
October 23, 2025 25 mins

professorjrod@gmail.com

What’s the weakest link in your world—an old router, a forgotten Windows box, or that “anyone with the link” setting you meant to change? We unpack the real vulnerabilities hiding in small businesses, nonprofits, and home networks, then share a clear playbook to find them early and fix them fast without enterprise budgets.

We start with the quiet culprits: end‑of‑life operating systems, abandoned firmware, and default passwords that ship on printers, cameras, and routers. You’ll hear why isolation, segmentation, and least privilege are lifesavers when replacement isn’t an option. From ransomware on aging desktops to misconfigured cloud shares that leak donor lists, we connect everyday scenarios to practical countermeasures like MFA, strong crypto, key rotation, and simple access reviews.

Then we go deeper into application and web risks—SQL injection, XSS, CSRF, race conditions, buffer overflows—and how attackers exploit timing and input validation gaps. We break down supply chain threats, where a compromised plugin server can Trojanize an entire customer base, and show how to vet vendors with a software bill of materials and clear service level terms. You’ll also get a workable monitoring routine: weekly vulnerability scans (credentialed and non‑credentialed), reputable threat feeds like IBM X‑Force and Abuse.ch, and dark web awareness for leaked credentials.

To round it out, we map a no‑nonsense remediation loop: discover, analyze, fix, verify, repeat. Learn to use CVE identifiers and CVSS scores to prioritize by risk and business impact, spot false positives and negatives, and handle patches that break production with rollbacks and compensating controls. Along the way, we share a memorable bug bounty story that proves anyone—even a kid—can help make the internet safer. Subscribe for more practical cybersecurity, share this with someone running on “set it and forget it,” and leave a review telling us the one update you’re making today.



Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions

Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:27):
Hey, welcome to Technology Tap.
I'm Professor J-Rod.
In this episode, finding the weak spot: probability
management for real people.
Let's tap in.

(01:05):
Welcome back to Technology Tap, the show where we bridge
everyday life and cybersecurity.
I'm your host, Professor J-Rod, and today we're going hunting
for weak spots.
Every business, every nonprofit, every home network has them.
The forgotten laptop in the back office, the old Wi-Fi router,
the spreadsheet that should be public, or like that movie War

(01:27):
Games, that phone number that never got disconnected.
In cybersecurity, that's what we call vulnerabilities.
The cracks attackers look for before breaking in.
So grab your notebook and maybe a cup of coffee and let's learn
how small organizations and ordinary users can manage
vulnerabilities just like the big leagues do.

(01:49):
The hidden cracks.
Picture a small auto repair shop.
They use an ancient Windows 7 desktop to print invoices.
One morning, every file name ends with dot locked.
The screen reads, pay $600 in Bitcoin to restore your data.
That's ransomware.
And it's a symptom of poor vulnerability management.

(02:10):
Operating system vulnerabilities.
An old operating system stops receiving patches.
Once Microsoft ends support, which it just did for Windows
10, every newly discovered bug becomes a backdoor that never
locks again.
For big companies, patching is a routine.
For mom and pop stores, updates feel risky.
What if it breaks my software?

(02:31):
But not updating is worse.
Legacy and EOL systems.
A community clinic is still running a Windows XP radiology
viewer camp patch.
Solution: isolate it.
Put it on its own VLANs, disconnect the internet access,
and control who can touch it.
Legacy doesn't mean doesn't have to be vulnerable, it just needs

(02:52):
boundaries.
Firmware and virtualization.
Always check vendor support pages.
If none exists, replace it.
Or what you can do is call your ISP saying that your packets are
dropping, that every time you connect to the internet, it

(03:13):
drops and they'll send you a new router for free.
Virtualization too isn't immune.
Misconfigured hypervisors leak memory or credentials between
guest VMs.
Zero Day Vulnerabilities.
A zero day is a flaw discovered by criminals before the vendor
knows it exists.
In 2021, a small accounting firm was hit via zero day in their

(03:35):
remote desktop gateways because someone left the service open to
the internet with default credentials.
Zero Day reminds us that security is a race.
We can't patch what we don't know, but we can prepare with
segmentation, logging, and backups.
Misconfiguration and human error.

(03:58):
They share documents in Google Drive and want transparency.
One volunteer clicks
"Anyone with the link can view."
Weeks later, donor information surfaces on a local Facebook
group.
That's cloud misconfiguration.
No hacker genius is required.
Just click in the wrong menu.

(04:18):
Default settings.
Printers, cameras, routers ship with admin password as a default
login.
Attackers scan the internet looking for them.
Change default always.
Cryptographic slip ups.
A small law firm uploads client contracts to a site using an
outdated SHA-1 encryption.
Encryption is only as strong as its algorithm.

(04:40):
Decommission weak ciphers and rotate keys regularly.
Rooting and jailbreaking.
At a local phone repair shop, a tech roots Android phones to
speed them up.
Rooting disables security layers, inviting spyware.
Explain to staff why convenience should never outweigh control,
plus it voids the warranty on it.

(05:02):
Misconfigurations aren't flashy, but they cause more breaches
than zero days ever will.
Applications and cloud vulnerabilities.
Next up, a family-owned gym with an online sign up.
A member reports weird pop-ups.
The web developer finds drop table members in the log.
Classic SQL injection.

(05:24):
Common app bugs, race conditions.
Two users booking the same yoga slot simultaneously.
Both confirm. Attackers exploit timing like that to manipulate
data.
Buffer Overflow.
Too much input crashes the process.
Malware writes the overflow to execute code.
Malicious updates.
An attacker compromises a plugin server, everyone who updates

(05:46):
downloads the Trojan.
Web vulnerabilities, cross-site scripting, malicious code in a
comic field, and comment field steals cookies.
CSRF users tricked into clicking links that change settings.
Teach clients validate input, sanitize output, patch plugins.

(06:09):
Cloud example.
A local bakery uses a free cloud backup.
The vendor goes bankrupt and deletes all data after 30 days.
Always read the SLA, enable MFA as multifactor authentication,
SLA service level agreement, and encrypt before uploading.
Supply chain risk.
A neighborhood MSP installs a remote management tool.

(06:32):
Months later, attackers exploit that vendor's updated server.
Not every customer inherits the infection.
Vet suppliers, request software bill of materials list.
Scanning the surface.
How do we find these issues before bad actors do?
Vulnerability scanner.
A local library runs OpenVAS weekly.

(06:53):
It reports outdated Apache modules and missing patches.
Credential scan logs in for details.
Non-credential shows what outsider sees, schedule both.
Threat feeds.
Think of a threat feed like a neighborhood watch.
Sites such as IBM X-Force or Abuse.ch publish new attack

(07:13):
signatures.
Every small IT team can subscribe to free feeds or use
built-in tools like Microsoft Defender Threat Intel.
Deep and Dark Web Awareness.
The deep web includes private databases.
The dark web requires Tor.
Analyst monitoring for leaked credentials.
For instance, that coffee shop loyalty app that stores

(07:35):
passwords in plain text.
Vulnerability identification isn't paranoia, it's
maintenance, like checking tire pressure before road trip.
Testing and validation.
Now we've tested the defenses.
Penetration testing.
Community college often hosts free pen testers for local
nonprofits.

(07:56):
Students under supervision run gray box tests.
Black box is outsider, white box is full access.
Bug bounties, a regional credit union, offers gift cards for
responsibly reported flaws.
Bug bounties turn curiosity into collaboration instead of crime.

(08:19):
This is a story about a kid for Apple FaceTime.
Look it up.
I tell the story in my classroom where he found a bug and they he
ended up getting a bounty from Apple.
Auditing.
Quarterly audits ensure policy matches reality.
Are firewall rules undocumented?
Are admin accounts still active after resignation?

(08:42):
Testing isn't about blame, it's about learning before the
adversary does.

(09:14):
Analysis and Remediation.
Discover, analyze, fix, verify, repeat.
CVE and CVSS.
Every public flaw gets a CVE ID and a CVSS score.
Example: A router flaw with a CVSS of 9.8 is critical.
Prioritize by risk and business impact, not fear.

(09:36):
False positives or negatives, a scanner flags an open SMB port, but
it's already blocked by a firewall.
That's a false positive.
Or another misconfigured NAS, that's a false negative.
Cross-check logs, trust, but verify.
Remediation steps, patch or upgrade.

(09:57):
If not possible, segment or apply compensating controls or
document exceptions, or four, rescan and confirm closure.
At a local daycare, patching breaks attendance software.
They roll back, contact the vendor, apply the patch once
fixed, demonstrating smart risk management.

(10:17):
Alright, now it's time for the questions.
I have four multiple choice questions, CompTIA style
multiple choice questions.
I will read each one, then I'll give you the four choices.
Read again, four choices again, give you five seconds.
Hopefully, you get four out of four.
Question one: Which of the following best describes a zero

(10:38):
day vulnerability?
A a flaw that has a vendor patch available but isn't
installed.
B a flaw unknown to the vendor with no fix yet released.
C a misconfiguration in cloud storage permissions, or D an
outdated encryption protocol.
I'll read it again.
Which of the following best describes a zero day
vulnerability?

(10:59):
A a flaw that has a vendor patch available but isn't installed.
B a flaw unknown to the vendor with no fix yet released.
C a misconfiguration in cloud storage permission or D an
outdated encryption protocol.
I'll give you five seconds to think about it.
5, 4, 3, 2, 1.

(11:21):
The answer is B.
A flaw unknown to the vendor with no fix yet released.
A zero day is exploited before the vendor can issue a patch,
leaving zero days to respond.
Now, a zero day is very dangerous, and this is one of
those things that you have to monitor what's going on on the

(11:43):
internet, right?
Because if there's a zero day and there's a and it's a patch
release for the zero day, then you quickly have to install it.
Because if now you're invulnerable, you're vulnerable.
This happens a lot with phones, guys.
And there's a lot of people, I know because my students tell me
that do not like to update their phones.

(12:04):
They have this thing where, oh, if I update my phone, my
battery's gonna die, blah blah blah.
Okay, do what you want, but you are leaving yourself possibly
exposed to a compromise.
And you don't want that.
And if you want to, especially if you want to be cybersecurity,
you have to be in that mindset of update, update, update.

(12:24):
What Apple likes to do is and read it the next time it comes
up with an update.
It doesn't have to be an emergency update, it can be like
a regular update.
It'll say, We have a new emojis out plus some security updates.
They say that because they they tease you with the emoji, but
they really want you to install the security updates.

(12:44):
And there's times where they'll that you see on the news where
they'll say, Oh, Apple or Chrome or Windows, I've seen this in
the last two or three years, wants you, needs you to update
right away.
I think the last one was Apple, and then the time before that
was Chrome.
I think during COVID, maybe, where they they had a flaw, they
discovered a flaw, a zero day, and then they released a patch,

(13:07):
and they were telling everybody to update their Chrome like that
day.
So, you know, those are things that you as a cybersecurity
person, student, have to pay attention to, and you know,
don't waste time, don't you know, don't have the mindset,
well, well, I'm not gonna update my phone because my phone is
gonna kill my battery.

(13:28):
No, even if it kills your battery, you gotta update.
So, all right, question two.
During a vulnerability scan, an organization discovers several
findings that aren't actually exploitable because the affected
service is disabled.
What does this represent?
A a false positive, b a false negative, d benign alert or

(13:54):
d fake news.
I'll read it again.
During the vulnerability scan, an organization discovers
several findings that aren't actually exploitable
because the affected service is disabled.
What does this represent?
A false news, a false positive, b false negative, C benign
alert, or D false news?
I'll give you five seconds.

(14:16):
Think about it.
Five, four, three, two, one, and the answer is a false positive,
a scanner incorrectly labeled inactive components as
vulnerable.
Alright.
Did we get two out of two so far?
Hopefully we have.
Next, a local retailer wants to know which discovered

(14:38):
vulnerability should be fixed first.
Which framework helps rank severity from 0 to 10?
A CVSS Common Vulnerability Scoring System.
B CVE Common Vulnerability and Exposure and Exposures C ISO
27001 or D PCI DSS.

(14:59):
I'll read it again.
A local retailer wants to know which discovered vulnerabilities
should be fixed first.
Which framework helps rank severity from 0 to 10?
A CVSS Common Vulnerability Scoring System.
B CVE Common Vulnerability and Exposure C ISO 27001 or D PCI

(15:21):
DSS.
I'll give you five seconds to think about it.
5, 4, 3, 2, 1.
Well, one of the things that you could eliminate right away is
PCI DSS because it doesn't say specifically his credit card.
So that one is gone.
So you're left with three. ISO 27001.

(15:43):
Doesn't fall into this category.
So you're left with A and B and the answer is A.
Common vulnerability scoring system.
Quantifies severity so teams can prioritize remediation.
Alright, did you get three for three?
Let's go four for four.
What is the most effective way for small business to protect
against configuration errors in cloud storage?

(16:06):
A use default settings provided by the vendor.
B review access control and enable least privilege
permission.
C disable all encryption options.
Or D share files publicly for transparency.
I'll read it again.
What is the most effective way for small business to protect
against configuration errors and cloud storage?

(16:29):
A use default settings provided by the vendor.
B review access control and enable least privilege
permission.
C disable all encryption options or D share files publicly for
transparency.
So let's so what is he trying to do?
For small to protect against configuration errors, right?

(16:49):
Obviously, it's not D, right?
You're not gonna share files publicly for transparency.
And it's not C, you're not gonna disable all encryption options,
right?
The keywords to protect against, right?
So you're not gonna disable encryption options.
You never ever use the default settings provided by the vendor,

(17:10):
right?
All the default settings need to be changed, right?
Admin password or admin admin is usually the default username and
password.
So the answer is B review access control enable least privilege
permission.
Least privilege reviews prevent accidental public
exposure of sensitive data.
Hopefully you got four out of four, right?

(17:33):
If you did, congratulations.
That's what's up.
You're almost ready to take the Security Plus exam.
But let me let me piggyback on the on the zero day, which I
think it was important.
Now, if I remember the story correctly, it was a kid who had
a Fortnite.
This is when Fortnite first came out.

(17:54):
He was a member of a Fortnite group, and him and his friends,
his buddies, created a group FaceTime Fortnite group.
Where they, you know, when they play, they would call each other
via FaceTime.
Right?
That's what kids do.
I don't know.
This is this is like 10 years ago, maybe less.

(18:15):
I was a high school teacher, so it was maybe yeah, less than
about six, seven years ago, eight years ago, maybe.
And what happened is he called his friend via FaceTime, and
then he accidentally called himself.
His friend did not pick up the phone.

(18:37):
But I think because of that bug that he called himself, if I'm
getting the story right, he turned on his friend's mic
without his friend realizing that it turned on.
So he can hear his friend talking.
And this is like a 13-year-old kid, right?
This is not a grown adult, 13-year-old kid.

(19:00):
He can hear his friend talking, but his friend did not know that
his mic was on.
You know what kind of security implications that is?
Imagine if you're able to do that to a president, member of
Congress, anybody, CEO of a major company, right?

(19:22):
If you were able to do that to Warren Buffett, right?
And you can listen to all his stuff that he's doing, though
how to make money the way he does, that will be amazing.
But it's also a huge security risk.
So he I think he told his mom, and his mom emailed uh Apple
like a few times.
It took a quite a few times for them to them emailing Apple for

(19:47):
then Apple to actually respond back.
And when they did, you know, the mom said, Hey, this is what's
going on, and they tested it, and they ended up giving the
kid, I think they gave him 30 grand for finding that.
And I think they set up a college fund for the kid because
he was only 13, so that when he goes to college, you know, they

(20:10):
you know that that money is already paid.
Hey, if you're that kid, man, reach out to me, Professor Jrod,
J R O D at Gmail.com.
I would love to talk to you about the zero day thing from
Apple back in the day.
So yeah, the kid ended up, you know, making making some money,
and and you know, or if you know the kid, if anybody knows the
kid, but yeah, he ended up making money, you know, and

(20:32):
people this this is stuff people do this bug bounties for a
living.
I don't know if there's you know, if if there's do this for
a living or they do this as a side hustle, it could be a great
side hustle.
I don't know if it if you want to do this for a living, but
definitely is a great side hustle for bug bounties.
So, what it what did Apple ended up doing?

(20:52):
For a while, Apple shut down group FaceTime, they had no
choice.
Like they like on the fly, they didn't know how to fix it.
So to remediate that, which is a zero day, that's a zero day.
Uh to remediate that, they disabled group FaceTime for
everybody for a bit, and then they fixed it, right?

(21:15):
Put it, sent the patch, right?
Tested it, sent it to everybody, right?
They ask you to install it, and then they put on they turned on
group FaceTime.
But yeah, that's that's crazy, right?
That that he does that, and just just from that kid accidentally,
you know, calling himself, that's what triggered it.

(21:38):
So you gotta be careful, and again, guys, when they ask you
your phone, Windows, Chrome, whatever it is that you're
using, your your even your smart TV, right?
Your Xbox, you good, you gamers, right?
You gamers are diligent when it says, Hey, we have an update for
your Xbox.

(21:58):
Oh, you're right there, downloading that and update up
uploading that and installing that patch right away.
And when they say, Hey, we found a bug in Xbox or PS5 or whatever
you're using, you're quick to do that.
So be as quick to do this when it's your phone, when it's an
app, when it's your computer system, right?

(22:20):
If it's Word, Office, right?
All these things that we use, all these products that we use,
guys.
We and that's the and if you never heard the first episode of
my of this podcast way back in 2020, it's titled Why We Update
Our Devices.
This is why.
Right?
We need to keep our device updated to protect ourselves

(22:43):
from the bad guys.
Because the bad guys are out there, they don't matter how
small or how big your company is.
If you are vulnerable, it is it's just it's not a question
of, you know, it's only a question of when when they hit
it.
Now, I know small businesses, a lot of them don't care about
cyber because it's an expense and they don't care, but until

(23:04):
they get hacked, right?
It's like a lot of people don't care about backups until their
thing crashes, their hard drive crashes, or their server
crashes, then they're like, oh my god, I should have backed up.
Right?
So that's a that's a problem that we still as IT people, we
still need to work on.
We still need to, you know, we need to work on that stuff.

(23:25):
All right, we covered a lot today.
From forgotten routers to community bug bounties.
Vulnerability management isn't about paranoia, it's about care.
When you patch that system, update that router or train that
intern, you're not just protecting data, you're

(23:45):
protecting jobs, paychecks, and a peace of mind.
Right?
And this kind of like leads to the thing that I like to tell my
students that they don't like me saying it, is like every now and
then you see somebody doing something at work, you have to
tell.
You know, you have to be a snitch.
Even I mean, that's a bad word, but you have to tell because if

(24:06):
you don't, it could affect your money, it could affect your job,
it could affect you getting a paycheck that week, it could
affect you, you know, still having a job.
So keep that in mind when you see somebody doing something
they're not supposed to.
All right, thanks for listening to Technology Tap.
I'm Professor J-Rod.
Stay curious, stay cautious, and above all, keep tapping into

(24:29):
technology.
This has been a presentation of Little Cha Cha Productions, art
by Sarah, music by Joakim.
We're now part of the Pod Match Network.
You can follow me at TikTok at Professor Jrod at J R O D, or

(24:54):
you can email me at professorjrodjrod at gmail.com,
you can do it.