DrZeroTrust

A noted Russian "leader" openly admits to tampering with elections, does that close the book on whether or not that has happened?  An article on the Hill says that "ignorance" is the issue for legislators regarding cyber.  Is it "ignorance" or willful ignoring of the problem?  With the midterm elections going on surely I can't find potentially insecure and misconfigured election related systems?  Right?  And surely the company that has been tasked with securing those election networks isn't at risk, right?  The CIO of the US DoD will release their Zero Trust strategy in the coming weeks, what should we take away from that?  And a great article from Andy Ellis on some of the realities of being a CISO in today's business world.  Those points and more on this episode.

Banks have paid out a massive multi-billion dollar plus to ransomware operations, but where does all that money go?  Is crypto entirely to blame?  Dropbox had a compromise issue, but luckily it's never happened before?  Right?  And it's good that it wasn't related to any companies intellectual property.  Oh wait.  And then let's talk about Chegg.  They get the award for continued cyber negligence I think.  But the FTC is now suing them, even though this is the fourth breach in a few years.  Good thing they moved fast.  Why does this keep happening and how are such major companies getting away with ignoring basic best practices?  Those questions and more on this episode.

A major insurance provider for an millions of people is dealing with a compromise, surely they have buttoned up the easy stuff?  Right?  Wanna bet.  Can I find a misconfigured SSH server that pipes me directly into an adversary nations internal networks?  Maybe.  More problems with TikTok as it gets reported in Forbes that the company was working to access American citizens personal location data "without their knowledge".  Uh oh.  How about the new mandates from TSA for the rail companies?  Do those requirements really have teeth and will they help things?  How many standards for compliance and the legal requirements to do business via digital connections are there?  Guess.  FastCompany got hit via the use of really bad passwords, that must have been a really hard problem to solve.  Right?  Those questions and more on this episode.

How long does it take to find possible vulnerable assets online, about 21 minutes.  Yeah.  Is the OPM data breach "settlement" even worth it?  Surely I can't find admin usernames and passwords with 1234 on the internet, right?  Certainly not for a state or local system, right?  Is data security up to par after a breach?  Why aren't states and local governments willing to work through the paperwork to get a cyber security grant?  That's nuts!  Is the job market getting any better for staffing?  Do trends indicate that?  A free resource for ZT planning, really?  Well, some of it's free but the resources are great.  Do vendors sell "snake oil" or is more a factor of the market at large and are investors and VC's affecting the ability to execute?  Those questions and more on this episode!

Dell has setup a Zero Trust Center of Excellence, that's pretty cool.  Real investment into strategic technology alignment sounds like a good idea to me.  Disinformation around the hurricane Ian fiasco.  How can we defend democracy when folks buy into this stuff?  Are you using Reddit to gain insight into your customer experience, you should be.  How secure is the organization that is forcing me to renew my business and cyber insurance policy, wanna guess?  And what about the Uber CISO issue?  Does that scenario really affect us all?  Those questions and more on this episode.

How many VPN's are out there that might have a configuration issue?  Are there any major companies that might be piping threats into their networks (the answer is probably).  Has Uber fixed the low hanging fruit from it's recent issue?  More ICS and SCADA vulnerable systems aren't out there, right?  Research from ZScaler on the use and adoption of the VPN is interesting, has the tide shifted with this old technology?  Are users really the weakest link, or has the security industry misled that group?  Those questions and more on this one!

Why are security leaders going "scorched earth" when they leave employers?  How can an organization better be prepared to deliver on their promises?  Does ethics apply in technology (it sure should)?  What's the right and wrong way to go about blowing the whistle when the need is there?  Does money paid out call into question the motives for speaking out?  Is it better to go out with a bang or just fade away?  Some hard hitting questions on this one!

What a wake up call this week when working with SMB's on their cyber security strategy and the reality of the space.  Do SMB's use outsourced security, and is that smart?  Does that hurt their overall awareness?  Why aren't things getting patched the way they should even when we have been notified by CISA and others of "critical vulnerabilities"?  Does the upcoming legislation around semi-conductors and silicon pointed at China have any impact on our national security and cyber future?  Those questions and a few more on this one.

Is the news media collaborating to manipulate our collective consciousness?  How would that happen?  Is local news "more true" than national news?  What about OPSEC for the war in Ukraine?  Could an organization cause a kinetic attack based on pictures that came from soldiers sharing via social media?  How does politics play into the space around cyber and disinformation?  Some hard hitting questions in this one to ponder.

How can you secure no code or low code applications?  Is devsecops a real thing?  Does anyone actually do this?  How should organizations look at the risks from these types of "factory made" apps?  Why is the 8200 unit such a big thing in the Israeli cyber scene?  What types of pricing make sense for security applications that you might not own?  How should the market approach the future of application security in an all cloud world?  Those questions and more on this one.