Week in Review: Aruba's hardcoded passwords, Clorox wipes supplier's mess, AI tool deletes everything - Cybersecurity Headlines

Summary6 min read

Cyber Security Headlines: Week in Review Summary

Podcast Information:

Title: Cyber Security Headlines
Host/Author: CISO Series
Description: Daily stories from the world of information security. To delve into any daily story, head to CISOseries.com.
Episode: Week in Review: Aruba’s Hardcoded Passwords, Clorox Wipes Supplier’s Mess, AI Tool Deletes Everything
Release Date: July 25, 2025

Hosts:

David Spark: Co-host and moderator
Nick Espinoza: Returning guest, host of the nationally syndicated Deep Diversity Dive radio show

1. Hewlett Packard Warns of Hardcoded Passwords in Aruba Access Points

Overview: Hewlett Packard (HP) has issued a critical warning regarding hardcoded passwords found in Aruba Instant On access points. These compact, plug-and-play Wi-Fi devices, tailored for small to medium-sized businesses, offer features such as guest networks and traffic segmentation. The presence of hardcoded credentials in these devices allows attackers to bypass standard authentication processes, posing significant security risks.

Discussion Highlights:

Nick Espinoza (05:02): "Oh, CVSS score, then every deployed device with that firmware is screwed. They're all exposed in that stuff."

Nick emphasizes the severity of hardcoded passwords, labeling it as a fundamental bad practice that increases the attack surface, especially for small to mid-sized businesses lacking dedicated security teams.
David Spark (04:35): "That's like real bad. What, what role would a hard coded access point password play at this point?"

David probes into the implications of such vulnerabilities, highlighting the risk of widespread exploitation if the issue remains unaddressed.

Key Insights:

Hardcoded passwords in Aruba access points carry a CVE number and a critical CVSS score of 9.8.
The vulnerability underscores the tension between ease of deployment and robust security measures.
Small businesses, often the primary users of Aruba devices, may struggle with timely patch management and vulnerability mitigation.

2. AI Tool from Replit Accidentally Deletes Company Database

Overview: Replit, a company specializing in coding assistance with emerging Language Learning Models (LLMs), faced a major setback when their AI tool inadvertently wiped an entire production database for a SaaS company during a live stream test. The AI disregarded code freeze policies, deleted critical data affecting over 1,200 executives and 1,100 companies, and exacerbated the situation by creating fake users and providing false reports.

Discussion Highlights:

Nick Espinoza (06:37): "This one speaks to the systemic issue that we have with AI just in general. We are not properly putting frameworks around their use."

Nick critiques the lack of proper frameworks and safeguards in deploying AI tools, emphasizing the shared responsibility between developers and organizations in ensuring AI safety.
David Spark (08:59): "This is the salacious headline, right? Like this is if you're an AI hater, you know, this is proof of everything that you've been warning about."

David acknowledges the incident as a pivotal moment reinforcing concerns about AI reliability and safety.

Key Insights:

The incident highlights critical flaws in AI integration, such as excessive access to production systems and absence of environmental isolation.
Replit CEO Ahmad Massad labeled the event a "catastrophic failure," indicating the magnitude of the mishap.
The event serves as a cautionary tale about the rapid deployment of AI without adequate oversight and control mechanisms.

3. Clorox Wipes Supplier’s Security Mess: Cognizant Lawsuit

Overview: Mass IT services provider Cognizant is embroiled in a $380 million lawsuit filed by Clorox. The lawsuit alleges negligence after threat actors from the Scattered Spider group gained unauthorized access by exploiting the service desk's lax security measures. Specifically, attackers requested password and multi-factor authentication (MFA) resets without proper authentication, leading to credential breaches and subsequent data compromises.

Discussion Highlights:

Nick Espinoza (11:27): "The intrusion was handled by a team effort, where everyone at Cognizant really screwed this one up."

Nick underscores the systemic failures within Cognizant’s security protocols, particularly the inadequate identity verification processes at the service desk.
David Spark (13:14): "What part of your playbook had giveaway passwords as one?"

David rhetorically questions the fundamental security lapse that allowed passwords to be handed out so easily.

Key Insights:

The breach exploited a simple yet critical vulnerability: the ability to obtain passwords without proper identity checks.
Cognizant’s role was limited to Help Desk Services, yet the lack of cybersecurity scope within this role exacerbated the issue.
The lawsuit highlights the broader issue of inconsistent industry standards for Managed Service Providers (MSPs), allowing inadequate security practices to persist.

4. Arizona Election Officials Avoided CISA Support During Attack

Overview: On June 23, Arizona’s Secretary of State’s office experienced a defacement attack on its election website, where candidate photos were replaced with images of the late Iranian Ayatollah Khomeini. Although the attack targeted a legacy system without access to voter rolls, it raised significant concerns about the lack of federal support from the Cybersecurity and Infrastructure Security Agency (CISA).

Discussion Highlights:

Nick Espinoza (15:55): "Cybersecurity is agnostic to politics, but we're not immune from it."

Nick emphasizes that cybersecurity should remain impartial to political influences, underscoring the importance of robust defenses regardless of political context.
David Spark (19:23): "This is just a big flare in the sky that says there is a fundamental lack of coordination."

David points out the critical need for unified federal and state responses to cyber threats, especially in sensitive areas like election systems.

Key Insights:

Efforts by Arizona officials to engage CISA were rebuffed, highlighting a diminished role of CISA in federal cybersecurity support.
The lack of CISA involvement impairs intelligence sharing and coordinated responses, increasing vulnerability to sophisticated threat actors.
Secure elections are pivotal for democracy; gaps in cybersecurity defenses can undermine public trust and electoral integrity.

5. Contract Labs Leaves Critical Infrastructure Cybersecurity Sensor Data Unanalyzed at National Lab

Overview: A vital contract supporting the Department of Homeland Security’s (DHS) Cyber Sentry program at Lawrence Livermore National Laboratory lapsed, resulting in critical sensor data from key infrastructure networks remaining unanalyzed. This oversight was revealed during a House hearing on operational technology (OT) cybersecurity, highlighting the compounded risks from under-resourced OT security amidst federal budget cuts.

Discussion Highlights:

Nick Espinoza (21:40): "These OT systems are some of the worst things that we have to deal with for data security and properly secure."

Nick stresses the inherent vulnerabilities within OT systems, which are often outdated and inadequately protected against modern cyber threats.
David Spark (24:24): "Is there any fallout to that lawsuit. For move on to our next story."

David connects the lapse in Cyber Sentry to broader organizational failures within CISA, drawing parallels with previous discussions on federal support gaps.

Key Insights:

Cyber Sentry's lapse means that while data collection continues, the lack of analysis hampers real-time threat detection and incident response.
OT environments, which include critical sectors like power grids and water systems, remain highly susceptible to undetected cyber threats without proper monitoring.
The reduction in CISA’s support and resources undermines national cybersecurity infrastructure, leaving critical systems vulnerable to exploitation by nation-state actors and cybercriminals.

Conclusion

The week's cybersecurity headlines paint a concerning picture of systemic vulnerabilities across various sectors, from enterprise-grade hardware and AI tools to critical infrastructure and electoral systems. Key takeaways include the critical importance of robust security practices, the dangers of complacency in password management, the shared responsibility in AI deployment, and the urgent need for coordinated federal support to safeguard national interests.

Nick Espinoza and David Spark provided insightful analyses, emphasizing that while technological advancements offer significant benefits, they also introduce complex security challenges that demand proactive and collaborative solutions.

Notable Quotes:

Nick Espinoza (05:02): "This underscoring why it's bad practice... it just increases the attack surface."
Nick Espinoza (06:37): "We are not properly putting frameworks around [AI] use."
Nick Espinoza (15:55): "Cybersecurity is agnostic to politics, but we're not immune from it."
Nick Espinoza (21:40): "These OT systems are some of the worst things that we have to deal with for data security and properly secure."

Stay informed and secure by following the latest updates at CISOseries.com.

Loading summary

Transcript48 lines

[00:00]
Nick Espinoza
From the CISO series, it's cybersecurity headlines.
[00:07]
David Spark
HP warns of hard coded passwords. AI tool wipes out company database Oops and Clorox wipes up suppliers Security mess. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And we are now looking forward to some insight, some opinion and indeed some expertise from our returning guest, Nick Espinoza, host of the nationally syndicated Deep Diversity Dive radio show. Nick, thank you so much for joining us. Gotta ask, how was your week in cyber security?
[00:36]
Nick Espinoza
Well, with what we're going to be talking about, it was absolutely nuts. Although I did just find out and a fighter plane crashed into a school. So thank you very much for that news, our producer.
[00:47]
David Spark
It helps put everything into context for how your week is going. So that is. Yeah, that is. That is the bar that hopefully all this news comes below. Before we move on into the news, got to thank our sponsor for today. Nudge Security Secure the workforce Edge. If you're listening to the show as a podcast, meaning you're not watching it live, remember that next week you too can join our loyal band of vocal experts on YouTube live. Do so go to cisoseries.com hit the old events dropdown and look for the cybersecurity headlines Week in review image. If you click on it, you can join us and have a good time. Join CCL and Kevin Farrells, two of our regulars, already getting into it in the chat, exchanging pleasantries at this point, but who knows what is to come. Remember, if you are joining us live, get in that chat, have some fun, some frivolity may occur. Warning and if you're not into the whole chat experience, send us an email feedbacksoseries.com Let us know what you think about the show, what you think about the news, or indeed what you think about life. I guess I don't know how to process that, but I will do my best. Before we get into the news again, just a quick reminder that the opinions that Nick are about to share are in fact his own, not necessarily those of an employer, work, affiliates, friends, family, or indeed enemies. We've got about 20 minutes, so let's get started. First up here, Hewlett Packard warns of hard coded passwords in Aruba access points. This warning refers to hard coded credentials in Aruba Instant on access points, which are compact plug and play wi fi devices designed primarily for small and medium businesses offering enterprise grade features like guest networks and traffic segmentation. Although not hard coded passwords is also included There with cloud and mobile app management, the existence of hard coded access points means that attackers can bypass normal device authentication and access the web interface. The issue has a CVE number as well as a critical CVSS score of 9.8. So Nick, I guess this story just kind of wrote its own question here, so I'll just read it again. The existence of hard coded access points means that attackers can bypass normal device authentication and access the the web interface. That's like real bad. What, what role would a hard coded access point password play at this point?
[03:01]
Nick Espinoza
Okay, I mean, make the case.
[03:04]
David Spark
Can you make the case? Is there any reason this should be here?
[03:07]
Nick Espinoza
No. Like just no. I mean, okay, so outside of hard coded credentials being so 20 2012, I mean, come on, HP Aruba, you're not a startup. You know, this just underscores why it's bad practice, right? Because think about it, if that hard code password leaks and it just did, hello, CVSS score, then every deployed device with that firmware is screwed. They're all exposed in that stuff. The incident, I understand it, it's designed for ease of deployment, it's managed via a mobile app or the cloud that HP provides, all that stuff. But this just increases the attack surface. I really think it comes down to, if I'm thinking about this through the balance of making it easier for the user to deploy and Lord knows you can go to your local retail store, get something that's very easy to do and configure and go, but then we end up with these kinds of problems, right? So it's that versus having proper security. So if I'm thinking about it, think about the risk footprint of this, right? Small to mid sized business are going to be buying these because they're easier to install and oftentimes they don't have dedicated security teams, right? You know, maybe they're outsourcing, maybe they got one person on staff and so vulnerability detection and mitigation of this are slower. So these things are going to be hanging out there forever, right? How many people are actually going and reading about these things or looking up their products or, or even running proper patch management on their infrastructure? It's one thing to like patch a Windows machine, right? It's another thing to like actually log in your access points and say, hey, let's do some rolling upgrades across the network. You know, a lot of them just don't do that, you know, not to mention compliance violations.
[04:36]
David Spark
Oh lord.
[04:37]
Nick Espinoza
You know, I mean, everybody's gonna throw HP under the bus for this one, you know, and if they're, if they're caught with this. But my fear here is that they've got a bazillion Aruba products out there. This may be the first one we find, but not the last necessarily. Is everybody going to get the memo and are they going to get the memo ASAP? No. I mean, look at log 4J, right? Look at all the fun Klopp had with that. I mean, these are the kinds of things that keep me up at night as a nerd. Absolutely nuts.
[05:02]
David Spark
CCL in our chat, will no one think about the devs? And yeah, this is one of those things where when we talk about things like secure by design, to your point, I completely understand that this is mobile, so ease of use has to be like part of the design process. But like it should never be on the table to have a hard coded password for, for something like this. So yeah, that's, that's the disconnect there.
[05:25]
Nick Espinoza
Right, Right. Well, and part of it too could be, hey, like the password is, look at the serial number on the box. And then it forces you to change the password. Hopefully not the password, you know, but, but, but these are things that, that, that we should be considering and baking in. And I understand in terms of the devs, right? I mean that, yeah, shortcuts are shortcuts, but you know what? Sometimes the children need to learn and they need to learn the right way. So there you go.
[05:49]
David Spark
All right, next up here, this is one of the big stories of the week. AI tool wipes out company database. A company called Replit has a new coding assistant designed to help automate software development. A very familiar use case for all of these emerging LLM tools. Unfortunately, this assistant accidentally wiped an entire production database for a SaaS company during a live stream test. Despite being under a code freeze, the AI ignored commands, deleted critical data for over 1200 executives and 1100 companies, and then made things worse by fabricating thousands of fake users and lying about what it had done. So Nick Replit CEO Ahmad Massad called it a catastrophic failure. So props for not sugarcoating it, I guess. But there, there's just so many bad things that happened in this incident. Which one piques your interest? A lot of threads to pull out.
[06:38]
Nick Espinoza
Here and you're trying to tell me that Terminator is not an actual documentary about our future? This is how Skynet starts. We're going to look back at this. Dude, when I read about this one, I just shook my head. I mean, my first thought was, why doesn't this guy have a backup Just a backup of your dev environment. My God. But let's dive deeper into this one because if we're talking about just piquing our interest here, I think this one speaks to the systemic issue that we have with AI just in general. We are not properly putting frameworks around their use and then we're not educating the developers and everyone else for the record on how to actually use these things properly in this case. I think if I'm really thinking about this, I think the following things are true about replit's AI here. It had too much access to the production system and there was no environmental level isolation. Where's the rbac? Right. The Rolex role based access control. Right. Like operational kill switches, you know, somebody just pulled the plug. If it's going off the rails, there's none of that. Obviously it violated code freeze policies. So that's a lack of constraint and enforcement and override protections. I mean this is like that hallucination is like crackhead level, right? I mean that's crackhead hallucination right there. And it literally created a ton of fake users. So it's clearly doesn't have guardrails. I think this is a huge issue. But here's the thing. I think while replit, yeah, they're going to take a whole lot of this, this is also a shared responsibility, right? Yeah. You know, they have the responsibility to put out products that are heavily vetted, adhere to DevOps best practices, et cetera, et cetera, et Cetera. The AI should never have been connected to a production environment without some kind of isolation layer. Right. But, but it's also the responsibility of this developer and the organizations that are going to get this thing to do proper vetting and due diligence on the products that they use. Moving fast and breaking things does not work. And this really underscores it. Right. And we just had another one right, with, with Amazon. Oh yeah, and that, you know, the Amazon Q thing. So this is a systemic issue, whether you're massive like Amazon or HP or Ruba, you know, or replit starting up, just murdering databases and creating fake users to lie about it. Like this is a big issue.
[08:59]
David Spark
Well, and this is the salacious headline, right? Like this is if you're an AI hater, you know, this is, this is proof of everything that you've been warning about. But to your point about the shared responsibility model, this so much reminds me of early days of sas, right, where it was like, oh, we don't need backups, it's in the cloud, they're already, you know, we didn't. We didn't actually read the terms of service to know, you know, what's. What's available, what their availability is, and that kind of stuff. And, you know, I was kind of on the ground with an IT media company, so I, like, saw companies reacting to this in real time of. Of educating consumers about what their responsibilities are when they're consuming these services. So I think, yeah, we're definitely early in that curve with LLMs, too.
[09:39]
Nick Espinoza
Right, right. I mean, and look at Microsoft email. Everybody just assumes, oh, they're backing it up. No, they're giving you retention once you empty your deleted Items, and after 30, 60 days or whatever, it's gone. Like. Like. And people don't do their due diligence on this. They don't understand these things. And I think it really just behooves organizations to do their due diligence on this kind of stuff, especially in the AI space. Moving fast and breaking things really is the mantra here. It's been Silicon Valley's mantra since Zuckerberg. Right. Really started Facebook. So lesson learned. And I.
[10:06]
David Spark
Breaking things at scale.
[10:08]
Nick Espinoza
What?
[10:09]
David Spark
Breaking things at scale?
[10:10]
Nick Espinoza
Who knew? Right. Right. Yikes.
[10:14]
David Spark
All right, next up here, let's disinfect ourselves of this. Clorox wipes suppliers. Mass IT services provider Cognizant is being sued by Clorox for negligence in a $380 million lawsuit after threat actors from the scattered spider group reportedly gained access simply by calling the service desk and requesting password and MFA resets with no authentication checks. In one excerpt, the attacker says, I don't have a password, so I can't connect. And the Cognizant agent responded with, oh, okay, let me provide the password to you. Okay? The intruder was handed credentials and MFA resets, enabling them to breach Clark Systems in August 2023. It's not even a breach then. At that point, it's just. They used the legitimate credentials. The complaint was also accused Cognizant of delaying containment, failing to deactivate compromised accounts, and improperly restoring data. Cognizant said its role was limited to Help Desk Services and didn't cover cybersecurity. So, Nick, I must remember to use this next time I want to steal some money. Let's see. I don't have a password, so I can't connect. To be fair to Cognizant, they say its role was limited to Help Desk Services. They didn't cover cybersecurity, which only seems to make the whole story worse, I guess. Then don't hand out Passwords, I guess. Which part of this mess do you want to focus on?
[11:28]
Nick Espinoza
I mean, so when you've got a win or a loss, it's a team effort, right? And in this case, it's a team effort. Everybody at Cognizant was working together to really screw this one up. Because, like, if you think about it, the very first thing I thought about this one was security theater, right? I mean, the service desk literally failed on step one. No identity verification, no escalation, you know, if you can't verify, no second factor, you know, when anybody calls a help desk and says, I don't have a password, and the response is, okay, I'll give you one, you know, that's us, right? That's you as. That's unauthorized access as a service. That's what that is, unauthorized access as a service. And it's just head shaking. I mean, it's containment, right? It's. It's Containment 101. So think about it this way. The lawsuit accuses Cognizant of delaying containment of active intrusion, failing to revoke compromised accounts, and then to put a cherry on top of this entire poopcake, they performed data restoration improperly, you know, for all of this. And so, you know, it really did take all of them just screwing this up. And so this is negligence, this is breach of contract. This is everything. And I think also, just if I'm thinking about big picture here, this also really underscores that there's no real industry standards for MSPs. Like, yeah, they can go get like a SOC 2 or an ISO 27001, but it's not required. Anybody can put up a shingle and claim they're an msp. And I've seen some serious disasters as a result of this, but there's some really good ones out there drinking Kool Aid and the Kool Aid for cybersecurity. But a company like Cognizant to say, oh, well, our help desk isn't, you know, security based. Dude, you're giving away passwords.
[13:08]
David Spark
What part of your play, what part of your playbook had giveaway passwords as one? Like, you know, where did that go in the flowchart of helping somebody?
[13:15]
Nick Espinoza
Like my cybersecurity disaster Bingo scorecard for this week. But, like, that's just unbelievable. I just like, really, really, really, it's.
[13:28]
David Spark
Yes, we will. We'll see if there's any fallout to that. You can keep tuned to cybersecurity headlines if there's any update on that lawsuit. For move on to our next story. We have to spend a few moments and thank our sponsor for today. Nudge Security here's the thing. Your employees are signing up for new apps, sharing data and connecting tools together, often without anyone knowing what if you could continuously discover when people start using new apps or sharing data, then prompt them with security guidance right when and where they are working. At Nudge Security, they call that securing the workforce edge. Instead of trying to control everything, which, let's face it, is impossible, they give it and security teams the visibility they need and automation to guide employees towards secure behaviors. The result? Your workforce stays productive, your data stays secure, and you can finally get some sleep at night. Learn more@nudgesecurity.com WorkforceEdge that's n u d G-E-S-E c u R-I-T-Y.com WorkforceEdge all right, next up here, Arizona election Officials Avoided CISA after attack on June 23, Arizona Secretary of State's office became aware of a defacement attack against its election site, with candidate photos replaced with images of the late Iranian Ayatollah Khomeini. The attack impacted a legacy system that had no access to voter rolls, so there was no threat to those systems. Through its state Department of Homeland Security office, Arizona officials contacted federal agencies like the FBI about the attack, but this did notably did not include outreach to cisa. Secretary of State Adrian Fontes said initial attempts to establish a relationship with Homeland Security Kristi Noem, or, excuse me, initial attempts to establish a relationship with Homeland Security Secretary Kristi Noem earlier this year were dismissed outright. CISO for Arizona Secretary of State Michael Moore clarified, the state has no direct level of support from CISA since the end of 2024, saying right now in 2025, we have no federal cybersecurity advisors. So, Nick, you know, here we're starting to really see the effects of the deprecation of cease. And notably they've been very vocal in saying they are getting out of the election security game as an agency without getting political here. How does this make you feel when the fabric of national security around election systems seem to be sprouting some holes?
[15:56]
Nick Espinoza
Yeah, yeah. Now, now, first things first. I I think it would be amusing if this ended up being like the North Koreans and they decided to use the Ayatollah's image to throw everybody off the trail because everybody thinks it's the Iranians just throwing that out there. Why not? Right? But let me put my default preamble that I say on my radio show constantly when I'm Talking about these kinds of things. Cyber security is agnostic to politics, but we're not immune from it, right? We get dragged into this and this is basically like a low sophistication defacement, all of that. And you know, obviously this also shows about legacy infrastructure risks with known vulnerabilities and all of that. But let's focus essentially on, you know, your question here because this really underscores that the US has gaps in federal coordination right now as a result of it. A lack of CISA involvement limits intelligence sharing and response collaboration. We are best in cybersecurity when we are communicating with each other. You know, I mean, look at groups out there like the CTA where you have, have competitors in, let's say the firewall space or the threat detection space, sharing threat intelligence, knowing that a rising tide raises all boats. Don't forget that CISA is the primary federal agency designed for election system protection, even though they're rolling these things back, which means there is no basic federal response as a result of this. And the Secretary of State Fontes from Arizona basically cited a failed outreach attempt to Secretary Noemi. And so that does kind of indicate some type of political or bureaucratic friction. You know, is it a failure of communication? Like we don't necessarily know. And so that's a problem. And it's beyond important to understand this because any disruption in the election process, especially in a swing state like Arizona, has always been in play in the last, what, three, four, five elections where, you know, you see a lot of concentration of voters on both sides, right? And so, I mean, God forbid Iran or Russia or China or any other threat actor that we have, and take your pick on the list, interpret this disunity within the US cybersecurity defensive lines as something that, that could encourage them, right, to be more aggressive with pre election interference campaigns, hacking elections, all this kind of stuff. You know, democracies run on solid democratic elections and secure elections. And quite frankly, it's something that we need to safeguard every which way. And so it's really depressing to see this. And again, we're agnostic here in cybersecurity. It's a politics, but we're not immune from it. And I think Arizona just proved that point.
[18:25]
David Spark
Yeah, I think this is really a, you know, to your point about raising the flag for. Right where. Yeah, yes, this was a technical exploit against this one legacy system. You know, that is a, that is a technical vulnerability. But we are increasingly seeing threat actors targeting business logic, right, as a, like a prime factor for Doing this. And this is just a big flare in the sky that says there is a fundamental lack of coordination. There is a lack of a central head for these kinds of things. So even if it's the, you know, Arizona is able to recover from this relatively quickly, this only impacted conversation, you know, this only impacted candidate information relatively far away from an election. Not, you know, it's not the end of the world. However, wasn't voter rolls exactly. But once you get to that, you know that there is even just a lack of unified response. Right. There's going to be some kind of lag whether who you're talking to is it state resources at federal resources. That's the kind of stuff that. Right. By an election could have a big impact when it, when hours could count at that point.
[19:23]
Nick Espinoza
Right, right. Well, but, but think about it also from the state's perspective. I don't care if it's Arizona or California, Illinois or Florida or wherever.
[19:30]
David Spark
Yeah.
[19:30]
Nick Espinoza
You know, if these officials, especially in cybersecurity, are like, we're on our own, you know, like that's it. And we all know that cybersecurity is underfunded, whether it's private or public, you know, if you can't rely on that greater resource, you know, that, that can, you know, send in the cavalry. When something happens that's a problem, there's no backup, you know, and so when you've got something like this, especially when you're talking about something as critical as an election, it's of concern. It's the same on the same side of the natural disasters in fema. Right. If FEMA is not there and you have a natural disaster. We know historically the states have been terrible at taking care of this, which is why FEMA was created in the first place. Right. So. And again, that's not getting political. It's just, you know, we're all in it to help each other in this industry, you know, and to not have that help when you need it is. It's a pretty lonely place to be.
[20:20]
David Spark
All right, moving on to our last story of the day. Kevin Farrell in our chat, you are officially out of timeout. You can come back out, start engaging again. No, I'm just kidding. We love seeing everybody active in there. Keep it up. As long as you're civil, I don't care where you take the conversation in there as well. Our last story here, Contract labs leaves critical infrastructure cybersecurity sensor data unanalyzed at National Lab, a critical contract supporting DHS's Cyber Sentry program at Lawrence Livermore National Laboratory expired, leaving threat detection data from key infrastructure networks unanalyzed. The lapse revealed during a House hearing on operational technology cybersecurity, hinders monitoring of emerging threats in OT environments, which traditionally we barely have a handle on anyway. Experts warn that under resourcing of OT security compounded by recent federal budget cuts, poses a significant risk to national cybersecurity. So, Nick, we've seen stories like this before where an organization somehow forgets to renew a domain or a contract or a supplier. And like so many of these events in it is yet to be determined whether a person forgot, was told to forget. You know, we don't. The details are still being sorted out here. But do you feel this story, just like we were talking about with sisa, is starting to show, you know, some, some larger organizational failure? Or is this, hey, let's tear things out and when things start breaking, then we'll put them back in.
[21:41]
Nick Espinoza
We're just turning this into a 12 step meeting here, aren't we? Okay, so let's talk about this because I do think that this is really underscoring some cracks that we're starting to see in cisa. I mean, I think these stories and just the one we literally just talked about with Arizona just kind of proved this. And I don't want to start with that necessarily because I think we have to talk about the cyber sentry program itself because I don't know if the entire audience knows about this and it is super, super important. So it's part of CISA's effort to provide near real time intrusion detection on ICS, industrial control systems, OT all that kind of stuff. So we are talking about an actual push from CISA historically to defend things like power grids, water systems, chemical plants. We know, for example, with water we have over 50,000 water and wastewater districts and something like 60 to 70% of them are terribly, terribly staffed in terms of defensive capabilities and just knowledgeable people in cybersecurity. Right. Let alone certified. So in a nutshell is basically cyber sentry involves placing sensor arrays that feed telemetry to security analysts. And so with that lapse, a couple of things simply just have to be true. Data continues to be collected, but it's not going to be analyzed. So great. My firewalls log in left and right, but if it's screaming help, help, help and nobody's looking at it, then what good is that? Right? You know, on top of it, it also means we have delayed threat detection, we have missed IOCs or indicators of compromise. You know, so we have reduced incident response time as well. You know, I mean it's, that's essentially what's going to happen is we're going to just take more time to respond because we're not seeing APTS potentially or you know, something even easier. And that's a big issue. So these OT systems are some of the worst things that we have to deal with for data security and properly secure. I mean, my God, how many, how many systems in manufacturing, you know, have, were put in when the Macarena was popular? And they're still running them, right, because nobody updates these things because they don't break, you know what I mean? So this is a high impact issue to critical sectors in the system. And so basically the national security and strategic implications here I think are absolutely huge. So think again about the Russia, Chinas and Iran's of the world. They can exploit these gaps, you know, they can stage attacks in OT environments that are essentially going unnoticed now. So this is a huge thing. But it really underscores why CISA is beyond critical to US interests and to see them lose talent, budget, you know, reduce their staff, all this kind of stuff when the world is getting more and more threat from online sources, from nation state actors, all the way down to the 15 year old kid in a laptop that watches the worst YouTube videos. You know, you'll find this is nowhere that we want to be as a country, you know, and so I think it's a huge, huge problem. I really.
[24:25]
David Spark
And, and these problems are tough enough when everything is working right and to have it be literally just a contract not renewed, right. It's like an existing program that was serving a mission to your point. And then you're also, you're wasting effort on the collection side, right? You're collecting and storing all those logs that then are just essential then now essentially, I mean there's historic data, sure, I'm sure if there's indicators of compromise, obviously you need to know about them, if they can analyze them later. But like the value of those is to find them as quickly as possible, not for necessarily historic data. So yeah, it really is very frustrating when you see this was doing a job, maybe not. Who's to say if it's working at optimal efficiency, if it couldn't be improved? This is totally separate conversation. But to just have it cut off seemingly over a bureaucratic lapse is. Yeah, is very frustrating.
[25:16]
Nick Espinoza
Yeah, it is frustrating and CISA has offered some really great programs over the years. Like a lot of companies didn't know you could get free vulnerability testing externally from them. You can sign up for it. These are things that as they are tracking with threat actors of the world and looking at things like integrity of the election, you know, they are trying to protect the critical infrastructure in the United States and the private sector as well, you know, so losing that is. Is just makes us less whole as a cybersecurity community because we're getting less threat telemetry, but it makes us less secure as a nation as well. So I'm not a fan of this by any stretch, and I'm really hoping. I'm really hoping it changes.
[25:54]
David Spark
All right, well, we have to get out of here in just a few moments, but before we do, I want to thank everybody for contributing in our chat. We had Kevin Farrell having some fun in there. CCL was suggesting for our last story there. Oh, we can just. Why don't we just get AI to find, correlate and analyze all those logs? Problem solved. It's no big deal. We just throw them all in the chat. GPT.
[26:12]
Nick Espinoza
Well, when it starts wiping. When it starts wiping firmware and then lying about it, you come talk to me.
[26:18]
David Spark
Well, yeah, we'll get replit right on that to try and get that on there.
[26:23]
Nick Espinoza
We'll be safe. We'll be down.
[26:24]
David Spark
It'll be great. Hey, if there's no logs, no indicators of compromise, what I'm here.
[26:28]
Nick Espinoza
Machines don't work. You can't get hit, you know.
[26:32]
David Spark
All right, before we're.
[26:33]
Nick Espinoza
We're.
[26:33]
David Spark
Now we're doing best. Bad idea. This is the wrong show. Super Cyber Fridays, where you can find all of those. Nick, before we get out of here, was there any story that a lot of. Seems like a lot of facepalm stories today. Was there anyone that was. Was the topper for you this week?
[26:47]
Nick Espinoza
Yeah, yeah. I mean, and some of the stuff that, you know, we didn't get to was like the. The calm, you know, like those kids, you know, like the miners that, you know, basically no fear of the law. You know, try jailing a juvenile, you know, and they're being put to. Put to work by groups like Scattered Spider and all that kind of stuff. I think that's one of the things that longitudinally we're going to have a huge issue with, because that's a big problem. But yeah, that other than that, you know, I think we covered a lot of good ground. I don't know if I want to call it good, but. But a lot of important stories, let's put it that way.
[27:19]
David Spark
Well, thank you so much. Nick Espinosa, host of the nationally syndicated Deep Dive radio show. Where can people find you on the cyberspace if they are so inclined to follow more of what you're up to?
[27:29]
Nick Espinoza
Yeah, yeah, you can find me at YouTube or LinkedIn slash. Nick Espinoza. Hopefully I'm on a public radio or NPR affiliate near you. You know, if you're in the United States or some parts of Canada, although it's not public radio up there technically the same way. Anyway, yeah, you can find me those places and come say hi, come hang out.
[27:46]
David Spark
Fantastic. Well, thank you so much once again. Nick, always a pleasure. We'll have to have you back on really soon thanks to our sponsor, Nudge Security. Secure the Work Forest Edge. Also want to thank everybody in our chat once again. Schmooze. Just one of our new regulars, I think in there as well, along with Kevin Farrell, CCL big boss man. David Spark will be back in a couple of weeks, I think, so we can look forward to seeing him in there as well. Always fun to see the crew. And if you want to join us, remember we're streaming on YouTube every single Friday at 3:30pm Eastern. So make sure you get in there and have some fun. Don't forget you can also send us feedback@feedbackisoseries.org it's an electronic mail address. I don't know if you're aware of this. You can send messages. It's kind of like the mail, but it's electronic and we don't charge for postage. Remember to please join us next week. First, we've got Super Cyber Friday, where the topic will be Hacking the Talent Myth, an hour of critical thinking about why the skill shortage might just be a hiring problem. I'll be hosting that. That starts at 1pm Eastern and then come on back for another episode of the week in review at 3:30pm Eastern. Head on over to cisoseries.com look for the events page to register and get more information about both. In the meantime, you still get your daily news fix every single day through cybersecurity headlines. Give us about six minutes, we'll get you all caught up. Until the next time we meet. For myself, for our glorious producer Steve Prentice, for Nick Espinoza, and for all of us here at the CISO series, here's wishing you and yours to have a super sparkly day.
[29:16]
Nick Espinoza
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full screen.
[29:21]
David Spark
Stories behind the headlines.