Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Sep 1, 2014 • 41min

DtR Episode 108 - Security in State Government

In this episode:
- We discuss the largest challenges in the state government sector
- Brian discusses balancing the need for openness versus security/secrecy
- Phil talks about the challenge of balancing policy with agency needs in state government
- Michael asks how state-level security justifies and prioritizes security requirements
- Raf asks how policy is created that can be both effective and broad
- The group talks about metrics, policy implementation, and showing value to protecting citizens
- The guys answer "What's the best piece of advice you've gotten in your career?"

Guests:
Philip Beyer ( @pjbeyer ) - Philip is a security professional with more than 12 years of progressive experience. Currently leading information security for an organization as a function of business goals and risk profile. Consummate generalist with a background in multi-client consulting and specialization in risk management, incident handling, security operations, software assurance (OpenSAMM, BSIMM), and technical compliance testing (ISO 27002, PCI-DSS, HIPAA). Confident leader, problem solver, relationship builder, technical communicator, public speaker, presenter, and security evangelist. Fast-paced learner with a strong work ethic and self-starter attitude.

Brian Engle ( @brianaengle ) - Currently the Chief Information Security Officer & Texas Cybersecurity Coordinator, Brian is a results-oriented executive and leader with over 20 years of progressive experience in Information Technology and Information Security across the government, healthcare, manufacturing, financial services, technology, telecommunications and retail verticals. His specialties include risk management, project management, and cost-effective delivery of appropriate security solutions within organizational risk tolerances. Consummate generalist with a background in effective incident management, security and network operations, vulnerability and threat management, as well as technical compliance evaluation and gap analysis.

Have something to say? Let's hear it.

Support the show
>>> Please consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Aug 25, 2014 • 46min

DtR Episode 107 - NewsCast for August 25, 2014

Topics covered:
- Community Health Systems and UPS Stores breached - an analysis and contrast of the two breaches, the data, and the common message
  http://regmedia.co.uk/2014/08/18/community_health_systems_8k.pdf
  http://blogs.wsj.com/cio/2014/08/20/the-morning-download-community-health-systems-breach-stirs-up-heartbleed-fears/
  http://time.com/3151681/ups-hack/
- The case of the premature declaration of BYOD's death, via an over-hyped court case?
  http://www.cio.com/article/2466010/byod/court-ruling-could-bring-down-byod.html
- "Shadow clouds" (cloud services consumed by enterprises, not approved by security) are on the rise. No one on the show is shocked, and you aren't either.
  http://www.computerworld.com/s/article/9250606/Shadow_cloud_services_pose_a_growing_risk_to_enterprises
- Facebook gives $50,000.00 away for the "Internet Defense Prize", joining Microsoft in trying to make being defensive-minded (and actually solving some security problems, rather than continuing to point them out) sexy
  http://threatpost.com/new-facebook-internet-defense-prize-pays-out-50000-award
Aug 18, 2014 • 42min

DtR Episode 106 - My Compliance is Better Than Your Security

In this episode:
- Jason tells us why he isn't hating on compliance
- Jason talks about how security people are often the source of the issues
- Jason gives us his perspective on compliance-driven security
- Jason correlates compliance to quality assurance in security
- We talk about security's unbroken streak of failing at the basics
- We lament poor metrics, why we suck at them, and what comes next
- We discuss how you can tell whether an investment in security 'is working'
- We discuss the need for repetitive and consistent security
- Jason gives us the three things he wants to leave you with

Guest:
Jason Oliver ( @jasonmoliver ) - Jason M. Oliver, CISSP, CRISC, is the Chief and CEO of Tikras Technology Solutions Corp, a Native American Owned Small Business, President at Arrow Ventures, a seasoned security industry veteran, leader, and lifelong pursuer of knowledge. His unique approach to solving security issues involves individualized plans tailored to meet each specific customer's needs. His high level of unwavering integrity has been met with the highest regard from both customers and peers.
Aug 11, 2014 • 45min

DtR Episode 105 - NewsCast for August 11, 2014

Topics covered:
- Survey shows CISOs still struggle for respect (from business peers)
  http://www.cio.com/article/2460165/security/cisos-still-struggle-for-respect-from-peers.html
- Hold Security uncovers a 1.2 billion password heist on Russian hacker sites (but something smells funny) - draw your own conclusions, folks... I'd love to hear 'em
  http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever
  http://www.youarenotpayingattention.com/2014/08/08/the-lie-behind-1-2-billion-stolen-passwords/
  https://identity.holdsecurity.com/Submit/
  http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
- Yet another Android core software blunder, called "Fake ID", essentially gives "highly privileged malware" a free ride.
  http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-users-to-highly-privileged-malware/
- HP study says 70% of "Internet-of-Things" (IoT) devices are vulnerable. There's a shock: we're carrying around legacy baggage? Perish the thought.
  http://h30499.www3.hp.com/t5/Fortify-Application-Security/HP-Study-Reveals-70-Percent-of-Internet-of-Things-Devices/ba-p/6556284
- Civilian sector is better than the military at a cyber-war exercise. *rollseyes*
  http://www.navytimes.com/article/20140804/NEWS04/308040019/In-supersecret-cyberwar-game-civilian-sector-techies-pummel-active-duty-cyberwarriors?sf29369064=1
- Target booking $148M due to data breach
  http://fortune.com/2014/08/05/target-data-breach-profit/
Aug 4, 2014 • 35min

DtR Episode 104 - JW Goerlich - Security Leaders Series

In this episode:
- Who is J.W. Goerlich (redux from episode - How did he get to where he is now?
- How does the security executive deal with the "moving finish line"?
- JW discusses how 'security' people can break down barriers between "us" and "them"
- We discuss why we still fail at the basics, and what all this means...
- JWG tries to talk about his favorite controls framework
- We discuss what difference it makes where the CISO reports in the enterprise
- What will the CISO be, or need to do, in ~3-5 years?
- We discuss hiring into InfoSec - from outside, or within ... and why?
- JW gives us the one thing you need to remember

Guest:
J.W. Goerlich ( @jwgoerlich ) - Results-driven IT management executive with a track record of building high-performance teams and providing flawless execution. Leverages a background in systems engineering, software development, and information security expertise to consistently lower operating costs and raise service levels. Designs solutions that support long-term strategic planning and create immediate impact throughout the product lifecycle in process and efficiency gains.
Jul 28, 2014 • 40min

DtR Episode 103 - NewsCast for July 28th, 2014

Topics covered:
- Certificate pinning is back in the spotlight with the Gmail iOS app having some difficulties, but there is a bigger issue here. We discuss.
  http://securityaffairs.co/wordpress/26577/hacking/gmail-app-flaw-mitm.html
- Nearly 3 years later, the NASDAQ hack is attributed to FSB/Russian 'state sponsored' hackers, via 2 pieces of "zero day malware". Highlighting the need for attribution, common language, and other issues in security.
  http://www.infosecurity-magazine.com/view/39397/nasdaq-hackers-used-two-zero-days-but-motives-a-mystery/
- Cyber insurance - is this a forcing function to improve overall security, or yet another carpet to sweep security problems under?
  http://www.reuters.com/article/2014/07/14/us-insurance-cybersecurity-idUSKBN0FJ0B820140714
- A judge has just ruled that your "Gmail account" has the same legal protections (or lack thereof) as a hard drive you own. Dangerous precedent, or nothing new?
  http://nakedsecurity.sophos.com/2014/07/22/your-gmail-account-is-fair-game-for-cops-or-feds-says-us-judge/
  also relevant - http://nakedsecurity.sophos.com/2013/08/14/google-says-gmail-users-cant-expect-privacy/

Not discussed, but interesting reads:
- "Operation Emmental" is an assault against 2FA and online banking
  http://secureidnews.com/news-item/operation-emmental-attacks-online-banking-and-2fa/
- Looks like healthcare is next on the list of verticals targeted... filed under things we all suspected, but will soon see
  http://healthitsecurity.com/2014/07/24/how-healthcare-can-learn-from-retails-it-security-mistakes/ (h/t to Eric Cowperthwaite)
Jul 21, 2014 • 42min

DtR Episode 102 - Security Leaders Series - Jim Tiller

In this episode:
- Jim Tiller - a few things you probably didn't know?
- In the last 15 years, what has changed, and what hasn't?
- Why isn't security moving forward?
- "Complexity is the camouflage for bad guys" - Jim
- Chasing the moving line of 'security'
- "Fixing the airplane as it flies"
- How do enterprise security organizations push away from playing 'prevent' permanently?
- Fundamentals, fundamentals, fundamentals ... you're still failing
- What things should CISOs be doing that they're NOT doing right now?
- Where will security be, as a discipline, in 10 years?

Guest:
Jim Tiller ( @Real_Security ) - Jim has been in the security industry since the very early '90s and has continued his mission of working with individuals, groups, organizations, and companies around the world to collaborate, develop, and implement business-aligned security strategies and technologies. Through his career he's worked with and in numerous organizations for the advancement of information security technologies, practices, and standards, and through these activities has helped organizations achieve their goals. Find Jim on LinkedIn here.
Jul 14, 2014 • 46min

DtR Episode 101 - NewsCast for July 14th, 2014

Topics covered:
- The Florida Information Protection Act of 2014 is in the books, and it brings "sweeping changes" to the data breach disclosure process in Florida. Good thing or bad? You decide
  http://www.scmagazine.com/fla-passes-sweeping-data-breach-notification-bill/article/357858/
  http://www.flsenate.gov/Session/Bill/2014/1526/?Tab=RelatedBills
  http://www.flsenate.gov/Session/Bill/2014/1524
- The DoJ has nabbed a 'prolific hacker'... a Russian national. Russia calls it kidnapping. Tensions flare. Again.
  http://mashable.com/2014/07/08/russian-man-hacking-retailers/
- Chinese man charged with industrial espionage
  http://arstechnica.com/tech-policy/2014/07/chinese-businessman-charged-with-hacking-boeing-and-lockheed/
- US banks are calling for a "Cyber War Council" (so much wrong here, it's incredible...)
  http://www.businessweek.com/news/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council#p2
- The ultra-ultra-legacy code problem and why we're not getting security any higher up the ladder any time soon
  http://www.businessweek.com/articles/2014-06-25/the-talent-that-keeps-your-50-year-old-software-running-is-retiring-dot-now-what
- Payroll processing company Paytime was hacked and breached. But in the midst of the rush to file lawsuits, at least one company is pledging to stand by Paytime in this rough time... sanity prevails?
  http://www.witf.org/news/2014/07/at-least-one-company-stands-by-paytime-after-data-breach.php
Jul 7, 2014 • 1h 1min

DtR Episode 100 - Security Wisdom from Dan Geer

In this episode:
- Who is Dan Geer (just in case you live in a cave and don't know)
- Dan's definition of security - "The absence of unmitigatable surprise"
- What exactly is the pinnacle goal of security engineering?
- Responsibility, liability, and when software fails as a result of security issues
- In a liability lawsuit - "What did you know, when did you know it?"
- The fraction of the population who could sign an "informed consent" is falling - so now what?
- Why ICANN is actually making all of this so much worse
- What do we do about "abandoned software"?
- Fixing security bugs in software is a tricky business... good, bad, worse
- Are things getting better [in security]?
- Dan talks about a "diversity re-compiler" and how we can make the exploit writer's job harder
- (from Jason White) What "low hanging fruit" issues are we simply not addressing properly right now?
- (from Jason White) If the Internet were being built from scratch today, what would you keep and throw away?

Guest:
Dan Geer - Dan Geer is a computer security analyst and risk management specialist. He is recognized for raising awareness of critical computer and network security issues before the risks were widely understood, and for ground-breaking work on the economics of security. Geer is currently the chief information security officer for In-Q-Tel, a not-for-profit venture capital firm that invests in technology to support the Central Intelligence Agency. In 2003, Geer's 24-page report entitled "CyberInsecurity: The Cost of Monopoly" was released by the Computer and Communications Industry Association (CCIA). The paper argued that Microsoft's dominance of desktop computer operating systems is a threat to national security. Geer was fired (from consultancy @Stake) the day the report was made public. Geer has cited subsequent changes in the Vista operating system (notably a location-randomization feature) as evidence that Microsoft "accepted the paper." -- http://en.wikipedia.org/wiki/Dan_Geer
Jun 30, 2014 • 48min

DtR Episode 99 - NewsCast for June 30th, 2014

Topics covered:
- Your server may have a hardware flaw that exposes your baseboard management interface to the world
  http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/
- Airports are getting hacked, APT involved, state-sponsored attackers!
  http://www.nextgov.com/cybersecurity/2014/06/nation-state-sponsored-attackers-hacked-two-airports-report-says/86812/
- PayPal flaw renders 2-factor auth on mobile useless; disabled temporarily while they work on a fix
  http://www.darkreading.com/mobile/paypal-two-factor-authentication-broken/d/d-id/1278840?
- FTC vs. Wyndham: another shoe drops, the FTC takes a hit while Wyndham scores a win
  http://www.mediapost.com/publications/article/228730/judge-authorizes-wyndham-to-appeal-data-security-r.html
- Dilbert says it best
  http://dilbert.com/strips/comic/2014-05-19/
