Episode Transcript
[00:00:00] Speaker A: One, two, three. Come on.
[00:00:02] Speaker B: In the grand stadium of the digital landscape, where teams of innovators and hackers face off daily, there stands a commentary box like no other. Picture the buzz of a pregame show, the strategy analysis of the halftime break, and the deep dives of a postgame discussion all rolled into one.
Welcome to Off the Wire, a play-by-play on cyber issues, your sports desk for the big league of cybersecurity. Just like in sports, in the cyber world, understanding the play is key to staying ahead of the game. And that's exactly what we offer: a podcast that brings the strategy room to you, helping you to understand the moves, the players and the landscape like a true analyst.
Off the Wire, a play-by-play on cyber issues.
[00:00:54] Speaker C: Yeah. So welcome back to another episode of Off the Wire, a play-by-play on cyber issues, with Jon Watkins and my co-host, Mr. Anthony Kent. How you doing today, Anthony?
[00:01:05] Speaker A: Pretty good, Jon. How are you?
[00:01:07] Speaker C: You know, I'm busier than a one-eyed cat watching two mouse holes, man.
[00:01:13] Speaker A: Well, you haven't been responding to my texts. I was worried that you big-timed me. What have you been doing these last couple weeks?
[00:01:19] Speaker C: Well, I've been doing these Backdoors & Breaches tabletop exercises and trainings, and that has worked really well. So a shout-out to Black Hills Information Security for all their support. I've been doing some of that, and then I do some non-cyber-related stuff. I'm a sign maker and I do some other things, too. So I've been busy with that. I've got a great big sign project that I'm working on. I've just been really busy. And then just kind of promoting the business and posting like crazy on LinkedIn. I'm sure you've seen some of those.
[00:01:49] Speaker A: Yeah. Jon, I'm not going to lie, I'm not really familiar with Backdoors & Breaches. What is that? Can you give me the nickel tour of what that is?
[00:01:57] Speaker C: Yeah, so that's a card game developed by Black Hills Information Security. And what it's designed to do is very similar to. They call it B&B. Kind of like D&D. D&D would be like, it's a role-playing thing, just for incident response. And they really kind of focus on. There's five different pieces of the incident response process or whatever, and they really focus in on just an identification of a breach.
You'll have a scenario that's set up and they talk about initial compromise and pivot and escalate, and then C2 and exfil, and then finally persistence. And that makes a scenario.
[00:02:34] Speaker A: Okay, so you have four of those.
[00:02:36] Speaker C: Cards, and then you have several other cards that are sitting out there. And what they're made to do is they're defender cards.
[00:02:42] Speaker A: Right.
[00:02:43] Speaker C: So then you have all these defender cards that the defenders use with all these different processes on them, like, for example, endpoint security analysis, or maybe perhaps deception technology deployment. So you'd have those kind of things on there to try to figure out how this thing or what is happening in your environment. And you get ten turns, and you got to roll a die to see if any of this stuff works. So let's say you decide to do endpoint analysis. You roll the die. It's a 20-sided die. So, yeah, if you roll the die and get a one through ten, it fails. And then if you roll the die and get eleven through 20, then it succeeds, and then you got ten turns to try to figure it out. And it's really good to kind of figure out some attack methods that you probably wouldn't think about.
[00:03:20] Speaker A: Yeah, I think they did that at the NRECA Cyber conference. I don't know if you want to. Did you go to that?
[00:03:27] Speaker C: I hosted it.
[00:03:29] Speaker A: Well, there you go. I think I heard about that from my folks that attended. Okay, awesome.
[00:03:33] Speaker C: Yeah, I hosted that. There were three different tables, and we had three different kind of scenarios, and we ran through the game several times, and I try to run through it at least a couple of times. The best way to do it is probably three or four times, especially that third time, because the first time you just kind of learn how to play. And it's cool because you can play online, it's play.backdoorsandbreaches.com.
[00:03:54] Speaker A: Did you have to play D&D to enjoy this?
[00:03:57] Speaker C: I've never played D&D in my life. I've never even brought it. I mean, I'm kind of halfway familiar with it. Some really nerdy friends of mine that I went to school with in middle school were really big into D&D, but I never was a D&D guy.
[00:04:09] Speaker A: You might offend some of our listeners with that.
All right, well, that sounds interesting.
[00:04:15] Speaker C: Wouldn't be the first one that I offended. So it does happen. Hey, tell me, by the way, Anthony, a little bit about yourself for our listeners, if they don't already know.
[00:04:25] Speaker A: All right, Anthony Kent.
I've got about ten years' experience in the cooperative world, and I've got about ten years' experience in the cybersecurity world, where I supported the Department of the Navy, and I also have my education in cybersecurity. And actually, it was just earlier this year that I got my CISSP.
[00:04:46] Speaker C: Congrats.
[00:04:46] Speaker A: Thanks.
[00:04:47] Speaker C: Well, I have my CISSP, too. And, yeah, I'm just like Anthony. I've been in cybersecurity for quite some time, probably 14 years now, I think is the number. And I help folks with tabletop exercises. I can do policy development. I've done red teaming. I've done a little bit of everything in the cyber world, I think, except for, like, web application security. I've not done a lot of that, but I've kind of been around the block, so to speak. And I love cybersecurity and I love helping cooperatives. So that's me. That's what I do. And as you might know, I do a lot of drawing and art as well because I'm a very weird person.
And I do music. I do music, too. I'll tell you what I did. I'll tell you what I did, Anthony. I was just at a bluegrass festival this weekend. Really played bluegrass music. So the Bluegrass festival that I go to, there's a couple that I go to, but this particular one is in Wilmington, Ohio, and it's at the beginning and the end of every bluegrass season because it's an indoor festival. So this is in November. So it's an indoor bluegrass music festival, and it lasts three days long. I was only there for the two days of it. But people, there's all the bands that are playing and stuff. If you've never been to a bluegrass concert or festival, there's always all the bluegrass musicians that like to go to these things, also like to play. So what ends up happening is you have all these groups of jammers, and they're sitting around and they're playing bluegrass music. And I played on Saturday. I played music straight, not kidding you. For 6 hours. I did not stop.
[00:06:19] Speaker A: So I knew they had concerts. I had no idea that they had festivals that were multiple days.
[00:06:24] Speaker C: Oh, yeah. That's a bluegrass kind of bluegrass tradition is to have, like, multiple day festivals and what have you. So that's what I did. I did this weekend, and I played a whole bunch of bluegrass music. Whether it was your thumbs hurt reminded me scene. My fingers hurt a little bit. My fingers are sore, especially my left hand. But it was a lot of fun, and I enjoyed it greatly. But we probably ought to get back to talking about this episode a little bit. So what is this one all about this time, Anthony?
[00:06:53] Speaker A: This one is on large language models, or ChatGPT. And do you got the title for this one?
[00:07:00] Speaker C: The ChatGPT Dilemma: Integration or Regulation?
[00:07:04] Speaker A: I think I know what side I'm on, but we'll wait till the coin toss.
[00:07:08] Speaker C: Wait till the coin toss. By the way, just talking a little bit about the podcast itself, talking about our listener count, we want to thank all of you that are listening and have listened. And I know there's folks that are listening in every episode, and I greatly appreciate that. And we definitely appreciate you coming back and listening and putting up with Anthony and me. We're well over 200 listeners at this point, and our top episode is still our first episode. So hopefully this one skyrockets on us. But everybody still is liking that first episode, Phish or Foe, and that's getting the bulk of our listens. But I don't know, talking about ChatGPT and large language models, we might do pretty good. What do you think?
[00:07:49] Speaker A: I don't know. I thought geoblocking was the jam, but I guess not.
[00:07:53] Speaker C: People like the phishing one. I don't know why that was. Maybe it was because it was our first one, I don't know. Just a reminder, we do have a donation page. We'll mention that. It'll be in the show notes, if I ever get the show notes right. And then also we'll talk about it at the end of the show a little bit. So if you want to donate, we're all for that. We're also looking for sponsors. We do have a sponsor today, of course, and we'll introduce that sponsor now. That's Jon Watkins Consulting.
[00:08:17] Speaker B: Today's episode is sponsored by Jon Watkins Consulting, the cybersecurity expert electric cooperatives trust. Are you an electric co-op struggling with limited resources and the daunting task of safeguarding critical infrastructure? Jon Watkins Consulting specializes in easing that struggle. With over 14 years of experience, Jon offers tailored solutions to fight your unique cybersecurity challenges.
Don't let the difficulty of board engagement and cultural challenges hold you back. Jon Watkins Consulting will guide you through these challenges, turning your pain into progress. Yes. Ready to fortify your co-op's digital defenses? Call 937622 Eightyn or visit jonwatkinsconsultant.com. Jon Watkins Consulting, turning your cybersecurity struggles
[00:09:14] Speaker C: into strengths. And thanks, Jon, for that sponsorship. And if you want to sponsor the Off the Wire podcast, get a hold of Anthony or me, either one, and we'll be more than happy to hook you up. I'm still working on another sponsorship from another person or another company, so hopefully that happens before too long. But now I guess it's time for that infamous coin toss, right? Is it my turn to call it?
[00:09:41] Speaker A: It is your turn.
[00:09:42] Speaker C: Well, I'm going to go with heads. Let's see what we can do here.
Tails.
[00:09:50] Speaker A: My choice.
[00:09:51] Speaker C: Yeah, you can be for the AI, ChatGPT, or you can be against it in the environment. What's your call?
[00:09:59] Speaker A: Well, just because I know how much you enjoy ChatGPT, I'm definitely going to be against this one.
[00:10:05] Speaker C: Okay, well, I'll be for it. I can do that. Maybe I can just hook up all my answers on ChatGPT.
Of course, ChatGPT is blowing up, $20 a month for the Pro subscription. And I don't even know what the numbers are, but I know it's got to be off the hook. They just had their conference recently, right, where they just announced a bunch of new features.
I think OpenAI, of course, it's been underground for a long time, it's been happening, and it just didn't pop up out of nowhere. But last year when they released ChatGPT, it just, did it go to a million users in one week?
[00:10:43] Speaker A: I know it hit a record for how fast it grew, but let me just call you out on one thing. The very first thing, isn't OpenAI a little deceiving? Isn't their code base now private?
[00:10:55] Speaker C: Yeah, not so open after all.
[00:10:58] Speaker A: Anyway, we'll go ahead and make it one-nothing.
[00:11:02] Speaker C: He's going to get an early start to this game.
Okay, so, yeah, so ChatGPT is definitely blowing up. It's taking the world by storm. But I guess the question is, what are the security kind of concerns here? Should we just allow it free rein in our environment? I mean, I know a buddy of mine works at a pretty big manufacturing place and they're just like zero ChatGPT in the environment. Now they are allowed to use the Bing chat in the browser. It's because it's horrible and I guess it doesn't collect any information or something like that.
[00:11:37] Speaker A: Yeah, well, there's numerous companies out there blocking it. I'll name a few. Disney, the New York Times, JPMorgan Chase and Verizon, they're all blocking it. And there's several that have warnings for their employees not to share confidential information, like Walmart. And they definitely have some policies regulating it.
[00:11:59] Speaker C: The one I'm talking about was Honda of America, and then Caterpillar, CAT.
Both of those are blocking it as well. I think the size of the company has something to do with it.
[00:12:13] Speaker A: Right? I know I've got plenty of cons on why you should be blocking it or regulating it, but just for the people that have been in a cave, what are some benefits, or what are some of the things that you use ChatGPT for, Jon?
[00:12:26] Speaker C: Yeah, so, I mean, ChatGPT, like, for example, this morning, and it didn't do very well on my LinkedIn post, by the way. But I'll write a LinkedIn post, for example. I'll get up in the morning and have an idea for a LinkedIn post and I'll write it myself.
Sure, you will. No, seriously, I really do, every single one. And then I take it over to ChatGPT and I say, hey, here's my LinkedIn post, and what do you think about it, and can you offer any improvements or suggestions? And then I pop it in there, and then I look at it, and then I add my own, and I just kind of, like, do a blend. I don't want it to be all ChatGPT content, but I will say that ChatGPT expands my mind and helps me to think of things that I probably wouldn't think of. And what I found by doing that is that I'm very single-minded when I'm writing something, and this gives me a lot more diverse way to look at things. And it just kind of opens my mind to all the different possibilities that maybe I wouldn't have considered otherwise.
[00:13:27] Speaker A: So is this like your own personal assistant?
[00:13:30] Speaker C: It definitely is my personal assistant. And for $20 a month, it's a good buy.
[00:13:33] Speaker A: Well, I'm surprised you didn't replace me already with some ChatGPT.
[00:13:37] Speaker C: How does everyone know you're not an AI voice?
[00:13:41] Speaker A: I'm sure they listen to me talk. They can figure it out.
[00:13:44] Speaker C: Yeah, it's that North Carolina accent, right? Yeah, I'm definitely in favor of can. I can definitely understand. I will give you one point for this, that there has to be some kind of DLP tool in place, because I think what's going to happen is the average person probably doesn't know how to use ChatGPT the right way, and so it'd be real easy for them, especially if they've got the Plus, to just go ahead and just upload some document or something that's completely confidential. And then what is OpenAI actually doing with that data? We have no idea.
[00:14:24] Speaker A: Right. Yeah. I will say this, and this is really something that's for your side, but it's my understanding that OpenAI changed their terms of service so that they don't use the data that users enter for training. So that is my understanding. I mean, you don't know what they're doing with that data, but as far as using it to learn on, they're not supposed to be utilizing that anymore.
[00:14:47] Speaker C: Yeah, they're not supposed to. I don't know what they're doing with it.
[00:14:50] Speaker A: Yeah. Anything you put in the cloud, a public cloud tool, I think you're basically just, might as well be sharing it with the world.
[00:14:58] Speaker C: Right. Well, I mean, I think the best advice there is, anything that's going out there ought to be treated just like it's put on the front page news. The one thing I think about is not just so much the ChatGPT, but all the knockoffs.
[00:15:13] Speaker A: Right? Yeah.
[00:15:14] Speaker C: And the attackers right now are just having a field day with all of the crazy browser plugins and everything else trying to say because it's such a big craze with the AI that they're just totally taking advantage of people.
[00:15:31] Speaker A: Yeah, I would imagine we're going to stop seeing emails with misspellings and weird.
Obviously you can tell their English is not their native language. I think ChatGPT will be the end of that, or it should be.
[00:15:43] Speaker C: It already is. Like, I saw some spam that got through to my Gmail account, some phishing attempts, and I mean, they were really good and it was paragraphs, and that's the one thing that I noticed. And when it comes to, for example, phishing emails, a lot of times they were pretty short. With ChatGPT, you can put in one prompt and get five paragraphs out. For a pro, for the pro side of it, for policy creation, what's nice is it's a good idea starter. And for policy creation, you could put in, say, talking about acceptable use policy, for example, and say, what's a great template for an acceptable use policy? And I think some of the templates that are out there on the web right now haven't been updated in a while. And so if you're using ChatGPT Plus, then you could go out and, you know, I'm looking for an acceptable use policy template to customize for my organization or whatever. Can you start with know? And I think you can get some really good starter material that way.
[00:16:46] Speaker A: So it sounds like people just are not going to be doing their own work going forward. Is that the case, Jon?
[00:16:51] Speaker C: I disagree with that one. I disagree with that one because right now, at least now, I don't know about how this is. ChatGPT 4, so who knows what ChatGPT 40 is going to be like, but ChatGPT 4, it's not dumb by any means, but it does have some limitations. And I think everything, oh, I'm going to lose my job and AI and all this. Yeah, okay, whatever. But the prompts matter, right? Like, the prompts really do matter. You can get some really stupid stuff out of it if you don't have the right prompts in there.
[00:17:21] Speaker A: You ready to get into the cons? Because I'm just chomping at the bit to start my tally against you.
[00:17:28] Speaker C: Go right ahead. Knock me down. Go for it.
[00:17:31] Speaker A: All right. Well, in preparation and just reviewing ChatGPT, I found there was a report from Cyberhaven, and they said that 2.3% of workers have put confidential company information into ChatGPT.
Just everything that I'm reading, if you leave it open, people are going to put confidential data into it.
[00:17:54] Speaker C: The 97.7% of people that didn't put the confidential information in there, if that's a good thing, I guess it only takes the one person to do it, but 3% seems kind of low.
[00:18:06] Speaker A: Yeah, it's just like the phishing. You get one person doing it, then that data is out there. Matter of fact, I'll give you a recent example. Samsung, they leaked some of their source code as a user multiple times put the source code into ChatGPT.
[00:18:21] Speaker C: Right?
[00:18:22] Speaker A: Yeah.
[00:18:22] Speaker C: And I think that's a good point, actually, because I'll concede another point to you here, because it's not just, everybody thinks ChatGPT, and you're going to have it write something for you. Well, it can write code. So, like, if I put my code in there and it happens to be proprietary code for the organization I work for, that is a different kind of data leak. That's definitely sensitive, and especially when your source code ends up being your intellectual property. Right?
[00:18:46] Speaker A: Yeah.
[00:18:47] Speaker C: Where did you find that particular source of information there about the Samsung data leak, by the way?
[00:18:53] Speaker A: Well, it's not a super reputable site, Gizmodo.com, but there were several articles.
Yeah, it was probably not the best one to reference, but there were several articles on the Samsung data leak.
[00:19:08] Speaker C: Yeah, okay, I understand.
I know how it is. When you start losing, you got to claw back, however you got to do. I get it. It's fine.
[00:19:16] Speaker A: And how many co-ops do you think have a data loss prevention tool? I mean, you said that that's a necessity.
Do you think the majority of co-ops have a data loss prevention tool?
[00:19:27] Speaker C: I would say, like, 2.3% have it, and that's probably pushing it. And I pulled that 2.3% by the ones. That's who's putting the company confidential.
[00:19:37] Speaker A: Okay, so it matches. Yeah, I would say outside of. I know Microsoft Office 365 has that built in, but that's specific to Office 365. But yeah, I would say outside of that, it's pretty slim. I'm sure there's co-ops out there that do have some tools.
[00:19:54] Speaker C: I think your bigger ones probably do. I don't think your smaller co-ops are going to have even.
I doubt that they're really thinking about DLP. I mean, the other big thing about it is most of your co-ops aren't really looking so much at, they're not protecting some kind of intellectual data or intellectual property in that sense. Right.
Most co-ops do not have a secret sauce on how they're distributing electricity, and they don't have the eleven herbs and spices of electric distribution. So I don't know that they're too worried about stuff like that. Now, I will say that there are a lot of contracts, and if you're using ChatGPT for contract creation or even to review a contract or whatever, you could put some sensitive data in there pretty easily.
[00:20:40] Speaker A: Right? Well, I feel like aren't there people using this for legal advice? I mean, don't you think anything asking for legal advice would be pretty sensitive?
[00:20:48] Speaker C: I would think so. And especially if it's company related versus if it's personal. I mean, that's one thing. But I guess if it's company related, that's a whole nother ballgame right there. And then two, it's going back to this DLP thing. If you don't have a good data classification scheme, how are you going to do DLP anyways? Right? So I mean, how would you even know if you were losing data to this thing?
[00:21:09] Speaker A: So it pretty much sounds like I've won and you need to just block.
I mean, so if you don't block what you're saying now, you got to have a DLP in place. You got to have what? Data label classification. You got to be able to classify all of your documents. Is there anything else that sticks out that you got to have before you can open it up?
[00:21:30] Speaker C: Well, I mean, I will say this. I guess one of the cons of blocking it is people still have phones, right? And today with your phone, like, data leak protection is a big deal because, first of all, it doesn't even work.
So second of all, I mean, honestly, if I wanted to put something in ChatGPT and you blocked it at the organization and I've got a phone, BYOD kills all those kind of rules, because all I got to do is turn my Wi-Fi off, go on LTE, and then my phone, with my iPhone, I mean, I can look at a screen and I can copy any of that data. Right.
[00:22:06] Speaker A: Jon, we're talking co-ops. What co-op has 5G in the office?
[00:22:10] Speaker C: Actually, we've got work that did.
[00:22:13] Speaker A: Our cell boosters are going through our firewall, so I think we could actually block it.
[00:22:18] Speaker C: There you go.
But I mean, what I'm saying is if a person has a cell phone that can do screen capture, and from that screen capture do a copy and paste of some data and then throw it in, I mean, you can't stop them having a personal ChatGPT account, can you? I think it's pretty.
[00:22:37] Speaker A: You think end users are going to do the illegit thing and bypass all your security and get on their phone and use ChatGPT?
[00:22:45] Speaker C: If they really want to use it, they will.
[00:22:47] Speaker A: Actually, I'm being sarcastic.
[00:22:49] Speaker C: I know they will, I know they will.
[00:22:52] Speaker A: But I don't think leaving it wide open is the mean. Don't you think you should have like an acceptable use policy or some kind of policy on this? Don't you think that should be a requirement?
[00:23:03] Speaker C: Yeah, I think you should hop into ChatGPT and ask it to make you an acceptable use policy for a. Oh my goodness.
[00:23:09] Speaker A: Does anyone work these?
[00:23:14] Speaker C: I mean, I don't know. Just going back over this as a recap, this one's a toughie, you know what I mean? Having a usage policy for it, I think is an absolute must or necessity. There has to be some kind of talking about it because this thing's going to get out of hand real quick. It only takes one big incident for that to be the incident to be a real issue, right?
[00:23:37] Speaker A: Yeah.
[00:23:38] Speaker C: If these big companies are blocking it, there's a reason. Right. But I guess my fear would be is if you block it that people are going to go around you.
[00:23:47] Speaker A: Yeah, I agree. I mean, if you put stuff in place, if people don't like it, they're going to try to bypass your security. But with that said, I don't think the answer is to just turn a blind eye and let people do whatever they want on ChatGPT.
[00:24:01] Speaker C: Fair enough. I mean, locked doors are there for a reason, right? They keep the honest people honest, right?
[00:24:05] Speaker A: Yeah.
[00:24:06] Speaker C: So I think that's all told. I think right now, if I was working at a co op, I would advise management to say, hey, I think we really need to take a look at this and if nothing else, put some boundaries on it. Locking it may not be the end all, be all, but definitely put some boundaries on it because I don't know that it is something like you said, that you just need to let the cat out of the bag and just open Pandora's box with.
[00:24:28] Speaker A: Right? Yeah.
If you don't feel like you've got the capability of do some of these items like DLP, do an acceptable use, mean, I kind of feel like you should be blocking it. But obviously if you leave it open, you need to put some boundaries in place, like you just said.
[00:24:46] Speaker C: So I lose the coin toss now I'm losing the argument.
It's not going my way today.
[00:24:53] Speaker A: Well, that's what happens when you have ChatGPT write all your notes.
[00:24:59] Speaker C: All right, well, thanks to Jon Watkins Consulting for sponsoring this episode. If you want to get in contact with Jon, that's me, I'll come on site and talk to you about cybersecurity and maybe even ChatGPT if you're lucky. And I might even use it to do my notes. But if you want to get a hold of me, you can call 937-6228 or you can hit me on the website, which is jonwatkinsconsultant.com. Jon is spelled J-O-N for all of you listeners out there, but we want to thank everybody for tuning in. One thing I'd like to note, Anthony, is that we're kind of hoping that people reach out to us. We want to hear what you have to say about what topics you'd like to hear us kind of go back and forth on.
[00:25:45] Speaker A: So, you know, we both post on LinkedIn. You can reach out to me or Jon if you have a topic you'd like for us to cover.
[00:25:53] Speaker C: Absolutely. We have a way for you to donate to this podcast as well. You can do a one-time or a recurring donation. Either one's fine. Off the Wire castos.com donate. We'll put that in the show notes as well. We really would appreciate that, for financial sustainability, quality improvement and longevity and growth. But this has been Jon Watkins and Anthony Kent on Off the Wire. We appreciate you taking time and tuning in. Make sure you like, make sure you share and tell folks about it. We want to kind of spread the word. And also we'd love to hear your feedback on what we could do and what you would like to hear. Or maybe you'd like to hear us do something better or anything like that. We welcome your feedback, that's for sure.
[00:26:42] Speaker A: And also, if you want to leave a review and state how Anthony is usually right, that would be greatly appreciated.
[00:26:50] Speaker C: He'll pay you for it. That's what he usually has to do, but that's no problem. Today he whooped me big.
[00:26:56] Speaker A: Yeah. Anthony versus Jon GPT.
[00:26:59] Speaker C: Jon GPT. I'm the human ChatGPT, folks. All right. Well, on behalf of Anthony Kent and myself, I want to thank you again for listening, and we'll look for you next time. And thanks for listening to Off the Wire.
[00:27:10] Speaker A: One, two, three. Come on.
[00:27:12] Speaker B: Thanks for listening to Off the Wire, a play-by-play on cyber issues, featuring Anthony Kent and Jon Watkins. Make sure to like, subscribe, follow, and, hey, share this podcast if you liked it. We appreciate it, appreciate your time. So see you next time.
The views and opinions expressed in this podcast do not necessarily reflect those of
[00:27:36] Speaker C: Jon Watkins Consulting or its affiliates.
[00:27:38] Speaker B: Always consult with a qualified cybersecurity professional for tailored advice.