In the leadership and communications section, The Board’s understanding of cybersecurity, What does your CEO need to know about cybersecurity?, As CISOs grapple with the C-suite, job satisfaction takes a hit, and more!
Show Notes: https://securityweekly.com/bsw-356
Cyber insurance underwriting is all over the map. With such a variation in application requirements, how should small and medium businesses prepare to receive the best policy for the price? Brian Fritton joins Business Security Weekly to discuss a systematic approach to preparing for cyber insurance. By working with the underwriters, this approach provides implementation guidance on the controls required to maximize your coverage, including premium discounts, higher ransomware supplements, and a reduction is deductibles. If you're struggling with cyber insurance, don't miss this interview.
Show Notes: https://securityweekly.com/bsw-356
Wir fahren auf der AutoBahn, APT 40, Meliorator, RADIUS, AT&T, Apple, Josh Marpet, and More on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-397
Bats in your headset, Windows Wifi driver vulnerabilities, Logitech's dongles, lighthttpd is heavy with vulnerabilities, node-ip's not vulnerability, New Intel CPU non-attacks, Blast Radius, Flipper Zero alternatives, will OpenSSH be exploited, emergency Juniper patches, and the D-Link botnet grows.
Show Notes: https://securityweekly.com/psw-834
In this week's enterprise security news,
All that and more, on this episode of Enterprise Security Weekly!
Show Notes: https://securityweekly.com/esw-367
I'm always thrilled to chat with ex-analysts, and Henrique Teixeira can cover a lot of ground with us on the topic of identity management and governance. The more I talk to folks about IAM/IGA, the more I'm shocked at how little has changed. If anything, it seems like we've gone backwards a bit, with the addition of cloud SaaS, mobile devices, and shadow IT. Identity is one of the most common entry points for attacks, so we've got to do better as an industry here.
We'll cover a variety of topics in this interview, including:
This segment is sponsored by Saviynt. Visit https://securityweekly.com/saviynt to learn more about them!
Show Notes: https://securityweekly.com/esw-367
Iceman comes on the show to talk about RFID and NFC hacking including the tools, techniques, and hardware. We'll also talk about the ethics behind the disclosure of vulnerabilities and weaknesses in these systems that are used in everything from building access to cars.
Segment Resources:
Show Notes: https://securityweekly.com/psw-834
Zotac, Eldorado, Donex, Qlins, Ticketmaster, AI, Physical Security, Aaran Leyland, and more, are on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-396
Sandy Carielli and Janet Worthington, authors of the State Of Application Security 2024 report, join us to discuss their findings on trends this year! Old vulns, more bots, and more targeted supply chain attacks -- we should be better at this by now. We talk about where secure design fits into all this why appsec needs to accelerate to ludicrous speed.
Segment resources
Show Notes: https://securityweekly.com/asw-290
In the leadership and communications section, Bringing the boardroom to the cyber battlefield, Navigating the CISO Role: Common Pitfalls for New Leaders, Ask Better Questions to be a Better Leader, and more!
Show Notes: https://securityweekly.com/bsw-355
Polyfill loses trust after CDN misuse, an OpenSSH flaw reappears, how to talk about secure design from some old CocoaPods vulns, using LLMs to find bugs, Burp Proxy gets more investment, and more!
Show Notes: https://securityweekly.com/asw-290
On average, CISOs manage 50-75 security products. Many of these products have either not been deployed or only partially deployed, while others overlap of products. How do CISOs effectively consolidate their products to a manageable size?
Max Shier, Chief Information Security Officer at Optiv Security, joins Business Security Weekly to discuss technology rationalization within cybersecurity. Max will discuss how to inventory your security products, identify overlap, and pick the right products for your organization.
Show Notes: https://securityweekly.com/bsw-355
Check out this interview from the SWN Vault, hand picked by main host Doug White! This segment was originally published on July 20, 2017.
Doug talks about how to count from zero to one!
Show Notes: https://securityweekly.com/vault-swn-18
Exploring the Hardware Hacking Realm with Joe Grand, AKA Kingpin
Joe Grand, also known by his hacker pseudonym "Kingpin," stands as a prominent figure in the cybersecurity landscape. With an extensive background in hardware hacking, reverse engineering, and embedded systems, Joe has carved a niche for himself as a respected authority in the field.
As a seasoned security professional, Joe has contributed significantly to the cybersecurity community through his expertise and innovation. With a career spanning decades, he has become a go-to resource for insights into the intricacies of hardware security, emphasizing the critical intersection between hardware and software vulnerabilities.
In our podcast interview, we delve into Joe's journey – from his early forays into hacking to his current role as a thought leader in cybersecurity. Gain a unique perspective on the evolving challenges faced by security professionals, especially in the context of hardware-based threats.
Joe's expertise extends beyond theoretical knowledge, as he has been actively involved in hands-on research and development. As a co-founder of Grand Idea Studio, he has played a pivotal role in developing cutting-edge hardware security tools, contributing to the arsenal of cybersecurity professionals worldwide.
Join us as we explore the world of hardware hacking, reverse engineering, and the broader cybersecurity landscape with Joe Grand. Whether you're an aspiring hacker, a seasoned security professional, or simply curious about the intricacies of cybersecurity, this podcast episode promises deep insights into the mind of a true cybersecurity luminary.
Show Notes: https://securityweekly.com/vault-psw-11
Check out this interview from the SWN Vault, hand picked by main host Doug White! This Secure Digital Life segment was originally published on March 6, 2017.
Have you ever wondered what phishing is? Do you know what spear phishing attacks are? Doug and Russ explain how to protect yourself from phishing scams in the inaugural episode of Secure Digital Life!
Show Notes: https://securityweekly.com/vault-swn-17
Check out this interview from the BSW Vault, hand picked by main host Matt Alderman! This segment was originally published on October 11, 2022.
As 2023 approaches, security leaders are hard at work preparing their budgets, identifying their projects, and setting their priorities for the next twelve months. At the same time, the growth mode days of cybersecurity spending appear to be over as budgets receive more scrutiny than ever. Join us as we discuss the pressures and problems that CISOs will encounter in 2023, and how they can best defend their cybersecurity budgets while the economy slips into a downturn.
Show Notes: https://securityweekly.com/vault-bsw-12
We've made a slight tweak to the news format, only focusing on the most interesting funding and acquisition stories. As always, you can go check out Mike Privette's Return on Security newsletter for the full list of funded and acquired companies every week.
This week, we discuss two $100M+ rounds, from Huntress and Semperis. We also discuss NetSPI's acquisition of Hubble, and the future of the CAASM market.
We focus on the important of detection engineering, echoing some of Martin Roesch's thoughts from our interview with him just before the news. One story is from the excellent DFIR report, a website and newsletter you should absolutely be subscribed to if detection engineering is important to you. The other story is from Thinkst, and showcases their ability to create file share honeypots with file listings that can now be tailored to specific industries.
We discuss the results of some polls that RSnake ran on Twitter, to get feedback from folks on what they think about these models where CISOs are reportedly getting kickbacks for buying products from companies they advise.
We also discuss the latest whistleblower insights about Microsoft and the state of security there, and the recent Polyfill.io incident that targeted over 100k websites with malware.
Finally, we spend the rest of the news segment discussing the current state of Generative AI, from our own perspectives, but also through the lens of Bruce Schneier's latest blog post, a year old post from Marc Andreesen, and a rage-fueled rant from an angry Aussie.
Don't miss the squirrel story - we highly recommend sending it to all your PhD friends (or not, if they're easily insulted and/or likely to hold a grudge).
Show Notes: https://securityweekly.com/esw-366
For decades, security teams have been focused on preventing and detecting threats, only to find themselves buried so deep in alerts, they can't detect anything at all! We clearly need a different approach, which will be the topic of our conversation today with Marty. We'll be discussing a shift in philosophy and tactics. We'll discuss whether SecOps has a hoarding problem, and possible paths out of the current situation preventing today's teams from successfully detecting attacks. Finally, we'll discuss the impact AI has on all this (if any).
Segment Resources:
Show Notes: https://securityweekly.com/esw-366
Healthcare and malware, MoveIT, Chrome won't trust Entrust, the discovery of Volt Typhoon, & more on this episode of the Security Weekly News!
Segment Resources: https://therecord.media/volt-typhoon-targets-underestimated-cisa-says
Show Notes: https://securityweekly.com/swn-395
We all might be a little worn out on this topic, but there's no escaping it. Executives want to adopt GenAI and it is being embedded into nearly every software product we use in both our professional and personal lives. In this interview, Anurag joins us to discuss how his company evaluated and ultimately integrated AI-based technologies into their products. We discuss:
Show Notes: https://securityweekly.com/esw-366
Zyxl NAS devices are under attack and the exploit is pretty simple, A new UEFI vulnerability with a name that some people don't like, that time you setup a load balancer and forgot about it, I love it when there is a vulnerability in a Wifi driver, Polyfill is filling the Internet with supply chain vulnerabilities, open source doesn't mean more secure, what happens when there is a vulnerability in your bootload, The Red Hat Linux kernel model is broken, when disclosure goes wrong, and more IoT router vulnerabilities.
Show Notes: https://securityweekly.com/psw-833
This may be controversial, however, we've been privately discussing how organizations benefit from penetration testing and vulnerability scanning. Do you still need these services as a critical part of your security program? Can't you just patch stuff that is missing patches? Tune in for a lively debate!
Show Notes: https://securityweekly.com/psw-833
Thoughts on shared responsibility models after the Snowflake credential attacks, looking at AI's current and future role in offensive security, secure by design lessons from Apple's Private Cloud Computer, and more!
Show Notes: https://securityweekly.com/asw-289
Baltimore, GPS Jammed, US bans, ARM, YouTube, Kraken and Joshua Marpet, and More, on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-394
OAuth 2.0 is more than just a single spec and it's used to protect more than just APIs. We talk about challenges in maintaining a spec over a decade of changing technologies and new threat models. Not only can OAuth be challenging to secure by default, but it's not even always inter-operable.
Segment Resources:
Show Notes: https://securityweekly.com/asw-289