Exposed Defaults, Offensive Playbooks & The ACL That Could

The Other Side of the Firewall launches Season 4 with a full, radio-style episode this week. Shannon and I break down three very different but equally concerning cybersecurity stories. Each story exposes a critical weakness, whether it lives in policy, in a platform, or in something as simple as a password.

Here’s the breakdown:


1. ServiceNow’s “Counterstrike” Flaw: The ACL Misstep

You’d expect more from a platform that underpins so much of enterprise IT. But ServiceNow—used by global companies and entire government agencies—recently had a misconfiguration that let low-privileged users enumerate restricted data.

The vulnerability, dubbed “Counterstrike,” came down to access control lists (ACLs). The system was supposed to require all four conditions—roles, security attributes, data conditions, and script conditions—to grant access. Instead, it granted access if any one of those conditions was met.

“It’s kind of scary…you would think we’d be past this at this point.” — Shannon Tynes

The exposure wasn’t theoretical. Varonis provided screenshots proving they could pull sensitive data from tables they should never have seen. This is a big deal, especially since GRC modules in ServiceNow often house vulnerability details, risk mitigation strategies, and even compliance timelines. Now imagine an insider threat exploiting this bug.

The good news: it’s been patched. But if your organization is running its own ServiceNow instance, manual ACL reviews are now a must. Don’t assume “deny all” is the default—verify.
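To make the ACL misstep concrete, here is an added Python model written for this post (not ServiceNow's code) that evaluates the four condition types both ways and flags the records an any-match evaluation would expose but an all-match evaluation would deny. The table, roles, attributes and records are constructed sample data.

```python
# Constructed model of the four ACL condition types named in the episode
# (roles, security attributes, data condition, script condition). Written
# for this post as an illustration; it is not ServiceNow's own code.
from dataclasses import dataclass

@dataclass
class Acl:
    required_roles: set
    required_attributes: set
    data_condition: callable    # record -> bool
    script_condition: callable  # (user, record) -> bool

    def conditions(self, user: dict, record: dict) -> dict:
        # Evaluate each condition separately so a reviewer sees which ones pass.
        return {
            "roles": self.required_roles <= user["roles"],
            "attributes": self.required_attributes <= user["attributes"],
            "data": self.data_condition(record),
            "script": self.script_condition(user, record),
        }

def grants_access_buggy(acl, user, record):
    """The misstep the episode describes: one passing condition is enough."""
    return any(acl.conditions(user, record).values())

def grants_access_correct(acl, user, record):
    """Intended semantics: deny unless every condition passes."""
    return all(acl.conditions(user, record).values())

def audit_acl(acl, users, records):
    """Review helper: records the any-match logic exposes but all-match denies."""
    findings = []
    for name, user in users.items():
        for record in records:
            if grants_access_buggy(acl, user, record) and not grants_access_correct(acl, user, record):
                failed = sorted(k for k, v in acl.conditions(user, record).items() if not v)
                findings.append((name, record["id"], failed))
    return findings

# Constructed sample: a GRC risk table that only cleared risk managers should read.
RISK_ACL = Acl(
    required_roles={"risk_manager"},
    required_attributes={"cleared"},
    data_condition=lambda r: r["state"] != "draft",
    script_condition=lambda u, r: r["owner"] in u["roles"] or "risk_manager" in u["roles"],
)
USERS = {"analyst": {"roles": {"itil"}, "attributes": set()},
         "manager": {"roles": {"risk_manager"}, "attributes": {"cleared"}}}
RECORDS = [{"id": "RISK001", "state": "open", "owner": "itil"},
           {"id": "RISK002", "state": "draft", "owner": "risk_manager"}]
```

Running `audit_acl(RISK_ACL, USERS, RECORDS)` reports the low-privileged analyst reaching RISK001 on the strength of the script and data conditions alone, and the manager reaching a draft record the data condition should hide.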


2. “Night Eagle” and the Exchange Zero-Day: Yes, America Has APTs Too

We always hear about Chinese or Russian APTs exploiting U.S. systems—but this time, the shoe’s on the other foot.

Dark Reading reports a Western-based APT—believed to be American or Canadian—used a Microsoft Exchange zero-day to spy on China’s semiconductor and AI sectors. The group’s name? Night Eagle. And yes, we chuckled at the name too.

“I love that…we always say Jade or Bear for other countries. They gave us the eagle.” — Ryan Williams Sr.

What makes this interesting isn’t just the reverse direction of the threat—it’s the balancing act. Microsoft is an American company. Their zero-day was used as the attack vector. So when do our federal agencies disclose these vulnerabilities to the vendor? And when, if at all, do they hold back for offensive gain?

“You still have to do your due diligence, but how long do you hold the fuse before you report it?” — Ryan

It’s the murky world of digital espionage—and this time, the U.S. is doing the probing. If you’re in enterprise IT, it’s a reminder: your tools could be both the weapon and the battlefield.


3. McDonald’s AI Hiring Tool Used 123456 as a Password. Yes, Really.

Somewhere between funny and infuriating sits this one.

McDonald’s hiring portal, McHire, used an AI chatbot named Olivia to streamline applications. Sounds cool—until someone logged into the backend using “123456” as both the username and password. On the second try.

“Anything connected to the Internet is going to get tested.” — Ryan

That weak credential granted access to over 64 million job applications, many containing resumes, emails, and addresses. While it wasn’t full-blown PII in most cases, that data is gold for phishing attacks—especially on vulnerable demographics like young job seekers.

And it’s not just phishing—those records also contained personality tests. Imagine how much cognitive targeting can be done with that. This is about mind privacy now.

“They’ve got the personality inventory of 64 million people…what can they use that for?” — Ryan

We may look back on this as the start of something bigger: not just another breach, but the start of behavioral-based cybercrime. Imagine applying for your first job—and that being the point someone decided to steal your identity, or worse.


Final Thoughts: These Risks Are Personal

Season 4 is all about sharpening the signal. Whether you're a CISO, a SOC analyst, or just getting started in cyber—these three stories hit every level:

  • Enterprise risk: Review your ACLs. Don’t trust platform defaults.

  • Nation-state operations: Offensive cyber is real—and it’s happening both ways.

  • Consumer-grade exposure: If “123456” still gets you in the back door, we’ve got work to do.

This isn’t theoretical. It’s not “one day maybe.” These are today’s risks. And as always…

Listen to the full conversation on theothersideofthefirewall.com or ram.cyber.io. 📚 And don’t forget—our book is available for pre-order now!


Thank you for reading, and stay tuned for more episodes of The Other Side of the Firewall podcast on Monday, Tuesday, Wednesday, and Friday, as well as the Ask A CISSP podcast every Thursday. Please like, share, and subscribe.

Stay safe, stay secure!


Available NOW!

I’m excited to announce my new guide, The Other Side of the Firewall: The Real-Life Stories of Movers, Shakers, & Glass Ceiling Breakers in Cybersecurity, is available for preorder!

This guide took almost a year to write and is built on 4.5 years of research, thoughtful observations, and interviews with 27 incredible guests. Based on the podcast of the same name, it shares the powerful journeys of underrepresented professionals who broke into and reshaped the cybersecurity field.

If you're looking for real-world inspiration, practical insights, and proof that there's space for you in cyber—this book is for you.

📘 Order your copy now at a discounted price: theothersideofthefirewall.com


Ryan is a retired Air Force veteran who brings over 20 years of experience in network infrastructure, project management, and cybersecurity consulting to his current role as CEO of RAM Cyber Consulting & Assessments, LLC. RAM Cyber is a premier governance, risk, and compliance (GRC) consultancy dedicated to supporting the Defense Industrial Base (DIB), federal agencies, and corporate entities. We specialize in delivering expert guidance to ensure compliance, mitigate risks, and enhance cybersecurity postures.


Shannon, also a retired Air Force veteran, has more than two decades of expertise in network security and vulnerability management. He now serves as an Information System Security Officer (ISSO), where he continues to enhance national security protocols.


Chris is a Navy veteran with over 13 years in IT, information assurance, and risk management. His current role as a Senior Security Consultant focuses on vCISO and Cyber Assessments services enhancing data security and privacy for various organizations.


The Other Side of the Firewall podcast is a product of RAM Cyber Consulting & Assessments, LLC. RAM Cyber Consulting & Assessments, LLC is a premier governance, risk, and compliance (GRC) consultancy dedicated to supporting the Defense Industrial Base (DIB), federal agencies, and corporate entities. We specialize in delivering expert guidance to ensure compliance, mitigate risks, and enhance cybersecurity postures. RAM Cyber is pending SDVOSB, VOSB, and 8(a) certification by the SBA, underscoring our commitment to excellence and service.

Ryan Williams Sr.

Principal, Technology & Resiliency Risk Management | Author | Podcast Host | Veteran

📘 Order your copy now at a discounted price: theothersideofthefirewall.com or your preferred eBook and retail store: https://books2read.com/theothersideofthefirewall
