
A
From the CISO Series, it's Cybersecurity Headlines.
B
What brought AWS to a crawl? China accuses NSA of hacking National Time Center. And 996: it's not an area code, it's your new work week. These are some of the stories that we have selected from this past week's cybersecurity headlines. And we are now looking forward to some insight, some opinion and indeed some expertise from our guests, David Cross, CISO at Atlassian, and Montez Fitzpatrick, CISO at Navis, both veterans of the Week in Review. Glad to have you both here on this, our last Week in Review show. Thank you both for being here. I can't wait to get into the news.
C
Well, thank you, Rich. You know, last time you said was the last time, but here I am.
B
You know, when a good thing's happening, you don't want to stop. I think we'll get into what's coming next. Don't worry, there's more of this. If you like this, we will have more of it. Stick around for the end of the show; we will get to it. Before we do so, I have to thank our sponsor for today, ThreatLocker. Assume everything is a threat. If you are listening to this show as a podcast, remember that next week you can join us and our loyal band of vocal experts on YouTube Live for our new show, the Department of Know. That's coming up on Mondays at 4pm Eastern, starting this Monday, October 27th. Same idea. It's more of a briefing to get your week started. So I hope you will join us for that. We're super excited for that. For those of you that are here right now, though, be sure to contribute in the chat. We already have Kevin Farrell blaming some DNS in the chat. I have a feeling he's going to be accurate there. Michael Vinding as well, Will Andrews as well. Always good to see everybody in the chat. And if real-time communication is not your thing, feedback@cisoseries.com is the email. Can't wait to see some of those. Before we jump into the news, just a quick reminder that these opinions are our guests', not necessarily those of their employers or anyone else. They're just rolling with their own. We've got about 20 minutes, so let's get it started here. First up, David, I need to know from you and Montez, what was your biggest story in cybersecurity this past week? I'm going to start with you, Mr. Cross.
A
I have to admit that with CISA being shut down, right, and being, you know, layoffs and things like that, and how that affects the small and medium enterprises, right, that rely upon kind of the assistance in the area. I think this is one of the interesting challenges that we may be facing here in the near future, that maybe we need a greater community to kind of help out.
B
Yeah. And we've definitely seen, I'm thinking of, Craig Newmark has done some stuff with this, with civil organizations and stuff, I mean, of many. But yeah, something maybe more organized to step up into that gap here. Montez, for you, what was the biggest story in cybersecurity this past week?
C
Can I say ditto?
B
Yes, I will allow it.
C
And, of course, for all the reasons that David mentioned. But, you know, as well, and I'm sure David also has some connections like I do, you know, know some folks over there, and there are, you know, very high-quality individuals that are over there, you know, good peers. And it's just, you know, it's a shame, because what's provided was necessary.
B
Yeah. And I always like to say, you know, civic-minded too, right? Like, you're not working for CISA because it's the best paycheck you can get. Benefits probably pretty good. But, like, you know, people that are very mission-focused, right, usually are kind of drawn to those roles, or, you know, especially as you get kind of in the upper echelons of leadership there. So yeah, definitely it's easy to forget the actual people that this impacts, as opposed to the scope, you know, of how this will impact the industry. So thank you for bringing that into focus, Montez. I appreciate that.
A
Well, the one thing we do know, it wasn't DNS that's causing that. So I'll leave it at that.
B
You know what, you found the silver lining, because we cannot say the same for AWS this past week. DNS race condition brought AWS to a crawl last Monday. This was a story that caught everybody's eye. When AWS goes down, it tends to, I don't know, bring most SaaS apps with it, it seems like. And it turns out the cause of this most recent outage was a DNS failure, specifically a race condition in DynamoDB's automated DNS management system that left an empty DNS record for the service's regional endpoint. Oops. I mean, we've all had bad days, and even a large player, every large player that's been in this category has made a similar mistake at upgrade or coding or something like that, and things just tend to go kablooey. I'm curious though, given the scale of these types of outages, specifically for AWS us-east-1, how do you feel about the solidity of the global Internet ecosystem? Montez, what are your thoughts on this?
C
Well, I think the most important aspect of this is that Amazon said, I'm sorry. Let's not, you know, take that for granted. You've been in technology for long enough, you know, that you just can't trust technology. And I think that we would be, you know, behooved to ensure that we aren't really just focused in on one particular stream, right? And so, you know, it's incumbent upon us to ensure, you know, the availability of our systems, and that may mean, you know, diversification.
B
I mean, David, for you, is the fault not in our stars, but in our multi-cloud?
A
Well, great question. Certainly I think I felt it firsthand myself, because, hey, it was a Monday Night Football game, and as a season ticket holder for the Seahawks, it's mobile tickets. I can't get my mobile tickets. Oh, what's going to go on? But this makes you take a step back and say, well, what if there was something on security I was depending upon at that moment, right? Would I totally be lost, not have security? And so I think this is where organizations and people, say the Marconi Society, I think next month, like the Internet Resilience Forum and workshop, how to look at this broader problem and solve it. Because Amazon may be able to do some things, but think about everyone else. How do they have resilience in these types of cases?
B
Yeah, that's one of those things where you build out your infrastructure, but when the failure is AWS, that does make it tough. I've seen kind of calls for, my favorite part about any of these kinds of outages is the deluge of LinkedIn think pieces of what this can teach you about whatever business subset you have on there, of varying degrees of, oh, that's actually insightful, to, oh, this is clickbait. One of the more interesting ones that got me thinking, and I can't remember who wrote it, I do apologize, was kind of calling for AWS, Cloudflare, name a piece of Internet infrastructure, treating that like critical infrastructure. Thinking about it kind of in those terms. I don't know if that helps people that are building and trying to build resilience depending on that, but does that kind of line of thought have any credence for you, Montez?
C
As I'm thinking about catching up to what you're saying, the first part was, I was like, man, I missed out on getting in on some of the grift myself. That's me. That's a fault of mine. I need to rectify that. But, you know, seriously, the reality of the situation, you know, that we're facing and what it actually means to be, you know, critical infrastructure, where that's actually a named, you know, something, whether we're naming it or not, I don't know that that actually matters. And so, you know, the functional piece of it is that it is critical for a lot of, you know, organizations. And then, you know, if you are relying on that criticality, I think that it is incumbent upon you as a technologist to ensure that, you know, these critical pieces stay up. Now, if you mean it from the broader aspect of, like, okay, like national infrastructure, now that is potentially a different conversation, and I don't have the answer to that, but I bet you David does.
B
Yeah, I mean, David, like, obviously that carries a lot of baggage with it, right? When we're framing it in those kinds of terms. Is that too bombastic, or given that, hey, I couldn't get into my Monday Night Football game, potentially, you know, that's pretty. If that's not critical, what could be?
A
Well, it's not the end of the world. The Seahawks still won, right? So I'll leave it out. But I think this is what, you know, say chaos theory and Chaos Monkey and things like that. It's like, this is what resilience is all about, and, like, you know, why we're trying to, as a community and things like that, how we are ready for these, right, and have that resilience. And I think that's the biggest takeaway from my point of view.
B
All right, well, next up here: China accuses NSA of hacking National Time Center. China has accused the NSA of carrying out cyber attacks on its National Time Service Center, claiming the attacks exploited messaging service vulnerabilities and 42 types of special cyber attack weapons, sure, between 2022 and 2024. The center maintains and distributes China's official standard of time, and this supports critical systems like communications, financial frameworks, power grids, transport, defense, space shuttle launches. You name it, it's in there. Meaning any disruption could have widespread consequences. Sounds like a single point of failure to me, David. I guess you could say that time is on our side for this situation. And now let's throw all the geopolitical grains of salt we need to on this. But assuming this accusation is correct, would you worry about any unanticipated repercussions, including those widespread consequences? China, if I recall, seems like they have a pretty big footprint.
A
They do. And certainly, I think, one of the things I always think about is this is kind of standard procedures that we've known about for the past, I don't know, hundreds of years, or maybe the past hundred years.
B
Right.
A
Is that there are spies, there's activities, there's some stealth activities, and sometimes they get exposed. Right. And I'm not personally, I'm not alarmed by this because I think they're going to continue to understand where the weaknesses are in various places. And this is what governments do to plan for various things in the future.
B
Montez, is this, I guess, geopolitical power at work? Just, you know, this is, cyber is now just part of the toolkit, right? Within this, as opposed to diplomacy, you know, military. That cyber is just another avenue for that.
C
Yeah. I don't think we did it. No, no, no, of course we didn't. Come on, now. It was funny. And so, yes. Is it, you know, part of the, you know, the geopolitical package? It is sort of funny, or that this was an accusation that was levied against us just after we levied an accusation against China for doing critical infrastructure? I mean, you know, yeah, who knows? Is this, you know, is this a game? It's kind of like a part of, like, hey, don't make me hit you kind of thing, right? And so I don't know if that is it, you know, it just seems awfully convenient that after we've accused China of doing some critical infrastructure sort of, you know, tradecraft, that then they say, well, oh, well, then you guys, as well, have also done this, which I think we all know that everybody's doing a little of everything.
B
Yeah. A little bit of tit for tat. And also, I mean, I always think of this in terms of, like, proving capability, right? Like, at a certain point, like, the NSA almost being found out isn't beside the point; it's knowing that they can do operations like this. So, you know, again, kind of showing, like, hey, if the geopolitical situation changes, there could be, these are some of the consequences that we're capable of, on both sides of this, and obviously other nations as well. Like, this isn't just China and the US either. Next up here, deep tech work culture pushes for 72-hour work weeks. The pace and intensity of development and growth in the tech sector responsible for AI, semiconductors and quantum computing has resulted in many companies eyeing an extended work culture to keep up. An article in Wired describes the spread of the so-called 996 work culture, already established in China, in which employees are expected to work from 9am to 9pm, six days a week, thus creating a 72-hour workweek. As the article states, many startups in the US are asking prospective employees if they are willing to commit, and to get the job, the answer needs to be an unequivocal yes. David, from your perspective, do you think CISOs would be willing to ask their employees to commit to a 996-style work culture? And would a 72-hour workweek actually be a reduction from your current time obligations as a CISO?
A
Wow. 72? Wow, what a dream that would be. Well, you know, I think there's an element, or certainly, and I think that you've got to look at the overall, you know, expectations and the rewards that go with it, right? There's various different roles that you can say, hey, it's a 9 to 5 job. There's other ones that you have on call, there's other ones that you can have incidents, response and those types of things. I think the most important is everybody, you make a choice, right, on what you want from a work-life choice, not work-life balance, but saying that, hey, these rewards that I can get for being on call five weeks a month, or is it an element that, no, I don't want to have that? And hey, there may be lower compensation with that. And certainly, I think it leads to, I think it was yesterday's Wall Street Journal where they're talking about, you know, the people in AI saying, hey, you're working the 100-hour work weeks, right? But maybe you'd be getting million-dollar bonuses. Well, you can make a choice. Is the 100-hour work week worth a million-dollar bonus or not? So Montez, are you up for the 1 million, or no? You're 9 to 5?
C
Well, I would say, you know, a 12-hour work week on college football Saturday is heinous work. Let's just say that off the jump. But, you know, there is a risk-reward if you are duly compensated for the extra time and that, you know, that matters to you, you know, especially, you know, if you're maybe a, you know, a young gun, such as myself, right? Just to, you know, that would be, you know, willing to, you know, do that for a bit of time, just to reap some reward. But I think the overall sense of it, you know, unless, you know, you are, you know, entrepreneurial in spirit, right, that's not just something that can be really tractable. That's just not, you can't do that for a long and extended period of time. You're going to burn out.
B
Yeah, I was going to say, you know, we always talk about SOC burnout and stuff like that, and, you know, certainly there are a lot of things that go into that, but I can't imagine a 12-hour workday, six days a week, is, like, going to make that better. Admittedly, there are some other things you could do in there too. I'm not saying just time alone is going to lead to burnout. But Steve, I'm curious if you have any thoughts? Our producer, Steve Prentice, jumping in.
D
Yeah, this burnout thing, I mean, it sounds interesting to have a nice big paycheck for doing that kind of work for a while, but how does that affect long term strategy for an organization if you're going to have a churn of people who just can't handle this for more than a six month period? It seems like it's playing with fire with regards to having a reliable group of people to maintain your organization.
A
Yeah, I can jump in there. The one thing is, I think, what we all, being in the industry, try to avoid is the security sine wave: all hands on deck, things like that, everyone killing yourself, and then it dips down again, and then, you know, kind of going this up and down, up and down. And I think that's very frustrating versus trying to get a very balanced, right, plan. So, yep, we can peak up a little bit and we can peak down. And I think playing it out of how you can operate in that rhythm is probably the best thing you can do as an organization.
D
Just one final point, if I may. There's a term in Japanese called karoshi, which means death from overwork. And the Japanese experienced this in the 60s and 70s when they were doing these kinds of hours, and people were just literally dying of heart attacks. And they had to push that, they had to move that back, because karoshi just doesn't help the workforce overall.
B
I also think it's just kind of funny that we are dealing with AI companies that are selling us services that are going to enhance us, right? To allow us to work less. We're worried that AI is going to take our jobs, but also you need to work a 12-hour job to work at one of these AI companies. Just some odd messaging, I think. But, oh, we got a really good comment in here from Michael Vinding: there's also studies showing that your productivity drops drastically when you approach those conditions for a prolonged time. And I would say, like, I don't think it's impossible to design a way, I don't know, 72 hours, but maybe, like, a longer work week. But if you designed the workday to not be like you need to be on 100% doing the exact same thing for 12 hours at a time, that for sure is burnout. I think there are ways you could do it, if you cared about investing in your employees and stuff like that, to not make it completely like grinding people down. But yeah, Michael Vinding, that was kind of where my thoughts were as well. All right, well, before I move on to our next segment, we have to thank our sponsor for today, and that is ThreatLocker. Cybercriminals don't knock. They sneak in through the cracks other tools miss. That's why organizations are turning to ThreatLocker as a zero trust endpoint protection platform. ThreatLocker puts you back in control, blocking what doesn't belong and stopping attacks before they spread. Zero trust security starts here with ThreatLocker. All right, next up here, hundreds of thousands remain exposed in F5 breach. More than 262,000 F5 BIG-IP devices remain exposed online after the company confirmed a breach by nation-state attackers. Those attackers stole source code and data after gaining access to F5's BIG-IP deployment and engineering systems.
F5 said there were no signs of compromise in its financial, cloud or CRM systems, and the theft was limited to customer configuration data. So, Montez, the breach has been privately linked to the China-based threat group UNC5221, which was found to be active in the network for at least a year. Last time I checked, that is a while. Last week on the show, our guests Tom Hollingsworth and Brett Conlon both agreed this would be one to watch. We're getting a further idea of the still-existing footprint and scope of this attack. I'm curious, what's your take?
C
Wow, that is one I absolutely agree with. You know, and just like what you said, you know, being in for at least a year, that is quite a while to check underneath the shorts there, that's for sure. What I sort of go back to, as I think about this, I really, you know, think about just what are we, you know, asking of our security companies? And, you know, is what we're asking appropriate, you know, the level of, you know, the scrutiny and the level of, you know, hey, you know, be up? And just, you know, where are we asking them to solve a problem that is maybe a bit beyond, you know, where their current resources are? And if that is the case, as I answer your question with a question, if that is the case, then how do we, you know, get these vendors to where they need to be? Because, you know, F5 is, you know, no small, insignificant, you know, vendor. And certainly, you know, there were plenty of mistakes made here. I am certain of it. But, you know, being human and all that, and, you know, as we know in our business, we have to be right 100% of the time, which is probably nearly impossible.
B
Yeah. And like you were saying, I mean, F5 is like one of those vendors, one of those companies that you don't think a lot about unless you're dealing with it, but it's almost a default, right? Like when you're talking about the Fortune 500, Fortune 1000 or something like that. I mean, David, how do you, I mean, if you're an organization impacted now, luckily, F5 has already directly contacted impacted customers and stuff like that. So to me, there is a level of transparency here. I think F5 is not dropping the ball when it comes to comms, which we've seen in some other hacks and stuff like that. But like, how do you start to kind of wrap your head around this, David?
A
Well, the one thing that came to mind, which I saw across the community, is as soon as this kind of leaked out, this was published, whatever, everyone got the reminder of Log4j. Hey, hang on. Do we have Log4j? Oh, do we have F5 BIG-IP? Who's got it? Do we have it? Do we not? This is the time again: do you have an asset inventory? Do you have a software inventory, hardware inventory? And knowing what you have is that, hey, are you impacted or not? And it's amazing. I think that's a refresher here. It's been a couple of years since Log4j, right, that people are realizing that, wow, do I have a good inventory? Is it reliable? Do I know I need to patch something or deal with something? And I think that's the friendly reminder that we all got after this case.
B
Yeah, yeah. That is one of those questions where I'm not a cybersecurity professional, I just like to talk with them on a weekly basis. But one of those things where it's like, oh, just knowing what you have is actually an amazing challenge. And once you think about the scope of most large organizations, that would be big, like F5 customers. Yes, they have a lot of things that they need to manage, but just being able to answer that question quickly is such an advantage for these organizations. So, yeah, really great point, David. Thank you for that. Next up here, multiple CISA divisions targeted and shut down in layoffs, according to sources. We kind of led the show with this, but I wanted to dig a little deeper. Several divisions at CISA are allegedly impacted in termination orders issued to the federal workforce on Friday evening. That's according to people familiar with the situation talking to Nextgov. And anecdotally, we've certainly seen, if you've been on LinkedIn, you've probably seen stuff like this. The orders affect staff within the Stakeholder Engagement Division as well as the cyber defense agency's Infrastructure Security Division. We already talked about knowing some people that have been impacted by this. But, David, you know, CISA has been a bone of contention for the current administration, kind of ostensibly rechanneling its mission, its core mission. If these types of terminations occur and continue to occur, I'm curious, what's the backup for people who rely on CISA? We talked about, is it civil organizations? Is it CISOs networking together? Or where are we going here?
A
Yeah, I see this as a continued call to the community. Things like the CISO Series or the CISO society and other communities, the Team8 Villages and others like that, is that we really need to have a place that people can go, is that when you need help, you can call out and there's help there, because especially small to medium enterprises and the SMBs, they're not likely to always have cybersecurity experts or threat intelligence experts and things like that; they need help. I think this community, we need to bond together and kind of help nourish these communities to defeat the common enemy that, you know, we will continuously see for our entire career.
B
I mean, Montez, I mean, community. Listen, as someone who works with the CISO Series, I'm all for, you know, building community and helping them out. Is that, I guess, enough? Given kind of the breadth that CISA had taken on itself over the last eight years across two different administrations.
C
Well, I think it'll have to be. Because, you know, if those roles are no longer filled and that function is no longer done, that is the alternative. And so there are, you know, CISA's mandate and vision and function was, you know, somewhat unique, but there are some small overlaps there, and, you know, such as, like, you know, InfraGard and the various community, you know, working groups that happen to be within the different regions all across the country. And certainly there is no harm in getting together and talking with your peers, having that partnership with, you know, local law enforcement, because there may be some intelligence that they might be able to bring over to you. And honestly, these are, barring the function of CISA being around or not, these are things that we all should be doing anyway. We really should be, you know, talking more often. Which is why, you know, I'll be calling you at 6am sharp tomorrow, Rich.
B
Well, my son is an early bird, so I'll be up on, probably, my second cup of coffee, so no problems there. Montez, this is what I want to know from our community: feedback@cisoseries.com, let us know. I'm genuinely curious. Are you, you know, following with Montez? Are you, you know, working with local law enforcement, doing those community-building efforts? There's a lot of, you know, support, I don't want to say support organizations, but networking organizations, information-sharing organizations. Like, what are you doing? Is there just a killer Slack group that we all need to be part of? If so, send us the invite: feedback@cisoseries.com. That's what we need to know. Real quick, I want to get on this story, because it is the awesomest story of the week, and we've just got to give it some love here. Laser auto cyber attacks emerge. That's not me mushmouthing it. Those are actual words that mean something. Researchers in France have developed a new chip to defend against laser fault injection attacks targeting automotive microcontrollers. Let's just let those words sink into your brains for a second. The chip adds an insulating oxide layer that makes it harder to manipulate circuits with focused laser beams, fricking laser beams, if you will, including attacks that can flip bits or bypass authentication. It also improves cost efficiency and helps automakers meet global cybersecurity standards. We've heard about bit flipping; you talk about Rowhammer attacks on more consumer-level hardware and that kind of stuff. We obviously need this kind of research. Is this anywhere on your risk radar, David? Are you worrying about bit flips from lasers in your car?
A
Absolutely. Now, after the pre-show, getting ready here and listening to Montez, like how he got the Tempest shielding, right, from Brabus on his ride. So I'm like, I'm down with that.
D
Right.
A
That's the only way to go.
B
Right.
A
But at the same time, you know, we've heard about Rowhammer and other things for many, many years, but just like, it's also Spectre and Meltdown, right? Have we really seen this happening? Right? It's possible, technically possible, but it's like winning the lotto or the Mega Play or Powerball. I don't think we need to all get the Brabus customization like Montez. You know, I think we're cool where we are today.
B
Yeah. I don't think this is going to lead to another, like, Kia Hyundai, like being able to, everybody stealing cars, right? Shooting laser beams at microcontrollers. Montez, I mean, your ride's safe, right?
C
Absolutely, absolutely. No, that is, you know, the conditions for this, right, were, you know, obviously very controlled, and, you know, in a lab, you know, the conditions, you know, everything was well known. But I think what really underscores here is the fact, and you talked about it before with, you know, the Kia Hyundai, is that, you know, what it illustrates is the, you know, side channel attacks, right? And I think, you know, security professionals, you know, we don't necessarily forget about that, but sometimes we sort of, you know, put it, you know, to the side, and, you know, not necessarily, you know, I have to think about, you know, reapplying, you know, the Tempest shielding, right, you know, things like that. So it is, you know, something that should be illustrative of our own environments. Just as, like, ah, you know what, yeah, this doesn't apply. But there is a lesson here, and there is something about, you know, side channels that we need to also make sure that we pay attention to.
B
I like Schmooze in our chat: "This auto protected by mirrored Faraday cage."
A
Love it.
B
I think that might impact your gas mileage, Schmooze. That's the only thing I'm going to say. But, and Kevin Farrell, I will not speculate on the effectiveness of your radar detector laser jammer that you allegedly had installed in your vehicle. We don't want to get you in trouble, Kevin. So we'll be cool about that if you're going to be cool about it. Exactly. Well, thanks to everybody that got involved in our chat. I already mentioned Schmooze, Kevin Farrell, Will Andrews pointing out, also, by the way, I love this comment, when we're going back to knowing what you have: it's not just inventory for your company, it's your critical vendors. Hey, that also ties into the AWS story, Will. You're getting it. You're tying it all together. Michael Vinding, just everybody helping make the show a ton of fun. Thanks to everybody for being here, and that includes you, David Cross and Montez Fitzpatrick. Thank you both so much for your time here. David, if people want to follow what you're up to in the cyberspace, where should we send them?
A
You can find me on LinkedIn, of course, and my travel blog, which everyone loves, davidcrosstravels.com. Oh, fantastic.
B
And Montesquieu, in our navigations in this next cyber frontier, where would people find you?
C
Finding me on LinkedIn is the best place. And if you do reach out to me on LinkedIn, just let me know where you're coming from. Like, how did you find me?
B
Yes, yes, we want to know. Both of you can also be heard on some other CISO Series podcasts as well. So if you like what you hear here, search for them on our site and you can find them. I'm sure you've done numerous shows. It's always fun when you are.
A
I'm looking for my record jacket, right? Going more than five times.
B
We can't make a jacket that's better than the icon, the burgundy icon that you usually rock on the show, David. So if, whenever we can, we will. So thank you, thank you both again. And also thank you to our sponsor for today, ThreatLocker. Assume everything is a threat. And another big, huge thank you to our audience today. You know, we can't always get every comment up on the screen. You've got to bring a mirrored Faraday cage. That's the standard of comment that we demand on this show. But thank you all for joining us, for being here. It's a ton of fun. Remember, feedback@cisoseries.com. I want to know, where are you turning? If CISA is no longer able to kind of operate at the level that it was, with staffing or for whatever reason, I want to know, where are you turning as an alternative for that? We will read some of those emails if you join us next week, that is, on Monday, this upcoming Monday the 27th, for our new show, the Department of Know, K-N-O-W. So we're gonna have the same great guests, same great conversations, but we're gonna help you set up your week. It's gonna be your Monday briefing to kind of help you contextualize what these stories actually mean for your work ahead. To learn more about that, go to the events page at cisoseries.com. I'm super excited about it. I will be there. I will be the host of that show. And I hope you will join us for the Department of Know. In the meantime, your signature daily news fix every single day through Cybersecurity Headlines. Give us about six minutes, we'll get you all caught up. For myself, for our glorious producer, Steve Prentice, for Montez and David, and indeed for the entire CISO Series organization, here's wishing you and yours to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – Week in Review: AI Powered Cyberattacks, Chinese Time Hacked, the 72 Hour Workweek
Host: CISO Series
Guests: David Cross (CISO, Atlassian) & Montes Fitzpatrick (CISO, Navis)
Date: October 24, 2025
This Week in Review episode dives into the biggest cybersecurity headlines of the past week, focusing on major stories such as AI-driven cyberattacks, the AWS outage, China’s allegations against the NSA, the intensifying “996” work culture in tech, high-profile breaches, and evolving community responses as CISA faces layoffs. The hosts and veteran guests offer candid, expert insights while maintaining humor and relatability.
Timestamps: 02:12–03:15, 22:51–25:00
Layoffs at CISA (Cybersecurity and Infrastructure Security Agency) and their ripple effect, especially for small and medium enterprises that rely on its expertise.
Both guests underscore the civic-minded, mission-driven nature of CISA employees and the pressing need for the cybersecurity community to unite and fill the upcoming support gap.
“I think this is one of the interesting challenges that we may be facing here in the near future…maybe we need a greater community to kind of help out.” – David Cross [02:12]
Discussion on alternative support models:
“We really need to have a place people can go…especially small to medium enterprises…they need help. This community, we need to bond together and kind of help nourish these communities to defeat the common enemy.” – David Cross [22:51]
“There is certainly no harm in getting together and talking with your peers, having that partnership with local law enforcement because there may be some intelligence that they might be able to bring to you. And honestly…these are things that we all should be doing anyway.” – Montes Fitzpatrick [23:49]
Timestamps: 03:51–08:55
AWS Outage Explained: Major AWS services went down on October 20 when a race condition in the automated DNS management for DynamoDB’s regional endpoint in us-east-1 left that endpoint with an empty DNS record. Everything that depends on DynamoDB, including other AWS services, failed in turn, highlighting how much “critical infrastructure” now rests on a single cloud region.
The guests share real-world impacts (e.g., digital ticketing for football games affected) and reflect on dependency risks.
“This makes you take a step back and say…what if there was something on security I was depending upon at that moment? Would I totally be lost, not have security?” – David Cross [05:38]
“You just can't trust technology. And I think that…we aren't really just focused in on one particular stream…that's on, you know, incumbent upon us to ensure the availability of our systems…and that may mean diversification.” – Montes Fitzpatrick [04:52]
Is AWS “Critical Infrastructure”?
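The race behind the outage is easier to reason about in code. What follows is an added example, not code from AWS or from the podcast: a deliberately simplified Python model in which a delayed enactor applies a stale plan over a newer one, and a subsequent cleanup of “old” plans deletes the record set that is actually live, leaving the name with an empty answer. The same replay with a monotonic version check on apply keeps the newer record. The planner/enactor/cleanup roles, the plan numbering and the RFC 5737 addresses are assumptions of the model, shaped by the publicly described failure mode rather than by AWS’s implementation.

```python
"""Added example (not AWS's code or the podcast's): a simplified model of a
last-writer-wins race in an automated DNS record manager, and the
monotonic-version check that prevents a stale plan from being applied.

Constructed scenario: a planner emits numbered plans for one endpoint name,
several enactors apply them, and a cleanup step deletes record sets that
belong to plans older than the newest plan the enactor knows about.
Addresses are RFC 5737 documentation IPs (constructed sample data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Plan:
    version: int           # generation number, increases with every planner run
    addresses: List[str]   # addresses the endpoint name should resolve to


@dataclass
class DnsZone:
    """Per-plan record sets for one endpoint name; the live answer is the
    record set of the most recently applied plan."""
    records: Dict[int, List[str]] = field(default_factory=dict)
    live_version: Optional[int] = None

    def resolve(self) -> List[str]:
        """What a client would get back; [] models an empty DNS answer."""
        if self.live_version is None:
            return []
        return list(self.records.get(self.live_version, []))


class Enactor:
    def __init__(self, zone: DnsZone, check_version: bool) -> None:
        self.zone = zone
        self.check_version = check_version

    def apply(self, plan: Plan) -> bool:
        """Write the plan's record set and make it live. With check_version
        the enactor refuses any plan that is not newer than the live one."""
        z = self.zone
        if (self.check_version and z.live_version is not None
                and plan.version <= z.live_version):
            return False               # stale plan: reject instead of overwriting
        z.records[plan.version] = list(plan.addresses)
        z.live_version = plan.version
        return True

    def cleanup(self, newest_version: int) -> List[int]:
        """Delete record sets of plans older than newest_version. Without the
        apply-time check the live record set can be among them, which leaves
        the name with no answer at all."""
        deleted = [v for v in self.zone.records if v < newest_version]
        for v in deleted:
            del self.zone.records[v]
        return deleted


def simulate(check_version: bool) -> List[str]:
    """Replay the interleaving: a fast enactor applies the newer plan, a slow
    enactor then applies the older plan it picked up earlier, and the fast
    enactor runs cleanup. Returns what the endpoint resolves to afterwards."""
    zone = DnsZone()
    slow = Enactor(zone, check_version)
    fast = Enactor(zone, check_version)
    old_plan = Plan(version=1, addresses=["192.0.2.10", "192.0.2.11"])
    new_plan = Plan(version=2, addresses=["192.0.2.20", "192.0.2.21"])

    fast.apply(new_plan)                              # plan 2 goes live
    slow.apply(old_plan)                              # delayed plan 1 arrives (the race)
    fast.cleanup(newest_version=new_plan.version)     # delete everything older than plan 2
    return zone.resolve()


if __name__ == "__main__":
    print("last-writer-wins :", simulate(check_version=False))   # []
    print("version-checked  :", simulate(check_version=True))    # ['192.0.2.20', '192.0.2.21']
```

The point of the model is that neither step is wrong on its own: applying a plan and deleting superseded plans are both routine. The failure needs the two steps to disagree about which plan is newest, and the fix is to make that ordering explicit at the point of writing rather than relying on enactors finishing in the order they started.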
Timestamps: 08:55–11:29
China’s Ministry of State Security accuses the NSA of hacking its National Time Service Center, whose timing signals underpin telecommunications, finance, power and other national infrastructure. The hosts note the potentially massive consequences of tampering with a national time source, but also the cyclical, tit-for-tat nature of these accusations.
“There are spies, there’s activities, there’s some stealth activities, and sometimes they get exposed…this is what governments do to plan for various things in the future.” – David Cross [09:50]
“It is sort of funny…that this was an accusation levied against us just after we levied an accusation against China…everybody’s doing a little of everything.” – Montes Fitzpatrick [10:34]
The incident underscores how cyber has fully entered the geopolitical toolkit and acts as a signal of capability, not just an operational threat.
Timestamps: 11:29–16:12
The Rise of “996” in the US: The infamous Chinese tech work schedule (9 a.m. to 9 p.m., six days a week, a 72-hour week) is reportedly spreading to US startups, especially in AI, semiconductors, and quantum computing.
The guests debate whether CISOs or security teams could—or would—adopt such a grueling schedule, touching on compensation, burnout, and organizational risk.
“Wow. 72, wow, what a dream that would be…You make a choice…Is the 100 hour workweek worth a million dollar bonus or not?” – David Cross [12:51]
“There’s a risk-reward if you are duly compensated for the extra time...but unless you are entrepreneurial in spirit, that’s not just something that can be really tractable…You’re going to burn out.” – Montes Fitzpatrick [13:53]
“There’s a term in Japanese called karoshi, which means death from overwork…and they had to move that back because karoshi just doesn’t help the workforce overall.” – Steve Prentice (producer) [15:52]
Studies and personal experience emphasize that productivity and sustainability collapse under constant overwork, making these approaches risky not just for individuals but for organizational strategy as well.
Timestamps: 17:14–21:19
F5 BIG-IP Breach: F5 disclosed that a nation-state actor (attributed to China in press reporting) had long-term access to its BIG-IP product development environment and engineering knowledge-management systems, and exfiltrated portions of BIG-IP source code along with details of undisclosed vulnerabilities. Scans after the disclosure found more than 262,000 BIG-IP devices exposed to the internet. Exposed is not the same as compromised, but every one of them is a candidate for the patch-and-verify work that CISA’s emergency directive on F5 devices requires of federal agencies.
The breach echoes previous large-scale incidents (e.g., Log4Shell in Log4j), triggering “do we have this?” questions across organizations and underscoring how hard it is to keep an asset inventory that can say, within hours, which devices run which product and version.
“Being in for at least a year, that is quite a while to check underneath the shorts there, that’s for sure…are we asking [security companies] to solve a problem that is maybe a bit beyond…their current resources?” – Montes Fitzpatrick [18:38]
“This is the time again. Do you have an asset inventory? Do you have a software inventory, hardware inventory?...And I think that’s the friendly reminder that we all got after this case.” – David Cross [20:39]
Guests praise F5’s transparency and communications post-breach.
Timestamps: 25:00–28:30
Laser Fault Injection Attacks: French researchers propose adding insulating oxide layers to automotive chips to blunt laser fault injection, in which a focused laser pulse on the exposed die momentarily flips transistor states so that, for example, a signature check during boot is skipped. The story brings sci-fi-like intrigue and a reminder of practical risk management: the attack requires physical possession of the device and lab equipment, so for most threat models it ranks well below remote exploitation.
Both guests keep the tone light but use the story to underscore the need to keep physical fault-injection and side-channel attacks on the threat-model list, even when they are rare or esoteric.
“Have we really seen this happening? It’s possible, technically possible…but it’s like winning the lotto…I think we’re cool where we are today.” – David Cross [26:50]
“What it illustrates is the side channel attacks…I think, you know, security professionals…we don’t necessarily forget about that, but sometimes we sort of, you know, put it to the side…” – Montes Fitzpatrick [27:29]
On AWS Outages:
“Would I totally be lost, not have security? …What if there was something on security I was depending upon at that moment?”
– David Cross [05:38]
On Work/Life Balance:
“You make a choice…Is the 100 hour workweek worth a million dollar bonus or not?”
– David Cross [12:51]
On Burnout & Company Strategy:
“How does that affect long term strategy for an organization if you’re going to have a churn of people who just can’t handle this for more than a six month period? It seems like it’s playing with fire…”
– Steve Prentice [15:04]
On Laser Fault Injection Attacks on Automotive Chips:
“It’s possible, technically possible… but it’s like winning the lotto…”
– David Cross [26:50]
The conversation is candid, smart, and occasionally irreverent, balancing serious insights with a touch of industry in-jokes and banter. Key takeaways include:
Find the full episode and more at CISOseries.com