Cyber Security Headlines: Week in Review
Episode Theme:
A roundtable conversation with security leaders Jack Kufal (CISO, Michigan Medicine) and Nick Espinosa (host, The Deep Dive) exploring the week's top security stories. Topics include the surge in student hackers targeting schools, the role of boards in cybersecurity oversight, CISA's attempt to retain control of the CVE database, industry breaches, and Microsoft’s Windows 10 support controversy. The hosts tackle the mix of policy, technology, and human factors shaping modern cyber risk.
Key Discussion Points & Insights
1. Boards’ Evolving Fiduciary Role in Cybersecurity
Timestamp: 02:07 – 05:44
- Jack Kufal highlights growing board responsibility: "Boards have a fiduciary expectation here and there's gaps, there's gaps in understanding, there's gaps in programmatics, and that really helps drive home some of those more corporate risks that sometimes get unspoken about." (02:07)
- Nick Espinosa echoes the strain on CISOs: "CISOs themselves have been pulled...we're not taking responsibility because we're not getting the budget, we don't have the manpower...there has to be a shift." (02:56) He cites the Qantas breach, where the board penalized C-level execs instead of just CISOs, as evidence of changing dynamics.
- Both discuss the lack of program continuity that results from CISOs' short average tenure (less than two years), which leads to instability and transition gaps.
- Jack: "Continuity of a program ... if the board's in on that, you start getting a little bit more of a cadence and a sequencing with a hope of continuity and maybe a little bit less than, if you will, the sacrificial CISO." (04:09)
2. Major Industry Breaches & Supply Chain Risk
Timestamp: 05:48 – 07:19
- Nick notes the worsening trend of supply chain breaches: "Every week is getting worse with supply chain hits. Right. But you think of like the high end vendor in cybersecurity and they're all declaring data breaches. Thank you, Salesforce, you know, for that." (05:59) He lists recent victims: Palo Alto Networks, Tenable, Qualys, HackerOne, CrowdStrike, and mentions the Salesloft breach impacting 760 organizations.
- Host: "That's like Log4j level of exposure here." (07:19)
3. The Increasing Prevalence of Ads & IoT Security Concerns
Timestamp: 06:53 – 07:09
- Growing annoyance over ads on smart devices (Samsung refrigerators, TVs, and Android OS). Security context: these ads can also expand the attack surface if such devices are breached.
- Nick jokes: "When I hack this thing and expose it to the world, you know, I'm not going to tell them how I did it." (07:09)
4. Trivia Break: Anthropic Claude Usage
Timestamp: 08:34 – 09:57
Fun interlude where the panel guesses which U.S. states or professions use the Claude AI most—Utah leads per capita. The surprise: anthropologists use it more than infosec analysts, prompting laughs and a brief credibility crisis.
5. UK Student Hackers & School Cyber Attacks
Timestamp: 11:20 – 16:20
- UK regulatory agencies report a surge in student-initiated school cyber attacks, often motivated by "dares"; 1 in 5 British kids (aged 10-16) has engaged in illegal online activity.
- Jack: "Part of this is also you've got a group of young adults who are expressing, albeit illegal, a certain skill set and a certain amount of creativity, and there's something there to harness and say, well, how could that actually be better used?" (11:21)
- Both panelists favor a constructive approach:
  - Engage these students, offer cybersecurity classes, bug bounties, and ethical guidance.
  - Nick: "Hire these kids. These are the ones that show some aptitude, they show some interest. We should be putting them into classes...and for the love of God, put them in morality and ethics classes." (14:28)
  - Host: "Institute school bug bounties. Right. Like, give them a chance to like, figure out what's wrong. Help us figure this out." (15:00)
- A sense of nostalgia and humor emerges as panelists recount their own youthful hacks.
6. CISA and the CVE Database – Funding, Control, and Global Importance
Timestamp: 17:50 – 24:32
- CISA released a plan to keep CVE under its purview, citing risks in handing control to a wholly nonprofit/multi-stakeholder funding model.
- Nick (impassioned): "This is insane. CISA's core mission is to basically bring coherence to essentially a chaotic ecosystem...this is something that cannot go away...CVE is that centralized place where we get on the same common page for threats and vulnerabilities. This one drives me up a wall." (17:56, 19:58)
- Host: "CVE is the worst system, except for all the other ones we've ever tried. Right...it is an imperfect system, 100%, but also a critical." (19:58)
- Jack: "The fact that we came within a hair of losing it...just the idea of losing the CVE database is like a—we decided to switch all the cold water taps to Gatorade. It's like, well, that's going to have some significant impacts...many things depend on that water being there." (21:17; 21:45)
- Both stress the need for global common standards, especially for multinational orgs: "If I've got to interconnect to your university in Australia, we're going to solve these six high threat number 10 CVEs. It has meaning right, that transcends...your institution." – Jack (23:42)
7. Microsoft Ending Free Windows 10 Support—Big Deal or No?
Timestamp: 25:33 – 28:40
- Consumer Reports and others label Microsoft hypocritical for charging $30/year per device for extended support, with the alternative being to upgrade hardware or accept the security risk.
- Jack: "It's a big deal, but it's not a new big deal, right? Life cycle is always a big deal." (25:33)
- Nick: "I don't think it's a big deal, personally...30 bucks and I get less AI junk, less ads. I can stay on Windows 10." (25:42)
- Host and Jack agree that the paid extended support approach is better than nothing, especially for complex orgs, though Nick jokes: "There's the right way, the wrong way, and the Microsoft way, which is usually the wrong way, only a whole lot faster." (26:28)
8. Reuters Investigation: AI Chatbots Easily Generate Phishing Emails
Timestamp: 29:35 – 32:52
- Reuters showed that Grok, ChatGPT, Claude, and others could generate convincing phishing emails despite guardrails; 11% of volunteers clicked links in a test.
- Jack: "Any tool can be dual use, right? So this tool is being dual use to do nasty things...the real question is and what's the counter to it?...AI got really cheap, right? So it's a consumer level tool like auto dialers used to be." (29:35)
- Host: "There was a spectrum here, right? Like Grok like did it, no questions asked. It was like yeah, no problem, I'm going to tee this up for you. Some of the others, you know, denied it. You had to say oh this is for research or...make some excuses..." (30:43)
- Nick: "AI isn't introducing basically a new type of cyber crime here. I just think it's supercharging it, you know, and I think that's what we're grappling with." (31:35)
Notable Quotes & Memorable Moments
- On Boards & CISO Role: "Who would have known that giving someone none of the decision-making power but being responsible for everything turned out to be like toxic and like horrible. Who could have known?" – Host (03:46)
- On Security Budgets: "When CFOs are treating nickels like manhole covers, it just helps no one." – Nick (03:28)
- On CISA and the CVE Threat: "If the road goes away, we got a problem." – Nick, on losing CVE (20:19)
- On Recruiting Young Hackers: "It may be in the wrong channel. So this was kind of channeling." – Jack, on youthful creative hacking (15:32)
- On Microsoft Support: "It's the counter incentive. I'll stay on Windows 10 for 30 bucks if that means I don't get Copilot." – Jack (25:56)
- Gatorade Analogy: "Just the idea of losing the CVE database is like—we decided to switch all the cold water taps to Gatorade. It's like, well, that's going to have some significant impacts." – Jack (21:45)
- On AI-powered Phishing: "Water is wet, fire is hot, AI is going to write better phishing emails." – Jack (29:35)
Important Timestamps
- [02:07] Boards’ new responsibilities & program continuity
- [05:48] Week’s supply chain and vendor breaches
- [11:20] Surge in student hackers and school cyber attacks
- [17:50] CISA, CVE control, and funding debate
- [25:33] Microsoft's Windows 10 support controversy
- [29:35] Reuters' AI phishing investigation
Takeaways
- The panelists advocate for engaging cyber-curious youth as future defenders, not just penalizing them.
- Critical shared infrastructure like the CVE database must remain stable, transparent, and outside parochial interests—losing it would be disastrous for vulnerability management globally.
- The AI revolution is democratizing both defensive and offensive capability—education, not panic, is the best counter.
- Vendor lifecycle management (a.k.a. “planned obsolescence”) remains a major pain point.
- Security teams need more board-level understanding and consistent executable strategies; turnover at the CISO level is harming continuity.
Panelist Contact:
- Jack Kufal: LinkedIn (“the safest place”)
- Nick Espinosa: YouTube (/NickEspinosa) & LinkedIn (“may or may not be wearing pants”)
For more daily stories, visit csoseries.com.
