Synopsis
Security. Some assembly required.
Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk.
This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise.
Read the blog > http://hp.com/go/white-rabbit
Follow along on Twitter > http://twitter.com/wh1t3rabbit
Episodes
-
DtSR Episode 186 - Becoming a CISO
22/03/2016 Duration: 42min
In this episode I posed some questions to Joey, an InfoSec professional who had recently moved into a CISO role in a Midwest retail company:
Let's talk a little bit about the background you had before walking into your first day as a CISO...
How long have you been in your role, and what do you think "so far"?
What do you think were the biggest lessons you've learned in your time as a new CISO?
What do you make of all the talk about CISO burn-out rates, and the average tenure of a CISO being less than 2 years?
What do you see as the role of the CISO in today's business climate?
How do you work with other IT leadership, and executive leadership to make your mark and do your job?
From your experience, what do you think someone who is taking a new CISO role, or thinking about doing so, should know?
-
DtSR Episode 185 - NewsCast for March 15th 2016
21/03/2016 Duration: 42min
In this episode...
The FTC is getting into providing guidance on password changes
Well OK, this isn't really guidance, it's just a blog
But - does this mean that the FTC is getting into technical guidance?
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
Dwolla hit by CFPB and fined $100,000
Who is the CFPB (Consumer Finance Protection Bureau)?
This opening sentence is crucial: "The Consumer Financial Protection Bureau (Bureau) has reviewed certain acts and practices of Dwolla, Inc. (Respondent, as defined below) and has identified the following law violations: deceptive acts and practices relating to false representations regarding Respondent’s data-security practices in violation of Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010 (CFPA), 12 U.S.C. §§ 5531(a), 5536(a)(1)"
http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf
http://blog.dwolla.com/we-are-never-done/
FTC To Study Credit Card Industry
-
DtSR Episode 184 - A CISO Post-RSA WrapUp
16/03/2016 Duration: 42min
In this episode, we wind down from RSA Conference 2016 and talk with Jonathan and Michael, both security executives and leaders at their respective companies, who were both out at RSA Conf and share with us some of their insights, lessons learned, and discuss some of the more interesting topics. Join James and me for an informative, insightful, and slightly unnerving conversation about the state of our industry. If you missed RSA Conference (or even if you were out there but wish you weren't) this is one you're going to want to listen to at least once.
-
DtSR Episode 183 - NewsCast for March 1st 2016
01/03/2016 Duration: 40min
This is RSA Conference week, so while Rafal is out in San Francisco trying to make it through another one, James and Michael break down the news events that you may have missed.
300,000 Homes affected by security alarm bug
http://www.forbes.com/sites/thomasbrewster/2016/02/17/simplisafe-alarm-attacks/#3202d4e679a3
According to Spokesperson, Alarm still alerts users' smart device when the alarm is armed or disarmed.
Device is an alerting mechanism, not a lock
Technically, we’d consider this… wait for it… a ‘detective’ control.
Appears to only intercept when the PIN is entered into the device... does this affect the case where the user arms/disarms via their device?
82 Percent of company boards are concerned about security
http://betanews.com/2016/02/29/82-percent-of-company-boards-are-concerned-about-cyber-security/
Suggests that since CISOs don’t report to the CEO/Board, the companies aren’t serious. Ridiculous.
This is myopic… Boards care. Executives care.
In security - are you perceived as a leader? Or a technica
-
DtSR Episode 182 - Apple Versus the FBI
23/02/2016 Duration: 55min
In this episode...
Michael and I moderate what turns out to be an expert-filled panel discussion on the real issues of the Apple vs FBI debate
Shawn Tuma, our favorite cyber attorney, provides expert insights into the statutes, laws and applicable legislation in this case
Dave Kennedy, Von Welch and Gary bring their technical expertise and background to discuss the issues from a technology and policy perspective
We think this is one of those landmark podcast episodes you'll want to listen to a few times. Lots of interesting content here, and we encourage you to share! Don't forget, #DtSR on Twitter!
-
DtSR Episode 181 - NewsCast for Feb 16 2016
16/02/2016 Duration: 48min
In this episode
Class action lawsuit against SuperValu dismissed
No damage (use of stolen information) so there's no case?
As time passes, risk of use of stolen data, according to judge, decreases
The precedent appears to be that in order to sue, you have to prove damage (imagine that?)
http://legalnewsline.com/stories/510661014-data-breach-class-action-against-grocery-chain-dismissed
Neiman Marcus - breached again (with another lesson this time)
http://www.bankinfosecurity.com/neiman-marcus-reports-new-breach-a-8843
So is it official, not having MFA is weak authentication?
Is someone accessing accounts through the web interface with stolen passwords a “breach”?
Encryption would have done nothing to save any of this information as it was accessed through the interface.
Did they have account lockout? What's the rest of the story here?
Hacker steals and releases information on 30,000 FBI and DHS employees
The biggest weakness is always the human who wants to be helpful
What does this mean for the enterp
-
DtSR Episode 180 - From the CISO Perspective
09/02/2016 Duration: 42min
In this episode...
Andrew discusses a few of the key challenges making it difficult for the healthcare sector right now
Robb, Andrew and Raf discuss the importance of identity in the corporate environment
Robb and Andrew give some of their wisdom for the successes and failures of CISOs (and the broader security industry)
We discuss the technical vs executive CISO approach (which is better?)
Robb and Andrew provide some unfiltered advice for CISOs and those who want to become them
Guests
Robb Reck ( @RobbReck ) - Chief Information Security Officer at Ping Identity, contributor to ISSA Denver with a long history as a successful security executive and leader.
Andrew Labbo - Drew is the CISO at Denver Health and Hospital Authority and is the owner and principal of RMHG, which offers HIPAA consulting and HIPAA advisory services. Drew has over 15 years’ experience with information security and technology and over 10 years’ experience as a Privacy and Data Security Officer. He is an expert on HIPAA Privacy and Se
-
DtSR Episode 179 - NewsCast for Feb 2nd 2016
02/02/2016 Duration: 53min
In this episode
Employees may face penalties if they misinterpret security policies?
Human behavior still seen as the biggest weakness
Employers are growing less tolerant of misbehaving employees
If you "invite a data breach" you could be held liable
http://www.welivesecurity.com/2016/01/14/employees-face-penalties-misinterpreting-security-policies/
New lawsuit filed blaming Twitter for ISIS attack
Should social media filter content from terror groups like ISIS?
Can social media companies be held liable, why or why not?
http://blogs.wsj.com/digits/2016/01/14/lawsuit-blames-twitter-for-isis-terrorist-attack/
SCADA/ICS make incident response more complicated
Typical IR activities are complicated by the nature of ICS systems
Differences are there, but strategy still possible
What is the path forward?
http://www.darkreading.com/perimeter/how-incident-response-fails-in-industrial-control-system-networks/d/d-id/1324094
Only in NYC: Dept of Consumer Affairs warns parents of baby monitor hacks
These issues s
-
DtSR Episode 178 - What Will Get Us There
26/01/2016 Duration: 56min
In this episode
What got us here - so where are we?
Where do we go, and how? (addressing stunt hacking)
We discuss how we can influence outcomes, without hand waving and endangering lives
What about truly understanding risk, versus ‘security stuff’?
Michael breaks out the “risk catnip”
Raf asks Haroon - “What are the 2-3 things security does right now, that we should just quit?”
We discuss some of the breakers that are turning into builders, and implications
With the rate of bad vastly outpacing the rate of good - what’s the solution?
Guest
Haroon Meer ( @haroonmeer ) - Haroon is an internationally acclaimed long-time industry insider and is working hard to change the "how we've always done it" dynamics. His talk "What got us here, won't get us there" is now world famous. He works over at Thinkst and does some pretty amazing things you should check out.
-
DtSR Episode 177 - NewsCast for January 19th, 2016
19/01/2016 Duration: 52min
In this episode
FTC imposes a $250,000 fine for "false advertising" of encryption
Interesting case, where there really was 'false advertising'
Would this even have been a 'security issue'?
https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled
NY wants to ban encrypted smart phone sales
Another clear case of legislators being clueless?
What about all the existing technology, and kit you can buy across state lines?
http://www.zdnet.com/article/apple-iphone-ban-new-york-looks-to-outlaw-sale-of-encrypted-smartphones/
Las Vegas casino is suing cybersecurity firm over "woefully inadequate" work
Are there ethical implications here of a competitor defining negligence?
Burden of proof is on casino to prove "woefully inadequate" - but against what standard?
Does this ultimately raise quality, price or both for IR services?
http://thehackernews.com/2016/01/casino-hacker.html
The FDA issues draft guidance of security guidelines
If everyone is doing i
-
DtSR Episode 176 - 2015 InfoSec Legal Review
13/01/2016 Duration: 01h16min
We open up our 2016 year interviewing Shawn Tuma on the show. Shawn is our legal eagle, and a regular contributor to the podcast. This episode ran a little bit long (OK a lot long) but I think you'll enjoy the show...
In this episode...
Most important cybersecurity-related legal developments of 2015
Tectonic Shift that occurred with “standing” in consumer data breach claims
Discussion of law prior to Neiman Marcus case, and post Neiman Marcus
Does this now apply to all consumer data breach cases? Immediate impact? Companies now liable?
Lesson is in seeing the trend and how incrementalism works
Regulatory Trends
FTC & SEC gave hints in 2014, post-emergence of Target details
Wyndham challenged authority – came to fruition in August 2015
SEC not far behind – significant case in September 2015
Aggressiveness of FTC is substantial – FTC v. LabMD … all over LimeWire
Officer & Director Liability
2014 – SEC Comm. fired the warning shot … pointed the finger
Shareholder derivative litigation
Indiv
-
DtSR Episode 175 - NewsCast for January 5th 2016
05/01/2016 Duration: 52min
In this episode...
Juniper has a backdoor problem
2 separate issues, auth bypass & VPN weakness
backdoor discovered in Juniper devices
lots of speculation on who put it there, but it was meant to be disguised as ‘debug code’
enterprise implications - same as before (what's the bigger picture?)
https://isc.sans.edu/forums/diary/Infocon+Yellow+Juniper+Backdoor+CVE20157755+and+CVE20157756/20521/
Iranians broke into New York dam in 2013 and “had a look around”
no direct damage done
US has largest number of ICS connected to Internet
critical infrastructure is vulnerable, being probed
this is not a ‘government problem’ - every company has some ICS on their network
http://www.theregister.co.uk/2015/12/21/iranian_hackers_target_new_york_dam/
Facebook announced it’s dumping Adobe Flash
is this a bigger deal than it sounds like
HTML5 has its own vulnerabilities and issues though… right?
*only* for videos, games still in Flash
Facebook will work with Adobe (really?) to improve security of Flash
http://www.s
-
DtSR Episode 174 - Health Check on Healthcare InfoSec
28/12/2015 Duration: 36min
In this episode...
We discuss what in the world is going on in the healthcare space, and why they’re such a target for attackers
Dustin discusses why the explosion in digitalization in health care is both amazing and terrifying
We discuss future-proofing “smart” healthcare
I stumble on “the fundamentals”
Dustin discusses the security of “data analytics” in the healthcare space
I ask how we can make health care professionals better security people, without making them security people
I ask Dustin what the healthcare industry should be doing, going forward into 2016
Guest
"Dustin" is a progressive CISO at a Fortune 250 Healthcare organization
-
DtSR Episode 173 - NewsCast for December 14th 2015
14/12/2015 Duration: 52min
In this episode...
Vizio is getting sued, over data their TVs collect?
James provided security tips on the local news station and one of those tips was around the privacy details of your gadgets
Companies need to be considering what they are doing with their data
At what point does data go from an asset to a liability? Do companies understand the difference?
http://www.consumerreports.org/lcd-led-oled-tvs/vizio-sued-for-smart-tv-data-sharing
Wyndham settles (caves to) the FTC
Agrees to legally be bound to do things they should already be doing .. ?
20 years of audits
Interesting ending to the long saga, assuming the courts approve
https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment
The US Federal Bureau of Investigation (FBI) admits to using 0day vulnerabilities
Why is anyone surprised? Goes to a question of trust, and that's it.
Are these being found anyway through programs like bug bounties?
http://searchsecurity.techtarget.com/news
-
DtSR Episode 172 - The Truth on Cyber Insurance
07/12/2015 Duration: 45min
Thanks for joining us! This is a very important episode with true experts on the topic of cyber insurance. I was lucky enough to get an attorney and a VP of an insurance firm who specialize in the topic, and their depth of knowledge and candor may shock you. The net is that cyber insurance is a positive for our industry.
In this episode..
Eran says that if you don’t do good security, the courts will frown down upon that
Keith tells us why insurance covers security, but it does not cover negligence
We start back on the discussion on the importance of knowing your critical assets
Keith discusses why the insurance market is essentially a mirror of your program
Eran talks about how his team dissects and investigates breaches to improve understanding
Keith and Eran discuss how the process of buying cyber insurance can actually lead to improved security
Guests
Eran Kahana ( https://www.linkedin.com/in/erankahana ) - Attorney, Maslon, LLP with extensive data security experience and an expert in cyber insurance m
-
DtSR Episode 171 - When the FTC Attacks
30/11/2015 Duration: 55min
In this episode I interview Mike Daugherty - author of The Devil Inside the Beltway [Amazon.com link] live from the Security Advisor Alliance first-ever Summit in Dallas, TX. Mike was kind enough to sit down with me (twice, thanks to a tech failure) and tell his absolutely surreal story of what happened to him and his company at the hands of what can only be described as an insane situation. If you own a business, or manage a business, or work in enterprise -- you need to hear Mike's story. If it wasn't documented and video recorded, you'd never believe it's true. Truth be told, I've been a supporter of the FTC as an advocate for the victims of breaches - the person whose information is stolen. After hearing Mike's story... I have had my mind completely changed.
-
DtSR Episode 170 - Minneapolis CISO Summit Roundtable 1
23/11/2015 Duration: 43min
In this episode
We start a constructive discussion addressing the problem of the ‘talent shortage’
The panel discusses the general lack of understanding of the big picture challenge from both sides: business and security
The panel discusses basic security issues in an expanding ecosystem of Internet connected things
The panel discusses some real potential solutions to our talent issue
Guests
Bryce Austin ( @BryceA )
Holly Miller ( @OPSEC_Girl )
Jeff Man ( @MrJeffMan )
Mike Kearn ( @MichaelKearn )
-
DtSR Episode 169 - NewsCast for November 16th 2015
16/11/2015 Duration: 41min
In this episode...
Is this seriously the FBI suggestion to companies hit with ransomware?
http://thehackernews.com/2015/10/fbi-ransomware-malware.html
Sets an awful precedent ... or does it?
What other options are there? Would you take this advice?
Microsoft is opening a data center in the UK ...why?
http://thehill.com/policy/cybersecurity/259656-microsoft-opens-uk-only-data-center-following-eu-ruling
Have the US spying revelations finally hit home? What about EU Safe Harbor?
What do you think, if you're a multi-national Internet company?
Is healthcare really that far behind enterprise security?
http://www.cnbc.com/2015/11/11/us-health-care-way-behind-on-data-security-says-forrester.html
Forrester calling out the healthcare sector for being far behind on security
Is there more pressure, less attention, or more legacy? (or all?)
How do you fix this situation?
Disheartening (but predictable) state of human weakness
http://www.scmagazineuk.com/many-uk-workers-willing-to-sell-their-companys-ip-study/ar
-
DtSR Episode 168 - Practical Enterprise Threat Intelligence
09/11/2015 Duration: 49min
In this episode
Rob & Liam discuss the practical applications of threat intelligence for today's enterprise
We discuss what enterprise threat intelligence really is (and also what it isn't)
We discuss the place of feeds, tools, processes and people in the mechanics of the program
We discuss the need to conduct a program-based intelligence approach for the enterprise
Guests
Liam Randall ( @hectaman ) - With a career spanning 20 years, Liam Randall has worked at every level of the information systems pipeline - from building and operating large networks, developing and maintaining large 100M+ e-commerce solutions, to designing and implementing global network security monitoring sensor grids. A frequent speaker and trainer at security conferences, Liam has trained over 1000 students on advanced incident response with a focus on leveraging the open source Bro Platform. https://www.linkedin.com/in/hectaman
Robert M. Lee ( @RobertMLee ) - Robert M. Lee is the founder and CEO at Dragos Security LLC where he
-
DtSR Episode 167 - NewsCast for Nov 2nd 2015
02/11/2015 Duration: 42min
In this episode...
Turn any old car into a "smart car" for $200 with this new miracle device
"BACKED BY FROGVENTURES, VOYOMOTIVE IS TACKLING THE BURGEONING CONNECTED-CAR SPACE"
Could be a fantastic idea
Could be an awful idea
Has anyone considered the security ramifications? What about privacy?
http://www.fastcodesign.com/3052012/this-device-will-turn-your-clunker-into-a-smart-car-for-200?utm_source#4
OMB preps cyber sprint follow-up
Michael's take on "gap focus": http://www.csoonline.com/article/2992553/security-leadership/stop-focusing-on-gaps-to-gain-influence-as-a-security-leader.html
Hoping for 75% authentication for 2FA - not exactly great
Lots of challenges here, but is this the right thing to do?
TalkTalk breached, 3 teenagers arrested, CEO goes tone deaf
CEO says they "were not legally required to encrypt client information"
Teenagers arrested in breach
The poster child for having a breach preparedness plan, before the cameras start rolling and media starts calling
https://hacked.com/british-