Week in Review: CISA workforce cuts, AI slopsquatting risk, CVE funding saga

Trina Ford

From the CISO series, it's cybersecurity headlines.

Rich

Major workforce cuts planned for CISA cribs exit sentinel 1 after security clearance pulled and CVE faces termination but rescued by CISA. These are some of the stories that we have selected from the past week's cybersecurity headlines. And we are now looking forward to some insight opinion and expertise from our return guest. Yes. Making her second appearance on our show, It's Trina Ford, CISO of iHeartMedia. Trina, thank you so much for joining us.

Trina Ford

Thank you for having me. I'm happy to be back.

Rich

All right, Trina, my question I ask. Well, actually regularly Rich is here and asks, but how was your week in cybersecurity?

Trina Ford

All my weeks are long, but this week has been pretty promising. We filled a few roles. We've moved.

Rich

That's always good.

Trina Ford

Yeah, we've been moving the needle in the program. It all feels really good. So this has been a good long week, but I'm happy that it's going to be. It's the weekend.

Rich

We're going to be wrapping it up soon after this show. All right. Our sponsor for today's episode is Vanta A New Way to grc. A little more about that later in the show. Hey, join us over on YouTube live. Go to cisoseries.com hit the events dropdown and look for the Cyber Security Headlines Weekend review image. It's actually a picture of Trina right there. Just click on it to join us and be sure to contribute your comments in the chat. We will do our best to address them during the show. I hope the chat room is alive right now. Now, disclaimer opinions are those of our guest, not of our workplace. We have just 20 minutes here, so let's get started on this. Major workforce cuts planned for cesa. So the agency working on plans to slash staffing and spending amid increased scrutiny from the White House, which is still chafing over what it sees as CESA's role in suppressing conservative viewpoints. Now that's a quote from the record half of its full time staff, that's 1300 people face removal along with 40% of its contractors, according to a source with direct knowledge of the dwelling developing plans. Speaking to recorded future news now, the timetable for the announcement is also not yet set, they said. All right, Trina, clearly this is not great for news given that CESA and other agencies are all pulling together to combat cyber threats that only increase in size, variation and sophistication. This is not a bloated bureau. Bureaucratic agency may ask, what do you feel this move will do really, to the cyber community as a whole? It's kind of a hit.

Trina Ford

Yeah, it is a hit. I believe that it's sending a message that most leaders, most security professionals we've been trying to more or less combat. And I think that ultimately this is going to be discouraging for some and, or most of us because CISA provides value, especially to those smaller companies and programs and organizations who don't have the access to certain resources and information that CISA provides. And.

Rich

Yeah, go ahead. That makes, you know, you bring up a really, really good point there. It's because, you know, one of the, the issues that we talk about a lot in our programming is this whole concept of living below the security poverty line. Shout out to Wendy Neither, who coined that term. And it looks like this may widen the gap of the haves and have nots and, you know, who is above and below that poverty line. What do you think, Trina?

Trina Ford

I agree. And it'll leave those that have not more exposed than they were or would have been. A lot of different companies depend on the CISA information. And not for nothing, if those have nots are exposed, if we utilize the same third parties or partners, then that leaves those that have exposed as well. So it ultimately affects the whole ecosystem.

Rich

Now, the Internet, though, is awash with cybersecurity knowledge. Couldn't this knowledge be had anywhere else?

Trina Ford

It could. And, and most of us do utilize different resources. But again, CISA kind of provides a holistic viewpoint for all of us. They provide standards, they provide guidance, they services that are free. And again, it gets down. It comes back to the need for us to have a centralized place where we can share amongst others. Yes, there's always going to be opportunities in other places and other tool solutions, other, what do you call it, programs that may come to fruition. But this one has been proven to be tried and true. And not for nothing. We need a little stability here in our cyber programs.

Rich

Agreed. CVE faces termination, then rescued by cisa. Now mitre, the organization that runs the CVE database, that's the, you know, the vulnerabilities that are out there. Announced on Wednesday that its contract would expire due to the expiration of federal funding through the Department of Homeland Security. Shortly afterwards, CISA executed the option period on the contract to ensure that there will be no lapse in critical CVE services for the next 11 months. Phew. Well, only 11 months. So given how much people in cybersecurity rely on the CVE database for tracking vulnerabilities. Although I will say people argue that you don't build your vulnerability program based on it still has its value. The withdrawal of support from the DHS does not appear to be very helpful. What would CISOs need to do if the CVE database dies away? Is it a matter of simply finding a new source of financial support or should a replacement be considered? What do you think?

Trina Ford

It would be great for us to come together and find some support, financial support for the MITRE CV program because to your point, it has been utilized heavily across a lot of the practitioners and, and companies. Now. Most of us don't put all of our eggs in one basket. To your other point, we have. We utilize threat intel, we utilize our other communities, we utilize our vendors. So we do have other options. But again, it gets back to consistency.

Rich

And continuity and one source that everybody knows.

Trina Ford

Exactly. Exactly.

Rich

Yeah. And CCL mentioned here that CISA is a coordinator. I mean, it's, you know, you need one to sort of lead the charge.

Trina Ford

Exactly. And it gets back to why CISA is this program that CISA has built and taken the time to nurture and grow is so important. Again, cyber professionals and leaders, we need some type of continuity and consistency, especially in today's climate. This is a little discouraging. And not for nothing, it makes us uneasy because what message are we really sending?

Rich

Very good point. Krebs exit Sentinel 1 after security clearance pulled and we covered the breaking news of the presidential order that revoked Krebs's security clearance last week on the show. Krebs, Chris Krebs has indeed resigned as Sentinel 1's Chief Intelligence and public policy officer, effective immediately. Describing this as a, quote, fight for democracy, for freedom of speech and for the rule of law, he said, quote, I'm prepared to give it everything I've got. Now, Krebs firing may set a precedent on how other cyber leaders and practitioners convey findings that may not be popular with the government or even with the private sector. I will also mention, like, I used to do a tech segment on a on Clear Channel Radio, and my tech segment appeared on both the liberal talk station and the conservative talk station. I always felt that tech and cybersecurity were bipartisan. Was a bipartisan topic, you know, it did not show sort of leaning one way or the other. But as a ciso, how do this make you feel? It sounds like it's that there is a bipartisan or essentially a partisan issue going on right now. What do you think?

Trina Ford

This one's a tough One, because it's less about my feelings and more about what we as CISOs live every day. This is a constant for us, the trying to find that balance, trying to do the right thing. We were hired to perform a certain role, do a certain job. Part of that is findings and risk. That is also building trust and having integrity and reporting based on facts, not our feelings, because we let feelings get in the way, it goes south. We already have a challenge, a big enough challenge, trying to find that balance and deal with all the different mandates and requirements. Look, we're not at the table yet. Some of us are, but. But for those of us who are not necessarily at the table yet, we have to almost do a dance every day to figure out what to say, how to say it, who to say it to, in hopes that we don't upset someone. And then next thing you know, it's kind of like exclusion, or they go around us because they don't want to hear what we have to say. As CISOs, those that are responsible for it, it gets back to the accountability and responsibility, but not necessarily having the authority, because if you hear your CFO say something or if you hear legal counsel say it, it's different than when you hear a CISO said they're not. They're still going to be that cfo, they're still going to have that seat at the table. But from a cyber professional perspective, the CISOs may not. And so, unfortunately, seeing what happened with Krebs, it really brought to light what we deal with on a daily. It's feelings aside, it's what we deal with. Finding that balance, knowing what to say.

Rich

And when, you know, and I see CCL kind of made a reference to this. So I heard a rumor. Let me make this clear, I heard it as a rumor that he was pushed out because customers of Sentinel One wanted him out. Now, again, let me stress that is a rumor that I've heard. But, you know, I wouldn't be surprised if this is something that does happen in cyber security where CISOs, you know, a customer doesn't like a CISO for some reason or another, or doesn't like certain employees for a reason or another and sort of demands employees leave. I don't know. Have you ever heard of this going on, Trina?

Trina Ford

Well, I haven't heard the rumor, but I can absolutely say that I have friends that are CISOs, and they have been what I'll call excluded, ostracized, and. Or next thing you know, they end up looking for a job. Whether that was forced or on their own accord. We never know.

Rich

Yeah, I mean, nobody flat out says it because if you would, then there'd be a lawsuit coming in.

Trina Ford

Exactly. Exactly.

Rich

All right, now a word from our sponsor. That would be Vanta. Let me ask you a question. Do you know the status of your compliance controls right now? And I mean like right now, this very moment. I don't mean leave the show, but just if I were to ask you right now to check it. Because we know that real time visibility is critical for security, but when it comes to our GRC programs, we actually rely on these point in time checks. But that doesn't have to be the case. More than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SoC2 and ISO2701. They also centralize key workflows like policies, access reviews and reporting. And it helps you get security done or get security questionnaires done five times faster with AI. Now that's a new way to GRC. You can actually get started with Vanta@vanta.com headlines and please, when you go to visit them, go to vanta.com headlines so they know that we sent you there. All right. Click fix Becoming a favorite among state sponsored hackers. The technique is so easy to get fooled by. Here's what it is. You arrive on a web page and this popup says to use a combination of keys like the Windows key plus 1W to prove that you are a human or to fix some fake compatibility issue. It has become prevalent in recent months. And Proofpoint is now stating that multiple state sponsored hacking groups from Iran, North Korea and Russia have been deploying over the three month period from late 2024 through the beginning of 2025. This is an escalation of sorts from simply being a tool for cyber crime groups. Trina, we are having enough trouble getting people to not fall for phishing or deep fakes or just heck, there's so many scams out there. These Windows messages along with fake captchas look so real it will be difficult for people to avoid falling for them. Any ideas on how we can stop this type of attack?

Trina Ford

It's going to get back to humanizing cyber, right? It's going to get back to education. I'll say it like I've said it before. It's going to be more about. What do you call it? Not best practices, but getting back to the basics. So at the end of the day it's going to be about training and we're going to have to use our threat intel, we're going to have to utilize our vendors and our community in order to make sure that we, we can bring awareness to our user base, to our developers, to our engineers. Because not for nothing, I know that they're tired, we can't seem to get ahead of these sophisticated new tactics or what have you and they're starting to utilize exactly what we train our people to do. We want them to be alert. We want them to, to take.

Rich

Well, I see something like this, like a potential protection again is alerting us on the source. So like for example, you know when you get an outside email or an email that doesn't come from a trusted source or a known source, you get this big colored bar at the bottom of the screen, yellow or red or whatever the color is. And they by the way, they change it over time, which has been a wise move so you don't get sort of bored of it or used to it. Maybe some kind of alert coding like this is not coming from the source it says it's coming from kind of a thing because the average person doesn't dig into the source when a captcha pops up. What do you think?

Trina Ford

Agreed. The challenge is though that captcha is meant to help protect and now captcha is being utilized to actually hurt. So again it's going to get back to our people, our security practitioners and others perform the necessary research and coming back with those kind of real life type examples to help educate our people so that they don't click or they, or they're at least aware enough and then trust but verify. There's going to be opportunities for us to also utilize some of our tools to help minimize and mitigate the potential for risk and exposure for our users. When it comes to this, I want.

Rich

To quote Michael Vinling here where he says identify or excuse me, identity will be everything. Putting it on humans to determine the origin and validity of an email on various signals will become increasingly harder and eventually impossible. I, I, I, I agree 100 on that. It you to look at your staff as the means to build your security program. You know that's an inevitable failure point right there.

Trina Ford

We'll always be behind the eight ball but unfortunately we also don't have some skill sets. The staff, we're constantly kind of evolving and trying to keep up. Yes, we absolutely should look at identity and other tools that we have. But at the end of the day when it comes down to it, it will absolutely have to be education because it spills over Right. It's not just at work, it's your personal life. So you want to educate on both sides because now we have that integration that we really try not to have with this work life balance. I'm sorry, with remote working.

Rich

Oregon Department of Environmental Quality suffers cyber attack. Now, you've heard the story before, but I'm going to bring this up because there's a reason I'm bringing it up again. All right. Or I'm going to say this type of story before. The Oregon Department of Environmental Quality, a regulatory agency that regulates the quality of air, land and water in the state, says it has found no evidence of a data breach following a cyber attack that occurred last week. Now, a spokesman for the department said vehicle inspection stations were closed on Friday and the employee emails and servers are, quote, expected to be down through the end of the week as the agency continues to check its computer system. All right, this kind of appears as a non story at first glance, but thinking back to the famous Florida water treatment plant story a couple of years ago and also that every week we report on some small town somewhere getting hacked, is there a lesson to be learned about not ignoring the small fry when it comes to collective national cybersecurity? I mean, you can kind of pick these off one by one, can't you? If you're an attacker? Trina?

Trina Ford

No, absolutely. If we start to think there's no entity that's too small to be targeted when you think about it, or useful to be protected or useful. Exactly. Because when you think about it, it's all about data. If you look at it that way, whether you're small or large, it's going to be about data. Then these threat actors have become, they're knowledgeable and they understand that we're all integrated in some way, shape or fashion. If you're a third party or if you have a third party, if you a partner or vendor, we all have access to each other's systems. And at the end of the day, if we discount the small fry, focusing on the big, I think we learned our lessons long ago that they will attack small just to target the bigger, bigger fish. So at the end of the day, it's a misconception that we can ignore the smaller companies, you know.

Rich

Yes. I mean, one at a time taken down and it essentially causes major, major ripples. As we have seen last story, AI co dependencies are a supply chain risk. Security researcher Seth Larson has coined the term slop squatting to describe a new type of software supply chain attack similar to typo Squatting. These attacks see threat actors creating malicious packages on indexes named for ones commonly made up by LLMs when generating code. For those unfamiliar with this, here's an example. If you ask an LLM to write code for a specific task, it might suggest importing a library that sounds plausible but isn't real. So basically replacing good code with bad. Now, a recent research from Socket on hallucinated software packages found that 58% of these hallucinated packages were repeated more than once. But some good news here. GPT4, Turbo and Deep Seq were able to correctly identify hallucinated packages. The model is created with over 75% accuracy. Still means we got a problem. But the good news is it's improving. All right, this is another creative technique designed to take advantage of new technology and are growing trust in it. What can engineers and developers do to avoid or combat this particular attack? Trina, what do you think?

Trina Ford

I think there's the theme here is truly awareness, right? And they have to slow down and recognize that if it seems that easy, it's not. This copy pasting, you're going to have to trust, but verify. They're going to have to put checks and balances in place. And not for nothing, they are going to have to understand that. And I'm not saying garbage in, garbage out, but garbage in, garbage out. The LLMs, they learn from us and we make stuff up as we go. So why would we think that the LLMs are not making stuff up as they go? You have to, which is all the disclaimers. You have to verify, validate, and check yourself. And when they're building these packages, when they're looking, they need to also do the same as you would on an audit side, right? You'll check, you'll trust, but verify. You'll have code reviews. And you should also take the take the perspective of least trust, don't trust it. If you don't, you know, before you use it, test it out.

Rich

And I'm going to quote, I think.

Trina Ford

That'S what they're going to let me quote.

Rich

A past guest or a frequent guest. We've had Davi Ottenheimer about the garbage in, garbage out. It's actually more, even more nuanced than that because LLMs are essentially trained by us and we all come with our own bias. So what you would train it on and what I would train it on, even though we are doing best intentions and we're trying not to put garbage in, it will be biased. And either way it comes out, it'll look fantastic, apparently. But maybe not what we need.

Trina Ford

For that matter, and not for nothing, maybe we should be training up the LLMs ourselves or AI, however you want to look at it, to check for this, for us to spot it, for us. I mean, we're going to have to get just as creative.

Rich

Very good point. All right, I want to acknowledge our fantastic crowd that has been in here. We have. I don't remember, is it Michael Vinling or Mikhail Violin? I think it's Michael Vinland. I think Michael, he goes by that even though it looks like Mikhail, the way he spells it. I also TJ Williams and ccl, all in the chat room. Even our reporter Sean was in there. Sean Kelly was in there briefly at the beginning. So thank you everybody. Please come join our live shows. Hey, I got a question for you as we wrap this up. Of the six stories we did, were there any thumbs up or eye roller stories for you, Trina?

Trina Ford

I think the crab one was an eye roller for me. I'm just over it.

Rich

Well, don't be over it. It may be the beginning of a long story that we see. And he's just the first, sadly. Who knows? We'll see. All right, where can people find you, trina? Is it LinkedIn somewhere else? Where can they find you?

Trina Ford

Yes, they can find me on LinkedIn.

Rich

Ah. And now are you hiring over there at iHeartMedia?

Trina Ford

We are absolutely hiring. If they go to our website, they will see all the positions that we.

Rich

Have available and can they reach out to you and say, hey, I was interested in this position I applied? Yes. Maybe mention that they saw you on this show or heard.

Trina Ford

If they do that, they'll get right in there.

Rich

You see the bump from the CSO series? Take advantage of it. All right, that's Trina Ford, the CSO of iHeartMedia. Thank you so much for joining us, Trina. And thank you also to our sponsor, Vanta. Vanta a new way to GRC. Remember, go to their website, vanta.com headlines. Specifically go to vanta.com headlines so they know that we sent you there. And also thank you to our audience today. We can't always get every comment on the screen, but we deeply appreciate you being here and participating. Join us next week first for our Super Cyber Friday show where our topic of discussion will be hacking your risk. An hour of critical thinking of all things you look at to find what is specifically important to you. And that's at 1pm Eastern. And then come back later in the day for another episode of Weekend Review starting at 3:30pm Eastern Time. To register to join us on YouTube and add your comments live, just go to the Events page over on CISO series.com and in the meantime, you can still get your daily fix every day through Cybersecurity Headlines. It's just six minutes, that's all it takes and you'll get your Cyber news today. There's a reason it's the most popular show on the CISO series. We love the fact that you're listening and watching. Thank you for tuning in to Cybersecurity Headlines.

Trina Ford

Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.