Synopsis
Interviews and analysis from seasoned technology journalists specialising in information security and biometrics. For: CSOs; CISOs; security, network and IT managers; researchers; academics; and, of course, hackers.
Episodes
-
CSP-0046 Governance and compliance
10/07/2017 Duration: 26min
Information security is often an afterthought in organisations’ planning and spending. And as a subset of that, Governance, Risk and Compliance (GRC) struggles to get the high-level attention it needs. In this interview, Danielle Jackson, CISO at SecureAuth, explains that the picture is improving as security issues are more commonly represented at board level through the appointment of C-level executives with responsibility in these areas.
-
CSP-0045 Securing health data
02/07/2017 Duration: 29min
Healthcare organisations are under attack, facing threats ranging from data breaches to ransomware. At the same time, they are responsible for the care of large amounts of personally identifiable information (PII), and data doesn’t get much more personal than when it involves medical records. To complicate matters, medical practices of all kinds, from GP surgeries to hospitals, are increasingly dependent on technology to operate – something that has made them high-profile targets. In this interview, Niall MacLeod of Anomali talks about the kinds of attacks this sector has seen and why they’re happening.
-
CSP-0044 Benefits of blockchain
16/05/2017 Duration: 29min
If your image of blockchain technology is entirely linked to crypto-currencies like Bitcoin, think again. Patrick Hubbard of SolarWinds explains that the distributed ledger approach of blockchain has applications far beyond payments and financial services. The assurance provided by a shared record, cryptographically certified, is that it offers a high level of trust and authentication without requiring a central authority. This could have benefits in areas as diverse as gem sales and the aerospace supply chain. And it's shaking off its 'do it yourself' image. With leading organisations offering blockchain as a service, enterprises are finally understanding how it fits into their information structure.
-
CSP-0043 Threat Hunting
12/05/2017 Duration: 29min
Do you worry that there are bad people accessing your networks? If you think your systems have already been compromised you're going to want to know how and by how much. In this interview, Peter Cohen at MWR Countercept explains the art of threat hunting - a proactive rather than reactive approach that doesn't rely on the attacker tripping alarms. In fact, he explains, you assume that your adversary is too clever for your normal defences, such as firewalls, IDS and SIEMs. So you go looking for the weaknesses in your systems that the attacker has used. This requires an understanding of the attacker mindset and a skillset that is currently in short supply.
-
CSP-0042 Securing smaller businesses
26/08/2016 Duration: 27min
Do too many small and medium-size enterprises (SMEs) believe that security is something only big firms need to worry about? In this interview, Colin Tankard, managing director of Digital Pathways, explains that, indeed, many firms believe themselves to be too small and uninteresting to attract the attention of hackers. This is in spite of endless headlines about breaches and warnings from industry and government bodies about the business impact of an attack.
-
CSP-0041 The battle for privacy
25/06/2016 Duration: 26min
Privacy in the digital realm has become a hot topic. There has always been a debate about to what degree law enforcement and intelligence agencies should be allowed to snoop on what many of us would consider private communications. But that discussion became supercharged following the leaks by Edward Snowden and seems to be coming to a head, not least with recent court battles between Apple and the FBI. In this interview, Javvad Malik of AlienVault shares his thoughts about the issues being raised by the fight between tech companies and the authorities.
-
CSP-0040 Exploiting security data
24/06/2016 Duration: 24min
Is the concept of 'defence in depth' outdated? In this interview, Matt Alderman of Tenable Network Security explains that, while organisations may have a lot of security solutions - such as firewalls, intrusion detection and anti-malware - they're not necessarily using the systems in the most effective way. Rather than just dump the information these point solutions give you into a Security Information and Event Management (SIEM) system, hoping you can make sense of it, maybe it's time to adopt 'big data' methods.
-
CSP-0039 Open source security
22/04/2016 Duration: 22min
A large proportion of software development relies on open source frameworks and libraries. But vulnerabilities like Shellshock and Heartbleed have tarnished the reputation of open source code. In this interview, Patrick Carey of Black Duck explains how organisations can continue to benefit from the power and speed of implementation that open source code has to offer, while also ensuring their own safety. Through the careful use of shared sources of vulnerability data - and especially by collaborating in open source development - developers can use open source libraries and frameworks to the full without unnecessarily exposing themselves to danger.
-
CSP-0038 Security Operations Centres
14/04/2016 Duration: 23min
Many organisations are centralising and concentrating their cyber-security efforts in Security Operation Centres (SOCs). The aim is to provide a more coherent and comprehensive view of the organisation’s networks, and enable a focused and timely response in the event of an attack. But are they doing it right? And will these SOCs bring the benefits that organisations imagine they will? In this interview, Luke Jennings at Countercept by MWR InfoSecurity explains that running an effective SOC means having the right data - and the right people.
-
CSP-0037 Healthcare apps
11/04/2016 Duration: 31min
Mobile apps have become a focus for cyber-criminals – and that's bad enough. But when the apps that are stealing your personal information are also handling your healthcare data, that adds an extra sense of urgency to the problem. Stephen McCarney of Arxan Technologies explains how a recent analysis of healthcare apps found many of them to have serious flaws. And one of the most worrying is a lack of binary code protection, which could lead to trojanised apps.
-
CSP-0036 Securing the Internet of Things
09/04/2016 Duration: 29min
The Internet of Things (IoT) is already a reality - but is anyone giving proper thought to security? In this interview, Cesare Garlati of the prpl Foundation explains how challenging it can be to add security to embedded devices. And he argues that virtualisation technologies, using a thin hypervisor layer, can provide the secure boot and root of trust needed to ensure that only genuine code gets run.
-
CSP-0035 Security guarantees
12/02/2016 Duration: 20min
When you buy a security product or service, why doesn't it come with a money-back guarantee should you get hacked? Jeremiah Grossman, founder of WhiteHat Security, thinks that it should. He believes that the risks and vulnerabilities in certain areas of IT security are so well understood, and can be tested to such a reasonable degree, that it makes sense for security firms to offer guarantees.
-
CSP-0034 Application vulnerabilities
11/02/2016 Duration: 19min
Web application frameworks are now mature and sophisticated. But are too many developers depending on them too much to provide security for web applications? Sasha Zivojinovic of Context Information Security believes that developers don't always understand how user-provided data is going to be used within the application, and this can make them highly vulnerable.
-
CSP-0033 DDoS and information security
26/11/2015 Duration: 22min
Organisations usually view distributed denial of service (DDoS) attacks as an availability problem, often linked to extortion. But as Dave Larson of Corero Network Security explains in this interview, they are increasingly being used as part of multi-vector attacks designed to steal your data. And they are becoming easier to mount, putting them within reach of all kinds of malicious actors, from nation states down to individuals.
-
CSP-0032 Attacking smart buildings
06/11/2015 Duration: 21min
The Internet of Things is finally here and one manifestation is the 'smart' building. But as physical and data security converge, and more and more systems acquire web interfaces, are we simply opening up ever more systems to attack? In this interview, Colin Tankard of Digital Pathways explains how building systems lack common protocols and have often been developed with no consideration for security issues.