A

From the CISO series, it's cybersecurity headlines. Baltimore pones escalate, Ransomware gangs propagate and LLM legalese prompts perpetrate. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're looking forward to some insight, some opinion and some expertise from our guest making his maiden voyage on the good ship. Week in review, Ray Espinoza, VP of Information security over at Elite Technology. Ray, thank you so much for joining us. I gotta ask for a jump into the news. How was your week in cybersecurity?

B

Well, Rich, first, thank you very much for having me as a longtime listener of the show. This is a huge honor, so I really appreciate it. So what did my week look like? And I know we talked about it here briefly. I am also a football coach on top of being a cybersecurity professional. And so having the opportunity to get ready for week one has been an interesting focus along with 2026 financial planning and fighting the good fight every day. So.

A

So just a low stress week is what you're saying. Just budget football and on top of regular cybersecurity. Okay, all right. I like this. I like this. Ray. With all that in mind, thank you so much for making the time to be here. I am super, super excited. I'm also super excited today to thank our sponsor, Threat Locker Zero Trust Endpoint Protection platform. I'm also excited for all of the people in our chat. I see TJ Williams already, he's saying let's do this. Woo. We got Kevin Farrell, we got ccl. These are our regulars and in our chat you in fact can join them. We're on YouTube. If you subscribe to the CISO series YouTube channel, you can find us each and every Friday at 3:30pm Eastern. Or if you want more information about that, go to cisoseries.com and look for the events dropdown. And if you are here with us right now, remember, get involved in that chat. Don't just be a lurker. I mean you can if you want to. If anyone wants to be a wallflower, you are always welcome to do that. But we love seeing seeing you in the chat. Always fun to see. And if none of that sounds good to you, and I don't know why, but you could send email to us. Feedback. Csoseries.com we love to see those as well. Before we get into the news, just a quick reminder here that all of Ray's opinions are in fact his Own, not necessarily those of his employer, staff, affiliates, or clergy. We've got about 20 minutes, so let's jump in. First up here, city of Baltimore gets pwned to the tune of $1.5 million. The city admits that it's fallen victim to a con in which an individual spoofed a vend and tricked city employees into changing the contractor's bank account information, according to the city's inspector general, Isabel Mercedes Cumming, who also said the city's accounts payable department had failed to implement corrective measures after previous incidents of fraud and did not have proper protections in place to verify supplier details. The fraudster relieved the city of $1.5 million in two payments, and only one of those has been successfully recovered. Now, Ray, it's tough out there for any municipality. I'm not, you know, we're not trying to kick anybody when they're down. And props to the inspector general for telling it like it is. Looking more generally across organizations, I'm curious, why do you think it's so difficult to implement corrective measures? You know, even when we're hearing, hey, they have previous instances of fraud here, you know, fool me once, et cetera, et cetera, metaphor.

B

I think it's a really tough problem to solve, right? So you experience an issue the first time, and you're thinking about, what can we learn from it? How do we make this better? Are we training folks? Maybe there's some technology that we can invest in. Can we solve this problem somewhere and then continue to move on to the next fight? And I think maybe there was part of that historically, and I don't know, I haven't been in the building, and so I don't have any additional insight. But as I think through, well, then it happens again, and then you start to realize, well, maybe we did some training and maybe we did some technology, but did we actually try to address some of the processes that can create a much stronger gate for these types of threats to occur? Because this is typical business email compromise. There's no link, there's no attachments. And so, you know, you're. Your email security vendor is not likely to find it unless you have somebody new, or at least those that I'm hearing that are promising better results with AI now of being able to spot fraud. But I think that's the piece that many folks have missed. And I know when I look back years back as a longtime security leader, sometimes you're addressing the issue the best that you can with the tools that you have, and then you move on to the next one. Because you see the fire on the horizon. So I would guess that maybe something like that happened here, but then when it happens again, then you're like, okay, team, now what can we do to actually protect this? Because this has a real monetary impact on our organization.

A

Yeah. And presumably, you know, already resource constrained. I don't think many municipalities have $1.5 million to spare, you know, regardless of where that money would be going. Yeah, the. Yeah, that process part of it is the interesting thing, because when we're talking about all this, you know, the rise of deepfakes or just like this type of fraud, being able to bring to scale at a much more personalized level than ever before imaginable, a lot of the solutions are, well, we need to integrate AI into all of our systems. We need to put all of these speed bumps in place. But without linking that back to human process, that's going to need to be the final interface at one point or another. Yeah, I think really great perspective there, Ray, in terms of maybe that being the missing piece for a lot of organizations.

B

And I wonder too, is there a security culture there? And I've been at organizations large and small and in varying stages of their overall security journey, where employees feel deputized to, and they feel that there's a level of entitlement that they have to protect the company, to protect their data. And as silly as that sounds, right. If you think about it, we all care about our jobs. We all care about protecting the company and the data and everything else that we're doing. But I've been at organizations where I had to go in. I'm like, wow, okay, I have my work cut out for me, but I need to change the culture here. And then there's others where I've been able to build it, or I walked into and I'm like, heck, yeah. Everybody's like, security, you know, and then I see this thing and it makes me nervous. What do you think? What can we do? And I'm like, holy cow, this is amazing. When you're already thinking like that. I have to wonder sometimes at these organizations that have been under resourced and underfunded, is it. Is it easy to fight the good fight every day when you feel like you're just getting beat down? Like maybe that's what was going on there. But it is interesting to think about.

A

All right, next up here, Ransomware gang takes down. Excuse me. Ransomware Gang takedowns create more smaller gangs. Cybersecurity observers are warning that the success that Law enforcement agencies globally have enjoyed in taking down large operations. We've covered them on the show Lockbit, Black Cat or alfv. And HIVE does have a darker side. Since the takedowns focus largely on impounding or destroying the gang's infrastructure, but not arresting the operators per se. This has allowed the gang members to reform in a greater variety. Malwarebytes tracked down 60 new ransomware gangs operating this year. Researchers are attributing this growth to a mix of domain experience, commoditized malware and abundant AI, which is lowering the barrier to entry. Kind of looks like a no win situation for the good guys. Hey, we took down the big bad guys and like a hydra, they just, you know, sprouted a bunch of new heads. Ray, I'm curious, what are your thoughts? Is, do we need to broaden just from the infrastructure side of this and focus on the personnel as well? Like, should we, can we view this in a good light? I guess.

B

I mean, anytime you're taking threat actors off the street, that's a win. But when you realize like the underground economy is still there, you still have a small percentage of very advanced threat actors who have skills that others don't. And rather than them taking on the risk of taking on these attacks, it's like, well, I'll just create the software to enable you. Rich, if you want to go defraud these folks and you're just going to give me a small percentage of them, you think about it from a business perspective. And I try to, and I'm looking at it as a logical human being here and trying to protect others because that's my nature. I mean, like, that's bad, but it'd be silly of me to pretend that that doesn't exist. And so I think the more that these software kits become commoditized and being sold to other threat actors, the easy it is for them to get involved. You know, the barrier to entry used to have to be an elite hacker, you know, like 20 years ago. And I talk about that because I'm a little bit older, right? You know, 20, 30 years ago, you had to be elite. And it was a small group of folks who had a set of skills. Now somebody sitting a teenager in their mom's basement or up in their room, they have access for a fraction of a bitcoin. They can now go and start to exploit and sort of drive some of these attacks. And so I think those are the things that continue to worry me. And I don't know if it's ever really going away. If there's money to be made, there's people that are going to be out there that are trying to take advantage. And if we look throughout history, has history taught us anything different? That, you know, there's always one group and if they look like they can be exploited, there's going to be another group that can and will. And, you know, and that's terrible to look at it. And so we need to figure out like, well, how do we protect them, how do we drive education, how do we raise awareness with others and collectively, how do we fight this fight knowing the threat landscape is never going to go down, it's never going to go away, it's only going to increase. And so what do we do about it?

A

All right, next up here, one of my favorite stories of the week. Legal PWN Technique hides LLM prompts inside contract Legalese Researchers at the security firm Pangea are warning of another creative way to Jailbreak LLMs and empowering them with instructions that can be used to exploit vulnerabilities and circumvent cybersecurity practices. This one focuses on the inability of many LLMs to distinguish between instructions in their user's prompt and those hidden inside ingested data. The prompts are also being inserted inside the large paragraphs of legalese in contracts, carefully written not to raise suspicion among human readers. And let's face it, who's reading the fine print? Not all LLMs are fooled, but the most popular and heavily used ones do succumb to the prompts more readily. So, Ray, it's a little ironic that the reason the most important paragraphs and contracts are set in all caps is because it's supposed to, you know, make them more noticeable, pay attention to them. But it also makes them, I don't know, a little hard to read at times. I'm curious. It's an easy place to hide prompts in plain sight. Can cybersecurity experts turn the tables by, you know, maybe, hey, let's, let's throw, you know, we talked about throwing some AI at the first story here. Can we throw some AI, scan the legalese more closely to look for these? Is it, are we, do we need to keep stacking the AI to prevent the AI from doing the AI things?

B

That's the biggest question, right? It's, you know, how do we protect against these things? And if you think about it, like, how fast have we pushed AI or how have we, as the world pushed AI out on everybody? You know, all of a sudden I felt like one day, you know, OpenAI launched ChatGPT, and then the world sort of changed overnight in this huge wave. And people are like, oh, well, can I give it this? And will it give me better insights? And then people are like, well, how can I use this for work? And how do I drive better, more efficienc? But now all of a sudden, threat actors are trying to figure out, well, where are those bounds? Where can I push, where can I exploit? And then how long will it take for these AI providers to catch up? And it's that cat and mouse game that we've been seeing for as many years as I've been around in the technology space. So I think it is interesting, you start thinking about, well, can you trust one group to help you put good guardrails around, what comes in to prevent this type of stuff? And so I think it's going to continue to maybe get a little worse before it gets better, because the rate of innovation seems to be happening faster, really, than those guardrails that are coming in. But I don't know. I sure do talk to a lot of founders and folks across the world who are trying to solve the AI security problem in a number of different ways. So maybe there is hope on the horizon.

A

Yeah, we've talked about this on the CISO series podcast. You know, it's kind of like fixing the plane while it's in flight, right? No one wants to get, no one wants to be the last to innovate, right, and take advantage of this new tech. But at the same time, you're. You're being asked to secure the tools that you also need to use because your adversaries are using AI and increasing scale. So it is tough. I, I am encouraged that in a weird way, seeing the creativity that threat actors use, right? Like, let's throw prompt injections into literally anything that people might be too lazy to look at as a way to get those ingested into an LLM. I feel like we're starting to see that kind of creativity on the defender side, and we always do. Right? Like, to your point, it's a cat and mouse game constantly. Whether you're talking about the cloud, whether you're talking about mobile security, whether, you know, now it's the latest, hottest thing is AI, right? But, you know, humans are going to human, right? We are capable of incredible creativity and maybe we can use AI to kind of augment that and kind of use it as a force multiplier. And that's kind of what gets me excited, is seeing that kind of tug back and forth, admittedly I'm on the sidelines. I don't have to live it every single day. I'm sure it's a lot more stressful when you're in the trenches.

B

You're always trying to figure out how do I think about protecting my organization, how do I enable my organization to adopt this technology so we can experience the efficiency gains that you would get from it. But you can't do it willy nilly. You can't just say, oh, we're going to use a public one that everybody else does. My grandma uses it. We'll use it too for our most sensitive information. You have to think about it differently. But we do have to enable our businesses to be able to adopt AI responsibly. And different companies have different and varying levels of risk tolerance. And so some are like, heck yeah, let's do it, let's jump in and we'll fix it as we fly. I love the example that you gave and others are like, yeah, let's see, how are we going to manage governance, do we have the right visibility, etc.

A

Yeah. And CCL in our chat, having fun. Have a security AI, watch the legal AI and then you have to have a central governance AI to watch all the sub AI AIs in your group to do that. Really like that. And I like Joe, our suggestion for the algorithm, do smash that like button. I do appreciate that whatever AI, whatever AI magic is behind the scenes there, please help us out there. Also help us out by listening to me thanking our sponsor for today. And that's Threat Locker. Threat Locker is a global leader in zero trust Endpoint security offering cybersecurity controls to protect businesses from zero day attacks and ransomware. Threat Locker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com CISO that's T H R E A T L-O-C-K-E-R.com CISO.

B

All.

A

Right, next up here, SaaS company Workiva discloses a data breach this second half of the year. I think kind of belongs to Salesforce customers and this Workiva breach seems to be one of these, at least according to reporting from Bleeping Computer. Workiva itself provides a cloud based SaaS collaboration platform and its clients list is a who's who of recognized brands. Just a pretty, you know, kind of basic question here Ray, about kind of the follow on effects here. You know, Workiva's breach occurred through a third party CRM system connected to Salesforce. But I'm curious what happens to a company like Workiva or anybody when its deep pocketed customers, you know, start lawyering up? You know, I don't think they're just looking for a finger to point here at this point. Right.

B

Probably, you know, they, everybody wants to try to pass the buck a little bit. However, I mean, the risk still remains. Anytime you're going to use a third party, you're going to allow them to collect, process or store your data. You know, this is where the security diligence piece comes in and you know, third party risk management and you have a good understanding, you provide the right guardrails and maybe, maybe I use that too much. Right. You know, but I'm constantly thinking about again, enabling the business to adopt these types of technologies, but making sure you have the right level of visibility, et cetera. Getting a little bit back to your question though, like, well, how bad is this for Workiva? We read about breaches every single day and they're terrible and they suck and they're no good for anybody. Many organizations now seem to be judged on how well do they communicate, how fast do they respond and how transparent are they about the process and do they actually take meaningful steps to get better after they're breached. And so it will be interesting to see as Workiva continues to work through that, can they rebuild some of that lost trust that is experienced with this breach and find ways to be able to improve from a security perspective in a material way and show that to customers? Because I sure have been in organizations who spend a ton and they still have issues, right? No, there's nothing that's bulletproof. There's not enough budget to always do all the things. You're always trying to do the right things and be responsible. But, but if you really lean into being honest, clear and transparent with your customers, that goes a long way and making sure that it continues to be a trusted relationship.

A

Yeah, I always think back to 23andMe is kind of my example of like, and admittedly completely different situation. Right. That was customer data that, you know, that was breached and it was accessed and stuff like that. And that was credential stuffing. But kind of the comms that came out of that were like, well, it's kind of your fault for reusing your password. It's like, like that may like part of that is like your cybersecurity guy that said that. That should not have been the statement that came out to the public. So yeah, that response piece, yeah, I think is when we're talking about things being a matter of time. When, not if. Yeah, that to me speaks a little bit to not just the ability. Perception is reality. Right. So even if it's, you have a comm strategy for when this happens. Right. So I'm not finding out about reading bleeping Computer or one of these outlets out here. You know, it's not coming out in a Bloomberg piece. It's coming out because you're being forthright. You're not hiding the blog post announcing it by not, you know, by turn, you know, turning off the indexing on your robots Txt file. Right. Like a lot of those things go a long way to. Yeah, this is an unfortunate situation. No one wants to be in it. It stinks. But you can, you can at least shine a little sunlight on there and make people, you know, have a little confidence that you're, you're managing, you're on top of this, you're managing it. You're not trying to hide it until you're ready to talk about it.

B

Absolutely.

A

All right, next up here, SAP invests in sovereign cloud infrastructure in Europe. The company, headquartered in Germany, says it will invest 20 billion euros into expanding sovereign cloud infrastructure in Europe over the next 10 years, pitching itself as a secure and compliant alternative to American cloud giants. This move is intended to help provide sovereign infrastructure for the public sector and regulated environments. However, some within the organization includes, including CEO Christian Klein, disagree with the initiative, favoring a focus on using AI to improve manufacturing and other processes for its customers. 20 billion euros is nothing to sneeze at, even for SAP. But Ray, two big things here to unpack. The first being the question, just the overall question of the viability of digital sovereignty in a fast moving environment. Just one example, AI just indexed the entire web like overnight, you know, so that's, that's kind of a big deal. The second issue, maybe a little bit of an uncharacteristic, an uncharacteristic split with Christian Klein seeming to not kind of be on board with this infrastructure plan. His stim was made in June, but still resonates as something somewhat of a schism. I'm curious which issue kind of stands out more to you on this?

B

I think they're both interesting that probably what maybe would worry me if we, you know, for folks who are SAP customers, whoever will, what's up with the rift, you know, and such a difference of opinion at that, at that high of a level, you know, when you start thinking about the world that we live in now, do we Sometimes hold on to some of those old principles that maybe we were brought up with. You know, like, I'm older, my parents taught me, like when you earn, you know, a dollar, you save a huge bunch and you leave it in savings and so that it's there and it happens and then you start to get older and you realize, wow, well, the power. Could I have made more if I invested in what does that look like, et cetera. I feel like that's an example of, of sort of old ways of thinking. And now I apply it to this of like, well, do I feel better if our data is in country? Because why? You know, because, you know, there's, there's certain level of protections. I don't have to worry about spying governments, et cetera. It still comes down to, I think, a lack of trust sort of across the board and, and what they believe as the potential exposure. I do think, I do believe that things like GDPR and others, I think the essence of it, of giving individuals the right back to their own data, that really being the driver around data sovereignty and whatnot. I almost feel like, are we moving it slightly to make it fit to part of our old way of thinking of years ago, we thought, I want software in my own closet here in our building or in our own data center cage, because it's ours.

A

Four walls. We got these walls, we're going to use them.

B

Exactly. And then the cloud came and it's like, well, now I have to think about can I apply similar logic but in different ways with, you know, with, with different controls, et cetera. So to me it feels like there's a little bit of that going on. But, but I do have to wonder too, if there's a rift there at the top, you know, what does that mean overall from, you know, their, their overall direction? You know, the last. I know most CEOs have a pretty strong voice around like the direction of the organization. So we'll be interested in watch.

A

Definitely. Definitely. All right, our last story here. Cephalus Ransomware spoofs Sentinel 1 as attack vector. A new ransomware named Cephalus is casting its spear at various professional firms in the US and Japan. It leverages Remote Desktop Protocol, or rdp, accounts that have not been secured with multi Factor Authentication and then drops a real program executable from security firm Sentinel 1 into the computer's downloads folder. This is then tricked into sideloading a malicious dll. Selfless is also able to delete Windows Shadow copy files, which companies often turn to for recovering their data. And Then also disables Windows Defender class move their cephalus. I'm curious though, what about this disguise as this kind of this overall approach. Right. You know, oh, we're going to hide in plain sight, right? We're going to hide as the security software. New technique, old hat for you, Ray.

B

New technique, old hat for sure. I mean, you know, gone are the days or maybe not gone. I think it's just different threat actor groups who they want to break every window along the way to let you know that they're in because there's a certain level of fear about it and then there's others who genuinely care about making money. It's like, well let me, let me take what I want first and then I'll allow you to pay me maybe to give you your information back, et cetera. I think the scary point of that entire story is utilizing a well known and trusted endpoint protection solution like send the one and then using a side load attack to be able to have that look good but have it not be good. It is really scary and I feel like the overall technique you still the crux of it was unsecured credentials. That's still a big deal, right? I think the Verizon data breach report this past year had moved that above phishing on source of breach, which I think was the first time in a while. It was always in the top three. So I think that's still sort of the core story here of MFA folks and other controls to be able to secure access. But gosh, when those threat actors are in there, they are extremely crafty at finding ways to maintain persistence and, and doing so by trying to trick people. That I feel is old hat Sentinel One and attacking that pretty new.

A

And so yeah, yeah, that yes would. And again like I feel, I feel this is where I have, I always have sympathy and, or empathy perhaps for the person that sees oh Sentinel One, that's in my downloads. I, I know I can trust. You know, I know I can trust that. But it turns out unfortunately you can't. What we can trust though is for our audience in our chat to be having a fun time helping make the show better, submitting stuff here. I love ccl. We didn't get to this quite in the SAP story, but CCL was speculating they were probably encouraged by Microsoft not to be able to guarantee that EU data cannot be accessed from the US and that goes back to the whole constant pendulum swing of the privacy shield and Max Schremm's lawsuits making those null and void. So yeah, Great point ccl. We had Max Tronic enjoying victim blaming in there. So lots of great stuff there and of course just lots of fun there. So thanks to everybody that was submitting, having fun in there, always fun. Before we get out of here, Ray, I have to ask, of all the stories that we had in the rundown today or maybe just the news of the week, was there any story that you want to give a big hearty thumbs up to or a facepalm just kind of enraged you in the, in the rundown this week?

B

This may sound like a safe answer, but I promise it's not. You know, like I have a lot of empathy for, for folks who experience any sort of issue and you know, and because there's always folks behind the scenes that are there to, to do the response and the cleanup and trying to drive communication, et cetera. And so I try to steer away from any of the face palms because I don't want to judge folks that they're walking different paths. You know, we're all hopefully moving in the same direction, but they're in different phases, part of their journey. So my heart goes out to folks who are compromised and have some level of breach that they have to work through because a lot of people are going to do a lot of really hard work to try to get the company back to earn trust again.

A

It is hard out there for everybody. So keep on trucking folks. Ray Espinoza, VP of Information Security over at Elite Technology, thank you so much for being on the show, for lending your expertise, for just helping us have a fun Friday. Running down the news here. Where can people find you online if they're so inclined and want to check out what you're up to?

B

We'd love to connect on LinkedIn. You can search for Rey Espinoza. I'm sure there's probably a dozen or so, but I seem to be the only one in cybersecurity so maybe that'll help narrow it down.

A

Well and you can also look for the link in our show notes or look on the video screen if you are watching the video version as well. Thanks also to our sponsor for today, ThreatLocker Zero Trust Endpoint Protection Platform. Another big thank you to our audience. Always appreciate you being here each and every Friday at 3:30pm Eastern. Don't forget you can also send us feedback through email. Feedbacksoseries.com it's electronic mail. It's catching on. I think it's going to be here for the long haul. Remember to please join us next week. First up we have Super Cyber Friday where our topic will be Hacking Managed Services, an hour of critical thinking about what questions to ask when you're looking for a provider. That starts at 1pm Eastern. And then come on back for that week in review with me. 3:30pm Eastern. We're going to be having some fun. To register to join us for all of these good things, head on over to the events page@cisoceries.com and subscribe on YouTube. We can review. You don't need to register, you just need to show up and we'll have some fun time. In the meantime, you can still get your daily news fix every single day through cybersecurity headlines. Give us about six minutes. We'll get you all caught up. For myself, for Rey Espinoza, for our glorious producer Steve Prentiss, and for all of us here with the CISO series team, here's wishing you and yours to have a super sparkly day. Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.