
Loading summary
Sean Marion
From the CISO series, it's Cybersecurity Headlines.
Rich Stroffolino
TikTok is back, but with strings attached. Kristi Noem promises to curtail CISA and employees of failed startups represent data theft risk. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're eager for some insight, opinion and expertise from our returning guest, making his second appearance, Sean Marion, VP and CSO over at Xcel Energy. Sean, thrilled to have you back on the show. It's been about two years. I gotta, I gotta ask, before we jump into the news, how was your week in cybersecurity?
Sean Marion
Mike was great. You know, in this role, sometimes weeks are good, sometimes they're bad. I have to say this was a really good week.
Rich Stroffolino
All right, we gotta chalk that up on the win column and, and just savor that. We're gonna change your mind though, so maybe we got some serious news here, so maybe maybe we'll make it less good. I hope not. I hope it's good. I hope we come positivity throughout the course of the show, but we'll find out in just a moment. Before I jump into the news, also have to thank our sponsor, Vanta. A new way to GRC. Remember, you can join us on YouTube live, get in on the comments, help us shape the conversation that we're having on the show. It's always a pleasure. I already see the chat room is lighting up all of a sudden I'm seeing Happy Fridays all over the place. We got Kevin Farrell, we got David Cross, we got Michael Vinding, and of course one of our regular CCL is in there. It's a really great crowd. You want to get in there, never know what's going to be brought up. So make sure you're joining us live each and every Friday at 3:30 Eastern and get in on that chat. Final thing before we jump into this, I've been promising. We're jumping into the news now, it feels like for 20 minutes. Just a quick reminder that Sean's opinions are his own, not necessarily those of his employer. We've got about 20 minutes, so let's get started. First up here we got TikTok's Wild Week. Hard to ignore this one. The immensely popular video platform this week became the Schrodinger's cat of social media by being both a thing and not a thing in terms of its US presence. It was shut down last weekend pursuant to a Supreme Court court ruling which was upholding the constitutionality of A law, but was then restored by President Trump on his inauguration day Monday. Kind of. I mean the app is operational now, but it is under a 90 day reprieve, during which time it seems it must find a buyer and possibly must accept 50% ownership by the US government or an American company. All of those particulars kind of murky. We just know there is a brief stay of US execution at least. So, Sean, putting aside the politics, one of the most interesting outcomes of last weekend's closure of TikTok was the exodus of self titled TikTok refugees. We're stretching the term of refugee very broadly here, but that's what they're calling themselves. And they started to migrate over to apps like RedNote and Lemon8 to similar platforms that are also based in China, presumably would have the same data security concerns. Some of these refugees describe this as an act of revenge against the government for depriving them of TikTok and knowingly going even though less safe to less safe platforms as a form of protest. I guess this is a new form of cyber risk here. I'm curious, what's your take on all of this?
Sean Marion
Yeah, it is a new form. You know, I was thinking when I saw this because I, my four kids, two of which are obsessed with TikTok now they're all in their 20s, right? So they make their own decisions, but you know, kind of chatting with them. On one hand you'd want to educate your, you know, your populace of the risks of using this, but based on their actions, I don't think some people care. They may not understand, but they certainly don't care. You can see you could go into red note things like that. I feel like there's got to be a better way to approach this where they can still use the platform safely. I wonder if the government, the US government were to have 50% ownership, would we have a different take? Not you and I, but would users be like, oh, I don't want the government spying on me. And it's like they were, it was just a different government. So we'll see, we'll see. For my daughter's sake, I hope that, I hope that it sticks around.
Rich Stroffolino
I also think this is a product and I realize if there are national security concerns or something, there's a limit to what you can say. But I also feel like no one to me has made a very convincing case other than China may do something with this data. If there were, there's like no case of being like here is what they're going to do with it, or here's what they have done with it. Here are the actual harms that have been done. It's all couched in hypotheticals and behind national security briefings that we don't have access to. And I feel like because of that, to, to a user, it's kind of unfair to be like this app is, is not good. But even though we can't tell you.
Sean Marion
Why, it's this very ethereal thing. It's. And it relates very much to, like, the business when, especially dealing with the dod. This was a gripe I had with them for many years because they put too much of the information on the wrong side of that tear line. And I can't do anything when it's classified. And so it's like you're telling me I have, I might have cancer, but you can't tell me what kind of cancer, or you can tell me, but I can't tell anybody else. You can't tell me how to fix it. So it's like you're not arming me with the information I need. And I think you see the same thing here. A lot of, I say kids, but because I think it's a younger demographic, so maybe they had a Senate hearing. They're not watching C Span. Not my daughters aren't. Like, they're not, they don't, they don't know. They don't understand. If they understood, would they make a different decision? I mean, some would probably not, although. So I think there's got to be a better way to do this than just. I will say the last thing on this is I don't think banning fixes it either. Remember when, like, Chat GPT came out, a lot of companies like, you know, we're going to ban Chat GPT and before you know it, they're all trying to embrace it because their employees are using various forms. Anyway. Banning rarely works. There's got to be a better way to work with them and enable a more secure experience.
Rich Stroffolino
And of course, Kevin Farrell still holding a torch out for Vine. Kevin, I know that ship has passed, but I'm still with you. I'm a Vine head at heart. Next story here. Kristi Noem promises to curtail cisa. Department of Homeland Security secretary nominee Kristi Noem stated in testimony before the Homeland Security and Governmental Affairs Committee last Friday that if confir, she would keep the department out of efforts to combat disinformation and misinformation and pledged to make CISA smaller and more nimble. She also added that CISA has gone Far off mission, which is to hunt and help harden our nation's critical infrastructure. Again, let's try to keep the politics out of this story, but how do you feel about the tightening up of CESA's mandate? And if this was to go through, I'm curious, what do you envision as the repercussions, positive or negative for cybersecurity?
Sean Marion
You know, so, you know, they were formed in like 2018, I believe. So you're talking an organization that's seven years old. To think that they structured it 100% perfect on day one and there's no opportunity to improve, I think is silliness. I personally, I think Jen's done a great job over there. I mean, it's a big task, a tall order. I think she did a tremendous job. Is there an opportunity to tighten it up and. Sure, of course. I mean, they should continually be evolving. You know, I dug into like, I was trying to understand both sides. I, I try to make sure I understand both sides of every story. And so I was trying to dig into like the freedom of speech implications here. And what I found interesting is it's not quite as clear cut as even I thought. There's a lot of nuance and this is where attorneys make their money. And I don't do. I think it's, you know, I think long term, I think this is, it will be better for us. I think right now where you see a lot of the politics coming out that aren't really helpful, but I do think that trying to evolve the organization into something better, whatever that means, I think is a smart move.
Rich Stroffolino
Yeah. And the only, the biggest concern I've seen from purely a cybersecurity perspective, is what this means maybe for more local outreach that CISA has done in terms of providing resources for educational institutions and stuff like that, like the very small, where that's borderline critical infrastructure. Right. Obviously the mandate for this is, hey, let's protect the oil and gas, let's protect the energy, let's protect the water system. I think everyone's in agreement on CISA should have a mission or some governmental organization should have a mission on that. It's more of those corner cases of like, where we're seeing very tangible good of raising that cybersecurity poverty line that I'm seeing a lot of concern in kind of conversations online, you know, outside of, you know, the, the misinformation, disinformation kind of stuff, which has an inherently kind of political component to it.
Sean Marion
You know, when I was working my way various leadership positions and coaching and training. I get a question from a lot of young managers like, well, how do you know, like, what your scope of authority is beyond what's documented, beyond what your signature authority is? I have the same answer. It's like, you'll figure it out. You're going to push bounds in various places, you're going to push people in various places, and eventually you'll learn kind of what your bounds are beyond what was in any job description. I think it's kind of similar here with ce. They've got to learn kind of what those bounds are and they're going to reach spots where they're going to get pushback, whether legal pushback or community pushback or whatever. And they got to learn from that and continually improve their, their, their team, their mission, their capabilities. So, like, I think this is kind of natural. I think it's, it's, you know, without getting into the politics, I think they should have approached this differently, you know, because it's, it's so much more of a partisan issue. And I think the core thing that they want to achieve, we all kind of agree with. We need to protect critical infrastructure. How they do it, I know there's some nuance to that and they'll figure it out, but I think going through this will make them stronger.
Rich Stroffolino
All right, our next story here. Employees of failed startups at risk of stolen personal data. Dylan Airey, co founder and CEO of Truffle Security and quite a fascinating researcher, discovered that malicious hackers could potentially buy the defunct domains of failed startups and use them to log into employee cloud accounts. To test the flaw, he bought one failed startup's domain and from it was able to log into ChatGPT, Slack, Notion, Zoom, and an HR system containing Social Security numbers. He then used former employee emails to take advantage of the sign in with Google option to access the apps. Explained, startup employees are more vulnerable because startups tend to use Google's apps and cloud services to run their businesses. They're readily available, not hard to set up, et cetera. Google does have tech in its OAuth configuration called a sub identifier that should prevent the risk outline in this research, but Only if the SaaS Cloud provider uses it. But again, we are seeing a case of legacy vulnerabilities where people forget to neutralize accounts once they're no longer needed. So, Sean, I'm curious. How can companies small and large protect themselves better, not not only with their own closed accounts, but when we're talking, we're looking into third Party vendors.
Sean Marion
Yeah, I found this one to help support me. This was a great story and I feel bad for the companies that were taken advantage of, but in the security industry, we have all these startups out there trying to tell us what the tech we need to solve these problems, the problems of tomorrow. And are you thinking about Quantum? What are you doing about AI and all these things we need to think about that there's no doubt. But truth be told, a lot of the times the problems we deal with are basic things. Like they're not the really, really complicated things. They're like asset management, identity and access management. In this case, you know, making sure that you remove emails, legitimate email from accounts that and you. So you find these attackers, that they take the path of least resistance, even back like the old movies. And they would like, you know, we've breached the firewall and we've been in. It's like that's not life, man. Life is you're fishing somebody or you're taking advantage of a crappy password. Like it's, it's, it's the simple things I think we just need to get really good at. And I won't without disclosing anything. You know how many people listening, like remember, you know, conficker and some of these old, like those things are still around. Right. So that tells you that like we, some of these basic problems we're just holistically as an, as an industry, not really good at fixing.
Rich Stroffolino
Well, and as Max Tronick says in the chat, you know, it's domain name management. Unsexy task. Right. Has a lot of big implications. And yeah, I feel like there is that suffering of, you know, this is. You might not have gotten into cybersecurity to do domain name management, but like if that's where your biggest risk is, you know, that's, that's what you got to be taken care of.
Sean Marion
Yeah, I was chatting with somebody today about this. Not about the specific story, but the concept of like the unsexy things. The unsexy things are the ones that like, I think we, we don't put enough energy into. And not just security, but I'm talking IT business and so forth. Business continuity. Like how many have really good business continuity plans? Some do, I know that. And some not so much because it's not. That's the unsexy stuff, but you gotta get the unsexy stuff, right?
Rich Stroffolino
I, I was lucky. I cut my teeth in my IT knowledge with a bunch of storage gray beards. So I learned from the people that had the unsexy job, why their unsexy job was important. And so I always, yeah, I have, I have a deep appreciation for, you know, whether you're a DBA or whether you' dealing with domain name management. Those are the people that help. You need them to make the business run for sure. Before I move on to our next story, I have to spend a few moments and thank our sponsor for today. Vanta, do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, you rely on point in time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SoC2, ISO 27001. They also centralize key workflows like policies, access reviews and reporting and helps you get security questioners done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com headlines that's V A N T A dot com headlines. All right, next up here, attackers impersonate Ukraine's CERT UA Ukraine's computer emergency response team, CERT UA released a report documenting how threat actors use the remote desktop tool Anydesk to infiltrate their network. These attackers would send connection requests from a compromised Anydesk account claiming to do a security audit. CERT UA does use Anydesk for some cyber incident response procedures. They announced this in the disclosure, but said that they were always be they always have done this with prior agreement over secure communications channels. So, Sean, always a little bit of some pie in the face when cybersecurity experts get caught falling for the same tricks as regular people. I'm curious though, what are your thoughts when you see a story like this?
Sean Marion
Yeah, you know, we're still people, right? We still make mistakes. I two, two points here. One is I don't know the volume of attacks that Ukraine has experienced right now in general, but I think we can all agree they're probably fairly high given what's going on. So they're going to be hitting it from all angles. So is it likely something is going to slip, slip through? Of course, this one seems like one that could have been prevented with some basic checks. If you read through like they had some checks and balances there that didn't quite play out. So there's obviously an opportunity to improve that. But I will say if I hearken back to we were Talking about with TikTok, the answer here, the knee jerk react response here from a lot of security professionals, like, we'll get rid of any desk or shut down remote desktop or things like that. And if you don't need those, yes, absolutely do that. But there are times when you do need them. And if you've got processes for these, like, I'm not saying that's, that's the best answer, but, you know, in this case here, I think they could have done a much better job of maybe with some other technical controls or something of just ensuring that if they're going to use any desk, there's a process and a way to do that securely. And I, as, I hate to use the word securely in any desk in the same sense, but, but you get my point. Like sometimes we have these entrenched processes and anyways, I read it through. I just thought you guys had some of the right controls to prevent this and that you just didn't follow them. So kind of egg on your face, yes, we are, we should be held to a higher standard of security professionals. But it's not that we're perfect. We make mistakes. We're humans. So I feel for him as well.
Rich Stroffolino
Well, and I also appreciate the sunlight, the disclosure in this in terms of like, yeah, this is not a great look to fall for a remote desktop scheme. But also this is like communicating about this. And yes, we actually do use this tool. It's not that we don't. And then doubling down on those controls, figuring out where those fell down, whether it was through, through, you know, human process or whether it's, you know, something fundamentally more flawed than that and getting better, I feel like that is ultimately the positive. Yes, bad, like remote desktop hacks, never a good thing. But if we can get better front because of it and we're willing to talk about it, I feel like that helps everybody.
Sean Marion
I couldn't agree more.
Rich Stroffolino
All right, next up here, Subaru security flaws exposed tracking system for millions of cars. A little bit of a long read here, but I think this is a fascinating story. Sam Curry, a researcher with a long history of discovering vulnerabilities in automotive brands, has now revealed vulnerabilities in a web portal belonging to Subaru that allowed him to unlock a car, start its ignition, and reassign controls of those features to a different phone or computer. He also discovered that the portal was able to track the physical movements of a Subaru down to a single parking space in front of any building, with data stretching back a full year. This is occurring within a Subaru feature called Starlink, intended for use by employees at Subaru of America. Subaru stated that the individuals authorized to use the technology receive proper training and are required to sign appropriate privacy security and NDA agreements as needed, and that the systems have security monitoring solutions in place which are continually evolving to meet modern cyber threats. We have a full link to the blog post for it with the research from Curry, so check those out in our show notes. But Sean, a couple of different things I guess take away from this story. The first is the granularity of the tracking. Curry said, like I said, to be able to track to a specific parking space many times a day. Kind of reminiscent of problems we've seen with airtag tracking and that kind of stuff. But like it's a lot harder to replace your car than an airtag. Then there's the defiant stance with regards to NDAs and security, which clearly did not work in this case. I'm curious, you know, what are we to take on this?
Sean Marion
This is a frustrating one. When I read it, why, why was my only thought. And, and I know that from a, an engineer standpoint, like they're trying to set it up and I'm assuming, you know, so bear with me here, but they want to make sure they've got the ability to troubleshoot and maybe, you know, help support the, the custom, the customer, whatever the case is. So I'm, I, I always try to assume good intent, which I know in my profession is maybe a flaw. But that said, there should have been a common sense discussion of like how could this be exploited, taken advantage of? Should we be tracking this amount of information? I don't care if you train your team or they have NDAs or whatever the case is, assume all of that fails. Assume the worst. What, what happens and is the worst is that, can we accept that? Are we going to continue with this? And my guess is, and I'm again, I'm guessing, I'm assuming is that the security team either wasn't involved or was involved and then, you know, told to go away, which we all know happens. And I just. You just. Why? It was just like why I don't, you know, you buy an air tag, you know what the airtag does, right? You may not understand the intricacies, but as a general user, I mean, you know, it's meant to track. You buy a Subaru, do you expect that somebody sitting back and at headquarters can track your car to a specific parking lot? I really doubt that. And nobody's reading the fine print. So I just thought this was inexcusable, frustrating. I Don't own a Subaru, by the way. But I just, I just thought it was inexcusable. Does make me wonder, okay, Subaru got busted, but I got a Chevy, do I. Are they doing something similar? Do I need to be concerned? And what can I do if they were? I can't just can't get rid of it. So why, why is the best response to this?
Rich Stroffolino
And also, if you're going to maintain a system like this, maybe hire someone like Sam Curry to say, like, how is this like. Or put a bug bounty or something on there to say, like, hey, tell us how this is broken so we don't have a horrible headline that says we're exposed the location information to pinpoint accuracy on any Subaru from a desktop. Right.
Sean Marion
And then maybe even give, like, educate the owner and give them the ability to turn it on or turn it off like, you know, like we do with a lot of our personal data. Like, I don't want to share this. I should. In this case here, I would venture to say that a, there's probably a way to completely disable it until I, as the user say, I need help. I want to enable this and turn it on and maybe it's on for 30 minutes and automatically. I don't. They could go through all of that, point being not telling anybody and just putting it on the car. And I gotta find out from Sam that, I mean, thank God there's people smart like him. But. But I mean, come on, just why?
Rich Stroffolino
All right, our last story of today, and I think maybe this will. Maybe, maybe we can tie this to the last story here. CISOs gained boardroom traction, but still lack soft skills, according to Splunk. Maybe kind of tying into, hey, the security team maybe gets ignored. Maybe a little better communication could go a long way here. Let's get into the details. Researchers at Splunk, now a subsidiary of Cisco, released a report showing that 82% of security leaders now report directly to the CEO, up from 47% in 2023. And that in general, the two groups are getting along well, especially when aligning on strateg cybersecurity goals and communicating progress against milestones. However, some of the areas where skill gaps are perceived to exist are in business acumen, emotional intelligence and communication. As expected, the two camps remain distance with regards to a belief that enough money is being or not being spent on cybersecurity efforts. You can guess which side of the divide everyone is on there. But Sean, do you feel that CISOs and other security specialists should ramp up their business acumen, emotional intelligence, you know, all these things they're talking about here. And if so, you know, how can. What. How do you get that ball rolling?
Sean Marion
So, so, full disclosure, I didn't read this before I put a post up on LinkedIn. I think yesterday, day before. It's very much tied. I didn't. They're not tied. I didn't read this just in case people think I cheated. I have a very specific opinion on this. And yes, I do. I think that there was a time when CISOs were young from a profession perspective. Right. We've been around a couple of decades. CFOs have been around forever, CEOs and so forth. We're learning a lot as we go. But there's this tendency, I think, for a lot of the leadership to not understand the security team. So they look to hire a C. So that under is technical. You got to be able to talk to them. And there's some truth to that. We need to be able to converse with the security team and have those types of discussions. But truth be told, the biggest value I bring. I've been talking to boards for 10 years and I didn't get it right at first. I've learned there's been a lot of trial, trial and error. I have learned a lot about how to communicate them, how to, you know, relay risk to them. They don't care about zero trust, most of them, unless you work for a technical company, they don't even know what that means. So how do I relate to them, the importance of zero trust, and why we need to make investments there and get support from that, from the cfo, CEO and so forth. I can only do that if I have a degree of business acumen. I have emotional, like those, those skills are incredibly important. I argue that the days of the technical ciso, they're not over. There are companies that do truly need technical, like deeply technical CISOs. I get that. I know some of them. But by and large, especially the bigger companies, that's not the skills that they're really. That they. I was going to say the skills they're looking for, unfortunately, still looking for those skills. But I think once they get them and they put an individual in the boardroom who cannot talk to the board, they start to change their tune pretty quick.
Rich Stroffolino
Yeah, George Strasberg, totally backing you up here. Talking to the board is vastly different than talking to peers or people in it. And you need to learn that communication, that board specific stuff. And I know there is a lot of. I remember I was doing some research for cybersecurity or for the CISO series podcast and I came across a Reddit thread of, you know, hey, I'm a non technical CISO or something like that. And there's a lot of a, like, community pushback of like, how could you do your job if you don't come from like a deeply technical background? And again, not saying that that stuff is not needed and everything is contextual. Right. Some organizations, like you said, deeply need that, but just kind of ignoring that there could be any other consideration. I don't feel like that's just the board level. You know, that's not just the leadership level either. That's, you know, coming kind of from both sides of kind of a misalignment on what the, the actual job is. So I think that's, that's really. I appreciate that perspective.
Sean Marion
I'd hit on what CCL said here. So also very different talking to board versus talking to C suite. I would agree. Yes. And I would expand that to say different to talking to your peers, different than talking to your head of cyber ops. Like, it's an interesting role and it has evolved so quickly that CISO has to be able to talk to all of those groups in very different ways and get the same message across. Like, what I look at is talking about vulnerabilities with my team is something that we're going to have a discussion about. I want to talk about risk, those types of things. The board or not the board so much, but the C suite I'm talking about, how do I get the investment to fix those vulnerabilities? Same outcome I'm looking for, but two entirely different discussions. And you have, you have to know how to balance and walk that line. If you don't, it's going to be a challenge. It's going to be a continual challenge to get what you need to make progress.
Rich Stroffolino
All right, well, before we get out of here, and thank you so much for that, Sean. That was just truly excellent. Was there a story in the lineup today or just in the news of the week that you reacted strongly to a thumbs up or an eye roller, we like to call it.
Sean Marion
Maybe like a thumbs up eye roller. I don't know, maybe it's like a mix. The CESA thing has really intrigued me. TikTok. I'm not on TikTok. So I did whatever the CESA thing did because I, I spent a lot of time just trying to understand the what and the why, trying to separate the politics and all the, the discourse coming out of you know, out of D.C. and understand like okay, what is my take on this? Because I have a relationship with them. I think there's a lot of good value that comes out. My first take stay at, stay out of like they have a clear mission. Stay out of their space. As I read more I was like well maybe there's an opportunity to improve here. I think we can do it better. But I, there were some eye rollers there but there was also some like that's pretty cool as well.
Rich Stroffolino
Yeah, definitely something we'll be keeping an eye on and, and seeing like if, if they come out with a super sharp mandate I, I feel and that they can deliver on even if it's. If they're cutting some stuff out that they were doing. I feel like from a cyber security perspective that's a net. Net positive. If it's. We're, we're taking away all, you know, like there's a lot that remains to be seen but I, I agree with you. There is, there is a path there for making it an even sharper tool for the industry which would be a net positive before or before we get out of here. Sean, is there any place on the cyberspace that people can follow you if they are so inclined?
Sean Marion
LinkedIn pretty much it. I dumped all my social media a while back except for LinkedIn. You can find me there. I haven't took a bit of time off for the new job but feel free to find me there, reach out, happy to interact and I said I put an article up there about my perspective on C. So just timing was perfect.
Rich Stroffolino
Well thank you so much Sean Marin, VP and CSO over at Xcel Energy. Excellent. We will have to have you back on ASAP because that was truly spectacular. Thank you so so much.
Sean Marion
Great to see. Thanks Adam.
Rich Stroffolino
And thanks also to our sponsor for today Vanta A new way to grc. Thanks to all of our audience today. CCL Geor Strasberger getting involved in there. I've also saw Max Tronick, Kevin Farrell, everybody having a good time in there and giving us some, some excellent points help make the conver our conversation better. Remember each and every Friday you can join us get in on that chat on YouTube at 3:30pm Eastern. Also a reminder to join us next Friday, January 31st for Super Cyber Friday where the topic of discussion will be hacking the third party risk management process. An hour of critical thinking about practical tips, tips for reviewing risk. Then we'll have our weekend Review show at 3:30 Eastern so you can register for both. Get all the information at our events page@cisoseries.com in the meantime, you can still get your daily news fix every single day through cybersecurity headlines. Give us about six minutes. We'll get you all caught up. Until the next time we meet, I'm Rich Stroffolino reminding you to have a super sparkly day.
Sean Marion
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Week in Review – January 24, 2025
Hosted by CISO Series
Summary: The podcast opens with a discussion on the tumultuous week surrounding TikTok’s status in the United States. Initially shut down following a Supreme Court ruling upholding the constitutionality of a law targeting the app, TikTok was swiftly reinstated by President Trump on his inauguration day, albeit under a precarious 90-day reprieve. During this period, TikTok must secure a buyer and potentially accept a 50% ownership stake from the US government or an American company. The specifics remain unclear, leaving the platform's future in a state of limbo.
Key Discussion Points:
Notable Quotes:
Conclusion: Both hosts expressed hope for a more secure and user-friendly solution, emphasizing the need for balanced regulatory approaches that protect users without driving them to less secure platforms.
Summary: The conversation shifts to Kristi Noem’s testimony before the Homeland Security and Governmental Affairs Committee, where she pledged to narrow CISA’s (Cybersecurity and Infrastructure Security Agency) focus. Noem aims to exclude the department from combating disinformation and misinformation, advocating for a leaner, more agile CISA concentrated solely on protecting critical infrastructure.
Key Discussion Points:
Notable Quotes:
Conclusion: Both hosts view the restructuring of CISA as an opportunity for the agency to refine its mission and enhance its capabilities, despite acknowledging the challenges posed by its politicized mandate.
Summary: Dylan Airey of Truffle Security uncovered a vulnerability where malicious actors purchase defunct domains of failed startups to access employee cloud accounts. By leveraging the "sign in with Google" feature, attackers gained unauthorized entry into platforms like ChatGPT, Slack, Notion, Zoom, and even HR systems containing sensitive data such as Social Security numbers.
Key Discussion Points:
Notable Quotes:
Conclusion: The discussion underscores the significance of maintaining robust domain management practices to prevent unauthorized access, highlighting that security often hinges on managing the unglamorous yet essential aspects of IT infrastructure.
Summary: The episode delves into the vulnerabilities exploited against Ukraine’s CERT UA, where threat actors impersonated the team via the remote desktop tool AnyDesk. These attackers sent connection requests under the guise of conducting security audits, successfully infiltrating the network and compromising sensitive systems.
Key Discussion Points:
Notable Quotes:
Conclusion: The hosts agree that while technical tools like AnyDesk are necessary, their secure and controlled use is paramount. Transparency and continuous improvement in security protocols can help prevent similar incidents.
Summary: Sam Curry, a security researcher, exposed critical vulnerabilities in Subaru’s Starlink web portal, which allowed unauthorized individuals to unlock cars, start ignitions, and reassign control features. Additionally, the system could track a vehicle’s exact parking location, raising significant privacy and security concerns.
Key Discussion Points:
Notable Quotes:
Conclusion: The incident underscores the critical need for automotive companies to prioritize cybersecurity in their connected features. Proactive measures, including engaging with security researchers and implementing flexible privacy controls, are essential to safeguard user data and maintain trust.
Summary: The final discussion revolves around a Splunk report indicating that while CISOs have gained significant traction in boardrooms—82% now report directly to the CEO—there remains a deficiency in soft skills such as business acumen, emotional intelligence, and effective communication.
Key Discussion Points:
Notable Quotes:
Conclusion: The podcast underscores the necessity for CISOs to cultivate soft skills to bridge the communication gap with executive leadership. Enhancing these skills can lead to more effective advocacy for cybersecurity initiatives and better alignment with organizational goals.
Summary: In wrapping up, Sean Marion shares his reflections on the discussed stories, particularly the restructuring of CISA and TikTok’s regulatory saga. He underscores the importance of continuous improvement and proactive engagement in cybersecurity practices.
Notable Quotes:
Conclusion: The episode concludes with a mutual agreement on the importance of learning from security incidents and striving for resilient, secure systems. Both hosts express optimism about the industry's ability to adapt and strengthen its defenses in the face of evolving threats.
For those interested in further insights, Sean Marion can be reached via LinkedIn, where he shares perspectives on cybersecurity and leadership.
This summary provides a comprehensive overview of the "Cyber Security Headlines" podcast episode released on January 24, 2025, capturing key discussions, insights, and expert opinions shared by the hosts.