Down The Security Rabbithole
- Author: Various
- Narrator: Various
- Publisher: Podcast
- Duration: 398:36:06
Information:
Synopsis
Security. Some assembly required. Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk. This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise.
Read the blog > http://hp.com/go/white-rabbit
Follow along on Twitter > http://twitter.com/wh1t3rabbit
Episodes
- DtSR Episode 166 - Cyber Security From Board Room to White House
  26/10/2015, Duration: 24 min
  In this episode...
  - Raf sits down with Howard Schmidt to talk about Cyber Security from the public to private sectors and everything in between.
  - Howard & Raf talk through challenges of cyber security in the board room
  - Howard gives us some of the challenges that government faces, from his experience
  Don't miss this episode!
  Guest: Howard A. Schmidt (@HowardAS) - Former Supervisory Special Agent, Director of Computer Crime and Information Warfare, AF OSI; Former CSO, Microsoft Corp.; Former Chairman of White House Critical Infrastructure Protection Board; VP, CISO, eBay Inc.; Special Agent, US Army CID (Reserves); Law Enforcement Officer, Chandler Police Department, AZ
- DtSR Episode 165 - NewsCast for October 19th, 2015
  19/10/2015, Duration: 36 min
  In this episode...
  - Standard & Poor's Adding Cybersecurity to Ratings
    - The headline: In a report issued this week, the rating agency says it could issue a downgrade before a cyberattack if a bank looked ill-prepared, or following a breach that causes significant damage to a bank's reputation or which leads to substantial monetary losses or legal damages.
    - Behind the curve? Stop. Michael wrote about it this week - stop calling it gaps…
    - 16 questions… good start?
      - How long has it typically taken to detect a cyberattack?
      - What containment procedures are in place if the bank is breached?
      - How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?
      - What's the internal phishing success rate?
      - What kind of expertise about cyberattacks exists on the board of directors?
      - How much does the bank spend on cybersecurity, what resources does it devote, and what is the total tech budget this year versus last?
    - Including security in the ratings - and
- DtSR Episode 164 - 3rd Party and Supply Chain Risks
  12/10/2015, Duration: 31 min
  In this episode...
  - Raf asks why we are talking about global supply chain and 3rd party risk again
  - Josh discusses the little things we are not thinking about today that we should be
  - Josh discusses what happens as companies move critical data to the cloud
  - We discuss regional IT in a global data world
  - Raf opens up the "tiny company 3rd party" can of worms
  - We discuss the cyber crime survey and CISO board reporting results; link: http://www.csoonline.com/article/2978020/security-leadership/do-boards-of-directors-actually-care-about-cybersecurity.html
  - What about supply-chain issues with electronic components and software?
  Guest: Josh Douglas - CTO for Raytheon Cyber Products - has nearly two decades of experience in helping global enterprises and government agencies secure their most prized business/mission assets. During his past 9 years at Raytheon, he has overseen Raytheon's Cyber Security Intelligence Operations, Malware Concepts, Security Infrastructure Operations and Research Technologies tasked to produce effective f
- DtSR Episode 163 - NewsCast for October 5th, 2015
  05/10/2015, Duration: 50 min
  In this episode...
  - Patreon got hacked, but it's OK
    - This is a lesson in how to do security in a reasonable manner
    - Great response, good security
    - https://www.patreon.com/posts/important-notice-3457485
  - The double-edged blade of the DMCA could have helped VW cheat emissions
    - Reverse-engineering illegal
    - Definitions of 'researcher' and further 'independent researcher' are interestingly defined - lots of room for discussion
    - http://www.itworld.com/article/2986856/enterprise-software/how-the-dmca-may-have-let-carmakers-cheat-clean-air-standards.html
  - CFOs are getting involved in security whether they want to or not
    - Good to-do checklist for CFOs
    - http://ww2.cfo.com/accounting-tax/2015/09/deals-demand-prior-cfo-involvement-data-security/
  - Lawsuits preventing disclosure of vulnerabilities in the news
    - We're "chilling security research" again
    - Good points made, on top of bad points and half-truths
    - Stems from the FireEye vs ERNW fight
    - http://ww2.cfo.com/accounting-tax/2015/09/deals-demand-prior-cfo-involvement-data-sec
- DtSR Episode 162 - OSINT and Privacy in a Digital World
  28/09/2015, Duration: 33 min
  In this episode...
  - Kirby tells us what OSINT is
  - We discuss how much we are giving away on digital channels
  - We discuss whether there is such a thing as anonymity anymore
  - Location sharing in apps: the bad, the ugly, the scary
  - Kirby and Michael discuss "checking up on your executives"
  - Raf talks about "logo pages" - why do these still exist?!
  - Kirby gives us some thoughts on OPSEC
  - Kirby leaves us with a dose of reality about privacy in today's world
  Guest: Kirby Plessas (@kirbstr) - Kirby is the CEO of Plessas Experts Network, Inc. She did some things before this too, but we can't tell you about them or we'd have to black-bag you and send you to Gitmo. You can get her LinkedIn bio here: https://www.linkedin.com/in/kirbyp.
- DtSR Episode 161 - NewsCast for Sept 21st, 2015
  21/09/2015, Duration: 43 min
  On this episode of the NewsCast:
  - Intel forms new Automotive Security Research Board (ASRB) to focus on security of their automotive platform
    - http://newsroom.intel.com/community/intel_newsroom/blog/2015/09/13/intel-commits-to-mitigating-automotive-cybersecurity-risks
    - Good security as a competitive advantage?
    - Interesting development in the effort to secure cars as a technology platform
  - Appeals court forces the issue of 'fair use' in DMCA case
    - http://www.engadget.com/2015/09/14/appeals-court-copyright-holders-must-consider-fair-use-before/
    - Interesting development in the case against Universal Music Group's malicious prosecution and nonsense take-down orders
  - Bitpay sues their insurance company after giving away $1.8M
    - http://www.coindesk.com/bitpay-sues-insurer-after-losing-1-8-million-in-phishing-attack/
    - Interesting argument in court - indirect loss
    - Company exec got phished for credentials
    - Execs fall for "transfer large quantity of money" scam
    - Follow this case!
  - China making demands of US tech companies
- DtSR Episode 160 - Leadership from a Navy SEAL
  14/09/2015, Duration: 36 min
  In this episode... Brandon, Michael and I discuss the challenges of leadership and how leadership is more than just telling people what to do. Brandon gives us some of his back-stories and anecdotes to illustrate his points on leadership along the way. I promise you'll love this episode, and I highly encourage you to go donate what you're able to, to Red Circle Foundation (http://redcirclefoundation.org).
  Guest: Brandon Webb (@BrandonTWebb) - Brandon is a former Navy SEAL, bestselling author and CEO of Force12 Media. He founded Red Circle Foundation as a way to give back to the families of the Special Ops community in a meaningful way.
  Links:
  - Red Circle Foundation - http://redcirclefoundation.org/
  - SOFREP - http://sofrep.com
  - Brandon's website - http://brandontylerwebb.com/
- DtSR Episode 159 - NewsCast for Sept 7th 2015
  07/09/2015, Duration: 44 min
  In this episode...
  - Court strikes down Wyndham's challenge to FTC power
    - We have covered this before
    - Wyndham argued due process and lack of case law - asked for dismissal
    - Court said no dismissal, FTC has standing
    - FTC is arguing that Wyndham made promises it did not keep
    - Should be interesting to watch this go to court (or likely not)
    - http://www.csoonline.com/article/2975915/data-breach/wyndham-vs-ftc-corporate-security-pros-need-to-lawyer-up-about-data-breach-protection-experts-say.html
  - Ashley Madison hauled into court by class-action suit
    - Lots of thorny issues here, must separate out moral from legal
    - Shines light on the continued bias for breach prevention
    - Interesting Streisand effect here
    - http://www.csoonline.com/article/2975755/data-breach/ashley-madison-hauled-to-court-in-class-action-suits-over-data-breach.html
  - Verizon launches Hum OBD port vehicle monitor and communication tool
    - In light of the stunt-hacking against Chrysler/Jeep, is Verizon tone deaf? ..or are they simply that confident in their securit
- DtSR MicroCast 08 - Conference Engagement
  01/09/2015, Duration: 08 min
  In this MicroCast, live from HTCIA Conference 2015 in Orlando, FL, Michael and I quickly set the stage for a conversation on conference speaker/attendee engagement.
  [Raf] One of my biggest pet peeves as a speaker is getting a room full of people who watch (and listen to) me speak, wait for me to finish, and leave when I'm done.
  [Michael] As an attendee, you need to know what you "do" and what you're looking for from the conference.
  --> Here's the link to the article Michael mentions: http://paulsohn.org/how-to-connect-with-anyone-you-just-met-with-5-questions/
  We welcome the discussion on this topic, #DtSR on Twitter!
- DtSR Episode 158 - Managing Security with Outsourced IT
  31/08/2015, Duration: 45 min
  In this episode...
  - We discuss what life is like as the CISO when you have all the responsibility, but no administrative access (or hands on keyboard)
  - Brandon tells his story about how his IT organization went from in-house to out-house, and how they got where they are
  - Brandon tells us the process and strategy he uses to get a handle on his security
  - We discuss why visibility is one of the most important things for outsourced IT (and security)
  - Brandon tells a story of an incident where things went very sideways
  - We discuss the balance between outsourcer scalability and customer deviations
  - Brandon tells us why sometimes it takes 3 months to scan your environment for a vulnerability (your head will explode)
  - …and so much more
  Guest: Brandon Dunlap (@bsdunlap) - Brandon is the global Chief Information Security Officer for an employee-owned, global leader in building critical infrastructure in energy, water, telecommunications and government services currently operating in more than 100 countries through
- DtSR Episode 157 - NewsCast for Aug 24th, 2015
  24/08/2015, Duration: 49 min
  In this episode...
  - Just when you thought America's neutered "chip & sign" was safe
    - http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/
    - Admittedly we put these stories in here just to get Michael all fired up
  - Ashley Madison's data and source code and CEO's email spool now released and public
    - http://www.theregister.co.uk/2015/08/20/ashley_madison_email_dump/
    - http://www.csoonline.com/article/2973575/business-continuity/ashley-madison-self-assessments-highlight-security-fears-and-failures.html
    - So much to talk about that's just wrong with this story...
  - Uber is hiring people for security
    - http://www.ibtimes.com/uber-boost-security-staff-after-data-privacy-concerns-2055903
    - Does more headcount equal better security?
    - Where will these people come from given the shortage of talent?
  - That gadget you attached to your OBD2 port on your car to "save on car insurance" may be used to kill you
    - Seriously
    - The dangers of all these wireless & connected devices are scary
    - Risk assessment anyo
- DtSR Episode 156 - Leadership Defined Measured and Discussed
  17/08/2015, Duration: 43 min
  In this episode...
  - We discuss the ever-growing need for strong leadership in security
  - I ask whether experience and longevity in a position naturally brings leadership qualities
  - We talk through how leadership interplays with other competencies
  - Michael asks whether the security leader has a place at the executive table (the "big kids table")
  - Michael asks if the MBA has value in security leadership
  - We discuss the model my team uses for leadership and how we build them
  - Michael and Heath discuss various competency models for leadership
  - We discuss measuring, KPIs and relative distance
  - We discuss how leaders can make better decisions
  - Heath leaves us with an Alex Hutton quote
- DtSR Episode 155 - NewsCast for Aug 10th, 2015
  10/08/2015, Duration: 45 min
  In this episode...
  - The Belgian government's internal phishing test has "gone off the rails" a bit
    - Used a legitimate entity to test against
    - Panic and hilarity ensued, but mostly panic
    - http://www.networkworld.com/article/2951514/security/belgian-government-phishing-test-goes-offtrack.html
  - British ICO makes a 180,000 pound fine
    - Disconnect between policy and reality
    - Was anything lost?
    - 2 big failures lead to a fine
    - https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/08/ico-fines-nationwide-money-lender-the-money-shop-180-000/
  - McAfee and Black Hat attendee surveys wildly different
    - Answers you get depend on who and how you ask
    - Interesting answer though...
    - Lesson: The more experience you have, the less confidence?
    - http://www.slate.com/blogs/future_tense/2015/07/21/two_surveys_of_cybersecurity_professionals_show_starkly_different_attitudes.html
- DtSR Episode 154 - Enterprise Software Security Reloaded
  03/08/2015, Duration: 49 min
  In this episode...
  - Raf asks: why haven't we solved the same old software security bugs?
  - James asks how a security team gets out of the way and still gets better security
  - We discuss threat modeling, and channel a bit of John Steven
  - Jeff talks about the OWASP ESAPI and standard security libraries and controls
  - Jeff talks about "libraries with known vulnerabilities" and the role of open source components
  - Raf brings up the ugly side of enterprise outsourcing - code development by committee
  - We discuss static, dynamic and run-time security tools
  - Raf asks Jeff what the RIGHT approach to creating a software program looks like
  Guest: Jeff Williams (@PlanetLevel) - Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. In 2002, Jeff co-founded and became CEO of Aspect Security, a successful and innovative consulting company focused on application security. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP
- DtSR Episode 153 - NewsCast for July 27th, 2015
  27/07/2015, Duration: 49 min
  In this episode...
  - "Hackers remotely kill a Jeep!"
    - Lots to talk about
    - Basics of segmentation weren't followed, aren't followed
    - Discussion on software 'fitness' and liability
    - http://www.cato.org/blog/hackers-remotely-kill-jeep
  - Firefox blocks Flash and Facebook calls for its death
    - Should it concern you that Firefox can change your config without your permission or an update?
    - How helpful is this? Does the message/pop-up actually DO anything to stop users from clicking YES?
    - http://money.cnn.com/2015/07/14/technology/flash-firefox-facebook/index.html
  - Ashley Madison (the cheating website) breached!
    - Check their privacy policy - is it consistent with actions?
    - Did this event delay or possibly end the company's aspirations of going public?
    - The morality of AM's business model shouldn't be an issue here - but it keeps coming up
    - http://www.csmonitor.com/World/Passcode/2015/0722/Ashley-Madison-breach-a-painful-reminder-of-online-data-s-permanence
  - British Gas bows to criticism over blocking password managers
    - http
- DtSR Episode 152 - The Great InfoSec Talent Shortage
  20/07/2015, Duration: 41 min
  In this episode...
  - Talent shortage - is it real, and how bad is it?
  - We discuss: what does negative unemployment actually mean?
  - Michael asks: security is still relatively new, so how do we determine what "qualified" means?
  - What skills are necessary to be a good security professional?
  - Hiring - we discuss how we get better at screening potentially qualified employees
  - We discuss how we can vet out real experience, versus resume skills
  - Mark and Michael discuss specialization, automation, and optimizing our workforce
  - Mark shares his thoughts on growing and retaining top talent
  Guest: Mark Orlando (@MarkAOrlando) - As the Director of Cyber Operations, Mark is responsible for Foreground's Federal practice as well as the Virtual Security Operations Center (V-SOC) managed service. He leads a national team of analysts, engineers, incident responders, and managers who secure some of the most high profile networks in the Federal, financial, commercial, and power and utilities industries. As the senior operations subject ma
- DtSR FeatureCast - HTCIA International Conference 2015 Preview
  15/07/2015, Duration: 22 min
  In this episode... Peter Morin joins us to talk through the upcoming HTCIA International 2015 Conference in sunny Orlando, Florida.
  - We talk through a preview of talks, events, and some interesting reasons you should be going to HTCIA Int'l
  - Check out the incredible lineup of keynotes, speakers and talks - http://www.htciaconference.org/
  - Come see the #DtSR crew live and in person as we record and broadcast from the conference
- DtSR Episode 151 - NewsCast for July 13th, 2015
  13/07/2015, Duration: 46 min
  In this episode...
  - Appears as though Windows 10 WiFi Sense could have some issues with WiFi -- more on this as it develops
    - Why is the default opt-in, and why in the world do I have to change my SSID to opt out?!
    - Is it really a good idea to use an SSID to describe security constraints on your network? (Hint: NO)
    - http://www.computing.co.uk/ctg/news/2415787/windows-10-wi-fi-sense-security-warning-over-automatically-shared-passwords
  - "Washington Post will encrypt the news"
    - Ridiculous click-bait headline
    - Is this a good idea? Should everything be HTTPS? What about ads, are we defeating ourselves?
    - https://hacked.com/washington-post-encrypt-news/
  - OPM hackers stole 21.5 million people worth of records
    - That's all government employees, past, present, and under-cover (possibly)
    - 1.1 million biometrics (fingerprints) -- quick! go reset your fingerprints... oh wait
    - Bad --> worse --> catastrophic --> now what?
    - http://www.computerworld.com/article/2946031/cybercrime-hacking/opm-hackers-stole-data-on-215m-people-includi
- DtSR Episode 150 - A CEO's Perspective
  06/07/2015, Duration: 50 min
  In this episode...
  - We take a little peek inside the mind of a CEO, from the security perspective
  - We discuss the state of information security in the last decade
  - Dan shares his wisdom on how the role of a security professional and security leadership has changed over the course of his career
  - We discuss the talent shortage - and get an in-depth look at solving some of this problem
  - Dan shares with us his views on balancing people, processes and technology resources to achieve meaningful security
  - We talk strategy, and Dan and the guys talk through why it's so vital
  - We get Dan's "closing remark" (something you won't want to miss)
  Guest: Dan Burns, CEO, Optiv, Inc. - Dan Burns brings more than 23 years of business, technology and security industry experience to his role as chief executive officer. In this role he is responsible for the development and implementation of high-level strategies and direction of the company's growth. Being able to provide clear insight into navigating the complex information secu
- DtSR Episode 149 - NewsCast for June 29th 2015
  29/06/2015, Duration: 50 min
  In this episode... With me gone, James and Michael run feral!
  - It's June, so here are the top 3 security priorities for CISOs for 2015 (yes, in June)
    - http://www.information-age.com/technology/security/123459699/top-3-security-priorities-cios-2015
    - Boils down to: patch faster, improve credentials, code better
    - Is this the right list? It mentioned side-stepping cloud and mobility. What if migrating to the cloud offers the opportunity to not worry about patching or code, and improve your credentials?
    - Someone pointed out to me that this matches the OPM hack; perhaps this is just content driven from that? Does that make it more or less valid? Let us know… #DTSR
  - Cybersecurity tops advisors' compliance worries: poll
    - http://www.thinkadvisor.com/2015/06/24/cybersecurity-tops-advisors-compliance-worries-pol
    - More people concerned. This directly undercuts the notion that people don't care. They do care. They care about their money. The advisors entrusted with their money care. People care. The question for us: what ar