Doug and Russ return to the stage to talk about Living with AI in the coming years and some of the impacts. Russ is always interested in modern problems and AI is probably going to be one.
Show Notes: https://securityweekly.com/vault-swn-8
I once told my college advisor that I wanted to double major in computer science and jazz performance. She laughed at me. Instead, I jumped into a career in IT and played jazz - without a degree in either. Turns out, that was fine - the industry valued experience and results over academic achievement. Today's guest has two degrees, one in fine arts, one in pre-law, and that's also fine. If there's anything I've learned in InfoSec, it's the mind that matters most, less so the degrees or certs on your wall. Angela Marafino gets cybersecurity and understands what makes it tick. Using this knowledge, she has built a personal brand, network, and career in an impressively short time. She is simultaneously mentor and mentee. Today, we'll explore Angela's path into the industry as well as some of her views on challenges, like imposter syndrome.
https://hbr.org/2021/02/stop-telling-women-they-have-imposter-syndrome
https://www.itspmagazine.com/focal-point-podcast
https://twitter.com/hackerbookclub1
Show Notes: https://securityweekly.com/vault-esw-6
Dr. Diffie is a pioneer of public-key cryptography and was VP of Information Security and Cryptography at ICANN. He is author of "Privacy on the Line: The Politics of Wiretapping and Encryption".
Show Notes: https://securityweekly.com/vault-psw-6
Doug and Russ talk about digital fingerprints, hashing, digital DNA, and passwords.
Show Notes: https://securityweekly.com/vault-swn-7
Throughout her career, Sandy Dunn has continued to mature and refine her skills. In the early days, she describes her job as a "hostage negotiator", constantly negotiating between the business teams and the security team. But as you mature, so does your approach to security. Now, Sandy talks about simplifying "knowledge management" to make it easy to understand security and becoming a "business listener" to make the right decisions.
Show Notes: https://securityweekly.com/vault-bsw-6
We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable way. Seba will explain the SAMM model, consisting of 15 security practices. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level. A the end we will cover how you can engage with the SAMM community and provide an overview of what happened at our latest SAMM User Day which happened on May 27th.
Segment Resources:
-https://www.youtube.com/channel/UCEZDbvQrj5APg5cEET49A_g
Show Notes: https://securityweekly.com/vault-asw-6
This week, in the security market, we talk about next NEXT gen anti-virus, how Okta can (apparently) do no wrong, and a VC firm imploding.
Then we discuss how smartphones and speakers are allegedly being used to spy on us, and the future of privacy and consumer tech products.
The latest SSH vuln is much less concerning than media outlets and academic researchers would have you believe. The Citrixbleed vuln, however is about as bad as vulns can get, and has led to one of the biggest US consumer breaches in a while, with Comcast/XFinity losing all customer records.
The SEC backpedals (again!) on requiring breached companies to provide details about how they got breached.
And finally, we have some fun with some squirrel stories that you should absolutely check out by going to our show notes, here: https://securityweekly.com/esw344
Show Notes: https://securityweekly.com/esw-344
Join us for our last live episode of the year as we navigate the 2023 cybersecurity landscape, covering global initiatives, deepfake concerns in the UK, NordVPN's cyber insurance expansion, China's major cyber attack on US infrastructure, successful ransomware takedowns, and the year's most bizarre scams according to Which Consumer Magazine. It's a rapid-fire exploration of the top stories shaping the digital defense narrative.
Show Notes: https://securityweekly.com/swn-351
Understanding how CyberRatings, NaaS, and SASE combine to make network security easier to buy and deploy. MEF is an industry association, providing standards, certifications, and facilitating community discussions. MEF has teamed up with CyberRatings.org to establish a certification program for SASE services, making it easier for buyers to understand what's included in SASE-related products and services.
Segment Resources:
Show Notes: https://securityweekly.com/esw-344
We're excited to give an end-of-year readout on the performance of the cybersecurity industry with Mike Privette, founder of Return on Security and author of the weekly Security, Funded newsletter. This year, this podcast has leaned heavily on the Security, Funded newsletter to prep for our news segment, as it provides a great summary of all the funding and M&A events going on each week.
In this segment, we look back at 2023, statistics for the year, comparisons to 2022, interesting insights, predictions, and more!
Segment Resources:
Show Notes: https://securityweekly.com/esw-344
AI generated description fun: "As the glasses are filled and the mood lightens, our veteran guests, each with a legendary tale or two tucked under their virtual belts, embark on a journey through the complex landscape of supply chain security. These old dogs share war stories, anecdotes, and hard-earned wisdom about the evolving challenges and threats that have shaped their illustrious careers. From the early days of computing to the present era of interconnected systems, our panelists delve into the intricacies of securing the supply chain. Expect insights on the timeless art of social engineering, the ever-expanding attack surface, and the unforeseen vulnerabilities that emerge when least expected."
Talking points:
Show Notes: https://securityweekly.com/psw-811
Firmware security is a deeply technical topic that's hard to get started in. In this episode of Below the Surface, Xeno will discuss some past work in firmware security, and how he has organized resources such as a low level timeline (with over 300 talks), and free MOOC classes, to help teach people about firmware security.
Segment Resources: https://ost2.fyi https://darkmentor.com/timeline.html
This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!
Show Notes: https://securityweekly.com/psw-811
Nagios gets a review from NCC Group, hackers hack some anti-fixing code to fix trains in Poland, abusing OAuth post-compromise, 5Ghoul flaws in 5G networks, MITRE teases a new threat model for embedded systems, a conversation on vuln scoring systems, and more!
Show Notes: https://securityweekly.com/asw-267
In the leadership and communications section, Building an Effective Information Security Strategy, What Makes a Company Great at Producing Leaders?, 80 Fun Meeting Icebreakers Your Team Will Love, and more!
Show Notes: https://securityweekly.com/bsw-332
Santa, SEC, Google, Qakbot, VMWARE, AI, Turing, Voight-Kampff, Jason Wood, and more are on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-350
Service meshes create the opportunity to make security a team sport. They can improve observability and service identity. Turning monoliths into micro services sounds appealing, but maybe not every monolith needs to be broken up. We'll also talk about the maturity and design choices that go into service meshes and when a monolith should just remain a monolith.
Segment Resources:
Show Notes: https://securityweekly.com/asw-267
Cyber has been an historically hermetic practice. A dark art. Full of mysteries and presided over by magicians both good and bad. This is a bit of an exaggeration, yet there is some truth to it. Many in our industry knew that the SEC was evaluating the role that cyber risk management and incident disclosure plays in the pricing mechanism for an equity. Many of the participants in GRC, IRM, and Cyber Risk anticipated this before the SEC had even proposed such rules. Boards, C-Suites, and Information security teams within publicly traded companies brought it up occasionally in the year preceding its adoption. Lawyers on K Street actively advocated in the press against enacting such rules, and there is still a hearty back and forth concerning the merits of SEC involvement in cyber risk. But more transparency is a very welcome development. For investors, it’s essential.
Industry veterans say that this development hearkens back to Sarbanes Oxley, which had very big implications for Governance, Risk, and Compliance. This is likely cyber risk’s SOX moment, and the drop date is December 15th of this year on all 10-K filings. The SEC will not look kindly upon boilerplate disclosures, particularly if a cyber attack with significant losses occurs. So where do you start?
This segment is sponsored by CyberSaint . Visit https://securityweekly.com/cybersaint to learn more about them!
Show Notes: https://securityweekly.com/bsw-332
On this week's news segment, we pick up where we left off with Doug running the show last week. We discuss current early stage categories, AD canarytokens, and low hanging vulns. We talk about why cybersecurity is important, but not nearly as unique or special as some might have you think. The goal of patching faster than exploits can be used - is it a fool's errand?
Also, pickleball - the country's fastest growing sport, is causing chaos across the nation.
Show Notes: https://securityweekly.com/esw-343
What is telemetry data and why is it important to cybersecurity? Why is it such a pain to collect, store and use? How do we improve our ability to gather and benefit from this data? Today, Tucker Callaway, the CEO of Mezmo joins us to answer all these questions and help us understand the future of the SIEM and other cybersecurity data tools.
Show Notes: https://securityweekly.com/esw-343
On this podcast, we've often struggled with whether or not to include stories and discussion on identity verification. Is identity verification cybersecurity proper, or cybersecurity adjacent as part of fraud prevention? As always, when we're unsure, we find folks to talk to and learn more.
Today, we'll be learning about weak points in the identity verification chain from Rob O'Farrell. He'll also be helping us to understand what identity verification is, and why it's important to cybersecurity overall. As more and more of the world is digitized (especially the lagging healthcare industry in the US), reliable identity verification seems more important every day.
Segment Resources:
Show Notes: https://securityweekly.com/esw-343
Tesla, TikTok, Karakurt, VISS, Volt Typhoon, Cozy Bear, GambleForce, Aaran Leyland, and More News on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-349
Analyzing firmware with EMBA, TinyXML, and the ugly supply chain, ignoring vulnerabilities that allow attackers to turn off your vehicle, Android lock screen bypass and running water, LogoFAIL updates, and the confusing severity, you still haven’t patched Log4Shell, the password is 123456, and an amazing Bluetooth hack that affects you!
Show Notes: https://securityweekly.com/psw-810
Mr. Sharpe is a long-time (+30 years) Cybersecurity, Governance, and Digital Transformation expert with real-world operational experience. Mr. Sharpe has run business units and has influenced national policy. He has spent much of his career helping corporations and government agencies create value while mitigating cyber risk. This gives him a pragmatic understanding of the delicate balance between Business realities, Cybersecurity, and Operational Effectiveness. He began his career at NSA, moving into the Management Consulting ranks building practices at Booz Allen and KPMG. He subsequently co-founded two firms with successful exits, including the Hackett Group (NASDAQ HCKT). He has participated in over 20 M&A transactions. He has delivered to clients in over 20 countries on 6 continents.
Show Notes: https://securityweekly.com/psw-810
Benchmarking prompt injection scanners, using generative AI to jailbreak generative AI, Meta's benchmark for LLM risks, tapping a protocol to hack Magic the Gathering, and more!
Show Notes: https://securityweekly.com/asw-266
Cybertruck, Viagra, Struts, Atlassian, Log4Shell, Pharmacies, Security Clearances, Naughty Bots, Jason Wood, and more on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-348