78 episodes • Length: 40 min • Monthly
The Real Cybersecurity Podcast decrypts the issues and business of technology security. But instead of just scaring you, these industry veterans provide real advice and analysis for organizations trying to make security real today. Hosted by Greg Young and Bill Malik.
The podcast Real CyberSecurity is created by Greg Young & Bill Malik.
Greg and Bill discuss how breach disclosure laws could play out while discussing the recent events around SUNBURST, water treatment as targets, and the critical CISO skill of just walking around and talking to people.
Bill reports that Mastodon lives on and how awful Twitter is, we talk about the SEC complaint regarding the SolarWinds CISO, and Greg reports on his Digital Fight Club experience in Dallas (and how awesome it was).
Bill and Greg nominate their candidates for biggest fails in cybersecurity in 2023 - we focus on the ideas or technologies that were hyped and just didn't deliver.
Cybersecurity for elections is likely going to be hitting the news more often. Bill and Greg discuss the big picture issues of election security, why governments struggle with election security at all (spoiler: it isn't because technology isn't available), and a brief discussion of rural and small jurisdictions.
Here's the link to the poll book systems graphic we discuss during the episode:
https://www.cyber.gc.ca/en/guidance/security-considerations-electronic-poll-book-systems-itsm10101
An update of the state of AI cybersecurity (including the hype) and a roundup of noteworthy breaches in the news. Also our thoughts on Splunk.
This week Bill and Greg dig into posture management - not the chair - but the posture of assets, people, and identities and such. We discuss why infrastructure and operating system companies won't ever make best in breed security, and why infrastructure isn't self-defending.
Discussion on risk, GRC, and 3rd party risk with former Gartner analyst who is now with Black Kite.
Greg covers the new SEC rules for disclosing cybersecurity incidents, and our celebrity reporter Bill has a brush with greatness in the personage of Jonathan Frakes.
This week in Real Cybersecurity we celebrate the 365 day countdown to Skynet, the Guidelines for the National Cybersecurity Strategy, startup funding challenges, & recent hack news including Microsoft and Revolut.
A real treat for you today, as Bill brought in his friend Spaff for a great chat.
One highlight was hearing about his newest book, Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us
Amazon link to his new book: https://a.co/d/3SCd1nG
https://en.wikipedia.org/wiki/Gene_Spafford
We discuss Bill's ugly luggage, how new entries to the cybersecurity job market are often exploited, lapsing CISSPs, what really happened around Y2K, the limitations of AI in risk management, and why declassifying in a cavalier manner is catastrophic.
Bill and Greg answer listener questions about AI. And we didn't use ChatGPT for our answers. I think.
Our roving reporter Bill gives his impressions of the RSA Conference 2023, his talk on maritime cybersecurity he delivered just an hour before our recording.
Greg asserts that without public-private partnership cybersecurity is hobbled vs the bad guys: but only if they each stay in their lanes.
Bill and Greg discuss the security aspects of AI (the 'black box' of AI is vulnerable to being manipulated or polluted, or to having biases that aren't evident to subjects), how a Bay Area bank collapse will impact cybersecurity, and Bill's visit to CERIAS' anniversary with Gene Spafford.
Bill updates us about the updates to the NIST CSF (Cyber Security Framework), and we talk about the state of ransomware.
Greg and Bill dig into the unique cybersecurity needs of FinTech, and manage to keep blockchain mentions down to a few. In the second part, a brief look at the security impact of ChatGPT and AI. Bill has a great story about naming collisions.
Bill and Greg try and unravel where the Crypto-Queen has skedaddled to, how all airline IT and cybersecurity are not equal, and how downsizing hasn't made a dent in the cybersec skills gap and people shortage.
We cover a lot of recent cybersecurity news, including AI developments, Infragard and the cyberwar part of the Russia/Ukraine war, and why it is the new era of Public-Private Partnerships.
Greg and Bill discuss options when faced with recession cuts. Cut shelfware, or a platform could be your best bet in getting rid of inefficiencies. Cuts in cybersec aren't a common thing, but even so, getting rid of inefficiencies and shelfware is a great way to improve security.
This week we talk about the issues in the wide-spread use of open source components, and what an attractive target that makes for the bad guys.
Bill educates us on satellite and control systems vulnerabilities, and we go philosophical on information theory. Sorry about the sound on one channel.
This episode we answer the question "what is the state of zero trust?", and discuss the Twitter drama, Bill's recent talk in Santa Clara on automotive cybersecurity, and what the fudge is 5.5G (spoiler - not a real thing).
Bill and Greg present their top 6 issues you'll likely come across in cybersecurity in 2023. 3 are business related, and 3 are techie.
Recent hacks of well known tech firms bring us some lessons learned. The biggest lesson is that creating a security debt often doesn't work out. Maybe a big part of our security staff shortage is we're producing the wrong kinds of security leaders, and good leaders won't go into bad security companies.
In the second half we discuss the several roles of machine learning we see today in security.
Bill gives the OneDrive screwdriver a 1 star review as a backup hammer. We discuss how this shows that consumer and enterprise security tools are different, and being good at one does not naturally mean it is good at the other - it takes a conscious effort. This leads to how moving to new buying centers takes a conscious effort, and even more so when the buying center isn't adjacent. How small and midsize companies' cybersecurity is so unique.
Bill and Greg report on what Bill saw at AWS re:Invent, and what they've heard from Black Hat/DEFCON (spoiler - nothing earth shattering). The security nonsense continues in the cryptocurrency world. Greg talks about why Continuous Assessment is the most important trend.
ICS security course tales, hacking factories, the current state sponsored landscape.
The Real CyberSecurity podcast talks suspected state-sponsored eavesdropping using equipment providers, famous incidents involving tampered devices in embassies.
Privacy and cybersecurity seem to be diverging and that has to stop.
And how awesome the cybersecurity vibe is in the US Northeast.
Bill and Greg discuss why even though blockchains have great inherent security, the businesses and applications that are using them for cryptocurrency are not. They then explore why we are planning now for Quantum Crypto, and what "Quantum Safe" means.
Bill gives a post event report on the RSA Conference.
Bill files his report from his trip to Halifax, how not all cybersec issues are technology, how outsourcing is best as a balanced approach, and how the most complex cybersecurity conversations are actually the business ones.
Bill discusses the great Microsoft report on the revealed details of the cyberwar aspects of Ukraine & Russia war, and The Countdown to Zero Day book about Stuxnet. And Greg discusses why security conferences need to change.
Greg and Bill review two pieces - Top reasons cybersec people leave their jobs by SecurityMagazine.com, and the Top 7 CyberSecurity Trends by Gartner as reported on by VentureBeat. Kudos to Peter Firstbrook for his comments that clarified the article and press release. Bill gives a really good description of the issues around Identity of Things. Greg opines we're about to enter the golden age of API richness in security, especially API-to-API.
Hacked traffic enunciator boards, the reports of the top passwords from a hack, how poor communications security is in the news for the Ukraine war, security education, and internet of things chat. And a tutorial on Mesh Cybersecurity.
Bill and Greg discuss the impact should Russia disconnect from the internet, Pi Day, Conti Ransomware group messages, and the dynamic of Ransomware - how does the war in Ukraine change ransomware now that state sponsored entities are busy?
Will Bill (not to be confused with Kill Bill, because we really like Bill) be going to prison for tax evasion? Maybe, if you believe the sketchy letter he got in the snail-mail from "The Federal Tax Authorities".
Scammers continue to evolve. They haven't gone away because they are still making money. In this episode we discuss some recent scam trends, and a case from last week of the FBI seizing billions in Bitcoin from alleged money launderers.
We're in a strange place in the cycle of Data Privacy. We give it away, but seem most concerned about it. Greg and Bill pull on some threads including social media, encryption, VPNs, and how we got here. Happy Data Privacy Week!
I think the Union of Cybersecurity Workers Local 404 says we have to talk about Log4J, except we'll discuss some different aspects of it. Avoiding holiday scams and talking to your families about them. Some positive comments about Australian cybersecurity culture.
We dip into some history of hacking and spying where the technical security and physical security were both involved. The Thing, U2 and SR71 planes, ransomware as a service, bugged embassies, ... so much to discuss! Cybersecurity companies with poor physical security are not to be trusted. Why embedding security in silicon is and will continue to be bad.
This episode we roast the continuing awfulness of companies and politicians who accuse vulnerability researchers of hacking, Bill gives a history lesson on tarry substances used on crypto boards, and how the Morris Worm changed history.
National Cybersecurity Awareness Month (NCSAM) is October! In this special week 4 of 4 (the finish line!) of NCSAM episode we are speaking to consumers and individuals about social media security. A lot of security professionals have zero social media presence, but that's not the reality for most people. You can engage without undertaking high risk, while being respectful of the privacy and security of others in your posts and feeds. Listen in and join us!
National Cybersecurity Awareness Month (NCSAM) is October! In this special week 3 of 4 of NCSAM episode we are speaking to consumers and individuals about passwords - those security things we all love to hate. But still, we have to protect them. Greg and Bill talk about some ways to make them easier to manage, and how to choose them. We also say the word entropy a lot, because it makes us sound more serious.
National Cybersecurity Awareness Month (NCSAM) is October! In this special week 2 of 4 of NCSAM episode we are speaking to consumers and individuals about device security. All your phones, TVs, routers and such. Protect yourself, and not just this month.
National Cybersecurity Awareness Month (NCSAM) is October! In this special week 1 of 4 of NCSAM episode we are speaking to consumers and individuals about surfing (the web) safely.
Some reality about security startups, the fool's gold and FOMO-stress of fame in social media and conferences for cybersecurity, some career advice, Bill has some great advice about what makes a good organization and some criteria for buying companies, and Greg points out that the difference in cybersecurity companies who have stock market success vs those whose target is making the best cybersecurity matters when you are buying stock vs buying products.
Greg and Bill talk some cybersecurity history about the Orange Book, and how fundamentally the approach to what we put security into has changed. Big IT vendors have trouble with security because it isn't their core business.
Bill and Greg cover the history of app security testing, why it is neglected, web application firewalls, code scanners, and how the devsecops loop is still mostly aspirational. Some thoughts on Zero Trust, and ... The Zachman Framework! DEFCON is here, trade show giveaways, and the most memorable celebrity keynotes.
Greg and Bill discuss, if in charge for a day, what they would change in cybersecurity to break the cycle we are in.
Greg has big issues about that meeting of CEOs concerning cybersecurity at the White House. Bill talks defect analysis. How challenging the CISO job is in government, and we salute you. AI and security clearances!
We start out with a few presentation tips, and do a status check on these unprecedented pajama-bottom wearing times. How the cybersecurity culture in companies will be different in 2022. Complexity in the new hybrid telework/in-person world will be exploited. SASE as a good tool to accommodate new business processes. What the near term of Ransomware as a service is. The biggest impact on Ransomware would be interrupting payments. We talk about our big current topics - XDR, Zero Trust, Resilience, Supply Chain, and SASE.
Balancing security education with security technology. Real risk: livestock are a bigger threat than sharks, and what about self-driving cars. The role of federal governments in tamping down ransomware activity. Small and Midsize Organization security. The dark arts of the Common Criteria and Formal Methods. Bill drives the Trolley Car in the Trolley Car Problem.
Was in-person RSAC only a year ago? Selling passwords for candy bars, thinking back to RSA 2020, the good and bad of virtual events, and green M&Ms. Virtual cybersecurity events need to be a rethinking of the event format, not the worst of both worlds. And stop recording sessions months in advance. And Zoom backgrounds.
Greg talks 6G security, allowing Bill to explain the real cybersecurity of 5G security. This leads us to the nexus with how the next gen of communications will need trustworthiness for connected cars.
Bill and Greg dissect parts of the SolarBurst and water filtration hacks, and Bill confirms that all criminals wear hoodies so Greg proposes banning hoodies. We cover the issues of Supply Chain security.
Brian Reed is proof that you can be smart, nice, a great father, and successful in security. Brian is a long time Atlantan (the city in Georgia, not the underwater one) and has been doing security at IBM, ISS, Gartner and Proofpoint. Brian talks about:
- 2021 and the nexus between the upsides of DLP and the risks to privacy and surveillance if not done right.
- Remote working and security.
- Bill's dislike of open offices.
- His experience at Gartner, overlapping with Bill and Greg. We each name the smartest non-security analyst at Gartner we worked with, and the security analyst we'd each want on an advisory day with us.
- Cities we've been stuck in.
Greg repeats his clown factory analogy. He repeats himself a lot. Bill and Brian talk about American football as an attempt to confuse Greg.
He's on LinkedIn at https://www.linkedin.com/in/brianreed/
Bill shines a flashlight on the truth about 5G radiation, and shares his chicken recipes to demonstrate the difference in spiciness. We get serious about the security relationship between IoT and 5G and why they are so closely linked. Bill says good things about Christopher Krebs. Greg explains that investors and product buyers look at security companies differently. Greg laments the greed-over-security and clown factory theory of the Bay Area security scene. Greg and Bill agree that the Atlanta and Austin areas are great security scenes.
Greg and Bill interview John Pescatore from SANS about what's going on in the whacky world of cybersecurity. We cover a lot of ground including the breadcrumbs that attackers leave, the history of SANS, what are the big topics in the SANS community, Zero Trust, supply chain security, 2FA - why isn't it standard?, bug bounty programs, and the idea for a Netflix reality series called "This Old Firewall". And how nasty online events are right now, and how to fix them.
Bill updates us on some recent threat and vulnerability reports. Greg thinks that all CIOs need an animatronic CISO hype-man, and that people would pay money to have sanctions against them announced by an evil foreign government. Our oddball segment of the day is what mugs we have on our desk. How we build and deliver a great security presentation, but we talk about when we bombed. Bill says Moby Dick, Moby, MOBI? And we can't hate Rob Lowe.
Live (virtually) from Black Hat we give an update on what is being focused on. We agree that presenting without a live audience requires a different approach than live stage presentations. Bill reaches for smelling salts when confronted with rogue industrial robots, and Greg thinks secure voting is easy. Yes, really.
Bill and Greg cover the recent Twitter breach and try to unpack what may have happened and what lessons we can learn from it. We invent a security axiom of "Occam's Younger Dumber Brother's Razor". We recount some insider cases, how too often good deeds are punished, and we give some career advice. And in what is becoming a regular segment, we disclose what we're currently reading.
We take a helicopter up a few thousand feet to suss out what cloud security is really about. What security problems does cloud fix? What security problems does it introduce? One hypothesis is that a lot of IT is unnecessarily 'custom', and so is the security with it. The reality in the world is there is still a lot of on-premises IT, multi-cloud, and shadow IT today. Bill brings up the real issues of cloud resource garbage collection and the impacts of counters, and Greg shouts out 'object re-use!' and 'Y2K!' like a crazy person.
Current events are highlighting the nasty issues around privacy and broad surveillance. As some companies announce they will no longer support certain applications of facial recognition we discuss the shift in privacy to being up to the individual.
We talk about "The Channel" during the week when Canalys releases their annual Global Cybersecurity Matrix. No not TV channels, but the channel of partners that are how cybersecurity products get from the makers to the users.
We discuss the issues of dishonesty in cybersecurity marketing, that it's OK to not speak at security conferences, a bunch of non-traditional book references for cybersecurity, and our favorite conferences. And Bill ends up in Facebook jail for crimes involving cat videos.
Bill gets thrown in Facebook jail for crimes involving cat videos. We talk about the importance of minimizing. Peak awesomeness is achieved when Bill gives us the security book recommendations from our listeners. And we lose our minds and go on a security book recommendation binge ourselves. We revisit election security. Greg has false negative brain syndrome because he gets his spies mixed up (Aldrich Ames confused with Robert Hanssen), says transitive when he meant transitory, and creatively edits Keanu Reeves' bio.
We return after Bill has recovered from a denial of service attack, and cover the basics of where MITRE ATT&CK fits into the security world, and how Greg is a fan of it after his initial skepticism. Where does IoT fit into MITRE? Bill poses a big question - is remote voting security possible? We agree that ML and AI in automated screening out of job candidates is a garbage practice, and finish up with some reading recommendations.
We kick off with much discussion on CISOs: the secrets and qualities of successful ones, where they fit into the org chart, and their role and how that has changed. XDR - what is it? We try to parse out what XDR means vs platforms, how it helps threat hunting, and how it deals with issues such as alert fatigue and obfuscation.
We also hear that Greg got a haircut from a professional stylist during an office Zoom chat (without violating lockdown) lowering his popularity with colleagues, while Bill rocks a Renaissance hat and gets into D&D.
There's a lot of discussion about webconferencing security, so we do some more! We agree on and name the must-see movie about spies, the difference between stealth and force in locks and lockpicking, attackers playing the long game, and Bill mentions the Mythical Man Month (which is not a statutory holiday).
The podcast Greg mentioned was "I Spy" by Foreign Policy.
https://open.spotify.com/show/3MOUvGwMfXnhsfUybX6vip?si=Yzf7H6qwQTC9uVpRvezo3A
This week we cover a few hot topics and it's a good one. Supply chain integrity is a big one. And we talk worst security practices. No, we aren't recommending these. We discuss about why Y2K provides us with lessons we need. Bill tells a great story about back up tape retrieval and airports, and some good advice on consequences and clear code. Greg relates the story of tampered typewriters and that he wants to visit the Kryptos statue at the CIA.
Telework is a big topic right now, and with any big topic we need to answer the questions about security. Who better to bring on and chat than John Girard? Recently retired (although up to more mischief than ever), John spent 25 years at Gartner, leading topics like SSL VPNs and mobile device management. So join John and us as we talk about telework security, but also some non-security telework advice.
In this second half of the interview we cover split tunneling, telework culture, investments in your productivity, our own experiences as long time teleworkers, the history of the Wireless Brothers, and John's friend Taylor Swift. Part 2 of 2.
Telework is a big topic right now, and with any big topic we need to answer the questions about security. Who better to bring on and chat than John Girard? Recently retired (although up to more mischief than ever), John spent 25 years at Gartner, leading topics like SSL VPNs and mobile device management. So join John and us as we talk about telework security, but also some non-security telework advice. John is famous for his elaborate Halloween displays, but we won't talk about that ... this time. Part 1 of 2.
Spring is around the corner, so when looking for a high grade fertilizer stronger than manure we decided to combine blockchain and cryptocurrency. Blockchain is great security technology, but it is usually just badly implemented or treated like magic. The anonymity and irrefutability are great features of cryptocurrency, but the evil side that stains the technology holds them back, as ransomware payouts are all made in Bitcoin. And we talk about the T word - Trust. And maple syrup. And why Keith Richards should replace Matt Damon.
Greg provides his post-RSA Conference report. We discuss the origins of worms and viruses, and continuous audit, Bill discloses his history in code testing, and why buffer overflows persist. We give a list of some cool AI-in-security use cases. There's even a SoundCloud analogy. And more!
Bill and Greg interview Richard Stiennon, who discusses his new book Security Yearbook 2020 and how it is a survey and history of the industry. We discuss how non-security CEOs fare in the security market, and why non-security companies don't lead in security. And how awesome/nasty an "I Told You So, Security Edition" book would be, how small the cybersecurity industry is, and our favorite security leaders.
His book is available here: https://www.amazon.com/dp/1945254041/ref=cm_sw_em_r_mt_dp_U_VwxxEb5J3J4CW
We don't have one of those cool discount codes, but you can say "REALCYBERSECURITY" out loud when you order it and feel better.
Backdoors, software assurance, and supply chain are big topics in cybersecurity and related. Backdoors can be intentional or just sloppy design. The concern over manufacturer added backdoors in 5G has been a political and policy issue. Bill and Greg discover a shared love of Vancouver bar bands of the 80s, and Bill plants a Beastie Boys earworm.
5G security is a real cybersecurity topic (play on words intended). It's not just a mere upgrade from 4G, like 3G to 4G was. The architecture of wireless communication is changing and driving more and different edge computing - security changes with that new reality. And if that weren't enough buzzword-bingo, IoT security will change, and so will privacy and lawful intercept.
Bill and Greg measure the cybersecurity skills gap and find out that it may be measured in units of Mismanagementograms. Bill seems to know a lot of companies in Southern New Jersey. We give some career tips for anyone looking at getting into cybersecurity. Greg mentions feral donkeys, and rants about automated HR CV filters that filter out qualified candidates. Bill and Greg give shoutouts to unrecognized heroes of IT Security who deserve awards.
Bill and Greg are not experts in Identity and Authentication Management (IAM), but they have some opinions. Why "Passwordless Authentication" isn't. The business friction that is created by lazy authentication. We cover why we should start using the approaches of threat facing security for IAM - like the data lake of XDR to spot bad things, why not a similar approach of a bunch of data to spot good people and let them in? Bill discloses his long password.
This is what the Real CyberSecurity Podcast is about. FUD-free analysis of the bigger topics in securing enterprises, with a guarantee of actionable advice in each weekly episode. Hosted by Bill Malik and Greg Young.
Bill just returned from Japan and we discuss whether there are regional differences in cybersecurity. The focus of our talk is IoT, why we are still talking about IoT security, and why the standards efforts around IoT are misplaced. It finishes up with ... gasp ... actionable advice!