Tales from the SOC: Exploits versus Entropy | S1 Ep025

Paul Ducklin
06/29/2026

Exploits versus Entropy

Are the shiniest new threats worse than the disruptive disorder of history?


LISTEN IN YOUR FAVORITE APP

Find TALES FROM THE SOC on Apple Podcasts, Audible, Spotify, Podbean, or via our RSS feed if you use your own audio app. Or download this episode as an MP3 file and listen offline in any audio or video player.


READ THE TRANSCRIPT

[FX: PHONE DIALS]

[FX: PHONE RINGS, PICKS UP]

ETHEREAL VOICE. Hello, caller.

Get ready for TALES FROM THE SOC.

[FX: DRAMATIC CHORD]


DUCK. Welcome back, everybody, to TALES FROM THE SOC.

I am Paul Ducklin, joined as usual by David Emerson, CTO and Head of Operations at SolCyber.

Hello, David!


DAVID. Hey, Paul, how’s it going?


DUCK. Well, it’s going great for me, David.

I know you know what we’re going to talk about, but I’ve invented a title that I hope doesn’t set you back too much.

And that is․․․


DAVID. Oh, no! [LAUGHS]


DUCK. Exploits versus entropy.


DAVID. OK, yes.


DUCK. For those people who don’t know what entropy is, very loosely speaking, you could say it’s the measure of disorder in a system.

The reason I mention that is just for a bit of alliterative fun․․․

And the question I really want to ask you is, “In today’s cybersecurity world, are you more likely to get pwned by the latest, greatest vulnerability that’s been all over the media, and found by AI, and trumpeted by everybody?

Or are you more likely to be hit by some unnoticed level of disorder in your system that actually represents a risk that you have known about for years but never quite got round to dealing with?”


DAVID. You can’t really buy your way out of entropy.

Nobody can.


DUCK. There’s a law of thermodynamics about that, isn’t there?


DAVID. There is.

I feel like we have this message on this podcast a lot.

The shiny threat always comes in the dull door that you left open.


DUCK. [LAUGHS] That is an excellent way to put it!

As you say, it is generally the dull door that lets in the most thieves, because it’s the one you’re not looking for.


DAVID. It definitely is.

Most of the thieves are not sophisticated.

And, more to the point, most of the thieves that are sophisticated, that are working for nation-states that have the resources behind them to do some really nasty things․․․

They probably aren’t targeting you; they probably aren’t targeting your organization.

I’m speaking broadly․․․ maybe someone from Lockheed Martin is listening to this, and actually you should be worried, because the nation-states are targeting you.

But the vast majority of businesses are under threat by run-of-the-mill vulnerabilities that they didn’t patch.

Sometimes patches have been available for years for the things that they are simply not patching.

That is a failure of hygiene, and some of the costliest hacks in history are phone calls and missed updates.

And that’s really, I think, the story that the media tends not to emphasize.

Because it’s better to sell not only a story that is exciting and intriguing, but also products that are sophisticated and expensive to produce, and expensive to consume.


DUCK. And the problem with that “More tools, more tools” approach is not that new tools aren’t sometimes necessary, not that they’re unable to do the job․․․

․․․but they themselves can represent a significant distraction, can’t they?

For example, you buy some fantastic new tool that tries to prevent ransomware attacks by waiting until the last possible moment and then detecting that the actual encryption is happening.

Well, that’s a great idea, but if you focus so much on that, to the point that you think that’s all you need, then you’re going to get a very terrible surprise when someone comes into your network and instead of encrypting your data․․․

․․․they just steal it all and hold you to ransom anyway.


DAVID. Generic hygiene – again, which is not exciting – is something that does require time.

And if you’re spending your time implementing tools attempting to ward off highly sophisticated attacks, you’re not spending your time figuring out how to get your people to stop clicking links.


DUCK. Yes.


DAVID. And so, maybe stop clicking those links before you start war-gaming nation-state attacks!

That might be the better way to think about it.

It’s just that there’s an order of operations to this, and until you’ve got some really basic hygiene together; until you’re collecting logs; until you’re monitoring; until you’ve got the basics․․․

․․․you should not be thinking about sophisticated toolsets first and foremost.

Not to say never, not to say they’re not valuable, just that there are preliminary activities which actually are higher yield, because they are the ways in which you will get popped if you’re not subject to nation-state attacks typically.


DUCK. We sort-of see that in the mobile phone arena, don’t we?

There are clear and well-documented cases where very well-funded, let’s assume nation-state, attackers have deliberately targeted a very specific group of people.

Might be activists; might be journalists; might be political opponents.

If you focus on protecting yourself against those attacks, that’s great․․․ you might want to do it for some of your staff.

But if you take your mind, as you say, off worrying about clicking phishing links, and say, “Let’s protect everybody for an attack which, if used against us, almost certainly won’t target those people anyway, by design, because it was so expensive to build․․․”

It’s pretty much like you’ve driven yourself into a very expensive dead-end street, wouldn’t you say?


DAVID. Yes.

You’ve driven yourself to distraction, certainly.


DUCK. [LAUGHS]


DAVID. And we hear this a lot.

The success of your defense against nation-states does not rest on mitigating a zero-day that someone is not going to use against you anyway.

Your success in defense is going to rest on something way more mundane, like actually patching your systems.

And it’s hard to take seriously a deep conversation about defense against zero-days in an environment that has end-of-life operating systems.

That makes no sense.


DUCK. [LAUGHING] Yes, because once the operating system is end-of-life, they’re not zero-days, they’re infinity-days, aren’t they?


DAVID. Yes, pretty much. [LAUGHS]


DUCK. It’s much better to rethink what you’re doing with those computers that have the end-of-life operating systems.

If you really can’t do without it (maybe it’s an expensive lathe that you can’t afford to replace, and it only runs on Windows XP) then you need to think of a different way of protecting that system than saying, “I’m going to treat it like all my other Windows 11 computers that I want to be on the internet all the time.”


DAVID. That situation is common.

That system will never be secure, and needs to be isolated from your network.

It’s brute force; it’s simple.

But it’s representative of the actual threat profile, which is not a sophisticated threat profile, it’s a *forever* threat profile.

Windows XP is always going to be vulnerable to everything, including those sophisticated zero-days.

But the attackers don’t need them anymore, so they’re not going to use those.

Get that system off of the network; isolate it.

That’s really the fundamental message, and I think it just gets lost in some of the noise, and our ability to come up with sophisticated defense nowadays that we probably wouldn’t have found practical 10 years ago, or 15 years ago.


DUCK. So, it’s almost as though vendors are building these new tools because now they *can*, whether they really solve the problem or not.

And then, once they’ve built them, they figure, “Hey, this is a new SKU!”

And once they’ve got a new SKU, well, what do you do with SKUs?

You go out into the market and sell them.


DAVID. Well, the truth is that by value, some of the largest hacks in the world are․․․

․․․by *lost* value, by value destroyed.


DUCK. Yes, don’t make the crooks sound like they did us a favor, David. [LAUGHTER]


DAVID. Yes, yes!

So, if you look at MGM, or you look at Jaguar Land Rover, some of these gigantic exploits that have occurred․․․

These are companies being undone by phone calls; they’re companies being undone by phishing emails and by dumped credentials.

This is not some nation-state situation where someone saved up a zero-day since 1997, and now they’re going to use it.

It’s not that.

In some cases, these companies might be eligible for attacks like that, but․․․



DUCK. “Eligible.” [LAUGHING]

I imagine that if they are, as you say, “eligible” for an attack by some super-secret agency, and that agency can hire somebody who can do it with a phone call, that’s how the nation-state will do it.


DAVID. Right, yes.

Everybody will take the lower resistance path.

Yes, the nation-states have options available to them that are more sophisticated, but even then, if they think they can call the help desk and ask for a password reset, they’re going to do it.

If they think they can go to Pastebin and find some stale, crusty old credential that still works, they’re going to do that.


DUCK. You mentioned Pastebin․․․ basically a data-sharing site, a free data-sharing site.

If memory serves, that came into the Jaguar Land Rover hack, didn’t it?


DAVID. It may have.

Jaguar Land Rover, in September 2025, had one of the most extensive outages in history.

It cost a ton of money.


DUCK. Yes, I think it’s now generally recognized as the biggest, costliest cyberhack ever in the history of businesses operating in the UK.


DAVID. So, the number I saw was US$2.5 billion․․․ that’s not pounds, but 2.5 billion US.


DUCK. Because their production lines were down, completely down.

They did not produce a single vehicle for something like six weeks.

Is that right?


DAVID. At least.

It was a long time, and it was 0.17 points off of the entire UK GDP.

So this is impact at a national level, and not just small-nation level, but a large national GDP.

0.17 points of impact!


DUCK. So, this probably had at least some small effect on the price of the butter that I have in my fridge right now?


DAVID. Certainly had an effect.

Well, especially since you then bailed them out․․․


DUCK. [LAUGHS LOUDLY]


DAVID. [LAUGHS] But, yes, it definitely did.

That is impactful.

And we don’t know the mechanism – they never did release the mechanism – but there are a couple of theories.

The information points to mundanity.

The information does not point to anything more than a quarrel about hygiene.

There’s no “how” that seems to be implicating a zero-day or something sophisticated.

It appears to have been a credential that was at least four years old and posted to Pastebin.

So that really is about the most basic way to get popped.


DUCK. Was that someone inside the company who figured, “I need to share this credential, but if I send it by email I’ll be in trouble, so I’ll use Pastebin?”

Or was this dumped some other way?


DAVID. The credential that was found that may be implicated was dumped by an incidental breach.

Not a breach of Jaguar Land Rover, but a third party.


DUCK. Aaaaaargh.


DAVID. It’s like when you shop at a department store and they lose your information and they tell you, “Hey, we lost your information.”

You’re supposed to rotate your credential.

Well, if you don’t, and you use the same password everywhere, and you’re also an employee of Jaguar Land Rover․․․

․․․that breach at your department store has just become a corporate problem.

Really basic.


DUCK. Because my understanding is that the people behind this seem to have been more or less kids.

I mean, technically adults, but their “gift,” if we can use that positive word for their criminality, was a mixture of persistence and self-belief.


DAVID. Yes.

On Telegram, Scattered LAPSUS$ Hunters claimed responsibility.

That’s kind-of a trio of cyber gangs․․․


DUCK. Yes.

If you can’t beat ’em, join ’em. [LAUGHS]


DAVID. No reason to believe that they didn’t do it.

At the end of the day, we know who did it; we know that they don’t think they did anything particularly sophisticated.

And, by all indications, this was not some kind of long, latent thing that they were performing.

This was not a persistent threat.

Basically, they got in, and the shutdown of the line had knock-on effects that were tremendous.

Because it turns out that shutting down a modern production line is more complicated than just a power outage.

It’s a status problem.

It’s, “Where were these cars when we finished putting bolts in them, how many bolts did they have, and what was their torque?”

We don’t know anymore, and so now you’ve got all of these frozen production items of uncertain state.

And that itself is a real management issue.


DUCK. There was no cyber attack on their OT [operational technology] or their industrial control systems, was there?

So, these guys didn’t even need skills in hacking things like robot welding machines, or industrial controllers and PLCs (programmable logic controllers).

Like in the steelworks․․․ you turn off the power to the steel-making vessels, and the steel solidifies.

Apparently, that’s game over – you’re never going to get it liquid again, so don’t turn the power off.

And that seems to be sort-of what happened there.


DAVID. Yes.


DUCK. That massive outage that you think, “Oh dear, nobody can make Teams calls. Nobody can process orders․․․”

It also meant that the production line froze, as you say, for weeks.


DAVID. Well, the production line freeze was self-inflicted.

And maybe rightfully so – I’m not necessarily blaming Jaguar Land Rover for their response.

I think their response clearly needed a recovery alternative.

But what happened was this cybergang collective indicated that they had been responsible for a hack, and Jaguar Land Rover pulled their systems offline to contain that hack.

And in doing so, in pulling their own systems offline, froze these systems in production.


DUCK. So you can’t empty it.

You can’t take the vehicles off.

They’re kind-of locked into the system․․․


DAVID. Yes.

I mean, maybe the engine has enough bolts in it; maybe it doesn’t.

Take your chances, right?


DUCK. [LAUGHS]


DAVID. It’s not as if a Range Rover is known for being especially reliable to begin with. [LAUGHS]


DUCK. But I imagine it would just be․․․ if you don’t have the IT network, and that is actually providing the oversight and the data that the industrial control systems need to run, I can see why you don’t really have a choice.

It’s almost like the plug pulls itself.


DAVID. You don’t have a choice.

But what in retrospect we know, I think, lays bare why hygiene is important, because this is a fragile system.

Of course, we know this *now*.


DUCK. Yes.


DAVID. When we think of cyberattacks in OT or an industrial process, we think of things like our attack against Iraq when we invaded in the Gulf War.

We think of things like, “Oh, the printers are printing the wrong values for your targeting system.”

And now your targeting system appears to work, but you can’t hit a damn thing because every time the printer prints out a value for your artillery to target, it’s off by an intentional amount.

That’s an OT hack of history that is sophisticated; that affects your offset; that affects your systems in ways that you can’t really detect easily until it’s too late.


DUCK. The Stuxnet virus is another excellent example of that, isn’t it?

You’d know something had gone wrong with your centrifuges, but it would be very, very difficult to say why.


DAVID. Yes.


DUCK. Here, it’s exactly the opposite, isn’t it?

It’s absolutely clear what happened․․․


DAVID. Oh, it’s completely the opposite.

This was not somebody saying, “Oh, all of our panels are going to be a little too thin, and you’re not going to notice it until it’s too late.”

This was basically just a cybergang saying, “We did something nasty,” Jaguar Land Rover over-correcting, and shutting everything down.

The “something nasty” ended up being some former staff record data.

Was it worth shutting your whole line down?

And what it actually exposed was that the line was fragile.


DUCK. Yes.


DAVID. The shutting it down was not, “Oh, we can restart it tomorrow.”

It was, “Oh, crap, two months of lost production.”


DUCK. No amount of concern in the world in this particular case for zero-days would have prevented this attack․․․ if it was based on a credential that was leaked by somebody who obviously figured, “I don’t care to make money out of this. I’m just going to see if somebody else can cause havoc at some future time.”

If that was all those years ago, what defense would have worked?

Should JLR have been searching the internet for potentially breached credentials?

Or would that also have been a case of just trying to get a technological solution for a human problem?


DAVID. To be really clear, they should have been searching for leaked credentials.

They should have been rotating their credentials.


DUCK. Yes.


DAVID. But doing those things in a vacuum, and without any consideration for the ways in which your processes are fragile, which is not a cyber problem․․․

Your processes being so fragile that you can’t shut down the line to contain an incident, and then restart the line in a sane way, is problematic.

And that alone should be considered the risk.

That is not a cyber problem, it’s an operations problem.

It isn’t because your credential was on Pastebin that your system is now shut down for two months.

Though they seem related, the problem is that your system is fragile, and it could be down for two months because you react in a way that actually isn’t such an insane way to react, which is, “We don’t know what these people are claiming success on, so let’s close it down for a bit.”

That would have been acceptable for a day until you figured out that, “Oh, it’s actually just former staff records that they had.”


DUCK. So, just finding the credential online would have been helpful, but that alone is not enough.


DAVID. The offense has an unlimited surface area and ways in which to attack you.

And so there’s an asymmetry, a natural asymmetry, that will always be present.

You cannot find all the credentials that are out there that have been breached.

You must be resilient when someone inevitably finds the one that you didn’t find.


DUCK. Yes.


DAVID. So, yes, scour Pastebin; look at the dark web; whatever.

There’s so much you could be doing that would mitigate any single attack, and it isn’t unhealthy to do those things.

But, fundamentally, make your operations resilient.


DUCK. Yes, because that crook who dumped the credential because they thought, “Hey, why not cause some trouble for somebody in the future”?

He could have just emailed it to his best buddy in the hacking community.


DAVID. Yes, or have kept it to themselves.


DUCK. Yes, and come back to it four years later thinking, “Ooooh, I forgot about that.”


DAVID. Yes, you have to defend against these things with resiliency.

In a more relatable way, if you’re one of our listeners that doesn’t produce cars․․․

If you have backups, and for some reason you get ransomed, you should not be in a position that you can’t shut down, or that your shutdown costs you two months of operations.

That’s crazy.

What you should be in a position of is that you’ve already thought through what an acceptable loss to you is.

You’ve tested your restore process, and you’re in a situation where instead of paying the ransom, you wipe that machine knowing that you’ve got data from yesterday and you’ve lost one day of production.

That’s resilience.

That’s the sort of thing that makes it so that, yes, you scour Pastebin, and you try your best, but when the inevitable occurs, you’re not out 0.17 points of your first-world income country.

That just is insane – it isn’t an equivalent, reasonable damage for what actually happened here.


DUCK. Another example of things that people might say in this case would have solved the problem is, “Well, what if they’d had two-factor authentication, multi-factor authentication?” (2FA, MFA)

That is a great idea, because it certainly makes you more resilient than relying on, say, a password alone.

But even that’s not enough, is it?


DAVID. No.


DUCK. There are any number of ways that even unsophisticated crooks, instead of stealing your password and your 2FA token, will steal some other sort of credential that gets them in, without needing the two-factor authentication token in the first place.


DAVID. Yes.

Implement multi-factor – you should, because it’s a really good idea.

But I posit that, no matter what, whether it’s true or not, if Scattered Spider shows up on Telegram and says they hacked your company, you’re going to freak out.


DUCK. [LAUGHS] You heard it here first, folks!


DAVID. Yes.

It doesn’t matter who you are; it doesn’t matter if it’s true.

You know what I mean?

It might not be true․․․ maybe Scattered Spider’s lying or confused, or maybe they breached the most mundane of your databases and they’re just calling it a breach generically, and you’re freaking out.

The point is that what Jaguar Land Rover did, I think, could have happened whether or not there was an actual breach.

And so, it’s pointless to go through all these gymnastics of the technical things that will solve a problem that actually isn’t technical.


DUCK. Yes.


DAVID. The problem is *operational*.

The fundamental problem is that Jaguar Land Rover cannot, apparently, pull the plug on its systems without two months of interruption.

That’s an operational vulnerability.

And again, a more relatable version of this, I think, would be that a lot of companies don’t back up.

Or, if they back up, they don’t back up frequently enough.

Or if they back up frequently enough, they don’t test the restore.

And there’s a reason that’s a control for a lot of compliance and regulatory regimes.

If you don’t test your restores, we don’t know that the backups actually work.

And if you don’t think about how often you need to back up, you might lose two months of data because you’ve freaked out and need to restore a system.

That’s really all there is to it.

If you’re a baker and, let’s say, you have a strain of sourdough yeast that is absolutely singular and irreplaceable, I hope you’ve spent a moment thinking․․․


DUCK. David, are you giving away some personal secrets here about hobbies that you might have?

Do I detect a little bit of amateur baking in the Emerson family?


DAVID. Yes, it’s very amateur. [LAUGHTER]

You can think about this․․․ if you’re a baker, and you have some process that makes your bread good, you’d better think about whether that process can be disrupted.

What if you have a fire?

There are a million ways in which this could go sideways, so maybe you’ve kept a little chunk of that in the freezer somewhere, or maybe you’ve dehydrated it and kept it in a packet at your house.

It’s not unreasonable, even for a baker, to think about the things that make their business special, or that make their business run better.

And the disruption of a physical plant can occur, whether you’re making cars or whether you’re making bread.

You might lose access to your bakery for a month.

That might not be any fault of your own – it might be construction; it might be a fire; it might be a flood.

What would you do as a business?

It’s not an unreasonable question to ask, and it has nothing to do with cybersecurity.

Or, cybersecurity is just one of the hurricanes that could occur to you for many different reasons; it’s just one of the disasters.


DUCK. So, you’re not saying that people should give up on cybersecurity.

What you are saying is that there are very useful cybersecurity things that you can do, and you mentioned multi-factor authentication as an example.

But you should do them because they provide a tangible benefit to managing your risk, rather than because you think they’re the first thing that you should do because everybody’s talking about them.

Is that a fair way of putting it?


DAVID. Basically, yes.

I think that, and I think that cybersecurity and its attendant technical exploits and risks is really just one of the causes of operational disruption.


DUCK. Yes.


DAVID. And what we’re looking at here, in the case of Jaguar Land Rover, and in the case of MGM, huge companies that got hacked by nothing․․․

․․․what we’re looking at here is operational failure.


DUCK. MGM?

Was that the hack where somebody broke in via some IoT device in an aquarium in the lobby?


DAVID. No, not even.

They called the MGM helpdesk and asked to have their password reset.


DUCK. Oh, dear.


DAVID. I mean, it’s a telephone call.

That is an operational problem.

That someone can do that thing, which is social in nature, and then subsequently obtain enough access to shut down a casino.


DUCK. So they didn’t even need to go into any of the properties?


DAVID. No.


DUCK. Or be anywhere near to initiate the attack?

They just simply phoned up and asked very nicely?


DAVID. It was a remote exploit with legitimate credentials.

So it wouldn’t have been easy to detect.


DUCK. Yes.


DAVID. It is notionally in the realm of cybersecurity․․․ I’m not saying cybersecurity doesn’t exist.

But I am saying that *operations* is what allows cybersecurity to be a disruption when it becomes a problem.

Just like “operations” is what allows you to be surprised that you experienced a hurricane in New Orleans.

Your lack of operational readiness can turn almost any disaster into something much worse.


DUCK. So, David, to finish up, perhaps you’d like to give one starting piece of advice for people who perhaps have been focusing on the shiny aspects of cybersecurity․․․ “I must buy all the tools and toys.”

How do you turn that around, so that you do cybersecurity well by choosing the right things to do for the right reasons?

Where to start?


DAVID. Start with operations.

Start thinking bigger than your role.

If you’re hired to do cybersecurity, don’t drop the technical stuff, but start from principles which underpin the company that you’re at, or the enterprise that you’re at, whether it’s a company or not.

The point being, “What drives revenue? What drives your reputation? What drives your company? Why does your company exist?”

It has to exist for some reason – in the case of Jaguar Land Rover, that reason is cars.

Start not with, “How do we protect against people trying to steal our second factors?”

But start with, “How do we keep making cars?”

And run from that first principle into what is your actual job description, which is, “How do we keep making cars in the face of cyberthreats?”


DUCK. Yes.


DAVID. I think that that’s the mundanity that a lot of people aren’t really performing.

They’re performing these sort-of small, point tasks, like, “Let me check Pastebin, and let me make sure my MFA is modern.”

These are undeniably good things, but they just aren’t going to actually solve the problem of, “How do we keep making cars in the face of innumerable threats we cannot entirely stop.”


DUCK. Excellent!

To summarize in a somewhat dramatic way․․․

If someone turns off my baking machines, my production line, my whatever-it-is, how would I ever be able to turn it back on?

David, thanks so much for your thoughtfulness on all of this, and your ability to go beyond the shiny cybersecurity stuff.

When it comes to today’s businesses, that operational focus is really going to help you the most.

So, thanks to everybody who tuned in and listened.

If you like this podcast, please tell your friends; please tell your colleagues; especially, please tell your boss.

If you listen on a podcast feed, why not leave a comment?

Please like and share us on social media.

And please also have a look at https://solcyber.com/blog, where you’ll find a wide range of advice articles that are not about sales, they’re about educating the community.

And․․․

Until next time, stay secure.


DAVID. Bye, everyone!


[FX: CALL ENDS]

