Cyber Security Headlines – September 16, 2025
Episode Overview
In this episode, host Rich Stroffolino of the CISO Series unpacks the day's most important cybersecurity news. The agenda includes sweeping changes to Android's security update process, findings on CISA's cyber employee incentive program, real-world adoption of LLMs by security practitioners, critical data breach disclosures, new sanctions over Russian cyberattacks, and industry insights into old vulnerabilities and insider threats.
Key Discussion Points and Insights
Android Shifts to Risk-Based Security Updates
[00:08–01:30]
- Change Announced: Google alters its Android Security Bulletin (ASB) strategy, focusing monthly updates on only high-risk vulnerabilities; other patches move to a quarterly release.
- Goal: Reduce testing/validation burden for OEMs and accelerate patch turnaround on critical issues.
- Result: Some months may see zero vulnerabilities listed in the public ASB.
- Quote:
- "Hopefully speeding up patch time on the most critical issues while giving them more flexibility in addressing less urgent ones." — Rich Stroffolino [00:38]
CISA Incentive Audit Exposes Mismanagement
[01:30–02:20]
- Backdrop: A Department of Homeland Security OIG audit reveals abuse and poor record-keeping in CISA's bonus program aimed at retaining critical cyber employees.
- Findings:
- Bonuses paid to non-cyber support roles.
- Inadequate documentation for bonuses and enrollments.
- Bonuses treated as improper back pay from 2022–2024.
- OIG's Recommendation:
- Do not end the program.
- Transfer responsibility to another office.
- Establish clearer guidance and record processes.
- Quote:
- "The OIG's audit found the program was used to pay employees in support functions outside of cybersecurity." — Rich Stroffolino [01:41]
How Security Practitioners Use LLMs: Anthropic’s Economic Index
[02:21–03:00]
- Report Released: Anthropic's Economic Index details Large Language Model (LLM) deployment across occupations, including by security professionals.
- Top Use Cases for InfoSec Analysts:
- Automating coordination of computer system plans with stakeholders.
- Creating documentation.
- Performing risk assessments.
- Developing incident response plans.
- Other Roles:
- Automation of security functions by web developers/administrators and network admins.
- Quote:
- "For information security analysts, the most popular use case was automating the coordination of computer system plans with stakeholders." — Rich Stroffolino [02:36]
Open Source AI Security Tool Benchmarks: CyberSOCEval
[03:01–03:48]
- Release: CrowdStrike & Meta's CyberSOCEval offers open source benchmarks for evaluating LLMs on security operations tasks.
- Focus: Malware analysis & threat intelligence reporting—areas where LLMs’ value is uncertain.
- Findings:
- Early results: "Middling performance" from major LLMs.
- Limited gains in security reasoning, unlike code/math tasks.
- Quote:
- "Because most models have not been trained to reason about cybersecurity analysis, they don't currently see similar performance scaling for additional analysis time." — Rich Stroffolino [03:37]
Major Data Breaches Disclosed
Fairmont Federal Credit Union Breach
[04:08–04:46]
- Incident: Over 187,000 affected after names, SSNs, payment card data, and more were stolen.
- Timeline: Attackers had access from September to October 2023; the credit union did not discover the breach until January 23, 2024, and did not conclude its investigation until August 17, 2025.
- Perpetrators: Black Basta ransomware group claims responsibility.
- Quote:
- "The attack occurred... credit union did not discover the breach until January 23, 2024, and did not conclude its investigation until August 17, 2025." — Rich Stroffolino [04:26]
Finwise Insider Threat Breach
[06:00–06:35]
- Incident: Former Finwise employee accessed sensitive data post-termination, affecting 689,000 customers (including American First Finance users).
- Discovery Lag: Breach on May 31, 2024; detected June 18, 2025.
- Remediation: Two years of credit monitoring offered.
- Quote:
- "No word, though, on how the former employee was able to access the info after employment, or the extent of the personal data leaked." — Rich Stroffolino [06:24]
Microsoft SMBv1 Issues Highlight Legacy Vulnerabilities
[04:47–05:24]
- Issue: The September 2025 Windows update disrupts SMBv1 file sharing on Windows 11, Windows 10, and Windows Server.
- Advice: Microsoft pushes users to drop legacy SMBv1, deprecated since 2014.
- Quote:
- "But really, please don't use CIFS, SMBV1 or any other ancient file sharing, please." — Rich Stroffolino [05:18]
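As an added example, not code from the episode or from Microsoft: a PowerShell audit that shows whether a Windows host still has SMBv1 enabled, whether any client is currently connected with an SMB1 dialect, and which hosts those clients are, so that the legacy protocol can be retired without silently cutting off a printer or an old NAS. The `-Remediate` switch and the `Get-Smb1Status` function are this example's own names; the cmdlets are the stock SmbShare and DISM cmdlets and need an elevated session on Windows 10/11 or Windows Server 2016 and later.

```powershell
# Added example (not from the episode): audit SMBv1 exposure on a Windows host
# and, only when -Remediate is passed, disable it.
# Assumes an elevated session on Windows 10/11 or Windows Server 2016+.
# Run read-only first; removing the SMB1Protocol feature needs a reboot.
[CmdletBinding()]
param(
    [switch]$Remediate
)

function Get-Smb1Status {
    # Server side: is SMB1 enabled on the file server service?
    $server = Get-SmbServerConfiguration
    # Feature side: is the optional component installed at all?
    # (On Server the equivalent view is Get-WindowsFeature FS-SMB1.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # Live evidence: any client talking to us with an SMB1 dialect right now?
    # SMB1 dialects report as 1.x; SMB2/3 report as 2.x / 3.x.
    $smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' }

    [pscustomobject]@{
        ServerSmb1Enabled  = $server.EnableSMB1Protocol
        Smb1AuditEnabled   = $server.AuditSmb1Access
        Smb1FeatureState   = $feature.State
        ActiveSmb1Sessions = @($smb1Sessions).Count
        Smb1ClientHosts    = @($smb1Sessions |
            Select-Object -ExpandProperty ClientComputerName -Unique)
    }
}

$status = Get-Smb1Status
$status | Format-List

if ($status.ActiveSmb1Sessions -gt 0) {
    Write-Warning "SMB1 sessions active from: $($status.Smb1ClientHosts -join ', ')"
    Write-Warning "Upgrade or replace those clients first, or they lose access."
}

if (-not $Remediate) {
    # Turn on SMB1 access auditing (event ID 3000 in the
    # Microsoft-Windows-SMBServer/Audit log) so stragglers that connect
    # only occasionally show up over the next few weeks.
    if (-not $status.Smb1AuditEnabled) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        Write-Host "Enabled SMB1 access auditing; re-run with -Remediate once the audit log stays clean."
    }
    return
}

# Remediation: disable at the server service, then remove the optional feature.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Write-Host "SMB1 disabled; reboot to finish removing the SMB1Protocol feature."
```

The two-phase flow matters: the session listing only catches clients connected at the moment the script runs, so the audit log is what tells you whether a nightly backup job or a monthly report still speaks SMB1 before you flip the switch.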
Geopolitics: New Zealand Sanctions Russian Cyber Actors
[05:25–06:00]
- Action: NZ sanctions Russian GRU-linked group (Unit 29155 a.k.a. Ember Bear/Cadet Blizzard) for attacks including Ukraine’s 2022 Whispergate incident.
- International Context: EU and UK have also sanctioned the same actors.
- Quote:
- "The group was responsible for the 2022 Whispergate attack on the Ukrainian government ahead of Russia's invasion of the country." — Rich Stroffolino [05:37]
Brief Feature: SMS Security & the Supply Chain
[06:36–07:00]
- Tease: Next podcast episode digs into SMS delivery supply chain as an attack surface, following the prominence of SIM-swapping and general SMS insecurity.
Memorable Quotes & Moments
- On supply chain SMS vulnerabilities: "There's also a whole supply chain for delivering these messages. That's an underappreciated attack surface." — Rich Stroffolino [06:45]
- On security legacy tech: "Microsoft reminds us that people still use old things." — Rich Stroffolino [04:47]
Important Timestamps
- Android risk-based security update change: 00:08–01:30
- CISA incentive audit: 01:30–02:20
- LLM use in InfoSec: 02:21–03:00
- Open source benchmarks for AI security: 03:01–03:48
- Fairmont Federal CU breach: 04:08–04:46
- Microsoft SMBv1 problem: 04:47–05:24
- New Zealand sanctions Russian cyber actors: 05:25–06:00
- Finwise insider breach: 06:00–06:35
- SMS security chain preview: 06:36–07:00
Summary
This episode paints a vivid picture of the evolving cybersecurity landscape, where even major platforms like Android are shifting strategies to balance risk and response times, while institutions wrestle with both legacy vulnerabilities and the complexities of human trust. The deep dive into LLMs and their nuanced real-world adoption underscores the profession's ongoing experiment with AI-driven tools, while high-profile data breaches and global cyber actions keep defense and accountability at the forefront. As always, the episode closes with a wink to both professionals and everyday users: don't use ancient protocols, and never underestimate overlooked attack surfaces—like the SMS supply chain.
