April 30, 2025
EP 6 – Incident Response POV: 2025 Emerging Threats

In this episode of Security Matters, host David Puner dives into the world of evolving cyberthreats with Bryan Murphy, Senior Director of CyberArk’s Incident Response Team. Imagine a scenario where an attacker uses AI-generated deepfakes to impersonate your company’s VP of finance, gaining unauthorized access to your environment. Bryan Murphy shares insights on how these sophisticated attacks are turning identity into the attack surface and why your first line of defense might be as simple as a video call. Learn about the latest trends in social engineering, credential tiering and the importance of visual verification in incident response. Don’t miss this eye-opening discussion on how to protect your organization from the ever-evolving threat landscape.
Imagine this scenario: someone calls your help desk in a panic. She sounds exactly like your company’s VP of finance. Same voice, same urgency, same backstory. “I’m traveling and I lost my phone,” she says. “I’m calling from my son’s phone. I’m really late for my meeting with the CEO and need my credentials reset.”
Quickly, the IT support specialist on duty is there to help. So he does, but the caller isn’t your VP. It’s an attacker. With a single act of social engineering powered by AI-generated deepfakes, they now have access to your environment — not just as a user, but with the means to escalate, override, and erase. From resetting credentials, replacing MFA devices, and compromising your infrastructure, attackers are not knocking at your door. They’re already inside.
So — how can you distinguish what’s what and who’s who when they sound just like you and your colleagues? Today I talk with Bryan Murphy, Senior Director of CyberArk’s Incident Response Team, about how evolving threats are further turning identity into an attack surface — the attack surface, really — and why your first line of defense might be as simple as a video call.
Okay? Let’s get into it with Bryan Murphy.
David Puner: Bryan Murphy, Senior Director of the CyberArk Incident Response Team — welcome to Security Matters.
Bryan Murphy: Hey, thanks David. Appreciate you having me.
David Puner: Absolutely. Great to have you back on the podcast. The last time you appeared on an iteration of this podcast was October 2022. Glad we could finally have you back on. Bryan, I know you’re a busy guy. Where have you been and what have you been up to?
Bryan Murphy: We’ve been busy over here at CyberArk. We’ve started to form a new incident response team, which is going to help our customers recover from cybersecurity incidents. Previously I was working on our remediation team where we would just help recover CyberArk assets when incidents happened. But now, because our customers are asking for it, we’re actually building a full IR team to assist in those threat attacks.
David Puner: So you’re saying you’ve been busy?
Bryan Murphy: Just a little bit, sir.
David Puner: Alright. Well, thank you for taking the time to talk with us today. Looking forward to diving right in. Today we’re going to talk about the evolution of cyber threats — which, you know intimately, I think it’s probably safe to say. And seeing that you’re on the incident response team, you obviously know firsthand what’s going on out there in the threat landscape. So you’re very much on the front lines.
Let’s start things off with: in your role with the CyberArk Incident Response Team, what’s your purview and how do you enter the fray?
Bryan Murphy: The way we work now is instead of coming in from an incident perspective and saying we want to be your second call after you call your incident response firm — debatable if you call the lawyers first — but after the incident response call, you would call CyberArk to help you figure out what happened with your identity platform that you have.
And now we’re saying we should be your first call. Now instead of having to call an IR firm — or if you do call an IR firm, you can have us there alongside them — to help you work through these incidents that are going on. And what we found is a lot of these attacks happen through the identity platforms, as well as through your privileged access management solutions. Meaning the attackers are using these to gain deeper access to your environment. And this is why it’s crucial for CyberArk to launch and have this team to work alongside the other responders within the industry.
David Puner: So are you on the hook? Are you on the other end of a burner 24/7? How does that work?
Bryan Murphy: No, I’m not. I don’t know that my family would love that. We do have a call tree process where they will get in contact with us as needed. And what I mean by that is you can contact CyberArk Support — the numbers we all know and love — and they have a process to do the initial triage to handle what’s coming in first, to allow us the flexibility to not be on 24/7, but still provide you that 24×7 service that you need when incidents arise.
David Puner: Now that we’ve established that you’ve got a very close view into emerging threats — at CyberArk Impact this month, you hosted a session on evolving cyber threats and attack patterns to be on the lookout for. Let’s start generally and then dive into those big, notable emerging threats. What are some of the most significant changes in the evolution of cyber threats in the last few months?
Bryan Murphy: I would say it starts with AI.
David Puner: Okay.
Bryan Murphy: And yes, I know it’s a buzzword and we’re talking about AI everywhere, and we’re gonna AI everything in our lives going forward — for good reason.
David Puner: Yep.
Bryan Murphy: But what we’ve seen in the emerging threat space with this: attackers are using AI to better craft, say at the simplest form, a phishing email — a way to get you to click what they’re looking for in the drive-by. But in addition to that, we’ve seen them be more sophisticated with deepfakes, where they’ll contact your help desk and say, “Hey, I’m Bryan from CyberArk. I’m on the phone, I need you to reset my password.” But they’re doing it with AI, so it sounds like me. The person on the other end — if they know me — it’ll sound like me, and they’ll trust.
And what makes this really challenging is all of the controls we had before to prove someone is who they say they are aren’t really as good as they used to be. So with that, it’s not good enough to say someone sent me a text message, someone sent me an email and said reset my credential, or they called in and I talked to Bryan — he was the person. You’ve really got to go through the steps of: did you check with their manager? Is this a legit request? Did you check them visually on a call?
Doesn’t have to be the whole time like we are here today. It could just be for five seconds to make sure they are who they say they are. But you need to do these things in addition to what we did before, because the attackers are getting better and better at faking and impersonating who they are.
David Puner: With the help of AI, are attackers now attacking or attempting to attack help desks more than they were pre-AI? Or are they just doing it more effectively now?
Bryan Murphy: I would say it’s more effective, and it might also be that they’re more successful.
David Puner: Mm-hmm.
Bryan Murphy: So we’re seeing more of it in the industry, but I can’t say that we’re seeing more of it because they’re upping the attacks they’re doing. I think this is a way they’ve found to be more successful.
If you look back and you think about when we said, “Do MFA,” we said, “Use an SMS push. That’s the great way to do it.” And you know, we said, “Well, no, you don’t want to do that because there’s SIM swapping and cloning of phones and ways to take over the MFA device that you have.” We shifted and we said, “No, put it on the device. Have an OTP pin — you know, an app that you’re using — to get that information back to approve the request.”
This is just the next evolution where instead of them having to compromise your device, they’re saying, “I’ll go directly to the help desk and set up a new device.” And so how do they do that? Well, they call in and say, “Hey, I lost my phone.” They play on the factors of — it’s very urgent, people like to help.
And if I called you and I said, “David, I have this big issue. I need you to help me get my device reset. It’s a really important call. I’ve got to meet with the CEO of this company, and if I’m not there, it’s really bad.” They play on that urgency. They play on getting you to do it quickly. And this is where people will succumb to wanting to help — and maybe they’re helping the wrong people.
David Puner: So is this an example then of an attacker having a brand-new phone or a phone that has nothing to do with the person they’re claiming to be, and calling a help desk and saying, basically, “Activate this phone because I lost my phone”?
Bryan Murphy: Yes, that’s exactly what they’re doing.
David Puner: Is this now something that is becoming more well known — that folks are looking out for? Or how does it then evolve from that call to an actual successful attack?
Bryan Murphy: It’s definitely something we have to be more on the lookout for. Because in the past, if you think about it, we would just grab a credential. Maybe they would have you on your machine, click on a link, do something to grab your credentials for the system. And because we didn’t have MFA as prevalent as it is today, they would be able to use those credentials and fly right by.
Now we have to worry about them just taking over the MFA device and approving everything that they want to do. So obviously, they need the credential still, and that might be help desk reset my credential — it could be these different things that they’re doing — but they’re getting away.
Now, the takeaway from this for the audience is: they’re able to grab the credential and the MFA device. Meaning, they can reset the device to a new device. So now they’re not waiting for the user to click “approve” — they’re approving it themselves.
David Puner: I want to get back to what organizations and help desks should be on the lookout for later on, but in keeping with the thread that we’re talking about here — in the actual attacks — so an attacker successfully gets in, the new device is either added or reset. So then what happens? Because obviously the end goal isn’t just to get into the system.
Bryan Murphy: Correct. So now they have access to your systems. And this is where they’re in the environment — and they may not be a privileged user, they may just be a standard user, which we hope everyone is using least privilege and that that’s all the access the attacker has.
David Puner: Right?
Bryan Murphy: But now they’re going to do reconnaissance, and they’re going to look around — see what else you have access to, what other systems are available for them to look at, connect to, see the traffic — and this is where they start their privilege escalation.
David Puner: What is something that they would — like an eye on the prize — what would they want to get to first?
Bryan Murphy: So maybe I have an admin account that I use. Maybe I have administrative access to data. It doesn’t have to necessarily always land at “you have administrative access to servers.” It could be that you have access to data. Maybe you’re working on a top-secret project. Maybe you’re working on something for the company, that they’re going to go in a different direction, they’re going to acquire somebody — could be a litany of things. And they don’t know what they’re looking for, they’re just looking for something that they can use for profitability.
So if that’s extortion against you or that’s selling it to your competitors, they’re looking for this information. But we typically see them go after the administrative access to the systems to take your environment down.
David Puner: Okay.
Bryan Murphy: This is where we get into the traditional ransomware — you know, all your systems are locked and encrypted. We all know this and are fighting against it. There are other ways for them to attack and extort you without taking over your systems with administrative access.
David Puner: Okay, and is there anything new or novel that they’re going after these days?
Bryan Murphy: I wouldn’t say it’s exactly new, but it is important to call out — and this has to do with your virtual infrastructure or your hypervisors.
David Puner: Okay. So hypervisors — just to interject here so the listeners are all on the same page — tell me if I’m right here, what a hypervisor is: it’s kind of like the manager of virtual machines and it helps virtual machines share a computer’s resources like memory or processing power without interfering with one another. Did I get that right?
Bryan Murphy: Yes. Think of it as the host.
David Puner: All right, sorry to interrupt there, but I think it’s important that we define what a hypervisor is for the audience.
Bryan Murphy: Absolutely.
So going back to why this is important — many of our customers that we see have their hypervisors domain-joined. So when you think about it, they’re using a domain credential to access all of the hypervisors they have in their infrastructure.
With all of these hypervisors there, the attacker — if they’re able to grab that domain credential — now has access to the host or the hypervisor within your environment. So when you think about this from an attack perspective, they’re not attacking each individual system or server you have. They’re attacking what hosts or holds them all — and they’re gaining their foothold there.
So now they don’t need to have the credentials to every system. They have access to the infrastructure. They’re just gonna delete your backups. They’re gonna shut down those systems. They potentially could clone them, take them offline, and try to brute force or do other things they want to do with these systems once they have that information.
David Puner: This is in an on-prem environment that we’re talking about here?
Bryan Murphy: Yes.
David Puner: Okay. So do you see this happening in cloud environments also? And then what are the ramifications for both on-prem and cloud?
Bryan Murphy: So it does, David, and I appreciate you bringing that up. The reason I started with the hypervisor in our conversation is that everybody has hypervisors. We understand they’re in our infrastructure, and we have to protect them. But I don’t think a lot of people understand the criticality of mapping them to the domain accounts. And it’s not to say you can’t use a domain — it’s just saying it’s usually tied to a credential that somebody knows, and it’s giving them access to many machines.
But getting back to cloud and where you were asking about this — we see the same thing. Maybe you’re using Okta or something else for your IDP, and what you’ll see is you replicate your credentials from your Active Directory on-prem to your IDP in the cloud. And now you have the same username, same credential in both spaces. And it’s okay.
But where we fall into a trap is that we use that credential in the cloud to gain us access to the systems — just like we said about the hypervisors. So now if the attacker has that credential — and I’m going to segue back to the social engineering where they stole the MFA device — they can now approve anything in the cloud. They can do what they want to do there because they know the credential and now have the access.
David Puner: So we’ve gotten basically three levels of this attack. You’ve got the initial help desk social engineering aspect of it, and then you’ve got to the next level, which is the hypervisor attack. And then you’ve got what you were just talking about — about taking it even further. So how can organizations prevent or mitigate these attacks, and at what phase? Because obviously if you don’t mitigate it or protect yourself against it from the initial wave of attack, then you’re onto the next level of it. So maybe let’s start with the initial attack and then take it from there.
Bryan Murphy: Yes. The best thing we see customers do is implement some sort of credential tiering and some way to isolate where the credentials have access.
So to frame this up for our listeners — if you think about credential tiering, think of it as: whatever credential you’re using has access to a limited number or subset of systems within your organization.
Now, the traditional way we recommend this is we look at critical assets to run the infrastructure — yes, that would be the hypervisor, that would be the cloud infrastructure — and we would consider that to be called something like Tier 0.
Now, with those, you would have a single credential to access Tier 0. Then when you move to your other tiers — we’ll call Tier 1 our servers or our application servers that we use within our organization that are not infrastructure-related but still important for us to have — we would have a separate credential there.
When you think about this from an attacker’s perspective, they’re now not looking for one credential. They have to get to multiple credentials to get to multiple systems. So what we’re doing is we’re making it harder for them to take over our whole environment — whether it be in the cloud or on-prem where we have our systems.
David Puner: Is there a name for that?
Bryan Murphy: It’s called credential tiering, is what it’s often known as.
David Puner: Okay.
Bryan Murphy: But I will say, I think a lot of us in the industry have had trouble implementing this, and we find it a very daunting task to do. And the way I try to pose it to our customers that work with our teams at CyberArk is that you don’t have to do it end to end.
So when you start talking about tiering, you go into: I’ve got Tier 0, I’ve got Tier 1, I’ve got Tier 2, I’ve got critical assets, I’ve got this, I’ve got all these different control planes — and it just becomes overwhelming. Just like everything in our life, if we feed ourselves too much data, we just get overwhelmed and we sort of shut down.
What we tell our customers to do is — hey, start doing credential tiering, but maybe start slow. Let’s start with Tier 0. Let’s just figure out what those are. Let’s put a credential around those. Everything else — it’s just as it was.
Is it perfect? No. But it puts us in a better position to react when a cybersecurity incident happens. And since we separated Tier 0, we now have an understanding, we’ve practiced, we’ve built repetition on how to build these credentials and isolate our assets. We can then in the future worry about the additional parts of tiering instead of trying to do it all at once.
David Puner: Is there a fundamental new way that organizations should be training their help desk employees — or just employees in general — to recognize and respond to social engineering attacks?
Bryan Murphy: This is me personally — I feel we need to do the… I don’t know if you’ve heard where somebody asks you a question, you sort of pause for a couple seconds and you process what they say before you respond.
David Puner: Mm-hmm.
Bryan Murphy: Yes. I think we need to implement more of that when we start working with our help desks. Because if somebody needs a credential, it’s great. When one of my guys needs to have their credential reset, a lot of times they’ll come to me and say, “Can you open a help desk ticket? Can you do this for me? I need to get access.” And we’ll have a conversation.
I’ll either call them, I’ll talk to them first — make sure that it is them that I’m talking to — before we implement the request to get the credential reset. And a lot of times it goes through multiple people. It might be one of their peers says to me, “Yes, I know this person needs it.” It might be myself and then also the help desk. Or they’ll send me an email, they’ll send me a text message — they’ll do it through multiple protocols of ways to connect so that we can verify who they are.
David Puner: Mm-hmm.
Bryan Murphy: Right. And there’s even been times where when they’ve asked for stuff, I’ve been like, “Hey, jump on a call with me. Let me see you physically.” I think physically seeing someone is the most important thing. I don’t have this problem, but your hair might not be done — things like that — when you get on the phone. It’s fine. We just need to make sure you are who you say you are, because the attackers are now using these deepfakes to pretend to be us when they’re calling other people within our organizations.
David Puner: Wow. It’s adding a whole new dimension to what you were doing prior to the whole AI revolution — or whatever we want to call it these days.
Bryan Murphy: It is, David, and it’s coming fast. And we just cannot ignore that it’s coming — and it’s here.
David Puner: So then I grabbed onto another evolving threat that you were talking about in your Impact presentation. It was something that you called credential dumps — which, I know we were already talking about credentials. What are credential dumps, and how do the concepts of credential siloing and tiering come into play with the credential dumps?
Bryan Murphy: Absolutely. And when you think of credential dumps, think of this as: I’m not going to attack every user or every credential within your organization. What I’m going to do is I’m going to attack the system that holds the credentials.
So maybe this is your IDP — your identity provider you have — that’s SaaS, cloud-hosted, in your environment. Or it’s your Active Directory or your directory structure that you have with those credentials you use to access your systems.
Now, I want to be clear here. I’m not saying that that’s a bad way to store your credentials — it’s not. This is the way you should be doing it. But it does open up an attack vector where the users that access these identity stores are a bigger target than others have been in the past.
David Puner: So then what happens if or when your identity solution is breached? First of all, what would that look like? And then what steps can a breached organization take to recover, rebuild, and/or fix their security gaps?
Bryan Murphy: This is a great one. We do this all the time with our customers. And the way I can describe it to you is: you have to move away from a directory structure to localized accounts.
David Puner: Okay.
Bryan Murphy: And right away, I’m sure everyone’s thinking, “We can’t do that. We have 5,000, 10,000 users. There’s no way we can move to local accounts.” You’re right — and we’re not saying to do that. But we’re saying to use local accounts for just two users, to start to control where the trust is within your environment. So you’re regaining the trust within your IDP — so that you can reset the verification factors, the way that people are going to get the identity store to be trusted again.
Oftentimes what we do here at CyberArk is we will stand up a second identity structure with CyberArk to be the source of truth during the incident. So this way, you can use something new that you trust to then allow the federated access and everything you need to get into your systems — without doing local accounts everywhere — and regaining the trust.
Once the trust is restored to the identity provider and we have control back, we can then switch back to the other identity store we have. We find customers do this and it works well.
What they’re starting to also consider is not having a single identity store anymore. And there are pros and cons to this. But they’re starting to think about maybe having a second identity store just for their security tools — just for their IDP — so that if multifactor device A is compromised, it’s not the same device they’re using as B to connect to these high-target assets that they have.
David Puner: Are there any particular pros and cons to that that you want to address — that you think are worthy of mentioning here?
Bryan Murphy: I think it’s definitely worth having the conversation, because there are challenges to it. If you’re replicating data from a single source — if the source is compromised — it can trickle down between. But really the stopgap here is the multiple MFA devices that you would use.
And this doesn’t mean two phones. It could just be that you have two different authenticating apps — A and B — that you use for the different ways you’re logging into the environment. So think of: if you’re a privileged user, you’re going to use MFA device A or app A. And you’re going to use B if you’re logging in as a standard user.
So now, this way, if they go to do a reset, they’re not doing a reset on just a single MFA product. They have to do it on multiple to gain the access. So it’s definitely something to consider. There are challenges around it — it’s not a perfect thing that you can do — but it’s definitely something worth considering.
David Puner: How does time factor into all this? It seems like anything more that people are expected to do or need to do — it feels potentially burdensome or time-consuming.
Bryan Murphy: Our world is moving faster and faster. And what they want to do is they want instantly to have any access or any information that they need at their fingertips.
And when you work on an incident, one of the biggest pitfalls we see customers fall into is — they’ve been tied up and they haven’t had the funds or the ability to make things the way they want them to be, for whatever the reasons are.
And the trap they fall into with time is — they say, “I now have the opportunity to build it the way I want to. I can make this perfect. I can make it as secure as it needs to be.” And when you’re working through an incident, that should not be your goal.
Your goal should be to get a system functioning that provides the access others need. Because every little bit you add to it — you’re taking time away from somebody else who may need to recover another system. Maybe Bryan here is sitting waiting for the hypervisor team to build me a VM to get my app up. They can’t get to building my server until they build your server in the list.
And when you work through an incident, you have to think of: these systems are only going to live in the state they are for about 30 days. And then, as we go past the 30 days, we can build it as robust, as secure as we want to — beyond. But we can’t do it within that initial time when we’re trying to get all of the systems functional and operational again.
David Puner: So it’s a step-by-step. It’s phases.
Bryan Murphy: Yes.
David Puner: So then we’ve established many times over here that you are on the front lines. So based on your incident response experience, what are some of the general best practices for incident response teams to effectively manage and recover from cyber incidents in general? We’re going general here.
Bryan Murphy: I would say you have to have, obviously, a plan. And any sort of incident you work through — it’s all about how you prepare. So we said plan, preparation, being ready for it, how we respond — we want to know that. But even more so than that is understanding how you’re going to validate. Understand who’s on the calls, who’s working with you — because you’re going to have third-party vendors from every different product line that you have coming in to help you on these war room calls and things that you’re going to do — which are not people that you know.
And the reason I bring this up is — we have seen attackers be on the machines with us and on the remediation war room calls as you’re trying to kick them out. This is where we’re going to bring it all back to those deepfakes we started early on with, David. And we’ve seen them say, “I’m going to verify this is John who’s on the call. This is Tina who’s helping us out.” And someone is verbally verifying them — not visually, or not knowing what asset they’re coming from.
And we have seen where the attacker then is understanding what you’re doing to find them and eradicate them from the environment — and they’re able to stay one step ahead of you because they’re hearing everything you’re working on.
So while it may seem a little bit like lip service — that, hey, do a visual verification, know who these people are — it’s really critical to do that in your security events. Even if it’s someone you haven’t met, you just want to see them so you can see each time they join the call, they are the same person, they are in the same place. These things are happening with people you know, and it’s not somebody new who’s jumping on the call that’s untrusted.
David Puner: Are there any particular types of industries or organizations that are more susceptible to these new types of evolving threats that we’re talking about today?
Bryan Murphy: I have to say no, unfortunately. And that’s because they don’t have a bias. They’re going after whoever they can get. And if they’re able to get a credential, or get a phishing email to you, or craft something to get the credential from certain organizations — they’re going to take what they can get.
Now, I want to separate that from nation-state attacks and specifically crafted attacks against organizations. Those are still happening. For the general population that’s out there, any of us could be susceptible to this by clicking on a link, doing something that we don’t know, putting in our credentials on a site that’s not correct, where they harvest them from us — it can happen to any of us.
And this is why it’s so important that every single person — whether it’s your home life or your professional life — is very diligent about making sure they’re not clicking on inappropriate links.
David Puner: When you think about all of this — and the emerging threats and the evolving threats and everything that’s going on in the cyber world — how are you thinking about identity as it figures into all of this?
Bryan Murphy: The challenge I see with identity is that — with people — we’re building a digital footprint. And as these applications and platforms grow, our digital footprint and our digital profile is growing.
Now, the consensus is to have this all be one so that we can verify who somebody is by having one digital profile. It becomes challenging because now the attackers can really pinpoint who you are. They can say, “I know you go to Subway every Thursday, and you do this because I see you used your card to get your rewards.” And these different things happen — we’re building patterns that are able to be tracked with big data.
And it’s allowing for, obviously, corporations to use it to advertise and market more — and it has value. But it also has equal value to our adversaries as well.
David Puner: Whenever I talk with you, Bryan, you’ve always got some interesting insights into how we conduct security at a personal level — which obviously has broader implications considering that individuals together comprise an organization. What are you seeing on this individual level these days that we can learn from and bring into our professional cyber hygiene practices?
Bryan Murphy: I think the first one is — use a password manager. Use something to create unique, obscure passwords to what you use. And it sounds like an old term to say, but it’s not being done today.
I can’t tell you how many people I talk to and say, “What’s your password?” It’s their kid’s name and a date. It’s their dog’s name, plus another name that’s in there. And it’s very guessable.
But the more concerning part is not that the password’s guessable — it’s that they don’t have it unique across different platforms. They use it for, say, social media, for banking, for other financial trades they do online.
And one of the things I like to see people do in their personal life is try to separate and decouple your social media — say email address or username that you use there — from your banking.
And when you think about that — if someone steals your social media address, or some blog site you signed up for and they get your email address — what are they going to do? They’re going to go to the Capital Ones, the JPMorgans of the world, and they’re going to put that email address in and say, “Forgot password.” Right? They’re going to try to figure out where else you have accounts.
Well, if those two don’t match — well, your digital footprint is completely different between the two — and it’s going to prevent them from potentially stealing actual dollars or funds from your accounts.
David Puner: So on this podcast, we’ve talked about passwordless and passkeys and alternatives to passwords — and of course, all the problems with passwords that everybody knows about. In your mind, are passwords here to stay? I mean, the reality is we still have them. But what is your opinion about when we may no longer use passwords anymore?
Bryan Murphy: I don’t think we’ll ever get away from using passwords. I think it’s going to be more: when do we use passwords and when do we do it a different way?
Because if you think about a secret or a system we’re accessing — you’re always going to have a secret zero. The initial one that sets it up, the one that goes in — that will probably always have a password.
Where we’re moving with the industry — does that mean that I need a password to log into a website? Does that mean I need a password just to do basic things on the web or on a certain application I’m using on my phone? Probably not.
So I think we’re at the age where passwords will still exist, but they’re going to be less prevalent than they were before. And we’re going to move to stronger authentication methods for the different things that we do with our devices.
David Puner: And as you’re seeing it, are users generally using stronger passwords and usernames than in the past?
Bryan Murphy: I like to use the password analogy. When I say what people do, there are two analogies here that I’ve had that have really made people’s faces go “Ah.” You say, when you’re building a system, they use a TLA — a three-letter acronym — 123. So if you work for a company, it’s the TLA of that company, 123 is the password. And it’s generally the build account or the over-permissioned account to access systems.
Now, that’s somewhat gone by the wayside — but you still see it out there in the organizations.
David Puner: So differentiate those passwords and your username across accounts, no matter whether it’s in your personal life or at work.
Bryan Murphy: Yes. And we have precedent for this too, David. If you think about it — when you log into a system, don’t we do a dash A or a minus A account for your admin, and we do just your standard David account for logging into your systems?
We already have precedent for separating it out. We just need to now take it a little further.
David Puner: Bryan Murphy from the front lines — thanks so much for coming back onto the podcast. Great to talk with you and hope to see you soon.
Bryan Murphy: Thanks, David. Always a pleasure.
David Puner: All right — there you have it. Thanks for listening to Security Matters. If you liked this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop. And if you feel so inclined, please leave us a review — we’d appreciate it very much, and so will the algorithmic winds.
What else? Drop us a line with questions, comments — and if you’re a cybersecurity professional and you have an idea for an episode, drop us a line. Our email address is securitymatterspodcast (all one word) at cyberark.com. We hope to see you next time.