
A
From the CISO Series, it's the Department of No. This is Rich Stroffolino with the Department of No. Jonna Till Johnson, the CEO and founder at Nemeritis. I gotta ask, what is your priority this week, Rich?
B
I spend most of my time worrying about what risks to worry about. So it's very meta. Do I worry? What do I worry about? And am I worrying about the right things? So that's my priority: making sure I'm worrying about the right things.
A
So you're prioritizing your worries. That, you know, as someone raised Catholic, that's actually very, very reassuring to me. Jason Shockey, CISO over at Sendler FSB. What is your priority this week?
C
Finding a younger, less hairy me. So helping people with their cybersecurity careers. Who's gonna take my place as CISO?
A
Ooh, I like that. We're thinking about the future. We're perhaps worrying about the future, or worrying about worrying about the future in Jonna's case. I like this. I like this. Well, one and all, welcome to the Department of No virtual Monday strategy meeting. Thank you so much for making the time and wanting to learn more about how the news of the week is going to impact what you're doing. Our sponsor for today is ThreatLocker. Remember to join ThreatLocker for the most hands-on cybersecurity learning event of the year. That's March 4th through 6th in Orlando. We'll be talking more about that later in the show. Also, remember to get involved in our chat. You can do so on YouTube. Just say hi to us on there. It's going to be a fun time. We promise we're all nice in there, and if you want to send us an electronic mail, feedback@cisoseries.com. Just a quick reminder that all the opinions expressed on this show are in fact those of our guests and myself, I guess, and not necessarily those of any employers, friends, past associates, anything like that. We've got about 30 minutes, so let's dive in. We gotta get started with Know or No. This is where there's so much news this week, we can't do deep dive discussions into everything, but this gives us a chance to say, hey, do we need to know a little more about this, or no, thank you, good headline, but maybe that's about it. Let's start out with this first story here. Call it an unpleasant candygram for MongoDB. Attackers are actively exploiting a critical vulnerability dubbed MongoBleed following publication of proof of concept code. Rapid7 urges immediate patching. I gotta ask, put some context on how critical something critical in MongoDB is. Jonna, for you, is this know a little more, or no, thanks?
B
Honestly, it's very binary, because if you're using MongoDB, you know, and you better be paying attention to it. MongoDB is pretty well... I remember when it first came out several years ago; it's pretty well expanded in the industry. So it's definitely one of the SaaS apps to watch, and a lot of people have been using it for their database development. So there's a sub-cadre of people for whom this is absolutely essential.
A
Jason, what about you? Do you need to know a little more about this? Are you in that cadre or is it.
C
Know more for you, absolutely. Know more: active exploitation, and if you have a potential impact, then you're looking at some likelihood. So yeah, know more.
A
All right, next up here, N8N servers are having not a great time here. There was a critical vulnerability found called Nightmare, or N8N-mare; pronunciation is tough on all of this, but basically it allows for hijacking of locally deployed N8N workflow automation servers. The flaw was discovered and disclosed to N8N through responsible disclosure practices back in November, with a maximum severity of 10.0. I mean, congratulations, you nailed it, you aced the vulnerability. And it is considered open source, so it shines a light on the vulnerabilities that we see, kind of the good and the bad here, right? We can get lots of sunlight on here; we can see exactly where it is in the code. But for you, Jason, is this know a little more, or no, thanks?
C
It's know a little more, especially with the blast radius that could occur as far as with automation tools and, you know, across enterprise environments. So know more. Definitely dig in.
A
Jonna, what about you? Where's your mind at with this one? Do you need to know a little more about it?
B
Again, it's binary. If you're using N8N, you absolutely must know more, just like if you're using MongoDB, you absolutely must know more. If you aren't, the only thing to really pay attention to is the fact that workflow automation can be subject to vulnerabilities. So keep an eye on it, but not that interesting. It's like, if you're using this particular tool, it really matters. In this case, yes, it really matters.
A
I was talking about this with someone on our team, and I said this is the devil in the details of this, because it's all locally everything. All these are either hosted on VPS or through cloud services. There's 80,000 of these servers that are exposed online. But the blast radius isn't, if you own one, if you use this vulnerability on one, you don't access 6,000 organizations. It was seeing a more disaggregated approach. The pros and cons of that from a security standpoint are interesting with this one. Next up here, Microsoft. Starting in February, Microsoft will start enforcing multi-factor authentication for all users accessing the Microsoft 365 admin center. Meaning now, if you're not clear here, that this will block those without MFA enabled from signing in to Microsoft 365 admin portals. Jonna, know a little more on this, or no?
B
Absolutely. Now, leaving aside the fact that Microsoft should have done this a decade ago, Microsoft has been talking for a year, giving strong recommendations as to configuration. Now they're saying, look, I think it's November... February 9th, basically. At that point you will not be able to log on as an admin without MFA. So get ready for it, pay attention to it. Definitely know more, because Microsoft is so widespread and used so widely. Microsoft 365, I should say.
A
Jason, what about for you? How is this one striking?
C
Yeah, definitely agree, know more. Don't want to get locked out of your admin accounts. Plus, to Jonna's point, this should have happened a long time ago. So it's welcome.
A
It's interesting, right? Microsoft is always in that problem of they have to move as fast as the slowest person, or at least they feel like they have to, because they have such a massive footprint, right? And so yes, this is a decade too late, but when they set the deadline, theoretically, unless they do an exemption because 50,000 organizations can't do it all of a sudden, overnight, at least we're in a better place. So it's kind of the... again, I think an interesting two sides of the coin there for this, but I agree with you. Microsoft, come on, we could have turned this on. All right, and last up here, phishing actors are using a wide variety of phishing messages related to phishing-as-a-service platforms, things like Tycoon 2FA, with lures themed around voicemails, shared documents, communications from human resource departments, password resets or expirations, and others, leading to credential phishing. This was coming out of a Microsoft report. That report suggests tightening up DMARC configuration and some other email settings. Do we need to know a little more about this, Jason, or no, thank you?
C
Know more. Definitely. DMARC, SPF, DKIM: set those to reject to make sure that they are at the highest levels that you can make them for your organization, and get there quickly. So know more.
A
Jonna, what about for you?
B
Absolutely agree. Know more. This is really risky, because when something comes internally, most users have a fairly straightforward algorithm for deciding whether or not to trust something. If it looks like it's coming from Rich, I trust it. So I'll click on that shared document. So this is a really big deal.
A
Yes, yes, I like that. Thinking about, we talk about the human issue with cybersecurity, the human algorithm. I think that's a really healthy way of thinking about that. Right? The algorithm is just doing what we trained it to do, clicking on those dang emails. Let's just reject all the things with your email. Come on, come on. All right, before we move on to our deeper dive discussion, we've got some meaty topics to get into. Have to spend a few moments and thank our sponsor for today, and that, of course, is ThreatLocker. Want real zero trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain zero trust in real environments. Join them on March 4 through 6 in Orlando. Plus, there is a live CISO Series podcast episode on March 6. Get $200 off with the code ztwciso26 at ztw.com. That's ztw.com for those of you not in the U.S. All right, next up here, let's dive into the discussion. First up, Brightspeed is investigating an old breach. Brightspeed is a major US fiber broadband provider serving 20 states, and it's investigating breach and data theft claims made by the Crimson Collective extortion group, which, for an extortion group, I'm going to say is a pretty decent name. Brightspeed confirmed it's probing a potential cybersecurity incident but has not verified the claims. I think it's interesting here. Let's put this in the infrastructure story category, I guess another one of our death-by-a-thousand-cuts stories. These types of breaches may be for data theft only, but they also reveal a little bit of the fragility of public access to the Internet and all the implications that has. It's not that much different than hacking a water treatment plant. I guess you can't die from lack of Internet. But I'm curious, Jonna, what's your take on this?
B
I don't know. This to me is kind of a whole lot of nothing. I mean, not that it's unimportant to a user whose data is now floating around on the dark web, but good God, if you thought your data was private before, you were woefully confused. This is just, you know, this is just yet another large company misplaces your data accidentally. It's happened with AT&T, it's happened with Verizon, it's happened with even larger companies. So it's kind of like, eh, you know. Keep in mind that what they're basically not saying is that they're somehow taking down the infrastructure. What they're saying is, oh, we stole user data. It happens. I think everybody's aware of that. Here's yet another one, is kind of the way I would put it, but I'm not feeling like this is a really big deal.
A
Jason, what about for you? Are we five minutes away from a two-years-of-free-credit-monitoring email coming out from the fine folks at Brightspeed, or why did the story strike you?
C
That always seems to happen. You know, these are the stories that come in. I think it's, you know, be aware of it. It's just yet another story, like Jonna was saying, that you need to be aware of. It's, I always say, gain wisdom cheaply. So if somebody else has a breach, then what can you learn from this? You can go back and look at your third-party vendor management. You can also look at, you know, further, how are you protected against credential stuffing and social engineering attacks.
A
So it's a reminder. What about the optics of this? You know, right where it's a threat group making this claim and kind of putting Brightspeed in the hot seat here. I mean, I guess from a security organization standpoint, when you get a claim like this, you're like, oh, I was not aware of that. Like, what, do you have to treat it the same? Whether it's, you know, always assume breach. When you get kind of news like this, Jason, I'm curious from your perspective.
C
So we're in the breach containment era. Companies will get attacked, you will be breached. How you respond to those is the measure that I'm looking at now. How fast can we recover? How fast can we fight through that attack and that breach? So it's just par for the course. It's just yet the next company that's in line, it's in the queue, and, you know, these attacking groups get bragging rights. But okay, yeah, and I, I just.
B
Have to back you up 100%, Jason, on that whole assume breach. And the metric of success is how quickly, what we call our median total time to contain the breach. Not remediate, just contain. And that's our quick and dirty way of assessing how sophisticated a cybersecurity organization is. How quickly can you tell that something happened that might be a breach, how quickly can you determine that it is in fact a breach, and how quickly can you shut it down? That's the median total time to contain. And that's the metric that we look at when we assess cybersecurity organizations.
C
Yeah. And coming from a cyber incident response background, if it helps the listeners stop the bleeding, start the breathing, treat for shock, make sure that that bleeding stops, then you can actually get into what Jonna was just talking about, contain that thing, get business back up, and then go through the admin pieces.
B
To be clear, when I say contain, I'm talking about stop the bleeding. You know, that's really where we're saying the same thing. My image is a little more homey. It's like you saw the bug, you slam the bell jar down on it. Oops, now the bug's not going anywhere. You haven't solved the problem, but at least you got that back.
A
Let's lift the bell jar here for a second and let a wild David Spark out.
D
Wild David Spark. He's out of the loop. So everything you're saying, of course, agreement. But what I just want to say is we hear this time and time again, specifically in that the way cybersecurity leaders are measured is how they respond to an incident. That is their measurement. Not often that they stopped something, which we rarely know about, but it's how they do it. And it's also the measurement of, is this a company I want to work with, in that how did they respond to that last breach? Was it a good experience or a bad experience? And good and bad defined by what the two of you just said now.
A
And I will also just add comms and transparency. Outside of the, like, I realize, like, you know, you're in the middle of it, you're in the thick of it, but that should be planned when you're planning your incident response as well. That to me goes such a long way. Listen, I know all this stuff is hard, right? I cover it every single day. I know that this is, you know, eventuality kind of stuff, but yeah, transparency and comms always go a long way.
D
Let me throw up one more thing on just that, and I know I've said it on shows before, but Andy Ellison said that this was something that he used to do that I thought was fantastic. Whenever they got together during an incident and they would have regular check-ins, it was planned that the communications that would be sent out publicly were written before the meeting. And so the idea was, oh yeah, are we releasing this or not? Not a discussion of what are we going to say; the what are we going to say happened before the meeting, and the discussion is, is this thing going to get released or not? And then that allowed for sort of faster engagement in communication with.
C
And those pre-scripted messages do show to the public that they've considered this, they've rehearsed it, and they've actually had a tabletop exercise about it to...
A
...create, and they're ready to blame the users. Always blame the users. This has never backfired in the history of all incident response.
B
Well, honestly, incident response isn't about blame. That's the key thing. And that's actually one of the other key things: we always recommend that folks have pre-scripted responses, that people keep their response trees updated, because you will not believe how often the source of information for who to tell, who to communicate with, has also been breached. And so now you can't get access to it for some reason. So there's that. But the other thing is, blame is orthogonal to what you're trying to accomplish. Use the NTSB approach, the National Transport Safety Bureau approach, to analyzing an incident. Look at what happened. Refrain from casting blame. Just analyze and you'll get better anyhow.
C
Yeah, character counts in people. Character counts in companies too. Be transparent with what you know and get the job done to stop that bleeding.
A
Or SCCL just says in our chat, or the intern. Either one, either one are valid, you know, kind of excuses. All right, all right, we got to move on here. Our next story here: no MFA, no problems. Maybe a little acknowledgment of our Know or No segment here. Thanks goes out to researchers at Hudson Rock for reminding us that certain companies, we're not going to say who, except that they're the engineering firm Pickett and Associates, Spain's Iberia airline, and the Japanese home builder Sekisui House, haven't been doing their MFA homework. Data was stolen by threat actors, and this was achieved because none of the organizations listed had enforced MFA for logins. The logins were inevitably stolen, and then they could just easily log in. Some people train their dogs by using a spray bottle of water to remind them, hey, you're not doing great here. Do we need an industrial-sized spray bottle to send around to companies who aren't doing their MFA? We could start with probably Microsoft, right? Like now, now they have the spray bottle, maybe they can do it. You know, Jason, what are you thinking here?
C
MFA, I think, is proper cyber hygiene. If you don't have it, then you're not clean. So put it in place.
A
Jonna, are you putting on the MFA deodorant here? As everybody is the same, this is completely obvious.
B
Yes. Why would you not do MFA? Again, some, if you're less sophisticated or for other reasons. Not that Microsoft is unsophisticated. Microsoft's real justification for not enforcing it has always been that they want to be user friendly. They don't want to make it difficult for the users. At some point you just got to suck it up and deal. And at this point, you know, certainly several years ago, users have gotten socialized to the fact that they're not going to log into their bank without getting a, you know, a ping to their phone. Like, they get it. So nobody's going to freak out if they have to use MFA.
A
All right here. And it wouldn't be an episode of Department of No if we didn't at least talk about something LLM or AI related here. So prompt injection problems keep needling us all, keeping us up at night, et cetera, et cetera. Researchers at Radware say they identified several vulnerabilities in OpenAI's ChatGPT service that allowed the exfiltration of personal information. This current issue surrounds an indirect prompt injection attack called ShadowLeak that, in short, allows malicious instructions in a Gmail message, for example, to get ChatGPT to transmit a password without any intervention from the agent's human user. In the meantime, there's a new CVE-numbered vulnerability in the Terminal Controller MCP, that's Model Context Protocol, server. In version 0.1.7, the execute command function allows attackers to execute arbitrary commands through a crafted input. This vulnerability scored a 10 out of 10. Again, the Olympics are coming up; I feel like we're all getting ready. And it is of special interest because agentic AI is still a hot commodity, and this Model Control Protocol server links terminal access into the web of agent actions, giving AIs that are now pretty capable coders access to the command line, which, if you do the math, is, I believe, bad. This is another incarnation of the perennial favorite class of vulnerabilities, improper neutralization of special elements in a command. Jonna, you brought this one to the party. What about it speaks to you?
B
Well, I think there's a couple things. First of all, an awful lot of people are still going, what's MCP again? Which is no surprise because it really gained a lot of momentum through 2025. It is the protocol that allows agentic AI to talk to one another, which is basically the way to think about it. So then everybody goes, oh, okay. Because most companies have been pushing. Anyone who's doing anything in AI is usually pushing agentic AI. So all of a sudden now you've got a massive vulnerability in the control, in the controller that manages this communication between agentic AI. That is, let's put it very simply, not a good thing. Right. So fortunately, the fix is what the fix always is, which is either patch or upgrade. In this case, it's upgrade. But being aware that you are introducing brand new risks, you know, you asked what I worried about. One of the things I worry about is the fact that people don't worry enough about the risks that AI is bringing to them, because there's a broad spectrum of risks that are associated with AI, not necessarily the obvious ones. Here's an example of one that's on the technical side of the spectrum, but very real.
A
Jason, what about for you? I mean, how are you, you know, how are you handling that worry, right, of we don't even know, kind of we're not fully weighting what we're bringing into our organization as we're so quick to want to use these new agents and stuff like that.
C
Yeah, if it helps the listeners. Governance and guardrails. Do you have the proper policies, charters and documentation to say, this is how we're going to use AI, this is how we're going to actually govern and protect against it. And then have that architecture with the guardrails that will just protect the users. Starting with the models. You know, we've known for a long time that the model, if there's a problem with the model, then it's going to be a problem for everyone. So make sure you have the governance and guardrails in place.
B
Well, and I would just peg to that. I think people know that they should do that. I think people. You're right, Jason. They're not doing it, but at least they know they should do it. I don't think they've stopped to say, hey, how secure is the. Is the glue that connects all these agents, you know, separate, which is almost orthogonal from the models themselves. It's like, hey, have you looked at the infrastructure here? Because you don't need to just secure the models, you also need to secure the infrastructure across which the models are communicating, which is probably not something people thought about.
A
In some ways, it kind of reminds me of some of the crypto stories that we were finding, where you wouldn't necessarily target the exchange, you would target the bridge between the connection points; those are the weak points. And this kind of gets back into the N8N vulnerability, too. The major use case for that that I've been seeing, I've been playing around with it to kind of get some automation started. And one of the big use cases is, hey, you can take all your inputs from a database, feed them into an AI agent, that AI agent can spit out an output that you can... then again, because it's this central connection point, it becomes this really tasty target for a 10.0 security vulnerability. I think that will be something that we keep seeing for as long as we're in this kind of, I don't know, wild west era of AI stuff right now. All right, before we get out of here today, I gotta ask. Jason, I'm going to start with you. A lot of big topics today, a lot of things to be worried about, maybe some things not to be worried about, which I liked. Any piece of advice that you can share with our audience today that just kind of stood out to you?
C
Yeah. As a CISO, make sure that you know where you're going, know where your cybersecurity program is going. Because if you don't know what maturity level you're at or the road that you're taking, any path is going to get you there. And it could be the wrong one. Because OWASP has a Top 10 for LLMs, and it's been out for a couple of years. Maybe people should read more.
A
I like that. Don't coast; control your own destiny as a security leader. I like this. This is some positivity. All right, Jonna, are we going to keep the positivity vibe going with the advice? What do you got?
B
I just say I'd circle back to this whole concept of median total time to contain. And every time you're doing something in your organization, ask yourself how it's going to help you with that. Are you going to be able to detect that something weird happened faster? Are you going to be able to determine that that weirdness is in fact a breach faster? Are you going to be able to contain that breach faster and better? If the answer is no to any of those things, you might ask yourself why you're not doing it, why you're doing it.
A
All right, well, thank you both for making the time, being on the Department of No. Always an absolute pleasure and a privilege to have you both on. I know you're both busy folks. You got a lot of stuff going on. Jonna, tell people what you have going on in cyberspace, where they can find more of what you're doing.
B
Go hit us up on Substack, nemities.substack.com. There's a Contact Us tab at the top if you want to find out more. And you can just scroll through and read whatever we have posted back through the years.
A
And Jason, I know you've got some stuff coming up if people want to hear what you're up to. Where can they find you?
C
Absolutely. I'm speaking at the MBA Servicing Conference on Cybersecurity Programs and AI Protection in AI Security on February 18th in Texas. And you can always find me on LinkedIn.
A
Please reach out. Fantastic. We will have links to all of that goodness, LinkedIn, Substack, speaking engagements, all of that good stuff in our show notes, so make sure you check that out at cisoseries.com. A huge thank you to our sponsor for today, ThreatLocker. Remember to join ThreatLocker for their most hands-on cybersecurity learning event of the year. That's March 4 through 6 in Orlando. You can find more details in the show notes as well, and remember to send us feedback. feedback@cisoseries.com is the electronic mail address. Remember to join us next Monday, 4pm Eastern, for another edition of the Department of No. To register for the show, head on over to cisoseries.com and click on the Events tab. You'll find all the information there. Remember, you can subscribe to our events calendar as well. If you haven't already done that, everything will already be in your calendar. You will never miss a live event, anything that we have going on in your area. We have live shows all the time, so that is always fun. A big thank you to the big boss man, David Spark, for popping in on the show, and as always, a huge thank you to our glorious producer Steve for making the show as smooth and as glorious as it possibly can be. Thank you so much for joining your Monday standup. Have a great week. And for all of us here at the CISO Series, here's wishing you and yours a super sparkly day. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Episode: Brightspeed Investigates Breach, Prompt Injection Woes
Date: January 12, 2026
Host: Rich Stroffolino
Panelists: Jonna Till Johnson (CEO, Nemeritis), Jason Shockey (CISO, Sendler FSB), David Spark (CISO Series)
This episode of the "Department of No" dives into the week's critical cybersecurity stories with expert commentary and practical takeaways. The panel weighs in on major vulnerabilities (MongoDB "MongoBleed", N8N's "Nightmare"), Microsoft’s MFA rollout, evolving phishing tactics, a breach at Brightspeed, the persistence of MFA failures, and the scary reality of AI prompt injection. The episode blends insightful, sometimes irreverent expertise with actionable advice for CISOs and security practitioners navigating today’s rapidly shifting risk landscape.
MongoDB “MongoBleed” Vulnerability
"It's very binary because if you're using MongoDB, you know, and you better be paying attention to it." (02:24)
"Absolutely, know more. Active exploitation, and if you have a potential impact, then you're looking at some likelihood. So yeah, know more." (02:51)
N8N “Nightmare” Workflow Automation Flaw
"It's know a little more, especially with the blast radius that could occur... definitely dig in." (03:43)
"If you're using N8N, you absolutely must know more... The only thing to really pay attention to is the fact that workflow automation can be subject to vulnerabilities." (03:57)
Microsoft 365 Admin MFA Enforcement
"Microsoft should have done this a decade ago... at that point you will not be able to log on as an admin without MFA. So get ready for it, pay attention to it." (05:11)
"Don't want to get locked out of your admin accounts. Plus... this should have happened a long time ago. So it's welcome." (05:43)
Phishing-as-a-Service Lures
"DMARC, SPF, DKIM, set those to reject to make sure that they are at the highest levels..." (06:50)
"This is really risky because when something comes internally, most users have a fairly straightforward algorithm for deciding whether or not to trust something... If it looks like it's coming from Rich, I trust it." (07:03)
Breach Claims by Extortion Group Crimson Collective
"This to me is kind of a whole lot of nothing... yet another large company misplaces your data accidentally." (09:18)
"Gain wisdom cheaply. So if somebody else has a breach then what can you learn... look at your third party vendor management." (10:14)
"The way cybersecurity leaders are measured is how they respond to an incident... Is this a company I want to work with in that how did they respond to that last breach? Was it a good experience or a bad experience?" (12:41)
Incident Response Strategies
"The metric of success is how quickly... you contain the breach. That's the median total time to contain." (11:28)
"Stop the bleeding, start the breathing, treat for shock... then contain that thing, get business back up." (12:00)
Effective Communication
"Communications that would be sent out publicly was written before the meeting... allowed for faster engagement." (13:47)
"Blame is orthogonal to what you're trying to accomplish... use the NTSB approach... Refrain from casting blame. Just analyze and you'll get better anyhow." (14:46)
Companies Still Not Enforcing MFA
"MFA, I think, is proper cyber hygiene. If you don't have it, then you're not clean. So put it in place." (16:38)
"Why would you not do MFA... At some point you just got to suck it up and deal." (16:53)
AI Risks: Prompt Injection and MCP
"People don't worry enough about the risks that AI is bringing... here's an example of one that's on the technical side but very real." (18:49)
"Governance and guardrails. Do you have the proper policies, charters, and documentation to say, this is how we're going to use AI...? Make sure you have the governance and guardrails in place." (20:06)
"You don't need to just secure the models, you also need to secure the infrastructure across which the models are communicating." (20:32)
"[It] reminds me of some of the crypto stories... you would target the bridge between the connection points... that's the weak point." (21:04)
On Risk Prioritization:
"I spend most of my time worrying about what risks to worry about. So it's very meta."
– Jonna (00:17)
On Succession Planning:
"Finding a younger, less hairy me. So helping people with their cybersecurity careers."
– Jason (00:43)
On Human Behavior in Phishing:
"Most users have a fairly straightforward algorithm for deciding whether or not to trust something. If it looks like it's coming from Rich, I trust it."
– Jonna (07:03)
On Incident Containment:
"The metric of success is how quickly... you contain the breach. That's the median total time to contain."
– Jonna (11:28)
On Communication During Breach:
"Communications that would be sent out publicly was written before the meeting... allowed for faster engagement."
– David Spark (13:47)
On Blame:
"Blame is orthogonal to what you're trying to accomplish... use the NTSB approach... Refrain from casting blame."
– Jonna (14:46)
On AI Risks:
"People don't worry enough about the risks that AI is bringing... not just the models, but the infrastructure between them."
– Jonna (18:49, 20:32)
Closing Advice
Jason:
"As a CISO, make sure that you know where you're going, know where your cybersecurity program is going. If you don't know what maturity level you're at or the road that you're taking, any path is going to get you there, and it could be the wrong one... Maybe people should read more." (22:11)
Jonna:
"...circle back to this whole concept of median total time to contain. Every time you're doing something in your organization, ask yourself how it's going to help you with that." (22:40)
This episode stresses the importance of foundational practices (enforce MFA, patch, tighten email security), the need for better communication and transparency in incident response, and the urgency of preparing for both present and emerging risks, especially in AI. The panel is pragmatic, candid, and leans into actionable wisdom for those facing the "Department of No" decisions every security leader encounters.
Links to resources, speaker profiles, and referenced stories are available at cisoseries.com