AI Cheese, CISA, Scaryware, Kimsuky Returns, Backups, Encryption, Jason Wood, and More, on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-449
Deepseek troubles, AI models explained, AMD CPU microcode signature validation, what happens when you leave an AWS S3 bucket laying around, 3D printing tips, and the malware that never was on Ethernet to USB adapters.
Show Notes: https://securityweekly.com/psw-860
In the leadership and communications segment, Cybersecurity Responsibilities Across the C-Suite: A Breakdown for Every Executive, Humble Leaders Inspire Others to Step Up, Effective Communication in the Workplace, and more!
Show Notes: https://securityweekly.com/bsw-381
From online banking to mobile payments, nearly every aspect of our financial lives relies on digital systems. This reliance has brought incredible convenience, but it also means that any disruption — whether due to cyberattacks, system failures, or operational incidents— can have severe consequences. The Digital Operational Resilience Act (DORA) provides the framework to ensure that financial entities have robust measures to withstand and recover from disruptions. By addressing vulnerabilities in this highly digitized ecosystem, DORA not only protects financial institutions but also safeguards the stability and well-being of the European society as a whole.
Madelein van der Hout, Senior Analyst at Forrester, joins Business Security Weekly to discuss why DORA is important, how prepared financial institutions are, the consequences of failing to comply, and the impact these regulations will have outside of the EU, including fines up to 2% of global annual turnover or €10 million—whichever is higher.
Show Notes: https://securityweekly.com/bsw-381
Today, we've got: DeepSeek, Nicolas Cage, OpenAI, Hackers, Ransomware, Canada, Joshua Marpet and More, on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-448
Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more!
Show Notes: https://securityweekly.com/asw-316
Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers.
Show Notes: https://securityweekly.com/asw-316
This week in the enterprise security weekly news, we discuss
All that and more, on this episode of Enterprise Security Weekly!
Show Notes: https://securityweekly.com/esw-392
This week, we've added an extra news segment just on AI. Not because we wanted to, but because the news cycle has bludgeoned us into it. My mom is asking about Chinese AI, my neighbor wants to know why his stocks tanked, my clients want to know how to prevent their employees from using DeepSeek, it's a mess.
First, a DeepSeek primer, so we can make sure all Enterprise Security Weekly listeners know what they need to know. Then we get into some other AI news stories.
I think the most interesting aspect of the DeepSeek announcements is the business/market impact, which isn't really security-related, but could have some impact on security teams. By introducing models that are cheaper to train, sell access to, and less demanding to run on systems, DeepSeek has opened up more market opportunities. That means we'll see generative AI used in markets and ways that didn't make sense before, because it was too expensive.
Another aspect that's really confusing is what DeepSeek is or does. For the most part, when someone says "DeepSeek", they could be referring to:
From a security perspective, there's little to no operational risk around downloading and using the models, though they're likely to get banned, so companies could get in trouble for using them. As for the app, API, or SaaS service, assume everything you type into them is getting collected by China (so, significantly less safe, probably no US companies should do this).
But because these services are crazy cheap right now, I wouldn't be surprised if some suppliers and third parties will start using DeepSeek - if your third party service provider is using DeepSeek behind the scenes with your data, you still have problem #2, so best to ensure they're not doing this through updated contract language and call to confirm that they're not currently doing it (can take a while to get a new contract in place).
Show Notes: https://securityweekly.com/esw-392
Celebrating and Elevating Women in Cyber: Recently, International Women in Cyber Day (September 1) highlighted the ongoing challenges women face in the cybersecurity field, as well as the progress made in recent years. Women bring exceptional skills and knowledge to cybersecurity; however, it is estimated that they make up only 20% to 25% of the cybersecurity workforce—a percentage that has remained stagnant for years. Even more concerning, women often hit a glass ceiling just six to ten years into their cybersecurity careers. Lynn Dohm sheds light on these issues and emphasizes what the industry needs to focus on to continue celebrating and elevating women in cyber.
Segment Resources:
Show Notes: https://securityweekly.com/esw-392
.ASS, Deepseek, AI Time Travel, Google, HeartBlocker, TikTok, Aaran Leyland, and More, on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-447
This week, we talked to our friends at Bitwarden about password vaults, storing more than just passwords, free software to manage those SSH keys, and vaults for developers. In the news, new/old Palo Alto vulnerabilities explained, taking down the power grid with a FlipperZero, more vulnerable bootloaders, putting garbage in your .ASS file, the US Government wants to look at routers, magic backdoors, weak password hashing, everyone is talking about Deepseek, hardware-level Anti-Virus, VMware ESXi and SSH, and if you pay the ransom you likely will not get your data back!
This segment is sponsored by Bitwarden. Visit https://securityweekly.com/bitwarden to learn more about them!
Show Notes: https://securityweekly.com/psw-859
In the leadership and communications segment, How CISOs can elevate cybersecurity in boardroom discussions, Nearly half of CISOs now report to CEOs, showing their rising influence, Steve Jobs Shared 1 Crystal Clear Way You'll Spot an Exceptional Leader, and more!
Show Notes: https://securityweekly.com/bsw-380
The last five weeks have seen a flurry of news on Artificial Intelligence, especially this last week. It started on December 17, 2024 when the Bipartisan House Task Force on Artificial Intelligence (AI) released a report on “[g]uiding principles, forward-looking recommendations, and policy proposals to ensure America continues to lead the world in responsible AI innovation.” Then a new administration, which:
The Business Security Weekly crew tries to make sense of it all.
Show Notes: https://securityweekly.com/bsw-380
DeepSeek, AIDs, Sex Crime, Microsoft, PayPal, GitHub, Joshua Marpet and More, on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-446
An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more!
Show Notes: https://securityweekly.com/asw-315
A lot of AI security boils down to the boring, but important, software security topics that appsec teams have been dealing with for decades. Niv Braun explains the distinctions between AI-related and AI-specific security as we avoid the FUD and hype of genAI to figure out where appsec teams can invest their time. He notes that data scientists have been working with ML and sensitive data sets for a long time, and it's good to have more scrutiny on what controls should be present to protect that data.
This segment is sponsored by Noma Security. Visit https://securityweekly.com/noma to learn more about them!
Show Notes: https://securityweekly.com/asw-315
In this week's enterprise security news,
All that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-391
This interview is a bit different from our norm. We talk to the founder and CEO of OpenVPN about what it is like to operate a business based on open source, particularly through trying times like the recent pandemic. How do you compete when your competitors are free to build products using your software and IP? It seems like an oxymoron, but an open source-based business actually has some significant advantages over the closed source commercial approach.
Show Notes: https://securityweekly.com/esw-391
HackerOne's co-founder, Michiel Prins walks us through the latest new offensive security service: AI red teaming.
At the same time enterprises are globally trying to figure out how to QA and red team generative AI models like LLMs, early adopters are challenged to scale these tests. Crowdsourced bug bounty platforms are a natural place to turn for assistance with scaling this work, though, as we'll discuss on this episode, it is unlike anything bug hunters have ever tackled before.
Segment Resources:
Show Notes: https://securityweekly.com/esw-391
Cursive Funk, Microsoft, Ivanti, Sonic Wall, Exchange, PowerSchool, Aaran Leyland, and More, on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-445
Andy Jaquith joins us to discuss how to prioritize vulnerabilities and remmediation in the real-world, including asset management and more! In the security news: ESP32s in the wild and security, Google oAuth flaw, DDoS targets, Ban on auto components, Bambu firmware updates, Silk Road founder is free, one last cybersecurity executive order, US Treasury hack update, Mitre launches a new program to deal with naming things, and educational content on Pornhub? (not what you think, its SFW!)
Show Notes: https://securityweekly.com/psw-858
Jeff Pollard, Vice-President, Principal Analyst on the Security and Risk Team, and Jess Burn, Principal Analyst, both from Forrester Research join Business Security Weekly to discuss the second part of The Future Of The CISO report. What if you don't like the future of the CISO role and want to get out? The report also provides guidance on what comes after the CISO role, as leaders contemplate the next step in their career. If you think it's a board role, you better know what skills are needed, as cybersecurity by itself is not enough. Join in for part 2.
Show Notes: https://securityweekly.com/bsw-379
Becoming a CISO is a lofty goal for many security and risk pros, and the role brings new sets of challenges. CISOs who accept the wrong opportunities will be forced to conform, rather than excel, and take on outsized liability for the scope of responsibilities.
Jeff Pollard, Vice-President, Principal Analyst on the Security and Risk Team, and Jess Burn, Principal Analyst, both from Forrester Research join Business Security Weekly to discuss The Future Of The CISO report. This report outlines the six most common types of CISOs based on Forrester Research and interactions with security leaders, including the characteristics and competencies of each type. This report helps security leaders define who they are, their values, and optimal situations for their skill set.
Show Notes: https://securityweekly.com/bsw-379
Smishing, Microsoft, Star Blizzard, Sneaky Log, VMARE, Josh Marpet, and more on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-444