We're back with David Strom who's a cybersecurity journalist at Silicon Angle. We're talking about the intersection of data protection, specifically backup and recovery and cybersecurity generally. David, good to see you again. How you doing? I'm doing great. How about yourself? Awesome. Thank you. And you know last time we had you on was as part of SuperCloud. You've been knocking it down on the security portal on Silicon Angle doing some great work, you know, gearing up for RSA, you know, early next year. But so let's talk a little bit about this notion of backup and recovery, so-called data protection. We hear a lot about air gaps. We hear a lot about ransomware recovery and the whole mosaic of cybersecurity. Where do you see those pieces fitting together? Well, they don't really fit together all that well. And that's, I think, part of the problem that we're still talking about them. You know, when ransomware was first the thing, it was highlighting the fact that people don't do their backups very well. They don't check them to make sure that they actually are intact. They don't back up all the right kinds of data. They don't understand the craft that ransomware gangs apply on them to get into their network and to do damage to their system. But now we have these multi-point ransomware exercises. They just don't encrypt the data and hold the ransom. They then make fun of you and they shame you on their own website. They try to sell the data to people on the dark web. We even have a case this summer where the ransomware actor filed an SEC compliance disclosure saying that their victim hadn't disclosed that they had been breached. I mean, you know, the nerve of them. I found a control. Yeah, you covered that story. And it is quite a position for the criminal to sort of call foul. So but, you know, as an observer of this industry for a long, long time, one of the things that you see are real. What is triggering you that you think is vapor?
You know, we talk a lot about zero trust. You and I have had this conversation before. You know, the narrative is it's a journey. But it's starting to get a lot of traction in the CISO community. What is your take on the state of zero trust? What's real? What's vapor? What's how should customers be thinking about this? I think they should very carefully evaluate any product that claims to be the first or the only in this space, because most of the security tenets are things that we've been talking about for decades. So there's a lot of vendors that have jumped on the zero trust bandwagon, and we still don't have enterprises that are doing adaptive security control. You know, they view authentication as one and done, you log into your computer in the morning, and that's all you need to do. And there's no evaluation of your risk profile as it changes during the day, or additional checks to make sure that it's really you and not somebody who's acting like you. You know, those are really simple things to talk about. They're a lot harder to implement, but that's what's really going to go a long way towards lending zero trust. Well, and it's like I feel like there's a lot of paper cuts. And so there's products that you can buy their software, their tooling, their skills that you can bring to the table. And then there's all these other little things that you for instance just mentioned. Those are the things that David, it seems like it's hard to operationalize. Are there tools to help operationalize the tools? Is that where we're headed? Um, I don't know. I mean, I'll give you a really, a real example. So I got today the new Google FIDO Titan USB key. It's a little, you know, little piece of plastic that fits into your drive and also can use the radio frequency for phones that don't normally have the same connector. And so I figured, Oh, great, I'll just add it to my bank account as another authentication device.
Well, I go online, I go to my bank account, I navigate the 37 menus to finally get to that spot. And I've maxed out my number of security keys that I can use in my bank account. And the maximum number you can use is two, which is ridiculous. You know, I've got 10 or 11 of them. Why limit it to two? Yeah, it's totally pointless. So, you know, you have the proof is in the pudding and the applications are really the last frontier where they need security features can be implemented. I wanted to talk a little bit about, you know, you and I were trading notes last night about air gaps. And we talked about the Natanz, the uranium enrichment facility, which was the target of the Stuxnet virus. Natanz was air gapped. Right? The presumably the US and Israeli actors got in to speed up the centrifuges and so forth. So air gaps are really important. Don't get me wrong. But to your point, and the things we were talking about earlier, there are a lot of these little paper cuts that people need to think about. And so add some color to your perspective on air gaps and what else we need to stay protected? Well, the problem with the air gap is that they're very deceptive as the people who are operating that centrifuge plant found out because, you know, once a week they would take another USB thumb drive, put it in their Windows computer, download the latest configuration for the centrifuge and then walk it over that 10 or 20 feet across that air gap to where they would upload it to the controllers on those units. So the air gap was giving them a false sense of security and the spies figured this out. And they also really weaponized that they had seven zero days. And all it was designed to do was to just infect those centrifuges and have them spin out of control. So it must have infected hundreds of thousands of computers and did absolutely nothing until it found a centrifuge to connect.
There's a group of researchers at Ben-Gurion University in Israel, which I've been to several times. And they have a long list of ways that you can defeat air gap: disk drive lights, sounds that your computer makes. I mean, just it's an incredible set of things. As long as your computer is operating doing something, they can figure out a protocol that can transmit data across an air gap. So it's very very accepted. And I think but I think the point is not saying don't do air gaps, do air gaps, but don't think just because you have an air gap that you can just ignore some of these other factors. I don't know if I've been pumping up all week this book, a restaurant in Java. I don't know if you've read it. It's, I just downloaded it. Thanks for your recommendation. Oh, good. I'm glad, it's really well done. And I suggest people just take a look because it really does underscore how fragile our critical infrastructure is. I wanted to come back and ask you about a conversation that we were having last night in email. And I was saying that, you know, get in your opinion that historically, data protection backup and recovery has been thought of as a bolt-on. And, and then you've got cyber security, sort of, in my view, was kind of separate. And then you responded, you said, I think by bolt-on, you mean that there are two distinct groups within an organization. I thought this was really interesting. One that manages the backups and one that manages the overall cyber security processes. And you said, you're not sure that that's really the case. The conflict, if there ever was one, was between the network infrastructure group and the SecOps group, who was going to claim ownership, you know, over the proper backups, maybe how to do a proper backup. What are those organizational considerations that people shouldn't be thinking about?
Well, you'd have two problems. In small organizations, the network people and the security people are often the same single person. And so that person is just overwhelmed with problems and trying to keep the train running, which is what the network guys are supposed to do, and try to keep them from crashing, which is what the security guys are supposed to do. In the larger organizations, there's turf war, you know, who controls what if I have a firewall for my digital web estate, let's say of application. Then I have a third group of people where they're, you know, the developers who are developing those applications. And they're usually thinking about security very late in the game. And network people have invested millions of dollars in, you know, five-nines bulletproof infrastructure. They don't necessarily want to change anything. Because they think their network is just fine. Thank you. And it may not be as segmented as somebody would like. Or segmented at all, you know, we still have companies that run their whole infrastructure on a single network segment, which is just crazy. It violates all security principles that we've known for decades. Well, right. And of course, there's that, that cost versus, you know, protection, how much, how much do you want to invest? But, but even in that case, there's probably some really good $5 fixes that you can do. I also, I forgot to mention when we were talking about air gaps, you wrote a piece that you turned me on to. I wasn't aware of it. Here's how hackers can steal your data using light, radio and sound waves. So this was something also that, again, when we think about, you know, critical infrastructure, when we think about air gaps, there's just so many novel techniques that maybe mainstream media hasn't been reporting on. That one blew me away, David, that article that you wrote. Yeah, well, those are all the Ben-Gurion researchers. They have a specialty group of people that do that.
And every so often they come out with yet another way to do, to defeat air gap. Yeah. What are the things that, you know, we always talk about the threat landscape and the shifting threat landscape. A lot of focus now certainly was a lot of focus on cloud. We're getting an increased emphasis on IoT, critical infrastructure. What are the things that you're watching that maybe, again, aren't mainstream that you think are going to affect that threat landscape in the coming, you know, two, three, four, five years? Well, I think people are underestimating the level of expertise with the threat actors and hackers. There's a lot more blended threats, you know, like I mentioned with ransomware. The same is true with denial of service attacks where they're combining that with all sorts of other techniques. There are better ways to hide in plain sight in an infrastructure so that the detection tools fail at finding the malware and leave them resident sometimes for months at a time. So the situation is getting more complicated. The attack groups are getting better educated. They're buying more threats-as-a-service type of things, just like everybody's buying more cloud applications. They're doing the same thing and they're combining all these tools. The average phishing threat, for example, has 30 automated steps that an attacker can run to get into your network. You know, they just have one set of tools that feeds into another set of tools, where those used to be manual methods or where a phishing exploit was just one or two steps in the past. Ah, so much more sophisticated. So you're saying if you click on the link, it sets off a series of automated events that doesn't require a human. I don't know about you, but I've seen the phishing attacks become much more, I don't want to say sophisticated because I'm not qualified to say so. But a lot more enticing from a user's perspective, a lot less obvious, let me say.
And I guess my question to you is I've suspected that it's in a large part because of generative AI, but then maybe other AI, what's your take on that? I think we're just beginning to see the AI-based enhancement. I think most of these attacks that have happened so far, you know, you have a package that can't be delivered, you know, that kind of thing, you know, especially now around the holidays. You know, why the post office would send me an SMS message about my package? You know, they don't. So you just have to be very skeptical. You have to be very much have the presence of mind. You know, if you're looking at your phone and you're not really paying attention, it's easy to click on something and get trapped. So, you know, it really behooves all of us to be more careful about what we're doing when we're looking at stuff. Yeah, Lena Smart from MongoDB says excuse simple, just don't click on links. David, thanks so much. Yeah. Right. I mean, seriously, don't click on links unless you are 100 percent certain that it's the person you trust and even then double check. Right. David, thanks so much for taking some time. Really appreciate your insights as always and your great reporting. Check him out at SiliconAngle.com. Thanks a lot. Pleasure to be with you. All right, we're cranking along. We're live in studio and on demand in our Palo Alto studios. You're watching Navigating the Road to Cyber Resiliency, a summit bringing together practitioners. We got cyber experts. We have independent analysts, technology experts, and we're exploring the cybersecurity and data protection intersection. Keep it right there.