Unlock the future of cybersecurity with the "Dr. Zero Trust Podcast" on all podcasting platforms! Join me as we delve into Zero Trust Security, redefining how we protect data and networks. Explore frameworks, threat prevention, identity management, exclusive interviews, and emerging tech. Whether you're a pro or just curious, trust me: this podcast is where those who value honesty and real insights go for their cybersecurity insights! Tune in on Spotify, Google, or iTunes now. #DrZeroTrustPodcast #Cybersecurity #ZeroTrust
The podcast DrZeroTrust is created by Dr. Chase Cunningham. The podcast and its artwork are embedded on this page using the public podcast feed (RSS).
In this conversation, I discussed various aspects of cybersecurity, including the manipulation of narratives through social media, the implications of leadership structures within Cyber Command and the NSA, personal liability for cybersecurity leaders, emerging trends for 2025, and significant supply chain vulnerabilities. The discussion also reflects on the challenges faced by cybersecurity professionals and highlights key incidents from the past year.
Takeaways
Social media can easily manipulate narratives, impacting public perception.
The dual leadership of Cyber Command and NSA raises concerns about authority and effectiveness.
CISOs face increasing personal liability, affecting their role and decision-making.
Ransomware incidents are expected to remain high, posing ongoing risks to organizations.
Supply chain vulnerabilities can have cascading effects across industries.
Generative AI poses new threats, enhancing the capabilities of malicious actors.
Cybersecurity leaders are experiencing burnout, with many considering leaving their roles.
Reassessing functional dependencies in cybersecurity insurance is critical.
Fortune 100 companies are significantly affected by recent vulnerabilities in web application firewalls.
The year in cybersecurity was marked by significant breaches and challenges, indicating a need for improved practices.
In this conversation, I discussed various cybersecurity reports, highlighting the increasing risks associated with AI, human behavior, and organizational vulnerabilities. I emphasized the need for better security practices, the implications of recent data breaches, and the importance of updated cybersecurity legislation. The conversation also touched on the failures of government agencies to secure communications and the need for accountability in cybersecurity funding.
Takeaways
Fridays are a better time for live streaming.
There is a significant uptick in state-sponsored cyber attacks.
Organizations are not configuring AI services securely.
Human behavior poses a major risk in cybersecurity.
Phishing attacks have a guaranteed click rate of 5%.
Windows has a new zero-day vulnerability affecting multiple versions.
Deloitte experienced a significant data breach.
NIST emphasizes password length over complexity.
Cybersecurity legislation in Canada is facing delays.
The EU has identified substantial cyber threats to its member states.
In this conversation, I discussed the ongoing cybersecurity talent crisis, highlighting qualified individuals seeking employment and the systemic issues contributing to the hiring problem. I delved into recent cybersecurity incidents, their financial implications, and the impact of identity security on consumer behavior. The discussion also touched on government regulations and the need for innovative practices in cybersecurity, emphasizing the importance of proactive measures and collaboration in the industry.
Takeaways
There is a significant talent shortage in cybersecurity.
Qualified individuals are struggling to find work in the industry.
The hiring process needs to be more inclusive and flexible.
Recent cyber incidents have financial repercussions for companies.
Consumers are increasingly concerned about identity security.
Government regulations are often bureaucratic and ineffective.
Innovative practices like micro-segmentation are essential for cybersecurity.
Companies must prioritize transparency and security in their software.
The cybersecurity industry needs to adapt to evolving threats.
Collaboration is key to addressing the hiring crisis and improving security.
In this conversation, Dr. Zero Trust and Kevin Brink discuss the challenges and innovations in implementing Zero Trust security frameworks, particularly within the Department of Defense (DoD). Kevin shares insights on the need for automation in Zero Trust assessments to overcome the limitations of manual processes, emphasizing the importance of empirical data for continuous evaluation. They explore the cost and scalability of Zero Trust solutions, as well as the value of assessing existing security measures against Zero Trust principles.
Takeaways
Automation is essential for effective Zero Trust assessments.
Manual assessments are labor-intensive and unsustainable.
Empirical data is crucial for validating security measures.
Zero Trust can be applied across various industries, not just DoD.
Breach and attack simulations provide quantitative data for assessments.
Cost-effective solutions can scale based on organizational needs.
Continuous monitoring is key to maintaining security compliance.
Zero Trust frameworks can help identify areas of inefficiency.
Integration with existing systems enhances the value of Zero Trust.
Understanding the specific needs of an organization is vital for implementation.
In this conversation, I discussed various aspects of cybersecurity, including recent TSA regulations, stock market trends related to cybersecurity companies, emerging threats from AI-driven phishing scams, the importance of veteran employment in the cybersecurity field, rising salaries and stress levels among cybersecurity professionals, and the need for organizations to address vulnerabilities and improve their security measures. The discussion emphasizes the importance of proactive measures in cybersecurity and the potential for financial gain in the stock market following breaches.
Takeaways
The TSA is proposing new cybersecurity regulations for surface transportation.
Investing in cybersecurity stocks can be profitable after breaches.
AI is increasingly being used in sophisticated phishing scams.
Veterans can fill the talent gap in cybersecurity roles.
Cybersecurity salaries are rising, but so is job-related stress.
Organizations need to patch vulnerabilities promptly to avoid exploitation.
Emerging tools and resources can aid in cybersecurity efforts.
The importance of reporting significant security concerns is emphasized.
Cybersecurity professionals are seeking better work-life balance and training opportunities.
Proactive measures are essential to combat evolving cyber threats.
In this episode of the Dr. Zero Trust podcast, hosts James Pham and Oz Wasserman from Opsin discuss the implications of generative AI in the context of cybersecurity and Zero Trust principles. They explore the evolution of AI, the risks associated with generative AI, and how Opsin aims to secure sensitive data while leveraging AI for productivity. The conversation highlights the importance of understanding the security landscape as generative AI becomes more integrated into enterprise environments.
I discussed various topics related to #cybersecurity, including CISA's new international cyber security plan, the appointment of a new CISO at UnitedHealthcare, the progress of federal agencies in implementing #zerotrust, and the evolving landscape of hacking influenced by #AI. The discussion also touches on a serious hacking incident involving The Walt Disney Company and food safety, insights into hacker motivations, and the vulnerabilities present in critical infrastructure. I really emphasized the need for effective leadership and actionable solutions to address these pressing cybersecurity challenges. #drzerotrust #happyhalloween
Takeaways
CISA's international cyber security plan aims to enhance global cooperation.
UnitedHealthcare's new CISO faces significant challenges post-ransomware attack.
Federal agencies are making progress on Zero Trust implementation.
AI is changing the hacking landscape, making it more accessible.
A former Disney employee's hacking incident raises serious food safety concerns.
Insights from hackers reveal motivations beyond financial gain.
Critical infrastructure vulnerabilities are alarmingly prevalent.
Effective leadership is crucial for solving cybersecurity issues.
Simple fixes can prevent major security breaches.
The conversation highlights the importance of proactive cybersecurity measures.
In this conversation, I discuss the ineffectiveness of compliance violations and fines in changing corporate behavior regarding cybersecurity. I present data showing that fines are often negligible compared to company revenues, making them merely a cost of doing business. I argue for a reevaluation of negligence in cybersecurity and emphasize the need for accountability, suggesting that without significant consequences, organizations will continue to prioritize profit over security.
Takeaways
Compliance violations are often seen as a cost of doing business.
Fines do not significantly impact large corporations' revenues.
Cyber insurance can offset the costs of compliance violations.
Statistically, companies often see stock price increases after breaches.
The current compliance framework does not enforce real change.
Negligence in cybersecurity needs a clearer legal definition.
Fines for violations should be more substantial to deter negligence.
Government organizations often escape penalties for breaches.
The data suggests a need for a shift in accountability measures.
Compliance does not equate to actual security improvements.
In this conversation, I discuss various cybersecurity incidents and trends affecting organizations, including CrowdStrike's stock performance, foreign influence in U.S. elections, cybersecurity failures at Sellafield, and the impact of cyber incidents on critical infrastructure. The conversation also covers recent breaches at ADT and American Waterworks, challenges in healthcare cybersecurity, and T-Mobile's compliance issues. Throughout, I emphasize the importance of robust cybersecurity measures and the ongoing threats faced by organizations.
Takeaways
CrowdStrike's stock has seen a resurgence after a breach.
Foreign actors are actively trying to influence U.S. elections.
Sellafield's cybersecurity failures have resulted in significant fines.
Cybersecurity incidents in critical infrastructure lead to financial losses.
Chinese hackers have targeted U.S. telecom companies for intelligence.
ADT has experienced multiple breaches in a short time frame.
American Waterworks reported unauthorized activity in its systems.
Healthcare organizations are struggling with cybersecurity preparedness.
MoneyGram faced a cybersecurity issue affecting customer data.
T-Mobile is under pressure to improve its cybersecurity measures.
In this conversation, I discuss various cybersecurity topics, including investment strategies in cybersecurity stocks, vulnerabilities in vehicle security, the implications of AI vulnerabilities, the rise of cyber threats related to social media scandals, workforce development initiatives in cybersecurity, the risks posed by North Korean cyber actors, the disconnect between leadership and security teams regarding ransomware, political cybersecurity breaches, the critical state of cybersecurity in healthcare, and the increasing threats to aviation security.
Den Jones talks about why he is launching 909 Cyber for SMBs and other businesses. He and I chat about how to address critical strategic shortfalls for organizations, and he runs us through how he put Zero Trust in place while at Adobe! Don't miss this one!
The conversation delves into various pressing cybersecurity issues, including a recent attack on Hezbollah involving explosive pagers, the implications of cyber warfare, election interference by Iranian hackers, the severe impact of ransomware on healthcare, and the ongoing challenges of data privacy. The discussion also critiques the effectiveness of cybersecurity reports and the need for more substantial recommendations in the industry.
In this conversation, Aaron Shah from Cybermaxx and I discuss the complexities of cybersecurity, emphasizing the importance of understanding both offensive and defensive strategies. We explore the dichotomy in cyber operations, the adversarial mindset, and the common misconceptions clients have about their risk levels. The discussion also covers the role of Managed Detection and Response (MDR) services, the challenges faced by small and mid-sized businesses, and best practices for effective cybersecurity management.
In this conversation, I discuss various topics including music licensing, the recent school shooting in Georgia, the impact of cyber security breaches on corporate reputation, the glitch in Chase Bank ATMs, the warning from Warren Buffett about cyber insurance losses, Chinese hackers exploiting software bugs, the launch of a cyber incident reporting portal by CISA, a bipartisan bill to strengthen healthcare cybersecurity, and a judge granting a request to suppress a cyber expert's efforts to warn the public.
In this podcast episode, DrZeroTrust discusses various cybersecurity topics, including a partnership between G2 and security vendors, a cryptocurrency scam that led to the collapse of a Kansas bank, weaknesses in the FBI's cybersecurity practices, a breach at National Public Data, the state of phishing training, the use of AI chatbots by police officers, new cybersecurity rules proposed by the FAA, a lawsuit against Georgia Tech over cybersecurity failures, and allegations that the Biden administration pressured Meta (formerly Facebook) to censor COVID-19 content. DrZeroTrust emphasizes the importance of contributing to the cybersecurity community and encourages individuals to think critically and conduct their own research.
In this conversation, I discuss various topics including the US Army's failed $11 million marketing deal with the UFL and Dwayne 'The Rock' Johnson, the state of ransomware in state and local government organizations, the Mimecast Global Threat Intelligence Report, the reliance on a few tech companies for critical aspects of the economy, the need for campaigns to report cyber breaches, the vulnerabilities in open source software, and the findings from the IBM Cost of a Data Breach Report.
Evgeniy, the author of a book on soft skills in technology sales, discusses the importance of soft skills in the tech industry. He emphasizes the need for curiosity, the ability to overcome fear, and the importance of practicing soft skills outside of work. Evgeniy also talks about the flaws in the way conferences are organized and suggests a more networking-focused approach. He advises against making assumptions and encourages asking questions to better understand others' needs. The conversation highlights the value of visualization and the power of listening.
Get a copy here: https://www.softskillstech.ca/
What should we know about the "possible" DDoS hit on the Trump X broadcast? What does another breach of billions of records mean? Even if it's got criminal record and background information? Uh oh. And more on this one!
In this conversation, I interview Gentry Lane, CEO and founder of Nemesis Global, about cybersecurity and the challenges faced in the industry. We discuss the lack of leadership and strategy in national cybersecurity, the need for a global, interoperable system platform for early detection and threat recognition, and the ineffectiveness of current cybersecurity measures. Gentry emphasizes the importance of taking action and implementing radical changes to address the persistent aggression on critical infrastructure. She also highlights the need for technical expertise and a shift in mindset within leadership positions. Overall, the conversation calls for a more proactive and comprehensive approach to cybersecurity.
Keywords: cybersecurity, leadership, strategy, critical infrastructure, early detection, threat recognition, technical expertise
Was my full body scan MRI worth it? IBM's data breach report is out; what should we pay attention to? Did CrowdStrike's issue reveal more about how fragile our connected world is? And are deepfakes protected speech? Lots to discuss on this one!
What are Non-Human Identities, and why should we care? What does a four-time CISO have to say about this issue? Does Zero Trust stand up to his scrutiny? Don't miss this one!
DDoS hosts get arrested, but is it really a legit punishment? Cisco has an issue with remote access and a level 10 vuln, uh oh! Deepfakes are up over 1000% in countries with elections in 2024! And Snowflake adds MFA, after their issue, hurray! Buckle up!
In this conversation I discuss the Confucius Institute, cybersecurity search engines, ransomware defense evasion tactics, the GOP platform on protecting critical infrastructure, the OpenAI breach, cybersecurity concerns in the automotive industry, the White House's push for increased cyber funds, and the healthcare industry's pushback against cybersecurity reporting rules.
Takeaways
Augusta, Georgia is not an exciting place to visit
The Confucius Institute raises concerns about its funding and curriculum
Cybersecurity search engines like Greyhat Warfare can provide valuable information
Ransomware attackers are focusing on defense evasion tactics
The GOP platform emphasizes protecting critical infrastructure from hackers
OpenAI faced a breach but did not inform law enforcement
The automotive industry is increasingly concerned about cybersecurity
The White House is seeking increased cyber funds for federal agencies
The healthcare industry is pushing back against proposed cybersecurity reporting rules
New "listening" sites in Cuba, uh oh. Is Temu a threat? It is from China. OpenSSH has some serious issues. Will the Supreme Court affect our cyber security posture? TeamViewer gets hit as well. Buckle up!
Did Microsoft's leadership really say they don't have to play by China's rules? Did they potentially lie in front of Congress? Have you ever read the book that is guiding Chinese cyber warfare strategy? I'll tell you where it is. Those important points and a WHOLE lot more on this one.
US government contractors pay big fines for doing "no no's" on cyber; why isn't that happening more often? A crime-related database was hacked and leaked, not good for those who filed complaints. Microsoft's CEO took a beating on Capitol Hill for the company's issues with security, ouch. And more on this one!
What does it mean to be Breach Ready? A CISO tells me all about his views on this. How should we think about micro-segmentation? Is it really that hard to do right? Where should controls be applied to help limit lateral movement? Can software really help you be ready for an 8K filing with the SEC?
What does it take to really get hit hard for a "cyber" crime? Deepfake the President and find out. Why is it a risk to have a single vendor running all government IT systems? And how does that seem like "fair" competition as required by law? What is skill based hiring for cyber and is that a good thing? Check this episode out!
What should we know about micro-segmentation? How important is a policy engine to Zero Trust enterprises? Where does the focus for network controls need to be? And more on this one!
Was that Nigerian prince who wanted to share his money with you real? The US DoJ files paperwork on a Russian Lockbit "mastermind", so what? How much is it going to take before we see real action based on the aggression we see from our adversaries? Those and more on this one! Don't miss it!
What is cyber GRC? Why do we need to concern ourselves with it? Can any business do this? How can a business achieve smart compliance? Does AI introduce risk to the process or benefit it? Lots of great stuff here with Cypago.
Meerkats are dangerous, I guess. Especially in DNS. Yeah, that Meerkat. Why should we know about this type of attack? How does China play in here? Where is the risk? Does this type of attack merit increased concern?
Is the VPN a security technology? Should businesses still use that risky technology? How can an organization move off that old tech? Where do VPNs fit into Zero Trust? Xage's Co-Founder gives some great insights here.
What is RAG and why does it apply to LLMs? Why should it be confidential? How does that work? Where can we do this? And what is the way forward for customers? SafeliShare's CEO shares some insights here. Check them out at RSA this week!
A coach used a deepfake to frame one of his coworkers, signs of things to come? GPS is being messed with, should we worry and is it safe to fly? The White House released more requirements for the same stuff we already have requirements for? And does the United CEO's testimony hold water? Listen up!
Mandiant says attacker dwell time is "going down," but how is that measured? Is that accurate? TikTok finally gets the treatment it "deserves" with a proposed sale or ban, but is that going to make a difference? Another agency is created for cyber diplomacy, yeah (your tax dollars at work). And a known Russian cyber group attacks a town's water supply and floods nearby areas; doesn't that constitute some reciprocity?
What is Lumu's AutoPilot? How can you use this? Why did they build it? Who is it for? Can you afford it? Lots of great insight in this one! Congrats to Lumu on a new, innovative offering! Meet them and learn more at RSA2024!
Where does all our tax money go? Want to know about government waste, man this is nuts. How is the state of ransomware in the US, is it getting better? More on the Google Chrome incognito mode fiasco. And more on this episode!
Should you worry about the FISA debate? Azure has internal passwords left exposed, whoops. Some reports on Zero Trust from big government, it's actually happening. Healthcare org is hit twice with ransomware, ouch. Mo' money in cyber, good thing or bad?
Was Incognito mode from Google really "private"? Don't think so. What does the report from the fed say about Microsoft's issues with the China hack? Attacks are already bypassing "AI" solutions, shocker. More on the XZ Linux backdoor as well. Check out this episode and tell me what you think!
Meta was caught with their hands in the trust cookie jar again. Nissan put out a notification of a breach. Citibank is refusing to pay for customers' life savings that are stolen via cyber, ouch. CISA has more requirements for reporting on critical infrastructure hacks, but how bad is that problem? Those insights and more on this episode!
How much money did Congress allocate for cyber? Was it enough and what agency got the lion's share? An Israeli nuclear facility has been hacked, that's no bueno. What does Talos tell us about Tiny Turla? A murder suspect gets released due to a cyber technicality, who is liable for that one? Those questions and more on this episode!
The President and the White House have put out some new "requirements", do they actually matter? Are we seeing early attacks or testing going on as we run up to the election? WTF is Hugging Face and why should you know about them? How did the ransomware group BlackCat get into a mix about payments? And are companies complying with the new SEC rules? Can they even do so? Those thoughts and more on this one!
POTUS has a TikTok account, why? Isn't that a problem (we just had congressional briefings on that exact issue)? How do we think about FUD in our marketing for cyber, and why should or shouldn't we use the data that we have in our GTM? There is a fundamental DNSSEC flaw in the internet; is it getting patched? And more on this one!
Is the new AI leader the right choice for that role? How do we keep China out of our critical infrastructure when it's so hackable? Who got deepfaked for 25 million dollars? And how does a cyber trade school help us address the shortfalls of human capital in our space?
What happened when the social media CEO's went to congress? Should we be impressed? Is monitoring your kids social a good thing? If Taylor Swift isn't safe from deepfake attacks is anyone? Is there legislation that can help with deepfakes, or is it all fluff? Should you pay attention to the adversaries posting 3k comments about using GPT's for hacking? And more rhetorical questions on this one!
Oh boy the ZScaler super ZT AI powered SD-WAN SASE blah blah. Wow. Some good research from Forescout on what you should prioritize from the attacker perspective. Key findings from 2023 that show us what the adversaries are focusing on. And the MOAB (Mother of All Breaches), should we be concerned. Enjoy this one.
OpenAI removes its ban on their products being used by the military and DoD; should we care? What do I think? The WEF says Zero Trust is needed, ok cool, so what? Google has issues with cookies and OAuth. IBM says the "Quantum Apocalypse" is coming; should you build your bunker yet? Those and more on this one!
Chris and I cover all kinds of items in this one. Why should we care that there is a ZT certification now from the Cloud Security Alliance? Is that a good thing? What about other certifications? Why is the industry still doing the same stuff and nothing changes? Do the big players muscle out the little guys to the detriment of us all? Those and more on this one!
23andMe tells us it's our fault they got pwned. Yeah. Wickr is done, but why? ZeroFox won a big award, but what does that mean for the US government and identity? Some budget facts for 2024 thinking in cybersecurity. Another company refuses to pay their ransomware bounty, good or bad? Mandiant's X account got hacked and used for a crypto scam, lol.
Is it time to finally deal with the China cyber threat? Has the back and forth with Ukraine and Russia shown what the future of cyberwarfare looks like? What does the Qualys report about vulnerabilities teach us about #notsuckingatpatching? SSH is in big trouble, what do we do, and how big is the problem? Almost Christmas y'all!
What new things did I learn about the 23andMe breach? Why are they changing their terms of service? Is a cyber Pearl Harbor a real thing, or should we think differently about the current state of attacks? Is reducing headcount for cyber a good idea, or even possible? How bad is Google data security? Those questions, comments, and more on this episode!
What's up with the Okta fallout? What does Uber's former CISO say about the SEC and dealing with a hack? How hard is it to find a hackable water control system when the problem with it is published in the news? Do companies really use "ai" to write fake articles? Are you paying for it? Those points and more on this episode!
How does a CEO of a tech company view security? How does she run a company that is totally remote? What does her relationship with her CISO look like? What should I tell my daughters about being a woman in tech based on her experience? And more on this one!
Solarwinds fires back at the SEC! It's about to go down! Trustwave has some great insight on hacking medical devices, don't be tempted! The Okta breakdown of what happened and when. Github releases some "AI" to help with security "left of boom." And more on this episode!
What statute is the SEC using to go after the CISO at Solarwinds and why should we worry about it? Or should we? What is a keyword search warrant and does that threaten our privacy and legal system? What is a .tk and why is that island chain the "global home of cybercrime?" The White House has another task force meeting on ransomware but it's just getting worse, why? Those points and more on this episode!
Meta is in trouble for creating an addictive application for kids, but what does that say about us as parents? How do we solve that problem (it's simple). Flashpoint has some great data on threats, you should check it out. What about the insider threats and the NSA, Alaska Airlines, and others? How do we fix that problem? And Recorded Future analysts have found valid links between Iranian threat actors, Russia, and the Israeli conflict, wow! Check this one out!
You gotta listen to this one. Some hard-hitting topics are discussed. What is China up to with their cyber ops? Is Russia playing in the field during the Israel conflict? Where do we go from here at the national level? Are we already losing the superpower race via cyber?
Home cybersecurity insurance? What's that all about. Some great research from Google on talking to the board about cybersecurity. Microsoft Defender "auto-secures" machines now. How viable is that? Some points on the conflict currently ongoing and cyberwarfare as well.
What's the scariest sound you can hear in the middle of the night? It's not what you think. Microsoft and Bing have some "splaining" to do as their system is helping generate images of SpongeBob and other cartoons attacking the World Trade Center. WithSecure has some really solid insights on the tactics and tools that bad guys use. Cisco Talos found that QakBot is back, shocker. And how will AI and deepfakes affect elections? Ask Slovakia. Those points and more on this episode!
How does a CEO of a unicorn company view cybersecurity? How does the board of such a company look at the risks of cyber threats? Does insurance make sense for those leaders? What about the big acquisition in recent days, does that affect the overall market? Those questions and more on this episode!
Rick Moy and I discuss ZT and the cloud. How developers can and should look at security (it's not how you think). Dealing with ethereal assets, 5G and a whole bunch of other great issues in this episode!
Should executives ever be exempt from security standards and practices? The answer rhymes with bell no. MGM got hit with ransomware via a third party and some social engineering, but they spend hundreds of millions on security. So what should we learn from that? CISA wants to offer free scans for utilities; is that a good or bad thing? Congress wants to legislate around deepfakes for elections; how will that work? And a major university was found to be fudging their self-certification for compliance, whoops! Those and more on this one!
What is Surf's new RBI extension? How does this fit with Zero Trust strategically? Why is RBI now a "thing" in security? Is this just for enterprises or all businesses? How hard is it to configure this thing? What about third parties and developers, does this help them be more secure? Those questions and more on this one!
Data from Blackberry points to the same methods of exploitation, shocker. Some recent revelations from the National Security Agency and #china threat. Additionally, more insights on some of the flaws in our #compliance and #regulatory #cyber spaces. SeeTickets gets hacked, again. What's up with that Dallas City hack? Those and more on this episode!
Cyberpsychology and the hacker mindset, what should we think? Malwarebytes and their funding and layoffs, what does that indicate about the market? AI and LLMs aren't people, stop treating them like they are, from MIT. Compliance does not equal security, say what? Phishing as a service gets smarter according to Microsoft. The FBI "brought down" a massive botnet; they'll never come back, right? And a very suspect claim from a vendor on their "response time." All that and more on this one!
Thoughts on the recent RNC candidate debate where cybersecurity never came up, super. China is using LinkedIn to recruit spies; how can you know when you are targeted? Trustwave published new research on BEC hacks; what do we get from that research? Two guys are arrested for laundering money via crypto; is that a treasonous act? Macs get some new malware, hurray! Ransomware group deletes a provider's entire customer base's data, whoops! Those and more on this one!
How to defend from a "Zero Day" attack that is "not in any anti-virus" engine. Proxy wars from AT&T. Interesting data from Flashpoint on the underground market. Is CISA really enforcing effective controls if they rely on training? Irish police department has a data breach that might lead to terrorist targeting, yikes! And rethinking the terminology and understanding around cyberwar! Those points and more on this episode!
Insider threats are a real thing, do you have the tools to detect malicious intent before it becomes a threat? How do we know if behavior equals threat? More data on ransomware and the insurance market. Companies selling insurance are considering "ratings" for premiums. Halcyon identifies "new" threat groups, or is it the same one with a new fancy name? The new cyber workforce plan, good or bad? Those questions and more on this episode.
Does the Veterans Affairs Administration really do all it can for Veterans? I have a tale to tell about this one folks. Sophos released a report on the current state of ransomware for education, it's not encouraging. Ivanti has a bug that should be patched for mobile security customers. The FBI used a FISA database improperly, interesting. Cofense has some new data on phishing as a threat, guess what, it's still a thing. And some thoughts on the 4-day rule from the SEC for disclosure of breach activity.
SecOps teams have faith in their tools, but question if they will "miss" something? What? Administration releases plan for IoT security and labeling, how will it work? Top 10 predictions for 2023 and security. That Zero Trust thing is still in there I hope. The upcoming election and the explosion of AI are already going bonkers, what is next? Those questions and more insights on this episode!
An AI girlfriend talked a kid into trying to kill the Queen of England with a crossbow, yeah. Fortinet vulnerability, how bad is it and are we patching fast enough? What is the number one avenue of exploit for cloud? Hint, it rhymes with bumans. Japan's largest port is under ransomware attack, uh oh. What CEOs really think about their security teams from the World Economic Forum, and more on this episode!
An event in NYC with BeyondIdentity made me sad for the state of the market, why? What happened with the Supreme Court and the 1st amendment via cyberstalking, huh? "Never before seen hacking tactics" from Chinese APT says Crowdstrike, you sure about that? A church brings "AI" to preach, did they just impact religion? Those points, some hard hitting questions and more on this episode!
Is it possible to take a different approach to threat detection and do better? Why are endpoint security solutions missing the threats that we buy them to detect? Is a counter-terrorism method applicable to threat hunting? How does malware evade allow listing in some instances? What gaps in coverage are we seeing from methodologies for threat intelligence? Those questions and more on this episode!
Samsung is dealing with an insider threat that tried to copy their entire chip manufacturing plant, wow! CISA issued a "binding" directive for ZT, but how binding is it really? The top 10 from the Verizon DBIR, what does that tell us about the space? Another Presidential candidate uses a deepfake to target their adversaries, should we worry? A mother deals with a deepfake voice attack where her daughter is "kidnapped", does this bode well for our collective future if criminals are vectoring in on this type of attack? 99% of organizations expect an identity related compromise this year, jeez (#killthepassword already). Those points and more on this one!
NSA released a guide on securing remote access, cool so what should we learn from it? ILTA has produced a study about law firms and their cybersecurity practices. Are they prepared for the threats they face? Deepfakes are showing up on TikTok with stories from dead kids asking for followers (seriously). Lumu published a blog on how MSSPs can adapt to better serve their customers. What should we know about that? Forbes published an article about the "most cybersecure companies" in the USA, that's a great idea right? Those points and more on this episode!
YouTube flagged my content for PII violations, but what did I do to get put in the penalty box? CISOs plan on investing more for cybersecurity over the next few years, new research from Nuspire indicates the growing spending trend. Mitiga has found some configuration issues with Gdrive and Gsuite, what should businesses know to defend themselves? Armorblox says brand impersonation is increasing, how much of a threat is this type of attack? Gigabyte hardware and firmware has been found to be shipped with embedded backdoors, uh oh. The IDSA has produced some new research on the status of IAM and strategy, what can we learn from that? And G2 has unbiased reviews on security tooling and solutions, what can you learn from visiting that site? Those points and more on this episode!
Ever wanted to learn the difference between a Llama and an Alpaca? We talk about that here. Weird but interesting. Crowdsec discusses their approach to changing the way we handle malicious IPs and domains. Their approach to Zero Trust as part of a global network is innovative. We chat about how open source solutions can help businesses of all sizes better defend themselves. Some discussion on collective threat intelligence, and conversations about sharing information to dynamically defend the network.
Should we be concerned that our leaders (and former leaders) are posting deepfakes onto social media? What can we learn from the Uber case and the final decision by the lawmakers? What did the general counsel do in that case, what about the CEO? How should we plan for a ransomware attack? Can we learn from the lessons that a CISO has been through and be better prepared (hint: yes). When is the best time to learn when to fight, before the event or during? And was I wrong about my thoughts on executive punishment for breaches, probably...
Are K-12 organizations and universities prepared for the onslaught of cyber threats? How long does it take me to find a vulnerable school district? It ain't long. An appeals court has upheld Merck's claim in the NotPetya case. What does that mean for cyber insurance, and why does this make me so happy? Iran is moving quickly into the realm of influence operations, are they mirroring the Russian operations and how will this affect the upcoming election cycle? ChatGPT had a breach issue, how much of a threat or problem is this? Should we have expected anything less? Phishing is getting worse, statistically speaking, but how is this possible with all of the training we get? Is there a technical alternative that works? Those questions and more on this episode!
How hard is it to use "ai" to clone your own voice? I did it and you can hear the sample on this podcast. What should we learn about the recent Pentagon leaker? Was it a technical failure, insider threat, or failure of leadership? What does MIT say about privacy for ChatGPT and "ai" and are there violations taking place? Are Macs a viable target for ransomware, seems like that is a reality now. Those questions, points, and a lineup of some of my schedule at RSA if you happen to be around!
Can ChatGPT make me a less crappy programmer? That isn't hard to be honest, but there are implications to consider. Can you use AI (I really hate using that term but you can't beat the market I guess) to be an artist? Does that impact other talented people's future earning potential? How hard is it to use StableDiffusion to create bogus images? How bad was FTX's cybersecurity? Hint: It rhymes with pepto-bismol. What else should we know about cyber insurance and who do insurers actually "take care of?" What about the leaks from the DoD? How does this keep happening? Those points and more on this episode!
How many vulnerable systems out there are connected to the internet with a ten year old vulnerability, with RCE, and have no authentication? Surely the answer is 0? Operation Cookie Monster took down a dark marketplace, so what? Should there be a victory lap? KnowBe4 published some research on state and local security and BEC statistics, what should we learn from that document? Fake ransomware attacks are taking place, what the hell is that? Crowdstrike and others are publishing on threat groups, but the nomenclature is all over the place. How do we know what attackers are doing what if we can't align on the naming conventions? More insights on the Silicon Valley Bank fiasco (the executives did some "questionable" things). What does that mean for the cybersecurity market at large? Those questions and more on this episode.
Did the Pope wear a puffy jacket? So what? How might applied deepfakes be used to manipulate the collective narrative? What about our political system? Cofense published their annual report on the state of email security. What can we learn from that? Cymulate also published their analysis of more than 1 million security assessments. What's in there for us to learn? Lloyds CEO said they might take a hit on their cyber insurance offering due to their policies around the "war clause". Ok, what's the big deal? Ivanti published a report on government cyber security status. Surely all is well if the government is involved (and this is a global analysis, not just the US y'all.) Those points and more on this episode!
Not Blockchain...Or, kinda...But not really? Anyway listen to smarter folks than me (lots of those) talk about how we can innovate around the use of distributed ledgers as part of a security strategy. And how is this approach being accepted internationally, especially in Australia? Cool new methods of enabling security with the folks from Tide (not the soap, the security guys). Some solid conversation on this one y'all!
Did I spread misinformation about the SVB fiasco? Uh oh. Did Ring get hit with ransomware, and are they secure? What weird ports do Ring cameras use? Rubrik has some issues going on, but did they handle it well? Is it smart to market your organization or brand as Zero Trust? Oh crap I am in trouble. SpaceX may have been hit via a third party, ouch. Why does third party risk continue to lead to compromise? A recent report states that you can make up to 250k as a developer for the dark web. Might be time for a career change. Those points and more on this episode!
30% of dark web operators are women, according to TrendMicro. That means more women are operating in the criminal side of cyber than on the defender side, wow. The TSA is pushing new requirements for airports and airlines, but how secure are they and the FAA? Layoffs are showing up in cyber, even though companies are doubling or even tripling their profits in the only market that has negative unemployment. Why? What does that tell us about those companies and their strategic execution? Some tips on what to do if you are a business user of LastPass. And more on this episode!
US SOCOM had emails exposed to the internet for weeks thanks to a cloud misconfiguration. Surely it's not still messed up? Is the US Treasury as secure as it should be in regards to cyber? What about using ChatGPT to send emails to students when a mass casualty event occurs? Good or bad idea? Does the Supreme Court understand the technology they are enforcing and drafting laws about? What about section 230 and the big tech providers? 50% of CISOs say they are burnt out and it's only February, how can we help one another? Those questions, my dog goes bonkers, and more on this episode!
Should we worry about the spy balloon? Why not? Gartner published some "research" on Zero Trust and how they don't see the strategy as a silver bullet. Awesome. Let's analyze that game changing paper. Venturebeat also published a report on how to get wins from your Zero Trust endeavors this year, what should we pay attention to there? Why wasn't cyber a topic during the State of the Union? PWC published a good report on the executive sponsorship for security in large organizations, what can we learn there? Those topics and more on this episode!
Can we have a national and international strategy that addresses ransomware? How would that work? Is it better to address the "how" of those attacks or the "why"? What should we do to remove the incentive for these attacks? Would a US first approach make us a bigger target? What about kinetic attacks on those hacker groups? Those questions and more on this super episode!
What happens when marketing attacks and goes "bold" without really understanding their position? Is it smart to also not pay attention to your social profiles (lol)? Why is the DoD Red Teaming their ZT providers? Should you do the same as part of your strategy? Why not? Organizations aren't taking cyber warfare seriously according to Armis research, but why? Is that wise? Blackberry says malware is basically published at a rate of about one new sample per minute, wow! And Akamai has published some research on the Windows CryptoAPI, what does that mean? Those points and more on this episode!
What the h*ll is quantum really? Why should we care? Does cracking an algorithm with quantum change the balance of power globally? Is quantum potentially a WMD? How can this technology be used by our government and others? What about the banking system and quantum applications and risks? Those questions and more on this very nerdy episode!
Checkpoint released a report on the wrap-up from 2022, what can we learn from that analysis? It's a super cool report by the way, ping me for the link! How secure or insecure are the education systems in the US? Can I find some glaring issues? China wants to "work with" the UN on addressing disinformation, ok. Lol, sure. What do they mean? A major shipping system is hit with ransomware, uh oh! Orange published some research on the criminal mindset and motivations for ransomware operators. Wow that is very interesting, but what should we take away from that research? Norton got problems y'all, what can we learn from the problems they face? Those points and more on this episode!
Is TikTok really a threat to national security? Why should we be concerned about this app? Should your kids be on this thing? What are the implications for national security and those folks who have clearances? Where does this all go in the next year? What about social media and the justice system? Are you still able to get a fair trial in today's news cycle focused world? How does that affect our future? Those questions and more on this one with an expert who served in the FBI!
Welcome to 2023 y'all. Let's get into the new year by looking at some news you need to know. A major FAA system went down and caused an outage for all of Florida. How secure is the FAA, and what about other airport safety systems? Surely, no misconfigurations there. Right? Links to study guides for OSCP cert via Reddit, pretty cool huh? A hospital was hit with ransomware then the bad guys gave the key away for free. What does that reveal about the business model for those threat actors? The best example of how "useful" GDPR is, via a hack. Lol. Those points and more on this one!
Okta has an issue with their source code and a GitHub breach. Does that matter, and if so why? Is the FDA asking for more funding a real issue, and are they secure enough to be mandating legislation? 1Password published an interesting analysis on the state of access for 2022, what can we learn from that? What about this ChatGPT thing, how can it be useful and is it a threat? And the most egregious example of combining marketing, social media, TikTok, and a lie that have influenced millions is discussed. Those points and more on this episode!
Why are certs hurting the industry? Are they really? How much does it cost to get an entry certification? Why so much? Is the process for certifications fair for everyone? Should companies have a fellowship track for non-manager technologists? How do we get past this problem? Is HR in the way of fixing the cyber security hiring crisis? How hard is it to fix the problem with management and onboarding? Could a CISO get their own job based on the HR filtering system? Those questions and more on this episode.
Do buyers always configure vendor security solutions correctly? Is there a magic button to push and then your organization is secure? Do vendors have no risks or avenues of compromise? How bad is the MSQL database security that is out there right now (think millions)? The DoD released its strategy for Zero Trust, what should we take away from that? Amazon recently started offering a security data lake, is that a good thing? The White House and Starlink were hit by a threat group via a DDoS attack, so what? And another attack on an island nation that is now working off of paper to run the government, super. Those points and more on this episode.
A former Forrester analyst and a former Gartner analyst talk about the market and a variety of topics. Is it a good idea for layoffs to be taking place right now in cyber as the economy takes a dive? How will that affect our collective security? What should you know about analyst reports like the Wave or the Magic Quadrant? Does security product bloat actually hurt operational capabilities? Should automation be everywhere? How does strategy start, and where? Why do customers still run towards point solutions, rather than broader strategic offerings? What about the new book "The Art of Selling Cybersecurity"? Those questions and more on this one.
Zscaler has come up with their own certification for Zero Trust. Is that a good thing? What else is up with Medibank and how bad is the security for the Australian government that is pushing the formation of these new "hack back" teams? Is that even a thing? China is using universities to plunder research and intellectual innovations from America, so what? Why isn't that more of a problem? Don't we have a means to address this insider threat activity? Navigation systems for pilots were affected recently, did you hear about that on the news? Why not? How much financial impact can one tweet have on a major company? It's a lot y'all. Those questions and more on this episode.
A noted Russian "leader" openly admits to tampering with elections, does that close the book on whether or not that has happened? An article on the Hill says that "ignorance" is the issue for legislators regarding cyber. Is it "ignorance" or willful ignoring of the problem? With the midterm elections going on surely I can't find potentially insecure and misconfigured election related systems? Right? And surely the company that has been tasked with securing those election networks isn't at risk, right? The CIO of the US DoD will release their Zero Trust strategy in the coming weeks, what should we take away from that? And a great article from Andy Ellis on some of the realities of being a CISO in today's business world. Those points and more on this episode.
Banks have paid out a massive multi-billion dollar plus to ransomware operations, but where does all that money go? Is crypto entirely to blame? Dropbox had a compromise issue, but luckily it's never happened before? Right? And it's good that it wasn't related to any company's intellectual property. Oh wait. And then let's talk about Chegg. They get the award for continued cyber negligence I think. But the FTC is now suing them, even though this is the fourth breach in a few years. Good thing they moved fast. Why does this keep happening and how are such major companies getting away with ignoring basic best practices? Those questions and more on this episode.
A major insurance provider for millions of people is dealing with a compromise, surely they have buttoned up the easy stuff? Right? Wanna bet. Can I find a misconfigured SSH server that pipes me directly into an adversary nation's internal networks? Maybe. More problems with TikTok as it gets reported in Forbes that the company was working to access American citizens' personal location data "without their knowledge". Uh oh. How about the new mandates from TSA for the rail companies? Do those requirements really have teeth and will they help things? How many standards for compliance and the legal requirements to do business via digital connections are there? Guess. FastCompany got hit via the use of really bad passwords, that must have been a really hard problem to solve. Right? Those questions and more on this episode.
How long does it take to find possibly vulnerable assets online? About 21 minutes. Yeah. Is the OPM data breach "settlement" even worth it? Surely I can't find admin usernames and passwords with 1234 on the internet, right? Certainly not for a state or local system, right? Is data security up to par after a breach? Why aren't states and local governments willing to work through the paperwork to get a cyber security grant? That's nuts! Is the job market getting any better for staffing? Do trends indicate that? A free resource for ZT planning, really? Well, some of it's free but the resources are great. Do vendors sell "snake oil" or is it more a factor of the market at large, and are investors and VCs affecting the ability to execute? Those questions and more on this episode!
Dell has set up a Zero Trust Center of Excellence, that's pretty cool. Real investment into strategic technology alignment sounds like a good idea to me. Disinformation around the Hurricane Ian fiasco. How can we defend democracy when folks buy into this stuff? Are you using Reddit to gain insight into your customer experience? You should be. How secure is the organization that is forcing me to renew my business and cyber insurance policy, wanna guess? And what about the Uber CISO issue? Does that scenario really affect us all? Those questions and more on this episode.
How many VPNs are out there that might have a configuration issue? Are there any major companies that might be piping threats into their networks (the answer is probably)? Has Uber fixed the low hanging fruit from its recent issue? More ICS and SCADA vulnerable systems aren't out there, right? Research from Zscaler on the use and adoption of the VPN is interesting, has the tide shifted with this old technology? Are users really the weakest link, or has the security industry misled that group? Those questions and more on this one!
Why are security leaders going "scorched earth" when they leave employers? How can an organization better be prepared to deliver on their promises? Does ethics apply in technology (it sure should)? What's the right and wrong way to go about blowing the whistle when the need is there? Does money paid out call into question the motives for speaking out? Is it better to go out with a bang or just fade away? Some hard hitting questions on this one!
What a wake up call this week when working with SMBs on their cyber security strategy and the reality of the space. Do SMBs use outsourced security, and is that smart? Does that hurt their overall awareness? Why aren't things getting patched the way they should even when we have been notified by CISA and others of "critical vulnerabilities"? Does the upcoming legislation around semiconductors and silicon pointed at China have any impact on our national security and cyber future? Those questions and a few more on this one.
Is the news media collaborating to manipulate our collective consciousness? How would that happen? Is local news "more true" than national news? What about OPSEC for the war in Ukraine? Could an organization cause a kinetic attack based on pictures that came from soldiers sharing via social media? How does politics play into the space around cyber and disinformation? Some hard hitting questions in this one to ponder.
How can you secure no code or low code applications? Is devsecops a real thing? Does anyone actually do this? How should organizations look at the risks from these types of "factory made" apps? Why is the 8200 unit such a big thing in the Israeli cyber scene? What types of pricing make sense for security applications that you might not own? How should the market approach the future of application security in an all cloud world? Those questions and more on this one.
An article from Recorded Future points out new legislation in North Carolina and Florida that bars state backed organizations from paying ransomware attacks. Surely that means they have their stuff on lock and have no misconfigured assets, right? Google has AI and privacy programs that seem to be intersecting and could impact all of us, and Apple is dealing with those issues as well. How do we handle this problem? According to new research from Tessian "apathy" is the biggest vulnerability for an organization, but don't we train our folks enough to mitigate that risk? Those questions and more on this episode.
Do enterprises really buy Zero Trust? How should they think about a strategic approach to a problem? What about rip and replace? Are there no-go's when it comes to working to help an enterprise adopt ZT? Where do they budget for these endeavors? Is this only a big business problem? Those questions and more on this episode.
Okta's Zero Trust study. What does it say about the market and the growth of ZT? More cyber insurance shenanigans, why does this keep coming up? Should we really use this "service"? Water treatment plant is hacked in the UK, but is it really a clear case of compromise? What happens if you try and send someone shit in a box (literally) and the service is hacked? Is that a PII violation, or HIPAA or what? How many devices are out there that are possibly exploitable right now (hint, it's a lot!)? Those questions and more on this episode.
Truths about selling into the channel market with a real expert. How should your organization go about selling to a channel? Is the market different? How can you use those partners smarter? Do you have to sell twice? What shouldn't you do to leverage that channel? How can you optimize your channel approach and force multiply your sales efforts? Those points and more on this episode!
How hard is it to find "internal use only" files with a simple crafted search? How about spreadsheets with passwords and admin logins? What should we think about this whole Trello thing? What happened when I got phished (yup, they got me). Was it even a problem? Is the national emergency alert system really vulnerable? How big does the Zero Trust market get in the next 9 years? Those points and more on this episode!
Are there potential ways to attack a nuclear site via online misconfigurations? What about water as a vital national resource, can you attack a water supply system? Or a dam? Are containers inherently secure, and does that matter when they are part of a cluster? PE firms keep buying up the security market players, is there an anti-trust issue there? Is your threat intelligence service pulling in IOCs from US Cyber Command? Was the Pelosi visit part of a cyber attack? Does that matter and is it cyberwarfare? Weak security in the system used to track organ transplant systems, that's ok right? And some points on how to stay motivated (lol) and my thoughts on dealing with trolls online. My cool new swag from Lumu and more on this episode. Check it out!
Can I find privacy violations with Shodan? What companies are using hackable unpatched SCADA systems that are misconfigured? Can we find OSINT on a company that has government contracts but is not secure? Why is phishing training still a multi-billion dollar business when a variety of reports indicate that the numbers for that "defense" don't justify that expense? Is the government really as secure as we think they are? What about finding illegal violations of compliance mandates in ICS systems? Isn't breaking the law a bad thing? Those questions and more on this podcast!
More ideas and thoughts around applying Zero Trust to cloud workloads and Kubernetes. How should we think about the inherent vulnerabilities in these application development environments? How can you secure something that only exists for minutes at a time? Can you use open source solutions to approach the problems in this space? Do developers really need to be security engineers, and should security people know how to build apps to make things more secure? Check this one out and look for a video demo on Tigera.io and their open source Calico solution soon!
Marriott got hacked again, say what? Does it mean anything? What about their fines, didn't that teach them something? Can I find vulnerable government assets that are misconfigured and make 30 grand in bug bounties in half an hour? What about cloud resources that the DoD uses? A billion records are stolen in China, what's up with that? Those questions and more on this episode!
What's up with the WAF market? Talking about how we should and shouldn't use a WAF with an expert. Is the WAF the best way to address the problems we face? Where is this market going? What about the evolution of the WAF and its place in history? And some hard questions with data to challenge why we might need to move to a new approach.
Can I find medical offices open to the internet? How hard would it be to hack them? Why is phishing training a problem for enterprises and businesses? Deepfakes and PII are being used for nefarious purposes, say what? Those points and more on this episode.
Thoughts on RSA2022. New research from Digital Shadows breaks down key areas of concern for us. I find some vulnerable databases on the web (some are "security vendors"...uh oh). We are still failing at the basics, and the password is eating our lunch, why is this still a problem? A great new blog from the S/R team at Forrester on the economy and the security market. Did AI just go sentient? Those thoughts and more on this episode!
Can an organization be compliant if they are using Slack to share files, passwords, and other critical and risky data? How does an agent-less system keep up with all of those short communications in collaboration applications? Is there more risk if we use modern applications that allow unlimited interaction and collaboration? What about business context, is there value to deciphering risk?
RSA is next week, I really need a beard trim. See y'all out there! Finding vulnerable hospital systems on the internet shouldn't be this easy, but here we go. Don't worry though, they all are HIPAA compliant lol. How powerful is PimEyes at finding images of people on the internet and how does that affect privacy and security? Should you be worried? The new Microsoft Zero Day, how bad is it? What about hacking tractors and affecting the food supply, that can't be a thing right? DHS took seven years to hire one person, yeah. Your tax dollars at work. Costa Rica ignored its own cyber defense strategy, and that worked out well right? How much money is going into the Zero Trust market? And the tech jerk of the year award goes to an absolute turd of a person. Those questions and more on this one!
Can you find vulnerable stuff online from 2003? Surely not? Uh oh. Do we need a cyber moonshot to get past the failures we face in cyber security? Is there more evidence that legislation isn't dealing with reality, and that some of our leaders are missing the point? Using your phone SIM to do MFA, good or bad? Is DuckDuckGo really a "private" browser? Those points and more on this episode.
What matters more, targeting the "asset" (tractors) or the infrastructure for John Deere? Can you overthrow a government with a ransomware attack? Why are insurers changing their approach to cyber policies and why are they raising rates? What about the NSA guidance on best practices, is it really that different? Those questions and more on this one!
Can we find vulnerable ICS and SCADA controls on the internet? What about the physical doors that are in those facilities? Have we really learned anything a year after the pipeline hack? Microsoft has put out its advice for ransomware defense, is it any good? What about F5 and its big new vulnerability, should you be worried? Why shouldn't we talk about gangs "going down" in cyber, and does that hurt or help as we deal with those threats? Those points and more on this episode!
Finding vulnerable passwords with Google dorks, it's super easy (don't do this). How many VPNs can I find that are possibly misconfigured? Why does it take a 600 million dollar hack for a company to adjust its approach to cyber? New banking legislation and rules on a 36 hour reporting mandate, good or bad? Those points and more on this episode.
What do SMBs care about in cyber? Where do they need help? How do they budget for this issue? Is there value to training, or is it better to have a technical control? What is "security theater" for businesses, and what fixes problems? Those questions and more on this episode!
Why is the government looking at legislation on "quantum security"? Can I find vulnerable systems for ICS and SCADA that have no authentication on a livestream? Does a cyber attack have the ability to stop a university from operating and put it out of business for good? What about T-Mobile's "unstoppable" phish? Should we be scared? Those questions and more on this episode.
The dog barks, like always. What is the Zero Trust market map? How about Microsoft's new CVE issue, is that something that we should have fixed years ago (the answer is hell yes). Can I find vulnerable assets with no authentication in real time? Forrester research published some great data on enterprise breach activity globally, what does it mean and how should we think about it? What about cyber and nuclear threats, do those relate? Those questions and more on this episode.
Is cyber insurance worth it? Do insurers actually know what they are doing, and why are policies not being honored? Is a strategy useful for better security and helping lower a premium? What data is being used to validate a policy, or is that even a thing? Is this a big deal for small business, or is cyber insurance better suited for enterprises? And am I wrong by saying it's a "rip off"? Those questions and more on this very cool episode.
Working with big enterprise ZT, how does one engage the leadership effectively? Is this about more tech? Who holds the keys to the kingdom on budget? Where does it make sense to start with a big-time rollout? How hard is it to get ZT in place? How long is the journey? Where does one go after they solve their first problem? And why is Sean Connery on the line for this call?
"The Devil Never Sleeps" is one of the best books out there that can help us better understand how to deal with today's never ending threats. Juliette Kayyem has done a great job of helping break down a variety of past historical issues and applied realistic and insightful ways to help her readers think more intelligently about accepting the threats and dealing with them, rather than being fearful of them. Her book is a must read, go get your copy now!
Is #zerotrust happening in Australia? What problems do the folks doing the work run into? How does he deal with the business side of the issues he faces? Where did he start? How should one go about discussing security strategy with folks that aren't in our space? And what is a no-no for getting things done when collaborating with business leaders?
What should we take from the Okta situation? More legislation to mandate training for government cyber security, really? Too many agencies are getting involved in cyber, right? What about the White House's "guidance" on the Russian threats? Deepfakes and disinformation can influence actual combat, say what? More bad hiring practices in cyber and some real issues with state and local cyber practices. Check it out!
Why isn't cyber getting any better nationally with all this legislation? How should we view CISA's new rules? What about the committees that Congress and the Senate sit on? Analysis on a deepfake that has some very interesting implications. Where can we do better?
Where can you go to learn how to "do" a deepfake, I'll tell you, but be careful. My thoughts on "getting involved in the conflict" in Ukraine from a cyber perspective. The Conti group had a leak and some great reporting was published on it, wow! Analysis on wiper malware, and the "most advanced malware ever", lol. Also, some finer points on what Zero Trust means and how to enable this strategy from a variety of vendors, and a new report on 9 steps to ZT, most of them are business related! Say what?
Zero Trust world was a blast, well done Threatlocker! Microsoft has done some great work in helping people to understand Zero Trust. Misinformation for critical infrastructure and corporate security is hard to do without a solid technology in place, especially at scale. Reference architectures for Zero Trust are available. Is the IRS the agency that can finally help with the ransomware problem and crypto crime? The Justice Department's three year plan to move to Zero Trust and how they are approaching the issue, and an example of a state and local government that is enabling Zero Trust. Check it out!
#cyberwarfare and first strike capabilities in the Ukraine conflict? Finding vulnerable SCADA and electric systems in @shodan isn't hard, how much is out there? How did the #fbi get back stolen #crypto? Should we be "afraid" of hacking and cyber threats (weird things are happening everywhere lately, are you worried)? Some tips on how to read through congressional documents that are available on the hill. Also, some pork that is being tossed into the new protecting America act that has been passed. Lastly, how should we think about getting and using threat intelligence without paying for it. Check it out!
More ways cyber insurers are getting out of paying. Two students hack a school system and ask for a job, awesome. Microsoft talks about the lack of good IAM for Azure. Google breaks down cryptojacking in its cloud. The insanity around threat intelligence and naming a threat actor group, and more on this episode.
Interesting points on a Zero Trust report by Illumio. How to stop the majority of ransomware, it's not that hard. How did we allow the US DoD to buy drone technology that was financed by China? And what about some Shodan results that we should be aware of (like a submarine)?
What is threat intelligence, and what is the value in data? Does brand defense make a difference? Do his customers worry about deepfakes? What is attack surface management and how is that market changing? And more on this episode.
The new memorandum on cyber security for the federal government and Zero Trust. Drones are used to attack an airport in the Middle East. Lawyers and cyber insurance team up as they address the issues we face in cyber, and more on this episode.
Predictions from vendors for 2022. Are the leaders on Capitol Hill actually doing anything on the cyber front? The first log4j malware attacks are showing up, what can we do? What about insider trading using hacked systems to gain a financial advantage? Those questions and more on this episode!
A look back at 2021 and the major hacks we endured. How did they happen? What should we learn? Where did it all go wrong? Can we defend ourselves from these threats in the future? Does Zero Trust really make sense?
Is disinformation actually affecting people? What is narrative intelligence? Should corporate organizations defend their brand from trolls and narrative attacks? Will this be more important in the near future?
Do the crazy valuations of companies help them or hurt them? Does big money in cyber security investing fix the problem? Why do some people continue to build businesses even after they cash out?
What can we learn from the game of golf and security strategy? What telemetry matters most? Do you practice right in cyber or in your golf game? What's your favorite course? And many more great golf analogies!
Is cyber insurance a rip off? What do insurance providers do to get out of paying their policy holders? Does cyberwar affect small businesses? Is everything of value to defend? Are humans really the biggest threat vector? Should you pay attention to a CISA advisory?
What is multi spectrum warfare? Is the US the global superpower anymore? How do state and local governments look at cyber versus federal? Will China maneuver in the next 2 years to prepare for a future war?
What does empathy really mean? How do you deal with the "brilliant jerk"? Where is the line on terminating an employee who endangers your business with bad cyber practices? Is the industry really more fair? What about sexism and privilege?
What do consumers really think about passwords? Can technology solve the problem of unsafe passwords? Where does the market go for better user access? Does cloud make a difference? And more on this episode.
Can I download and configure an SSI app during a live recording? Is SSI useful for the average consumer use case? How should we look at the combination of SSI and biometrics? Does this ultimately help kill the password?
Disinformation with lobsters? What about the Missouri Governor and "hacking" that website? Does the new ransomware plan make much difference? New threats in email from Microsoft and how do humans detect them?
How does he advise companies to select technology? What does he think about strategy? What is a non starter for him? How do board members look at cyber risk and technology expenses?
Richard Stiennon (the OG Curmudgeon) and I discuss investments and market dynamics in cybersecurity. He provides his views on a variety of topics and breaks down how he sees the market through his lens and vast experience. Check out his books and his insights on this space every chance you get!
Stealing secrets via PB&J? What is the MSSP market for ZT? When is hacking not hacking? Thoughts on the USAF Chief Software Officer's scorched earth letter, and more.
Cybersecurity awareness month at the White House, so what? Big dollars for ZT in the DoD, really? The demographics of cybercrime and what that means for the rest of us, and what about maritime cybersecurity?
Discussions on how a brand builder and designer worked to build one of the most successful brands in all of cybersecurity. How valuable is culture and leadership to a brand in the space? How do you "punch above your weight class" with marketing? And how much value is there in a simple, authentic message?
Discussions on how a big time CISO handles security for his organization. Getting executive buy in. What is a non-starter for solutions and vendors? How does his team select tooling? What is the most important thing for his global organization? These and other important questions in this episode.
Bad OPSEC on social media? Farmers COOP hit with ransomware? State government organization down for 4 months after "sophisticated" attack? What should you know about cyber insurance? Banking industry sees 1300% increase in attacks in 2021! 10 ways to avoid failing at ZT and more in this episode.
Are certifications worth it? Does school prepare the workforce for a career in cyber? What about K-12? How do we get better? What matters more being certified or time on the keyboard? Why do we have a shortage of cyber folks when the labor statistics say so many people are looking for work in technology?
Deepfakes are being used by scammers, now! What about the ZT study? Do you need more money for ZT? Is social media a valid threat vector?
Thoughts from a guy running a cyber security company on everything from growth, hiring, and how he keeps his company secure even though he knows they are a real target.
Is the new director of CISA doing the right thing? Do people really pay for ransomware keys? What about the T-Mobile hack? Is sorry good enough? What is the new method of ransomware that only encrypts part of a file?
A government and industry meeting on cyber at the White House? Why is cyber insurance such a crazy market sector? What do ransomware actors do when they get on a system? What should we learn from those tactics and how can we defend ourselves better?
Insights and knowledge with an expert on China, the CCP, and the motivations and tactics around cyber warfare operations.
MFA/2FA is no good? What about disinformation and propaganda with covid? Is your baby's camera vulnerable to the new compromise? And what do users actually think about going "around" security controls?
A conversation on Zero Trust with the person noted for coining the term and starting the ZT movement.
Was Black Hat worth the trip? No. What happens when you ransom a tractor? How big is the ZT market? Another hospital is shut down due to an attack, did patients die? What about JCDC?
Is ransomware a weapon? What do we do about these attacks? What is the task force doing about this? Do the folks on Capitol Hill get it? And that one time I got beat up by a bully...
Why does Jeff talk so fast? What's a solid 10 year prediction if there is such a thing? How should some of the major problems be solved? Will we all be unemployed after this podcast? Those items and more on this episode.
Masks everywhere at Black Hat? Why does Kaseya have a ransomware decryptor NDA? Why the lack of MFA in Twitter? Are we getting better at fixing vulnerable software? And what is the Ransomware Sheriff?
What is a Zero Trust Overlay Network? Why do people with British accents sound so smart? Is Zero Trust achievable with today's digital infrastructure? More on those topics and other interesting discussions on how to use SDN/SDP and what this all means for security practitioners.
Laws for critical infrastructure security and pipelines? A federal breach notification law? The US indicts for APT actors for hacking? An interview with a ransomware operator? Will NATO's condemnation of APT actions make a difference?
Art from @britive and Martin from @vubiquity talk about how they see access playing a key role in Zero Trust and discuss how they enable focused access controls in an on demand model.
A Congressional bill on Deepfakes? What about the trend in phishing and ransomware? Do APT nation state leaders care about our "requirements"? And what happens when a law firm sues a ransomware gang?
Some really great reports published recently on a variety of issues in cyber. Check it out.
Sandy has forgotten more about SDLC, AppSec and software security than most folks will ever know. I was very lucky to get to pick her brain for a few minutes on how this affects the software lifecycle, and discuss her thoughts on how we "shift left" on building secure code.
Some really great reports published recently on a variety of issues from leadership in cyber to how the SEC is getting involved in enforcing fines in this space. Check it out.
"Think like a hacker" with Tal Kollender from Gytpol. Check out her background and learn about what it's like to be a real woman in technology and how she looks at helping customers fix their issues and stop threats in their tracks.
Some finer points on a recent ZT EO and the new guidance, a rant on the issues that continue to plague organizations as ransomware gangs keep coming back, and my thoughts on the next generation of cyber folks coming into the workforce.
Some finer points on a recent ZT market publication, a rant on the issues that continue to plague organizations, and my thoughts on how SMBs should face this threat.
What should we think about with the most recent ransomware hacks and are we doing enough nationally to counter this threat? Also how can or should Zero Trust be part of this conversation, and what can a person in a leadership position do when faced with guaranteed failure?
This session I interviewed my intern. We talked about how our generation (the old guard) can help bring the next generation of cyber security pros into the workforce, and about how we can help them be interested and engaged during their work.