CyberWire Daily – "Wheels Left Spinning After Cyber Incident"
Date: September 5, 2025
Host: Dave Bittner (N2K Networks)
Featured Guest: Aaron Anderson (Enterprise Security Manager, Adobe)
Episode Overview
This episode covers a sweeping set of cybersecurity news stories, including recent high-profile attacks and vulnerabilities, legal actions in the tech world, and global policy moves—capped off with an in-depth interview with Adobe's Aaron Anderson about implementing Zero Trust security. The tone remains brisk, occasionally witty, delivering practical insights for industry professionals and anyone tracking cybersecurity trends.
Key News Stories & Insights
Bridgestone Cyberattack Disrupts Manufacturing
[01:10–02:08]
- Incident: Bridgestone Americas confronted a cyberattack that disrupted manufacturing in South Carolina and Quebec.
- Response: "Rapid response contained the attack early, preventing customer data theft or deeper network compromise."
- Continuity: The full forensic analysis is ongoing; Bridgestone stresses business continuity, though product shortages may occur.
- Context: Ransomware has not been confirmed, but a previous LockBit attack history raises questions about repeat targeting.
CISA Issues Critical ICS Vulnerability Advisories
[02:09–03:27]
- Scope: Five new advisories affecting critical sectors—energy, manufacturing, transportation, healthcare.
- Vendors/Products: Honeywell, Mitsubishi Electric, Delta Electronics, and rail protocols among those affected.
- Severity: Vulnerabilities include buffer overflows, underflows, and weak encryption; Delta’s flaw scored a 9.8 CVSS.
- Mitigations: CISA urges "immediate mitigations such as strict access controls, network segmentation and patching."
Salesforce Salesloft/Drift OAuth Token Attack
[03:28–04:14]
- Breach Details: Proofpoint, SpyCloud, Tanium, and Tenable confirm data exposure via OAuth token exploitation in the Drift integration.
- Impact: Sensitive data (AWS keys, emails, phone numbers, CRM details) from over 700 organizations was accessed; the firms stress that customer data was not compromised.
Sitecore Configuration Vulnerability
[04:15–05:10]
- Threat: Vulnerability enables remote code execution and malware deployment in all Sitecore product lines.
- Attack Vector: Systems using sample machine keys from old documentation are highly at risk.
- Mitigations: Sitecore urges immediate key rotation.
Stricter HHS Enforcement on Health Data Access
[05:11–05:43]
- Policy Update: HHS is targeting stricter enforcement of information access rules.
- Penalties: Fines up to $1 million for IT vendors; providers face Medicare/Medicaid penalties for blocking patient record access.
- Focus: "Patients must have free, timely electronic access to their records, including through apps of choice."
Texas Sues PowerSchool Over Student Data Breach
[05:44–06:28]
- Breach: December 2024 incident exposed data of 62 million students, including nearly a million Texans.
- Allegations: Texas AG Ken Paxton alleges PowerSchool failed to secure sensitive data, in violation of consumer protection and identity theft laws.
Google Ordered to Pay $425M in Privacy Lawsuit
[06:29–07:09]
- Ruling: Jury finds Google collected user data despite disabled tracking, breaching its privacy policy over eight years.
- Significance: "Privacy advocates hailed the verdict as a rare and significant win, while Google plans to appeal."
15-Nation Guidance on Software Bills of Material (SBOM)
[07:10–08:03]
- Release: Cyber and intelligence agencies promote SBOM harmonization for global software supply chain security.
- Aim: Encourage "broad adoption, harmonized implementations, and integration into security workflows" to avoid fragmented, costly standards.
Industry Voices: The Journey to Zero Trust at Adobe
Guest: Aaron Anderson, Enterprise Security Manager, Adobe
[13:15–26:09]
Anderson's Background
[13:15–13:45]
- 25-year Adobe veteran, started in IT support, now manages enterprise security architecture & engineering.
Defining Zero Trust at Adobe
[13:54–14:47]
- Framework-based: "Zero Trust is really based on some of the more common frameworks... At Adobe, the CISA framework."
- Concept: Moving beyond perimeter controls to "an assumed compromise type of mindset."
- Access Control: "Confirming it is what we think it is, assessing... the risk before access is granted and using other attributes to make those decisions at the time of access."
Common Zero Trust Misconceptions
[14:56–16:00]
- Misunderstandings: Definitions and expectations differ; some think it’s only for large orgs.
- Reality: "You don't have to be a large organization with vast resources to take advantage of zero trust... it can really vary by organization."
Adobe’s Zero Trust Journey: Where to Start
[16:14–17:29]
- Start Point: Evaluate maturity against a chosen framework (Adobe uses CISA).
- Drivers: Legacy perimeter controls don't suffice in cloud/SaaS-heavy environments; pandemic accelerated remote work.
- Focus: Ensuring controls align with evolving data access patterns.
Measuring Zero Trust Progress
[17:37–19:03]
- Early Metrics: "How many users or how many services were actually meeting our baseline standards."
- Mature Metrics: "Not only achieving security goals, but also business goals."
- Example: Improved identity onboarding benefits both security and business efficiency.
Gaining and Maintaining Leadership Buy-In
[19:16–20:24]
- Wins: Secure, streamlined remote solutions: "Easy to sell... a big win."
- Communication: Articulate measurable outcomes and business benefits to leadership.
- SaaS Adoption: Zero Trust controls streamlined secure onboarding for internal customers.
Advice for Organizations Starting Zero Trust
[20:34–21:50]
- Framework First: Pick a structured approach to evaluate current state.
- Think Long-Term: "Really thinking of it as a journey and not just a project."
- Quantitative Measurement: Show "definitive success... that leadership can get behind."
- Relate to Risk and Business Value: Explicitly tie outcomes to reduced risk and business value.
Challenges & Lessons Learned
[21:57–22:50]
- Scope Creep: As maturity increased, the scale and complexity—especially of identity management—became more apparent.
- Organizational Dynamics: Business growth exposes new workflows and control requirements.
AI/ML Impact on Zero Trust
[23:01–24:46]
- Enabler: Machine learning enhances event/activity analysis for real-time access decisions.
- New Risks: "AI technology requires a lot of broad access to data... maybe some of your traditional controls will no longer be sufficient."
- Growth of Non-human Identities: More automation and data association raise new control needs.
The Future of Zero Trust
[24:55–26:09]
- Enduring Value: "It’s here to stay. And... because it's a framework... it's meant to grow and change as risks change."
- Expanding Influence: Zero Trust concepts now factor into vendor risk and onboarding.
- Executive Support: "Early on it became really important to get the executive support... Zero Trust really makes it easier if you... have clear metrics and outcomes."
Notable Quotes
- "Zero trust, again, is more of a journey." – Aaron Anderson [16:14]
- "You don't have to be a large organization with vast resources to take advantage of zero trust." – Aaron Anderson [14:56]
- "AI technology requires a lot of broad access to data... maybe some of your traditional controls will no longer be sufficient." – Aaron Anderson [24:00]
- "Keeping that in mind, I think a lot of organizations can be successful with it." – Aaron Anderson [26:07]
Other Notable Incident: Chess.com Breach
[27:27–28:08]
- Breach: 4,500 players’ data exposed due to a compromised file transfer tool.
- Scope: Less than 0.003% of total users; no passwords or payment data taken.
- Containment: Federal authorities notified; the attack ended quickly.
- Quote: "A small pawn sacrifice, but still a blunder." – Dave Bittner [27:29]
Conclusion
This episode provides actionable updates on recent cyber incidents, legal developments, and global policy advances, then offers a rare inside look at a major organization's Zero Trust transformation. Aaron Anderson’s insights deliver both practical steps and strategic direction, emphasizing that Zero Trust is a long-haul, adaptable journey—one accessible to organizations of any size, and now more vital than ever in an AI-driven, post-perimeter world.
