Rich Strofolino
From the CISO Series, it's Cybersecurity Headlines. Vishing attack smacks Zach from Hack Club, Google strikes back. DeepSeek's peak week includes a leaked week, and Ponemon shares ransomware despair. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're looking forward to some insight, opinion and expertise from our returning guest. Making her second appearance, Alexandra Landegger, global head of cybersecurity and transformation over at RTX. Alexandra, it's been about two years since you've been on the show. Thanks so much for coming back. I gotta ask, how was your week in cybersecurity?
Alexandra Landegger
You know, I saw a meme earlier this week that said, "I hear it's already January 54th," and man, that could not be more accurate.
Rich Strofolino
It's the most 2020 time of the year, truly, for all of us. Well, thank you, Alexandra, for being here. Hopefully we can get you through January. You'll be almost on the other side by the end of the show, so looking forward to that. Also looking forward to thanking our sponsor for today, that is Conveyor, and they want you to meet Sue, the first AI agent for customer trust. Remember, you can join us on YouTube live. To do so, go to cisoseries.com, hit the events dropdown and look for the Cybersecurity Headlines Week in Review image. If you join us, you can join in our chat. I have CCL, I have Kevin Farrell, I have of course the big boss man David Spark in there. We've had some lively conversations of late. We want to have more of them, and that means you need to join us. Get in on the live chat, please. It's a lot of fun. Before we get into the news, I have to just remind everybody that Alexandra's opinions are her own, not necessarily those of her employer, friends, family or other affiliates. We've got about 20 minutes though, so let's get it started. First up here, Google responds to Zach from Hack Club's vishing attack. Last week, Zach Latta, the founder of Hack Club, a nonprofit network of computer science and coding clubs, published details about a sophisticated phishing attack that saw attackers pose as the Google Workspace team claiming to investigate a suspicious login attempt overseas. Pretty standard kind of phishing attempt here, but it got around a lot of the hurdles. The call came in from a genuine number associated with Google Assistant, caller ID said Google. Latta asked for further proof, that's not good enough. And then the attackers complied with what appeared to be access to a Workspace g.co subdomain, and that was used to create an account for Latta to send the password reset. So that's kind of how they got around a lot of that. But Alexandra, Latta said this attack gets around the two fundamental best practices for identity verification.
Although Google said it's now hardened its defenses against abusers leveraging g.co references at signup, this shows the constant ability of threat actors to find weaknesses everywhere. I'm curious what goes through your mind when you see stories like this.
Alexandra Landegger
When I first saw this story, it actually brought me back to childhood, where my mom, a single mom, told me occasionally a grandparent or a friend or someone might pick me up from school, and we had a code word that would let me know that it was okay to trust that person and get in their car or whatever it was. And we can't always go analog like that. We have to be able to trust people in the workspace. We have to be able to decipher what is real. What can we trust, what can't we trust? And so in a weird way, this brought me back to decades ago, figuring out how do we replicate that kind of trust in the workspace, where we can make sure that, again, here we saw a couple of examples where people were skeptical, they tried to ensure they could trust, and yet things happened. And so what is that balance of sort of technical to personal soft controls that we can put into place to make sure that we can truly trust whatever we're providing access to?
Rich Strofolino
Yeah, and I think that's obviously becoming more and more critical as we're seeing, you know, more sophisticated deepfakes and that kind of stuff. And the good news is it's happening, I feel like, just slow enough that we can still have these conversations before the "nothing means anything" deepfake apocalypse hits us here. But I found this was a really good reminder to, one, always trust the smell test when it comes to these kinds of things. And yeah, thinking about those kinds of soft and hard controls in combination.
Alexandra Landegger
Yeah, it's interesting too because, I mean, we've seen a number of these phishing attacks across the industry here. And how do we train our executives to be skeptical? It's one thing if you're in cyber, we are all bred this way. But when you're talking to someone in finance or in HR or in legal, you know, how do you make sure that they recognize where things might be going wrong and where to speak up and where to ask for help and how to ask for help along the way.
Rich Strofolino
All right, our next story here. One of the big stories this week, DeepSeek's peak week. The world was taken seemingly by surprise this week with the release of DeepSeek's R1 reasoning model built in China. Nvidia reportedly lost $589 billion in market value on that day. If you do the math, that's $6.8 million per second, the largest single day loss for any company in history. It just shows how shocked the market was by the news. So, Alexandra, lots to look at here. The fact that DeepSeek seemingly cost a fraction of what other LLM models cost to create, an exposed database discovered by Wiz, them shutting down registrations due to what they're saying was a massive cyber attack, the US Navy banning its use because, you know, China. I'm curious, what's your take on this?
Alexandra Landegger
This one, I think, is an amazing story. And the speed that it picked up, I think, is part of what makes it so interesting, in that we didn't have time to digest what was facts, what is feelings, what is assumptions, before we start having to make decisions. Figure out, do we default deny, do we default allow? That starts becoming some of the big conversations in cyber and IT executive suites right now, where it's like, can we trust something up front and then do the research and figure out whether we're going to allow it or disallow it like the Navy did? Or do we get in the way of potential innovation? Do we get in the way of what our employees need access to, to do their jobs, to give ourselves the time and space to really understand what's going on here? The whole financial angle as well, I think, is part of what spun up a lot more interest in this one because it affected a lot of people's pocketbooks. It affected a lot of people's feelings given some of the geopolitical tensions right now. So across the board, this hit every angle of our lives.
Rich Strofolino
I think, yeah, a half a trillion dollars will do that to some people. The interesting thing, I think, about this, though, is from an organizational perspective, right, people trying to bring in these tools and people wanting to try this out. I think that the good news is we've already had the field test for this, right, with ChatGPT, you know, over the last two years, essentially, and organizations being like, one, we should all be familiar with adapting to new technologies, albeit this one has extremely low friction, extremely, potentially high value. But we've kind of run this drill before. The stakes maybe are a little bit different. OpenAI having your data or Google or Microsoft having your data versus potentially on a server that the Chinese government has access to, depending on your organization, that's a much different risk proposition. But I feel like we've already had the fire drill for this kind of stuff. And as we're going to be probably seeing more and more of these, hopefully that becomes much more reflexive for organizations. Right?
Alexandra Landegger
That's exactly right. Sometimes when you look at incident response, there's a reason that we take the time to document a plan before we're in crisis mode. So how can we leverage moments like this one to pause, reflect, okay, what are the types of decisions we need to make when new technology comes out? What are the guiding principles? Who has the authority to make these types of decisions? How do we make it sort of standard work and not yet another ad hoc firefighting effort?
Rich Strofolino
All right, next up here, most ransomware victims shut down operations, according to Ponemon. A new report from the Ponemon Institute found that 58% of organizations hit by ransomware last year were forced to shut down operations as part of their recovery process. They didn't close up shop, but they needed to shut down for recovery. That's up from 45% of victims in 2021. The report also found organizations seeing significant revenue loss due to an attack, up from 22% to 40% in the same span, while those experiencing brand damage also increased. Alexandra, the report also said that recovery times and costs are improving, at least for those who. So it's not all doom and gloom here. But significantly, of those who paid a ransom, 32% said attackers demanded further payment or tried to keep the negotiations going in some way. Not encouraging news for any organization as they maintain their cyber response strategy. Do you have any guidance or encouraging findings from this report that stood out to you?
Alexandra Landegger
So, I mean, I think ransomware hit the headlines a number of years ago now. It's still one of the top ways that we see attacks happen. And really, I think one of the good things that we're seeing is fewer people are paying ransoms, which reduces it. Ransomware works because people pay. And so there's a whole business here. And so the more that we are seeing the decrease in people paying, I think that's a good thing. But really, some of the key actions I think that have helped us make some of this progress, and obviously we need to double down on because we're not where we want to be yet: exercises are so crucial. Get into a room with your senior executives before this happens. Understand how you want to make decisions together as a company, what your risk tolerance is. And the other big one is having a trusted law firm on retainer. You do not have time to negotiate agreements while you're in the heat of the moment. And these firms have, you know, great relationships with all sorts of actors that can help you work your way through these types of events as well.
Rich Strofolino
All right, well, before we move on to our next story, we have to spend a few moments and talk about our sponsor for today, Conveyor. Let me guess, another security questionnaire just landed in your inbox, which means all the follow up tasks you don't have time for are close behind. What are you going to do? Well, here's a better question: what would Sue do? Sue is Conveyor's new AI agent for customer trust. She handles the entire security review process, like answering every customer request from sales, completing every questionnaire, or executing every communications and coordination task in between. No more manual work, just a quick review when she's done. Ready to let Sue take the reins? Learn more at conveyor.com, that's C O N V E Y O R dot com. Our next story here, Edge rolls out scareware protections. Those pesky pop ups that claim to have detected a virus and which offer a download of a free antivirus software are the type of scareware that is annoying at a minimum, but also a trap for those who fall for it. I know at one point on my parents' PC it was tough to open a browser tab, let me say that. The last preview of Microsoft's Edge browser, though, introduced a new opt in scareware blocker feature. This uses locally running computer vision to compare sites against known scareware sites, and it's looking for similarities. If it detects a malicious site, it automatically exits full screen mode, stops any media or audio playing from the page, and gives users the option to report the site to Microsoft. Of course, Windows already offers some scareware protections. There's Defender SmartScreen, but this only works for already flagged sites. The novelty here is that this can work for net new stuff. I'm curious, Alexandra, do you feel that this new feature will be useful in a company environment? Maybe more importantly, do you feel people will actually pay attention to the warnings that they get from these kinds of things?
Alexandra Landegger
You know, my team rolls their eyes when I say this, but I truly believe cybersecurity can be home to anyone. Right? You know, we've got engineers, we've got communications backgrounds, but the thing that I'm really excited to see more and more of are people with psychology degrees, because this story is exactly psychology at play in terms of how we drive the right human behaviors here. When you see a big pop up, what are you doing with it? Does it get you to say yes or no? How do you have people, again, sort of build that skepticism? How do you teach them what's good, what's bad, but also they can't have your epiphany, they have to have their own. And so if you tell them, hey, this is a dangerous site, do you still want to proceed? You know, at some points that will be helpful. But the way you phrase it, the way you show it, I think is huge here. The whole idea of it being an opt in feature as well, I think is again another sort of fascinating element of the psychology here. There's a lot of features we roll out that are opt out. What made this one opt in? I'd be very curious to understand the decision there.
Rich Strofolino
I do wonder if some of that is related to maybe the ML hardware that it needs. That might be enough of a roadblock, they don't want to turn it on for everybody and have it not run well or anything like that. But CCL in the chat has some concerns that a lot of tech support folks would lose their job because of this. I'm gonna make the classic, you know, AI argument that we hear, that, I don't know, I feel like that's the low level stuff, the rolling my eyes, yeah, it's playing an annoying sound, don't click on it, yada yada. And maybe give space to elevate the things that they can deal with. Now, does that require fewer people? Like, those are above my pay grade questions. But I mean, always, I guess maybe a more industry wide concern. Alexandra, you seemed like you had a reaction there.
Alexandra Landegger
I mean, I have many reactions.
Rich Strofolino
Are you worried about things like that or is that just like technology is always changing, we always are getting new tools. Like we will need security people and help desk people, regardless of this feature or not.
Alexandra Landegger
I mean, no matter what, there will always be more needs. Right? As technology evolves, the jobs evolve. And so as long as you're someone that is willing to evolve your skill set and flex and grow into new spaces, I mean, there's so much work out there right now. There is so much security risk out there right now, the jobs aren't going anywhere quite yet.
Rich Strofolino
I will also say, if I'm a scareware page author, this just gives me more license to be creative in my design so that I can get around it. Like, oh, I guess I can't copy and paste all my scareware anymore. I have to. Yeah, exactly. Yeah. All right, next up here, North Koreans clone open source projects to plant backdoors and steal credentials. According to SecurityScorecard's latest report, North Korea's Lazarus group carried out a large scale supply chain attack dubbed Phantom Circuit. Great job, SecurityScorecard, with the name. Embedding backdoors in cloned open source software, the campaign began in late 2024 and targeted cryptocurrency developers and tech professionals by distributing malware laced repositories on platforms like GitLab. Alexandra, four concepts we never really want to see together: cloned open source software, malware laced repositories, GitLab and, oh yeah, North Korea. This seems to raise a lot of questions about, like, the long term viability of open source when I see stuff like this. Can you walk me off the ledge here?
Alexandra Landegger
You know, today's theme, like you might. It's Friday afternoon, so if you want to play a fun drinking game, every time I say the word skepticism or trust, take a sip. I mean, this story, the last couple really, I think, how can we build trust in open source software while maintaining the right level of skepticism? How do we build the right tools to identify where we can and can't actually use these tools? Where can we trust these tools, or where do we need to be skeptical about them? How do we create the human behaviors so that people know what to do when they're looking at source code and open source available options? But ultimately, the job of cyber is not just about protecting things. It's about enabling business to operate at the speed it needs to. How do you build the right guardrails? How do you build the right behaviors? Knowledge, awareness. To me, that's the opportunity and why I'm really excited to be taking on this job right now as head of cyber strategy, because that's some of the big set of challenges that I get to solve with this position.
Rich Strofolino
Yeah, it's really interesting, that question of motivation to be secure with this kind of stuff. For the longest time, always the rap on open source, I mean, the great thing about it is there's very low barrier to entry, right? You can, hey, I can just clone this. Boom, it's on it. You know, I can start either developing them or just deploy it or stuff like that. And we're seeing security maybe requiring, you know, more of a speed bump when it comes to this. And how does that change, you know, the investment that companies want to make and individuals want to make as well into these kinds of projects, I think will be fascinating to see for years to come. Kevin Farrell: "Wait, y'all are already playing a drinking game?" Oh, it's. I promise, Kevin, it's just coffee. It's just coffee. Don't worry. Don't worry. It's a tiny coffee cup. Even if it was, there's not much you can fit in it anyway. All right, we're going to finish up today with the story from DARPA. And they're seeking to create firmware that can respond and recover from cyber attacks. Red Sea is a new project from the Defense Advanced Research Projects Agency, there's a reason we use the abbreviation, which is seeking to give networks the ability to repair themselves after a cyber attack, restoring locked files and communicating with other systems to collect forensic data. The project seeks to build new defenses into bus based computer systems, which are firmware level systems used in everything from personal computers to weapons systems and vehicles. Alexandra, you know, sounds like an interesting development. It's been described by the project leaders as a missing link. I think that's very apt. Why have we not thought about self healing networks before? Have we? What is it? Is it AI that's going to enable us to do these kinds of things more proactively? Like, why are we maybe closer to solving this?
Alexandra Landegger
I think there's a lot of amazing technology that you see come out, a lot of the times in movies, thanks to Hollywood. We see these big dreams. And I've definitely seen some TV shows talking about self healing firmware, software, et cetera. And I love this dream. I think it would be incredible. The question is, how do we get there? And I was actually really excited to see DARPA putting this out there. I know some of the partnerships that we have across the US Government that I've seen across industry. It can really help drive capability and help Hollywood go from big idea to actual reality. You know, whether it's DARPA or the NSA Collaboration Center, there's a lot of great organizations out there that are partnering up with industry and smart thinkers across academia to make some of this reality.
Rich Strofolino
Yeah. And it's one of those things where, you know, when you're thinking about firmware, I don't know what the motivation is for a company to invest in this as opposed to shiny new features, you know, advancing your AI and stuff like that. And that's where DARPA can really make a huge difference. They have this mandate. They can do the pie in the sky stuff. They can spend a couple of years and some decent chunk of change on doing this, that will have huge returns long term. But that's the kind of spend that's hard to justify in R and D when you're like, we could shave a bezel off this phone. That would probably make people a lot happier in the short term.
Alexandra Landegger
Yeah, no, that's absolutely right. We're creating the right incentive structures in the right places. That's what works here.
Rich Strofolino
Yes, absolutely. And CCL is a confident fan of DARPA, I guess. I can't say he's wrong. DARPA, keep up the DARPA-ing good stuff there. Before we get out of here, Alexandra, was there any story that was a thumbs up or an eye roller for you in this week of news?
Alexandra Landegger
You know, I have to say the DARPA one has my attention, and I'm excited to watch it evolve.
Rich Strofolino
Yes, it's one of those. Yeah, I want the DARPA RSS feed, like, just constantly refreshing. It'll definitely be good stuff. Yes, good stuff. More security stuff. Alexandra Landegger, the global head of cyber strategy and transformation over at RTX, thank you so, so much for returning to the show, for lending us your wisdom, your perspective. I truly, truly appreciate it. Thank you so much.
Alexandra Landegger
Well, thank you so much for the time and Happy Friday.
Rich Strofolino
Happy Friday. If people want to follow you on cyberspace, see what you are up to, where can they find that information?
Alexandra Landegger
LinkedIn would be the best spot. Always feel free to reach out and send a message.
Rich Strofolino
We will have a link to that in our show notes. Thanks also to our sponsor for today, Conveyor. Remember, they want you to meet Sue, the first AI agent for customer trust. And also thanks to our audience today. We can't always get everything up on the screen, we're busy with this drinking game. I mean, that we're not doing, totally. But we deeply appreciate you being here participating: CCL, Kevin Farrell, big boss man David Spark among those watching us live. Always, always appreciate that. Reminder, join us next Friday, February 7th for Super Cyber Friday, where our topic of discussion will be hacking security effectiveness, an hour of critical thinking about how to holistically make sure your tools are working for you. Then come back for another episode of the Week in Review that starts at 3:30pm Eastern. And to get more information and register for both, head on over to the events page at cisoseries.com. In the meantime, you can still get your daily news fix every single day through Cybersecurity Headlines. Give us about six minutes, we'll get you all caught up. Until the next time we meet, I'm Rich Strofolino, for myself, for everyone here on the CISO Series team, reminding you and yours to have a super sparkly day. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Release Date: January 31, 2025
Podcast: Cyber Security Headlines
Host: Rich Strofolino
Guest: Alexandra Landegger, Global Head of Cybersecurity and Transformation at RTX
In this episode of Cyber Security Headlines, host Rich Strofolino and returning guest Alexandra Landegger delve into the latest developments in the cybersecurity landscape. The discussion covers significant incidents such as Google's response to a sophisticated vishing attack, DeepSeek's tumultuous peak week, and the escalating costs faced by ransomware victims. Additionally, they explore advancements in browser security, supply chain attacks by North Korean groups, and DARPA's innovative project on self-healing firmware.
The episode opens with a discussion of a recent vishing attack targeting Zach Latta, founder of Hack Club. The attack involved impersonators posing as the Google Workspace team to bypass security measures.
Rich Strofolino [00:00]:
"Google responds to Zach from Hack Club's vishing attack. Last week, Zach Latta... published details about a sophisticated phishing attack..."
Alexandra Landegger [02:49]:
"When I first saw this story... we can't always go analog like that. We have to be able to trust people in the workspace... what is that balance of sort of technical to personal soft controls that we can put into place..."
Landegger emphasizes the importance of balancing technical safeguards with personal trust mechanisms to prevent such sophisticated phishing attempts. She draws parallels to childhood practices of verifying trusted individuals, highlighting the challenge of replicating this trust in digital workspaces.
The conversation shifts to DeepSeek's peak week, marked by the release of DeepSeek's R1 reasoning model in China, which led to a dramatic market reaction.
Rich Strofolino [04:25]:
"DeepSeek's peak week... Nvidia reportedly lost $589 billion in market value... the largest single day loss for any company in history."
Alexandra Landegger [05:39]:
"This is an amazing story... can we trust something up front and then do the research... how do we give ourselves the time and space to really understand what's going on here."
Landegger discusses the rapid market response and the broader implications for trust and decision-making in adopting new technologies. She underscores the necessity for organizations to develop standardized response plans to handle such unprecedented events effectively.
The next topic covers the rising impact of ransomware attacks on organizations, based on a report from the Ponemon Institute.
Rich Strofolino [08:15]:
"Most ransomware victims shut down operations, according to Ponemon... 58% of organizations hit by ransomware last year were forced to shut down operations..."
Alexandra Landegger [09:16]:
"Fewer people are paying ransoms, which reduces ransomware works because people pay... exercises are so crucial... having a trusted law firm on retainer."
Landegger provides a cautiously optimistic view, noting the decline in ransom payments as a positive trend. She advocates for regular simulation exercises and having legal support in place to enhance an organization's resilience against ransomware attacks.
The discussion then moves to Microsoft's Edge browser introducing a new opt-in scareware blocker feature.
Rich Strofolino [10:17]:
"Microsoft's Edge browser introduced a new opt-in Scareware blocker... if it detects a malicious site, it automatically exits full screen mode..."
Alexandra Landegger [12:17]:
"Cybersecurity can be home to anyone... how do you have people again sort of build that skepticism... the way you phrase it, the way you show it, I think is huge here."
Landegger highlights the psychological aspects of cybersecurity measures, stressing the importance of user behavior and perception in the effectiveness of such tools. She questions Microsoft's decision to make the feature opt-in, pondering the underlying motivations and potential user engagement.
The episode addresses the latest report from SecurityScorecard on North Korea's Lazarus group executing supply chain attacks.
Rich Strofolino [14:12]:
"North Koreans clone open source projects to plant backdoors and steal credentials... targeting cryptocurrency developers and tech professionals..."
Alexandra Landegger [15:49]:
"How can we build trust in open source software while maintaining the right level of skepticism?... creating the right guardrails... awareness."
Landegger discusses the delicate balance between leveraging open-source software and ensuring its security. She emphasizes building trust through robust verification processes and fostering a culture of skepticism to mitigate risks associated with cloned and malware-laden repositories.
The final major topic explores DARPA's new initiative, Red Sea, aimed at developing firmware capable of repairing itself after a cyber attack.
Rich Strofolino [17:02]:
"DARPA is seeking to create firmware that can respond and recover from cyber attacks... restoring locked files and collecting forensic data."
Alexandra Landegger [18:49]:
"How do we get there?... partnering up with industry and smart thinkers across academia to make some of this reality."
Landegger expresses enthusiasm for DARPA's project, acknowledging the challenges of transitioning from concept to reality. She highlights the importance of collaborative efforts between government, industry, and academia to drive the development of self-healing technologies that can enhance network resilience.
Throughout the episode, Landegger provides valuable insights into the evolving cybersecurity landscape. She emphasizes the need for:
Balancing Technical and Human Controls: Integrating both robust technical measures and fostering a culture of trust and skepticism among employees.
Standardizing Response Plans: Developing and documenting response strategies in advance to handle crises effectively.
Continuous Learning and Adaptation: Encouraging ongoing education and adaptability within cybersecurity teams to keep pace with emerging threats and technologies.
Collaborative Innovation: Leveraging partnerships across sectors to drive advancements in cybersecurity defenses and recovery mechanisms.
Alexandra Landegger [20:42]:
"The DARPA one has my attention and I'm excited to watch it evolve."
Rich Strofolino wraps up the episode by thanking Alexandra Landegger for her insights and highlighting upcoming topics, including a deep dive into hacking security effectiveness. The episode underscores the dynamic nature of cybersecurity, the importance of proactive measures, and the continuous need for innovation and collaboration to safeguard digital assets.
Cyber Security Headlines provides a comprehensive overview of the week's most pressing cybersecurity issues, enriched by expert analysis and practical insights aimed at both professionals and enthusiasts seeking to stay informed in the fast-paced world of information security.