David Spark
From the CISO Series, it's Cybersecurity Headlines. CISA officials placed on administrative leave, RNC executive tapped as National Cyber Director, and Astaroth kills 2FA. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're looking forward to some insight, opinion and expertise from our returning guest, Doug Mayer, VP and CISO over at WCG. Doug, it's been about a year since you've been on the show. We're thrilled to have you back. I gotta ask though, how was your week in cybersecurity?
Doug Mayer
It's always interesting and challenging. Definitely some interesting stories out there. There's so much going on with AI, and even with some of the government activity. It was very interesting. AI is definitely one of the biggest buzz items that we're seeing. So Gemini, for instance, the Gemini long-term memory issue that's coming up, and obviously DeepSeek is a big, big conversation. So the week is always very interesting. I wouldn't be in this role if it wasn't so.
David Spark
Exactly, exactly. It's the ultimate job security. And so Doug, we are absolutely thrilled to have you back. Can't wait to get into the news. Like you said, super interesting week. Before we do so, I have to say a quick thank you to our sponsor for today, Vanta, a new way to GRC. Remember to join us on YouTube live. To do so, you can go to cisoseries.com, hit the events drop-down and look for that old Cybersecurity Headlines Week in Review image, or if you're subscribed to us on YouTube, you can find us that way too. Either way, click on it, you can enjoy the show and you can get in on our chat. We have a lively chat that goes on. We've had some great conversations over the past couple of weeks. I already see Kevin Ferrell and the big boss man David Spark getting into it in the chat. We want to hear your thoughts. They help make the show better. So please make sure you're in there. Just a quick reminder, everyone, that Doug's opinions are his own and not necessarily those of anyone else. He's just sharing his own opinions and we are grateful for them. We've got about 20 minutes though, so let's jump into this first story here. First up, CISA officials placed on administrative leave. Several members of CISA's election security team were placed on administrative leave late last week, primarily those working on misinformation and disinformation efforts. That's according to reporting by CyberScoop. The move follows the new administration's pressure to scale back CISA's role in countering election-related falsehoods, despite the agency's past efforts to combat foreign influence and assist local elections. Former election secretary Kim Wyman warns that shutting down these efforts will hit smaller jurisdictions the hardest, leaving them more vulnerable to misinformation. Doug, no surprise here. We knew these kinds of actions were gonna be part of the new administration's priorities. They've said they wanted to scale back the mandate, or focus the mandate, of CISA.
It's difficult not to get political when talking about these types of stories, but from the perspective of cybersecurity and national security, and not just focusing on elections but taking that wider picture, I'm curious, what are your thoughts?
Doug Mayer
No, I think this is going to impact negatively across the country and at the state level, because one area that they were focusing on was election machines and elections, to make sure that misinformation is not driving anything. This was a fairly new area that started in 2017. So to back it out already, when it's probably making progress and has probably shown a difference going through a full election cycle, I think that's bad. That's some bad news for states and the federal government.
David Spark
Well, yeah, and it's one of those issues where CISA, within that wider mandate, can focus on things that might be harder to get local attention to. Again, forgetting about the politics, they deal with some fairly wonky stuff, some fairly opaque situations, talking about influence campaigns and stuff like that. That's harder, I feel, for local dollars, especially across all 50 states, to get behind. So losing that national mandate, I'm sure it will impact some of those smaller districts and municipalities very keenly.
Doug Mayer
Yep. Yeah, I think, as you've seen in the last two elections, it really gets down to the local areas, the counties. So those are going to be really impacted by this, making sure that there's no mis- or disinformation coming in. Then the social media sites are pulling back on some of their reviewing of this and misinformation in a certain way. It's going to compound.
David Spark
So yeah, we'll see what the impact of this overall, I guess you could call it rollback of content moderation prioritization, is long term. We'll see how that plays out for sure. Next up here, a peek at DeepSeek's weak security. According to researchers at AppSOC, DeepSeek's R1 large language model failed various security tests for business applications, and this largely comes down to a lack of comprehensive guardrails. They found that R1 could not prevent users from creating malware 93% of the time. They also could jailbreak away from system safeguards 91% of the time. I think that's the same failure rate I had identifying US capitals in grade school. The model showed stronger scores, though, when it came to leaking training data, failing at 1.4% of attempts. They had said a 2% failure rate is kind of acceptable, so that was one thing they could point to as positive. But overall, the researchers found it extremely easy to cause the model to hallucinate and generate toxic or potentially harmful content. So Doug, DeepSeek came at the world kind of out of the blue. It just seemed like one day that was all that was in my RSS feed. Clearly capitalizing on the momentum of LLMs generally, but also revealing how willing end users are to embrace new technologies, even without understanding what the security risks are or any kind of due diligence. Do you feel DeepSeek will be a giant killer in the marketplace, or are there any other reasons maybe for its sudden explosion in the market?
Doug Mayer
No, I don't think they're going to be killing any markets here. I think the market of AI is always going to have surprises. I think this is no surprise that a brand new to market, supposedly cheaper-run option is not fully baked. And that's probably what's happening here. But the problem is you don't know if it's going to be really fully baked. Anything typically coming out of China like this is usually a version of a version of something that's out there that needs time to mature. You've got to really see if DeepSeek becomes an enterprise option, or is it just going to be more of a public option that people need to think twice about putting their data in. Security experts out there are still leaning on guardrails being so important, and when you look at AI and look at guardrails, you have to red team them. And what the outcome of this article really explains is that what they did was they red teamed it, and it's not getting through that. It's not succeeding at those red teams and it still needs baking. So I think DeepSeek came out really quick just to make a point against the US tech companies. And that's where they're at right now. They're going to be used by negative threat actors too.
David Spark
Yeah, well it's almost like it was a productized proof of concept, right? Their whole reason for differentiation is the training costs were so much lower, and that generated so much hype around it that I feel like then everyone downloaded it, because anything that touched tech was all of a sudden talking about DeepSeek, and it kind of became a self-fulfilling cycle. The real question is how will they iterate? Will they partner with any kind of larger productivity suite outside of China to get into more business applications? Then that's where it becomes much more imperative, obviously, to make sure you're doing that red teaming and stuff like that. Right now it's kind of in the, I don't know, it's top of the app chart, let's check it out, kind of phase.
Doug Mayer
Well, just like when TikTok was going away at the end of the year, all the other apps were coming out, and they were coming from there too. So this is just another one. But I think it's good to make it competitive for ChatGPT and Gemini. Competition is always good, and China is really good at making competition and cheaper options, right? So it's no different with DeepSeek AI, right?
David Spark
Yeah. It turns out when the switching costs are zero, people will switch a lot.
Doug Mayer
Oh yeah, yeah. That's what open source is all about, right?
David Spark
Exactly. All right, well next up here, RNC executive tapped as National Cyber Director. Sean Cairncross, the RNC's chief operating officer, has been nominated to occupy the senior role in the Office of the National Cyber Director, a position that advises the President on cybersecurity matters. Cairncross has no known cybersecurity experience, but has held various roles in the current President's previous administration, as well as being the owner of a Washington, D.C. area consulting firm. So Doug, again, not taking any political sides here, but looking at this from a strategic perspective, is there merit in hiring someone from outside the industry who may be able to provide some fresh ideas, a fresh set of eyes without any kind of preconceived, baked-in experience, I guess? Or is this specific role too sensitive for such an approach?
Doug Mayer
I gotta be honest, this is like a CISO role in my mind. You really want to bring someone in who has expertise, someone who knows cyber, who can write security policy, understand security policy, understand when there's a national cyber attack or an event happening that the government needs to be aware of. You need someone who really is seasoned at that and knows how to think on their feet and advise up and manage up to the next executive level. It sounds like this is maybe more of a political move, or something to save money. I'm a little worried now. I did see that they hired a few seasoned people under this person, and that's good. But the problem is that you need a quick thinker, you need someone who knows this, who lives it, to advise closer up to the executive level. So it's very similar to what we see with CISOs and companies.
David Spark
Yeah. And I know on the CISO Series Podcast we've done episodes about, oh, do you need to be technical to be a CISO, or something like that? And certainly your job as a CISO is not necessarily to be the technical leader. It's to be a communicator. It's to have all these different stakeholders come to you and then be able to make that recommendation and communicate that to the business. My question is, yeah, it's great to have an awesome staff. It's probably good to have a good relationship also with the President. Honestly, I think when you're communicating cybersecurity stuff, personal relationships do matter, but whether you have that ability to take in all the information, synthesize it and make that outcome doesn't require deep technical knowledge necessarily, but it does require some experience, I would imagine.
Doug Mayer
Yeah, I mean the conversations with their peers are going to be dynamic, and if you don't have that experience, if you didn't grow up in it, you're going to have to go back down and pick the brains of people under you. And I don't know if that's someone you need in this position, which needs to be a faster thinker, especially with the leadership above. They pivot on a dime, right? It's very off the cuff. So if your boss is off the cuff, you need to have answers for them right away. And I think that's what's important here that we're missing, or might be missing, I don't know. This gentleman was a CEO at the RNC and has had experience in business, I don't doubt that. It seemed like he has a financial background, so he knows cost cutting. But in this role you can't be a nickel-and-dimer, and you need to be very much on top of the topic.
David Spark
And yet you don't want latency, to your point. When things are pivoting fast, you don't want latency in that decision-making process. And Kevin Farrell in our chat is making this an early vote for his eye-roll story of the week. So not being shy about telling us how he feels. I love it. We want to see more people letting us know in the chat. Before we move on to our next story, though, I have to spend a few moments with our sponsor for today, and that is Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at Vanta.com/headlines. That's V-A-N-T-A. Next up here, US adversaries increasingly turning to cybercriminals and their malware for help. According to a Google Threat Intelligence Group report, adversarial governments are increasingly leveraging cybercriminals and their tools to advance cyber espionage goals. Fueled by resource constraints and the operational demands of conflicts like the war in Ukraine, this trend is observed in China, Iran and North Korea, where state-sponsored hackers utilize malware and techniques commonly associated with cybercriminals to enhance deniability and, you know, save a pretty penny or two. Google and other cybersecurity firms warn that this growing overlap between state actors and cybercriminals poses a significant national security threat worldwide. So Doug, this mercenary concept has been a constant throughout the history of human warfare. Hey, let's throw money at the problem.
Not exactly a new idea. And in this era it's clear that organized criminal gangs are extremely good at mastering new techniques quickly, and paired with plausible deniability, I mean, who could resist? I'm curious, this is kind of a wider industry awareness story here. How does this knowledge impact your decision making as a CISO?
Doug Mayer
Oh, it really does. And I gotta be honest with you, this has been a problem for the last 20 years, right? The adversaries are much more advanced than us. Adversaries move quicker, and if they have nation states behind them, and they have more nation states getting behind them, it's going to become harder. So I'm going to be looking at vendors and suppliers that are above and beyond and understand all these threats, because it's just going to impact us as CISOs of private businesses. It's just going to impact us quicker, and we need to have third parties that understand this and respond quickly. Patching is really tough right now. Can you imagine when this is being used even further by more adversaries? It's going to be crazy. And then what's difficult is that these adversaries go after companies that have involvement in areas of interest to the nation states. So these adversaries, adding to the cybercriminals and the malware attacks, are going to compound this problem and make it more aggressive. So yeah, I don't think this is a new story. I think it's just an expanding story, and I'm always thinking about this.
David Spark
So yeah, I think it just speaks to the fact that cyber operations are almost seamlessly just an extension of any other foreign policy option, military option, however you want to frame it. Increasingly, whatever regime you have, this is how we extend power, right? And so, hey, do we need to hire a financially motivated threat actor to carry this out, and we can do it with no red tape and no paper trail or anything like that? All the better, right? So yeah, that definitely seems like the undercurrent I got from this.
Doug Mayer
Yeah, I mean North Korea has been doing this for several years, right? We know that the Sony hack and things like that have always been notorious for that. China's been doing it. Russia probably has their own staff. But this is an expanding problem. So yeah.
David Spark
All right, next up here, UK releases hurricane-grade scale for cyber attacks. The Cyber Monitoring Centre, or CMC, which is made up of cyber insurance industry figures and some cybersecurity thought leaders in the UK, say their proposed rankings, or rating system, parallel that of the Saffir-Simpson scale, which identifies the severity of hurricanes. It's not exponential, like the Richter scale for earthquakes, just a linear scale, 1 to 5. The proposed cyber attack scale was designed to rate systemic events, which is something that emanates from a single source, such as an attack on a vendor, but has significant impacts on myriad other organizations. Things like NotPetya, or maybe even potentially something like CrowdStrike. Kudos. I know they're from the UK when they use the term myriad. So, Doug, at the moment this scale focuses solely on the impact an attack would have on UK businesses, because it's just a proof of concept at this point. They're just trying to build this out. But if it were to be applied globally, do you feel it would be an effective tool for CISOs, or do you think these ratings could become too subjective?
Doug Mayer
I got to be honest, when I read this, I said this is all great for the cyber insurance industry, to help put pressure to make sure that we're doing what we're doing to reduce our rates. But I got to be honest, if you ever watch the weather and they say, this is the EU model for this storm and this is the US model for this storm, it just confuses people. And I think that this is going to be subjective. I think security organizations already have a lot of complexity between regulations and broken regulations and inconsistent regulations around the world. I think this is just going to add another number that we all go, that's great, that's a one through five. But do you know my context of the attack that I experienced through that same situation? No, they don't. I mean, we get asked all the time about CrowdStrike, and everyone responded differently. It's all about preparedness, it's all about context, it's all about what you put in place, how available and redundant you are. So that number won't mean anything to a lot of companies across the world. It's just going to be very specific to a certain industry. That's what I get worried about.
David Spark
Yeah. And I can think of other... I mean, we talk about this all the time with CVE numbers, right? Where it's like, yeah, this is a 9.8 critical. But the way we have this deployed in our organization, actually we don't need to patch; this isn't the top priority to patch, or something like that. And I think for cyber insurance, I could definitely see the application for this to be useful to that industry, but then I worry about it getting tied to things like regulations. Oh, this is a five, so some sort of regulatory requirement comes in and then, like you said, limits your ability to address a specific context. Again, I realize there are extremely complex situations you're dealing with. It's nice to have the security of the certainty of a number, right? But it almost seems like there are too many variables outside of cyber insurance. I'm hesitant to say this could be all that useful in any other kind of aspect there.
Doug Mayer
Yeah. Well, I can tell you cyber insurance is trying their best, right? They're not trying to hurt; they're trying to survive. They have ransomware attacks. They want to see what the costs are. They got costs from CrowdStrike, clearly, probably people recovering, and they're trying to survive. We've seen this. We saw them trying to use SecurityScorecard and other rating systems to say, hey, you look pretty good, you must be pretty good. By the way, do you have MFA turned on everywhere? By the way, what is your patching? How frequently are you pen testing? What does that look like and sound like? So they have this rating and it has no context. And then they try to figure out some context behind it. It just creates a lot of churn. Auditing people based on their investment is more powerful than having a grading system. And that's where I worry: they're gonna lean on 1, 2, 5. So.
David Spark
All right, well, our last story for today. Astaroth phishing kit bypasses 2FA with reverse proxy techniques. This new phishing tool has surfaced on cybercrime platforms featuring advanced techniques to bypass two-factor authentication. It uses session hijacking and real-time credential interception to compromise accounts on Gmail, Yahoo, Office 365 and other platforms, positioning itself between users and legitimate login pages to capture usernames, passwords, 2FA tokens, and session cookies. Unlike traditional phishing kits that struggle to bypass 2FA, Astaroth intercepts authentication tokens in real time, allowing attackers to hijack active sessions before any security measures can respond. Cybersecurity expert Jason Soroko warns that this approach renders 2FA ineffective, as attackers can instantly assume control of compromised accounts. So, Doug, the name Astaroth comes from ancient mythology and demonology, and he was considered the Duke of Hell. So I guess not to be concerned with the Duke, Duke, Duke of Earl. Producer Steve Prentice, everybody. Perhaps the name is appropriate, because it looks like this technology could sound the death knell for 2FA. Should we roll out the wake for 2FA? I'm curious, what's your take on this?
Doug Mayer
Oh, I think 2FA should have been killed a long time ago, because I took 2FA out of my language a long time ago. I go by MFA. Okay, and 2FA should be 6FA, because of all the... oh, I'm telling you, it's crazy. If you read the article, they do say MFA is a challenge too. But people have to truly roll out a real MFA. There has to be anomaly detection set up, about knowing where these people are, when the session is, when the tokens are used, being able to respond to something that shows a pattern of geolocation problems. Because this is all a proxy, right? That proxy will show something that is not coming from the right place. But you need to have security operations tuned and monitoring for sessions and anomalies. This is what I read about, and I see people who are using 2FA text messages, who don't understand where the device comes from, are going to have a blind spot. I think 2FA needs to go away. At any company I've been at, there's always hesitation around MFA. But this example of real MFA and real tuned-in security operations is critical here. And having this not just on Yahoo, Microsoft Office and Gmail, because Microsoft Office and Gmail are really a suite for enterprise. What about all the other front doors, and what about all the other access points? If you have that same 2FA, you're going to be compromised, and it's not just going to be your email and phishing. So I feel like this is a real big problem. But it's a bigger problem than this article let on, because it really focuses on phishing. And I'm reading articles about how Teams meetings are now compromised by just texting someone and sending them a Teams session or a Zoom session, and the tokens, the sessions, are being hijacked real quickly. All of this is about monitoring in session and response to that, and that abnormal detection is critical here.
That's the only way we're going to get around this. It's always going to be difficult to maintain advanced controls like this without having that oversight. So yeah, I like this article and I think it was really important, because, I don't know about my peers out there, I drink and speak MFA every day, right? And it's about getting away from passwords. And this here, 2FA is one step away from getting away from passwords. MFA is five steps getting away from passwords. And that's what's important to differentiate here.
David Spark
Some rich contextual MFA. So Doug, I wasn't expecting you to be the lead pallbearer in the funeral for 2FA, but I'm glad we got there. That makes me so happy. Before we get out of here, was there any story that was a thumbs up or an eye-roller for you? Seems like some potential eye-rollers out there. But what do you got for us?
Doug Mayer
I mean, I keep on coming back to AI. I think there was a big thumbs up that we're talking about DeepSeek in this session. But the same week, earlier this week, there was a story about Gemini having long-term memory problems, with how researchers were able to bypass some of the guardrails in Gemini and stick malicious content in for bots that could be used. And I think AI has a real struggle, and it's going to take a few years. So I think the article that I read from Ars Technica about Gemini was a really good thumbs up, because I think there has to be more and more attention on how AI is protected. And it can't be just positive marketing, it has to be about investment.
David Spark
So yeah, that whole conversation about just the idea that we're only starting to understand what it would take to really red team a lot of these LLMs and stuff like that, and just understanding things like, for lack of a better term, inception into an LLM like that, right? It's just a new landscape in terms of just being comfortable to even start having those conversations. But we're so gung-ho with integrating these tools, justifiably, for productivity. People want to use new technology, right? So it's interesting. It'll be fascinating to see how that matures. There'll be a lot of financial motivation to mature it very quickly. So it'll be interesting to see how that shapes up, for sure.
Doug Mayer
Yeah. And I just want to echo that. I am pro AI. I'm just pro AI done properly, and red teaming and investing in it, right, is the way to go. And there's AI for corporations that need to silo that and not in public areas. And then there's use of public AI in people's personal life that helps them. There's a need and there's a place, but it has to be done right. That's what it comes down to.
David Spark
All right, well, Doug Mayer, the VP and CISO over at WCG, bringing us just all the great takes. Truly appreciate your time, Doug. Where can people find you online, if they are so inclined?
Doug Mayer
You can pretty much find me on LinkedIn. I'm pretty active there. I like to use LinkedIn to connect with peers so we can brainstorm and share information. So I'm there pretty actively. Some of the other social media I kind of stay off of personally, but if you want to talk to me, that's definitely where you can get me.
David Spark
We'll have a link to that in our show notes, so be sure to give him a follow. Also thanks to our sponsor for today, Vanta, a new way to GRC. Also thanks to everyone that was in our audience today. We can't always get every comment up on the screen, but we deeply appreciate you taking the time, being here on Valentine's Day and participating. Remember, you can join us next week. First, we've got a loaded Friday. Next week we've got Super Cyber Friday, where our topic is going to be Hacking Metrics that Matter, an hour of critical thinking about finding what you need to measure to improve your security program. That starts at 1pm Eastern, and then you can come back for another episode of the Week in Review that starts at 3:30pm Eastern. To register for both, you can just head on over to the events page at ciso. In the meantime, you get your daily news fix every single day through Cybersecurity Headlines. Give us about six minutes, we'll get you all caught up. That's just about it for us today. For myself, for Steve Prentice, our intrepid producer, for Doug, for all of us here at the CISO Series team, here's wishing you and yours a super sparkly day.
Doug Mayer
Thank you.
David Spark
Cybersecurity Headlines is available every weekday. Head to cisoseries. for the full stories behind the headlines.
Host: CISO Series
Episode Title: Week in Review: CISA Officials Furloughed, DeepSeek’s Weak Security, Cairncross as Cyber Director
Release Date: February 14, 2025
In this episode of Cyber Security Headlines, host David Spark engages in a detailed discussion with returning guest Doug Mayer, VP and CISO at WCG. They delve into the week's pivotal cybersecurity stories, offering expert insights and analyses. The conversation spans topics from administrative changes within CISA to vulnerabilities in emerging AI technologies, providing listeners with a comprehensive overview of the current cybersecurity landscape.
The episode opens with a significant development: several members of the Cybersecurity and Infrastructure Security Agency's (CISA) election security team have been placed on administrative leave. This decision primarily affects those working on misinformation and disinformation efforts, as reported by Cyberscoop.
David Spark [02:30]: "Former election secretary Kim Wyman warns that shutting down these efforts will hit smaller jurisdictions the hardest, leaving them more vulnerable to misinformation."
Discussion: Doug Mayer expresses concern over the potential negative impacts of this move, highlighting the risks it poses to both federal and state levels. He notes, "I think this is going to impact negatively across the country and at the state level..." [03:03]. The conversation underscores the importance of CISA's role in safeguarding election integrity and the broader implications of diminishing its capacity to combat misinformation.
The discussion shifts to the vulnerabilities identified in DeepSeek's R1 large language model. Researchers from AppSec revealed that DeepSeek's R1 failed numerous security tests, notably its inability to prevent malware creation and its susceptibility to guardrail bypassing.
David Spark [04:12]: "Clearly capitalizing the momentums of LLM generally, but also revealing how willing end users are to embrace new technologies..."
Discussion: Doug Mayer assesses that DeepSeek's premature market entry without robust security measures is unlikely to dismantle existing markets. He comments, "It's no surprise that a brand new to market, supposedly cheaper ran option is not fully baked..." [05:57]. The conversation emphasizes the necessity for comprehensive security protocols in AI deployments and cautions against the rapid adoption of unvetted technologies.
Sean Cairncross, the RNC's Chief Operating Officer, has been nominated to serve as the National Cyber Director, a role that advises the President on cybersecurity matters. This nomination has sparked debate due to Cairncross's limited direct experience in cybersecurity.
David Spark [07:57]: "Not being shy about telling us how he feels. We want to hear your thoughts."
Discussion: Doug Mayer voices skepticism about appointing someone without a strong cybersecurity background to such a critical position. He asserts, "You really want to bring someone in, has expertise, someone who knows cyber..." [09:19]. The conversation highlights the importance of technical expertise in leadership roles within cybersecurity, questioning whether Cairncross's business and political experience sufficiently qualifies him for the position.
A report from Google's Threat Intelligence Group reveals that state-sponsored actors from countries like China, Iran, and North Korea are increasingly collaborating with cybercriminals to advance their espionage goals.
David Spark [14:25]: "It's about getting away from passwords. And this here, 2fa is one step away from getting away from passwords. MFA is five steps getting away from passwords."
Discussion: Doug Mayer underscores the escalating threat posed by the convergence of state and criminal cyber activities. He notes, "Adversaries are much more advanced than us. Adversaries move quicker..." [14:25]. The discussion emphasizes the need for organizations to bolster their defenses and collaborate with vendors that are proactive in addressing these sophisticated threats.
The UK Cyber Monitoring Center has introduced a new rating system for cyber attacks, modeled on the Saffir-Simpson hurricane scale. Designed to classify the severity of systemic cyber events, the scale aims to provide a standardized measure for assessing the impact of significant cyber incidents.
Doug Mayer [17:39]: "I think security team security organizations already have a lot of complexity between regulations and broken regulations and not consistent regulations around the world."
Discussion: While the initiative is lauded for its potential to aid the cyber insurance industry, Doug Mayer expresses reservations about its applicability on a global scale. He highlights concerns over subjectivity and the varying contexts of different organizations, suggesting that a one-size-fits-all approach may lack the necessary nuance [17:39].
A new phishing tool, Astaroth, has emerged, capable of circumventing two-factor authentication (2FA) through reverse proxy methods. By sitting between the victim and the legitimate login page, the tool intercepts authentication tokens in real time, rendering traditional 2FA measures ineffective against this kind of attack.
Doug Mayer [21:54]: "I think 2FA should have been killed a long time ago because I took 2FA out of my, my language a long time ago. I go up by MFA."
Discussion: Doug Mayer advocates for the adoption of multi-factor authentication (MFA) over 2FA, emphasizing the need for advanced anomaly detection and comprehensive security operations. He argues that while 2FA has its shortcomings, moving towards more robust MFA solutions can enhance security resilience [21:54]. The conversation highlights the evolving nature of phishing threats and the imperative for organizations to adapt their authentication strategies accordingly.
In his concluding remarks, Doug Mayer reflects on the overarching themes of the week, particularly the advancements and challenges in AI security.
Doug Mayer [24:30]: "I am pro AI. I'm just pro AI properly and threat teaming and investing in it."
Discussion: Doug emphasizes the dual-edged nature of AI, acknowledging its potential while cautioning against premature deployment without adequate security measures. He underscores the importance of red teaming and investment in secure AI development, advocating for a balanced approach that leverages AI's benefits while mitigating its inherent risks [24:30].
This episode of Cyber Security Headlines provides a multifaceted exploration of critical issues shaping the cybersecurity domain. From administrative shifts within federal agencies to the vulnerabilities of emerging AI technologies, host David Spark and guest Doug Mayer offer valuable perspectives that underscore the dynamic and often precarious nature of today's cybersecurity landscape. Listeners are equipped with nuanced analyses and expert opinions, enhancing their understanding of the complex challenges and trends in the field.
Find More Episodes: For full stories behind these headlines and daily updates, visit CISOseries.com.