
Rich
From the CISO Series, it's Cybersecurity Headlines. Security cameras get spied on, the data sovereignty emperor might have no clothes, and a submarine builder springs a data leak. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're looking forward to some insight, opinion and expertise from our guest, Derek Fisher, Director of the Cyber Defense and Information Assurance Program at Temple University. Derek, thank you so much for being on the show, spending your time with us. I gotta ask, how was your week in cybersecurity?
Derek Fisher
You know, I had a pretty... first, thank you for having me on, but yeah, a pretty mundane week. Been wrapping up a book, so I was trying to finish up some work there. Working on a new training course, so doing some recording for that as well. So yeah, and I was playing around with some lab-related work. I'm building up some security testing tools that I was playing around with. So it wasn't an exciting week necessarily from a news perspective, but I definitely had my hands dirty and was really plowing through some work this week. So it was busy for me.
Rich
So productive and non-destructive is the wish for all cybersecurity professionals. So may we all follow your example. Yeah, a big thank you also to our sponsor for today, Dropzone AI, the leader in autonomous alert investigation. If you're listening to the show as a podcast, so you're not listening live, remember that next week you can join us and our loyal band of vocal experts on YouTube Live. To do so, go to cisoseries.com, hit the Events dropdown and look for the Cybersecurity Headlines Week in Review image. You can also subscribe to the CISO Series on YouTube, and either way you will find us each and every Friday at 3:30pm Eastern. If you are here live, we want to see your comments in the chat. We will do our best to address them during the show, but they help make the show better, they delight us, they intrigue us and they make our Friday. So please come join the chat, have some fun. You can also send us feedback through electronic mail. Now we have an address for that: feedback@cisoseries.com. Send us your thoughts about the show, the news of the week or really just anything that's on your mind. We'd love to hear from you before we jump into the news. Just a reminder here that these are in fact Derek's own opinions, not necessarily those of his employer or any staff, affiliates, friends, family or nemeses. We have about 20 minutes, so let's get started. First up here: Unpatched flaw in LG surveillance cameras allows admin access. CISA is warning of an unpatched authentication bypass vulnerability in a specific model of LG security camera, the type often mounted on ceilings in commercial buildings, you know, where things you might not want a threat actor to see would be. Approximately 1,300 of these cameras are active and vulnerable to full unauthenticated remote code execution.
As CISA points out, this is a critical infrastructure threat, which is not simply a risk to isolated devices, but potentially endangers facilities that are vital to public safety and national operations. The manufacturer, LG Innotek, is aware of the vulnerability, but it will not patch it because this particular camera is end of life. So Derek, we actually ran another story this morning on Cybersecurity Headlines about Dahua, another security camera maker with a remote code execution vulnerability. But in the case of LG, the situation seems to be exacerbated by the fact that this is an end-of-life product. It's not going to get the patch. As CISA points out, there's the central role that these cameras play in critical infrastructure, not only as security devices but as being connected to company networks. Hello, lateral movement. I'm curious, do you think maybe these manufacturers should shoulder more responsibility toward the safety of these expiring products?
Derek Fisher
I mean, the trickiest part is that this is hardware, right? Software is a little bit easier to... not that we don't have technical debt when it comes to software, but hardware is a little bit different because you have a full stack product, you know, in a box, right? You have software, you have hardware all running together, network capability, all running together in one package. So you have a little bit of a different type of form factor there. But you know, I came from Siemens Healthcare. When I started getting into security, Siemens Healthcare, if you're aware, they obviously create these large MRI machines, X-ray machines, things like that. Those were not, you know, a two-year product or a one-year product. They were decade-long. They were designed to be decades in the field. And oftentimes even today you'll find these machines running Windows 95. And that's true even in the financial industry in terms of some of the hardware and software that runs in some applications there. We live in an environment where these pieces of infrastructure are legacy, they're end of life, and it's a reality. I think the manufacturers do have a bit of a responsibility, but at the same time, putting yourself in the shoes of the manufacturer, how long is that tail? And we used to try to push the idea of maybe GA-2 or GA-3 or something like that, where we'll let our customers know up front that we're only going to support, you know, back two, three versions and after that it's done, and so we can try to pursue something like that. But you know, going back to my days of working in a commercial space, where the customers would come back and say we're not upgrading because we can't, this is a money-making machine.
Sometimes literally it's a money-making machine, and if we upgrade we have to, you know, assume failures, we have to assume costs and all these things, and it's just not broke, so we're not going to fix it. And so there's this, you know, back and forth between the manufacturer versus the consumer, where the need actually is and where the spend is going to come from and who's going to absorb that cost. I think in cases of these types of critical infrastructure issues especially, there needs to be some method for moving off of those vulnerable pieces of hardware, whether it's, you know, the manufacturer offering some type of subsidized upgrade or some type of path to the GA version or the latest version. To assume that the manufacturer is going to go back and push patches to older versions, I think that's just a fairy tale.
Rich
Yeah, I think I agree with you. When these things happen, it's easy to look at the manufacturer. I think there needs to be one, an upfront obsolescence plan. Like you were saying, you should know the roadmap before you even install this thing to know what your exposure is going to be. And I do agree there needs to be a, like a, you know, pull ripcord in case of critical vulnerability on both sides so that you're not caught, neither side is caught flat footed with this. But this seems to be an increasingly relevant conversation as we are now living with, you know, essentially network computers living in physical space for coming up on three, four decades now, depending on the hardware.
Derek Fisher
Right. And I think there's also the, you know, we can architect around some of these devices knowing that, you know, at some point they're going to go end of life. We need to, you know, reduce the blast radius. We'll talk about microsegmentation and zero trust, I'm sure, because that's a constant theme. But you know, you have to ask yourself, who's going to implement that? Right? You're asking potentially, you know, some of these systems that maybe have an IT team of one person, right? And so they're going to architect and build out these systems that are going to protect these devices. And that's a bridge too far in some cases. So.
Rich
All right, well, next up here: Microsoft cannot guarantee data sovereignty. Executives from Microsoft France said their company cannot guarantee data sovereignty to customers in France, and by extension to the wider European Union, due to the CLOUD Act, a law that gives the US government authority to obtain digital data held by US-based tech corporations, irrespective of whether the data is stored on servers at home or on foreign soil. It is said to compel these companies, through warrants or subpoenas, to accept the request. This appears to be a major story that will likely fly under the radar, is pretty wonky policy-wise, and will lead to, I'm imagining, a great deal of litigation, especially considering that AWS, who supported the bill along with Microsoft and Google, you may know them as the big three cloud providers, is stating that the CLOUD Act does not only apply to US-headquartered companies; it is applicable to all electronic communications service or remote computing service providers that do business stateside. The second quote from AWS is no trifling piffle either. So, Derek, what's your take on this? Trifling piffle or a piffling trifle?
Derek Fisher
This shouldn't be any surprise to anybody, right? So we know. You know, when I was doing some reading on this, I remember thinking about when I was growing up, we had, you know, the landline phones in the living room or in the kitchen. And the joke was always that the FBI is tapping into your phone, right? And they're listening, and it's like, nobody's that important. But, you know, back then that was the joke, right? Everyone's phones are being tapped. The reality is that today the data is just everywhere, and the reason I make that parallel between the wires being tapped by the FBI is because it was very confined, like, okay, my phone, right? That's it, and as long as I keep my conversations off the phone, I'm fine. But today it's like you don't even know the different tentacles of the services that you're using, you know, where it's making API calls, where it's storing data, is it transmitting over a global network just to come back into the U.S., or vice versa. If you're in Europe, if you're in Germany, the data that is being processed there is shooting around the world and touching many different endpoints, being cached in certain places. So the one comment that I saw while reading this article was that the ask was, can you confirm that European citizens' data would never touch a certain endpoint? And I believe it was a rep from AWS who said no, I can't guarantee that. And it's like, yeah, I mean, all of us who work in this industry know that you cannot make those kinds of guarantees that the data that's being produced in a certain area will always reside in that area.
Given the interconnected type of technology that we have, I think we're seeing this rise of digital nationalism where, you know, nations are going to start, I mean, we already have nations that are doing this, but nations are going to start just creating their own Internet, their own networks and their own services. And if you want to truly keep your citizens' data from traversing outside of your nation's boundaries, your digital boundaries, that's the lengths that you have to go to. And I think there's been plenty of examples of that in Europe where their companies are coming up with those solutions and selling them and making good money off of it.
Rich
So yeah, definitely a trend to keep watching and as we get kind of, I don't even want to say more clarity, but more action along that trend. Right. Of that kind of digital national or national digitalized nationalism. I love that phrase. Yeah, we will see if that continues to make waves as these types of issues continue to be relevant. And as Devin pointed on our comments here, yeah, it looks like GDPR fines are on the way or revisions to GDPR to be quite frank with some of that stuff. I think there's going to be some push pull on both sides with that.
Derek Fisher
But there was a point about the GDPR fines where companies are taking on... there's two sides of that. It's either I take on whatever X percentage of GDPR fines or other regulatory fines I may take, or if the US government comes in and says you have to hand over this information, you know, a US company is not going to say no; they can't. Right. I mean, we've learned that through the Patriot Act and now, you know, throughout time since the early 2000s, that if the government comes knocking, you have to turn it over, whether we like that or not.
Rich
So, yeah, don't, don't envy any digital privacy officer.
Derek Fisher
Yeah, these days.
Rich
All right, next up here: French submarine secrets surface after cyber attack. Hackers calling themselves Neferpitou, a name that might cause manga nerds to sit up a little straighter if I didn't completely mangle it, have leaked 13 gigabytes of internal documents belonging to French submarine manufacturer Naval Group. Everything from combat systems source code and simulation software to weapons configurations and internal comms. Naval Group says it's found no evidence of a breach in its internal systems. But regardless, the data cat is out of the bag. Calling this a textbook case of navel gazing, some experts are suggesting the breach may be due to an exploitation of an on-premises SharePoint server, which raises the question of military and defense organizations using the same types of vulnerable technology as the civilian sector. First off, kudos to our glorious producer Steve Prentice and Hadas Cassorla this week for fantastic submarine puns. But Derek, I'm curious, what are your thoughts?
Derek Fisher
You know, there's a lot going on on this one. I mean, so I'll pick on Microsoft here, right, because it was a SharePoint... or they're saying that it was potentially a SharePoint vulnerability that led to this. But you know, Microsoft spends a lot of money and time and effort in getting those contracts. A lot of the military contractors, right, these are private individual companies that produce hardware or they do engineering for the military of the nation that they work for. So the military itself, I mean, they do have engineering arms, but a lot of it's being done by these consultants and these contractors. So these organizations, they get approached by Microsoft, they get approached by AWS and all these big companies, and they spend a lot of time trying to get them to get on board with that product. So it's hard for us to say, should national secrets not be run on Microsoft products or AWS products? You know, I don't know. I mean, what are the alternatives? I kind of go back to what I said earlier about some of these organizations having a small IT team, maybe not even having a robust internal security mechanism. So who's going to maintain something that's not commercial off the shelf, in favor of going to Microsoft and just kind of saying you guys secure it for us because we don't have the capability to do it? But I think the bigger problem here is espionage. Right? I mean, and we might talk about this a little bit later, but espionage is a huge problem these days, whether it's military secrets or just commercial IP.
It's staggering in comparison to back in the 1950s, where, you know, KGB agents would have to sneak into some facility with a camera snuck into the heel of their shoe and then snap some pictures and make off with a couple pieces of film. Now you can steal entire databases of information in a matter of minutes. And so I think the scale is much different, and it's not like it's something that's ever going to go away. So again, there's a lot going on here. I don't know if there's an easy solution.
Rich
So yeah, I don't know if we want, like, you know, if the solution to this is government spins up its own hardened Linux, complete ecosystem, like that seems completely infeasible at scale. And would the outcome be any better? Probably not.
Derek Fisher
And that does exist. I mean, there are, you know, the secure Linux distributions, there is AWS, you know, designed specifically for... yeah, they all...
Rich
Have government SKUs for all of this that are extra hardened or for military use.
Derek Fisher
But again that's, that's, that's not the commercial off the shelf type of applications and technology that a lot of people are accustomed to working with. And there's a learning curve there in some cases depending on the technology. And it comes back down to who's going to maintain it, who's going to make sure that it's working appropriately and is that really that much more secure than what you're already using?
Rich
All right, well, before we move on to our next story, we have to spend a few moments and thank our sponsor for today, Dropzone AI. Security teams everywhere are drowning in alerts. That's why companies like Zapier and CBTS turn to Dropzone AI, a leader in autonomous alert investigation. Their AI investigates everything, giving your analysts time back for real security work. No more 40-minute rabbit holes. If you're at Black Hat, find them in Startup City. Otherwise, check out their self-guided demo at dropzone.ai. This is how modern SOCs are scaling without burning out. That's D-R-O-P-Z-O-N-E dot AI. All right, next up here: FBI and CISA warn about Scattered Spider's evolving tactics. The FBI and CISA have issued an updated advisory warning that Scattered Spider remains a serious threat, using sophisticated social engineering and intrusion tactics including phishing, MFA fatigue, SIM swapping and ransomware like DragonForce to breach systems, including encrypting VMware ESXi servers. Despite recent arrests tied to the gang, US, UK, Canadian and Australian authorities emphasize that Scattered Spider's evolving techniques continue to pose a big risk to national security and critical infrastructure. So Derek, Scattered Spider has certainly made a name for itself this year. Last week we discussed their affiliation with the Com, which seems to consist of young and aggressive hackers. There are two kind of directions we could take here, maybe both. One, this growing power of youth-focused hacking groups like Scattered Spider and by extension the Com, or maybe the buried lede here of the story is MFA fatigue being a more serious threat than we give it credit for.
Derek Fisher
I mean, the MFA fatigue is definitely a real thing because, you know, I have a routine when I get up in the morning. I come downstairs, I get in front of my desk, I start going through all my accounts to look at, you know, whether it's the social media accounts or bank accounts, whatever. I'm just checking on how things are going. And my phone, in the morning, I have six alerts for MFA. Right. And they're legitimate. They're ones that I'm going through. But you're constantly being hit with MFA requests. So the MFA fatigue, that's a real problem. And we talk about psychological acceptability when it comes to security: if we make the bar too high for security, people are going to find ways to either circumvent it or find ways to just ignore it. And I think that drives that point home of MFA fatigue, where yeah, if you're just constantly getting pinged for it, you just, whatever, I just want to check this one thing or whatever the case is. As far as Scattered Spider and the youth, and getting a younger bench of hackers and attackers into the field, some of that may have to do with, and I'll just say this from the standpoint of the US economy and where we are in terms of hiring, there's a lot of people with cybersecurity talent or technical talent that are struggling to find jobs. And unfortunately, like the old saying goes, idle hands are the devil's plaything. Right. So if you don't give people some type of activity to channel their energy, they're going to find ways to channel it some way or another.
I don't know if that's the case that's happening here, but it's certainly something that would be interesting to see the trends on over time, where if we're not giving people the appropriate outlet, they're going to find ways to fill that gap.
Rich
Yeah. But I would also say we're also seeing kind of a combination with that, right. Of maybe some underemployment of people curious in this field that are kind of either problem solvers or like to break things and take them apart, you know, like get a satisfaction out of that. Combine that with the advent of modern LLMs, where even if I don't necessarily know a ton about Python or whatever coding language, all of a sudden I can get that shallow expertise that every LLM instantly gives you. And all of a sudden you don't have to be very sophisticated, but then you can start... it's a lot easier to get that ball rolling too, just from that end as well, even with the guardrails that are in place.
Derek Fisher
Right? Yeah, that's a good point.
Rich
All right, our last story for today here: supply chain attacks spotted on GitHub Actions, Gravity Forms and npm. Researchers at Armis Labs have uncovered major software supply chain attacks in GitHub Actions, the ua-parser-js npm package and the Gravity Forms WordPress plugin, all involving backdoors or poisoned code that jeopardizes thousands of systems. These incidents remind us how trusted developer tools can be compromised and how AI-driven coding practices are being exploited. Experts warn that attackers can now backdoor vast numbers of software projects in days, making early detection and code integrity checks more critical than ever. I'm curious, Derek. We're seeing these crop up in the news a ton recently. What are your thoughts about these large-scale vulnerabilities?
Derek Fisher
I was going to say these sort of feel like a dime a dozen anymore because, you know, there's constantly... And I don't have the numbers in front of me, but I know that there's, you know, thousands of npm packages that are classified as malicious that are found per year. But I remember when I was a software developer many moons ago that we had a very sort of well-curated, because software was developed much differently back then, but a very well-curated list of: here are the products that we work with, here's what goes into our software. You could point to the bill of materials on an application and say, yeah, I know what all those are. Now, today, when you're building software, I mean, you have packages that are coming from everywhere. Those are just the direct dependencies, which all have their own dependencies, which are indirect dependencies, and those can number into the hundreds or, depending on the size of your application, even into the thousands. You have this massive web of other people's code. You're really working with other people's code, and you have to trust that other code coming from all these different sources. And so attackers obviously are taking advantage of that trust that is there, because to be honest, not many people are following good software bill of materials hygiene, where you're building provenance, you're building pedigree into your SBOM, you know, who's made the code changes, where it came from, when it was last updated, the dependencies that are all built into that. And so we don't have a good... the technology is there. We can all do this today. But the follow-through from many organizations just isn't there, and it leads to these types of unfortunate breaches.
Rich
So Devin McCarthy in our chat brings up: wonder if there will ever be a breaking point where SBOMs will be required. I don't even think that fundamentally solves the issue. I mean, certainly more visibility is better. But you know, Derek, to your point, how deep does that go? Do you just have your dependencies, or do you have the dependencies of those dependencies? Then you're stacking turtles at that point. I also am fascinated with just the whole maintainer ecosystem in open source. That is an entirely different thing, where either maintainers are retiring, they're passing away, ownership of those can change, and that completely changes something that was rock solid, maybe for decades, all of a sudden into a security threat. Admittedly, an SBOM would make it much easier to find that. But yeah, those certainly... visibility good, but to me at least it doesn't completely solve the issue.
Derek Fisher
Yeah, and that's where again, to your point, SBOM gives you visibility, right? But like anything, you can have that visibility, but if you do nothing with it, it doesn't help.
Rich
So you can collect all the logs you want, but if you're not analyzing them... Exactly, exactly.
Derek Fisher
But yeah, I mean, one of the things I was playing with this week is, you know, trying to develop an SBOM with provenance and pedigree built into it. And to generate the SBOM, that's no problem. You take your code base, you generate the SBOM. That's not a big deal. It's getting all that additional metadata into there and then actually doing something with it. So you did flag an unsigned package, or you were able to tag a package based on maybe some threat intelligence that you have that says, okay, this potential package, even though it doesn't have a CVE listed, it looks like there's potential activity on it, whatever the case is. But that's where you have to have the processes, the technology, the checks in place to be able to act upon that when you get that information. So unfortunately, an SBOM, yes, it's great, you should be generating those, but without all the additional metadata, it's just information that you can use in a breach when you need to find where the package is. It's not going to help your overall process unless you build that intelligence in.
Rich
All right, well, thank you to everybody that got involved in our chat today. Devin McCarthy, I see you in there getting in the chat. CCL, of course, one of our regulars, Kevin Farrell, Maxtronic, even getting in there, having some fun with the puns, as I like to say. We would love it if more people could come and join us in our live chat. It's a fun time. Nobody bites there, I promise. We're seeing new names pop in all the time and it makes it a ton of fun. Derek, before we get out of here, was there any story for you that was a thumbs up or a facepalm? I feel like there's a couple facepalm candidates, I'm not gonna lie to them.
Derek Fisher
Yeah, I think the data sovereignty one is one that's not really a facepalm, but it was more like it's sort of obvious. But there's no obvious solution other than everyone just retreating to their borders, their digital borders, and that's it. So I think it's going to be a tricky problem that we're going to see a lot of chatter about in the near future, I think.
Rich
Yeah, it feels like a staring contest right now and companies are unfortunately kind of in the middle and hoping somebody blinks soon.
Derek Fisher
Right.
Rich
All right, Derek, where can people find you on the cyberspace if they are so inclined to give you a follow, see what you're up to?
Derek Fisher
Yep, you can find me on LinkedIn, and likewise I have a Substack where I do try to keep up with it. I usually try to release something every other week if I can. But yeah, you can check me out there as well.
Rich
We have links to both of those in our show notes. Give them a subscribe on Substack and you will not regret it. Thank you so much, Derek Fisher, Director of the Cyber Defense and Information Assurance Program at Temple University. Just dropping the knowledge. Having a fun time. Having a great Friday afternoon. Thank you so much for your time and we hope to have you back soon.
Derek Fisher
Yeah, thanks Rich. Really appreciate it. Thank you everybody.
Rich
Thanks also to our sponsor for today, Dropzone AI, the leader in autonomous alert investigation. Thank you again to our audience today. I know we can't get every comment up on the screen or address it on the show, but we deeply appreciate you being here, and participating delights me to no end. And don't forget, you can send us feedback through electronic mail: feedback@cisoseries.com. We've been getting a little bit more in there. I love replying back, seeing what people are feeling about the shows. We love your feedback. Send it. Do not be shy. Please join us next week, first up for Super Cyber Friday, where our topic will be Hacking Toxic Culture, an hour of critical thinking about how we poison the well in cybersecurity. That starts at 1pm Eastern. Then come on back for another episode of the Week in Review that starts at 3:30pm Eastern. To register for both, you can go to our events page at cisoseries.com. You can follow us on YouTube. Make sure you always catch us when we go live there as well. In the meantime, you can still get your daily news fix every day through Cybersecurity Headlines. It is available wherever you get podcasts. It takes about six minutes and you'll get all caught up. Until the next time we meet, for myself, for our glorious producer Steve Prentice, for Derek Fisher, for all of us here in the CISO Series organization conglomerate family, here's wishing you and yours a super sparkly day. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: CISO Series
Guest: Derek Fisher, Director of Cyber Defense and Information Assurance Program at Temple University
Release Date: August 1, 2025
The episode begins with a discussion of a critical security flaw identified in LG's surveillance cameras. Approximately 1,300 units are vulnerable to unauthenticated remote code execution due to an unpatched authentication bypass vulnerability. This issue poses a significant threat to critical infrastructure, as highlighted by CISA.
Rich:
"An unpatched authentication bypass vulnerability in a specific model of LG security camera allows for full unauthenticated remote code execution." [00:36]
Derek Fisher:
"Hardware presents unique challenges because it’s a full stack product. Unlike software, updating hardware is not as straightforward, especially for legacy systems designed to last decades." [03:44]
Derek emphasizes the difficulty manufacturers face in maintaining security for end-of-life products and suggests that there needs to be a better framework for managing and upgrading vulnerable hardware used in critical environments.
The conversation shifts to Microsoft's challenges in guaranteeing data sovereignty for its French and broader European Union customers. The Cloud Act, a U.S. law, compels U.S.-based tech companies to provide data to the government, regardless of where the data is stored globally.
Rich:
"Executives from Microsoft France stated that they cannot guarantee data sovereignty to their customers in France due to the Cloud Act." [07:13]
Derek Fisher:
"The interconnected nature of today's technology means data often traverses multiple global endpoints, making it impossible to guarantee that data remains within national borders." [08:58]
Derek draws parallels between past and present surveillance realities, highlighting the complexity and inevitability of data crossing international boundaries. He predicts a rise in digital nationalism as nations seek to create isolated digital ecosystems to protect their citizens' data.
A significant breach involving the French submarine manufacturer Naval Group is examined. A hacker identified as Neferpitou leaked 13 gigabytes of sensitive documents, including combat systems source code and weapons configurations. Although Naval Group found no evidence of an internal breach, experts suspect an exploited on-premises SharePoint server.
Rich:
"Hackers calling themselves Nefer P2 have leaked extensive internal documents from Naval Group, raising concerns about the use of vulnerable technologies in military and defense sectors." [12:10]
Derek Fisher:
"Espionage has evolved from physical infiltration to digital theft, enabling attackers to steal vast amounts of data rapidly. The reliance on commercial off-the-shelf technologies by defense organizations exacerbates this vulnerability." [13:55]
Derek underscores the difficulty in securing military secrets in an era where cyber espionage can compromise entire databases swiftly, questioning the effectiveness of relying on mainstream technology providers for sensitive operations.
The episode highlights an updated advisory from the FBI and CISA concerning the persistent threat posed by the Scattered Spider group. Utilizing advanced social engineering and intrusion techniques—including phishing, MFA fatigue, SIM swapping, and ransomware—the group continues to target national security and critical infrastructure.
Rich:
"Scattered Spider remains a serious threat, employing sophisticated tactics to breach systems, including the encryption of VMware ESXi servers." [17:05]
Derek Fisher:
"MFA fatigue is a genuine problem. Constant authentication requests can lead users to become desensitized, increasing the risk of security breaches." [19:18]
Derek discusses the psychological impact of relentless security measures like multi-factor authentication (MFA), which, while necessary, can lead to user fatigue and decreased vigilance. He also touches on the broader issue of youth involvement in hacking groups, suggesting a correlation between underemployment in cybersecurity and the rise of such threats.
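The desensitization Derek describes leaves a trace in authentication telemetry: a burst of denied or unanswered push prompts for one user followed by an approval. The detection logic below is an added example, not from the episode or any vendor; the log format, field names and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real telemetry): one MFA push outcome per line.
SAMPLE_LOG = """\
2025-07-30T09:00:05Z user=alice result=denied
2025-07-30T09:00:41Z user=alice result=denied
2025-07-30T09:01:20Z user=alice result=timeout
2025-07-30T09:02:02Z user=alice result=denied
2025-07-30T09:02:55Z user=alice result=denied
2025-07-30T09:03:30Z user=alice result=approved
2025-07-30T09:00:10Z user=bob result=approved
2025-07-30T14:15:00Z user=bob result=approved
"""

UNANSWERED = {"denied", "timeout"}  # prompts the user did not accept


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Parse 'TIMESTAMP user=NAME result=OUTCOME' (constructed format) into a tuple."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kv["user"], kv["result"]


def detect_push_fatigue(log: str, window: timedelta = timedelta(minutes=10),
                        min_unanswered: int = 3) -> list[dict]:
    """Flag an approval that follows >= min_unanswered denied/timed-out prompts
    for the same user inside `window`: the 'gave in to the noise' pattern.
    Returns one alert dict per suspicious approval."""
    by_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            by_user[user].append((ts, result))

    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for i, (ts, result) in enumerate(events):
            if result != "approved":
                continue
            # Unanswered prompts in the look-back window before this approval.
            prior = [r for t, r in events[:i] if ts - t <= window and r in UNANSWERED]
            if len(prior) >= min_unanswered:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "prior_unanswered": len(prior)})
    return alerts
```

A single denied prompt is routine; the approval after a run of them is the event worth paging on, because it is the moment the fatigue the quote describes becomes an account compromise.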
The final major topic covers the discovery of supply chain attacks targeting GitHub Actions, the ua-parser-js npm package, and the Gravity Forms WordPress plugin. These attacks involve backdoors and poisoned code that compromise thousands of systems, emphasizing the vulnerability of trusted developer tools.
Rich:
"Researchers at Armis Labs have identified significant supply chain attacks that exploit trusted developer tools, posing a heightened risk to software integrity." [21:24]
Derek Fisher:
"The complexity of modern software dependencies makes it difficult to maintain a secure supply chain. With thousands of NPM packages classified as malicious annually, the challenge of ensuring code integrity is immense." [22:58]
Derek points out that the vast web of dependencies in contemporary software development creates numerous entry points for attackers. He advocates for better software bill of materials (SBOM) practices and improved metadata management to enhance visibility and security, though he acknowledges that without actionable processes, SBOMs alone are insufficient.
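Derek's point that an SBOM is only useful with an actionable process behind it can be made concrete: parse a CycloneDX-style SBOM, reject components whose provenance metadata (purl, hashes) is missing, and fail the build on versions listed in an advisory feed. This is an added example, not code from the episode or from any of the projects named; the SBOM contents, the example-utils and mystery-lib package names, and the advisory versions are constructed placeholders.

```python
import json

# Constructed minimal CycloneDX-style SBOM (illustrative, not from a real build).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "ua-parser-js", "version": "0.0.0-constructed",
         "purl": "pkg:npm/ua-parser-js@0.0.0-constructed",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"type": "library", "name": "example-utils", "version": "1.3.0",
         "purl": "pkg:npm/example-utils@1.3.0",
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
        # Component shipped with no purl and no hashes: nothing to verify against.
        {"type": "library", "name": "mystery-lib", "version": "2.0.0"},
    ],
})

# Constructed advisory list: versionless purl -> affected versions (placeholders).
# In practice this is fed from a vulnerability database, not hard-coded.
ADVISORIES = {"pkg:npm/ua-parser-js": {"0.0.0-constructed"}}


def split_purl(purl: str) -> tuple[str, str]:
    """'pkg:npm/name@1.2.3' -> ('pkg:npm/name', '1.2.3'); version is '' if absent.
    Scoped npm names percent-encode their '@', so the first '@' is the version."""
    base, sep, version = purl.partition("@")
    return base, (version if sep else "")


def audit_sbom(sbom_json: str, advisories: dict[str, set[str]]) -> list[dict]:
    """Turn an SBOM into decisions: which components block the build and why."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = f'{comp.get("name")}@{comp.get("version", "?")}'
        purl = comp.get("purl")
        hashes = comp.get("hashes") or []
        if not purl or not hashes:
            findings.append({"component": name, "issue": "missing purl or hashes",
                             "action": "reject: provenance cannot be verified"})
            continue
        base, version = split_purl(purl)
        if version in advisories.get(base, set()):
            findings.append({"component": name, "issue": "version listed in advisory",
                             "action": "fail build: pin a clean version and rebuild"})
    return sorted(findings, key=lambda f: f["component"])
```

Run as a CI gate, a non-empty findings list is the "actionable process" the SBOM by itself does not provide.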
Legacy Systems Vulnerability: As hardware reaches the end of its lifecycle, manufacturers and users must develop sustainable strategies for maintaining security, particularly in critical infrastructure.
Data Sovereignty Challenges: The global nature of data flow complicates national efforts to enforce data sovereignty, potentially leading to increased digital nationalism.
Evolving Cyber Espionage: The transition from traditional espionage to cyber-based methods allows for more extensive and rapid data breaches, necessitating advanced protective measures.
User Fatigue and Security Measures: While essential, security protocols like MFA must be balanced to prevent user fatigue, which can inadvertently weaken security postures.
Supply Chain Security: The interconnectedness of software dependencies requires robust strategies for monitoring and securing the software supply chain to prevent large-scale compromises.
Derek Fisher's expert commentary provides valuable perspectives on the intersection of technological advancements and cybersecurity challenges, emphasizing the need for proactive and adaptive security measures in an increasingly complex digital landscape.
Connect with Derek Fisher:
For more insights and updates, you can find Derek Fisher on LinkedIn and subscribe to his Substack newsletter.