Dave Bittner
You're listening to the CyberWire network, powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know.
Chris Hare
Exactly what's been done.
Dave Bittner
Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
The DOGE team faces growing backlash. The Five Eyes release guidance on protecting edge devices. A critical macOS kernel vulnerability allows privilege escalation, memory corruption, and kernel code execution. Google and Mozilla release security updates for Chrome and Firefox. Multiple Veeam backup products are vulnerable to man-in-the-middle attacks. Zyxel suggests you replace those outdated routers. A former Google engineer faces multiple charges for alleged corporate espionage. CISA issues nine new advisories for ICS vulnerabilities. A House Republican introduces a cybersecurity workforce scholarship bill. On our CertByte segment, a look at ISC2's CISSP exam. And Google updates its stance on AI weapons.
Dave Bittner
It's Wednesday, February 5th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great as always to have you with us. Elon Musk and his advisory team, the Department of Government Efficiency (DOGE), are facing growing backlash over their efforts to dismantle federal agencies. Cybersecurity experts, government officials and Democrats warn that their actions could compromise national security, expose federal employees' data, and violate federal laws. Key concerns center around DOGE's reported access to critical federal systems, including the Treasury's payment system, which processes Social Security payments and federal salaries. Additionally, at the Office of Personnel Management, which stores sensitive employee records, Musk allegedly installed an unvetted private server, raising fears of a repeat of the 2015 OPM hack by Chinese hackers. The White House insists DOGE's access is read-only, but reports suggest a former Musk employee was given administrative privileges. Senator Elizabeth Warren has demanded answers from Treasury Secretary Scott Bessent, emphasizing that these systems handle over $6 trillion in annual transactions. Security experts argue that Musk's actions violate federal cybersecurity laws, including FISMA, and create risks for foreign adversaries to exploit. The lack of oversight and independent logging makes it impossible to verify what information has been accessed or altered. House Democrats warn that the new email system at OPM could enable phishing attacks targeting federal workers. Legal experts stress that granting unauthorized access to federal systems is a felony, and federal employees resisting these changes are reportedly being fired or placed on leave. Critics liken the situation to a precarious Jenga tower, where reckless interference could trigger a catastrophic failure of government operations.
The UK's National Cyber Security Centre and its Five Eyes partners have released new guidance to improve the security of edge devices. These include routers, network-attached storage, IoT devices and perimeter security solutions, all frequent targets of cyber attacks. The document sets baseline security standards for manufacturers and provides best practices for customers selecting network hardware. It emphasizes logging and forensic capabilities, ensuring devices can detect and investigate threats effectively. Edge devices face growing threats from both financially motivated hackers and state-sponsored actors. A 2024 report found vulnerabilities in these devices increased 22%, with higher severity ratings. Recent zero-day exploits, such as those targeting Ivanti and FortiGate products, highlight the risks. A critical macOS kernel vulnerability allows privilege escalation, memory corruption and kernel code execution. Discovered by MIT CSAIL researcher Joseph Ravichandran, the flaw affects macOS Sonoma, Sequoia and iPadOS. The issue stems from a race condition in Apple's XNU kernel involving safe memory reclamation, read-only page mapping and unsafe use of memcpy. Improper synchronization enables unauthorized credential modification. Ravichandran released a proof-of-concept exploit demonstrating the flaw. Apple has not yet patched it, so users should avoid untrusted code. The researcher recommends using atomic writes to fix the issue. Google and Mozilla have released security updates for Chrome and Firefox addressing multiple high-severity memory safety vulnerabilities. Chrome 133 includes 12 security fixes, with three reported by external researchers. Two critical use-after-free flaws affect the Skia graphics library and V8 JavaScript engine, potentially enabling code execution or sandbox escapes. Google awarded $7,000 for one bug and $2,000 for another.
Firefox 135 patches multiple vulnerabilities, including two high-severity use-after-free bugs affecting the Custom Highlight API and XSLT. Additional fixes addressed code execution risks in Firefox, ESR and Thunderbird. No active exploitation has been reported, but users should update their browsers immediately. A critical vulnerability in multiple Veeam backup products allows attackers to execute remote code via man-in-the-middle attacks, with a CVSS score of 9.0. This flaw in the Veeam updater component can lead to full system compromise, including data theft and ransomware attacks. Affected products include Veeam Backup for Salesforce, AWS, Azure, Google Cloud and others. Veeam has released urgent patches and users should update immediately to mitigate risks. Attackers can intercept and manipulate update requests, injecting malicious code. Zyxel has announced it will not release patches for two actively exploited vulnerabilities affecting its end-of-life routers, despite warnings from security researchers. Threat intelligence firm GreyNoise reported that attackers are using these flaws to execute arbitrary commands, leading to full system compromise. The vulnerabilities were discovered by VulnCheck in mid-2023 but remained unpatched. Zyxel claims it was unaware until January 29, after GreyNoise reported active exploitation. The company advises customers to replace affected routers instead of expecting fixes. Security researchers argue that many impacted devices remain in use and even available for purchase online. Censys reports nearly 1,500 vulnerable routers exposed to the Internet, and GreyNoise warns botnets like Mirai are exploiting the flaws in large-scale attacks. Former Google engineer Linwei Ding faces multiple charges for allegedly stealing AI trade secrets for a Chinese company. Prosecutors say Ding copied over 1,000 confidential files related to Google's AI supercomputing infrastructure between 2022 and 2023.
He allegedly transferred this data using Apple Notes to bypass security measures. Ding was later offered a CTO position at Beijing Rongshu Lianzhi Technology while still employed at Google. After leaving Rongshu, he founded a Chinese AI startup which sought government funding to develop AI infrastructure. Google detected the theft in December of 2023, revoked Ding's access and notified authorities. He was arrested in March of 2024. If convicted, he faces up to 15 years per economic espionage charge and 10 years per trade secret theft count, plus millions in fines. CISA has issued nine new advisories highlighting critical vulnerabilities in industrial control systems. These flaws impact major vendors like Rockwell Automation, Schneider Electric and AutomationDirect, posing risks to energy, manufacturing and transportation sectors. Key vulnerabilities include remote code execution, denial-of-service attacks and unauthorized access, with CVSS scores reaching 9.3. Affected devices range from routers and PLCs to industrial software. Some vendors have issued patches, while others recommend network segmentation or device replacement. GreyNoise reports botnets actively exploiting certain vulnerabilities, emphasizing the urgency of mitigation. CISA urges organizations to apply updates immediately to protect critical infrastructure from cyber threats. Additionally, former DHS and Energy Department cyber executive Karen Evans has joined CISA as a senior advisor for cybersecurity. While her role is currently advisory, sources suggest she may be named Executive Assistant Director for Cybersecurity Authority or move into a top DHS position. Evans previously served as DHS CIO and led cybersecurity efforts at the Department of Energy. Since leaving government in 2020, she worked in the private sector and co-led a national study on CISA's cybersecurity workforce role. Her return comes as agencies combat Chinese-backed cyber threats like Volt Typhoon.
Meanwhile, CISA's future under the Trump administration remains uncertain, with Homeland Security Secretary Kristi Noem advocating for a smaller, more nimble agency and criticizing its involvement in countering misinformation during elections. Key cybersecurity leadership roles in the administration remain unfilled. House Homeland Security Committee Chairman Mark Green, a Republican from Tennessee, is reintroducing the PIVOTT Act, a bill aimed at addressing the U.S. cyber workforce shortage by creating an ROTC-like scholarship for two-year cybersecurity degrees. The legislation, which previously had unanimous committee support, stalled last session but remains a priority due to growing cyber threats, particularly from Chinese-backed hacking groups like Volt Typhoon. Under the bill, students at community colleges and technical schools would receive scholarships in exchange for two years of government cyber service at any level. The program, managed by CISA, also seeks to expedite security clearances and place 10,000 new cyber professionals in the workforce. Despite internal Republican debates over CISA's role, Green argues the agency is critical to national cybersecurity and workforce development efforts. Coming up after the break on our CertByte segment, a look at ISC2's CISSP exam. And Google updates its stance on AI weapons. Stay with us.
Chris Hare
Cyber threats are evolving every second.
Dave Bittner
And staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default-deny approach can keep your company safe and compliant. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off. Up next, it's our CertByte segment. N2K's Chris Hare is joined by Steven Burnley to break down a question from N2K's ISC2 CISSP practice test.
Steven Burnley
Hi everyone, it's Chris. I'm a content developer and project management specialist here at N2K Networks. I'm also your host for this week's edition of CertByte, where I share a practice test question from our suite of industry-leading content and a study tip to help you achieve the professional certifications you need to fast-track your career growth in IT, cybersecurity and project management. Today's question targets the ISC2 CISSP (Certified Information Systems Security Professional) exam, which was recently updated on April 15, 2024. This exam is targeted for experienced security practitioners, executives and managers who want to prove their knowledge across a variety of security practices and principles. ISC2 asserts that the CISSP is the world's premier cybersecurity certification. So I have enlisted Steven once again to join us, who is our resident ISC2 expert. So it's very apropos that he's here today. Welcome, Steven. How are you?
Unknown
I'm doing great, Chris. How are you?
Steven Burnley
I'm doing well, thank you for asking. So what do you think about the CISSP being touted as the world's premier cybersecurity certification, as I mentioned?
Unknown
Well, I think a title like that is well deserved for the CISSP. It has been the premier cybersecurity certification since before we started talking about cybersecurity on a daily basis, and they have earned their reputation as sort of the capstone of any cybersecurity professional's certification journey.
Steven Burnley
Oh, nice. So, Steven, you are going to be asking me today's question, but while I muster up some moxie, I understand you have a 10-second study bit for us. So what do you have?
Unknown
Well, I always recommend to students that in a broad-topic exam like this, which is really comprehensive, you study the parts of the exam that scare you. You know, sometimes we gravitate towards the material we're familiar with. But I like the phrase "the obstacle is the path." So if it scares you, read. For example, they've added an exam objective related to DevSecOps for software development. Security might not be in the wheelhouse or experience of a lot of people traditionally, but it still builds awareness of the topic. So cover every objective in the outline when you're studying.
Steven Burnley
I like that. Study what scares you. All right, hit me with today's question.
Unknown
All right, now this is a scenario question, so let's go through it. It says: you are your organization's security administrator and you're reviewing the audit results to assess if your organization's security baselines are maintained. In which phase of the security management lifecycle are you engaged? Now, it is multiple choice, so let me read you your four choices: plan and organize; implement; operate and maintain; or monitor and evaluate.
Steven Burnley
Okay, Steven, so this is from "Evaluate and apply organizational processes and organizational roles and responsibilities" under the objective "Evaluate and apply security governance principles." Correct?
Unknown
Exactly.
Steven Burnley
All right, so I got one correct so far. So this is one of those step one, step two, step three, sequential-type questions where there's a precedence relationship, meaning there is a specific order of operations involved. I'm not at all network security proficient, surprise, surprise. So I'm going to use some contextual logic here to answer this question. But first I have to ask, as this seems to be a set of steps that are part of the security management lifecycle: are all of the answer choices inclusive of all of the steps that are part of this cycle?
Unknown
On this one?
Chris Hare
No.
Steven Burnley
Hmm. Okay, so if the student has these steps memorized, this should help narrow down the focus of their options a bit. Now I'm going to hone in on the verbs used, which should help me clue into the proper answer selection. Okay, so it says "reviewing the audit results to assess." So the words "review" and "assess": if I just pull those two verbs out, I can see how they map to each of your answers. So do I feel that "plan and organize" maps to "review" and "assess"? Well, plan and organize sound like initial steps one would take, so I'm going to rule that one out. Next, "implement." This doesn't quite map to the act of reviewing and assessing, which sound more post-implementation, so strike that one out also. Next, "operate and maintain." Since the question refers to "maintained" in the past tense, this doesn't track well either, so I'm going to pass on that one. Lastly, "monitor and evaluate." These terms seem to fit well, as "monitor" can be synonymous with "review" and "evaluate" is synonymous with "assess." So I'm going to go with D, monitor and evaluate.
Unknown
Very nice work. That is the correct answer, D. All right. And you are engaged in that monitor and evaluate phase of the security management lifecycle. And this phase could include things like review logs, audit results, metrics, and service level agreements; assess team accomplishments; complete quarterly steering committee meetings; develop improved steps for integration into the plan and organize phase. And reviewing audits is not part of any other phase.
Steven Burnley
Okay, so Stephen, do you have any other advice about how a student can study for this question?
Unknown
Well, one of the things that I liked listening to your breakdown is that you were paying very close attention to verb tense, like the difference between "maintain" and "maintained." And when you're looking at procedural questions like that, you are exactly on the right track. Those are pro test-taking skills there.
Steven Burnley
Excellent. Well, another good question. Appreciate your being here today, Steven.
Unknown
Thank you very much for having me.
Steven Burnley
Sure. Are there any upcoming ISC2 or other practice tests you'd like to promote here?
Unknown
Yes, actually we have an update coming to the CISSP exam in early 2025. And in addition to that, we did just update the framework for the Cisco Certified Network Associate, or CCNA, exam this past September. And we also have a ton more coming in Microsoft, CompTIA and Amazon exam updates. So keep on the lookout for those on our website.
Steven Burnley
All right, looking forward to those. Thanks so much Steven.
Unknown
Thank you.
Steven Burnley
And thank you for joining me for this week's CertByte. If you're actively studying for this certification and have any questions about study tips or even future certification questions you'd like to see, please feel free to email me at certbyte@n2k.com. That's C-E-R-T-B-Y-T-E at N-2-K dot com. If you'd like to learn more about N2K's practice tests, visit our website at n2k.com/certify for more resources, including N2K Pro offerings. Check out thecyberwire.com/pro. For sources and citations for this question, please check out our show notes. Happy certifying.
Dave Bittner
That's N2K's Chris Hare joined by Steven Burnley. We'll have a link to N2K's ISC2 CISSP practice test in the show notes.
Chris Hare
And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement, connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Dave Bittner
And finally, our Terms and Conditions desk points out that Google just quietly updated its AI ethics playbook, deleting its previous pledge not to use AI for weapons or surveillance. Because, you know, times change and so do corporate priorities. The company says the update reflects a new geopolitical reality where democratic nations should lead in AI development. Gone are the days when Google employees protested Pentagon contracts. Now Google joins OpenAI, Microsoft and Amazon in cozying up to defense agencies. The move follows rising US-China tensions over AI dominance, with Google aligning itself with national security interests. Critics see this as yet another example of tech giants quietly ditching their past moral stances. But Google insists it's still all about human rights, just with more government contracts on the side. As for past promises, well, those seem to have been lost somewhere between government funding and geopolitical tension. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Podcast Summary: CyberWire Daily - "DOGE Days Numbered?" (February 5, 2025)
Introduction
In the February 5, 2025 episode of CyberWire Daily, hosted by Dave Bittner from N2K Networks, the spotlight is on the escalating controversy surrounding Elon Musk's advisory team, DOGE, and their involvement with federal agencies. The episode covers a range of cybersecurity news, including significant vulnerabilities, corporate espionage, workforce initiatives, and updates on cybersecurity certifications. This summary captures the key discussions, insights, and conclusions presented throughout the episode.
Elon Musk's DOGE and Federal Agency Access
The episode opens with a deep dive into the contentious role of Elon Musk's advisory group, DOGE, within federal agencies. The team has been accused of attempting to dismantle critical federal operations, raising alarms among cybersecurity experts, government officials, and Democratic lawmakers.
National Security Concerns: Experts warn that DOGE's efforts could jeopardize national security by exposing sensitive data of federal employees and violating federal laws. “Their actions could compromise national security, expose federal employees' data, and violate federal laws,” states Bittner ([02:31]).
Access to Critical Systems: Specific concerns revolve around DOGE's access to pivotal federal systems:
Administrative Privileges and Legal Violations: Contrary to White House assurances that DOGE's access is read-only, reports indicate that a former Musk employee may have been granted administrative privileges. This unauthorized access is argued to breach federal cybersecurity laws, including FISMA (the Federal Information Security Management Act), thereby creating vulnerabilities that foreign adversaries could exploit.
Political Repercussions: Senator Elizabeth Warren has called for accountability from Treasury Secretary Scott Bessent, emphasizing the scale of the systems at risk. “Senator Elizabeth Warren has demanded answers from Treasury Secretary Scott Bessent, emphasizing that these systems handle over $6 trillion in annual transactions,” notes Bittner ([02:31]).
Operational Hazards: The lack of oversight and independent logging systems makes it impossible to verify the integrity of accessed or altered information. House Democrats have expressed concerns that new email systems at OPM may facilitate phishing attacks targeting federal employees. Additionally, there are reports of federal employees facing termination or leave for resisting these unauthorized changes.
Analogy to Jenga: The situation is metaphorically described as a precarious Jenga tower, where each reckless interference risks triggering a catastrophic collapse of government operations. “Critics liken the situation to a precarious Jenga tower, where reckless interference could trigger a catastrophic failure of government operations,” Bittner highlights ([02:31]).
Industry and Government Response
In response to the growing threats associated with edge devices, the UK's National Cyber Security Centre and its Five Eyes partners have released new guidelines. These standards aim to bolster the security of routers, network-attached storage, IoT devices, and perimeter security solutions, which are frequent targets for cyber attacks.
Baseline Security Standards: The guidelines set baseline security measures for manufacturers and outline best practices for consumers selecting network hardware. Emphasis is placed on logging and forensic capabilities to ensure devices can effectively detect and investigate threats.
Rising Vulnerabilities: A 2024 report indicated a 22% increase in vulnerabilities within edge devices, many with higher severity ratings. Recent zero-day exploits targeting products like Ivanti and FortiGate underscore the escalating risks.
macOS Kernel Vulnerability
A significant security concern involves a critical macOS kernel vulnerability that allows for privilege escalation, memory corruption, and kernel code execution. Discovered by MIT CSAIL researcher Joseph Ravichandran, the flaw affects macOS Sonoma, Sequoia, and iPadOS.
Technical Details: The vulnerability arises from a race condition in Apple's XNU kernel involving safe memory reclamation, read-only page mapping, and unsafe use of memcpy. This improper synchronization permits unauthorized credential modifications; the researcher recommends atomic writes as the fix.
Proof of Concept: Ravichandran released a proof-of-concept exploit demonstrating the flaw, urging users to avoid running untrusted code until Apple releases a patch. “A critical macOS kernel vulnerability allows privilege escalation, memory corruption and kernel code execution,” Bittner reports ([02:31]).
Google and Mozilla Security Updates
Both Google and Mozilla have released urgent security updates addressing multiple high-severity vulnerabilities in their browsers, Chrome and Firefox, respectively.
Chrome 133: Includes 12 security fixes, three of which were identified by external researchers. Two critical use-after-free flaws in the Skia graphics library and the V8 JavaScript engine could enable code execution or sandbox escapes. Google awarded $7,000 and $2,000 respectively for the two bugs.
Firefox 135: Patches several vulnerabilities, including high-severity use-after-free bugs in the Custom Highlight API and XSLT. These fixes mitigate risks of code execution across Firefox, ESR, and Thunderbird. “Google and Mozilla have released security updates for Chrome and Firefox addressing multiple high severity memory safety vulnerabilities,” Bittner explains ([02:31]).
Veeam Backup Products Vulnerability
A critical vulnerability in multiple Veeam backup products exposes systems to man-in-the-middle attacks, allowing remote code execution with a CVSS score of 9.0.
Impact: The flaw in the Veeam updater component can lead to full system compromise, data theft, and ransomware attacks, since attackers who intercept update requests can manipulate them to inject malicious code. Affected products include Veeam Backup for Salesforce, AWS, Azure, Google Cloud, and others.
Mitigation: Veeam has released urgent patches, advising users to update immediately to prevent exploitation. “A critical vulnerability in multiple Veeam backup products allows attackers to execute remote code via man in the middle attacks with a CVSS score of 9.0,” Bittner notes ([02:31]).
Zyxel Router Vulnerabilities
Zyxel has declared it will not issue patches for two actively exploited vulnerabilities affecting its end-of-life routers, contrary to recommendations from security researchers.
Exploitation: Threat intelligence firm GreyNoise reports that attackers are exploiting these flaws to execute arbitrary commands, resulting in full system compromises. The flaws were discovered by VulnCheck in mid-2023 but remained unpatched. Censys counts approximately 1,500 vulnerable routers exposed to the internet, with botnets like Mirai leveraging these vulnerabilities in large-scale attacks.
Company Response: Zyxel, which says it was unaware of the issue until GreyNoise reported active exploitation on January 29, advises customers to replace affected routers rather than expect fixes, although many affected devices remain in use and even available for purchase online. “Zyxel suggests you replace those outdated routers,” Bittner summarizes ([02:31]).
Linwei Ding, a former Google engineer, stands accused of stealing AI trade secrets for a Chinese company, facing multiple charges that could result in significant prison time and hefty fines.
Allegations: Prosecutors allege that between 2022 and 2023, Ding copied over 1,000 confidential files related to Google's AI supercomputing infrastructure. He reportedly used Apple Notes to transfer the data to bypass security measures.
Career Trajectory: While still employed at Google, Ding was offered a CTO position at Beijing Rongshu Lianzhi Technology. After leaving Rongshu, he founded a Chinese AI startup seeking government funding to develop AI infrastructure.
Detection and Arrest: Google detected the data theft in December 2023, promptly revoking Ding's access and notifying authorities. He was arrested in March 2024. “Former Google engineer Linwei Ding faces multiple charges for allegedly stealing AI trade secrets for a Chinese company,” Bittner states ([02:31]).
Potential Consequences: If convicted, Ding could face up to 15 years per economic espionage charge and 10 years per trade secret theft count, along with millions in fines.
The Cybersecurity and Infrastructure Security Agency (CISA) has released nine new advisories highlighting critical vulnerabilities in Industrial Control Systems (ICS). These vulnerabilities affect major vendors like Rockwell Automation, Schneider Electric, and AutomationDirect, impacting sectors such as energy, manufacturing, and transportation.
Key Vulnerabilities: The advisories identify risks including remote code execution, denial of service (DoS) attacks, and unauthorized access, with some vulnerabilities scoring as high as 9.3 on the CVSS scale.
Affected Devices: The vulnerabilities span a range of devices, including routers, Programmable Logic Controllers (PLCs), and industrial software platforms.
Mitigation Strategies: While some vendors have issued patches, others recommend network segmentation or outright device replacement. “CISA has issued nine new advisories highlighting critical vulnerabilities in industrial control systems,” mentions Bittner ([02:31]).
Botnet Exploitation: GreyNoise reports that botnets are actively exploiting certain vulnerabilities, emphasizing the urgent need for organizations to apply updates and protect critical infrastructure from cyber threats.
Industry Leadership Changes
Karen Evans, former DHS and Energy Department cyber executive, has joined CISA as a senior advisor for cybersecurity. Her extensive experience includes serving as DHS CIO and leading cybersecurity efforts at the Department of Energy. Although her role is currently advisory, sources indicate she may ascend to a pivotal position within DHS.
Strategic Importance: Evans' leadership comes at a crucial time as agencies battle Chinese-backed cyber threats like Volt Typhoon. Her expertise is expected to bolster CISA's capabilities in countering sophisticated cyber adversaries.
Political Landscape: The future of CISA under the Trump administration remains uncertain, with Homeland Security Secretary Kristi Noem advocating for a more streamlined agency and criticizing its involvement in countering misinformation during elections. Key cybersecurity leadership roles in the administration are still awaiting appointments.
House Homeland Security Committee Chairman Mark Green, a Republican from Tennessee, has reintroduced the Pivot Act—a bill designed to address the U.S. cybersecurity workforce shortage by establishing an ROTC-like scholarship program for two-year cybersecurity degrees.
Legislative Details: The Pivot Act proposes that students at community colleges and technical schools receive scholarships in exchange for two years of government cyber service. Managed by CISA, the program aims to accelerate security clearances and inject 10,000 new cyber professionals into the workforce.
Support and Challenges: Despite previous unanimous committee support, the bill stalled in the last session but remains a priority due to escalating cyber threats, particularly from Chinese-backed hacking groups like Volt Typhoon. “House Democrats warn that the new email system at OPM could enable phishing attacks targeting federal workers,” Bittner adds ([02:31]).
Agency Roles: Mark Green emphasizes the critical role of CISA in national cybersecurity and workforce development efforts, even amidst internal Republican debates over the agency’s functions. “House Homeland Security Committee Chairman Mark Green... argues the agency is critical to national cybersecurity and workforce development efforts,” Bittner states ([02:31]).
In the CertBytes segment, hosted by Chris Hare and Steven Burnley, the focus shifts to cybersecurity certifications, specifically the CISSP (Certified Information Systems Security Professional) exam.
CISSP Exam Overview
Target Audience: The CISSP exam is designed for experienced security practitioners, executives, and managers seeking to validate their comprehensive knowledge across various security practices and principles.
Expert Insights: Steven Burnley, N2K Networks’ resident ISC2 expert, underscores the CISSP's reputation as the premier cybersecurity certification. “It has been the premier cybersecurity certification... they have earned their reputation as sort of the capstone of any cybersecurity professional's certification journey,” Steven asserts ([17:08]).
Study Tips and Practice Question
Study Strategy: The recommended approach is to focus on exam topics that challenge the candidate. Stephen advises, “You study the parts of the exam that scare you... cover every objective in the outline when you're studying,” encouraging a comprehensive review ([17:52]).
Practice Question: Participants engage in a scenario-based question to assess understanding of the security management lifecycle.
Question: You are your organization's security administrator and you're reviewing the audit results to assess if your organization's security baselines are maintained. In which phase of the security management lifecycle are you engaged?
Choices:
Discussion: Steven Burnley methodically analyzes the question, emphasizing the importance of verb tense and contextual logic in mapping actions to lifecycle phases. Ultimately, the correct answer is Monitor and evaluate. “Monitor and evaluate... are synonymous with review and assess,” Steven concludes ([19:19]).
Additional Advice: Stephen commends Steven's analytical approach and reiterates the value of focusing on action verbs to determine the correct lifecycle phase. “Study what scares you... those are pro test taking skills,” he adds ([21:47]).
Upcoming Certifications
Stephen mentions upcoming updates to various certification exams, including an early 2025 CISSP update and recent changes to the Cisco Certified Network Associate (CCNA) exam, encouraging listeners to stay tuned for more resources ([22:17]).
In the final segment, Dave Bittner addresses Google's recent update to its AI ethics playbook, which marks a significant shift from its previous stance.
Policy Changes: Google has quietly updated its AI ethics guidelines, removing the prior pledge not to use AI for weapons or surveillance. The company asserts that this change reflects a new geopolitical reality where democratic nations should lead in AI development.
Strategic Realignment: This update coincides with rising U.S.-China tensions over AI dominance. Google, along with OpenAI, Microsoft, and Amazon, is aligning more closely with defense agencies, shifting away from earlier moral stances against military applications.
Public and Internal Reaction: Critics view this as tech giants abandoning their previous ethical commitments in favor of government contracts and geopolitical maneuvering. Despite the backlash, Google maintains that its focus remains on human rights, even as it engages more with defense initiatives.
Loss of Past Commitments: Bittner remarks, “As for past promises, well, those seem to have been lost somewhere between government funding and geopolitical tension,” highlighting the perceived erosion of Google's earlier ethical assurances ([25:19]).
Conclusion
The CyberWire Daily episode titled "DOGE Days Numbered?" provides an in-depth analysis of pressing cybersecurity issues, from contentious corporate-government interactions and critical system vulnerabilities to significant espionage cases and strategic workforce initiatives. Additionally, the episode offers valuable insights for cybersecurity professionals pursuing certifications. The closing discussion on Google's AI ethics shift underscores the complex interplay between technology, ethics, and geopolitics in the modern cybersecurity landscape.
Notable Quotes:
“Their actions could compromise national security, expose federal employees' data, and violate federal laws.” — Dave Bittner ([02:31])
“Study what scares you... those are pro test taking skills.” — Steven Burnley ([21:47])
“Google just quietly updated its AI ethics playbook, deleting its previous pledge not to use AI for weapons or surveillance.” — Dave Bittner ([25:19])
Resources and Further Information
For more detailed insights and access to the ISC2 CISSP practice test mentioned in the episode, listeners are encouraged to visit N2K's website and explore additional resources at thecyberwire.com.