be like, it's in the past, it's buried, and it becomes the digital version of Love Canal. Actually, so Dave, here's the thing. Here's a comment I got last week from a company: oh, our data is already out there somewhere. Why do I care about protecting it? Yeah, I got that comment. You could do that.

But this thing about the quantum piece, and I just want to introduce this because there's a lot of, and I'll talk about the hype around quantum right now. And as a person who's written a science fiction book about quantum, I will tell you that the basis that I based it on was not the quantum processors. It's the people out there using quantum programming and simulating quantum, and they're going to come closer.

There's a lot of very clever people who are working with quantum programming in traditional computer settings. And I will remind everybody that in 2019, Google said, we've got this thing, and it'll take a billion years to calculate, or whatever. I'm exaggerating, obviously. And then IBM said, hold my beer.

And that's what I would be watching for, is that we can get into the science fiction of quantum, and then we can get into the reality of quantum, which is there are smart people working at cracking these algorithms, and you at least need to be aware of that. Yeah. I'm never going to bet against the ingenuity of humanity, right? That's a losing bet. We're a clever little gang and we are eventually going to crack this.

What I think is interesting is also the vulnerability that we have as humans to poor risk management, that the less defined the risk, the more we're likely to have the optimism bias. It's not going to happen. Not going to happen right now. Not going to happen to me. We've got plenty of time. Procrastination is probably going to be a problem. You don't have to tell this guy, he goes there. I think just to circle back to a previous kind of question around there are comment, right?

There's no set date right now. So there will become a set date. They will be the ones who ultimately end up setting the date, because they will tell everybody, most likely this is what will happen, but we'll have Q-day and they will say, great, all your certificates as of X date are no longer going to be valid. So crack to it. Everybody go rotate your certs.

And everybody will have to rotate their certificates, or they will give you your open lock, and everybody will cry over their open lock in this. But there is still some compliance in the space. And it's not what I think is maybe the ideal way to practice, but we do get forced rotations. Not necessarily for great reasons all the time, but there have been a few of them, and a few noteworthy ones.

So organizations have had a taste of what it takes to do a mass rotation of certificates when an authority is no longer trusted by the browsers. And I guess if you want to be a silver lining kind of person, which I often am, say thank you for the opportunity to exercise my crypto agility. Oh, I'm going to memorize that, crypto agility. That's the Merriam-Webster cyber word of the year. It'll be a T-shirt in Shipley's new store for all of these great memes. I don't get credit for it.

You can thank the vendors who work in that space, who provide the certificate-to-asset management, for what they've been trying to preach to the choir, being the people who work in the space, for years. But, yeah. So over to you, Mr. Shipley, what's your story for the year here, or at least your first of the two? Yeah. So story of the year for me is Change Healthcare. We are now more than a hundred million people affected. In dollars,

it's risen from a $1.6 billion impact cyber event to now $2.7 billion plus US, or in Canada now $4.1 billion. Thank you, sinking dollar. To give you a little bit of a rundown: so in winter '24, one of the big ransomware groups, ALPHV, hit Change Healthcare through an insecure device, no multi-factor authentication, username and password; apparently it was a low-level support account.

Amazing failure on segregation of duties, failure on segregation of network, failure on all kinds of badness, but Change Healthcare is really critical infrastructure for hundreds, and they've got thousands of different medical organizations, particularly running the pharmacy billing software. So when this went down, it included the U.S. military, right?

So everyone's prescriptions are in the wind, the ability to do billing; it threw massive chaos throughout the financial aspects of the U.S. healthcare system, had a very nasty appearance in front of the U.S. Congress about it, and now I believe ranks as the most expensive healthcare cybersecurity event to date. And if you're wondering what my meme image is, it's the image of Homer and Bart saying, this is the hottest summer ever.

It's the hottest summer so far, because I think we're going to continue to see this, and it ties closely to a theme that we're seeing happen more and more, which is: if you can find that one vendor that has massive market penetration, and you can kick it, you can make a lot of money. So Change Healthcare paid the ransomware gang $22 million. They stiffed their affiliate. They just pulled a little exit scam. So no honor among thieves.

Some people believe a second payment happened; that's not been definitively proven, but that was $22 million. My second segue on this theme is CDK, which controlled more than 50 percent of the SaaS market for auto dealers in North America. It got itself ransomwared hard, crippled everything from large multi-chain dealerships to small shops. It's probably triggered one of the largest business interruption insurance claims working through the system. Hi, everybody paying business insurance.

They paid $25 million to an attacker. This is just part of that. And then lastly, you made the allusion earlier, Jim, about file transfer. Every single major file transfer vendor has already been hit, but then we had Cleo get hit as well. So it's just the single points of failure are getting squeezed. I know it's on the radar of intelligence community members. Cleo, they were hacked by your favorite, Clop. Was it Clop that got that?

Yeah. So Clop. And for those listening to this, why are they my favorite? Because literally, like from the school of branding, Clop actually refers to a bloodsucking tick, which I think is probably the most honest branding of a ransomware gang possible.

Yeah, so Clop. But Clop got Cleo. Never mind, we're not going back to the letter P here, but Clop got Cleo, and now they've said they're going to wipe their site and they're just going to focus on all of the accounts they got from Cleo. If I was a CISO there and I'd been using that service, I wouldn't be sleeping. No, it's bad news bears. And the fundamental lesson about all of these breaches, these file transfer systems, is, yeah,

there was usually some dumb old-day SQL injection, some other coding issue, et cetera. Sure. And that's what everyone's focused on, and the big obsession with the bad vendor: we should be able to sue you and hold you accountable, et cetera. All of us who were using file transfer systems as data warehouses gotta own that, right? That's why it's going to be so big and so bad, is that these systems were meant to be a subway, not a data warehouse.

And that's where process, again, I'm sticking with the letter P. I think we're going to see a lot more of that happening next year. They're going to go after the bigger targets, more supply chain type attacks, bigger bang for the buck. Yeah. The biggest one, the supply chain to get its clock cleaned, was of course Microsoft, with the Russians and the Chinese, and we had a scathing CSRB report on that and a change in culture.

On the positive side, because I do want to look into 2025 with a win, the fact that they've aligned executive compensation and other things to try and actually get better at security, fingers crossed. It's better than just sweeping it under the rug. But imagine if Microsoft really does get its clock cleaned. If Google Workspace got its clock cleaned. What if a telco in the United States? Oh, sorry. That happened. Yeah. No, we've now learned the telcos are actually less important.

And this is what's interesting. The telcos are less important to the day-to-day functioning because the spying didn't actually interrupt the flow of data. But if you take down one of these big, critical cloud providers, we are in the hurt locker. And I think that in the second part of the 2020s, this next five years, if we avoid that, it'll be by the grace of God, because these are now the too big to fail, and nobody is paying attention.

I still think the next world war, World War Three, is going to be digital. That's it. Live Free or Die Hard, for those who have never seen it, is based on hacking. So where they took down the power grid, they took down the banking system, traffic systems. I'm surprised something like this hasn't happened yet, or that it's being prepared for. These systems are all online; you've got to protect the entire critical infrastructure.

Right now Russia has brought down some U.S. systems, water systems; the dress rehearsal was there in Romania. These systems that we have that are sitting in all of our communities that supply our water and our basic services are all open. As a matter of fact, I'm going to rerun my "hacker goes through a city" piece over the Christmas period. People should take a listen to it. That was done a year ago, how you could wander through and find anything from camera to camera.

And sorry, I talk about my novel again, but one of the things that happens in the novel is getting into this infrastructure. I didn't make that up. I got that from local hackers who were telling me just how easy it was to get into civic systems. You were going to say something, Laura, I can see it. Oh, I don't know. I feel like it's gone, whatever it was. Sorry. It'll come back. Jump in when it does. I'm going to go back with my story in this.

And that is, when I started in IT, 150 years ago, when we had abacuses. We used to do those and punch cards. We worried about shadow IT because people were buying all these mini systems, and the mainframes were there and they were doing all this stuff. People were bringing in minis. They would do this stuff. Well, then we got the cloud.

And all of a sudden everybody's bringing cloud systems in, and we all thought of that as a control issue from IT. We never thought of it as the cybersecurity nightmare it is, because people could be going, well, I didn't do it, that was our cloud system vendor that did that. We've crossed that line with AI. Now we're going to see the biggest movement of shadow IT in history.

Everybody and their dog is going to have ChatGPT, Gemini, Claude, Meta on their computers that they're working with all the time. And those systems are going to be up and running, intrinsically linked to our businesses, and very few people have a strategy to deal with that. I am an optimist about AI. I believe we should be experimenting with it. I believe we should be doing things with it. I believe that if companies don't keep up with it, they will be left behind.

And I'm not one of these guys who makes these dramatic claims, but if you're not understanding AI in your business, you're going to be in... But if we do the Doctor No thing and say we're not touching it, keep it out, as cybersecurity professionals we're going to get killed, because they're going to bring it in anyway. And just, I'm going to do a show on APIs in January, just because I want to talk about, we're moving a lot of data around between these things.

Has anybody looked at the security of it? Forget that the model learns; I get that part of it. Everybody freaks out about that. I'm talking about, how are you transporting this data through this little integration program that you downloaded off the internet that is going to connect all these things? Has it got security on it? Those are the things that I think would keep us up at night. Remember back in the day, it's, oh, we have to secure big data. It's, we can't even secure the small data still.

Yeah, it's like you said, it's not so much about the model learning. It's about how do the boundaries actually get put in place and enforced? And there is not a lot of transparency. I think even companies that try to share information about what they've done do a poor job of communicating. And I think it's also just added to the list of things you're supposed to investigate and check out and risk assess and really understand what you're doing.

And I think people are understanding-fatigued. That one I'm taking credit for. That's good. Copyright it now, because of this t-shirt factory. Yeah, but we're just tired of having to bother and care so much. It's, the magic works. Why do I have to understand how the magic works? Can I just enjoy the magic? And we know that's dangerous, right? As security people, we know that's dangerous.

We've seen that in all the forms of "magic" (there were air quotes on that for anybody who's just listening) that have shown up over the last 50, 60 years that these computers have been doing their thing, more than that, who's counting? But it's overwhelming now to really keep track of things. I don't have a solution. I have a lot of respect for how hard it is to let anything in at this point.

Yeah. And my suggestion to everybody is talk to people, get out and talk to people about what they're doing. And we've had a big thing: not a blaming thing, not trying to find out what you're doing, try and get educated on what they're doing. Because if you go out with your little security hat on and say, I'm here to check to make sure you're not doing any of this stuff, they're gonna lie to you. Sorry. But every CISO knows this. They're going to lie to you. Do you use AI?

No. And there's stats on this. People don't admit they're using AI to their company because they don't want to get laid off, for one thing, but they're not going to tell you the truth about it either. So you've got to get up and have a chat with them and talk to them about what they want to do and how that's going to affect things. And I think if you're not doing that, you're going to suffer from a security point of view, because you're not going to know what's going on.

I think the most important thing that we need to complement AI in 2025 is HI, human intelligence. And what I mean by that is critical thinking skills, and understanding what problems you seek to solve with this and how I can help you. So instead of being the department of no, like you said, Jim, it's the department of know: know how to help you do this, know how to use these tools, so that you know how these tools work and what they can and can't do.

One of the things that still irritates me greatly this year is the completely bogus claims that these are actually thinking rationally, that they're not just stochastic parrots repeating what they've been trained on or learned, or the statistical probability of word following word in a given context. And there are companies out there that are continuing the charade that artificial general intelligence is coming tomorrow. Maybe. But it's certainly by no means guaranteed.

And so it's still being overhyped. Interestingly enough, within my own company, we've been using Copilot now for six months for our development team. And I asked my CTO, I said, what's been the productivity improvement? Because I'm pretty excited. He's like, it's not another developer, David. What do you mean? I was like, you're hoping for a 25 percent improvement in the capacity of a development team, and it's nowhere near that, but it's not.

So it's helped us with some automation of some scripting and some things. But it's also slowed us down sometimes, because it's taken some people down some rabbit holes. Huge potential. I've used it for some things for writing, but it is not yet self-aware. It's not Skynet. It's not the panacea. So I'm going to argue with you there, David, because, as the AI guy here, have your guy call me. I'm three times as productive, maybe four times as productive.

And I can track it from AI, because I focused on the small and I've gotten rid of the small stuff and the steps that are there. People, you don't need artificial general intelligence. Think about it as an alien form of intelligence. We wouldn't wonder when it's just good at things. Find the things that it's good at. Stop trying to make it into a person, and find the things that it's good at and use it for those.

And you will find that you can generate incredible productivity gains. But again, if you're sitting around waiting for it to become another person, you can talk to it, by the way, you can talk to it if you like. And if you have no friends like me, it's good, but they launched therapist GPT now. Oh yeah. But this is what I'm saying: the issue here for me in the cybersecurity realm is this is coming. It's in your shop now.

It has, and forget, like I said, forget the Terminator thing, forget that stuff, just wonder about somebody, and I'll just go back to this, somebody downloaded a little program to knit together four or five of these things, and it comes off the internet, and I don't know how secure it is. And it's running in your shop now.

And we'll just say this: Microsoft continues to push the Copilot, what we would call spyware, Recall as the thing, and I think it continues to bark up a tree that's going to be more pain than it's worth, right? Like, I don't need an AI to tell me what was on my desktop three days ago, or to capture my credit card as I'm entering it in, doing my holiday shopping. So I think your point, Jim, about finding the small things that it can do well and leveraging that.

Yes. But do we need it to try and replace our brains? Absolutely not. And can it be a replacement for pure human creativity and a well-trained developer? No. Can a helpful developer solve overflow? Sometimes. It can do the dumb stuff. And we all know that 80 percent of our work is dumb stuff, right? No, but you would think about it. How much time do you spend looking for a document? You spend at least an hour to an hour and a half a day.

That's if you're on average; you might be better than everybody. Fix that. Don't try and, this is what, sorry, I'll get on a soapbox, but don't try and make it think for you. Free up the people and let them think, let them have a few minutes in the day, instead of being overclocked all the time doing tasks, to actually draft Laura's list. And say, what are the 10 things we want to do? Wouldn't you like an afternoon to do that? That's what you want to get back.

I'm just not so inspiring. Okay. Lightning round, Terry, you got another story quickly? One minute. Sure. Let's talk about the federal credit union breach. So that leaked over 240,000 records, everything from social insurance numbers, credit card data, financial details. They obviously didn't have the proper network security monitoring in place, security measures.

And because of that, they were able to stay undetected for a long time and move around the network laterally without any detection at all. They also didn't have MFA in place to lock down more sensitive environments, more sensitive systems. And what's really important here, and this goes to any environment, is around employee training. They need to get awareness training on the latest hacks and scams that are going around.

Because it just takes, hackers aren't trying to waste time trying to hack your firewall and get detected, when all they have to do is send a crafty email to one of your employees, have them click on a link, and now they become an insider. So you need to have all these systems in place to know there's a hacker in there, and you better have a good response plan to get him out. Good stuff, yeah. Laura, got another story?

Yeah. So FINTRAC had an incident that took them offline back at the beginning of March. They did get themselves squared up to get a number of the large institutions back to reporting status quickly, but it took months, and actually, I think there are still some aspects of the service that are not fully functioning and available yet to allow the smaller organizations, that also have a very important role to play in reporting potentially suspicious transactions. That's what FINTRAC is for.

It's reporting suspicious transactions. So just things like that, right? It flies under the radar. Most of us don't have any concept of what FINTRAC is or does, but it's a really important part of the services our government provides that help keep us safe and help keep bad guys in check and find when bad things are happening. And that's a service hugely impacted and still really not up and running a hundred percent after months of work on it.

It's just another one of those things that happens and goes bump in the night that we should pay attention to. I think Laura's got a really important point on this, particularly as we head into '25, because, you know, as Canadians know, there's an unhealthy level of attention now being paid by the incoming president on all things Canada. Part of it has started with a kickoff of a potential trade war related to tariffs because of concerns about fentanyl labs and illegal border crossing, but the United States has been on Canada since 2019 about money laundering.

One of our largest banks just got a whopping fine for knowingly participating in facilitating money laundering and proceeds of crime, and the key infrastructure for allegedly... did you say allegedly? I think it's, you are an individual at this point, so I'd go allegedly facilitating. Yes. Or the fine has been levied, so it's probably a bit beyond alleged at this point. I'm going to go with the fine.

The fine's there; it has been fined for doing this, and this is the worst possible time to have systems and processes for watching this stuff go down. And it's worth noting that in Canada, they just increased the fines for money laundering on the financial system in the update by, I think, a factor of 40. So it's on the Canadian radar to get on this. So I think, Laura, that's an excellent point, is even the critical parts that are supposed to be keeping an eye on the criminals

are getting kicked by criminals and nation states. Yeah. Okay. Let's keep a good thought. And so in terms of the other stories, I guess this is more just the 2024 Stinky, and I will give the acknowledgement to this. You're going to give the Stinky out. Okay, if you're gonna give the Stinky out, I want the runner-up, because I agree with your Stinky, but I want to submit the runner-up before you do that. My runner-up for Stinky is AWS.

I have read one too many times about their, what is it? Their "you're co-responsible for security." And then this year, as I pointed out in the program, I went on to provision a server using the backend of AWS. I have a high school education, folks. I'm not a total idiot. I might be partial, but I'm not a total idiot. I've actually provisioned Linux systems and things like that. I've got to tell you, I could not figure out the security model. I'm sitting here, nothing makes sense.

You do this, then you do this, then you do this, and you just drift through it. And so the message I would like to give to AWS is: if everybody's got these unsecure buckets because they don't secure them, maybe you should hire a UX designer, because either all of your customers are idiots or your designers are. Take your pick. So that's the runner-up to the Stinky for me: stop blaming people for bad security when you have a bad interface on your security.

And there ends my sponsorship for AWS ever. So how do you follow that? For me, the drum roll for the Stinky goes not to a hacking group or an errant vendor, but to Canada's House of Commons for failing to pass Bill C-26 before they left for the year, because when they amended another law, they actually invalidated half the law. They did a numbering sequence. So there's a bit of human error in this story.

So it was actually at the Senate level where the Senate caught this, and in order to correct it, they had to amend the bill. The thing that all of us had said: don't do it, just pass it, because it's better to have a law on the books and improve on it. Then, if you amend it, it's going to go back to the House, which is just about to fall apart. And this is before the finance minister kamikazed the prime minister in our country. So it's even more dysfunctional now.

So yeah, we yet enter another year without a federal critical infrastructure cybersecurity law to help. And this comes after years of telecommunications hacks in the United States, pipelines almost going boom in Canada, and all kinds of other badness continuing in the world. So the Stinky this year goes to parliamentarians for not getting this right and leaving Canadians holding the bag. How do you disagree with that? Yeah, that's it. So thank you very much, guys.

This has been our year-end program. Thank you, Laura Payne, Terry Cutler, David Shipley. Thank you for being our panel all year. I hope we'll have you back in the new year. I'm hoping actually in January that we can do a start-of-the-season type of program, and we'll be able to take a look forward into the new year and some of the things that we want to be doing.

And I'd like to actually challenge the panel for us to focus on what are the things that people could be doing, that they practically can do within their budget and their means at that point, without having to open a bake sale or something like that to fund cybersecurity. This is the final show of the season.

I said I'll be back probably the Monday after the first week in January, back doing the daily news in early January. As I said, we're going to be asking our panel to come back and take a look at the new year going forward. David Shipley, I've got to nail you down. I really want to do another research episode, because I think those are a lot of fun and have been very positively received by our audience out there.

And I'm going to say the thing that I know some people may react to; as Jon Stewart said on The Daily Show, the seats are free, you can stop listening. I'm going to say Merry Christmas to everybody, and not because I'm afraid of saying happy holidays, but a lot of our audience celebrates other things.

They celebrate Hanukkah, they celebrate Eid, and so for those of you who want to say happy holidays, go to town, say happy Eid, say whatever, just wish everyone the best in this season. And that's my message to everybody. Merry Christmas to everyone, except our ransomware gangs, Chinese APT teams, and that carder forum that quoted me in Russian. So yeah, I'm gonna wish them a Merry Christmas so that they don't have to turn to criminal enterprises anymore and they can go and live an honest life.

And for Terry, happy doorstop pentest gooning. Thank you all. Nightmare. Merry Christmas to all you guys. Have a great New Year, and we'll see you in the New Year.

Transcript source: Provided by creator in RSS feed.