Down The Security Rabbithole
- Author: Various
- Narrator: Various
- Publisher: Podcast
- Duration: 398:36:06
Information:
Synopsis
Security. Some assembly required. Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk. This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise.
Read the blog > http://hp.com/go/white-rabbit
Follow along on Twitter > http://twitter.com/wh1t3rabbit
Episodes
-
DtSR Episode 148 - Focus on the CISO
22/06/2015 Duration: 32min
In this episode...
- What is the Security Advisor Alliance?
- We discuss some of the issues facing CISOs today
- Clayton gives us his perspective on how to solve some of those issues
- Clayton tells us about the mission of the SAA
- If you're a CISO, are you signed up for the SAA Summit? Shoot Clayton an email
Guest
Clayton Pummill ( @cp48isme ) - https://www.linkedin.com/pub/clayton-pummill/10/32a/44a - Clayton is the executive director of the Security Advisor Alliance. He also has a storied background, so I encourage you to give it a check!
-
DtSR Episode 147 - NewsCast for June 15th, 2015
15/06/2015 Duration: 56min
In this episode...
- Facebook has released PGP-encryption-enabled email communications
  - The anti-privacy platform will now encrypt emails to you if you give them your PGP public key
  - Does no one see the insane irony here?
  - http://www.theregister.co.uk/2015/06/01/facebook_pgp_support/
- White House issues mandate for HTTPS (by default) for all federal websites
  - "By the end of 2016"
  - Is this a good thing? A bad thing? Or does it even matter?
  - http://www.huffingtonpost.com/2015/06/08/https-federal-websites_n_7539164.html
- Attackers are using medical devices to pivot into health care networks
  - The Internet of Medical Things is insecure
  - There are challenges here, but the risks of moving faster aren't negligible
  - Lots to be thought about here
  - http://www.csoonline.com/article/2931474/data-breach/attackers-targeting-medical-devices-to-bypass-hospital-security.html
- Kaspersky gets popped, cue the typical verbiage
  - "Three previously unknown techniques"
  - "..highly sophisticated attack used up to three zero-day exploits.."
  - ht
-
DtSR Episode 146 - State of Enterprise Incident Response
08/06/2015 Duration: 46min
In this episode...
- Defenders are set up to fail? How and why
- How do we fill forensics and IR positions?
- What skills and qualifications do forensics/IR need to have?
- How can enterprises get better at IR from where they are today?
- How do we solve some of the problems plaguing the security industry?
Guest
Andrew Case ( @attrc ) - Andrew Case is a senior incident response handler and malware analyst. He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis. He is a core developer on the Volatility memory analysis framework and co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory".
-
DtSR Episode 145 - NewsCast for June 1st, 2015
01/06/2015 Duration: 49min
Apologies to anyone who is having issues downloading this episode!
In this episode...
- The ACLU encourages the government to get into bug bounties
  - Read the original letter: https://www.aclu.org/sites/default/files/field_document/aclu_-_iptf_recommendations_submitted.pdf
  - Points 1 & 2 are sane
  - Point 3 makes a hard left into crazy-town
  - http://thehill.com/policy/technology/243265-aclu-says-government-should-offer-rewards-for-finding-security-flaws-on-its
- The massive taxpayer data fraud (not really a breach) is believed to be the work of Russia, says the IRS
  - Does it really matter?
  - Was this a breach or an abuse of functionality?
  - Would your company have caught this?
  - http://www.cnn.com/2015/05/27/politics/irs-cyber-breach-russia/index.html
- CareFirst says their recent breach affects only about 1.1M people
  - Healthcare is clearly in the "bad guys" target zone
  - Quick to point out what the attackers did not get access to
  - Of course it was a sophisticated cyberattack
  - http://abcnews.go.com/Technology/wireSto
-
DtSR Episode 144 - Insights from the ISC2 2015 Survey
25/05/2015 Duration: 42min
In this episode...
- David Shearer, Executive Director for ISC2, joins us to talk about the results of the ISC2 2015 Information Security Workforce Study
- We ask David to highlight some of the results
- We discuss how malware and application security were identified as top threats 3 years in a row -- and what's to be done about this
- We discuss the major discrepancy between priorities from this survey and recent CIO surveys
- We discuss the importance of communication skills (identified in the survey) while leadership and business management are far down the scale
- We discuss with David how under his leadership ISC2 can build a much tighter alignment to business -- not just more security certifications
Guest
David Shearer - David Shearer has more than 27 years of business experience including the chief operating officer for (ISC)², associate chief information officer for International Technology Services at the U.S. Department of Agriculture, the deputy chief information officer at the U.S. Department of the Interio
-
DtSR Episode 143 - NewsCast for May 18th, 2015
18/05/2015 Duration: 47min
In this episode...
- Netflix launched FIDO (not that one, or that one, no the other one)
  - Focused on automating incident response practices
  - FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
  - If you don't use it, at least they provide a structured framework for response and IR workflow
  - http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html
- IT chief leaves sensitive data in car - spoiler: it gets stolen
  - Something smells like a fish market in the July heat on this story
  - Maybe it's time to check in on YOUR off-site handling procedures?
  - http://www.thestarpress.com/story/news/local/2015/05/10/chief-left-hard-drives-car/27083031/
- Crowdstrike discovers, names "Venom"
  - Massive security vulnerability within the floppy disk emulator in virtual machine hypervisors
  - Even if you disable floppy disk emulation, a separate bug lets you enable it
  - This has a graphic and everything!
  - http://www.csoonline.c
-
DtSR Episode 142 - Basics and Fundamentals, That Win
11/05/2015 Duration: 26min
In this episode...
- A quick walk-through of Rob’s talk (“Hacker ghost stories”), and why it’s completely relevant today
- Simple things that work:
  - blocking Java (externally) effectively
  - blocking “uncategorized” sites in your forwarding proxies
  - (not) resolving DNS internally
  - (not) default routing to the Internet from inside
  - canaries in the coal mine, or evil canaries
Guests
James Robinson ( @0xJames ) - https://www.linkedin.com/in/0xjames - Currently the Director, Threat and Risk Management at Accuvant-Fishnet Security and part of the Office of the CISO. He has a long and storied career of success as an enterprise defender across various industries.
Rob Fuller ( @mubix ) - Rob is an experienced InfoSec industry insider, with many interesting achievements and accomplishments. He's easily findable, as are his many public doings.
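The controls listed above are cheap partly because their violations are easy to spot in logs you already have. The following is an added example, not code from the podcast or from Rob's talk: given constructed firewall, proxy and DNS log lines in a hypothetical whitespace-separated layout, it flags internal hosts that try to route to the Internet directly (visible as distinct events once the default route and internal recursion are gone), proxy requests to uncategorized sites, and any lookup of or request for a canary hostname. The address ranges, proxy address, canary names, category label and log formats are all assumptions.

```python
import ipaddress

# Hypothetical environment (assumptions, not from the podcast): two internal
# ranges, one forwarding proxy, decoy "canary" hostnames that no legitimate
# system is configured to use, and the proxy category that is blocked.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
PROXY_ADDRS = {"10.0.0.5"}
CANARY_NAMES = {"admin-vault.corp.example", "backup-fs.corp.example"}
BLOCKED_CATEGORIES = {"uncategorized"}

# Constructed sample logs in a made-up layout:
#   firewall: <src> <dst> <dport> <action>
#   proxy:    <client> <host> <category> <status>
#   dns:      <client> <qname>
FW_LOG = """\
10.1.2.3 10.0.0.5 3128 allow
10.1.2.3 203.0.113.10 443 deny
10.1.2.7 198.51.100.9 8080 deny
10.0.0.5 203.0.113.10 443 allow
192.168.4.4 10.2.0.1 445 allow
"""
PROXY_LOG = """\
10.1.2.3 www.example.com business 200
10.1.2.9 qzx-newdomain.example uncategorized 403
10.1.2.7 admin-vault.corp.example internal 200
10.1.2.3 cdn.example.net technology 200
"""
DNS_LOG = """\
10.1.2.3 www.example.com.
10.1.2.7 backup-fs.corp.example.
10.1.2.9 mail.corp.example.
"""


def _records(log):
    """Yield the whitespace-separated fields of each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            yield line.split()


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direct_egress_attempts(fw_log=FW_LOG):
    """Internal hosts other than the proxy trying to reach the Internet directly.

    With no default route and no internal recursion to the Internet, every
    legitimate flow goes via the proxy; a direct attempt is a misconfiguration
    or something that is not proxy-aware (typically malware). Flag it whether
    the firewall allowed or denied it.
    """
    return [(src, dst, int(dport), action)
            for src, dst, dport, action in _records(fw_log)
            if is_internal(src) and not is_internal(dst) and src not in PROXY_ADDRS]


def uncategorized_requests(proxy_log=PROXY_LOG):
    """Proxy requests to hosts in a blocked category.

    Fresh attacker infrastructure is usually uncategorized, so the block is
    cheap; the resulting 403s still tell you which client tried.
    """
    return [(client, host, int(status))
            for client, host, category, status in _records(proxy_log)
            if category in BLOCKED_CATEGORIES]


def canary_hits(dns_log=DNS_LOG, proxy_log=PROXY_LOG):
    """Any DNS lookup of, or proxy request for, a canary name.

    Nothing legitimate references these names, so one hit is high-signal.
    """
    hits = [("dns", client, qname)
            for client, qname in _records(dns_log)
            if qname.rstrip(".").lower() in CANARY_NAMES]
    hits += [("proxy", client, host)
             for client, host, _category, _status in _records(proxy_log)
             if host.lower() in CANARY_NAMES]
    return hits


def suspect_hosts(fw_log=FW_LOG, proxy_log=PROXY_LOG, dns_log=DNS_LOG):
    """Internal clients that tripped any of the three checks, for triage."""
    hosts = {src for src, *_ in direct_egress_attempts(fw_log)}
    hosts |= {client for client, *_ in uncategorized_requests(proxy_log)}
    hosts |= {client for _kind, client, _name in canary_hits(dns_log, proxy_log)}
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    for finding in direct_egress_attempts() + uncategorized_requests() + canary_hits():
        print(finding)
    print("suspect hosts:", suspect_hosts())
```

On the sample data the same client (10.1.2.7) both attempts direct egress and touches canary names, which is the kind of correlation these basic controls make visible; a proxy-aware browser on 10.1.2.3 that also tries port 443 directly is worth a look too.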
-
DtSR Episode 141 - NewsCast for May 4th, 2015
04/05/2015 Duration: 46min
In this episode...
- A joint Ponemon Institute & IBM Security study shows that, surprise surprise, developers are "neglecting security"
  - The study only looked at mobile apps and app developers
  - Less than half (of their study) test the mobile apps they build
  - About 33% never test their apps
  - http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
- Illinois Bill SB1833 expands the definition of PII to include almost everything
  - Requires notification in the event of a breach of... online browsing history, online search history, or purchasing history
  - Is this absurd, or just protecting our privacy?
  - http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
- The DOJ has jumped in and issued some sound fundamental breach guidance!
  - 4 sections: what to do before, during and after a breach, plus what NOT to do after a breach
  - Fantastic fundamentals... great idea
  - The push to fundamentals is critical!
  - http://www.alstonprivacy.com/doj-issues-data-bre
-
DtSR Episode 140 - Ethics of Hacking Live from AtlSecCon 2015
27/04/2015 Duration: 38min
In this episode...
- What about public safety, where do we draw the line on open research?
- Self-regulation? Disclosure? What are our options…
- What makes a researcher?
- We discuss “Chilling security research”
- A quick dive into bug bounty programs; do they help?
- Ethics vs. moral compass …we discuss
- Hacker movies, and what they’re doing for our profession
Guests
Keren Elezari ( @K3r3n3 ) - brings years of experience in the international cyber security industry to the stage. Since 2000, Keren has worked with leading Israeli security firms, government organizations, Global Big 4 and Fortune 500 companies. Keren holds a CISSP security certification, a BA in History and Philosophy of Science and is currently a senior research fellow with the prestigious Security & Technology workshop at Tel Aviv University. In 2012, Keren held the position of Security Teaching Fellow with Singularity University, a private think tank, founded by Dr. Ray Kurzweil and sponsored by Google & NASA amongst others. Since 2013, Keren
-
DtSR Episode 139 - NewsCast for April 20th, 2015
20/04/2015 Duration: 39min
In this episode...
- Friend and security researcher Chris Roberts steps into it...
  - A poorly-conceived tweet, followed by mass hysteria
  - Most everyone talking about this is missing the point entirely
  - Of course, the EFF jumps in to keep from "chilling research" (roll eyes)
  - http://www.usatoday.com/story/tech/2015/04/19/chris-roberts-one-world-labs-united-rsa-computer-security-tweets/26036397/
  - The EFF take: https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
- Corporate threat intelligence teams opting to go anonymous?
  - New company, making intelligence sharing work, anonymously?
  - Many questions on whether anonymity is workable in the intelligence space
  - https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
- Target settles with Mastercard for $19M USD
  - Mastercard trying to settle this out, as an alternative payout option for victims (this time the issuers, not card holders)
  - http://www.theregister
-
DtSR Episode 138 - Useful Knowledge on Intelligence
13/04/2015 Duration: 48min
In this episode...
- Where do you even start with “threat intelligence”?
- Ryan talks about context, and why it’s *the* most important thing when it comes to threat intel
- How does an SME make use of a “luxury item” like threat intelligence?
- Michael asks what are 1-2 things you can do *immediately* as an SME?
- What are the basics, beyond the basics of security? Where do you make your first investment?
- Getting your own house in order is harder than it sounds, so what then?
- Michael drops some #RiskCatnip
- Michael breaks down the “feedback loop” and his basic questions to ask/answer
- Down the rabbit hole of shiny boxes, standards, and productized threat intelligence
- The overlap of data on commercial threat intelligence providers
Guest
Ryan Trost - Ryan is the CIO of ThreatQuotient and knowledgeable on matters of intelligence with his extensive background and history in the community.
-
DtSR Episode 137 - NewsCast for April 6th, 2015
06/04/2015 Duration: 46min
In this episode...
- TrueCrypt security audit results are good news, right? Why are some of the most depended-upon
  - http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/
- At Aetna, cybersecurity is a matter of business risk
  - Jim Routh talks about how he runs a security program
  - Security is a matter of business risk; if not, you're doing it wrong
  - http://blogs.wsj.com/cio/2015/03/30/cybersecurity-at-aetna-is-a-matter-of-business-risk/
- Why aren't you vulnerability scanning more often? Wrong question.
  - Simple answer -- because scanning doesn't matter if you can't fix the issues you find
  - Example of how security misses the point
  - http://www.csoonline.com/article/2901472/vulnerabilities/why-aren-t-you-vulnerability-scanning-more-often.html
- SecurityScorecard - a new startup that is exposing 3rd party risks to you -- or is it?
  - Interesting business model
  - How legitimate is this, and what are the risks?
  - http://www.businessinsider.com/securityscorecard-raises-125-mill
-
DtSR Episode 136 - Crypto and Privacy with Jon Callas
30/03/2015 Duration: 49min
In this episode...
- Jon Callas gives a little of his background and his current role
- We talk through why cryptography is so hard, and so broken today
- Jon overviews compatibility, audit and making cryptography useful
- Jon brings up open source, security, and why "open is more secure" is bunk
- We talk through "barn builders" vs. "barn kickers" and why security isn't improving
- We talk through how to do privacy, active vs. passive surveillance
- We talk through anonymous VPN providers, anonymization services, and how they're legally bound
- Jon talks about appropriate threat modeling and knowing what we're protecting
- We talk through patching -- how to do patching for Joe Average User
- Bonus -- Mobile is as secure as (or more secure than) what we're used to on the desktop
Guest
Jon Callas ( @JonCallas ) - Jon Callas is an American computer security expert, software engineer, user experience designer, and technologist who is the co-founder and CTO of the global encrypted communications service Silent Circle. He has held major posi
-
DtSR Episode 135 - NewsCast for March 23rd, 2015
23/03/2015 Duration: 51min
Remember folks, as you listen, reach out to us on Twitter and hit the hashtag #DtSR to continue the conversation, and speak your mind! Let's hear what your take is on the stories we discuss... maybe you have a unique angle we've not considered?
In this episode--
- Target settled class-action lawsuit over its data breach - for $10M USD
  - Who wins? Lawyers, clearly the lawyers
  - Burden of proof on the victims to show they've suffered a loss to get up to $10,000.00. If you can't prove loss, you can still try to get part of what's left over of the settlement
  - http://www.usatoday.com/story/money/2015/03/19/target-breach-settlement-details/25012949/
- Federal judge dismisses suit against Paytime -- "simply no compensable injury yet"
  - Leaves door open for future suits if someone were to suffer a compensable injury
  - "Once a hacker does misuse a person's information for personal gain...there is a clear injury and one that can be fully compensated with money damages." -- Judge John E. Jones III
  - Watch this case, read the story for
-
DtSR Episode 134 - Fundamental Security
16/03/2015 Duration: 48min
In this episode...
- Michael C and the team talk about "going back to basics" and the need for security fundamentals
- Michael C talks a little about why we (security professionals) fail at fixing problems at scale
- We dive into the need for automation, and Michael C talks about why creating more work for security professionals is a bad thing
- Michael C and the crew talk through why many of our metrics fail, highlighting the need to get away from the typical dashboard approach of "bigger numbers is better"
- We discuss the balance between false positives and false negatives -- a super critical topic
- Rafal brings up the role security professionals play in software security, and why we can't be expected to drive the daily tasks
- We talk through centralized vs. de-centralized security, and how to understand which works better, and where
- Michael C gives us his 3 key take-aways for listeners (don't miss these!)
- We talk through "assume breach", and what it means for security
Guest
Michael Coates ( @_mwc ) - Currently, Mic
-
DtSR Episode 133 - NewsCast for March 9th, 2015
09/03/2015 Duration: 36min
In this episode--
- Law firm hit and crippled by ransomware, decides it's not paying the ransom
  - They aren't quite sure what got encrypted
  - But they have backups...
  - ...and data was likely not exfiltrated
  - http://news.softpedia.com/news/Ransomware-Hits-Law-Firm-Encrypts-Workstation-and-Server-474788.shtml
- Major law firms form ISAC to fight off adversaries, share intelligence
  - Catching up to the threat they're facing
  - Law firms are major targets, given the data they have ("secrets!")
  - Downside: exclusive to a handful of major firms
  - http://thehill.com/policy/cybersecurity/234722-law-firms-to-share-info-about-cyber-threats
- Big kerfuffle about Anthem's refusal of a 3rd party audit
  - They were under no legal obligation...
  - Who out there would submit to a 3rd party audit/test?
  - Sounds like public shaming, big headline, little story
  - http://www.healthcareinfosecurity.com/anthem-refuses-full-security-audit-a-7980
- Apple Pay being attacked, sort of
  - When technology becomes 'good enough' attackers attack processes, people L
-
DtSR Episode 132 - Good Guys, Bad Guys, and Reality
02/03/2015 Duration: 58min
In this episode...
- We learn the origins of "RSnake" as told by Rob himself
- Rob gives us a peek into the dark side, from his contacts and experiences
- We discuss the black-hat economy as it's verticalized, specialized, and matured
- Rob discusses the balancing act of the good vs. bad and why the situation is as bad as it needs to be
- We discuss some of the things businesses and defenders really need to worry about
- Rob gives us his view of the inevitability of security from SMB to enterprise -- and why things are so good, or bad, or just right
- We discuss the different ways security is being understood, implemented and matured and why it's futile to chase absolutes
- Michael and Rob dive into the labor shortage in security - real, perceived, or misunderstood?
- Rob gives us his outlook on where things are going over the next decade or so
Guest
Robert "RSnake" Hansen - ( @RSnake ) - Strategic. Web security expert. Visionary. Robert brings more than 20 years of web application and browser security experience, innovat
-
DtSR Episode 131 - NewsCast for February 23rd, 2015
23/02/2015 Duration: 42min
In this episode--
- Would you be OK with your credit card company tracking you, to decrease fraud rates? Visa wants to track your smartphone.
  - http://triblive.com/business/headlines/7774328-74/visa-card-fraud
- Your stolen healthcare data is increasingly being sold on the black market
  - http://www.ihealthbeat.org/articles/2015/2/19/security-experts-health-data-increasingly-being-sold-on-black-market
- Lenovo has shipped software that performs a man-in-the-middle (MITM) attack against all SSL connections on some of its consumer laptops. This is really, really, really bad, but Lenovo doesn't seem to get it.
  - http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
  - http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
- The web browser is totally broken, and a haven for malware. Long live the web browser?
  - http://securityintelligence.com/broken-web-browsers-malwares-new-address/
-
DtSR Episode 130 - Where Law and Cyber Collide
16/02/2015 Duration: 49min
In this episode
- Traveler's Insurance files suit against a web development company for failing to provide adequate security, resulting in a breach of one of its customers
  - http://www.law360.com/articles/614158/travelers-blames-web-designer-in-bank-website-data-breach
  - We discuss whether security standards are now "implied"?
  - Does Traveler's have any standing to sue? (Shawn thinks not)
- FTC goes after LabMD for a data breach
  - http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
  - Is the FTC over-reaching?
  - We discuss this statement from the FTC website: "[LabMD failed to] ..reasonably protect the security of consumers’ personal data, including medical information"
- Social media company TopFace pays a ransom to hackers
  - http://www.forbes.com/sites/davelewis/2015/01/31/topface-facepalms-as-it-surrenders-to-data-breach-hacker-blackmail/
  - Face + Palm. We lament why this absolutely terrible decision may have far-reaching repercussions
Guest
Shawn Tuma ( @ShawnETuma ) - In addit
-
DtSR Episode 129 - NewsCast for February 9th, 2015
09/02/2015 Duration: 51min
Topics covered
- Massive breach at American health insurer Anthem - from the "haven't we done this once before?" department, as Queen - Another One Bites the Dust plays in the background
  - https://gigaom.com/2015/02/05/oops-another-big-data-breach-this-time-at-anthem/
  - http://money.cnn.com/2015/02/05/investing/anthem-hack-stocks/index.html?sr=twmoney020615anthemwallst0600story
  - (Obligatory OMG China! hype link) http://krebsonsecurity.com/2015/02/china-to-blame-in-anthem-hack/
- Hackers target brokers, financial advisors -- SEC "does something"
  - http://thehill.com/policy/cybersecurity/231649-hackers-targeting-brokerages-and-financial-advisers
- SEC weighs cybersecurity disclosure rules (why SEC?)
  - http://thehill.com/policy/cybersecurity/229431-sec-weighs-cybersecurity-disclosure-rules
- A promising new technology which detects hacks in - milliseconds? - but what's the use-case?
  - http://www.bloomberg.com/news/articles/2015-02-03/new-technology-detects-hacks-in-milliseconds
- Google launches vulnerability research gran