EPISODE SUMMARY
Subscribe or listen now: 
Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow and, subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a view on your platform of choice, or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.
Dan Lohrmann:
Some of the ones I want to highlight are ones that as we look at '23, they're really what the industry-leading players are saying, and a lot of research and money goes into these reports. So it's not just like somebody's taking their hand in the air and saying, "I think it's going to snow. I mean there really are detailed research and connecting the dots in these forecasts."
Joseph Carson:
Hello everyone. Welcome back to another episode of the 401 Access Denied podcast, brought to you by both Cyber and Delinea. I'm the host for the episode, Joe Carson, Chief Security Scientist and Advisory CISO, and it is a pleasure to have you listen to today's episode. And I'm really excited, because we've got another fantastic guest welcoming back again, and I'm joined by the amazing Dan Lohrmann. So Dan, welcome back to the episode and podcast again. It's so exciting. If you want to give the audience just a little bit of an introduction about who you are, what you do, and some of the exciting things you're doing in the industry.
Dan Lohrmann:
Yeah. Thanks so much, Joe. It's always great to be on your show and really, really excited about this conversation today. Again, Dan Lohrmann. I am a field CISO with Presidio Corporation more than 30 years in the security industry, and started my career at the National Security Agency. I was in England with Lockheed, and ManTec in the nineties, and then 17 years in Michigan government. So in Michigan I was an agent agency, CIO. Then I was first state CISO from all 50 states actually, but first State CISO in Michigan, and became CTO in Michigan, and then CSO. So we moved to a physical cybersecurity merger in Michigan that we did in 2011 to 2014, and I led that effort, and did a lot of great work in Michigan, our team did a lot of great work. And then I worked with the security mentor, was there for a few years.
Now I'm with Presidio, and we're a worldwide cybersecurity solutions provider. We actually get involved in all aspects of technology. So digital transformation, other things, but obviously I focus on the cybersecurity practice, and work with CISOs all over the US and even all over the world solving cybersecurity problems and just love this topic of predictions every year. As you and I were just chatting about, every year I do a security predictions roundup, not my predictions, but what is the industry saying, the top reports from around the world, and we're going to put that in the notes. So encourage people to go out there and see that, and we're going to talk about what happened in '22 and what's going to happen in '23.
Joseph Carson:
Absolutely. And this is what for me, it's always the thing. Sometimes we have to look back and just see what things were trending, what was significant, what was happening, what major incidents may have occurred, and it's almost a good indicator just to see how we're doing. It's almost like a measurement, and I love when you put the report together, and you put that kind of basically the blog, and all the details. It's fantastic. And for me, it's that consolidated perspective and all the trends and what people are thinking alike. And sometimes there's even the ones out there that are bit, bit stretched, really the future predictions, but it's always good to get that perspective. I think it's always good to sometimes get the ones that's a bit out there in their own, but sometimes might be getting closer to reality. So it's great to have you back on.
I'm really excited about the conversation today. And so definitely all the great work you're doing around the year in review predictions. For this year, is there anything significant that stood out, any of the kind of trends in 2022 that was something significant that may have changed the future direction that we're going, that may have been something, new threats that occurred? What specifically stood out in 2022 for you?
Dan Lohrmann:
Yeah. So I put together just last week, a bio that will link to this as well, a cyber review every year before I put out the prediction report. And so my headline this year was, "The year the Ukraine War shocked the world." And so I think the Ukraine War played into so many aspects of cybersecurity globally, and even the United States. And I think the good, the bad and the ugly. But I just highlighting, I went back and looked at all the different pieces that we've done, and looked at all the different aspects of that, and the attacks. And I think there's so many aspects that we could talk about, but not just the preparation, things that did and didn't happen. I mean, on the good side, some people were saying Russia would retaliate against United States, and we might see nationwide blackout, or really critical infrastructure being hit.
And some of that did happen. We'll talk about that. There was certainly nothing like the colonial pipeline this year, but there were certainly some critical infrastructure attacks that happened, but nothing that was people would put on the radar as being, "Russia retaliated against United States and cyberspace." But there were a lot of attacks there. It played out in a wide variety of ways, and I think we saw that in March in when CISA came out with the, we call the "Shields Up" campaign, and you can go to CISA Shields Up, I think we've talked about that in the past, and some great tips for organizations on how to protect yourself. If you haven't been to that website, go to the CISA Shields Up website, but kind of talking about those threats, but a lot of fear around that, and a lot of attacks.
I think that led to this mentioned a couple of the things that happened, the reporting mandates that came out in the spring, that I think there's a lot of trepidation in Congress. The Republicans didn't really believe in necessarily having those reporting mandates, but when the Ukraine war happened, all of a sudden they passed with almost unanimous, those reporting mandates in the banking sector.
And I think lots of other sectors are starting to see those as well, so I think that is a big trend. In July '22, I wrote a piece called, "Attacks Against Critical Infrastructure are Quietly Increasing." So while we didn't have any major attacks, we did have a lot of different types of attacks that hit some critical infrastructure in the US and around the world. Hacktivism DDoS was a trend. Again, I think you could talk about record numbers, the surges, 500% increase, I think we said between in the summer timeframe and over certain months earlier this year. I'd love to hear your thoughts, Joe, whether that's continuing now, but a lot of people attributed that to the Ukraine War, Russia, Ukraine. NATO countries hit with unprecedented, unprecedented cyber attacks.
So when Montenegro got hit, Estonia got hit, several countries that applied for NATO membership like Finland were hit. So you started seeing these NATO attacks. And we can say lots more, but I think what happened in Ukraine clearly was the number one story, and the spinoff from that. And I think that's going to play big into the worldview of cyber securities as we head into 2023.
Joseph Carson:
Absolutely. I completely agree. One of the predictions I had last year to this year was actually around the cyber war. I think it was a little bit off because I don't think in 20, I don't think we actually, of course we have the war, but I don't think it was a cyber. I think there was cyber elements to it, absolutely. When I look back in this year, I think it was much more of an information war that it was all about basically the truth, and there was a lot of disinformation campaigns, there was a lot of disinformation. So it was a battle of truth I think this year was that information was basically at war. I think one of the challenges when I look back, and I think some of the significant things is about how the social media bubbles determines what you see.
And I see got the point where this year you started realizing that when I look at the algorithms, when you have a lot of the social media platforms and you create your personalization profile, it starts to really just show you the things that you're interested in and it just reinforces your beliefs. And this really means that for me, I think social media platforms are starting and those AI algorithms that's basically within these platforms are really starting to influence our education more than traditional education. Our social media is starting to influence basically our ideology.
And so how you'll learn, and what you see to really kind of reinforce. So for me, I think that information wars, and the disinformation campaigns, and how those algorithms play to your beliefs, I think for me, I started to get a bit shocking about basically where the social media platforms are really determining and you're basically your mindsets, how you see things and rather than get, when we are in person, we might have different beliefs, but we have debates and we have discussions around them, but social media doesn't allow for that to happen. Social media isolates you in these bubbles, and it really kind of stops you from seeing and having those debates.
And for me it was a bit of an area. And I think one of the noticeable things I've seen this year as well was a bit of a drop in ransomware than we've seen in previous years. I think that was a notable decline. Actually the ransomware financial demand costs were still quite high and increased. And I think it's also a bit on the decline of cryptocurrency evaluation as well, has also influenced what the ransomware gangs are asking in regards to the actually ransom itself. So I have seen, I think it's mostly a lot of that's to do again with the Ukraine war where a lot of the ransomware gangs and criminal gangs operate out of certain countries which are under sanctions right now, and therefore have been I guess distracted into other operations, rather than ransomware.
So I think ransomware has been declined this year, but it's still something that we need to keep the eye on because of course the moment you tick your eye off ransomware, it comes back with a much more devastating blow with new variants that bypass a lot of controls. Hacktivism, absolutely. I think one of the things you notice is that people taking it into their own hands and when they see and or read something that they don't agree with, whether it being Finland and Sweden deciding to join NATO, then of course a lot of hacktivism and mercenaries is taking things in. So I don't think a lot of the major attacks this year have been from state actors, but probably more from independent mercenaries, you know, just going doing things on their own.
So absolutely. There's a lot. I'm trying to remember which country had the major attack this year? I think it was a Costa Rica, the country was actually taken out from a ransomware. I'm trying to remember which gang it was. I'm just looking up here. Was it the rival gang? I'm trying to remember. So Costa Rica had the ransomware attack this year, and actually took out a lot of the government, was it-
Dan Lohrmann:
Conti.
Joseph Carson:
Yeah. Conti Ransomware Group. Yeah. So for me that I think that was a big notable attack was the Costa Rican one, because literally their pension schemes and how they pay and do all the financial things were actually completely taken out and under ransom. So from a government, an entire country to be under a ransom attack, I think that was also significant to see how that played out as well.
Dan Lohrmann:
In that attack itself, I mentioned that in my piece and the $30 million each day that attack continued. So that was a huge, huge impact that hit. So yeah. Yeah. That was a big one.
Joseph Carson:
Yeah. Absolutely. So think for me, those are some of the noticeable things this year. I think also cyber fatigue is also increasing. I think organizations have really taken new steps to try and let's say put new controls in place while it being multifactor authentication or 2FA in order to mitigate attacks. But what I've seen happen as well is the attackers look for ways around those. And what this year I've seen is the rise of social engineering, it's been around for a long time. It's been increasing.
Social engineering's been something that's always been in the toolbox for attackers, but I think this year they really started to take it on as a forefront, and we started seeing a lot of organizations who have MFA in place but attackers using social engineering to abuse cyber fatigue, and just look for ways for people just to click, "Yes", and bypass a lot of those MFA. So I think we've realized that this year that MFA is not a 100% protection, that it does actually does have a lot of good security controls. But you also, in addition to MFA, you really had this think about security awareness training as well, good practice and hygiene. You can't do these things alone, without making sure you compliment it with other types of security controls as well.
Dan Lohrmann:
Absolutely. I agree with everything you said. I think I would say a couple things. I would put one or two caveats around ransomware. I do think the numbers were down overall. I do think there were some really notable big hits that still got some attention, especially around hospitals. I mean, the increase the number of hospitals hit the ransom demand in Paris, $10 million ransom demand. Then they had one recently that was a couple months later where they literally had to shut down a hospital, and they were moving patients to another hospital. And when those kinds of things happen, or other major whole health systems getting hit, are huge deals. And I think that the two top ones that were listed by one security magazine article that I referenced, I'll just mention these two big breaches. One in Australia, Medibank, which was data belonged to 9.7 million citizens, customers, past and present including 1.8 million international customers were accessed, and that's big numbers.
And then the LA school district, unified school district in Los Angeles, 500 gigabytes of information stolen, second-largest school district failed to pay unspecified advancement on October 4th. And there's lots and lots of data, social security numbers, tax forms, legal documents, financial reports, et cetera that were stolen. I mean there were still a lot of big stories out there. So while the numbers overall may be down, I mean '21 was a huge year for ransomware.
Joseph Carson:
Absolutely.
Dan Lohrmann:
I still think there were a lot of notable attacks that did get people's attention. Nothing that rose to the level of Colonial Pipeline maybe or some of the things we saw in '21, but obviously I think Ukraine did kind of suck the wind out of the room and in many ways, but there's certainly a lot of big attacks that did happen this year.
Joseph Carson:
And we're starting to learn also the costs of some of those attacks that happened in 2021 as well. We look at the Irish health services, which was also under the country attack as well, that the cost of that has been excessive 80 million euros, which it shows you that this is for a lot of organizations and businesses and countries, it is devastating and it does ultimately those ones comes out of taxpayer's money that ultimately have to fund those and to recover. So it is quite significant. One of the things also, just kind of get your also thoughts around this year I got really concerned. I think for me probably the biggest one that I'm really concerned around, is the advancements of deepfakes. It's been a run for some time and we've seen kind of different elements of it, we've seen where you can replace faces and audio.
But I think this year I think it really got to the point where you can look at a deepfake video from a real video side by side, and you can't tell the difference. Humans are getting the point where the quality of deepfakes is so good that by your eye and your ears, you cannot tell the difference. You actually need some type of technology to go and look at the bits to see if there's some type of basically algorithm being used there to modify. We can actually start looking at the bits and bites itself. But for me the advancement that deepfakes is getting to the really point where you can look at a video, and it just looks like the real person speaking exactly how they would and manipulating that. What's your thoughts around deepfakes from a trend this year?
Dan Lohrmann:
Yeah. I totally agree and that shows up in several of these reports too, and several vendors are talking about. Obviously this last year we didn't have a president presidential campaign, but we see political campaigns, or very public figures being misrepresented is like, "Did Justin Bieber really say that?" Or, "Did that senator really say that?" Then quickly and something can come out in the press saying, "This was a deepfake." That's one thing. So I'm totally in agreeing with you what some people are now predicting as we head into 23 is that this is going to become more and more targeted so that now my friends, or your friends, or people at your local rotary club or whatever, they now fake something and those people, don't expect a local paper or the media or the national press to say, "This is fake."
So now, it's getting really personalized, it's getting more focused, we could see that on a widespread level of trust level. So I do think yes. They got more sophisticated in '22. I think as we get to '23 we'll see over the next year or two. One thing I also say with predictions as we go into this report is it's less important whether something happens this year, than, "Is it a trend? Is it a direction that we're heading?" A prediction a few years ago, people will die because of a cyber attack." Or whether that happened that year or whether it happens the year, January of the year after.
I mean clearly if multiple different people are seeing this, and the potential is there, it's likely to happen. So I totally agree with you. I think deepfakes, not only is it scary, it's becoming more widespread. It's becoming cheaper. It doesn't cost millions of dollars to create some super fantastic video that's fake, that somebody might use in a presidential campaign or something. That's one level. But now it's getting down to where anybody can get these tools and do it and it's getting cheaper and cheaper to do quality deepfakes.
Joseph Carson:
Absolutely. That's one thing. It's just becoming accessible for everybody to go and do. And simply, I think one of my predictions for 2023 is around that the advancements of defects will get to the point where it's not just about stealing your account, or stealing your identity to an account, or your credentials. Yeah. I see that deepfakes has the potential with somebody pointing it to your social media profile, they could simply steal you. They could become a digital version of you to all of your online content. And if we don't put in the things today in order to make sure that we're context aware, that we know the original source and we know that there's enough solutions out there that can actually flag deepfakes quickly, that it has a potential of major things. Like once it gets into media, and then it gets to the point where you could say any video that was created in the past is a deep fake.
And so it becomes also deniability as well, that it means that you have a good reason for actually denying any type of video, even if it may be real, something real that you did, that there's a deniability as well. So it gives people that say things that can have an easy way out. So for me, I think this is a bigger area of concern. I think it's a bigger area that we really need definitely a lot of emphasis, and focus around. How do we do it? Does it need regulation? Does it need some type of responsibility that we need to all come together with some standards, or government cooperations? For me, I think this is up there with the potentials of AI. Deepfakes is in that realm.
And that kind of brings me one of the interesting ones of course is recent times has been Chat GBT, which must have been an interesting one. I've seen some interesting peers of mine playing around in interesting ways. And it can also become get the point where it can actually help you identify how the hack in the best ways as well. Yeah. So it's been interesting seeing some of the interesting conversations. So for me, of course it is using things like natural language learning abilities, and machine learning and using all those algorithms. But that's another area where you're getting to the point where that, "Are you talking to real person, or are you talking to a bot?"
Dan Lohrmann:
You're right.
Joseph Carson:
Would be the question.
Dan Lohrmann:
No. You're right. And I think if we want to dive into some of the predictions, I just want to say, as I mentioned earlier in the broadcast that some of the ones I want to highlight are ones that as we look at '23, they're really what the industry-leading players are saying. And a lot of research and money goes into these reports. So it's not just like somebody's sticking their hand in the air and saying, "I think it's going to snow." I mean there really are detailed research and connecting the dots in these forecasts. I'll just mention it off the top three reports that I had this year, and I have a methodology for this. We can talk about that if you want to go there, Joe, but Trend Micro, again, topnotch report, detailed report. And one of the things they do literally it's over 100 references, so you can dig into the detail, "How do they come to this conclusion? Why did they say this is going to happen?"
And then go read three, four, five reports backing up. And then they really do have statistics to back a lot of this up. So I'll just list a couple of things that they're talking about. But then we have Trend Micro, WatchGuard is number two, great report. And Kaspersky, which I know is Russian, I'll tell you, they do a great job around the world. They have a good great research arm, and I have absolutely to tell you they have a lot of really good material that was well researched/ and I always hesitate, people look at me and I always get a little feedback from, "Why is Kapersky in the top five?" But it's good material, it's a good read. Whether you agree with everything or not or they come from a different point of view. I like to get different points of view on different things.
But back to Trend Micro, just a few of the items shape-shifting ransomware business models will become a bigger avenue for data theft and blackmail. Because some of these, I'm just going to run off these predictions. There's pages of details, "And what do they mean by that, and how does that work?" And I encourage people to go to the reports and read it. Inconsistent applications of cloud technology. We heard enterprise's adoption of new tools increase. So again, cloud hacks, a lot of messages, a lot of themes around cloud people moving data to the cloud. We all keep hearing this, but people process technology and misconfigured cloud services, people putting things in the cloud, "Well, it's with Google, it's with Microsoft, it's with Amazon, it must be safe." Well, maybe then they do have great services and I'm not knocking them, but it does come down to how you configure things and what you do as a company to protect that data.
The enterprise perimeter will expand into the home. We heard that a lot quite frankly during COVID. So that's not a whole lot new. Some of these have been trends we've seen for a couple years. You mentioned social engineering, totally a big thing. Social engineering is an ever growing threat. BEC, which is business email compromise, and deepfakes will take new forms. Exactly what you're saying. That was one of theirs. Number five, give you four more here real quick from trend, and you can give me some feedback if we go through a couple more of these.
Joseph Carson:
Sure.
Dan Lohrmann:
But the hype surrounding digital novelties like NFTs and metaverse will keep waning, but the blockchain technology on which they are built is going to be where the real action is. So that's a really interesting one to read about, "What do they mean by that? Even if NFTs and Metaverse become big this year or '23, what about blockchain and how is that going to be attacked?" Attackers will further capitalize with vulnerabilities, and in truth through overlooked attack surfaces like open source software. So again, that whole lifecycle support-
Joseph Carson:
Supply chain.
Dan Lohrmann:
... software, big one. Two more, industrial entities will top off their tech stack but struggle to keep up with staff shortages and vertical regulations. So again, the whole TA talent issue, how that plays into the recession, "If we have a worldwide recession, what does that look like with pay and tech and talent?" A lot of talk about that. And then last one here, enterprises will veer away from point solution approaches and go to more platforms, less vertical, "I need the best product but it's getting too complex", and I'm hearing that a lot CISOs, if they have 40 tools, they want to get to 20, if they have 80 tools they want to get to 40. People want to right size their tool set. So those are just the top eight with Trend Micro, and I'd love to hear your thoughts on those, Joe.
Joseph Carson:
Oh. Absolutely. I think for me it's very enlightening. Absolutely. I completely agree with all of them. Every single one of them is spot on. We might have different terminologies. I think for me, absolutely the remote working side, the perimeter of organizations is extending into the home. That's one of the things Kenneth mentions is that the people's homes are becoming extension of the office. And I actually referring to it when I went, from, "Bring your own device", to, "Bring your own office." Employees offices or home offices is almost like a mini cloud of the organization's extension. So for me, absolutely. I think that's going to be where people's homes are going to be basically mini micro offices, and micro clouds, an extension of the workplace. And it means that how we manage the old traditional way is going to have to evolve, because we can't expect organizations to manage your home network.
It's not going to happen. They're not going to be able to secure it. So there has to be different ways of where that security starts and stops. Absolutely. The workforce, I think that's a real big one, to the point where, "How do we get new talent?" Because I think we've been actually losing a lot of talent I've seen is even when I've worked in a lot of over the years I've seen people leaving, not even just leaving the company from burnout, and mental health, but actually leaving the industry and choosing other career paths.
And we really need to start thinking about how we can attract more people to get into the industry, "How can we make it fun again?" I think one of the things I'd like to see is how we can bring the enjoy back into the security industry because I think it's been too much fear and fun for the past couple of years, and we just show how we can entertain. And for me, I think I've seen hacking gamification being a big adoption there, to get new talent as well as also making some of it enjoyable and fun.
Dan Lohrmann:
I'll just jump in on that. It may have been another company that did an interesting prediction around talent and they basically said, and like I said, that may not be Deloitte, but it was a really interesting prediction I saw that companies will go away from certifications and skill sets, and go more towards just hiring talent period to fill cybersecurity roles. And the philosophy is, "Well, how will they know what to do?" Well, I mean, managing vendors, man working as teams, working with others, bringing in the best and brightest even if they don't have maybe the experience, or the certifications, or maybe even the college degree in the right field, maybe they're not a computer security expert, but that they're predicting that that's going to be one of the solutions.
Joseph Carson:
Absolutely. I think completely when the talent side of things, there's going to be that you might be specialized in a certain area, but you might be managing those relationships from vendors and vendors will be moving more to manage service providers, or MSPs, or you basically managing that side of things so it becomes more, you're managing the relationship and the expertise will retain in the vendor, and basically you'll be just basically pulling them in when you need them. So completely agree. That's one of the definitely ways forward.
And also we'll expand. One of the things that to deal with social engineering is abusing people's trusts. So we have to make sure that we have good cybersecurity awareness training programs that actually is about how we make sure that people can identify those. So it's all about how we can communicate to people. And I also think that one of the lacking areas of talent in our industry is therapy and psychology. And for me, I think it's really about, "How do we make sure we have the necessary support with the team as well, to make sure that we have all of the necessary kind of resources to make sure we're focusing in the right areas?" One of the other things, one thing that was probably missing I think that we haven't covered is also the cyber insurance, I think-
Dan Lohrmann:
I was actually going to bring that up, because let me quickly go through the six for WatchGuard, the second list real quick, and then get your response. And I know we have to wrap up here in a few moments, but I always like WatchGuard every year. They're a smaller company but they do a really creative job with a lot of their YouTube videos, they're a lot of fun. But they've got their top six, let me just read those. And they lead off with insurance. There's a lot of them that actually talk about cyber insurance, a lot of prediction reports talk about this.
This one's saying insurers verticalize their already increased security requirements. I've seen a number of other ones that talk about, one says, "An insurer will buy a MDR company, or they will start taking over doing managed services themselves, and insurers will merge with managed solutions. Because they want to get that inside insight of what you're doing." And then that's an interesting, we'll see if that happens or not, but several people predicted that cybersecurity evaluation and validation becomes a top factor in selecting vendors and partners. The first big metaverse hack affects a business through new productivity use cases. That's an interesting one.
Joseph Carson:
That's an interesting one.
Dan Lohrmann:
It was. Yeah. Definitely interesting. And I think another one here, there's a lot about MFA. You mentioned MFA earlier, a lot about MFA. Since so many people are moving to MFA, multifactor authentication, that a lot of the bad guys are going after ways to get around that. So MFA adoption fuels surge and social engineering, which again you mentioned that earlier. A novel robotaxi hack will result in a daze and confused AI car. There's a fun one for you. So somebody's got to hack your car, and drive it into a retreat. AI coding tools introduce basic vulnerabilities into new developers projects. So those are their top six. I'll stop, and let you respond, but there's-
Joseph Carson:
Really interesting.
Dan Lohrmann:
... a lot about MFA.
Joseph Carson:
Yeah. Really interesting. Absolutely. The MFA for sure, social engineering, all of that. The insurance one, absolutely. Interesting about the consolidation between EDR, MDR, and the cyber industry. Yeah. Because that's one thing I think my worry is that cyber insurance companies, they're really looking how they evolve, and make sure they reduce their exposure. Because they have a big exposure into a lot of attacks. And they've been increasing the prices, they've been putting hard limitations in place in regards to what you get payouts and so forth, when depending on the type of attack. My worry is that when I look at some organizations are looking to cyber insurance companies as an alternative to the risk. And that concerns me is that, "Here's the financial safety net, is it you do good cybersecurity? Or you get cyber insurance?" And I'm hoping that organizations are not making it and an, "Or", decision that I'm choosing either or, because ultimately it should be both.
The cyber insurance company should be requiring you to do good security, but that's not always the case, Andre not always evaluating that. So having that combination of EDRs, and SDRs, and MDRs all together with the cyber insurance company absolutely makes sense to me. So it'd be interesting to see if that one goes. Because the metaverse side of things, that's an interesting one that for me, not a 2023 prediction, but more of a long-term prediction is definitely we will start seeing much more of VR and augmented reality. And I do see those types of attacks evolving in the future. Where you'll have people I've seen using augmented reality and VR to do basically pipeline checks where they're actually flying a drone, they're in the cockpit flying that drone, they're checking it for leaks, they're checking it for maintenance, and doing repairs.
And that's an augmented reality side where they're looking through the lines of that drone. For me that's probably an early, not 2023, but beyond a bit. But going into the metaverse though, that'll be interesting. I've seen a lot of discussions around things like stealing your virtual home and your virtual money in the metaverse, is that you may have built a house, you may have had all of this land and whatever it is and people stealing, getting in the metaverse. I think one of the things we had Philip Aman on from Europe, Paul, and we were talking before about, "How does a criminal investigation go from the law enforcement into, 'I've had my virtual house stolen', how does an investigation go into that?"
Dan Lohrmann:
You need an avatar cyber expert. My family's going to see Avatar, you know, need an avatar cyber expert to go in there and do the investigation. It'll be fun to see how that happens.
Joseph Carson:
Virtual cops. We're going to have virtual police officer, law enforcement.
Dan Lohrmann:
Something like that. Yeah. Absolutely. I mean, I know we don't have any more time than really we're out of time, but I do like some of the Kaspersky ones and the whole list is great. I encourage you to go read it, but they talk about the next WannaCry. They talk about male servers becoming priority targets. Interesting ones, a lot about space. There are a lot of predictions about space last year, space getting hit. There's actually some headlines recently about the US Space Program may be getting hacked. And so how much of that is real or not? I mean think there's different arguments out there right now, but there's talk about that. There's a lot about hacking drones, hacking satellites. And then what is SIG delivered malware, signals intelligence for those in the NSA community, and the three letter agencies, that's a little spy novel kind of thriller-
Joseph Carson:
We have seen-
Dan Lohrmann:
... for you.
Joseph Carson:
... we have seen basically the buildup of ransomware being embedded within a spreadsheet, and then there's a mathematical algorithm, a macro that will bring it together in all of those different fields, and forms, and they'll be hidden in forms. But putting it in signals, that'd be pretty impressive, especially if it comes from different sources and it accumulates in a central location, that would be interesting if that was possible. I've seen data been moved between things like playlists. From a playlist, you might download a playlist from Spotify, or some media or some streaming channel. And in the playlist itself it's got all of the right codes and names and then what you can do is basically as long as you get something to execute, it can actually build that payload together from the playlist data. So there's some interesting aspects, but signal intelligence, bringing it together of that would be a pretty impressive, somebody was able to come up with, make that possible. Quite complex I would say. But absolutely.
Dan Lohrmann:
I would say so as well. But it's interesting, it's coming from Kapersky's, so I'm not going to say anything more than that. But they know something. Anyway.
Joseph Carson:
Dan, it's been fantastic having you on the show and really it's really enjoyable talking about a lot of these, and definitely we'll make sure we'll get for the audience links to the predictions, and review content from the show notes. And really interesting conversation really. And some of those predictions for me I'm like, "I'm going to go back and take a look at some of them." I completely agree with a lot of them. Some of them are I think a little bit further down and some have already seen. I think the space one we've seen for some time. The question comes really into is that is the motive that, "Yes. I think they've been hacked, but do they want to let you know that something has happened?" I think those are more stealthy types of attacks that's usually using cyber, but really interesting, and look really looking forward to reading it. And as always, it's been a pleasure. Any final comments you want to let the audience know?
Dan Lohrmann:
No. Just thanks a lot. Appreciate it being on your show and wish everyone a happy holidays.
Joseph Carson:
Absolutely. And for everyone, stay safe. Enjoy the episodes. It's been great having Dan on and tune in to the 401 Access Denied podcast every two weeks. Bringing new thought leadership, new ideas, and really trying to educate you, entertain you, and keep making the world a safer place. So thank you. Stay safe, and take care.
