
A
From the CISO Series, it's Cybersecurity Headlines. CISA makes a plea for safer infrastructure, password manager extensions face clickjacking, and Cybersecurity Headlines turns five years old. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're going to have a very special edition of the Week in Review. First we're gonna be looking at some of the biggest stories of the week, and then we're gonna be looking back at the last five years. Now, to help me with this, I am joined by a coterie of people that have some perspective on the matter. First up is our fearless reporter and master of headline sophistry, Hadas Cassorla, as well as our producer for this show and the first reporter for the show, the glorious Steve Prentice. Steve, Hadas, I am so excited to be celebrating five years with both of you. Gonna have a good time today, I think.
B
Yeah, I think the biggest story, Rich, is the cats on your shirt. Those are amazing.
A
The cats are indeed legendary on the Week in Review show. If you're not watching the video, you are missing out. So just one more reason for you to always catch the video version of this show live every Friday at 3:30. Before we jump into the news and a little bit of reminiscing, we have to of course thank our sponsor for today, Conveyor, the number one AI for trust center and security questionnaire automation. Now, as I've already mentioned, if you're listening to the show as a podcast, you may have missed out on some of the video components here. Remember, you can join each and every week on our YouTube channel or go to cisoseries.com and look for the events page and join us live. See the video version, get involved in the chat. I already see Michael Vinding and the big boss man, David Spark, in there wishing all of us a happy anniversary. It feels good, warm and fuzzy, and you can be right in there and join in the chat. And if you want to let us know how you're feeling about the show through email, feedbackes.com, I see each and every one of those emails and I love it when we hear how we are doing, good, bad or indifferent. I want to hear it. Just before we get into the news here, just a quick disclaimer that for Hadas and Steve, these are all their opinions, not necessarily those of any employer, in fact of the CISO Series. Really, these are just their personal opinions, and so we're going to have some fun with those. We've got about... oh, usually we have about 20 minutes. We might go a little long today. That's okay. So let's get into the news here. First up, CISA implores OT environments to lock down critical infrastructure. The agency is seeking to get attention from companies with operational technology environments to get them to set a better cybersecurity posture. Good luck with that. Noting an increase in attacks this year, 87% year over year according to Dragos, CISA published some new foundational guidance for OT cybersecurity. That starts with the absolute basics: assume nothing and start entirely fresh with a new taxonomy-based OT asset inventory. Knowing what you have might be a good place to start. A link to the report is available in the show notes to this episode if you want to get into all of the gory details. But Hadas, CISA has been a constant presence in the news for basically the entire time we've been doing this show, one of the major components in kind of the broader cybersecurity landscape. I'm curious, what are your thoughts about its constant uphill battle to get attention from, you know, whether we're talking about OT or just organizations in general, even the government itself, and kind of its role here?
B
Yeah, I mean I think realistically all security has a struggle getting attention from businesses. As a security professional I have, I sometimes struggle getting that kind of attention. I also think that CISA specifically, for a while at least, was maybe trying to do more than they should have been and maybe lost the attention because they weren't as focused. I do think, however, that most of my peers and I actually do pay quite a bit of attention to what CISA is doing, the things that it puts out, the recommendations it has. And I often reference CISA's stuff. So I think if they stay mission clear and also keep putting out, I think, really good things like this, they're not going to need to struggle for attention.
A
When you say you're using these, are you using these to build out things to get buy in from your organization? I'm just curious.
B
It's dependent on what, right? So for OT, I would say yeah, this is actually really helpful. This is a really helpful reference to get people who don't know where to start, to get people who have been in the business forever and now all of a sudden they're like, what, OT? I have to secure that? So I think that this is a really good reference, and I think that with this content on securing your environment from CISA, they will be more sought after by security professionals for advice and products like this.
A
Fantastic. Just a shout out. Schmooze has congratulated us on five years, and CCL in our chat. Our chat's kind of having some fun here. No live music performance, CCL. That's going to be for the 10 year anniversary. We've already booked. Steve is going to be doing some guitar solos and stuff, stuff like that. So that should be happy to sing. Yeah, oh yeah. Oh yeah. We got a dynamic duo here. So 10 years. Look for it. 20, 30. Book it on your calendar. We'll put it out there for you as well. Moving on to our next story here. Executives fall for podcast trap. The Better Business Bureau warns that attackers are using fake podcast invitations to trick executives, these poor executives, with emails that look legitimate and carry professional branding. Victims are asked to join a test interview or technical check, during which AI generated voices and videos pose as podcast hosts. While the session seems routine, the attackers prompt the targets to install software, grant remote access, or share files, giving them the ability to exfiltrate data, harvest credentials or deploy malware. Researchers note that this method leverages common business practices, since executives are accustomed to media requests and interview prep. So Steve, this falls into one of your favorite categories, the social engineering trap. And that was one of my big takeaways, just kind of looking back at some of my favorite stories from this year. I'm curious, what are your thoughts? What stands out to you with this particular story?
D
It happens over and over again, and now we've got to the big bosses at the top. The idea here always is that no matter how much work we put into defense in depth and fortifying the networks, it's always the humans, unfortunately, who are the weakest links. We've seen this. I mean, I received one on my phone just today, some wonderful piece of good news from one of these big headhunting companies saying that I'm really good at this particular job. You know, every single day you get these messages which are just simply phishing, social engineering. And we do our best to try and stay aware of this, but it's just not possible. So now you see executive level people who are used to being asked to be interviewed. I mean, this is part of the perks of the job. And they're getting used to even shows like this. They come on to do a show like this and of course they're going to fall for this. You know, if someone just says this is a technical check for the podcast coming up, of course they're going to do it. I always speak to a topic. And I was delighted that David reminded me of this a couple of days ago, that he still uses this, a term called "gap it," which is where you put a gap between what you see and what you do next. So whenever you see a message like that, okay, you stop and say, where's this coming from? Is it real? What should I do next? Rather than simply just click on the link. So now this is something that must permeate the C suite level and the executive level. And just the same thing. Always, always. Every single message that you get that wants you to do something, go back around another way to connect. So if it looks like Steve is asking you to join a technical check for a podcast coming up, reach out to Steve, reach out to me via my previously arranged email. Don't click on the button here. This is it. It's a simple two-word mantra, but it's the kind of thing that needs to be taught regularly, encouraged and given company time to practice: the idea of separating what you see and what you do next.
B
Is this an elaborate way of you guys telling me I've been pwned?
A
Yeah, this is actually for our five year anniversary, we are revealing we are working with North Korea. And I'm so sorry, but you did install that browser. Yeah, well, no, but I think about this. I mean, all of these steps of being like, oh, did you check this setting? Have you tried installing this? Those are the same things our producers do when we have podcast guests on the CISO Series. And everyone wants to be very accommodating because you're like, oh, well, you're profiling, you know, you're going to highlight, you know, my, you know, for some of these, I'm sure it's, you're highlighting my company. I want to, you know, I want to sound the best. You're telling me to do this thing. It's, you know, Steve, you're absolutely right. Like, whether it's technical controls that give us these speed bumps or just these moments to think before we act like this, I think, you know, again, whether that's through technical implementation or just personal discipline, is really kind of one of the best ways we can do this as it becomes just basically trivial now to do, you know, very convincing video fakes. We were joking around and CCL in the chat said this reminds me of a story where a pastor was duped into traveling to a village in an African country and found that the church does not even exist. If you want the 19th century equivalent to that, actually look up Gregor MacGregor. Fantastic con man story, just truly tremendous. We're going to move on to our next story here, though. Password manager browser extensions face clickjacking threats. A new study shows that browser extension password managers can be tricked into giving up your logins with just one click. Security researcher Marek Toth likens it to clickjacking. But instead of tricking you into clicking a malicious button, your click triggers invisible login fields that the extension may think are a real form, and then it autofills your saved username, password, two factor codes, even credit card details. The trick only works if the attacker is on the domain or subdomain your password manager already trusts. If you use one of these services, you know, I always love when you sign up at the login page and it doesn't recognize the main URL. That's always my favorite password manager behavior. But Hadas, tests showed that 11 major browser extension managers were vulnerable, including 1Password, Bitwarden, LastPass, and so far there are no fixes from vendors, and the flaw also impacts Chrome, Edge and other browsers. So basically I'm going to say the entire password manager market. I'm curious, what are your thoughts?
B
I think that we need to be wary of it. I'm guessing that both the browsers and the password managers are working on fixes. But I also think that even though it is a story that we need to be aware of, because you have to be in the domain or subdomain, it's concerning, but less concerning, because the attacker would first have to be able to get a URL with that domain. And that's not saying that they can't because, I mean, we've had stories on here where Google's subdomains have been... hackers have received them, have purchased Google subdomains. So it is a concern. But you know, I like, on the level, on the list of all the things to be concerned about, keep using your password manager.
A
Yes. Yes. Yeah. Please don't make this be an excuse to... yeah, to avoid these things. The net benefit, even if, even if there are some quirks, you know, like still use these. Please, please, folks, we love our password managers. Michael Vinding, I do have to say we haven't implemented a leaderboard yet for our comments. I'm going to say I think CCL probably would be on the top there. But Michael, I appreciate your vigorous efforts for this week to get to the top of something that doesn't exist. Next story up here, and our last story that we're going to be covering today. Workday confirms a data breach. Last weekend, the human resources technology giant confirmed that threat actors accessed a third party customer relationship database, obtaining personal information. Workday added a noindex tag to its blog post disclosing the breach, so it didn't surface in search. Hmm. So Steve, there seems to be a lot of maybe irony around a company that looks after people's resumes fixing a blog post so it doesn't show up. Hey, maybe I'll throw that on my personal website too. I'm curious, what do you feel when you read the details of the story and kind of Workday's response here?
D
I'm always going to caption this with the expectation that this is correct and true, but the fact it was quoted directly from the article, I expected to do so. And I don't want to pick on this particular company individually. It is ironic given that they're there looking after all of your data, but what it points to, I think, from a cybersecurity mindset and a cyber criminal mindset, is there's a great deal of spinelessness in corporate everywhere. We are so terrified of losing that brand value or losing share price on the markets that we leap to these things very, very quickly to hide or downplay anything that's wrong. Every single breach we have covered on this show, pretty much paragraph number three of the story is them saying, we take your data seriously and we have done everything we can to dig in and find out what the problem is. And it's like, well, horse bolted, you know. There is a bit of a problem here with regards to the fear that organizations have that their long term brand will be damaged or tarnished in some way by this, that they do these things. And so that's why this story stuck out to me. Not that I wanted to pick on them specifically, but the sheer action of trying to hide the truth has never worked because, you know, hey, it's out there and people can find it. I think there's a lot more that could be done if organizations say we've got to really be more forthright and fearless when dealing with criminals, because it's a short step from hiding the blog that talks about the mistake you made to just saying, yes, we'll pay the ransom, please give us our data back, and continuing on this procedure. So if you know me, my angle is always about senior management's approach to how work should be done and some of the things that are lacking therein. And that's why the story just simply spoke to me: don't hide your mistakes. Stand up, admit them and tell people that you're going to fix this. But more importantly, here's what else we're doing to keep you safe. I think that's a far better approach for organizations in any industry.
A
Okay, now Steve, I'm going to preface this as this is mostly a devil's advocate argument, and I almost entirely agree with you. In this particular case, I'm going to make the argument that maybe the thought process was the lawyers talking. This was a breach that came from a third party. Right. This was not, Workday gets breached. Right. Presumably the scuttlebutt out there is that it was potentially Salesforce related. We've seen a bunch of Salesforce related breaches. The idea being workforce didn't do anything wrong. Our vendor got breached, but it impacted our users, therefore we want to disclose it. But maybe we don't want to, you know, throw out bad advertising for ourselves for something that wasn't our fault. I kind of disagree with this take, but one, if it is Salesforce, or if it, like, third party breaches are now so common, I feel like there's enough nuance for anyone that cares to look into it at all that it's increasingly obvious these are just commonplace things that are happening. Does that, does that just come across as completely disingenuous, or does that fact kind of matter, Hadas, to you? I'm curious what your thoughts are.
B
I'm dying here. I'm just like... First of all, I want to say, Steve, this is such a good take. I love it. Especially because if you look at, ever since the initial huge breach of Target, within a year, even though company stock prices fall when they first have big breaches, they're back to where they were. It's not as impactful as they are afraid it's gonna. It is impactful. You need to change your behavior. But it's not like a deal killer most of the time. In this case, Rich, for your question, because it is a third party breach, it's even more reason for them to be super honest about it. It's not going to end. Their responsibility is to their customers. That is why they are in business, is because they have customers who purchase their services and their software. That should be first and foremost, not how do we CYA. Listen.
A
For all my, from my PR flacks out there, I just had to, I had to, I had to at least make that argument. I again didn't really agree with it, but it at least occurred to me. Right. It's worth considering.
D
Well, I will say first of all that yes, it is completely disingenuous. And secondly, I disagree with the disagreement. So what I'm going to suggest is the choice that they make in the third party vendor is not an excuse. You know, if you hire a third party vendor, you are responsible for their behavior. And we again, looking back over the stories of the last couple of years, at least, this comes up. If you had a bingo card, I'd put third party vendor right in the middle because that's always who they pause and blame, for the same reason. No, you hired these people, you signed a contract with them. It's on you, and your name's on the outside of this tin.
A
It's on you. And Michael Vinding, pointing out: I hate that we're normalizing breaches almost as much as the non apology of, well, not really our fault. I mean, to that I would say there's a difference between normalizing and, like, realizing. I mean, we're having this conversation, that it's a matter of when, not if. Right. So I don't think it's necessarily normalizing breaches, but it's a reflection of what we can all... we all want to never have a breach. But I don't know if it's necessarily normalizing it. I agree. The non apology, the trying to push it under the rug, it just rubs everybody the wrong way. It makes me question past things that have happened in the past. What kind of visibility and full disclosure are you getting? So, yeah, not exactly a great taste in my mouth from Workday there. All right, well, before we jump into kind of the five year anniversary celebration here, we want to spend a few moments and thank our sponsor for today, Conveyor. Still stuck spending hours on security questionnaires every week? You are not alone. Conveyor will get you to a place of questionnaire zen with AI that auto generates accurate answers to questionnaires of any format. Portals, spreadsheets, PDFs, you name it. No more manual copy pasting or chasing down answers. Conveyor's AI fills out everything you want, start to finish, freeing your team to focus on what really matters. Try Conveyor today and cut time spent on questionnaires by 90%. Learn more at conveyor.com, that's C-O-N-V-E-Y-O-R dot com. Oh yes, the whole, yes, the buy the breach stock program. Don't take financial advice from the CISO Series. Full disclosure. All right, so let's just look back into the hazy mythical past here. We launched Cybersecurity Headlines on Wednesday, August 19, 2020. We've been delivering the show every weekday, outside of a few major holidays, ever since. Our consistency is one of the things we really pride ourselves on. Just being in your podcast feed each and every weekday to kind of keep you up to date. Steve, you've been here since day one. What did we cover that first day? I'm curious.
D
Yeah, I have it here. I pulled up the page, actually. And so the stories we had then were that Oracle enters the race to buy TikTok's US operations.
A
Oh, God. Oh, I forgot. Oh, all.
D
That's all that time.
A
Oh, my gosh. I forgot how much oxygen that soaked up in the room for years.
D
Jack Daniel's was hit with ransomware, so that was a big shock to a lot of people. 200,000 healthcare records exposed through GitHub credentials leak. Hey, that's original. Apple will not make...
B
The more things change, the more they stay the same.
D
So Apple will not make any exceptions for Epic, the makers of Fortnite, who wanted to do some app store stuff or refused to do some apps. So there's a battle going on between Apple and Epic over Fortnite, which we've.
A
Seen reversed over the last five years. Yes.
D
Crypto mining worm steals AWS credentials. Hey, haven't heard those initials before. So a lot there. Microsoft delayed zero day fix for two years, according to Brian Krebs. This was... took them two years to patch that. I mean, that happens, I suppose. British students' grades algorithm reveals potential for cultural bias in AI, the term that was not really used very much, but was starting to show up. And finally, I love this one the most. Oculus users envision a Facebook future. We were all getting ready to strap on the Oculus devices and do our virtual stuff that way. That's what we were doing.
A
Yeah, I mean, it's clearly the future. I can't wait for Apple to get into that market and just completely dominate and really transform everything. It's going to be. Oh, wait, wait. I'm sorry. Oh, good gravy. Hey, Kevin Farrell's joining us. Kevin, thank you so much for being here. I appreciate the happy five years.
C
Wow.
A
Yeah, it's very interesting. I mean, Hadas, from your perspective, I know you've been listening to the show for a while. What is the... is there anything surprising, or lack of surprise, I guess, looking back five years?
B
Okay, first of all, for a while. I think you mean fangirl since day one. All right, all right. For a while.
A
Okay, okay.
B
No, I mean, I think that, like I said, you know, the more things change, the more they stay the same. I think five years from now, the players names will be different, but a lot of the. Actually a lot of the issues will be the same. But also there will be a lot more AI issues, obviously.
A
AI solving that AI. It's interesting that even, even five years ago, we were kind of touching on that topic. I'm always, I'm curious, you know, in five more years, after the musical performance, if, you know, will we be talking about, like, oh, man, we didn't even talk about quantum back then. I can't even believe that. Or what, you know, or if it's just going to be all AI or... well, you know. Well, I don't want to think that. I don't think that bubble bursts, but like, do we... how are we talking about it? Well, that's true. Yeah.
B
Yeah, it'll be, it'll be our AI representations.
A
It'll be all of the Hadas bot rocking and rolling on the show. That's fantastic. So, Hadas, you know, in preparing for the show, we have asked our reporters to maybe think about their favorite stories they've covered since being here. You are the freshest on the block here. So I guess we'll go in reverse chronological order. What has stood out to you since you've come on board? What has it been, two months now?
B
Yeah, I would say that for me as a reporter, I like the weird and wacky stories the best. But my favorite story overall since I started was the Replit story, where the entire prod database of a company was deleted by AI. Speaking of AI. And the reason it's my favorite story is because there were just so many things that went wrong with that. And it's sad. It's really sad that, like, an entire company basically fell apart with the reliance on AI. And as a practitioner in cybersecurity, it's the thing that I'm worried about most, is that I love AI. I love new tech, I love using it, I love the potential of it. But I also am a little leery of our reliance on it so swiftly and our lack of controls in its use. You know, if you're using AI in your production environment...
A
We've talked about this on Defense in Depth on the CISO Series before, quite a bit. Like, it's like, you know, trying to fix the airplane while it's in flight. Right? It's like we have to adopt these tools because we need to be able to move fast. Everyone else is doing it. Also, we need to secure these tools, and also, to meet the new threats that are already using these tools, you need to adopt AI at the same time while trying to, you know... it is a Gordian knot for sure to try.
B
And all of that is true. But you still need to get back to the basics. You don't put in a brand new tech into your prod environment like that, like that or without having you know sufficient backups to make sure that you can. It just. That's what boggles my mind is like and I say this actually is as a practitioner you still have to do the basics. You still have to have asset management, you still have to have vulnerability management. No matter how new the technology is, you still have to take care of your basics.
A
I'm just encouraged that someone is going to get... many people are probably going to get their master's degree from business school writing out the business use case of what went wrong with Replit, and if we played some small part in that, you're welcome, all future people that get master's for all of time. Basically, that is an A-plus story, Hadas. Yes, definitely one of my favorites as well. We are going to also hear from Sarah Lane, one of the reporters that has, one of the more recent additions to Cybersecurity Headlines. She could not be here today, but she sent a nice video, and so I thought we'd give that a listen. Sarah, take it away.
E
Happy 5th anniversary to Cybersecurity Headlines. Hello everybody. I am Sarah Lane. I'm one of the newer members of the team at CISO Series. I started Cybersecurity Headlines just after the first of the year 2025. So it's been going on nine months now, and you've never seen me before. So here I am in my studio, where I record the show and a variety of other tech focused shows. So I just wanted to give a big shout out to the CISO Series team. They have been more than welcoming of me, even when I had to, you know, just kind of figure out what kinds of stories you, the audience, wanted when I first started, and are just a great group of extremely smart people and also very funny. You should see our Slack messages sometimes. You know, this is, this is... we should be comedians, all of us. But anyway, Rich Stroffolino asked me, you know, just, do you have a favorite story, you know, over the time that you've been doing CSH? And I'm not sure that I have a favorite story, but I will say that my favorite stories are not so much like this breach or attack happened, because that, you know, that sort of, that always feels like step one: okay, the company or individuals that are affected have to figure out what to do. But then, and this is where I also lean on our team, and I thank them as well, we will, you know, pick up a story, and then someone else figures out what's the next step of the story. Here's the update to the story. And then eventually, if all goes well, we as consumers, because we're all consumers at the end of the day, right, no matter where we work or what we do, we feel more informed about how this affects us and what we can do to keep ourselves safer going forward. Those are my favorite stories, because I feel like at the end of the day, I can go to the next person who doesn't know much about technology at all and say, here, here's what you do. Here's what you do differently, and here's, or here's what that company did differently, and here's how you can walk away from this and feel like, I got smarter. So that's, that's... those are the stories that I like the most. Otherwise, I am so pleased to be part of the team. It's been a really, really fun ride so far, and I know y'all have been doing this for, for a few more years than I've been here, but I hope to see you for many more to come. Thank you so much. And again, happy anniversary to the CISO Series, Cybersecurity Headlines.
A
Yay, Sarah. Yay. I have, I've had the pleasure of working with Sarah for a couple years before she started here at Cybersecurity Headlines. Was thrilled that we were able to bring her into the fold. I love her perspective. I love her voice that she brings to the show. And Hadas, same for you. You say you were a fangirl. I was a fan of having you on various shows and just kind of working with you in that capacity. So it has been thrilling to expand our team. Absolutely, absolutely love this. And Michael Vinding pointing out, yes, Screen Savers and G4 fans will also likely know Ms. Sarah Lane as well.
B
I'm just glad I can prove to everyone I'm not AI.
A
Yes. Yes. It's because you have a poise that all humans aspire to, Hadas. I think that's how I read it as well. Also, just make sure your GPU doesn't max out during the rest of the show. Okay. All right, before we move on and talk to, we're going to hear from Lauren as well, one of our other producers here as well. I just wanted to send a big thank you and just acknowledge the role that Sean Kelly played in this show for many, many years. He was a centerpiece. I consider him still one of the founders. He wasn't here on day one, but he hosted this show, the Week in Review. Was always game to step up with that, even though really busy guy. He had to step away just this summer because he actually became a CISO himself. Onward and upward. We were thrilled that he had this opportunity and got this new role, and we are looking forward to having him as a guest on this show. We would love to have him on as soon as he is able. He's dealing with some health issues at this moment, but we wanted to acknowledge just his skill, his breadth of knowledge, his warm yet authoritative delivery style, and just always being just such a valuable teammate, a friend, a colleague to work with on a day to day basis. So Sean, we are rooting for you and we can't wait to have you on the show as well. So just a big thank you to Sean for being with the show for so many years. Also wanted to bring in Lauren Verno. She joined us about a year ago, on September 3rd. She too has prepared a video. You get to see our reporters in action. How fun is this? Am I vamping because I'm trying to load the video? Who will know? But anyway, Lauren, why don't you take it away.
C
Happy 5 years CISO series. Specifically the Cyber Security Headline show. So my name is Lauren Verno. I joined the cyber Security headlines team a little over a year ago. We're coming up on two years and it has been an absolute dream. A little bit about me is I actually used to be a news anchor and reporter and report on stories every single day. And then I moved to the cybersecurity world and this show allows me to continue, you know, researching those top stories of the day and bringing them to you and creating a rundown. So we were kind of asked to share a little bit about our favorite stories and what our favorite stories to report on. And I like to say that the stories that I get to have a little fun with the writing are my favorite stories to write about in recent memory. You know, Medusa Locker, ransomware gang, looking for pen testers. I mean the jokes that come out of that one of. I think you have to go back to the episode though, that ironicness of it. I love to give just a wild genre of what your top headlines of are for the day. I try to find a really well rounded rundown so that every single person who listens can at least find one story that they can take away. And coming back from my journalist days, I would always say when I was thinking of my stories for the day, I'd think, okay, what was the story that I went and called my mom and told her about? I just have so much fun telling these stories. But I will say this five year anniversary, not shocking at all because I'm waiting for the 10 year anniversary of the this podcast. I think what makes it so unique is each reporter really brings their own style and has their own voice because we all come from different backgrounds but we all have a passion in tech and cyber security. And then we, we're able to every day bring a little spin off. I hope everyone understands how much that we take the top stories of the day. We don't get to research and write this way ahead of time. 
We spend every single day scouring the Internet and scouring Reddit to find those top stories of the day so that you don't have to. Because, you know, there are lots of media outlets out there to get your generalized news of the day, your weather news, but it's actually really hard to find your top cybersecurity news of the day. That was something that I found so niche about Cyber Security Headlines, and when I got the opportunity to join, I just couldn't say no. So cheers to 5 years of Cyber Security Headlines, and cheers to many, many more. I can't wait to continue bringing you stories and getting to talk about something that I find so much pleasure in writing. And I hope that every day you get to take home and, you know, share and pass along some valuable information. All right, have a good day.
A
Bye. I'm still on mute. There we go. Lauren, just fantastic. I love hearing Lauren work. Everyone here has a unique instrument that they use to present the news. They have a unique perspective. I always love seeing what their passions are. I've shared plenty of things that I'm passionate about. But Steve, as the OG, I gotta know: what was your favorite story that you've seen, lo these five years?
D
I'll tell you that very quickly: it is the Florida water story. It's because this was once again an organization that placed their faith in shared passwords. We've got ourselves a really good remote access software. Seems to work really well. Hey, we can save some money by not having our engineers drive around and inspect the places in person. Just simply do it from your home, and yeah, we'll just have one password now. Again, I do not wish to pick on them specifically. In fact, in this morning's newscast, this Friday, was a story about a kid from Scattered Spider who just got arrested and got sentenced for doing bad stuff. But the end of the story was that he called the case unjust because another Scattered Spider kid hacked the judge while the case was going on. You can't write this stuff. They said, how did that happen? Well, somebody came in to say that they're fixing the password system for the court system. They phoned up another judge and said, hey, we need to change the password so we can have access to the password system. And they gave them the password. So they changed the password. You know, I'm thinking about all the SIM swapping stories we've had, and again, all the social engineering stuff, the Hong Kong heist, the deepfake heist of last year. And once again there is this incredible belief that it's not going to happen to us. We're too small, we're too insignificant. They'll go after the big people. Or we're just going to look to save money by sharing the passwords. Just write it on a sticky, put it under your keyboard, everything will be fine. So I guess, because my background, as Lauren was talking about, we all come from different places. My background is in psychology, the psychology of change and the psychology of adoption of technology in the workplace. So I'm always looking at this stuff and having to shake my head as to why.
This constant notion of keeping our head in the sand, that it won't happen to us because there's bigger players out there, is just like the gap thing I said before. It's a key piece of the education that all people of any level must adopt: that we are weak, we are prone to this, and nobody is too small to get attacked. So yeah, the Florida water story will always stay with me.
A
Yeah, that. And that has the feeling of, I don't want to call it genre-defining, but in terms of conceiving the impact that cyber attacks can have. I mean, I could say in a much broader sense the Russia-Ukraine war, right, was a sea change in how a much wider set of us see that cyber warfare and cyber operations is literally just another theater of conflict. And I feel like the Oldsmar water plant story is kind of that way for these critical infrastructure systems as well. So, yeah, Steve, perfect. Absolutely love it. Before we get out of here, I guess I'll share my favorite story real quick. My favorite. So Steve mentioned his background coming from maybe a psychological perspective. I'll keep it with the social sciences. I put on my anthropologist hat, or at least my almost-undergrad-anthropology-degree hat. And I love anything that has to do with culture, obviously. Right. So the thing that was fascinating to me was the fall, or the dissolution, or the infighting within the Conti ransomware group that we saw with the Russia-Ukraine conflict, of suddenly they were on two different political sides, or two different sides of a hot war. And that, to me, I'm always fascinated when we get a glimpse into how these threat actors operate. They're effective. More and more you just realize, oh, these are just businesses, admittedly mostly not completely deregulated, I guess, running on their own, completely off-the-books set of regulations for them, but these are organizations. So they have the same stresses, they have the same issues that a lot of legitimate organizations have. And as we get windows into that, however we get into that, that to me is always fascinating to bring. In a weird way, it makes these groups seem less monolithic. You realize that these are just humans trying to cause harm and have financial gain. I don't know if that makes it better or worse.
B
It's kind of fun to see the in-office politics fighting, and you wonder if they have an HR department to deal with some of the strife. And yeah, really, you're like, oh, I wonder what they're talking about at the water cooler this morning.
A
Yeah, like, you know, we always talk about, oh man, SOC analysts are just so overwhelmed. It's like there's someone on that other side that's just like, man, I have to do maintenance on a ransomware-as-a-service portal again. I can't believe this button broke. Like, this is someone's boring Tuesday, to also launch that worm or, you know, whatever the case may be. So for some reason that always speaks to me and to my interests as well. Yeah.
D
Boris, you are on mute.
A
Yeah, yeah, exactly. They have some horrible Teams chat as well that someone can't agree to. Yeah. So I'm glad that I'm seeing some people saying that resonates. And yes, CCL, my handle everywhere is Mr. Anthropology. That's my joke to myself that I'm not Dr. Anthropology. And I've come to peace with that finally after several years. So that's fantastic. But thank you to Hadas Kasorla, to the glorious Steve Prentice, and for all the contributions from Lauren and Sarah. I really appreciate them sending in videos. I know they're very busy and I appreciate them making the time. I guess I'll start with you, Hadas. People want to follow you in cyberspace. Is LinkedIn the best place to find you?
B
Yeah. Although I will be setting up an AI website soon.
A
Your humanized AI from Hadas Kasorla coming soon.
B
And just to know. It's Hadas Kasorla.
A
Hadas Kasorla, yes. And Steve Prentice, you are also active on LinkedIn. You've got your irons-in-the-fire metaphor. You're a busy guy, right?
D
Yeah. But you can find me. It's Steven Prentice. Just look for the person all in black. It's Stephen Prentice on LinkedIn. I'm so happy. The number of people who look to connect with me from this show, I take as a compliment. I think it's one of the modern-day compliments, when somebody says, will I connect with you, and they don't then turn around and try and sell you something in the first five seconds. You know they want to have a real relationship. So, Steven Prentice on LinkedIn, I'd love to talk to you.
A
I just want to say, if you're interested in what we're talking about and you want to get some more cybersecurity content, if you're listening to Cyber Security Headlines, also check out the other podcasts from CISO Series. We do some longer-form discussion stuff. We're always talking to interesting leaders. I get to help put those shows together, so it's really cool to get those, and that helps me get perspective that I can bring to these shows. You can find me on LinkedIn as well, just Rich Stroffolino, and you can find me at MrAnthropology on pretty much every other platform. Before we get out of here, I also want to thank our sponsor for today, who helps make the show possible: Conveyor, the number one AI for Trust Center and Security Questionnaire Automation. And a huge thank you to our audience. We had a fantastic turnout for today. I'm going to do the Romper Room in here. I see D.C. Johnson, CCL, Michael Vinding, Kevin Ferrell, the big boss man David Spark, Chris Haller in there as well, TJ Williams, a lot of our regulars and some not-so-regulars showing up, making us feel special on this five-year anniversary. So thank you all so, so much for helping make the show awesome. And remember, feedback@cisoseries.com, we love to hear from you. We want to make the show better. We do that when you let us know what's working, what's not working, what you love and what you want to hear more of. Remember, we have some plugs. Oh, yes, Steve, yes.
D
Yeah, no, I just wanted to thank David Spark. He often goes behind the scenes, doesn't say a lot, but his drive and vision make all of this possible, which is why he gets to fly the corporate jet. But, you know, he's done so much for making these shows interesting and fascinating, and just going out there and pushing them and making friends along the way. So I just want to say thank you to him for doing all this stuff.
A
Yes, the big, I call him the big boss man. But yes, he is definitely the vision of the CISO Series. We wouldn't be here without David. And he's always pushing us to make the show better as well and bring it to you. And the reason we have the consistency we have is because it was set up from day one to deliver that by David. So, yes, I will echo that as well, Steve. If you want to hear some David Spark, I would suggest listening to almost any CISO Series podcast, but specifically Super Cyber Friday, not next week but on the 5th, when our conversation will be hacking AI in meetings. That's going to be looking at how we can avoid some liability while still getting advantages from all of your AI recordings and transcriptions, and making use of those without being creepy and weird. That starts at 1pm Eastern, not next Friday, the Friday after. Then come on back for the Week in Review. That's 3:30pm each and every Friday. It's always a fun time here at the Week in Review. We have some fantastic guests coming up. We're pretty much booked out through September at this point. We're getting October going. It's going to be fun. We love seeing everybody here each and every Friday. Remember, if you're listening to this and you want to join us live, head on over to the CISO Series YouTube page or go to the events page at cisoseries.com. In the meantime, you still get your daily news fix every single day through Cyber Security Headlines, where you can hear Steve, where you can hear Hadas, where you can hear myself and Lauren and Sarah. Give us about six minutes, we'll get you all caught up. Until the next time we meet, for myself, for our glorious producer Steve Prentice, for Hadas Kasorla, for the big boss man David Spark, and all of us in the broader CISO Series organization, here's wishing you and yours a super Sparkly day. Cyber Security Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: Cyber Security Headlines
Host: CISO Series
Episode: August 22, 2025
Theme: Celebrating Five Years of Delivering Timely Cybersecurity News
This special 5th anniversary episode of Cyber Security Headlines marks five years since the podcast's inception, reflecting on key cybersecurity topics and notable stories both from the past week and the past half-decade. Host Rich Stroffolino is joined by team members Hadas Kasorla (reporter), Steve Prentice (producer/reporter), with appearances from reporters Lauren Verno and Sarah Lane (via pre-recorded messages). The team shares their commentary on recent notable security news, enduring industry challenges, and personal highlights from their years reporting on cybersecurity for the CISO Series.
"I also think that CISA...maybe lost attention because they weren't as focused. I do think however...most of my peers and I actually do pay quite a bit of attention to what CISA is doing, the things that it puts out, the recommendations it has." — Hadas Kasorla [03:25]
"No matter how much work we put into defense in depth and fortifying the networks, it's always the humans...who are the weakest links." — Steve Prentice [06:29]
"On the list of all the things to be concerned about, keep using your password manager." — Hadas Kasorla [11:23]
"The sheer action of trying to hide the truth has never worked...don't hide your mistakes. Stand up, admit them, and tell people you're going to fix this." — Steve Prentice [14:51]
"The more things change, the more they stay the same." — Hadas Kasorla [20:37]
"Always, always. Every single message that you get that wants you to do something, go back around another way to connect."
— Steve Prentice on guarding against phishing and social engineering [07:38]
"An entire company basically fell apart with the reliance on AI...I'm a little leery of our reliance on it so swiftly and lack of controls in its use."
— Hadas Kasorla on her favorite story as a cybersecurity reporter [23:30]
"Every single breach...paragraph number three is them saying, 'we take your data seriously.' Well, horse bolted, you know."
— Steve Prentice on formulaic PR responses [12:44]
"My favorite stories are not so much 'this breach happened,' but what companies or individuals do next...how it affects us and what we can do to keep ourselves safer."
— Sarah Lane, on her favorite stories [26:16]
"It's the psychology of change and the psychology of adoption of technology in the workplace...Why this constant notion of keeping our head in the sand, that it won't happen to us?"
— Steve Prentice on the Florida water plant story [36:00]
This landmark episode touches on persistent industry challenges, including social engineering, supply-chain risk, password security, and the human element, while celebrating the unique voice and camaraderie of the Cyber Security Headlines team. Reflecting on five years, the show underscores the importance of clear communication, transparency, and foundational security principles amid ever-changing threats.
Join the community and stay informed via CISOseries.com, and look forward to another five (and more) years of cybersecurity headlines and insights!