Steve Gibson and Leo Laporte host a special episode of Security Now live from ThreatLocker's Zero Trust World 2026 in Orlando, Florida.
The final frontier of security is internal. Today, we have the tools, techniques and technologies to thwart attacks originating from outside our perimeter. We're now good at protecting our borders. But major high profile breaches occurring over the past several years have revealed that insufficient attention has been given to the security of our internal systems and networks. Today's greatest security weaknesses result from decades of system design, deployment and policy that have placed far too much trust on the conduct of those on the inside, behind our borders. Whether deliberate, inadvertent, or externally penetrating, the greatest challenge we now face is that of designing and deploying our internal security with strict adherence to the principles of least privilege and zero trust.
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now.
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
[00:00:00] It's time for Security Now. That's Steve Gibson in the flesh! Leo! I'm Leo Laporte. We're live in Orlando, Florida for Zero Trust World. Steve's presentation, The Call Is Coming From Inside the House. An extra security now coming up and... Oh, we better get going. We're on. This episode of Security Now is brought to you by ThreatLocker. ThreatLocker's Zero Trust platform blocks every unauthorized action by default,
[00:00:27] stopping known and unknown threats, including VM-based malware that evades traditional antiviruses, ring-fencing constrains tools, and remote management utilities preventing lateral movement or mass encryption. ThreatLocker works across all industries, supports Mac environments, delivers comprehensive visibility and control, and provides 24-7 US-based support. Trusted by JetBlue, Heathrow Airport, the Indianapolis Colts, and the Port of Vancouver,
[00:00:54] and recognized with G2 High Performer and Best Support for Enterprise, Summer 2025. PeerSpot, number one in application control. GetApp, best functionality and features 2025. Get unprecedented protection quickly, easily, and cost-effectively. Visit ThreatLocker.com slash TWIT to get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's ThreatLocker.com slash TWIT.
[00:01:23] Podcasts you love. From people you trust. This is TWIT. This is Security Now, Episode 1068, recorded live Wednesday, March 4th, 2026, at Zero Trust World 2026. The call is coming from inside the house.
[00:01:46] Welcome back, everybody. It's time to close this out. This is our final main stage session of the day. Security Now, the call is coming from inside the house.
[00:02:14] So, for years, we've built stronger perimeters, better firewalls, better detection, better external defenses. And, we got pretty good at it. But the next frontier isn't outside. It's inside. Some of the biggest breaches in recent years didn't happen because the perimeter failed. They happened because internal systems were overturned. Too much access.
[00:02:43] Too little segmentation. Policies built on assumptions instead of verification. Zero Trust was born to solve exactly that problem. And there are few voices that are more respected in this space than the hosts of Security Now. Steve Gibson, founder and CEO of Gibson Research Corporation, has been programming since 1970
[00:03:09] and brings decades of deep technical insight on modern internet security. His passion for low-level computing and secure system design is legendary. And Leo Laporte, founder of This Week in Tech Network, has been hosting and shaping tech media since 2005, bringing clarity, context, and conversation to millions of listeners worldwide.
[00:03:35] Today's session is a live recording of the Security Now podcast. And yes, it will run a little bit longer by design, followed by a meet and greet in the Solutions Pavilion. This is our final session. And this will be a strong finish. Zero Trust World, are we ready? I want more of those guys. Zero Trust, are we ready? Yeah! Ladies and gentlemen, Steve Gibson and Leo Laporte!
[00:04:13] Hey everybody, great to see you. Thank you for coming. This is Steve Gibson. We got some people. Yeah, let's sit down, Steve, and we're gonna talk. So, I never on Security Now have I gone through your full bio. Thank God. So, I decided to ask AI who you are. Uh-oh. So, get ready. And if I say anything wrong... It's gonna be hallucinating. You got... Did you start writing software when you were 13 years old?
[00:04:42] Okay, well, they got that right. PDP-8. That's right. For Data General. It says Data General. See, that's a lie. For DEC. DEC. Close. Okay, close. When he was 15, Steve got a job. High school student working... A summer job working at the Stanford AI Research Lab. SAIL. That's pretty amazing. And at the SAIL lab, you were working on speech synthesis. And this is what? 1975? This was in...
[00:05:12] Very early. 70... No, 70. Like 71. 70. Very early. Yeah. The speech synthesis he worked on ended up as part of Texas Instruments' Speak & Spell. Did you ever... When you were little, did you have that thing? You pressed the button. If anybody remembers those things. A. B. C. He also wrote a light pen application for the Apple and the Atari, right? Yep. Hardware. I'll skip the ad agency part.
[00:05:42] Nobody cares about that. He... Now, he in 1985 founded GRC, the Gibson Research Corporation. And one of the things that I first became aware of, Steve, was your InfoWorld column, which I loved, in 1986 Tech Talk from 1986 to 1993. Steve wrote about technology in an accessible, fascinating way. He's always been a little bit of an iconoclast, kind of an outsider banging at the wall of technology.
[00:06:12] And I loved that. In fact, I started writing for InfoWorld because of you. So, thank you for that. Now, when you were... In 2001, when you were working in security, you got mad at Microsoft. I do that frequently. You may remember that in Windows XP, they released something, a capability to use raw sockets, which meant you could impersonate any address, right?
[00:06:41] So, the big problem was that, as we know, Bill Gates wanted to compete with The Source and CompuServe. So, he created... What a good idea. ...the Microsoft Network, MSN. And that was going to be dial-up modems and things. And then, he got surprised by the internet, which was not what he expected to have happen. So, they had Windows, but it was like with a modem.
[00:07:06] And so, they got a TCP/IP stack and stuck it on Windows and put it on the internet. So, this was Windows on the internet. And this predated NAT routers. We didn't have NAT routers then. So, my company... I thought, oh, the internet's happening. Let's put our machines on the internet. And it turned out that other people had Windows and all of their C drives were shared on the internet.
[00:07:35] It was freaky. I mean... This gave rise to a slogan that we often use at Security Now. What could possibly go wrong? And so, this was the genesis of Shields Up. I created Shields Up to show people... Your ports are open. And so, that was my first annoyance. How many of you have used Shields Up to secure your networks or secure your router at home? I use it every time I set up a new router.
[00:07:59] And so, its genesis was that Microsoft just stuck Windows on the internet, which was the original upset. And then, as you were saying, they produced... They took an operating system, Windows 2000, which was more enterprise-oriented, and they created XP.
[00:08:19] But because they took the network stack from 2000 to XP, consumers were going to have the ability to generate raw data on the internet, which was going to create a DDoS nightmare. In fact, you did get DDoSed by a raw socket attack shortly thereafter. You also got a lot of hate, not only from Microsoft, but people in general said, well, you're all worried about raw sockets. Three years later, with Service Pack 2, Microsoft said, oh yeah, maybe you're right.
[00:08:49] Well, and there was no firewall in Windows until... That's... They introduced it in XP, but it was disabled by default until Service Pack 2. So, I first met Steve. I'll give you an idea of how long ago it was. He had just written a program called Trouble in Paradise, which was able to diagnose the click of death on a zip drive. Do you remember zip drives? Yeah, that's... Yes. Who could forget? And we had him on the screensavers, the TV show that I was doing.
[00:09:17] This was probably 1998, talking about the click of death. And we've been friends ever since. We first got together to do a podcast 21 years ago. We've been doing this show. This was your idea. You and I were doing some TV. Up in Canada, in Toronto. Because you had Tech TV and Call for Help. Right. And during our break, we would do four programs in one day. And between... Like they had to rewind their tapes or something.
[00:09:46] And so, between that, you and I were just talking and you said, hey, how would you... What would you think about doing a podcast about security? And I said, a what cast? And this was very early on. You were also concerned that there wouldn't be enough material. Oh, we're going to run out of stuff to talk about. 21 years later, the show isn't getting shorter by any means. It's getting longer. We're going to do a short version of Security Now today. Don't worry. I promise we'll get you to the cocktail party in time. Steve proposed...
[00:10:14] Actually, over this 21 years, we've seen big changes in security. Early on, it was all about protecting the perimeter. It was all about firewalls, as you mentioned. But things have changed quite a bit. And I think it wasn't so long ago, maybe last year, where you started to say, you know, there's a different issue at hand. And this is where the title, the call, the threat is coming from inside the house. So, yes. The... One of the...
[00:10:43] Again, we've been doing this for 21 years. I remember early in the podcast talking with you about the fact that there were viruses, you know, I mean, there was mischief being conducted, you know, DDoS attacks, people were, like, you know, getting pushed off the internet. But there didn't seem to be a purpose. There was no reason for it. It was just, you know, bored... For the lulz. Yeah. I mean, it was just to see if it could happen.
[00:11:11] I think that probably the most pivotal defining change was the emergence of cryptocurrency. Hmm. Because... Because it was the ability for bad guys to extort. And for there to be a way for them to get paid.
[00:11:31] That turned this from, you know, hobbyist hijinks to, you know, foreign state actors having a motivation. You may remember in the early days they were asking for you to go down to the drugstore and buy cards that you would then mail to them.
[00:11:55] Not the best way to extort, but as soon as you could do it anonymously with crypto, everything changed. Everything changed. And so, I think what we've seen is that, you know, one of the things I wanted to make sure I shared today was to... For everyone to understand that the bad guys don't care about the data that they're taking, right?
[00:12:21] I mean, you and I, after that most recent data breach last year, we looked up our social security numbers. Oh yeah, the data broker breach. Yeah, yeah. The personal data is out there. It's already escaped. But the value of cryptocurrency is that it allows extortion.
[00:12:44] And if bad guys are able to get into an organization's network and maybe cripple their machines, but certainly exfiltrate their data, then they have something that they can ransom. And in the same way that a kidnapper doesn't want the entity, the person they've kidnapped, that person's a liability to them. You know, the value is extortion. Right.
[00:13:12] And so, one of the things that has changed, and we heard this 20 years ago, nobody would want to attack us. You know, why would anyone want to attack our enterprise, our organization? It is for the sake of extortion. Right. It is so that they can say, we've got your data.
[00:13:34] You may have a backup of it, but you know, what's it worth to you for us not to tell the world or to leak the personal and business data that we have stolen from you? Right. So, they have the means. They have the motive. The motive is extortion and payment. Yeah. The opportunity, it's really up to these guys to keep them from getting the opportunity. Is that right?
[00:14:02] I think so. And one of the other issues, I think, for anybody who's doing IT security is, you know, the famous expression is it's not possible to prove a negative. It's how do you get credit for your organization not being attacked? How do you demonstrate that it's because you have the budget that you have for IT and the equipment that you have and the staff that you have?
[00:14:32] You know, there's certainly there's profit pressure in any enterprise. And so, when the guys who are controlling the purse strings look around for where they can cut, they're like, well, we haven't had any problems with our IT. Everything's going great. Right. So, let's cut there. And it's like, wait a minute. The reason everything is going great and you haven't had any attacks is that we've been able to keep the defenses up.
[00:15:02] We've been able to, you know, purchase expensive network gear that, you know, even though the old stuff was still working, it was now no longer being serviced. And we know that there are probably vulnerabilities there. So, it's crucial that we continue to fund this enterprise of keeping the network safe. I suspect that you all know. I'm seeing heads nodding out there. It's like, yeah. It's like, yeah.
[00:15:31] Do you think though that that's changed a little bit? I mean, for the longest time there was this incredible pressure on IT to do more with less to be secure. But I think with all these breaches and all the issues that are coming up, do you think organizations are starting to understand, no, no, this is really...
[00:15:46] I think there's much more traction that's available now for the security side to say, you know, would you like our enterprise's name on the board of shame of, you know, of outfits that have been breached? There's that wonderful site. Do you remember what the name of it is? Oh, in real time. In real time. Every day would show you the breaches that have happened today. It was usually a dozen, 20 breaches in a single day.
[00:16:16] In the morning, not so much, but then in the afternoon. Yeah. You don't want to be on that list. No. And I hope that business leaders are realizing that the best way not to be on that list is to take IT seriously. Right.
[00:16:31] And so, when we were thinking about what it was we wanted to say today and came up with the title of this, my sense is from what you and I have seen over the last couple decades is that we are getting much better about protecting the perimeter. Not 100% yet. There's still a way to go.
[00:17:00] One of the issues, I think, is that there is a pain associated with increasing security. Always, right? Yes, always. There is a convenience versus security trade-off.
[00:17:18] And one of the biggest problems that we see is it would be possible to further increase, for example, perimeter security. I've been saying for a while now on a podcast that authentication doesn't work.
[00:17:39] I mean, if it did, we wouldn't keep over and over and over seeing serious problems with authentication failing. Cisco just had a 10.0 authentication failure in their SD-WAN product, which enterprises use to interlink satellite offices. And as we know, you have to really try hard to get to 10.0. A CVE of 10 is hard. That's like Nadia Comaneci.
[00:18:08] That's perfection. It's easy to do and it's not a low probability attack. You just figure out how to do this. Is that one in the wild? You just cut right through. Oh, yeah. It's in the wild. The Australian Signals Directorate discovered it. And then all of the various security organizations around the world started screaming about it. So at one point it got so bad with breaches that we stopped reporting them.
[00:18:38] They were boring to our listeners. There was no point. Everybody is being breached. It was like, oh, okay. Every day there's another breach. That's not news. No. And so an example in this SD-WAN breach is a perfect example where it was an authentication failure, some bug in Cisco's system.
[00:19:01] There was allowing bad guys and they were, in this case, Chinese state-backed attackers, probably located in China, getting into enterprise networks through this authentication failure. So I asked the question, why could someone in China get a connection? Why? Do you want people in China trying to connect to your SD-WAN? No. Right.
[00:19:30] So put a firewall rule in front of it. Right. Because you know where the entities are that you do want to have connecting. Everybody else should be locked out. Right. But it's, you know, whoa, what if their IP changes? That way, you know, then we wouldn't be able to connect. Again, some lack of convenience in trade for much greater security. You should probably whitelist, not blacklist, right? You know what IP addresses are. Oh, yeah. It ought to be.
[00:20:00] Yeah. It ought to be a blanket. You are, no packets come in unless it's from this IP, this IP, this IP, or that. It's that same idea, right? Yes. It is. Exactly. And so even though we've gotten way better at securing our perimeter, we could still get a lot, there's still a long ways to go because, again, we all understand the notion
[00:20:29] of multi-layered security. Unfortunately, too many people are just assuming that authentication works at the order. Still. Still today. Yes. Otherwise, we wouldn't be seeing these breaches. Right. And so you think that part of it is, and we talk about this a lot, that there's the impression that, well, it's nation state hackers that have the sophistication to do this. We aren't going to be the target of a nation state hacker, so we're probably okay.
[00:20:58] People assume their threat model they don't have to worry about. We are financing North Korea. That's the problem, right? Yes. Because there is a motive for that because of hard currency. Yep. Yeah. And we saw the number a couple of weeks ago. It was a huge amount of money that is flowing to North Korea because their hackers are good,
[00:21:23] and they're jumping on problems as soon as they occur, and our border defenses are still not what they could be. Right. Because it is much less convenient to do that. Right. I mean, I guess if I had one thing I would urge everyone to do, it would be to assume that authentication doesn't work because that's what we see. We see example after example after example.
[00:21:50] And so if you assume it doesn't work, then take the responsibility of what happens if it fails. Imagine if bad guys could connect to your enterprise VPN, then what? Well, the simplest protection is simple IP address filtering. Right.
[00:22:19] Because most enterprises aren't like residential consumers whose IP will change, but even there it doesn't change much. I mean, it is my entire defense. I have three nodes, two places I work from, and GRC's facility in what used to be a Level 3 data center, but they've been purchased about 12 times since then. So I don't even know what they call them. Who owns them now? No one knows. I don't know. But my IPs don't change.
[00:22:49] My entire defense is that I have IP address filtering in all three locations. Right. So they can only talk to each other. And I have, yeah, yeah. And within that, of course, I'm authenticating. But, you know, I look like just a black hole to the rest of the world because for that simple expedience of using a firewall in front of those three locations. Yeah, you would think they are saying, well, we're going to route it through Africa so you
[00:23:18] won't know it's China. But it's funny. I still see all the time on my home network, Chinese logins, one after the other, trying to get through the NAS or getting. You actually told me I set up my SSH server, which is now off. So don't get any ideas. And I set it up with port 22. And I thought, well, they can use Shodan or they can find the port. So why use an obscure port? And security through obscurity doesn't work. But you said, no, you should still use.
[00:23:48] There's, in other words, it's not a silver bullet. There is no silver bullet. But you shouldn't also make it easy for them. Right. So, right. And I had port 22 open and you immediately, all these Chinese attacks. If your goal was to give everyone a better sense of this. If your goal was to have SSH as a global service. Which is a mistake to begin with.
[00:24:16] Then you'd want it to be on port 22 where the globe would know to look for it. Right. And if you want to run a web server, that's got to be on 443. It's got to be on 80 or 443. Yeah. And emails got to be on 25 and so forth. The only places you should use default ports are where default users who don't know specifically where your service is would go to look. Right. Otherwise, why leave it in on the default port?
[00:24:43] Yes, it's not going to protect you from someone who's going to scan all your ports. But it's trivial to put it somewhere else. Right. So, why not? Right. So, it just cuts down on opportunistic attack. It's layers. You've got to do a lot of things. I would. And I would use them all. Yeah. I mean, just so many. And so that, you know, yes, maybe something's going to be fragile and break occasionally.
[00:25:07] But again, even though you're not going to get credit for not being attacked, you get to sleep at night. I've learned so much doing this show. Remember, we used to talk about Hitachi or Hamachi, not Hitachi, Hamachi, which then got sold to LogMeIn and we stopped using that. And then Tailscale and WireGuard and all of these techniques. It's one of the reasons I love doing this show because I learn so much from it. This is kind of a special edition of Security Now. We usually do the show on Tuesdays.
[00:25:34] We usually spend a couple of hours at least talking about attacks, what's happening in the world, the latest security news. Have any of you ever listened to Security Now? Is there just a few of you? Okay. All right. The entire front row has listened to the show. The rest in the back are going, I don't know. It's just, where's the free dinner? So good. We're doing a special version of this. We're going to pause for a moment because we have a commercial break.
[00:26:03] Thanks to our great sponsors here at ThreatLocker who brought us out for the event. We really appreciate ThreatLocker and they've been a great sponsor for us. And they're all the way into 2026. We're very happy to have them. We'll come back. And when we come back, we're going to talk about remediation, what you can do to protect yourself in this kind of new world. Because, well, we'll talk about what that call coming from inside the house is. It's not a babysitter sitting downstairs and a bad guy upstairs.
[00:26:32] It's something else. This is Security Now. Hey, everybody. This special episode of Security Now is brought to you by, guess who? ThreatLocker. We're here right now at Zero Trust World, where ThreatLocker is hosting some of the brightest cybersecurity experts for the sixth year in a row. I got to tell you, this is a great conference.
[00:26:52] Zero Trust World provides crucial education and training to support IT professionals, along with full session access, hands-on hacking labs, meals, and after party, even the opportunity to take the Cyber Heroes certification exam. Be sure to check out this exciting interactive three-day event that happens every year to get hands-on cybersecurity training, expert insights, and more.
[00:27:17] You know, ThreatLocker's Zero Trust platform takes the proactive deny-by-default approach you want. That's the key. Deny-by-default blocks every unauthorized action. Unless you explicitly permit it, it doesn't happen. And that protects you from both known and unknown threats. ThreatLocker's innovative ring fencing constrains tools and remote management utilities so attackers just can't weaponize them. They don't get lateral movement. They can't do that mass encryption ransomware thing.
[00:27:46] ThreatLocker works in every industry. They've got great 24-7 US-based support. They work on Windows. They work on Macs in every environment. And with ThreatLocker, you get comprehensive visibility and control. Just ask Emirates Flight Catering, a global leader in the food industry, 13,000 employees, and happy ThreatLocker customers. ThreatLocker gave them full control of apps and endpoints, improved compliance, and delivered seamless security with strong IT support.
[00:28:14] The CISO of Emirates Flight Catering said this, quote, The capabilities, the support, and the best part of ThreatLocker is how easily it integrates with almost any solution. Other tools take time to integrate, but with ThreatLocker, it's seamless. That's one of the key reasons we use it. It's incredibly helpful to me as a CISO. ThreatLocker is used by enterprises and infrastructure companies that just can't go down, not even for a minute. Companies like JetBlue, they use ThreatLocker. Heathrow Airport.
[00:28:44] The Indianapolis Colts, the Port of Vancouver, they all use ThreatLocker. ThreatLocker consistently receives high honors and industry recognition. They're a G2 High Performer and Best Support for Enterprise, Summer 2025. PeerSpot ranked them number one in application control. They got GetApp's best functionality and features award in 2025. Visit ThreatLocker.com to get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance.
[00:29:12] That's ThreatLocker.com slash twit. And we'll see you next year, please, at Zero Trust World. Now back to the show. This is Security Now. We're coming to you from Orlando, Florida. We're here at the ThreatLocker Zero Trust World Conference. We thank ThreatLocker for bringing us here. Steve Gibson and Leo Laporte, a really nice crowd. They're about, I think they told me there are 1,800, 1,900 people here learning about security.
[00:29:41] I did a hacking lab earlier. I didn't realize this, Steve. They have, I just asked Heather, something like 900 laptops for these labs. You haven't gone into one of the labs. No. If you've done the labs, right? It's really cool. I want to do the Metasploit one. It was jammed. There was nowhere to get in. But they have laptops for everybody. They can come in. They can sit down and do these hands-on workshops, which is really, really cool. I learned how to hack the web today.
[00:30:10] It was fun. So that's really cool. And there have been some wonderful speakers. So we're really pleased we could be here. I hope we can do this again next year. And I hope we'll see you all again next year. So let's talk about, given that the world has changed, incentives have changed, the means are clear. Where is the biggest threat right now?
[00:30:36] So we've pretty much covered keeping the bad guys out at the network level. Authentication cannot be relied on. Packet filtering is so dead simple that I can't, you know, that if there's any way it can be used, it should be used. I run fail2ban. So if people try to log in too many times, it just boots that IP.
[00:31:00] I mean, just assume that authentication is a weakness and engineer yourself so that you're not worried about that. So the thing that we've been seeing in the last couple years is a, because I think in general things are getting better in terms of the secure perimeter, is the bad guys going around the perimeter.
[00:31:30] The Scattered LAPSUS$ Hunters group. That's social engineering primarily. The social engineering. Yeah. You know, we talked last week they're trying to hire women. They are hiring women. Yeah. And paying them a lot of money, $500 to $1,000 up front to place social engineering calls with a woman's voice under the logic that that will be more convincing.
[00:31:56] The customer service rep is going to say, oh, you poor lady. We were talking last week about, I remember there was a hack where a woman called, she said, my husband's out of town. And she had a recording of a baby crying in the background. And it's all to get the customer service rep whose job is customer service to do the SIM jack. To make a mistake. To swap the SIMs, to make a mistake. To make a mistake. They're very good. The Scattered LAPSUS$ Hunters, it's pretty amazing what they can do.
[00:32:24] And you had an instance in the last couple months. You don't have to talk about that. And I did where, where I didn't click the link. I did. But, but it, it was like, it was reasonable looking. You know, Jeff Jarvis did the same, texted me this morning. He got a text from AT&T and he clicked it.
[00:32:53] You know, I, I, I was offered free headphones. I thought, well, that's a good deal. And I started to go through the process till I realized that it was a website in the Philippines. And I was trying to give them my credit card number. Uh, so, and we're presumably relatively sophisticated. We're aware. The problem is they get you at a weak point. I'd been getting a lot of text messages from my carrier. You're late for lunch. And so you just say, okay. Yeah. I hadn't had my coffee. That was my excuse. Yeah.
[00:33:21] So, so I think that this, to my way of thinking, that's the next frontier for enterprise security. The call is, is your employees. Let's be, let's be frank. Right. The, the, the, the reason a personal computer is so much fun. The reason we all got our own PCs is we could do anything with it. We want it. There were no. General purpose device. There were no constraints. Yeah.
[00:33:49] You could download software, run it, do whatever you wanted to do. That model doesn't work inside the enterprise. You, I mean, and, and this, the reason I think it's, it's the, like the final frontier. It's also the biggest problem. It's because your users have personal computers at home. They know the way it's supposed to be. They want freedom. Right. But they can't be trusted with that freedom. And that, and that, again, you and I couldn't be. Right.
[00:34:19] Because we almost clicked the link. Right. I mean, so it's not about who they are or lack of training. It's that there is, there is tremendous pressure created by the opportunity to extort, which there wasn't historically, but there is now thanks to cryptocurrency. So there is, there is pressure.
[00:34:41] And that's, I mean, I don't want to, to have anyone come away undervaluing the importance of that. You know, your boss says, well, who would want to attack us? Who would want to, you know, you know, we don't have anything. You do. You do. You, you have, you have extortability. Right.
[00:35:03] And, and, and, and, so this tremendous pressure is, is motivating endless cleverness. You know what scares me? We get these emails all the time. We unfortunately, I think we're going to change this, have an easily guessable ad email address for our accounting department. Somebody said, oh. And so we get literally, you know, several emails a day, right?
[00:35:32] Lisa, saying, you know, your bill is due. And now we're a small enough company so that our accounting people know enough not to do that. But if you have a large company with a big accounting department, a lot of invoices coming in, that terrifies me. That would be so easy just by, you know, just oh yeah, well let's pay that invoice. How do you control that? That's really problematic.
[00:36:01] The, I think that what, what this next frontier of security that is to deal with this, the call is coming from inside the house. It's necessary to, unfortunately, reconceptualize the internal networking architecture. You need to assume not that you have an evil maid, as it's called. You know, an evil. We're going to have to change that, by the way.
[00:36:32] An evil. An evil butler. How about that? Or an evil janitor or something. No, it's not, it's not a bad employee. It's somebody who, who a social engineering hack tricked. And they're really good now. They've gotten better, these engineers. Yes. And they're going to keep getting better. Again, don't underestimate the pressure to get inside.
[00:37:00] And so, so, you know, anyone who's listened to security now has heard me talk about the, the model I have of, of security as being porous. Where it's not as open as a sponge, but more like, you know, some porous stone. Where if you have sufficient pressure, you can get some leakage through. So it, you have security, you have a wall, but it isn't perfect.
[00:37:30] But nothing is perfect. And this is the problem, is that, is that it only takes one mistake from one employee, one time, who, you know, who allows something onto their machine. You guys have to be perfect. The bad guys only need to succeed once. So, so in the same way that I would urge people to, to, from the outside looking in, to assume that authentication doesn't work.
[00:37:58] You cannot rely on authentication. The, the, the, the sad reality is you cannot rely on your employees not making a mistake. Making a mistake is human. Right. You know, and so, so, and you, and you can give them training and you can be testing them. And we know that, that, that we have sponsors of the podcast that specialize in doing exactly that. There's people on the show floor doing that. They saw all of this training. Yes.
[00:38:27] Raising, you know, maintaining on a level, a heightened level of, of anxiety essentially. Right. About, about like the, that individually they're under attack from the outside. But you're not, you're not saying don't do that. It's just insufficient. No, I'm saying you need that. Yes. It is insufficient because mistakes can still happen. And so the, the, the easy way of setting up an organization's network is to have a big switch and plug everybody in. Right.
[00:38:56] And we're one big happy family. And if you're inside the network, you're good. Exactly. Right. And the problem is you are then maximally vulnerable in that, in that scenario. Yeah. So, so, so a powerful technique. And I, I saw it mentioned in, in some of the notes for, for the, for, for this conference, a powerful technique is whitelisting apps.
[00:39:22] It's also really painful because nothing that's not whitelisted will work. Right. And it's going to upset people. Do you ban all shadow IT? Do you, do you say you can't use outside apps? You can't. I, I think you have to, you know, I, I heard you just the other day, giving the example of the employee who gets their laptop infected at home and then brings it into the enterprise. It happened to the NSA for crying out loud.
[00:39:50] If it can happen to the NSA, it could happen to anybody. Yeah. So, so, so the, the, this, the, the final weakness, I think, this, this, you know, the call that's coming from inside the house is not somebody who's maliciously attempting to do something, but somebody who makes a mistake, who allows something bad to get into their machine.
[00:40:17] And now their machine has more access than it should have. That's, that's where I'm going with this is that in the same way that, that if, if authentication isn't perfect, then you're, you've got IP filtering to back it up. So they're not even going to have a chance to authenticate because they're coming from, from, from, from, from an untrusted location in, on the world where only three are trusted. The others, you know, everything else isn't.
[00:40:48] This is zero trust, right? Yes. That's the whole idea. Zero trust. Yeah. And, and so it's, it's. You used to call it trust no one. You coined that phrase. TNO. Well, I got it from Mulder on X-Files. Okay. Yeah. That was in a different context. I think there were aliens involved, but it's the same idea. So, so you have to then say, okay, if something bad gets into this employee's machine, what could it do?
[00:41:17] What access does the machine have? And I would argue that to, in this day and age, still today, too many endpoints in the enterprise have too much privilege. We talk, we all understand the concept, the concept of least privilege, but it is, it is so difficult to actually implement. Well, try telling the CEO that he can't surf to any site he wants. He can't. Right. Sorry.
[00:41:49] Because he could make a mistake. Well, he will make a mistake. He's probably more likely than anybody to make a mistake. I hope this message, though, is getting through to business leaders, to CEOs. They understand that, yeah, we're locking you down for a good reason. Well, and arranging to send them a spoofed email that they fall for. That's one way. Would be like to say, well, look, it did happen to you. Yeah.
[00:42:18] So, so, so the, the, the point being, ask yourself what happens if any endpoint in the enterprise is malicious? Does it have too much privilege? And, and I understand the pain.
[00:42:37] I mean, the, the, just the, the additional overhead associated with really implementing a least privileged policy on an, on an endpoint by endpoint node by node basis. It's not the default. It's not easy. As I said, the easiest thing to do is to get a switch and plug everybody in. Open it up. You, you need to segment.
[00:43:04] You need to think in terms of, of departmental level access. Um, but, but, but what we always see is the bad guys get in somewhere and then they, they. Lateral movement. Lateral movement. In the network. We were talking the other day about a hack that somebody had set up, you know, like 90% zero trust.
[00:43:26] But there was a security camera that had just enough RAM and just enough processor to run an encryption routine, a malware routine. So they use that. That was the one thing that wasn't protected. Yeah. It seems like though, if you really implement true zero trust, that would be easier in the long run. The hard thing is the social thing is to explaining to your users. Yeah. They super glued their USB ports. It's not, it's not easy. Yeah. Yeah.
[00:43:56] Or that, you know, if you want to log in, um, you have to go, you have to jump through some hoops in order to do, you have to, you have to continually internally re-authenticate. Prove that they, oh God, we hate that though. Yes. You know, I'm sitting at breakfast with my wife. It's going to be hated. Google's making me log in again. Um, but that's, well, that's why, right? That's why you have, what you have to do. Right. It, you know, you worked on SQRL.
[00:44:26] You had an idea for a, a, a good authentication method that did not require a password. Pass, is passkeys. That's part of it, right? Making it easy and still secure. Is it possible to have both? I, I, it seems to me that what we're, what we're going to, where we're going to end up being is pervasive biometrics within the enterprise. Iris or fingerprint or face.
[00:44:52] Or a, a, a thumbprint on your keyboard or on your mouse. Your Level 3 facility, your colo had that, right? You had to, you had to do a hand print. Yeah. I had, I had a hand geometry reader in order to, in order to get in. Yeah. So, so, so, so the, the, the way I think this story ends is that in order to do anything, the, you, the user needs to continuously re-authenticate.
[00:45:21] And, and I don't mean anything, but I mean like you, you, certainly you, you need to create security perimeters and, and, and think this through. A lot of thought will have to be, be put into this. But it, it will be necessary for, for the person to constantly prove that, that, that, you know, they are them doing this. But that's why passwordless is a step forward. Well, and that's why biometrics. And biometrics too. I think because it is, if people are going to get very used to putting their thumb on something.
[00:45:50] And it's not so hard. No, exactly. And that, that's where you get the right trade off. Yeah, the face recognition. It's a little easier. And it's as secure. Yeah. Um, it's necessary. Yeah. Because, because, I, because I think you, you, you, you need to have it demonstrated that this is, that this is an, an, an, an, an internal entity, an employee in the organization who wants to do something. They should feel good about it.
[00:46:18] Because this is what we have to do. And we made it easy for them. Yep. Just put your thumb on the keyboard in order to do it. We only have five minutes left. What about, uh, I mean, one thing that's really changed the landscape in so many ways is AI. Um, we're so early in AI that I don't think we yet could guess what's going to happen. I think that's a fair bet. Yeah.
[00:46:44] Um, I got a piece of feedback actually from one of our listeners last week that, and I'll probably mention it in our next podcast. It was an, it was an application of AI for watching. So, it ran locally on their machine and it, its job was to keep them out of trouble. And I think that's brilliant. That's a good idea. I think it's brilliant. Yeah. I would, you and I could use an AI looking over our shoulder.
[00:47:14] Do you really want to click that link? Exactly. Yeah. Um, because we're not- But that sounds a little bit like the nanny UAC, Windows UAC kind of, but- People really resent that. Except way more, way more intelligent. Right. We're not talking Clippy here. Do we remember every time to look at the far right end of the URL to see what the TLD is? Right. We'd look at it mostly- But AI would always look. It would always look. Yeah. And it would see what, the URL underneath the link that we're about to click. Right.
[00:47:43] And neuter our clicking it. Right. You know, whoops, wait. And then up comes the dialog saying, wait a minute, you know, what you think you're clicking doesn't correspond to what this email is about. So I, you know, none of us want, well, most of us don't want Recall, you know, like, you know, recording everything we do with our machine. Recall's funny because it was simultaneously too much and too little. Right. So it didn't go far enough and it went way too far.
[00:48:11] But I love the idea where we have, where the way the world has evolved with the external pressures, creating an economic incentive for bad guys to breach our security and suborn an employee without their knowledge. So, having, so thus, you know, tricking them into making a mistake, having a local AI, which
[00:48:41] is looking over their shoulder all the time. It's not leaking information. It's not in the cloud. You don't have to worry about it from a privacy and security standpoint. Watching what they do, you know, like keeping them from pasting a something on their clipboard into the Run dialog and hitting enter because they don't really, they're following instructions. They don't know that's bad. And it says, whoops, hold on a second.
[00:49:09] All the frontier models are now starting to add security modules to it. And I think, you know, at first I think people were a little nervous about this idea thinking, well, even with vibe coding that the AI may make security mistakes and maybe early on it was, but you can also, I think you can train AIs not to do buffer overflows, not to use, you know, strcpy when it could use string copy.
[00:49:35] It can look at the patterns that are of common mistakes and prevent you from doing those, right? My feeling is we're also at the early stages of AI coding. Yeah, yeah. Anytime you take a general AI and say, write some code. That's a bad idea. You're not doing nearly as good a job as when you have a specific coding AI that you, you know, gave birth to from scratch for that purpose.
[00:50:04] That's it. That's really going to be something. We haven't seen that yet. Yeah, we're getting there. Yeah, it's pretty amazing. Oh, we got a long way. We're at the 1% point, really. I mean, we're, you know, if anyone were to ask two years ago, would we be where we are today with AI? We would not have predicted this. And two years hence, who knows? No, there's just no way to know. Yeah.
[00:50:31] This is why old guys like us are still excited about doing what we do because... But keep an eye out for agents that keep your employees from making mistakes. I think that's going to be a serious win. Yeah, I like that idea. I hope you all will subscribe to Security Now. You'll find it on our website, twit.tv slash sn, or in your favorite podcast app. We do it every Tuesday.
[00:50:58] Steve is a national, international treasure. We're very glad that he decided to keep doing it. For a while, he was making noises about stopping at his 999th episode. But we're now at 1,068. So that's the good news. Let's hope for another 1,000. Thank you so much. We really appreciate it. I thank you, Steve. And we're going to go to the cocktail party. And if you want to get a selfie with Steve, we'll be there. Or with Leo.
[00:51:26] Well, I'll be behind him going with the devil horns. Thank you so much. We really want to thank ThreatLocker, our sponsors for this show, sponsors for the conference. I think they do an amazing job. And we're really happy to be partnered with them. I hope you have a great conference. See you later.
