Aaron Anderson
You're listening to the Cyberwire network. Powered by N2K.
Dave Bittner
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.

Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com, the numbers 47day.

A cyber attack disrupts Bridgestone's manufacturing operations. CISA warns of critical vulnerabilities in products across multiple sectors. Additional cybersecurity firms confirmed data exposure in the recent Salesforce Salesloft Drift attack. A configuration vulnerability in Sitecore products leads to remote code execution. HHS promises stricter enforcement of healthcare information access rules. Texas sues an education software provider over a December 2024 data breach. A federal jury orders Google to pay $420 million over improperly collected user data. Nations unite for global guidance on SBOMs. On our Industry Voices segment, we're joined by Aaron Anderson, Enterprise Security Manager of Adobe, on embracing the journey to Zero Trust. And Chess.com gets caught in a tricky gambit. It's Friday, September 5, 2020.
Hi, I'm Dave Bittner and this is your Cyberwire Intel Briefing. Happy Friday and thanks for joining us here today.

Bridgestone Americas, the North American arm of tire giant Bridgestone, is investigating a cyberattack that disrupted some manufacturing operations. The incident, reported on September 2, initially impacted two facilities in South Carolina and later one in Quebec. Bridgestone says its rapid response contained the attack early, preventing customer data theft or deeper network compromise. While forensic analysis continues, the company stressed that business continuity and customer obligations remain top priorities. Staff are working to minimize supply chain impacts, though product shortages are possible. Bridgestone has not confirmed whether ransomware was involved and no group has claimed responsibility. The company previously suffered a LockBit ransomware attack in 2022, raising questions about potential repeat targeting.

CISA issued five new ICS advisories warning of critical vulnerabilities in products used across energy, manufacturing, transportation and healthcare sectors. Affected systems include Honeywell's OneWireless WDM and Experion PKS, Mitsubishi Electric's ICONICS Digital Solutions, Delta Electronics' COMMGR, and the End-of-Train/Head-of-Train rail protocol. CISA highlighted flaws ranging from memory buffer overflows and integer underflows to weak encryption and symbolic link exploitation. Many issues could enable remote code execution, denial of service or data exposure. Notably, Honeywell and Mitsubishi vulnerabilities carry high CVSS scores, while Delta's flaw scored 9.8. Rail vulnerabilities could let attackers spoof brake control signals. Vendors are releasing patches, but CISA urges immediate mitigations such as strict access controls, network segmentation and patching to reduce exploitation risk.
Cybersecurity firms Proofpoint, SpyCloud, Tanium and Tenable confirmed data exposure in the recent Salesforce Salesloft Drift attack, part of a campaign disclosed on August 26 by Google Threat Group. UNC6395 exploited OAuth tokens in the Drift integration to steal sensitive Salesforce data from over 700 organizations. Exposed information included AWS keys, emails, phone numbers and CRM details. While the firms stressed that customer protected data and internal systems were not compromised, they rotated credentials, removed Drift and secured systems to prevent further impact.

Attackers are exploiting a configuration vulnerability in Sitecore products to achieve remote code execution and deploy malware. The flaw affects all versions of Sitecore XM, XP, XC and Managed Cloud. If deployed in multiple-instance mode with customer-managed static machine keys, systems using sample keys from old Sitecore documentation are most at risk. Criminals have used these exposed keys to push malicious ViewState payloads, enabling deployment of WeepSteel malware for system and user data collection. Mandiant reported disrupting one such attack before full impact was known but observed privilege escalation, credential theft and lateral movement attempts. Sitecore urges customers to rotate keys immediately. CISA has added the flaw to its Known Exploited Vulnerabilities catalog.

The Department of Health and Human Services announced stricter enforcement of the 21st Century Cures Act's information blocking rules, which prohibit practices that interfere with access, exchange or use of electronic health information. Violations can carry fines up to $1 million for health IT vendors and information exchanges, while providers risk financial penalties from Medicare and Medicaid. HHS says patients must have free, timely electronic access to their records, including through apps of choice.
Exceptions exist for privacy and security concerns, but providers delaying or limiting access may face enforcement. The Office of Inspector General is investigating cases, and experts expect HHS to focus on vendors imposing unreasonable data restrictions and providers failing to provide timely access.

Texas Attorney General Ken Paxton has sued education software provider PowerSchool over a December 2024 data breach that exposed the personal information of 62 million students, including 880,000 Texans. The breach, caused by stolen subcontractor credentials, led to the theft of names, Social Security numbers, contact details and medical data. Attackers demanded $2.85 million in Bitcoin. PowerSchool later confirmed paying the ransom, though the company claimed stolen data was erased. Schools were later re-extorted. One 19-year-old student has since pleaded guilty to orchestrating the attack. Paxton alleges PowerSchool violated Texas consumer protection and identity theft laws by failing to secure sensitive data. CrowdStrike investigations also revealed earlier breaches in 2024. Paxton vowed to hold PowerSchool accountable for putting families at risk.

A federal jury ordered Google to pay $425 million to plaintiffs who claim the company collected user data even after they disabled app activity tracking. The class action suit, representing 98 million users, alleged Google violated its own privacy policy over an eight-year period. The jury did not find malice or award punitive damages, but ruled Google's actions invaded privacy. Privacy advocates hailed the verdict as a rare and significant win, while Google plans to appeal, arguing its privacy tools already honor user choice.

Cybersecurity and intelligence agencies from 15 countries have jointly released guidance promoting software bills of materials as a key tool for securing the global software supply chain.
Published September 3, the document, titled A Shared Vision of Software Bill of Materials for Cybersecurity, defines SBOMs, explains their value and outlines roles for producers, users and operators. It encourages broad adoption, harmonized implementations and integration into security workflows. Signatories include CISA, NSA and agencies from Europe, Asia and beyond. Officials stressed that modern software's complexity makes transparency essential, while experts warned that divergent approaches could hinder progress. Observers see the agreement as a milestone, but note the next challenge is aligning legislation across nations to avoid fragmented requirements and costs.

Coming up after the break, my conversation with Aaron Anderson, Enterprise Security Manager at Adobe, on embracing the journey to Zero Trust. And Chess.com gets caught in a tricky gambit. Stay with us.

They know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Aaron Anderson is Enterprise Security Manager of Adobe and on today's sponsored Industry Voices segment we discuss embracing the journey to Zero Trust.
Aaron Anderson
So I've been working at Adobe for quite a while now, for 25 years. Just had my anniversary. So I started off actually doing support in an IT capacity for out of college for a different organization. Came to Adobe, started working in more of a SOC incident analyst kind of role and then just over the years have been able to take advantage of Adobe's flexibility and move into new roles. And now I manage a team that's all focused on enterprise security and architecture and engineering type tasks.
Dave Bittner
Well, today we're focusing on Zero Trust. I would love to hear how you and your colleagues at Adobe define that.
Aaron Anderson
Yeah, so for us, Zero Trust is really based on some of the more common frameworks we tend to use at Adobe, the CISA framework, and it's a way of evaluating our own controls and our own maturity against those controls for how we want to address changes in the environment and how we're assessing our ability to, you know, address those changes. So as a good example, it used to be that previous to Zero Trust, a lot of the perimeter controls were sufficient for what a lot of security organizations consider good enough. But nowadays it's really addressing the assumed compromise type of mindset where we don't know for a fact that the device or the user or those things are what we expect. And so really building into how we allow access based on that Zero Trust concept of confirming it is what we think it is, assessing the impact or the risk rather before access is granted and using other attributes to make those decisions at the time of access.
Dave Bittner
Yeah. I'm curious, as you and your colleagues have gone along this pathway, have you found that there are some common misperceptions that folks have about zero trust?
Aaron Anderson
Yeah, there's a few, a few that we've encountered. One is that zero trust has been out there for a while now, so everybody's perception of what it does or does not include is a little bit different. So internally that means really evaluating and evangelizing how we perceive zero trust in Adobe, how we've done our own assessments, what the framework looks like that we're using, and how we're measuring our success and adherence to those principles across the board. I think another misconception I've seen just talking to other individuals and other companies is that it's only intended for large organizations. And our implementation of it and how we've used the controls and the framework really highlights that you don't have to be a large organization with vast resources to take advantage of zero trust. It's really something that you can do at almost any level, whether it comes to how you're managing your identities and entitlements to broader device and data controls that might get into the level of what a large enterprise can do. But again, it can really vary by organization. But all of the security controls, regardless to what level they're implemented, still offer some value for an organization.
Dave Bittner
Well, can you take us through that journey and maybe help some organizations hear about where maybe they should start with zero trust? What sort of considerations did you all make once you made a decision to move forward with this?
Aaron Anderson
Yeah, so we started with really evaluating what were some of the more common frameworks that talk about zero trust. So at Adobe we use the CISA framework, as I mentioned, and that's really built upon other ways that CISA standards have been implemented at Adobe. So there's some built-in trust for what those provide. So really evaluating that: where were we at from a maturity perspective? Because zero trust, again, is more of a journey. And so really evaluating where are we at today, where do we want to go and how can we use that to make prioritized decisions about where we want to end up. And then I think some of the other things that took us down the path of considering what we want to do here is just recognizing the changes in the environment. Some of the historical perimeter-level controls, things like firewalls, just were no longer sufficient for a largely SaaS and cloud-based type of environment. You know, the pandemic and remote work made a big difference. So really all of a sudden, so many workers were not using the corporate network. So really evaluating how our controls were reflected and still meeting our expectations for the changes in both the work patterns, where the data that we were trying to protect actually resided, and just how people are now accessing it in such a different way than they used to in the past, and evaluating did we still meet what we were expecting and what do we want to get out of it going forward, knowing those things will continue to be the trends.
Dave Bittner
How did you measure progress along the way and determine whether or not you were being successful?
Aaron Anderson
Yeah, that's a good question. And it was definitely a challenge initially. We started with some very basic measurements to begin with, such as how many users or how many services were actually meeting our baseline standards. So a great example was for remote access. How many users have we successfully migrated to a stronger remote access solution that was much more aligned with our Zero Trust initiative and efforts? And then as we've matured, really getting much more complex to measuring how well are we not only achieving security goals, but also business goals. So aligning those two, I think one example is when it comes to identity, we've really taken a stance of, as we've gotten more complex, not only looking to determine how we can achieve what we want to get from a security perspective. So again, knowing who the user is behind that identity, how it's being used, what it reflects, but also evaluating how this is impacting the business. So can we do things with part of the Zero Trust initiative that would make it easier for the business to get value out of it? And that's really getting back to how access is being granted, entitlements. So as we streamline that, we saw value on the Zero Trust side and the security side, but also the business saw value in the amount of time they had to spend onboarding workers or ensuring that the access they had worked on day one. So those are the things where I think, you know, just thinking of the Adobe journey, where we started to where we're going, we've really been able to mature those metrics and those value measurements to make sure we're still on track.
Dave Bittner
Well, you mentioned the business sides of things and how was leadership on board with this? How do you. How were you able to set expectations for them along the way?
Aaron Anderson
Yeah, so that's a good question in that initially some of the biggest ones we had were being able to show the business value. Making a secure remote access solution for all the remote work was just a big win. And this is a time when we recognized internally that so many workers were not going to come into the office that it was just easy to sell. This is a new offering that didn't require, say, radical changes or growth in our VPN solution. The much more nuanced, as we've been able to show progress there and show that we can deliver, being able to show the business and leadership clearly what we will be delivering as an outcome, how we'll be measuring it. And that really went a long ways in getting the support and the recognition that our implementation was actually going to have value not only from a security perspective, but either in cost savings or in some cases just ease of implementation for the business. When it comes to, you know, onboarding a new service, I think actually SaaS is a great example. Being able to demonstrate how the solutions we're providing can make it easier to more securely make a SaaS solution available to our customers, our internal customers. It's a big win for not only the program, but for the business as well.
Dave Bittner
What advice do you have for organizations who may want to follow in your footsteps here? They're looking to implement a zero trust model in their own organization.
Aaron Anderson
I would look to start with what it is that you might consider as a framework, just to get an understanding of how you're going to evaluate zero trust in your organization. So then using that to really measure what's your current state. I think a lot of organizations don't take the time to really evaluate where they're starting from. And if you don't know where you start, it's kind of challenging to understand just how much success you've had or where you should be prioritizing your work. I think another key thing I would consider is, as you're starting down this journey, really thinking of it as a journey and not just a project, so that you can really look at what's the long-term goals, what are the things we want to achieve over time and how are we going to measure in a very quantitative way as we're making that progress. You know, Zero Trust, although a lot of it is very technology based, a lot of the big wins actually come from understanding how that technology will be measured and impact the business, what kind of ways you can show definitive success and something that leadership can get behind. I don't think this is unique to Zero Trust. This is common to a lot of, you know, security offerings, being able to measure that. I just think with Zero Trust, because it's a whole program, it's important to really be explicit in that and being clear about how you'll be measuring your outcomes, your successes, and how you'll be able to relate that to either reductions in risk or business value.
Dave Bittner
Were there any unexpected challenges or things you can share with our listeners that you all learned along the way?
Aaron Anderson
Yeah, so I think a couple of things would be is that again, I think there were certain perspectives about how Zero trust might work for an organization. So there were some leadership misconceptions or different perspectives rather on what it would be delivering and what it would be delivering. I think some other things is just as we've gotten better at it. It's one of those things as you measure your maturity, you're like just the breadth of what might be involved. I think one of the things that we've learned is just using identities which are very important nowadays. The growth of both human and non human identities is we've really looked to mature our Zero trust solutions has just highlighted how big that can get without a lot of control. So really internally being explicit about what that scope is and just learning just how broad the business might organically grow in ways we didn't expect came to light as we start to implement controls or really look at the workflows that were being used by different teams.
Dave Bittner
I'm curious, as we've seen this explosion of the use of artificial intelligence and machine learning, has that had any impact on your Zero Trust journey?
Aaron Anderson
Yeah, I think it's had both. There's both some capabilities we're using now. So especially around machine learning, we're using a lot of that technology to do better analysis of the activity that's going on and use that to make decisions in a continuous model as to whether or not access should be granted. So I think a good example is using not only the combination of the user, but other data mining around the user type, the device type, the geography to make real-time assessments as to whether or not that access should be allowed or if some other kind of mitigating step might be required. A good example might be step-up authentication, where combinations of those factors can be used in near or real time in some cases to make decisions on what that access is actually going to look like. The other flip side is that AI has made, I think it has a lot of opportunities, but there's still a lot of work to be done, exactly how that represents risk and from a zero trust perspective, are the controls that we currently have in place still able to function in a way that matches how AI is being used? One of the things that I think most organizations looking at AI have noticed is that a lot of AI technology requires a lot of broad access to data in order to make the best use of that information and to make it valuable back to the customers. But that combination of access for a service to access many data types does mean that maybe some of your traditional controls will no longer be sufficient when it comes to just doing device posture checks or identity checks. I think this is also directly related to what we've seen internally, which is just the growth of non-human identities in order to associate all this data together as well. And that's an area where I do believe the Zero Trust foundations will apply to that. It's just taking a little bit more time to make sure that our controls are still encountering, sorry, rather factoring that in when we make decisions.
Dave Bittner
Hmm. Where do you suppose we're headed with this? I mean, it sounds like from Adobe's point of view, Zero Trust is here to stay.
Aaron Anderson
Yeah, I do think it's here to stay. And I do think because it's a framework that's really we envision as a program, it's meant to be to grow and change as risks change. So I do believe that the concepts, the core concepts still have a lot of value and they allow for continuing to look at new ways of business doing things, the new security requirements. I think as an example, as we've gotten better at it, we're using it to evaluate maybe areas that we knew were risk, but we didn't quite understand as well around some of our vendor and vendor onboarding and some of the risks associated with those vendors. So as an example, asking our own onboarding partners just how are they thinking about Zero Trust or at least the core concepts of it and using that in our decision making process. So it's definitely here to stay, at least for the long time that I can see. And I do believe that because of the flexibility it offers, it will continue to be something that can be changed to meet changes in either risk or business requirements. Early on it became really important to get the executive support, like with any security project. And I think Zero Trust really makes it easier to do that if you take the time to evaluate your ad and really have clear metrics and outcomes you're delivering. So, you know, keeping that in mind, I think a lot of organizations can be successful with it.
Dave Bittner
That's Aaron Anderson, Enterprise Security Manager at Adobe.
Aaron Anderson
Abercrombie is an official fashion partner of the NFL. And I'm CeeDee Lamb, wide receiver for the Dallas Cowboys. You know, I'm here for Abercrombie's Cowboys gear. That's not a question, but I need a whole wardrobe to go with it. No shade to the guys, but I'm used to having the best tunnel fits. This season, Abercrombie has me covered. Shop NFL by Abercrombie in the app, online and in store.

When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets mom's 60th, and never miss a meme or milestone. All protected with end-to-end encryption. It's time for WhatsApp. Message privately with everyone. Learn more at WhatsApp.com.
Dave Bittner
And finally, looks like Chess.com just got caught in a tricky gambit. The online chess giant admitted that 4,500 of its players had their data swiped during a June breach involving a compromised file transfer tool. That's less than 0.003% of its 100 million users. A small pawn sacrifice, but still a blunder. The attack ran from June 5 through June 18 before being checkmated on June 19, when federal authorities were alerted. No banking details, usernames or passwords were taken, so accounts remain in stalemate-safe condition. Chess.com insists its code wasn't compromised, though it declined to reveal which tool was the weak square on the board. Hackers remain anonymous and no exposed data has surfaced online. For now, players can keep their kings safe and their rooks on the file. Graham Cluley, call your office.

And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Selena Larson, threat researcher and lead of intelligence analysis and strategy at Proofpoint. The research we're discussing is titled "Microsoft OAuth app impersonation campaign leads to MFA phishing." That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Date: September 5, 2025
Host: Dave Bittner (N2K Networks)
Featured Guest: Aaron Anderson (Enterprise Security Manager, Adobe)
This episode covers a sweeping set of cybersecurity news stories, including recent high-profile attacks and vulnerabilities, legal actions in the tech world, and global policy moves—capped off with an in-depth interview with Adobe's Aaron Anderson about implementing Zero Trust security. The tone remains brisk, occasionally witty, delivering practical insights for industry professionals and anyone tracking cybersecurity trends.
This episode provides actionable updates on recent cyber incidents, legal developments, and global policy advances, then offers a rare inside look at a major organization's Zero Trust transformation. Aaron Anderson’s insights deliver both practical steps and strategic direction, emphasizing that Zero Trust is a long-haul, adaptable journey—one accessible to organizations of any size, and now more vital than ever in an AI-driven, post-perimeter world.