David Spark
From the CISO Series, it's Cybersecurity Headlines. Microsoft removes Windows 11 account bypass, security companies clash over CrushFTP CVE number, and FTC sends warning to future 23andMe buyer. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're looking forward to some insight, an opinion and expertise from our returning guest making his triumphant, I'm going to say third appearance on our show: Howard Holton, COO and industry analyst over at GigaOm. You got the three stars up here, Howard. We're thrilled to have you back. I've got to ask, before we jump into the news, how was your week in cybersecurity?
Howard Holton
I mean, it was great. The highlight of my week was the three stars.
David Spark
So it was just a solid ramp up to this moment.
Howard Holton
It was a solid ramp. Although it does beg the question, do I get a gold jacket and invited into the special bar when I hit five?
David Spark
Yeah, the Five-Timers Club. It's very exclusive. The jacket will be in the mail. We don't know what the shipping situation is going to be at this point, but at some point it'll be delivered. So, you know, in 2027 we can, we can, we can get that done. All right. Someone I'm not going to wait till 2027 to thank is our sponsor for today, and that's Qualys: de-risk your business. I'm also going to ask immediately for everybody watching us on YouTube live, just get the comments in there. We'd love to see it. I already see Max Tronic, I see CCL, I see ant zung in there as well. I'm not sure if that's German or not, but I'm just glad you're here. And if you're not joining us live, you can do so by going to CISOseries.com, look for the Week in Review, or go to our events page and look for the Week in Review image, or you just subscribe to our YouTube channel. Find us. Either way, it's always fun to see your comments in the show. Before we jump into the news, just a quick reminder that Howard's opinions are his own, not necessarily those of any employer, family, friends, vague acquaintances or clergymen. So we've got about 20 minutes. Let's jump in. First off, Microsoft removes Windows 11 account bypass. According to Bleeping Computer, Microsoft has removed the bypass_nro.command script from Windows 11 preview builds, which allowed users to bypass the requirement to use a Microsoft account when installing the operating system. The change has been introduced in the latest Windows 11 Insider Dev Preview build. This means the change will likely be coming to production. The change basically forces all users to have a Microsoft account whether they want one or not. Howard, for this story we don't have to focus on Microsoft specifically, but there is an ongoing trend for large technology players to establish a, let's generously call it a captive audience by default, thinking of things like making OneDrive the default on Windows, for example.
I'm curious, for you, is this heavy-handed approach to user loyalty as a default requirement, does this pay off? How does this rub you?
Howard Holton
I mean, it rubs me the wrong way, but in line with Microsoft and kind of big company practices. Like, you can't, it's really hard for Microsoft to do anything because they have this 50-year legacy, right? Today is their 50th anniversary, by the way, for those who haven't been following. So happy birthday, Microsoft. At the same time, you know, you carry that 50-year legacy along with you and so change is kind of hard. The writing has been on the wall. They really want all the analytics they can possibly get about everyone, and this is certainly a step towards making that easier. At the same time, it is heavy-handed when the alternative is kind of Apple or Linux. I think that is yet another nail in the coffin of, is there a viable alternative to Windows that we should be pursuing? You know, on the other hand, we also, they've also been trying to push us away from on-premise Active Directory for a long time, which should make that easier. It should integrate better with kind of corporate onboarding. Right? Put in your corporate account once and it kind of, you kind of get onboarded. So I think there's pluses and minuses. I do think though that it is, it is absolutely a sign that the trend is, we really want to own all your data. I don't like the integration of OneDrive, but that's a different kind of conversation.
David Spark
Yeah, that's a classic 90s Microsoft move there with OneDrive. But yeah, and I appreciate you giving us the nuance that this isn't purely a "hey, we're just taking away," evil corporation kind of stuff here. And CCL here comes in with: "login with MS account option is really helpful for companies with remote employees." So thank you, CCL. Appreciate sharing that. Kevin Ferrell, don't worry, you're late, but we're just through the first story. We're all good and you can always watch it in preview. So Kevin, this one is your first story. This is our second story for everybody else. Security companies clash over CrushFTP CVE number. Short version of this story is that of a critical vulnerability in the CrushFTP enterprise file transfer solution. Its developers alerted customers to the vulnerability, and five days later the vulnerability intelligence firm VulnCheck assigned a CVE number. However, CrushFTP itself rejected this number, arguing that the real CVE had been pending, and 10 days later accepted a new CVE assigned by Outpost24. So, Howard, the crux of this dispute seems to be around allowing a suitable delay to keep the vulnerability under wraps or at least unclassified, maybe to avoid malicious exploitation or perhaps bad optics. I'm curious, I know, you know, there are standard disclosure practices. How does this fall within them? There seems to be like a, I don't know, like a tension between the need to document vulnerabilities, the need not to promote them publicly, and now we're getting disputes over who gets to name it. How are we supposed to take all this?
Howard Holton
It's, it's, it, it reads to me like it's very petty. Okay, it doesn't read to me like CrushFTP is doing the right thing and predicting the right thing. It really reads like they want to control the situation and are upset that they don't get to control the situation. Like, it just reads as petty. In a, in a place where, guys, you made a mistake, work with the community, you have to open the, your arms a little bit, you have to open the, the kimono and really say, we understand, and we're just going to let it die. The fact that they decided to double down, I think, is what makes this a problem. There is always going to be that conflict. And as an industry, it'd be really great if we could say, here is what we as an industry have determined is a reasonable amount of time to correct a vulnerability before it goes public. But we all know when something goes public, all of a sudden those resources that weren't allocated to fixing it are suddenly allocated to fixing it. Right? There is very much a name-and-shame in security that does have an efficacy to it that cannot be ignored. I'm not saying that's specifically what happened in this case, but their reaction seems to be kind of petty.
David Spark
Yeah, it begs the question of, I guess, what optics win, I guess were they hoping to achieve? That's the question for me. What did you expect to achieve that? You almost certainly had to have known that this would draw some sort of like any kind of kerfuffle out of a vulnerability that you're already dealing with. I'm not sure what the, what the Optic win they were going for with this.
Howard Holton
No, that's the thing I can't see. That's why it just seems petty, because if you're going to argue over a CVE number, you're, what you're telling the entire world is our focus is not on the ball, right? You shouldn't care about the CVE number, you should care about what is the flaw and how do I remediate it. But if you literally lifted your head up to go, no, no, no, no, no, we want a different CVE number, we think we should own that differently, who cares? That's the wrong thing.
David Spark
Yeah, I mean David Peach, I was just going to call out his comment here, but yeah, like the point is one, we talk endlessly on the CISO series, whether it's defense in depth, CISO series or whatever show we got, it's all contextually based, right? Like a critical vulnerability is not critical exposure in your organization. Like that's not, there's, there's no one to one there in any way. So having it down or changed from a nine point, whatever, like whatever the changes, it shouldn't necessarily matter. It should just be how does this impact my organization? Like that that'll allow me to inform how I need to remediate it. Like that's the crazy thing. Great point, David and Howard, if you're.
Howard Holton
Focused on that score, you don't understand how the mono calculations need to work anyways. Which also makes me question, what does DevSecOps actually mean to you? How do you handle security internally? How mature is your organization when it comes to staying on top of security trends? The big conversation is, a CVE number by itself doesn't actually tell me as a CISO what the level of importance is for me. It just tells me a general indicator of what this impact is. But if I don't put that through a filter that is specific to me, my organization, my usage, it's not really useful, and it generally also has me focused on the wrong thing, which is why we're seeing this trend for this kind of layered security and things like CTEM and ASM.
David Spark
All right, next up here, kind of a follow-up on a story we've been covering. FTC sends warning to future 23andMe buyer, and yes, this is now a weekly segment here on the Week in Review. The Federal Trade Commission sent a warning to the Department of Justice that any buyer of 23andMe must honor its existing privacy policies, ensuring users remain in control of their genetic data even in bankruptcy. FTC Chair Andrew Ferguson emphasized that 23andMe has explicitly promised not to share data with insurers, employers, or law enforcement without legal orders, and that these protections extend to any new owner. Howard, you know, I joke that we've covered this story in weeks past, but it warrants another review to consider the obligations a company has in terms of data protection, really any kind of data, in the event of bankruptcy or even complete dissolution. Are you comfortable with explicit promises made by representatives of a company in this kind of position?
Howard Holton
No. Explicit promises are not legally binding on the new buyer. Right. The reality is, until the court rules one way or the other, liability is not firmly established. Even with the FTC. Right. I'm not sure, like, I'm not an attorney, so please, like, accept all this with that grain of salt, that big grain of salt. But I'm not sure the FTC can necessarily restrict that. What if the buyer is foreign and in a place that is not in the US, do we stop the sale? Like, is the FTC going to get involved? Does the FTC have that power in this administration to restrict business in that way? And is that promise legally binding? What I would say instead is, because these are question marks for me, I went and looked to make sure I didn't have any data there. Please, please, please. If you're on LinkedIn at all, there are 43 people right now that have their latest post on how to delete yourself from 23andMe. Otherwise, just Google it or ask your favorite AI agent. It'll walk you through it step by step.
David Spark
And I would also recommend, like, I am definitely keeping track of this chapter 11 that they're going through because bankruptcy filings are obtuse. But you get a look at this company, you're going to get a look at who's potentially interested in buying this. I'm interested if the FTC actually gets involved in the class, like in and of itself, like, are they involved at that level to. To supervise the sale? That'll be one of the big things for me here. Max Tronic said there has to be some sort of custodian that monitors this. I would hope that would be in the bankruptcy court. Yeah, usually that's some sort of the trustee, I would imagine.
Howard Holton
Yeah. The bankruptcy court establishes a trustee. The question actually becomes. And the trustee becomes a matter of public record. So the question would be, is that trustee someone that is equipped to deal with the nuances of a technology sale involving this kind of intellectual property? I think it also raises the question of should we allow these companies to exist? They do not exist in the public trust in any way, shape or form. Right. And this is kind of a fundamental problem with how we, with our current stance on government. Right. The government is, as of a couple months ago, I would say thoroughly exists, not in the public trust. And that is one of the purposes. So I think this whole separation of church and state that we have between business and government has a problem. When you do things like this where there is obvious value in the learning value contained within a project like 23andMe. At the same time, when it is a commercial product for commercial use, there's also enormous ethical challenges that, that frankly are going to endure as long as the data endures, far longer than the potential company endures. And I think that's something that we need to wrestle with. And we probably as a society really need to kind of step up and say I'd love to see something like the EU Commission on Privacy get involved and regulate the privacy of that sort of data as it relates to their, to EU members. Right. EU residents.
David Spark
And we'll see if we get any resolution in court coming out of this outside of the bankruptcy itself. But yeah, yeah, Howard, kind of in complete agreement with you. Before we move on to our next story, I have to spend a few moments with our sponsor for today, Qualys. Overwhelmed by noise in your cybersecurity processes? Cut through the clutter with Qualys Enterprise TruRisk Management. Quantify your cyber risk in clear financial terms and focus on what matters most. Actionable insights help you prioritize critical threats, streamline remediation and accelerate risk reduction while effectively communicating impact to stakeholders. Empower your cybersecurity strategy with tools that drive faster, smarter and more efficient risk management. Your secure future starts today with Qualys Enterprise TruRisk Management. Visit qualys.com/ETM for more information. That's Q-U-A-L-Y-S dot com slash ETM.
Howard Holton
You know what, I have to comment. The, the lady in that advertisement, she really looked like someone's going to timeout based on what she saw on that screen. Right? She kind of had her, kind of had her shoulder up, kind of had an eye up, like, yeah, you know what you did? You know what a little curve to.
David Spark
The mouth, like, not. Listen, she's assessing some risk to her enterprise and I'm just happy she's using Qualys for that, and I hope she's happy with it. Next up here, North Korea's fake worker schemes getting worse. North Korean operatives continue to land full-time IT and engineering roles, gaining deep access to enterprise networks under the guise of legitimate employment. An investigation by insider risk management company DTEX found these insiders operating in Fortune 2000 companies with privileged access to systems, remote tools and the ability to pivot into supply chain partners. Howard, these so-called individuals are often teams of North Korean agents sharing the responsibility of communicating as if they were a single employee. DTEX says forcing them to appear on video is not any kind of solution. Is there, is there no version of something akin to a Turing test that would help employers know that the person they're hiring is who they're supposed to be?
Howard Holton
It's going to get harder and harder, I'll put it that way. This is not really a new problem. Right. We've had false interviewees kind of as a problem for a long time. It's something we discuss in some of the IT management subreddits rather frequently. Right. You'll, you'll interview an outsourced consultant. They do really, really well. Then the person that shows up to the office is not that person at all. It's not even a deepfake. It is just a bait and switch, and this is just a version of that where they also add AI and deepfakes. I literally mean that in more than one way. They're using AI deepfakes to fake the image, but they are also using AI to answer questions, because the best thing you could do in the past was use canonical language, use common language to trip up someone that doesn't speak the language as their first language, because that's an easy thing. English has all kinds of methodologies, methods for that, as do other languages, where you can recognize a non-native speaker relatively easily. But with AI that's becoming harder and harder to detect. The reality is, like, even if we're a fully distributed world, maybe there is some value to paying the cost and flying someone into an office where you can meet them in person. Thus far we haven't been able to fake that one.
David Spark
Yes. The meatspace deepfakes, hopefully still some years off. Yeah. And I appreciate the insight.
Howard Holton
Yeah.
David Spark
From an IT perspective, like, that this isn't a new problem, it's just the national security implications that kind of go along with that, more so than operational efficiency. Right.
Howard Holton
Yeah. I think there are some things that maybe could be done as I, as I think about it a little bit. Like maybe Teams and Zoom and Google Meet could add some, like, network analytics as a feed, because, you know, like, if I expect this meeting to take place in the US and instead the person's connecting from a foreign nation, maybe I could get an alert. I'm not sure that would be relatively easy to implement. I'm just not sure how you would bubble that up to the user and make sure that the user had some sort of integration setting. Could be, maybe something that a BambooHR system could do on the back end through a Zoom integration, a little bit of validation or something. That way I would worry about any other validation, right? Like, show me an ID, do a validation. Because that's personal information that a prospective employer shouldn't have access to. Right. So I do think it's, it's going to get sticky, it's going to be complicated, and we do need to be extremely cautious as we move forward.
David Spark
Something else we need to be extremely cautious about: uploading secrets to GitHub. That's because GitHub expands security tools after 39 million secrets were leaked in 2024. GitHub has expanded its security tools after detecting over 39 million leaked secrets in repositories, including API keys and credentials. Despite measures like push protection, leaks persist due to developer habits and accidental exposure. To combat this, GitHub now offers standalone security products, free organization-wide secret risk assessments, enhanced push protection with bypass controls, AI-powered secret detection through Copilot, and improved detection through cloud provider partnerships. So they're just, they're giving us all the tools here. Users are advised to enable push protection, avoid hard-coded secrets, which I'm pretty sure has been standing advice for, I don't know, 20, like, as long as the ability to hard-code secrets has existed, and use secure storage methods. So Howard, given how much we've heard about exploitations and lapses through GitHub, obviously not a new problem, what do you think about these new initiatives?
Howard Holton
I mean, fingers in a dam.
David Spark
Okay, wow.
Howard Holton
There's only so much you can do to compensate for bad human behavior, right? The reality is DevOps still has Sec in it. It's just a null value. We need to stop having security as a null value. And some of that is developers, for sure. But also people are motivated by the easiest path they're allowed to take. And if the path your employer allows you to take violates common security practices because they don't reward you for them and they don't care, then you're likely to do it. Right. Organizations need to care and they need to accept the cost of the friction. Security is just friction. And so when we're, when we're pushing everyone for commits and we're measuring commits as though that is a metric that, that defines a good software developer versus a bad software developer, this is the kind of behavior you get. You get shortcuts, you get these misses, and these misses can cost a lot of money. And I kind of think we need to not only hold the developers responsible, but we need to hold their leadership, their managers, all the way up until we find the manager that goes, no, no, no, no, no. I have it in writing. Have it in writing. I specified you had to do this. All the people below me are now going to suffer for it, and middle management is going to be clearanced.
David Spark
Yeah. So fingers in the dam, meaning GitHub is far too late. Like this. This is. It's not even shifting left. It's like we need to move to the start. Like this needs to come completely from the top down and enforce that. Like. Like you were saying. Ex. Like work that mandate, I guess that friction, in at an organizational level, because by the time. What's that?
Howard Holton
Because. Because it's in every organization.
David Spark
Yeah.
Howard Holton
This is not GitHub enabling secrets to be released that were protected. This is people embedding secrets again in the repositories that they have been told dozens and dozens and dozens of times for dozens and dozens of years not to do. And we're still doing it. Right. This is less of a GitHub flaw. This isn't a GitHub flaw really at all, versus a user flaw. They just happen to be using GitHub. This is the same problem.
David Spark
An instantiation of bad. Oh God, I had the perfect time. But yeah, bad. The effect of bad incentives, misaligned incentives. And GitHub is just the end of the funnel for those.
Howard Holton
I don't even know that it's possible. But what I would love is I'd love GitHub to. Instead of adding a bunch of new tools, they add a tracker on the back end that effectively penalizes you for every secret found in one of your repositories that doesn't follow best practices. GitHub forces you to follow best practices or they penalize you $1,000 per day or $10,000 per day or $1,000 per repo or $1,000 per line of code. Something so egregious you either have to get off their platform or do the smart thing and actually protect your organization.
David Spark
GitHub will find you if you don't protect your organization. Is kind of the most brilliant advice.
Howard Holton
Just create a new user account level where the subscription for the user account level involves the ability to violate common security practices and it's $1,099 a day, you know what I mean? And so we were just conducting an internal audit to make sure that you're properly licensed against GitHub's EULA and we found that you weren't. And so here's your new license agreement. It's going to be $375,000 this week. Would you like to correct the behavior or would you like to pay the $375,000? We don't really care.
David Spark
Microsoft, Satya, I'm just saying this is a great new revenue stream. Happy 50th, and let's make some money here and make some organizations secure.
Howard Holton
You don't even have to give me a revenue share. You can have it for free. Happy birthday.
David Spark
Our last story here. We're shifting from Microsoft to Google. Google DeepMind unveils framework to exploit AI's cyber weaknesses. Google DeepMind developed a new AI evaluation framework to identify weaknesses in adversarial AI attacks, helping cybersecurity defenders prioritize their strategies. After analyzing more than 12,000 AI-driven cyber attacks, they found existing AI security frameworks to be inconsistent and ineffective, providing defenders with crucial points to break attack chains. So, Howard, eternal game of cat and mouse in cybersecurity. New tools are out there. We need to find new ways to disrupt them or protect ourselves, build resilience. Do you see any differences in this era as compared to the pre-AI era in terms of keeping up with adversaries and adversarial AI?
Howard Holton
Yes and no. Yes, there are some, definitely some new areas, because these are new attack methodologies, kind of. They're a layer of attack. They're, they're a layer of methodology that is new, but the methodology is still the same. You know what I mean? They're tools designed to increase the efficacy. I haven't really seen new attacks necessarily. Doesn't mean they're not there. And the power of AI is you have something that is far more dynamic than anything we've ever had before at our fingertips. So it does make it harder to detect. Right? Like, I can no longer use the poor phrasing of the phrase as a method, because it can write perfectly no matter how bad your writing is. Matter of fact, it's a really good use case for AI. Right? If you're dyslexic, as an example. Really good use case. However, for every, for every good use case, there is an equally powerful evil use case. I love to see Google doing this. I actually think I'd like to see it expanded. Right. If they're, if they're good at this, then give me something I can turn internally as well to test my AI for weaknesses. Like, when I first read the headline, I thought this could go either way and be equally useful. Right. We need red team, we need blue team, we need, we need a massive amount of tools. Because the biggest issue that I see isn't just attackers are now leveraging AI and really changing that dynamic substantially. But also we're trying to move business forward with AI and we're opening enormous sources of risk that the executives making the decision simply aren't aware of. I'm an executive making the decision. I'm fairly aware I'm not aware of all of the risks. Right. And I like to think that, you know, if you stack rank me against the massive number of executives in the 330 million companies that exist in the world, I'd be ranked in the top 1%. But, you know, there's a ton of people between me and the perfect, and the level of perfection. Yeah.
David Spark
And it's. That's like that. Yeah. That ecosystem of whether, you know, you want to say frameworks or security tooling, just methodologies, I guess. Like we're still trying to wrap our head around what those look like and it's those areas of inefficiency, really. And to your point of being someone extremely informed of this, being aware of these risks and knowing that there's still a lot out there that you just don't have the tooling methodologies, what have you, processes to kind of stay on top of. Yeah, we're definitely in the awkward teen years of AI adoption. And it just turns out everybody can do it at the same time.
Howard Holton
I mean, if we're in the awkward teen years of AI adoption, where are we in cybersecurity? Because it kind of feels the same way. You know what I mean? It doesn't feel like we've really promoted beyond the awkward teen years in cyber either.
David Spark
We're in. Yeah. The 40 year old man child face of cyber security. Right. We're still living with mom and dad. Right.
Howard Holton
We're in the 40 year old adolescence where, you know.
David Spark
Yes.
Howard Holton
Like we got divorced, we had to come back home, we only see the kids once a week and we're trying to date again and oh my God, this is awful.
David Spark
We shouldn't have let Judd Apatow direct cybersecurity. It turns out that was a mistake. If we could do it over again. We can't.
Howard Holton
All right.
David Spark
Before we get out of here, I want to give a big thank you to everybody in our chat. I see apple pie alibi with a phenomenal name just showing up, dropping some knowledge. CCL, one of our regulars, always having fun in there. Kevin Farrell, showing up late, but making up for it in strength. Big boss man, David Spark, of course, in there as well. Max Tronick. If I'm leaving anybody out, David Peach with this great comment. Thank you so much to everyone helping make this show better. Before we get out of here, for you, Howard, you also had a couple good comments. What was one story this week in our rundown or just in the news of the week that was a thumbs up or an eye-roller for you, something you reacted strongly to?
Howard Holton
I mean, when you sent me the headlines and I read that CrushFTP one, because I hadn't seen it elsewhere, it's not the kind of thing that I would focus on, I literally rolled my eyes. I was like, I can't believe in 2025, with everything that's going on in the darkest timeline, that someone decided that is how they want to be immortalized on video as a headline of the week. Like, of everything. Really? That's where you're gonna go? Okay. I'm also an analyst, and so a lot. A lot of times the feedback I get is equally ridiculous. Like, what is your feedback? Well, we should be all fives. Okay, that's helpful. Thank you.
David Spark
Cool.
Howard Holton
Yeah. I thought we were all adults. I guess we're not. I don't, you know.
David Spark
Well, you're an adult on the cyberspace, Howard. Where can people find you on there if they're so inclined to keep up with what you're doing?
Howard Holton
If you want to have a good laugh, follow me on LinkedIn.
David Spark
I can. I can highly vouch for Howard's LinkedIn presence.
Howard Holton
Otherwise, I'm kind of everywhere. I started traveling the second week of January, and I won't stop until mid-July at this. This point. And I'm sure by mid-July I'll be scheduled all the way through the rest of the year. I'm at every kind of major conference, and if you're curious about meeting me in person, I do try to post on LinkedIn where I'll be. Next week I'm in Chicago and at Google Next. The week after that I'm in Amsterdam and then a few other places in Europe. I'll be in London this year and, like I said, kind of at every major conference. If you want to set up time with me at RSA, I've got some slots available. I'd love to meet some, you know, nice down-to-earth folks that appreciate what I have to say and have some nice things to say themselves, especially. Who is that in the chat? It's CCL. CCL seems to be super. And Apple Pie Alibi. I'd love to meet CCL and Apple Pie Alibi in person. I don't know who they are, but they sound like, they seem like awesome, connected folks.
David Spark
Absolutely. Yes. We have some cool people in the chat. So yeah, if you can meet up with Howard, or you're just in an airport lounge, maybe you'll have a chance to find him in there as well. So thank you so much, Howard Holton, COO and industry analyst over at GigaOm. Just always a pleasure to have you on. We will not wait too long to have you on for your fourth appearance on this show. Truly appreciate it. Thank you so much. And thanks also to our sponsor for today, Qualys: de-risk your business. And thank you again to our audience. Again, we can't always get everything up on the screen, but we love seeing you here. We love seeing you participate. Having a good time on a Friday, that's what it's all about. Remember to please join us next week. First, we're going to have Super Cyber Friday, where our topic of discussion will be hacking social engineering, an hour of critical thinking about how a lack of controls is setting us up for financial loss. I will be hosting that. That's at 1:00pm Eastern. And then you can come back later that day for another thing, I'll be hosting the Week in Review, this very show, starting at 3:30pm Eastern as it was today. And as always, to register for any one of those, you can head on over to the events page at cisoseries.com, and why don't you just subscribe to our YouTube channel while you're at it. In the meantime, you still get your daily news fix every single day through Cybersecurity Headlines. Give us about six minutes, we'll get you all caught up. Until the next time we meet. For myself, for Howard, for our producer, Steve Prentice, for the big boss man, David Spark, and all of us here at the CISO Series family, here's wishing you and yours to have a super sparkly day. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Week in Review Summary
Episode: Week in Review: Microsoft’s Account Bypass, CrushFTP CVE Clash, 23andMe Warning
Release Date: April 4, 2025
Host: David Spark
Guest: Howard Holton, COO and Industry Analyst at Gigaom
Overview:
The episode kicks off with Microsoft addressing a significant change in its Windows 11 installation process. According to Bleeping Computer, Microsoft has removed the bypass_nro.command script from the Windows 11 preview builds. This script previously allowed users to avoid using a Microsoft account during installation. The removal signifies that future production builds will mandate the use of a Microsoft account, regardless of user preference.
Discussion & Insights: Howard Holton discusses the broader implications of Microsoft's move, highlighting a trend among large tech companies to create a "captive audience" by making certain services the default. He notes that while this strategy can enhance user data analytics and streamline corporate onboarding, it also raises concerns about data ownership and user autonomy.
Notable Quotes:
Conclusion: While Microsoft's decision may streamline certain processes for both individual and corporate users, it underscores the ongoing debate about data ownership and the balance between convenience and privacy.
Overview: The second story centers on a dispute surrounding a CVE (Common Vulnerabilities and Exposures) identifier for a critical vulnerability in CrushFTP's enterprise file transfer solution. After CrushFTP's developers alerted customers to the vulnerability, VulnCheck assigned a CVE number five days later. However, CrushFTP initially rejected this number, citing a pending official CVE assignment, before eventually accepting a new CVE from Outpost24 ten days later.
Discussion & Insights: Howard Holton characterizes the dispute as "petty," emphasizing that the primary focus should be on addressing the vulnerability rather than contesting CVE assignments. He advocates for standardized disclosure practices that prioritize remediation over nomenclature battles.
Notable Quotes:
Conclusion: The clash over the CVE number highlights the tension between vulnerability disclosure and organizational reputation management. Holton urges the industry to adopt more collaborative and standardized approaches to vulnerability management.
Overview: The Federal Trade Commission (FTC) has issued a warning regarding the potential acquisition of 23andMe. The FTC emphasized that any buyer must honor 23andMe's existing privacy policies, ensuring that users retain control over their genetic data even in the event of bankruptcy. This move aims to protect users from having their genetic information shared with insurers, employers, or law enforcement without legal orders.
Discussion & Insights: Howard Holton expresses skepticism about the enforceability of these promises, questioning whether they are legally binding for future owners, especially foreign entities. He underscores the challenges in ensuring data protection continuity during corporate transitions like bankruptcy.
Notable Quotes:
Conclusion: The FTC's intervention aims to safeguard user data during ownership changes, but Holton raises concerns about the practicality and enforceability of these protections. He suggests that broader regulatory frameworks, akin to the EU's privacy commissions, may be necessary to ensure lasting data security.
Overview: North Korean operatives are increasingly infiltrating Fortune 2000 companies by posing as full-time IT and engineering employees. These insiders gain privileged access to enterprise networks, enabling them to infiltrate supply chains and execute malicious activities. DTEX, an insider risk management company, has found that these operatives often present as teams to mimic legitimate employees.
Discussion & Insights: Howard Holton highlights the sophistication of these infiltration tactics, noting the use of AI and deepfakes to convincingly mimic legitimate employees. He suggests that traditional verification methods are becoming less effective and advocates for enhanced validation processes, such as in-person meetings or advanced network analytics to detect anomalies.
Notable Quotes:
Conclusion: As North Korean cyber espionage techniques evolve, organizations must adopt more robust and innovative verification and monitoring strategies to counteract these sophisticated infiltration methods.
Overview: GitHub has responded to the revelation that over 39 million secrets, including API keys and credentials, were leaked in repositories throughout 2024. In response, GitHub has enhanced its security offerings by introducing standalone security products, organization-wide secret risk assessments, improved push protection with bypass controls, AI-powered secret detection through Copilot, and better detection capabilities via cloud provider partnerships.
Discussion & Insights: Howard Holton criticizes GitHub's reactive measures as insufficient, stating that the core issue lies in organizational practices and developer incentives. He argues that without top-down enforcement and proper security culture, technical solutions alone cannot prevent secret leakage.
Notable Quotes:
Conclusion: While GitHub’s expanded security tools are a step in the right direction, Holton emphasizes the need for organizational changes, including better incentives and enforced security practices, to effectively mitigate the risk of secret leaks.
Overview: Google DeepMind has introduced a new AI evaluation framework designed to identify and analyze weaknesses in adversarial AI attacks. By examining over 12,000 AI-driven cyber attacks, the framework aims to help cybersecurity defenders prioritize and strengthen their defensive strategies against evolving AI threats.
Discussion & Insights: Howard Holton discusses the dual-edged nature of AI advancements in cybersecurity. While tools like DeepMind’s framework enhance defensive capabilities, they also empower adversaries with more sophisticated attack methodologies. He underscores the importance of developing comprehensive red and blue team strategies and the urgent need for executives to stay informed about AI-related risks.
Notable Quotes:
Conclusion: DeepMind’s framework represents a significant advancement in understanding and countering AI-driven cyber threats. However, Holton warns that the cybersecurity industry must evolve rapidly to keep pace with these advancements, emphasizing the need for robust frameworks and informed leadership.
Audience Engagement: The episode concludes with acknowledgments to audience members participating via live comments. Howard Holton shares his frustration with certain recurring stories, particularly the CrushFTP CVE issue, reflecting on the industry's maturity in handling security challenges.
Notable Quotes:
Conclusion: Host David Spark extends gratitude to the listeners and sponsors, highlighting upcoming episodes and encouraging continued engagement through various platforms. The episode underscores the persistent challenges in cybersecurity, emphasizing the need for ongoing adaptation and community collaboration.
Key Takeaways:
For more in-depth discussions and daily cybersecurity updates, visit CISOseries.com and subscribe to the CISO Series YouTube channel.