Christina Shannon (3:58)

You know, when I think about who are the big cloud providers, right, you always think aws, you think Microsoft Azure, and then you think about their security bundlings and they're pretty mature and they're getting more mature. And then, I mean a distant third, at least for my head, is Google, right? Like in terms of organizations that are adopting and what they use. And so I think this is a really good move for Google in the sense of increasing their market share. And I think that, you know, this will Wiz is a great product. So I think adding that to their, to their cloud platform, as long as it's integrated well, I think that, you know, could give them a big boost in terms of customers.

Rich (4:39)

Yeah, it's definitely, I mean, I've been, you know, kind of following the cloud, you know, the public cloud race going back to 2015, 2016, and it's always AWS, Azure and Google and their, and their whole thing for the longest time was they were kind of one of the early pioneers in a lot of AI, like enterprise AI workloads and that kind of stuff, being very friendly to that everybody else is caught up to there. So yeah, it kind of makes sense. And I really don't feel, I don't know what the case would be for this to be seen as anti competitive when you have such a fairly, you know, I mean, three players is a diverse market when it comes to big tech these days anymore.

Christina Shannon (5:18)

I agree. Yeah.

Rich (5:20)

All right, next up here, Senate bill offers improved cybersecurity for water utilities. The bill is being reintroduced by Senators Katherine Cortez Masto of Nevada and Mike Rounds of South Dakota after previous legislation was stalled during the 118th Congress. Named the Cybersecurity for Rural Water Systems Act a little disappointed there's not a better acronym. The bill would update and expand the Department of Agriculture's circuit rider program, which provides technical assistance to rural water systems. A press release announcing the bill states that just 20% of water and wastewater systems across the US have basic cyber protections. Gulp. So, Christina, we have covered the fragility of the water system and water utilities a few times over the years. It always appears as a neglected part of our infrastructure, even though we all use water. We aim to stay away, obviously from politics on this show, but with the current administration spending a lot of time removing, repealing programs, they would say cutting red tape. Do you feel that this one has achieved chance of passing? And what if it doesn't? This is the second time they've tried to do it.

Christina Shannon (6:25)

You know, I'm cautiously optimistic. I would say that, you know, but even if it doesn't pass, I look at this as, this is like foundational in terms of when you think about what are the things that you need to protect from a cyber standpoint. Like, I look at this as like a public safety hazard, right? This right in the same category as critical infrastructure. It's, you know, think about the old incident in Florida like a few years ago, right? That could have been horrible. And so when you think, like to me it's more where it's black or white in the sense of whether it's, you know, even if it doesn't pass, you know, there should be some kind of maybe public private partnerships, maybe you bring it down to a state level and you get some legislation there I mean, this should be something that's at the top priority, you know, for at all levels of government, in my opinion.

Rich (7:16)

Yeah, it's one of those things that it's. I mean, that sound cliche, but it's so easy to take it for granted because you turn on your tap, your water's there, it's like you don't. I guess it's tough to communicate that obviously, I guess down to an individual level, that's not what's needed to necessarily pass legislation. Right. To have that public will to do. So I would hope, whether you're talking local, state, federal, there's an awareness. Right. That like water as utility is critical infrastructure. Yeah. But we definitely need to keep tabs on kind of the status of this. And then if, you know, if this doesn't come to pass, like what the local efforts are looking like, we've seen CISA trying to raise that cybersecurity poverty line for these kind of utilities for the past couple of years. What their new mandate is going to allow them to do in this space, maybe in conjunction or in the lack of this kind of legislation, will definitely be something we'll be keeping tabs on this show for sure.

Christina Shannon (8:14)

Yeah. The only thing I wanted to say is you think about workplace safety, right? And you think about OSHA and all those different regulatory bodies that come in and they make sure that all that's in line. Right. Like, I think, like, there's got to be more of that for, you know, our utilities, our critical infrastructure, you know, wherever it comes from, whether it comes from private or public. Like that to me is just, it's black or white, foundational. You got to do it.

Rich (8:37)

Yeah, yeah. Well, I just always think, I mean, especially like that old smart one that was like a remote PC dial in, you know, kind of social engine, like the threshold to get access is not perilous for someone looking to do bad. And I hope we can make progress, whether it's through this bill, whether it's, you know, whatever the effort is, I just hope that we keep that in mind of let's keep the water out.

Christina Shannon (9:01)

Agree.

Rich (9:02)

Stuart Sanstrup says turn off the water for 10 or 20 hours at the Capitol and it might get passed pretty quick. Stuart, I'm not necessarily agreeing with you, but I'm saying that does sound highly effective. Next up here, Hellcat's JIRA campaign strikes again. The Switzerland based global telecommunications provider ASCOM has confirmed a cyber attack on its IT infrastructure in which its technical ticketing system was breached. This appears to be the Work of a threat group called Hellcat, which is busy targeting JIRA servers worldwide using compromised credentials and also busy having pretty cool night. The attack went through their JIRA ticketing system, which has become a common attack method for Hellcat, who has also attacked telco companies in France and Spain. So Christina, we've seen many attacks on JIRA coming from Atlassian largely because of its value as a container of sensitive data such as project details, source code, confidential documents. Really a treasure trove of what threat actors could, could make all sorts of use of. To be fair, all high profile companies have their share of attacks. But as a security professional, what advice would you have for organizations that use JIRA specifically?

Christina Shannon (10:15)

You know, like you just said, it's, it's, that is a treasure trove for a lot of sensitive data. Right. Even intellectual property source code. Right. Like I think, you know, start with multi factor authentication. That's where I always start. And then you look at, you know, is your JIRA environment segmented appropriately? Right. Separate your JIRA environment and other sensitive environments from the rest of your corporate network. And then looking at, you know, from the standpoint of privilege access or you know, ensuring that you have least privileged controls applied and then you go to, okay, well what's, you know, what's my detection response? Right. Do I have EDR installed on these servers? There's a number of controls you could do, but I think like really it starts with, you know, do I have least privilege and do I have multi factor in place from.

Rich (11:07)

Yeah, is part of this also, I guess are organizations realizing that there's a big target on JIRA at this point? Like have we, have we hit that at least that level of saturation before? Like, because I feel like all super sound processes and steps that you're pointing out here, but until you get that buy in that this is like a priority, it's harder to do all of those things.

Christina Shannon (11:32)

I'm not sure that it's fully there yet. Right. I think that too some of that has to do with the organization structure. A lot of times, whether it's a web or sorry, whether it's a development team that uses jira and they're usually separated from the security team, the help desk, a lot of times not part of the security team. So I think a lot of it is, are these teams in silo, are they communicating with each other at the organization level? And as long as that's happening, I think you're seeing, I'm starting to see a lot more people talk about JIRA servicenow some of the ticketing systems as hey, this is that place where we're storing sensitive data and we got to protect this too. I don't think it's all the way there yet though.

Rich (12:11)

I just think Active Directory is holding up a sign just like pointing at Jira at this point. And it's just like, please don't, don't hurt me anymore. Before we move on to our next story, I have to spend a few moments with our sponsor for today, Delete Me Data brokers bypass online safety measures to sell your name, address and Social Security number to scammers. Deleteme scours the web to find and remove your private information before it gets into the wrong hands by scanning for exposed information and completing opt outs and removals. With over 100 million personal listings removed, Deleteme is your trusted privacy solution for online safety. Get 20% off your delete me plan when you go to JoinDeleteMe.com CISO and use that promo code CISO at checkout. Next up here Stalkerware Company Spy X Suffers a Data Breach Spy X is a consumer grade spyware operation described as mobile monitoring software for Android and Apple devices, ostensibly for granting parental control of a child's phone. It suffered a Data breach in June 2024, but according to TechCrunch, it has not been previously reported and there's no indication that Spy X's operators ever notified its customers or those targeted by the spyware. The breach was revealed that Spy the breach has revealed that Spy X and two other related mobile apps that were clones of Spy X had records on almost 2 million people at the time of the breach, including thousands of Apple users. Hey, you weren't left out. So Christina, Spy X probably does not like being called Stalkerware, but I got to look by maybe how it's being used here. Like many of its competitors, they do seem to end up doing maybe more than they were designed for. From a cybersecurity standpoint, it must appear as yet another attack vector. Looking at if employees are using this type of app simply for the reasons intended, such as monitoring their kids activity, I'm curious, what's your take on this?

Christina Shannon (14:14)

You know, alanis Mars said, isn't it ironic, right? That song goes through my head on this one. But I think it's, I think from a personal use standpoint I kind of get it right. I could see some use cases there where some parents want to keep tabs on their kids. Putting that in a corporation though, I think there's far more risks and benefits. I think if Companies want to do that. You got to go look at what's my acceptable use policy and probably update that. You got to start thinking about data privacy. And have you told people how you're using their data? I think there has to be a lot of governance put in place if you're going to try to use that in a corporation to make sure, A, you're thinking about data privacy, B, you're protecting this platform from a data breach because you know a lot of bad is going to happen if you have a data breach using this. As we already see, it doesn't even seem like the company tells people too.

Rich (15:14)

Yeah, I mean, I mean that's the, that's the other side of it. It's like, as CCL points out, what does the spy in the company name stand for? You know, it's kind of, it's kind of a great point. And if you're trying to pose yourself as a legitimate service, like, because I do agree there, you know, I'm not at the age where my kids have phones yet, but I'll be certainly thinking about these types of things. But then you need to be upfront, you need to be the best citizen when you have that kind of device access. I feel like the onus is on you to be a first class, transparent citizen when these kind of issues come up.

Christina Shannon (15:51)

Completely agree.

Rich (15:53)

Next up here, 23,000 repositories targeted in popular GitHub action. A supply chain attack on the widely used GitHub Action TJ action change files. I mean, you all know it. I know need to tell you about it. Compromised CICD secrets in build logs for over 23,000 repositories. Attackers hijacked a GitHub personal access token to inject malicious code that exposed secrets in publicly accessible workflow logs. Though there's no evidence the data was exfiltrated, GitHub removed and restored the repository on March 15 after eliminating the malicious commit. But the incident raised concerns about broader supply chain risks for open source projects. Always a hot topic these days, this attack highlights the risk of compromised CICD secrets and the broader vulnerabilities in open source supply chains. Christina, Given how attackers exploited a GitHub personal access token to inject malicious code, I'm curious, what steps should organizations take to better secure their CICD pipelines and minimize the impacts of similar threats?

Christina Shannon (16:53)

You know, they should just keep their secrets and clear text and their code. No, I'm kidding. I thought you said what should they not do? They should use, first off, use a key vault, basically use that to manage all your secrets, do automated rotation and then look at how are you scanning your code for vulnerabilities before you do that, commit action. That'd be another thing you could do. Then, obviously, from a defense in depth standpoint, you also still do multi factor authentication. Look at your IAM controls. Look at your EDR controls. Those are typically from top to bottom. I'd say if you look at the protect, identify, protect, detect, respond, recover controls, you should put all those around GitHub.

Rich (17:45)

Yes. That seems more and more imperative by the day for something that so many. It's the lifeblood of so much. It's hard to overstate its importance. Right. And the fact that we're just kind of starting to really, I don't know, take those controls more seriously. Again, kind of going back to JIRA and kind of where we need to position that in our organizations too. It's a little surprising, honestly, at this stage in the game. But progress is progress. Let's get better. Okay, our last story of the day here. Supply chain hack hits 100 or over 100 auto dealerships. Over 100 car dealership websites were compromised by a supply chain attack where hackers injected malicious click fix code through the LES automotive video service. The attack tricked visitors into copying and executing a malicious command, ultimately infecting them with a sectop rat remote access Trojan. Through PowerShell, researchers warned that click fix, a growing social engineering tactic, has been used for years, but there has been a surge in the technique over the past several months. So, Christina, this is another Qlik fix story. I'm curious, have you encountered this? You know, it can be easy to fool people quite easily. And I'm curious, how would a CIO or CISO train people out of getting fooled by a fake captcha run through click fix? I mean, that's our first instinct is let me get this out of the way here.

Christina Shannon (19:12)

Yeah, so I've not had it, knock on wood, right? I've not had it happen to me or, you know, organizations that I've, you know, served in CISO or CIO roles. But I think that this is one of those times where that you always hear the term it's an evolving threat landscape. But this is one of those situations or stories that makes that a true statement. Right. When you do security awareness training, most of the history or most of the past, we focus on phishing and how you teach people to spot phishing. I think that has to evolve and some products are evolving it to where you do simulated attacks with users, where you get them Used to looking at, hey, this is an irregular authentication prompt. Maybe I should think about this before I just click it or before I copy and paste malicious code. That's where I'd start from a security awareness standpoint.

Rich (20:10)

Yeah, my sympathies always go out to us poor users because I mean it really does prey on the, you know, we've gotten, we maybe let's, let's, let's for the sake of argument say we've made progress on phishing and then you get something like this where it's just that one thing that everyone just wants to get through. Like, and I agree, like there's a multi prong approach here. We can start making progress. We can, you know all the, all the classic security awareness stuff. We can do timely remediations. We can, you know, work on resilience so it's not the end of the world if, if someone does do this. But like it does feel distressingly impossible at times for the port to keep up with all this. I feel like with training we can adapt to click fix. We can know that there, you know, we can just like with fishing, we can educate and get to a high percentage of literacy on this. But it just, it feels like okay, well then we'll just move to the next chain in the pipeline and yeah, and on and on down there.

Christina Shannon (21:14)

I also, I echo. I feel bad for users, right? Like they think they're going on a safe website. They don't want to have to think about it. They just want to go do what they're trying to do and bam, right?

Rich (21:23)

They're doing the thing that the thing tells it to do and that they've done a thousand, like that's, that's, that's where it like feels, it feels rough. What does not feel rough is reading the comments from our chat because everyone is crushing it today. There's some really great stuff going back to the, to the GitHub actions. We had a really fun conversation or CCL saying always be careful using non vetted actions and make sure the tokens can only be used for limited actions. We also had apple pie alibi also solid YouTube handle on there kind of joining in that chat going back and forth. We had a great talk about, you know, Atlassian on prem stuff, maybe alluding to some details that we don't know about CCL there. I'm not going to ask any questions I don't want answers to, but this is the kind of stuff you get in our chat. You get people that know talking about these stories, sharing their perspectives helping make the show better. I truly, truly appreciate it. The other person that's helped make the show better, let me tell you, ain't this guy. It is Christina Shannon, the CIO over at Kik Consumer Products, just absolutely crushing it today. Christina, thank you so so much for your time. I truly appreciate it every time you're on.

Christina Shannon (22:34)

Thank you very much. I always enjoy having this discussion. So thank you. Rich.

Rich (22:39)

We will not hesitate to impose on you again to but until then, where can people find you on the cyberspace LinkedIn.

Christina Shannon (22:46)

That's usually where I like to hang out. Yeah, come find me there.

Rich (22:50)

Absolutely. We will have a link to that in our show notes. Or I guess you could just search for Christina Shannon. Not too difficult. Or if you're following the CISO series, you're tagged in our post about this. Why don't you go ahead and share that as well. Let people know and come to our next super Not Super Cyber Friday. Wrong Event Week in Review it's been such a busy Friday folks. Let's face it here. One thing I'm never too busy for is thanking our sponsor for today. Delete me. Take control of your personal data. Once again, huge thank you to our audience. I know we can't get always every comment up on the screen. There are some conversations happening fast and furious, but fantastic to see that. I absolutely love it. It really does help make the show better. Thank you. Thank you so much. Remember to join us next week for Super Cyber Friday. That was my tease for it by pretending like I didn't know what show this was. Where our topic of discussion will be Hacking fragmented IAM A an hour of critical thinking of how to simplify the confusion on identity management, governance and security. It's an extremely easy show title to say. That all happens at 1pm Eastern and then you can come back later in the day for another episode of the Week in Review, which is indeed the very show we are doing right now that starts at 3:30pm Eastern. To register for both, just head on over to our events page@cisoseries.com in the meantime, you still get your daily news fix every single day through cybersecurity headlines. Give us about six minutes, we'll get you all caught up. For myself, for our producer Steve Prentice, for Christina Shannon, for the big boss man David Sparkin. All of us here in the CISO series family, I am wishing you and yours to have a super sparkly day. Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.