Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Leonard Lee (00:09):
Hey everybody.
Welcome to this Next Curve Rethink podcast episode of our
Security and Trust series, where we break down the latest tech
and industry events and happenings into the insights
that matter in the very fast moving landscape of cyber
security and trust.
And I'm Leonard Lee, Executive Analyst at Next Curve, and I'm
(00:30):
joined by my co-host and very, very, very, very good friend,
Debbie Reynolds of Debbie Reynolds Consulting, LLC. Hey,
Debbie.
Debbie Reynolds (00:41):
Hey, Leonard.
Nice to see you.
Nice to see Bob.
Awesome.
Leonard Lee (00:44):
Good to see you.
Yes.
And speaking of Bob, our very special guest, Bob Carver, CEO
of Cybersecurity Boardroom, and cybersecurity thought leader
extraordinaire and prolific on LinkedIn sharing his insights.
It's really great stuff.
I love following your stuff, Bob, and it's really great to
(01:05):
finally have you on our show.
And I know Debbie's also
equally, probably as excited as I am to have this chat with you,
and hopefully it'll be one of many in the future.
So I'm,
Bob Carver (01:17):
I'm excited to be
here.
Leonard Lee (01:19):
Yeah.
Great.
Before we get started, please remember to like, and share,
react to the comments in this episode and what we share here.
Also,
subscribe here on YouTube and Buzzsprout to listen to us on
your favorite podcast platform.
Opinions and statements by my guest and including my co-host
Debbie, are their own and don't reflect those of Next Curve.
(01:41):
And we are doing this to provide an open forum for discussion and
debate
on various technology topics and cybersecurity and trust
topics.
So we hope you find the program informative and fun.
So before we get started, Bob, share with our audience a bit of
your background and who you are, even though I think everyone in
(02:04):
the cybersecurity domain knows who you are, but maybe expand
your
audience here by, right,
tapping into the Next Curve audience.
Bob Carver (02:13):
Yes.
I've been doing cybersecurity for over the past 25 years.
Originally, was working in the financial world and started in
the nineties. One of my first projects was building a key
management center, Gado, AES 256 encryption.
That ended up encrypting traffic.
(02:33):
It was moving money between Fidelity Investments and some
major financial institutions. I'm sure that system lasted
probably many millions, hundreds of millions of dollars, probably
worth of transfers before it was retired.
But anyway, little by little, I just started dabbling in
security over at Fidelity Investments, volunteered.
(02:54):
There was very few back in the nineties and even the early two
thousands of full-time security folks.
So it was the IT guys that just volunteered to help out with the
security.
So that's what it started.
And anyway, after I'd been there for a while, there was a
position opened at Verizon Wireless.
What happened is, I say that I owed my career at Verizon
(03:17):
Wireless due to the Paris Hilton hack. Her
account got hacked at T-Mobile and the management in their own
wisdom of Verizon Wireless said, we may ought to hire some
full-time people to do this security stuff.
Yeah.
Wow.
And anyway, I was picked out of literally hundreds of people
(03:40):
that they interviewed and I ended up being employee number
one to start things.
They had some people that were contractors that started, but
anyway, I've been doing this for, like I said, for some time
and went through a lot of major changes in technology over time
and just seeing all the craziness and also,
not only in the defensive part, but to see the threat
(04:02):
actors getting better and better.
So yeah, that's the short bit.
So,
Leonard Lee (04:07):
yeah.
No, that's fantastic.
And I'm sure our audience is going to appreciate the
insights that you bring on both sides, right?
Of what you're observing from the threat perspective, but
also how you see solutions evolving.
And we'll, we'll get into all of that as we have our
discussion. We're really excited to have you on, as I said.
So why don't we start off with a chat around what are some of the
(04:29):
things that are top of mind in terms of
threat trends, and it seems like there are some that have
been in play for quite some time, but then there's
also seems to be additional things being layered on top of
the existing stuff, but then also new vectors and areas that
(04:49):
are starting to form.
And so, Debbie, I haven't spoken to you in a while, so love to
get your take as well.
But one of the things that I'm observing is the velocity is
just accelerated.
It seems to have, at least in the last
six months, and just by looking at both of your posts and what
(05:09):
you're sharing on social, it looks like things are just
picking up and I don't think that's a good thing.
But what are, I am sure you have plenty of things to share, but
what are some of those things that have been top of mind for
you guys in the past, let's say, six months?
Debbie Reynolds (05:31):
La Ladies
first, or in that, that Bob.
Oh, guess first, right?
Yeah.
I want Bob's thing.
Oh, okay.
Bob Carver (05:39):
Yeah.
It's mind boggling, the velocity that's going on.
Yeah.
North Korea, they're probably the world experts on being able
to break into cryptocurrency sellers and networks and
to be able to siphon off all those Bitcoin or Ethereum
recently too.
Matter of fact, I had just sold off the last of my
(06:01):
cryptocurrency a few months back, before everything started
going downhill, which I was glad to get out.
One of the concerns I had too was the security. I didn't get
in for the longest time because, like, how am I gonna really be
able to secure this well?
Yeah.
And so that, I didn't get in for a long time.
And then even then, I had a call from a friend of mine.
(06:25):
They said, oh, I have this friend, and they just lost
$300,000 worth of Bitcoin.
And it was due to one of the major wallets that is very
popular out there.
And I don't know if they didn't keep up the updates or it just
continued to have one vulnerability after the next.
And a matter of fact, it was the same wallet that I was using.
(06:45):
And anyway, just to see that sort of scary thing happening.
But the other thing is to see a lot of the info stealer and
just, anyway, I was talking to you earlier, Leonard and Debbie
too, I think, about going to some of these LLM sites and some
of my security stacks showing up spyware and info stealer
(07:06):
domains that somehow got into the mix. Luckily I have some
fairly decent security that ended up blocking these domains,
or at least warning me of what was going on.
And that's a concern too, because once an info stealer
gets into your network or your computers, basically everything
you log into, they have the username and password and they
(07:31):
can pretty much replicate what you've done.
The only thing that might help is if you have good multifactor
authentication.
But, and I've known some people, I've recently wrote, I did a
video last week talk about like small businesses getting
compromised and stuff.
And these businesses, like the in gets in there.
They could lose their entire business, their banking
(07:53):
accounts, all their email, all under control.
Their phone may be under control and it's scary. So, can we back
up for a moment?
Leonard Lee (08:03):
What is an info
stealer?
I mean, quite honestly, it is abit of a new term for me.
Sure.
what is it
Bob Carver (08:10):
Info stealer
basically sniffs out all your
logins.
All your login, at least that's the primary result of it.
So all your logins, your username and passwords.
They'll also check to see, is this your bank
domain? Is this your email domain?
(08:31):
This is your password domain if you have a password manager.
And they'll grab all that information that is used to be
able to take over your account.
Leonard Lee (08:43):
Wonderful.
Look, look at you, Deb.
Debbie.
You look pained.
What is, yeah, you, you've been holding a grimace this whole
time as he, Bob is describing info stealer.
Debbie Reynolds (08:57):
It's,
Leonard Lee (08:58):
it's
Debbie Reynolds (08:58):
scary.
You.
Yeah, it's horrible.
Yeah.
Terrible, terrible.
Yeah, there was actually a story about this in the news.
I, you may have written about it, Bob, about the guy he worked
for Walt Disney.
Oh, yeah.
Yeah.
A bad actor was able to, yeah,
take over his, yeah,
his password manager.
Yeah.
(09:18):
And his password manager had his personal stuff and his work
stuff in it.
Right.
So they were able to get into his Disney accounts and do
stuff, and then he ended up getting fired and they stole,
like,
yeah, a lot of money from his bank accounts.
Bob Carver (09:31):
He's trying to get
his job back now, but what
happened is he thought, he thought he'd be smart and
download an LLM, I think, on his local machine, and I think he
got it from GitHub.
And after he downloaded that and installed it,
that's when things started going bad.
(09:52):
Evidently there was some sort of info stealer type code in that
LLM he downloaded locally.
And his endpoint security did not pick that up.
Leonard Lee (10:03):
Object.
Yeah.
Bob Carver (10:05):
And yeah, it took
not only took out his entire,
everything that he was associated with, but the
threat actors that did take over his machine made it look like he
had been stashing some child porn,
so it would be a high probability that he would be
fired, that the FBI would get involved, on and on and on.
(10:26):
And then, but the thing is that I think they got into other
parts of Disney too, based on his access that he had at
Disney at the time.
So, um, yeah.
Wow, that's nice.
Very, very, very scary.
So that's why when I hear about the spyware and info
stealer malware,
it's scary.
Leonard Lee (10:45):
Yeah.
And this is something that, we talked earlier about RSA,
you know, RSAC or the RSA Conference, that the conference
was started to become very concerned about last year.
'Cause, you know, in the prior year everybody was high on
(11:06):
generative AI.
They were excited about its potential to be a tool to help
combat the existing problems with cybersecurity and threats.
And then that tone quickly changed last year, right?
What you guys are describing here in this scenario with
Disney is exactly what they were concerned about.
(11:26):
Mm-hmm.
I think they saw
the writing on the wall.
A lot of practitioners and vendors actually saw the writing
on the wall and said, this stuff, if it gets into our networks,
into our corporate environment, it can go exponential, right?
It's actually a tool that can accelerate an attack beyond
anything that a non gen AI enabled intruder and attacker
(11:50):
could institute
in our environment and ultimately on our business,
right?
So it's really interesting that you're bringing that up because
it seems that a year ago that tone change was completely
appropriate.
Bob Carver (12:04):
and
Leonard Lee (12:04):
the thing,
Bob Carver (12:04):
I think, to
emphasize something here,
important point of this, one of the reasons he was
putting the LLM, downloading it and installing it locally was
due to some privacy concerns of putting prompts and all
their information into the one that's out in the cloud.
So they were trying to protect, from a privacy standpoint, he
(12:26):
was going the right direction.
But the thing is, it backfired.
It sort of backfired.
Yeah.
End up exposing
things.
It's ironic, more things in the long run by going locally than
if they would've stayed in the cloud.
But anyway, but the thing is, like sort of implying what you
(12:47):
were going, talking to, Leonard, there is that individual AI
agents could be rolled up into these systems.
Yeah.
All of a sudden they could be used.
It's almost like going down a bad alley and then getting
attacked by entire gang,
just all by yourself, you know?
If all those AI agents were defined to do bad,
(13:11):
well, they would tear you apart.
Leonard Lee (13:13):
Yeah.
And that, that's the problem.
Agentic AI is something that's been more of a recent trend and
pivot in the general AI narrative, but last year it was
brought up as being a potential vehicle for
threat expansion, attack expansion, everything along the
lines of what you're talking about right now.
Right.
So I think the community outside of cybersecurity is
(13:37):
about a year and a half behind.
Mm-hmm.
The cybersecurity industry that's looking at what the
potential is for these technologies to actually,
it's already been asymmetric, like, Debbie, you always talk
about how the relationship or the fight
is asymmetrical, right?
It increases that asymmetry, but in the favor not of the
(14:01):
cybersecurity practitioner.
Actually, the attacker.
Right.
And so that's the dilemma.
Bob Carver (14:09):
One thing that's
interesting, I had the
opportunity to speak at several conferences way back in 2018 and
2019. I was at a conference in Dublin, Ireland.
That was the first time, I had always had this in the back of
my head, but to publicly, not just my close network, but
publicly say to several thousand people, get ready.
(14:32):
The fight in cybersecurity is gonna be AI versus AI.
It's just a matter of time.
This was 2018.
It was the first time I said that publicly.
Then I brought that same message to the International Monetary
Fund twice
in 2019, one time in front of 190 countries and the other time
was a little bit smaller, but still countries from all over
(14:53):
the world.
And anyway, it was just,
people were sort of deer in headlights.
The audience in the EU was all definitely cyber folks.
The IMF is more monetary folks, you know, bankers, economists,
that sort of thing.
Leonard Lee (15:06):
yeah,
Bob Carver (15:06):
And so now we're
actually seeing a result of this
happening.
Agentic AI that could end up being the attacker.
I liken it too much to the swarm attack drones in the air,
where you're busy trying to fight off each one on an
individual basis, but it's difficult to fight 'em all.
(15:30):
Every single one
at the same time.
Leonard Lee (15:34):
Right, right.
Bob Carver (15:35):
That's the type of,
if you have a visual reference,
I would say those attack swarm drones, it would be very
much like that in a cyber realm.
Debbie Reynolds (15:44):
Well, it's like
the matrix with, you know,
fighting, what's the guy's name?
Agent.
Yeah.
The agent like Yeah.
That's what it's like.
Yeah.
Yeah.
I'm, I agree with you.
I was.
going to say AI agents or just AI in general and how people are
using it for attacks, right.
I'm super concerned because, you know, these agents are, are,
(16:05):
would reportedly know more about you than maybe a typical person
would know or would
typically be known about you in public.
And so that's enough to create a situation where they can maybe
send an email or do something on your behalf and fool someone to
give them some information or something like that.
(16:25):
And when we're thinking about agents,
you know, think about agents,
right? With S. Yeah,
yeah.
Multiple.
So like, they may have a hundred agents and then
there's no, yeah,
no guarantee that even the ones that you sanction will not go
wrong.
Right.
They have your, you know, they may have your flight
information or your bank information and they're only
supposed to book flights for you.
(16:47):
But who's to say they wanna book flights for somebody else?
So, yeah.
Well, I wanna share.
Leonard Lee (16:53):
Yeah, Debbie, you
and I, we've had discussions
about deep fakes for actually years now.
It's incredible years.
But I was just at the NAB Show and I kind of did a no-no. I
actually consented to have my image used in a demo.
And the demo, after about a minute, pumped back an
advertisement that had my likeness.
(17:17):
Whoa.
Yeah,
and I was
astonished, number one, how quickly they're able to
replicate or create that deep fake.
Although, you know, obviously the vendor was thinking, hey,
we're doing this for fun.
This is something that fans might engage with or a creator,
if they licensed someone's likeness,
(17:40):
they could create content using generative
techniques without having to bring that individual into the
studio, et cetera, et cetera. But you flip that and it's
astonishing how these deep fakes could very easily fool
(18:02):
most people.
Yeah.
Right?
And our voices, our likeness, they're on the internet.
And then there's also the dark web that is open. And so when
you have these agents and these generative AI architectures,
what you might call
(18:22):
RAG architectures, for cyber attacks, basically connecting
to an indexing or creating embeddings of you in a vector or
a graph database, and then using that information or that corpus
to institute intelligent or reasoned attacks on you.
(18:47):
With deep fakes.
A deep fake layer.
Super scary.
And it's not like this is tomorrow.
This is like today.
Bob Carver (18:56):
Yeah.
Leonard Lee (18:56):
This is maybe even
yesterday.
And I don't think this is part of the public discourse enough.
It's actually quite frightening.
Bob Carver (19:08):
What, there's
several things there.
I mean, one of the things that's a little concerning is that there
are several, many financial institutions started doing the
voice recognition as part of the identity.
And it's like when that first came out, I go, oh boy, I don't
know about this.
But we'll go back, and about a year ago, I think in Hong Kong,
(19:30):
there was a company taken for over a couple hundred
thousand dollars through a deep fake, and it was done with a
video and that sort of thing.
And then the most recent one you probably remember was Ferrari.
Somebody was trying to imitate the CEO of Ferrari and he was
trying to
get some major money from Harry?
(19:52):
Yeah, yeah, yeah, yeah.
Remember that?
Yeah, yeah.
Yeah.
It's interesting, you know, it started out with using a phone
number with WhatsApp
that they didn't recognize, but they had his picture with the
Ferrari logo and that sort of thing.
And then they had some sort of voice changing technology that
was able to imitate his Southern Italian accent.
(20:13):
It was very similar to his voice.
Luckily one of the
upper management that was going to eventually have to approve
this money transfer,
he said, you know, I'm gonna have to have you prove
exactly who you are here, right?
Because, oh, you know, you're calling from a different
number.
(20:34):
I'm not familiar with that sort of thing.
And there were several things that didn't quite
add up and he said, you know, we had a conversation, you and I,
last week, and you recommended a book for me to read.
Oh no, what was the title of that book?
When that happened, all of a sudden the line went dead.
(20:57):
Oh, wow.
The actor, the guy, the bad guy hung up.
He'd been had there. He couldn't fool 'em anymore, but he fooled
them all up to this point though.
Yeah, it was like, I think they had gone on for
an hour back and forth with multiple people in the
organization.
Leonard Lee (21:15):
That's true.
Bob Carver (21:15):
They had everybody
fooled.
When it went to a personal conversation that was happening
the week before, the guy couldn't replicate that. It just shows
that companies and even families need to have some way of
authenticating people beyond the normal means.
Yeah.
Beyond a normal voice.
A normal video.
Leonard Lee (21:36):
And it is ironic
that the mechanism for doing
that is the most archaic thing that you can think of.
It's the most non-digital thing.
Yeah, exactly.
You know, that's really
depressing.
So, yeah.
Anyway, Debbie, do you have anything?
Go ahead.
You have another depressing thing to share with our
Bob Carver (21:58):
audience?
Oh, I'm sure.
I have lots of different things, unfortunately.
Matter of fact, I'm called out regularly on LinkedIn.
It's like, can't you share some good news for a change?
Oh, really?
Yeah.
Oh my goodness.
Leonard Lee (22:11):
well, no, you know
what?
For those people, I think if you have a solution, it's a great
opportunity for you to say that you have a solution.
Sure.
I mean, that's why I tell a lot of folks, because our
biggest challenge right now is lack of awareness and hyperbole.
Right.
Yeah.
Right.
A lot of folks thinking that certain technologies are
something beyond what they actually are.
(22:33):
And then the other is certain technology topics or issues or
risks that are just simply not known.
And so for enterprise practitioners, but also
increasingly for consumers, it's important to,
number one, have that awareness of some of these issues that
we're already talking about here, but then number two, to
also not hyperbolize certain types of technologies that
(22:58):
simply are not gonna deliver on exaggerated expectations.
Right?
None of those, I think, things are good, right?
So, I mean, even for this podcast, we invite
anyone, if you have a solution, it's not like we know
everything.
No.
If you have a solution, give us a call or share.
And then we'll kick the tires on it.
(23:18):
If it's great stuff, we would be more than happy to share the
story of a solution.
Which we'll get into in a little bit so that
Demi's not has that sourpuss face on her.
Yeah.
Debbie.
I don't want through the whole episode because she's hearing
all this disturbing stuff.
Bob Carver (23:39):
I think the main
thing is just to get the word
out so people have awareness to be able to, exactly,
protect themselves.
That's the main thing.
Leonard Lee (23:47):
Yeah.
Debbie, any, any other depressing
cybersecurity topic?
You wanna No,
Debbie Reynolds (23:53):
pretty much, I
think you pretty much covered
it.
I'll say though, the thing that I always tell people, the
three things I always note in these situations is almost like,
and I'm dating myself and I'm sure Bob, you know this back in
the day, but remember Saturday Night Live when they had this
skit where it was someone at the door and they like say
(24:15):
candygram or something.
There was always like a shark.
Right.
Oh, I remember that.
Yeah.
So
Bob Carver (24:19):
that's unfortunately
that's, I know if Leonard
remembers that, but maybe he saw some reruns, but
Debbie Reynolds (24:24):
Yeah.
But yeah, that's what reminds me of, so no matter how people try
to get to you, they're trying to do the same thing.
Yeah.
They want to create a disturbing situation that make you do
something that you wouldn't typically do.
Yes.
They create a sense of urgency and they want you to take an
action.
Yeah.
So if you don't do any of those things, that'll help you no
matter what you do.
Bob Carver (24:45):
Yeah.
I think we all have to slow down and listen.
Mm-hmm.
And try to make sense of whatever
is going on.
And you're right, that sense of urgency a lot of times is used
by different threat actors and scammers to try to get people
to do something really quick. You might be better off just to
think about it for a while.
Debbie Reynolds (25:07):
it off
Bob Carver (25:08):
later.
Debbie Reynolds (25:08):
Yeah.
It's so urgent.
I just don't do anything.
So I was like, okay, well what's gonna happen?
Bob Carver (25:13):
Yeah, exactly.
Leonard Lee (25:14):
Oh, geez.
Okay, so now let's move on to the bright side of life.
Bob Carver (25:21):
Okay.
I hope,
Leonard Lee (25:24):
Okay.
So it looks like some people have reacted to your posts, Bob.
Yeah.
And let's talk about, like, solutions.
I mean, the bright side of life.
Yeah.
And hopefully the other side of the asymmetrical equation here.
But what are some of those things that you see emerging or
in play right now that look like they could be viable solutions
(25:47):
either for enterprises or consumers?
Because again, I agree with you.
Consumers is increasingly important,
'cause now they're becoming a
vulnerability to businesses.
Mm-hmm.
Because their vulnerabilities could then be a way for a threat
actor to actually compromise a business as well as our
customers.
(26:07):
So what are some of those things that you see that are promising
in terms of solution?
Bob Carver (26:11):
Sure.
I did post something.
I mean, this is sort of the good and the bad, but there was an
article I found that talked about a lot of the common VPN
solutions for consumers. They were sending off a lot of their
data to advertising
agencies, and so they were not only, basically,
(26:33):
they were supposed to help with privacy and that sort of thing.
But then they were sucking down all your data from your web
history and sending it off to these ad agency type groups.
And some of the common names,
some of 'em were like NordVPN for a while, ExpressVPN was
doing it.
But they finally are backing off, I think, because consumers
(26:54):
discovering this, but it also gave, that same article that I
had posted gave a lot of the companies that supposedly did
not do any of that type of thing.
So it was good knowledge just for the general public to know
which VPN to buy now.
I don't think VPNs are the ultimate solution for security
and may even be sometimes questionable, even on the
(27:17):
privacy end, although they're advertised to be that way a lot.
One of the advisory boards I'm working on now, they've
developed a hardware
microsegmentation platform and, oh, wow.
Yeah.
And I don't know the pricing, how solid is, and I think
they're doing it more for medium to large size businesses
(27:42):
right now.
But it's not, I don't think it's gonna be a huge cost, like a
small little gateway.
And what it is, it almost acts like a VPN because you're hidden
behind this microsegmentation or sort of like a firewall type
thing?
Yeah.
Behind the gateway.
But this gateway, you can't discover this gateway with the
normal pen testing methods.
It's, it, there's nothing there.
Or, or at, at the worst caseit's this, oh, there was
something there, but it's notalive.
Like, can security you meancan't do it?
Security.
Okay.
Security.
Yeah.
Security by security.
By security, yeah.
Which is great.
Exactly.
Yeah.
Exactly.
Exactly.
So people can't get to you.
Yeah.
And then, you log in throughthere and then it also logs you
(28:26):
into a cloud instance, which isalmost sort of like a similar to
a sass e type situation.
but you can set it up to protectyou, where you allow only
certain users, only certainports, only certain ips, and you
can even do geolocation blockingand nobody can see your traffic
except for the people thatactually run this I think the
(28:48):
traffic just, overwrites itselfafter a certain amount of time.
So, that's something that I findvery interesting and it'd be
interesting to see if they getthis available eventually to
consumers.
But right now I think that, likeI said, they're gonna, do it
from medium to, large.
Organizations, they have it forindividual endpoint, like where
(29:10):
you can do either wifi orethernet or you can set up a
gateway to make your own littlemini network.
Or now they're going to.
A full blown switch where thewhole switch can be set up with
all of these micro segments andyou can totally control, set up
the, configurations to totallycontrol all the traffic going in
(29:34):
and out and from one to another.
considering a lot of companieshave, a certain amount of crown
jewels, they wanna protect.
this is, it's already, beencertified at FIPs one 40 dash
two, So that means pretty muchthat most.
Pen test guys aren't able tobreak into it.
(29:55):
Yeah.
So, anyway, I think that'sinteresting.
I think it's gonna be good for,iot.
I think it's gonna be good forot.
OT and it's gonna be good for alot of manufacturing that are
stuck on xp, windows XPplatforms that are, full of
holes.
So, yeah.
I think it's could be excitingthing.
And also, I don't know ifthey're gonna do consumers right
(30:16):
now.
I think it's more gonna be midto large, commercial
enterprises.
Yeah.
Yeah.
If somebody gets a hold of asystem and they have admin pro
privileges, they escalate to aadmin privileges.
The microsegmentation that'sbuilt into an os, it's toast.
It's done.
You know, it's the same thingwith, you know how the threat
(30:37):
actors take down, endpointsecurity.
Yeah.
So they take down the endpointsecurity, they take down the
micro-segmentation.
It's like game over.
Yeah.
anyway, I'm pretty excited aboutthis.
yeah.
Leonard Lee (30:48):
I think it's
totally cool, actually. In the
study I did for off comps,
now going on almost seven years ago, we brought up
microsegmentation for, and this is a tough context, sure,
for that, for MEC, that being like a big, sure, missing piece.
But I like
this notion of bringing it to consumers because we have a
(31:10):
crap ton of stuff connected to our network.
Imagine being able to bring zero trust capabilities to a
household.
And not just within the home, extending that sort of a
consumer SASE model, if you will.
That's super interesting.
Bob Carver (31:27):
I have one in my
home network.
Leonard Lee (31:31):
I'm sure Bill Pew
does as well.
Bob Carver (31:33):
Yeah, yeah, probably
so.
But anyway, yeah, it's, I love that idea.
It's exciting and, yeah, I can see some great things and I
remember meeting somebody at Black Hat years ago, he said,
hold on, hold on, hold on one second.
One second ahead.
Debbie smile.
Leonard Lee (31:47):
This is, I'm sorry.
She's smiling.
Does look on her face.
Bob Carver (31:52):
It's all good.
Okay, go.
Leonard Lee (31:54):
Go ahead Bob.
Bob Carver (31:55):
to block that.
Oh.
I met somebody at Black Hat years ago and he had set up his
own VPN and what he did is he set up a cloud instance and had
the microsegmentation and everything, uh-huh, and he put
everybody's traffic
through a big mixer in this cloud.
So even if somebody could get into that cloud instance, they
(32:17):
wouldn't be able to tell whose was what. But this is sort of the
same sort of thing, same sort of principle where this is gonna
connect this device, hardened device, hardware device or micro
segmentation connects to cloud instance and the cloud instances
reroute you to other parts of wherever you wanna go.
Debbie Reynolds (32:35):
Yeah.
I'm much in favor of sharing less, so that helps less data or
information go out.
Bob Carver (32:40):
Yeah.
And so, nobody really can get to my computer when I'm connected
to that.
Leonard Lee (32:45):
Well, I don't think
we would expect any less from
you, Bob, so,
Bob Carver (32:49):
Yeah.
So anyway.
Leonard Lee (32:52):
That's fantastic.
Bob Carver (32:53):
Another thing that
was in the news recently was a
lot of these Android applications that are, were
again sharing data with all these data entities, advertising
entity, whatever.
Sucking down and not being a hundred percent revealing
in what they're doing with all the data, transparent with all
(33:14):
their data that they're grabbing off of your phone.
The same thing with iPhone.
And even there, there's times, you've probably seen, you can't
always change the settings where it's like, no, I don't
wanna share my data with you.
You know?
Leonard Lee (33:27):
Yeah.
You can opt out.
Bob Carver (33:29):
It's not always
available to opt out,
Leonard Lee (33:30):
Yeah.
A lot of these examples you're bringing up, privacy is such a
big factor.
I mean.
And the reason why I say that is because you've brought up the
issue with the freemium ad model and the business model
that it is and that unfair trade that Debbie always talks about.
(33:51):
Right?
Yeah.
And the risks that
imposes or creates for not only the consumer or your customer,
but for the enterprise itself ultimately.
Right.
And it's like this whole chain of risk. Everyone talks about
chain of thought.
Let's maybe we coin a new term here as the chain of risk.
Bob Carver (34:14):
Yeah.
Leonard Lee (34:14):
Right.
It's just no single instance of vulnerability or compromise.
It tells the whole story.
It's that whole cascading effect all the way to the enterprise,
right?
The service provider that you have to consider.
So it's just something that I just kind of
notice from our conversation.
Bob Carver (34:33):
One of the things
that I do, and I recommend a lot
of people to do this and people can do this themselves fairly
easily, by a couple of plugins.
And I generally don't recommend doing plugins on browsers, but
uBlock Origin.
And the other one is Privacy Badger,
which is from EFF.
Yeah.
Those two, and Debbie probably, she knows of those and
(34:56):
probably maybe uses them, but they block a lot of the
advertising and tracking.
But I also do it on a domain basis, through DNX.
Oh, okay.
Blocking all these ads and tracking.
It's usually at the very minimum 10% of all the traffic
that goes to and from my computers
are either ads or tracking. 10% is just on the low end.
(35:21):
It's probably been as high as 12 or 13% of the traffic.
So that's how much of this stuff is going on and it's sort of
scary, but I mean it,
Leonard Lee (35:33):
yeah.
Bob, how are you such a popular person?
Like, so stressful.
I don't think well out listening to you, man.
This is like crazy.
Bob Carver (35:43):
The advertising
people aren't very happy with me
saying anything like this, but,
Leonard Lee (35:49):
I don't think
they're happy with any of us
right now.
Debbie Reynolds (35:52):
Right, Exactly.
You have to eat your vegetables and take the medicine, I guess.
Bob Carver (35:59):
Okay.
But anyway, it does break some websites, unfortunately.
I just have to weigh how bad Iwant to go to some of those
webinars.
Leonard Lee (36:06):
Yeah.
Well, you know, that's why the work that, Debbie's doing, IEE
and
mm-hmm.
You know, in trying
to establish a standard for.
privacy or, or transparency around privacy and privacy
practices like what Debbie and I call like the privacy first,
principles of just Right.
Anything right.
Of like business or economy, right?
(36:28):
Sure.
That's why that's so important.
But again, I think we suffer the problem with, folks not.
Having the awareness of the risks and the issues related to
just trading your privacy for free stuff.
Mm-hmm.
there's A very wide
and deepening ocean that needs
to be transferred because at risk of all of this is trust at
(36:49):
the end of the day, because going back to the beginning of
our conversation, the tools that the threat actors, are now
equipped with asymmetrically enable them to do exponential
damage, right?
I mean, when they talk about the exponential benefit of AI.
It really, applies to them mm-hmm.
(37:09):
Today at a scale much greater than anything that cybersecurity
practitioners can institute.
Yeah.
To countervail that growing.
Of course.
Bob Carver (37:18):
And I know Debbie's
talked about these before in the
past.
I know.
I mean the, Automobile market and any more recent automobiles,
the amount of data is just incredible, that they suck down
off your system.
the only thing that, frustrates me is you have no way to
mitigate that, easily.
(37:39):
They don't, you know where on my home network, anything that goes
through my home network.
I can take care of a lot of that myself, exactly with settings.
But you're Bob, I ex, well, Roku, example, I have a Roku box
that I bought several years ago for my old tv.
Just looking at my logs on the DNS logs, one of the Roku
(38:03):
domains is one of the top blocked domains out of thousands
of domains.
It's just a big chatter box.
It is just constantly.
Sending information out to the internet and to the people you
know, to feed on this stuff.
But they must be, a little bit disappointed because I have
thousands and thousands of blocks as they keep on retrying
(38:24):
and we want this information.
It's like, no, you don't get it.
Leonard Lee (38:28):
Okay.
Bob, I think we're gonna have to cut you off because you're, you
know, Debbie smiling for just a moment when we actually remind
her that she's grimacing and then she goes straight back to
grimacing.
So this is like not healthy thing that have going on here.
Yeah.
so let, let's do this.
(38:48):
both you, Debbie, and Bob, share some of your perspective on what
you think, enterprises need to do in terms of mindset shift
going into this year.
you know, obviously Bob, this is your first time on, so really
interested in your thoughts there, but Debbie's constantly.
Tuned into the vibe of what's going on with enterprises and
privacy.
(39:09):
And I think it is all becoming so interrelated.
This is like what Debbie and I have been talking about for
years now.
This isn't y thing, this is what we've been talking for a long
time.
Trust, privacy.
And security are all coming together.
They're different.
Mm-hmm.
And that's like
the, actually the first order of
awareness that needs to be bridged.
(39:30):
But when they come together, you need to start to understand how
they're interrelated and how they're all coming together
because of actually.
the morphing nature and the evolving nature of cybersecurity
threats.
Right.
But what is that mindset shift that you would say that
enterprises need to make, going forward into this year?
(39:54):
so mm-hmm.
Both of you that please share your thoughts.
Bob Carver (39:58):
You wanna go Debbie
first
Debbie Reynolds (40:00):
Oh, sure, sure.
I'll go first.
Well, two things.
One is that I think companies need to educate employees and it
not just about company stuff, but about personal stuff, right.
Protecting themselves in the digital realm because even in
this Disney example, right, so this guy's probably using his
(40:21):
home stuff, maybe he understood what he was supposed to do at
work and he did all that stuff, but there were some gaps there
between what he was doing that maybe could have helped him and,
not hurt his work.
'cause we see people, they can't print at work, so they send a
document to their.
Home email address, the shenanigans kind of goes on and
on.
(40:41):
So being able to educate people about just cyber safety or
digital safety as a whole, not just at work, I think is, you
know, bridge that gap.
And then also I.
Companies need to talk about future risks, right?
Emerging risk, talking about this, a agentic stuff.
So can't just be like, oh my God, this terrible thing
(41:02):
happened.
You know, Johnny got hit by acar last week.
you have to talk more about, these are things that are out
there now.
Yeah, these are things that are emerging.
Here are the possibility of things that can happen if we
don't do x.
YZ.
So it can't just be reactive, it has to be more proactive and we
have to have more imagination and explain to people mm-hmm.
(41:23):
What these future risks could look like.
Leonard Lee (41:27):
Yeah, that's
awesome.
Bob Carver (41:28):
Bring back, bring it
back to the real world.
Yeah, yeah, yeah.
I think, one of the big things is to be able to, expand their
understanding of the breadth and depth of the risks that are
going on.
Yeah.
(41:49):
The next step is to
be able to have the visibility
and context.
Into the network to understand some of these, threats that
could be going on in the network.
so many of these threats nowadays use a combination of,
uh, traditional malware, but they're also living off the land
(42:10):
where they use.
Traditional processes that whether on a, Windows or a Linux
box, and they just use those traditional commands.
And of course, the endpoint security and the network
security don't see those as being a threat because it's
like, oh, those are the commands that the everyday sysadmin
(42:30):
uses anyway.
So it's not a problem.
So they do, they do need additional, Visibility into
those type of processes.
yeah, I think we, need more microsegmentation.
I think this microsegmentation that's done in a hardware
probably could be a boon for a lot of companies, IT, OT, IoT
(42:54):
are, are actually, I mean, I I'm sure there's ways you could
figure out how to even do that in the cloud if you did it
right.
yes.
So, I can see that sort of thing.
The other thing is going to the next level of.
Machine learning and neural networks to be able to make
understanding of what's going on on all those endpoints and
what's going on on the network flows, whether it's to and from
(43:15):
the internet or east west, you know, a lateral movement in
those networks to be able to help understand, what's going
on.
So those are a lot of, the basics that, uh.
I'm concerned about.
Leonard Lee (43:28):
Yeah.
Well, I'll add one additional,oh, please.
This has something to do with,the title of your company
actually.
Yeah.
addressing board pressure on emerging technologies, whether
there's generative AI or agentic AI, especially agent AI now,
because I think now there's this, yeah.
Huge, deluge of agentic AI, Kool-Aid being pumped into, the
(43:52):
techno verse, right?
Right.
That needs to be addressed.
And no doubt, you know, the kind of board pressure that you
always hear practitioners talk about, that needs to be
addressed.
And part of that is getting experts like Debbie.
Yourself, Bob.
and I'll include myself.
There you go.
(44:13):
All, any of us as you should.
Yeah.
Yeah.
to help alleviate that pressure.
it's incumbent on the, actually it's a fiduciary duty of a board
member to know what the hell they're talking about when it
comes to these things because it's so serious and, to check.
Any expectations that are being built on the hype side of,
(44:35):
emerging technologies against the cybersecurity realities and
the threats that, and risks that they, not only potentially, you
know, present, but do present because usually the threats are
ahead of.
The actual business value in any of these technologies that we've
already discussed.
So, yeah, that's the only thing that would add.
(44:57):
And so with that, hey, great discussion.
Smile Debbie, please.
She usually smiles Bob.
Don't get the wrong impression.
Bob Carver (45:06):
I've seen Debbie
smile before.
I know.
She smiles.
Debbie Reynolds (45:09):
Bob knows I
smile.
Bob knows I smile.
Bob Carver (45:14):
I I probably was
just being a downer to No, no,
no, no, no.
Okay.
Okay.
That's okay.
It's all good.
Debbie Reynolds (45:22):
I a glare in my
eyes, so I'm more squinting.
Sorry about, uh, good one.
Good one.
That was a nice
Leonard Lee (45:28):
pivot there,
Debbie Reynolds (45:29):
Debbie.
Leonard Lee (45:31):
But hey everyone,
thanks for tuning in and I hope
you found the discussion, insightful and helpful.
And, Bob, Debbie.
thanks a lot for jumping on, love doing this with you guys.
And Bob, hope to have you on again.
so really quickly, why don't you explain to our audience how they
can get in touch with you.
I know that, you've started your own thing, so Share with our
(45:54):
audience.
Bob Carver (45:55):
Yeah, my main
platform is LinkedIn.
I mean, I'm on X Twitter too, but, LinkedIn is my main focus.
And just look for me, I mean, if you just, do DuckDuckGo, or
Google and Bob Carver Cybersecurity, the LinkedIn link
comes up right away.
So I'm on the first several pages of, all the search
(46:16):
engines.
So LinkedIn puts me out there.
Leonard Lee (46:20):
Oh yeah.
Cybersecurity boardroom folks.
And then how about you really quickly share with.
Our audience, how they can get in touch with you.
Debbie Reynolds (46:29):
Sure.
So you can always type in, Debbie Reynolds, data Diva on
LinkedIn, and my name will pop up.
You can also go to my website, debbie reynolds consulting.com.
I have a lot of videos and other I.
Stuff that people can take a look at.
yeah, so a actually we were talking about boards.
I did a speaking engagement last week for the National
Association of Corporate Boards.
(46:50):
it was really interesting, 'cause we ended up doing A-A-A-A-W-S
hosted, like a tabletop thing with boards and we were talking
about implementing this new AI and it was pretty cool.
But.
it was funny because I was trying to tell people before you
go into this AI stuff, you have to think about the privacy stuff
first.
And a lot of people just didn't wanna do that and so we kinda
lost points for not forgetting it the wrong way.
(47:12):
So think about the privacy stuff first.
call me if you need me.
But this help, I think it'd be great.
Bob Carver (47:20):
Love that.
You slow us down, dude.
You're slowing us down.
Leonard Lee (47:22):
Yeah.
there is nothing sustainable about dangerous or poorly
executed innovation.
Innovation needs to be safe.
I think people need to be conscious of that.
going back to what you were mentioning before, Bob, about
the early days of online banking and financial, you know?
Yeah.
A lot of people weren't thinking about security back then.
(47:44):
some of it was quite rudimentary.
And then look at how it has had to evolve, right?
pretty remarkable, where we needed to go.
So, um, yeah.
With that, please subscribe to our podcast, which will be
featured on the Next Curve YouTube channel, and check out
the audio version on Buzzsprout or find us on your favorite
podcast platform.
Also, subscribe to the next curve research
(48:06):
portal at www.next-curve.com for the tech.
And industry insights that matter.
we will see you next time again, Bob, thanks for jumping on,
Debbie.
always a pleasure.
All right, take care.