
Attila:
... if this, uh, podcast is, is being used as training material, then I think the AI engine just said, “Challenge accepted.”
Matt:
[laughs] We will work on our personality.
[upbeat music]
Narrator:
You’re listening to the Cyber Secured podcast, helping you become safer in every way. Now your hosts, Matt and Attila.
Attila:
Welcome to the Cyber Secured podcast, Hawaii’s number one cybersecurity podcast. I’m your host, Attila, and—
Matt:
I’m Matt.
Attila:
Thank you so much for tuning in, and it is the new year. It is 2026. And if you are in IT, then we want to talk to you, because everyone is freaked out about their network getting compromised.
And, you know, we deal a lot with companies that have compliance requirements, and compliance is great. Compliance is a good rule of thumb, but compliance also tends to drive IT people crazy because a lot of it is operational, right? Like, how do we get HR to do a proper background check? And how do we write up documentation on a proper incident response? And how do we do documentation on a policy and procedure?
Man, that stuff is boring to an IT person. And believe me, ’cause I’m the compliance and the IT guy, and so is Matt.
Matt:
[laughs]
Attila:
So we wanna have an IT discussion.
Matt:
Yeah.
Attila:
And part of that is, let’s just be real. What’s it gonna take to actually keep your network from getting compromised and having to deal with a cybersecurity incident?
And so that leads me into why we created the Riskara IT Survival Test. It’s an actual test that you as the IT manager can do on yourself, on your own network. And it’s a checklist to find out what it’s gonna take to keep a problem from happening, and it’s based on years of experience.
And, you know, we’re giving that out to the community. So reach out, and we’ll make sure you get a copy of the test that you can do for yourself.
But when we sit down and we talk about real-world stuff, we’re not talking about fluff. We’re all talking the same language. It’s IT. How do we make sure that these things are done on your network?
Matt:
Well, and we’re not just talking about compliance either, ’cause compliance is mostly—at least for a lot of what we see it’s guidance. But it’s not necessarily what is happening out in the real world, which we see.
Attila:
Sure, yeah.
Matt:
We see things that happen in the real world, and these guys are clever. So compliance will take you only so far, and it will allow you to be able to apply and get certain types of contracts and whatnot.
Attila:
Yeah.
Matt:
But when it comes to real security, there are some things that you should really look at, and this questionnaire helps you get through that.
Attila:
Yeah, absolutely. I mean, think about it. You don’t have to take my word for it—just Google hospitals getting compromised by ransomware. Hospitals are subject to HIPAA compliance. They have lives on the line. They have people who really care about the networks. And yet—hacked. Ransomware. How’s that happening?
Well, there are things that you can do. I hate to say it, but a lot of this stuff is so simple but not easy.
Before we jumped onto our mics here, Matt and I, we went through a couple of the questions on the IT Survival Test and figured we could maybe talk about them and why they’re on there, and what’s a real-world application of fixing a problem that you can do today, or at least get started on, so that 2026 doesn’t become a year of disaster. It becomes a year of relief.
Matt:
Well, here’s an easy one. Second question on this list is: Do you have a deny-by-default application control on your office workstations and servers? We talked about this last week.
Attila:
Sure.
Matt:
We had a situation where this lady needed to view a PDF. She didn’t realize that she had a PDF viewer on her computer. She might not even understand what PDFs are exactly, but she needed to open a PDF, so she went online and she looked for a PDF viewing application.
And to run an application on a computer, you generally don’t need to be an admin. You can run anything. The only time an admin permission is needed is typically if it needs to access higher-level security, it needs to do something to the system, it needs to access things that the general user doesn’t have access to if they’re not an admin. But they can run and open an application.
And this application, as we mentioned last week—
Attila:
Mm-hmm.
Matt:
… asked her for her credit card information.
Attila:
Wow!
Matt:
It didn’t do anything malicious. It didn’t try to spread a virus. It didn’t try to install malware or anything, so that’s why it wasn’t caught by our EDR software.
When she did try to put in her credit card information, that is when our alarms went off and we got flagged by it. So we went ahead and contacted the IT manager. It was an old app that she started up, didn’t realize that she already had PDF Viewer installed, but denying applications by default would have blocked that.
Attila:
So let’s kind of rewind on this. Deny by default means that unless this application is approved explicitly ahead of time by an IT manager, it can’t run, right?
If you kind of think about it, that’s how security was created in the first place. Think about just the basic firewall. Even a Windows firewall or a firewall device—by default, stops all—
Matt:
Incoming traffic.
Attila:
… you know, ping, incoming traffic.
Matt:
Well, back in the day, Windows Firewall was nonexistent. Didn’t exist. We connected our computers directly up to the internet.
I remember a time when, as a teenager, as a kid playing games online with other people, if you could figure out what their IP was—someone that was driving you nuts on a game server you’re playing—you could send this packet, this crafted thing, to their computer and crash their computer across the world.
Attila:
Wow!
Matt:
And back then, I’m sure there was a litany of things you could have done to be able to just get into the computer. And sure enough, I don’t know how many years later, we had ransomware and viruses and worms that spread across the internet.
Attila:
So when you have deny by default turned on, there’s no more of a reactive approach. So that story you just retold about the lady downloading a third-party piece of software—we had to react—
Matt:
Right.
Attila:
… to her download, right?
Matt:
Yep.
Attila:
Instead, it should have just stopped by default.
Matt:
Yep.
Attila:
So from an IT manager’s perspective, it’s a whole lot less work to maintain it, but I think it’s a little bit more work upfront.
So I did a little bit of research on this because there’s different products out there that do these things—application control. I think ThreatLocker is probably the most—
Matt:
Well-known.
Attila:
… well-known one.
Matt:
Yeah.
Attila:
It’s on, I think, 70,000-plus organizations. But an IT manager does need to maintain that application list. And as it changes or as it drifts, they do have to do a little bit of work.
Versus dynamic application control where a SOC team or an outside party like us would manage the applications permitted on the network, so the IT manager can just kick back and say, “Go do your thing.”
Either way, deny by default—or at least having application control—is something that I’m seeing on some cyber insurance questionnaires. And I have seen it on some interpretations of the CMMC 2 language that’s out there.
Matt:
It’s a new concept, but it’s not a complicated one, and it’s starting to become something that by default can be really helpful.
Attila:
Now, here’s a big problem though, moving—segmenting—to our next question. So we’re talking about browser extensions.
Matt:
Yeah. So would this block browser extensions?
Attila:
Mm.
Matt:
No, I don’t think so.
Attila:
No, not. So the question we have here is: Do you review the browser extensions that your users have installed onto their computer browsers?
And maybe we should remind our audience what browser extensions are in the first place and why they exist.
Matt:
I think one of the biggest, most popular, and well-known ones is Honey. And they were caught actually [chuckles] doing some pretty ludicrous stuff. I won’t go into details here.
Attila:
Well, but what is a browser extension?
Matt:
A browser extension is something you can load up in your browser that is supposed to be a little helper. A good example is a password manager browser extension.
It can see you putting in the password. It can help you manage your passwords. It can put passwords in for you. It can help you do your 2FA—all kinds of stuff.
They’re really, really powerful tools—really useful—and also way OP. OP means overpowered.
Attila:
Overpowered.
Matt:
Yeah. They can see and manage and manipulate and copy everything you do in your browser.
Attila:
So I’ve used the Honey browser extension.
Matt:
I have too.
Attila:
And one thing I noticed is that when I would go to make a purchase, Honey would say, “Hey, wait a minute. There’s a little form field there that says discount code here. Would you like us to try 20 or 30 different discount codes that have been published on the internet?”
And yeah, sometimes it saves a little bit of money, but that means it was watching me go to that website whether it’s—
Matt:
And log in and put in your password.
Attila:
Yeah. So it’s picking all that stuff up. So Honey got in trouble for harvesting that information and then selling it to advertisers, right?
Matt:
They… yeah, they were selling, reselling stuff. They were definitely playing kind of a man-in-the-middle sort of role, but doing it in a very sneaky legal way.
Attila:
Sneaky legal.
Matt:
Yeah.
Attila:
But that’s just one. How many browser extensions are there? Zillions.
Matt:
Oh, there’s so many. And I’ve always tried not to load too many in my browser, because I always felt—especially after using… what’s the one that’s supposed to help you with your grammar?
Attila:
Grammarly.
Matt:
Grammarly, yeah. We could use that in this podcast as we’re talking. [laughs]
I had Grammarly loaded for quite a while, and I liked it, but I noticed my browsing would slow down, get a little sticky, and it felt like it was interfering with my interaction with the web.
And this is before I really understood how powerful browser extensions were, so I removed it and things got better. But yeah—it could see everything.
And when we were at DEF CON, this was something that was demonstrated. It was kind of scary.
Attila:
What did they demonstrate?
Matt:
So the gentleman demonstrated how passkeys are all the rage now in terms of how we store and access passwords—how we connect to websites. Google is starting to roll out passkeys. Apple is rolling out passkeys. And it’s great. It’s a good move forward incrementally in terms of trying to do better security with your average user.
Attila:
How can we describe passkeys in like two sentences?
Matt:
A passkey is a combination of password plus 2FA—so it’s both something you know and something you have all wrapped into one.
When you go to a club and you want to get in, you have a password you say to the bouncer at the door. Anybody could have that password. But when you combine that with 2FA, he’s looking at a clock that’s synced to a certain time, and you’re linked to a clock synced to the exact same time, and at the exact second you both say a keyword tied to a number that second. That’s 2FA.
The number changes every 30 seconds. A passkey is a combination of those two things, and you don’t actually have to remember the password—it’s stored in your passkey vault. And then the website sends the encryption.
I’m oversimplifying this a lot, but the website sends the encryption so that your system can get in.
So what they demonstrated at DEF CON was that browser extensions can actually observe this stuff.
Attila:
Oh, interesting.
Matt:
It can observe the passage of the passkey and interrupt the flow of the passkey to a website. They did point out they can’t duplicate it. It’s not like it can actually copy the passkey from the system and then, from then on, also have access, like it relays it to a malicious third party and it has access.
Attila:
Kinda like pass the hash.
Matt:
Yeah. It can’t do that.
What it can do is act as a man-in-the-middle and interrupt that handshake and say, “Whoa, whoa, whoa. That passkey doesn’t work anymore.” Then it would force you to reauthenticate and do a new passkey.
When it does that, then it would be able to copy the handshake, pass it off to the malicious third party, and get in on your behalf.
And he pointed out after that: any browser extension has this ability with the default permissions.
Attila:
’Cause they’re all overpowered.
Matt:
They’re all overpowered. The default permission of a browser extension is that it can interact with your browser session, and that’s both good and bad. Good because it’s being a helper. Bad because there are so many malicious extensions out there.
Attila:
And our world has moved to browser-based everything. Banking, accounting—
Matt:
All of our stuff with Microsoft, SharePoint.
Attila:
Sure.
Matt:
If you’re not a Microsoft organization, then Google, Dropbox.
Attila:
Google’s gone full tilt.
Matt:
Yep, over the years.
Attila:
Everything online. Everything’s browser-based. So if it’s reading all that information, and there’s no way for you as the IT manager to really understand who has what installed as browser extensions—what do you do?
Matt:
This is kind of a new frontier. There aren’t a lot of tools for being able to mitigate against this.
Attila:
Well, there’s a couple.
Matt:
There’s a couple.
Attila:
There’s a couple. One I’ve heard about but haven’t used firsthand: Malwarebytes has some sort of browser extension monitoring thing, I’ve heard. The big one is Google Enterprise Manager.
One of our clients recently rolled this out on a few hundred workstations, and it worked out pretty well. There’s a free tier and then there’s a not-free tier. Obviously, the more you pay, the more features you get.
On the basic level, you can have everyone’s Chrome configuration uniform. You can permit or deny browser extensions. You can also create custom homepages so that when everyone opens Chrome, they see a company webpage—so they can’t go to inappropriate sites.
And it has more granular options the more you pay. But just the ability to block users from installing extensions—
Matt:
Yeah.
Attila:
—because let’s be honest, you can have a user with standard permissions, non-admin rights—
Matt:
And even have app blockers built in.
Attila:
Yeah.
Matt:
You can have the whole nine yards of security rolled out on the system.
Attila:
Yet they can install a browser extension which reads everything that they’re doing, and they’re using web-based everything, so… whoops. [laughing] You got a problem.
Matt:
Working on HR docs, including how much everyone’s getting paid, all being read by your browser extension. [laughing]
Attila:
How many times do you have to enter a Social Security number sometimes? If you’re an HR manager setting up employees on the payroll portal and it picks all that stuff up…
Matt:
And the reason why years ago we never had websites that would allow you—or took credit card information—is because there was no encryption. Websites were plain text, in the clear.
So any information you submitted over the web could be seen by anybody on the network. And then SSL, HTTPS, was introduced. That allowed banks and other organizations to feel secure about allowing people to put in credit card information, Social Security numbers.
Attila:
HTTPS has been around a long time, but web browsers weren’t enforcing it. I remember when it happened.
Matt:
I feel like the last couple years.
Attila:
Google would complain if it was HTTP, not HTTPS, and say “This website’s not secure.”
If the SSL certificate on your company’s website expires, and you do have to renew them, Google would just go on and continue to do its thing. Now it puts a big “website is insecure” message, and you have to go and renew it.
By the way, folks are so averse to buying SSL certs, like it’s some mysterious black-box process. In terms of installing the cert, sometimes you have it on internal network devices where you can put the cert, on web servers.
I’m happy to share—not a sponsor by the way—our little secret weapon is Namecheap.
Matt:
Yeah. Namecheap has a lot of certs, different types you can purchase.
Attila:
What’s the one you like that you rotate every 90 days? It’s free.
Matt:
Oh, Let’s Encrypt.
Attila:
Oh yeah, Let’s Encrypt.
Matt:
Let’s Encrypt through Cloudflare. They won’t allow a cert longer than 90 days. I use them for wildcard certs. And a few folks out there might raise their fist in the air as I say this, but I use wildcard certs a lot for obfuscating how we get to certain things on the internet.
But to keep it secure, Let’s Encrypt and Cloudflare keep it at 90-day expiration, so if the wildcard cert were copied, it wouldn’t be usable forever.
Attila:
The Comodo cert on Namecheap is like five or six bucks and lasts for a year. So if you don’t want to do it four times, you can just spend the five bucks.
Matt:
And for those of you who are not tech-savvy—yes, we’re getting into how the sausage is made a bit. Just know we’re talking about stuff related to how things are validated on the internet as safe. Like: “Yes, this is Bank of America,” or in Hawaii’s case, Bank of Hawaii. “This is their website, and they purchased a cert, and you’re not being fooled into putting your information on someone else’s server.”
Attila:
For the IT managers listening—when you do buy the cert, if you do Let’s Encrypt, every 90 days you gotta do it. I always forget how to reinstall the cert, so I just put it in GPT like: “This is the web server I’m using. This is the Linux distro. Give me a step-by-step on how to reinstall the cert because I already forgot how to do it.”
Matt:
I just realized Google Fu is slowly becoming less of a thing, and it’s all now AI-based.
Attila:
I heard Gemini struck up a deal with Apple now, so a lot of the Google Fu-ing you used to do is being fed into Gemini and shifting over to Apple. So you’re going to see convergence there. I think search engines are slowly migrating over to just AI.
Matt:
Yeah. I’m noticing all my searches on Google are showing up as AI responses first. That’s a whole other bucket of worms.
Attila:
I can’t understand what the business model is. Google makes billions from advertisers, and if you want to advertise on Google… but they’re chopping that away—
Matt:
They’re not. You can advertise in that space.
Attila:
Oh, in the AI space?
Matt:
Yeah. Somehow. I’d have to look it up, but I have heard, I forgot where I read the article, they were talking about how there’s now prompt poisoning—malicious actors paying for advertisements that are getting into those responses. Because it shows up first, people trust it.
Attila:
I see. So if you ask “What’s the best coffee?” and Starbucks is a big-time advertiser and they spend more money than Peet’s Coffee…
Matt:
It can show up there in the AI response.
Attila:
And it’ll say “Starbucks is definitely the best coffee,” and you say, “Well, it’s AI. It must be true.”
Matt:
Or “What’s the best EDR?” Then someone poisons the prompt with an advertising budget, you click the link or go to the website, and it could be a malicious actor.
Attila:
Buyer beware. Don’t trust the AI.
Matt:
We’re re-entering a Wild West phase of the internet with AI. Things were starting to get more secure, more well-known…
Attila:
Stable. Predictable.
Matt:
From 2010 to 2018, we were getting out of the Wild West phase. There was a lot of hacking, a lot of ransomware and malware stuff going on. Then we were slowly understanding the threats that were out there and locking things down and kind of getting hold of it, and then from 2022 to 2025 we were feeling good—but then AI came along, and it’s getting Wild West again.
Attila:
From an IT manager’s perspective, AI is going to make a lot of those tasks, those hires that you wanted to get to bring in junior IT people, those positions go away.
Matt:
Yeah.
Attila:
Instead, a senior person may have an AI army behind them to assist, or it’s outsourced to someone using AI—so that way they don’t need to increase headcount. I think that’s a bit disappointing.
I do know that there’s a philosophy that new technology creates new jobs in different ways; I just don’t know how that’s playing out. Maybe time will tell. Maybe a few tax returns will be posted by the tax service. But I do know there’s a lot of uncertainty in the education space, specifically around IT, programming, and all of these kinds of knowledge-work jobs that traditionally gave a good career, good options, good choices for those coming out of college. But I kind of faced a lot of that same stuff coming out of college too. I was inexperienced in the workforce—it was hard for me to start out just for not being experienced—but combine that with AI, and I don’t think these kids have a chance. It’s tough.
Matt:
Yeah.
Attila:
There’s a lot of uncertainty. There’s political uncertainty, AI uncertainty, economic uncertainty.
Matt:
I think we’ve just got to work on our personality skills. That’s going to be the last vestige AI won’t take over—personality.
Attila:
Personality. [laughs]
Matt:
[laughs]
Attila:
If this podcast is being used as training material, then I think the AI engine just said, “Challenge accepted.” [laughs]
Matt:
[laughs] We will work on our personality.
Attila:
Yes.
Matt:
[chuckles]
Attila:
All right. Let’s do one more of these. What’s another good question we have on this list? Should we talk about 2FA, VPN?
Matt:
Yeah, I think I’ve mentioned it a few times. VPN is what I want to talk about. I feel like I’ve mentioned it a few times, but to me, VPN… most people are familiar with it. They don’t necessarily understand what it means, but they know they use it, and they know it’s important. When they go home, they need it to connect to a file system or whatever they use for their environment.
Attila:
We’ve dealt with multiple breaches because of VPN being an entry point. So maybe we should talk about some of those and how it could have been done differently.
Matt:
So depending on the organization, some places issue out work laptops. Some places will, you know, be easygoing with how they let people connect. Sometimes they allow people with home computers to install VPN.
Attila:
But why would a company even use a VPN?
Matt:
Well, if they have on-prem servers—
Attila:
There we go.
Matt:
Yeah. On-prem servers, on-prem services, or services that can only be accessed through the VPN—that’s the primary need.
Attila:
It’s usually sensitivity of data, right?
Matt:
Yeah.
Attila:
Like, for example, some of the clients—engineering firms—have 30 to 50 terabytes of data. You just can’t put that all in the cloud. So maybe some working files, but not archives. Archive files are VPN-enabled.
A lot of companies are still using on-prem Active Directory—so if you’ve got to authenticate, then always-on VPN authentication helps.
Companies that travel—a lot of mobile workers do international work—connect from Guam. Because 365 is geo-fenced, they need that persistent VPN connection.
Licensing servers. And we also see legacy applications, so we’re talking about, like, document imaging. X-rays. Medical imaging. On-premise legacy CRM systems. EMRs. Those are typically stored on-prem or on local data center servers, and in order to access that, VPN is required.
Matt:
Yep. And in and of itself, it’s not dangerous. What’s dangerous is the fact that typically the setup with VPN allows access to the entire network, and there isn’t anything locked down in terms of what a VPN user has access to when they connect to the network.
So if that system, let’s say it’s a home system, is used regularly by a son that is playing a lot of online games, and then a new game comes out, and he doesn’t have the money or the budget to pay for it, he might go to a torrent site and download a free copy. Or they go to YouTube. You see videos on how to install free Photoshop or how to unlock these games for free, and it will be a bunch of instructions on how to do it, and it will actually work, it will do it, but when they run the command in the instructions in the video, it launches a reverse connection to a bad guy.
Attila:
Yeah, we went through this on last week’s newsletter. It’s called Hacking Yourself Through TikTok.
These videos have been on YouTube forever and now they’re spreading to other social platforms.
Moris Stealer does exactly what you described, but it’s specific to crypto wallets and browser-stored passwords. Those are the two things it goes after. But you’re right—this is real world.
You get a nice, beefy company laptop. Your kid wants to play a video game. You don’t want to spend 150 bucks for it. I don’t know what it costs anymore—so a couple hundred bucks—and you’ve got this beefy engineering laptop, so why not put it on there?
We’ve dealt with this firsthand. We got into conflict with an end user because of it, because they wanted to install—this was a few years ago—I think it was World of Warcraft.
Matt:
Well, sometimes it’s even the user themselves. They’re a gamer.
Attila:
Yeah, they’re a gamer.
Matt:
Let’s face it, a lot of adults are gamers. [laughs]
Attila:
It’s true.
Matt:
I’m raising my hand here. You can’t see it, but my hand is being raised.
Attila:
I see it. I see it.
Matt:
[laughs]
Attila:
Again, I’ve self-deprecated myself a few times on this show by talking about how I know nothing about sports. Another thing I’m weak at is games. I’m not sure why; I just get bored easily. I haven’t found the right game yet, that’s what it is.
Matt:
I’m a pretty minimal gamer compared to some of our other guys, so I’m not that far behind you.
Time and priorities.
Attila:
What stage of life are you in?
Matt:
Yeah, yeah.
But the fact is, a lot of these systems people bring home from work are powerful. Perfect for gaming. What can happen, like we said: someone runs a malicious script off YouTube to play a game for free, later the VPN connection gets made, and boom—the malicious actor now has a wide-open window into this new network.
Here’s an HR computer. Here’s a payroll computer. Here’s an engineering server with client data. They can move laterally on that network depending on the tools they have available to them.
And here’s where application lockdown comes into play.
Attila:
We’ve come full circle.
Matt:
Yeah, full circle. If there’s application lock on that VPN system, then they wouldn’t be able to actually load those tools to move laterally.
Attila:
We should spend more time talking about VPNs, but we’re out of time for this episode, so we’re going to save that for the next one.
But I want to stay on this thread of how do we do IT survival in the new year? It’s so important that we hit these key topics.
We need to pick it up with VPNs in the new year because we still see a ton of them out there. Folks are connecting with outdated, misconfigured VPN configurations, and they’re leaving themselves wide open for attack. As an IT manager, you need to be aware of these problems and what you need to do about them.
So, perfect—let’s pick that up on the next episode. Thank you for listening. I’m Attila.
Matt:
I’m Matt.
Attila:
Stay safe out there.
Matt:
Happy New Year, everyone.
[upbeat music]
Narrator:
This episode was brought to you by Cypac. To learn more about keeping your business safe from threat, crime, and disaster, visit cypac.com.
[upbeat music]
