Doug and the Security Weekly crew talk about vulnerabilities, are we patching the right things? This is the burning question. We will try to answer it. Segment Resources: https://blog.sonicwall.com/en-us/2024/04/patch-tuesday-which-vulnerabilities-really-need-prioritizing/ Segment description coming soon!The Crowdstrike incident: what happened and what we can do better, people forget what 0-Day really means, shutting off the heat in January, honeypot evasion and non-functional exploits, what not to use to read eMMC, what if we don't patch DoS related vulnerabilities, a CVSS 10 deserves its own category, port shadow attacks, IPC and DBUS and a very informative and entertaining article, container breakouts, when you are bored on an airplane, Linksys security violations, fake IT workers, Telegram 0-day, and how to be more resilient on the same technology stack! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-836

Elon's Killer Robots, Crowdstrike and More Crowdstrike, Southwest, Play, FrostyGoop, Josh Marpet, and more, on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-400

Generative AI has produced impressive chatbots and content generation, but however fun or impressive those might be, they don't always translate to value for appsec. Allie brings some realistic expectations to how genAI is used by attackers and can be useful to defenders. Segment resources: https://www.forrester.com/blogs/generative-ai-will-not-fulfill-your-autonomous-soc-hopes-or-even-your-demo-dreams/ https://www.forrester.com/blogs/top-5-things-you-need-to-know-about-how-generative-ai-is-used-in-security-tools/ https://www.forrester.com/blogs/the-blob-is-poisoning-the-security-industry/ SAPwned demonstrates tenets of tenant isolation, a weak login flow puts Squarespace domains at risk, how AIs might (or might not) be useful for fixing code, getting buy-in for infosec investments, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-292

Back in April, we covered a story on episode #348 titled "CISO-CEO communication gaps continue to undermine cybersecurity". In that article, Sumedh Thakar, the CEO at Qualys, stated "CISOs must translate technical risks into business impact for CEOs." But he didn't say how. So, we invited him on the show to explain. In this episode, Sumedh walks us through real life interactions with his CISO and Board and explains why security needs to be communicated in business terms. Security is a risk management discipline. No one understand that more than Jeff Recor. Jeff has built risk management practices for Deloitte, Grant Thornton, and Accenture and has recently formed his own risk consulting practice. In this unscripted interview, Jeff will share his insights on the evolution of security as a risk management discipline, what CEOs and Boards really need, and how CISOs can be successful as a business leader. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-357

In this episode of Security Weekly News, Dr. Doug White and Josh Marpet delve into the widespread impact of the recent CrowdStrike and Microsoft technical issue, which disrupted various industries, including airlines, DMVs, and hospitals. They discuss the interconnectedness of modern systems, the reliance on automatic updates, and the critical need for thorough testing and third-party risk management. Emphasizing the importance of understanding and planning for system failures, the hosts highlight the necessity for comprehensive inventories, continuous monitoring, and robust backup plans to ensure business continuity and resilience. Tune in for expert insights into mitigating the significant consequences of system failures. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-399

In this episode of Enterprise Security Weekly, we revisit the insightful book "Jump-start Your SOC Analyst Career" with authors Jarrett Rodrick and Tyler Wall, exploring updates on career paths, opportunities, and the industry's reality. We delve into the myths versus the truths about cybersecurity careers, discussing the viability of high salaries and the best entry points into the field. Next, we tackle the critical issues plaguing the cybersecurity industry despite its rapid growth and increased influence at the board level. We ask why, despite ample resources, are failures more prevalent than ever? Lastly, we cover significant news in enterprise security, including the rumored historic acquisition of Wiz by Google, recent company acquisitions, and the evolving concept of shared responsibility in cybersecurity. Join us for a comprehensive discussion that spans career guidance, industry analysis, and the latest news in enterprise security. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-368

Thinking about getting a 3D printer or have one and need a good primer? Check out this segment, we live 3D print a Captain Crunch whistle and talk all about 3D printing for hackers! Segment Resources: Slides used in this segment: https://files.scmagazine.com/wp-content/uploads/2024/07/3D-Printing-for-Hackers.pdf Major 3D Printer Websites: https://vorondesign.com/ https://www.prusa3d.com/ https://www.creality.com/ https://bambulab.com/ https://elegoo.com Major 3D File libraries: https://printables.com (Prusa) https://thingiverse.com https://thangs.com https://makerworld.com (Bambu Labs) https://cults3d.com Youtube Channels: Uncle Jessy CnC Kitchen The Edge of Tech Makers Muse Find new flaws in UEFI using STASE, combining vulnerabilities to exploit Sonicwall Devices, remote BMC exploits, Netgear patches, and not a lot of information, 22 minutes before exploited, if the secrets were lost, we'd all be in screwed, Exim has not been replaced by something better and its vulnerable, CISA's red team reports, and attackers use drivers to attack EDR, the saga continues! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-835

Floppy Disks, Exim, Kaspersky, Darkgate, AT&T, Josh Marpet, and more are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-398

How can LLMs be valuable to developers as an assistant in finding and fixing insecure code? There are a lot of implications in trusting AI or LLMs to not only find vulns, but in producing code that fixes an underlying problem without changing an app's intended behavior. Stuart McClure explains how combining LLMs with agents and RAGs helps make AI-influenced tools more effective and useful in the context that developers need -- writing secure code. Cloudflare's 2024 appsec report, reasoning about the Cyber Reasoning Systems for the upcoming AIxCC semifinals at DEF CON, lessons in secure design from post-quantum cryptography, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-291

Cyber insurance underwriting is all over the map. With such a variation in application requirements, how should small and medium businesses prepare to receive the best policy for the price? Brian Fritton joins Business Security Weekly to discuss a systematic approach to preparing for cyber insurance. By working with the underwriters, this approach provides implementation guidance on the controls required to maximize your coverage, including premium discounts, higher ransomware supplements, and a reduction is deductibles. If you're struggling with cyber insurance, don't miss this interview. In the leadership and communications section, The Board’s understanding of cybersecurity, What does your CEO need to know about cybersecurity?, As CISOs grapple with the C-suite, job satisfaction takes a hit, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-356

Wir fahren auf der AutoBahn, APT 40, Meliorator, RADIUS, AT&T, Apple, Josh Marpet, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-397

I'm always thrilled to chat with ex-analysts, and Henrique Teixeira can cover a lot of ground with us on the topic of identity management and governance. The more I talk to folks about IAM/IGA, the more I'm shocked at how little has changed. If anything, it seems like we've gone backwards a bit, with the addition of cloud SaaS, mobile devices, and shadow IT. Identity is one of the most common entry points for attacks, so we've got to do better as an industry here. We'll cover a variety of topics in this interview, including: Why Henrique chose to go to Saviynt from Gartner Vendor risk concentration in identity Resilience in identity, especially when depending on a SaaS IdP Identity attack evolution (and the creation of the ITDR category) What's working in identity to move things forward, and what is holding us back This segment is sponsored by Saviynt. Visit https://securityweekly.com/saviynt to learn more about them! In this week's enterprise security news, Seed rounds are getting huge Lots of funding for niche security vendors Rapid7 acquires Noetic Cyber but Rapid7 is also rumored to sell itself! Slack battles infostealers The loss of Chevron deference impacts cyber Should cybersecurity put up a no vacancy sign? Figma and Google both make some embarrassing mistakes The RockYou2024 file does NOT contain 10 billion passwords I introduce a new news category: AI indegestion All that and more, on this episode of Enterprise Security Weekly! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-367

Bats in your headset, Windows Wifi driver vulnerabilities, Logitech's dongles, lighthttpd is heavy with vulnerabilities, node-ip's not vulnerability, New Intel CPU non-attacks, Blast Radius, Flipper Zero alternatives, will OpenSSH be exploited, emergency Juniper patches, and the D-Link botnet grows. Iceman comes on the show to talk about RFID and NFC hacking including the tools, techniques, and hardware. We'll also talk about the ethics behind the disclosure of vulnerabilities and weaknesses in these systems that are used in everything from building access to cars. Segment Resources: Youtube channel - https://www.youtube.com/@iceman1001 Proxmark3 forums - http://www.proxmark.org/forum/index.php Proxmark3 Repository - https://github.com/rfidresearchgroup/proxmark3 Awesome RFID talks - https://github.com/doegox/awesome-rfid-talks Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-834

Sandy Carielli and Janet Worthington, authors of the State Of Application Security 2024 report, join us to discuss their findings on trends this year! Old vulns, more bots, and more targeted supply chain attacks -- we should be better at this by now. We talk about where secure design fits into all this why appsec needs to accelerate to ludicrous speed. Segment resources https://www.forrester.com/blogs/ludicrous-speed-because-light-speed-is-too-slow-to-secure-your-apps/ They're also conducting a survey on how orgs use Top 10 lists. Provide your response at https://forrester.co1.qualtrics.com/jfe/form/SV_9Z7ARUQjuzNQf0q Polyfill loses trust after CDN misuse, an OpenSSH flaw reappears, how to talk about secure design from some old CocoaPods vulns, using LLMs to find bugs, Burp Proxy gets more investment, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-290

Zotac, Eldorado, Donex, Qlins, Ticketmaster, AI, Physical Security, Aaran Leyland, and more, are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-396

On average, CISOs manage 50-75 security products. Many of these products have either not been deployed or only partially deployed, while others overlap of products. How do CISOs effectively consolidate their products to a manageable size? Max Shier, Chief Information Security Officer at Optiv Security, joins Business Security Weekly to discuss technology rationalization within cybersecurity. Max will discuss how to inventory your security products, identify overlap, and pick the right products for your organization. In the leadership and communications section, Bringing the boardroom to the cyber battlefield, Navigating the CISO Role: Common Pitfalls for New Leaders, Ask Better Questions to be a Better Leader, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-355

Check out this interview from the SWN Vault, hand picked by main host Doug White! This segment was originally published on July 20, 2017. Doug talks about how to count from zero to one! Show Notes: https://securityweekly.com/vault-swn-18

Exploring the Hardware Hacking Realm with Joe Grand, AKA Kingpin Joe Grand, also known by his hacker pseudonym "Kingpin," stands as a prominent figure in the cybersecurity landscape. With an extensive background in hardware hacking, reverse engineering, and embedded systems, Joe has carved a niche for himself as a respected authority in the field. As a seasoned security professional, Joe has contributed significantly to the cybersecurity community through his expertise and innovation. With a career spanning decades, he has become a go-to resource for insights into the intricacies of hardware security, emphasizing the critical intersection between hardware and software vulnerabilities. In our podcast interview, we delve into Joe's journey – from his early forays into hacking to his current role as a thought leader in cybersecurity. Gain a unique perspective on the evolving challenges faced by security professionals, especially in the context of hardware-based threats. Joe's expertise extends beyond theoretical knowledge, as he has been actively involved in hands-on research and development. As a co-founder of Grand Idea Studio, he has played a pivotal role in developing cutting-edge hardware security tools, contributing to the arsenal of cybersecurity professionals worldwide. Join us as we explore the world of hardware hacking, reverse engineering, and the broader cybersecurity landscape with Joe Grand. Whether you're an aspiring hacker, a seasoned security professional, or simply curious about the intricacies of cybersecurity, this podcast episode promises deep insights into the mind of a true cybersecurity luminary. Show Notes: https://securityweekly.com/vault-psw-11

Check out this interview from the SWN Vault, hand picked by main host Doug White! This Secure Digital Life segment was originally published on March 6, 2017. Have you ever wondered what phishing is? Do you know what spear phishing attacks are? Doug and Russ explain how to protect yourself from phishing scams in the inaugural episode of Secure Digital Life! Show Notes: https://securityweekly.com/vault-swn-17

Check out this interview from the BSW Vault, hand picked by main host Matt Alderman! This segment was originally published on October 11, 2022. As 2023 approaches, security leaders are hard at work preparing their budgets, identifying their projects, and setting their priorities for the next twelve months. At the same time, the growth mode days of cybersecurity spending appear to be over as budgets receive more scrutiny than ever. Join us as we discuss the pressures and problems that CISOs will encounter in 2023, and how they can best defend their cybersecurity budgets while the economy slips into a downturn. Show Notes: https://securityweekly.com/vault-bsw-12

Healthcare and malware, MoveIT, Chrome won't trust Entrust, the discovery of Volt Typhoon, & more on this episode of the Security Weekly News! Segment Resources: https://therecord.media/volt-typhoon-targets-underestimated-cisa-says Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-395

We all might be a little worn out on this topic, but there's no escaping it. Executives want to adopt GenAI and it is being embedded into nearly every software product we use in both our professional and personal lives. In this interview, Anurag joins us to discuss how his company evaluated and ultimately integrated AI-based technologies into their products. We discuss: What to be aware of when deploying GenAI Key use cases and successes organizations are having with GenAI Some of the risks to be aware of How to prepare employees for GenAI Best practices to prepare for evolving threats For decades, security teams have been focused on preventing and detecting threats, only to find themselves buried so deep in alerts, they can't detect anything at all! We clearly need a different approach, which will be the topic of our conversation today with Marty. We'll be discussing a shift in philosophy and tactics. We'll discuss whether SecOps has a hoarding problem, and possible paths out of the current situation preventing today's teams from successfully detecting attacks. Finally, we'll discuss the impact AI has on all this (if any). Segment Resources: Why It’s Time to Evolve from Threat-centric to Compromise-centric Security Evolve from Threat-Centric to Compromise-Centric Security How to Close the Visibility Gaps Across Your Multi-Cloud Environment Defend HPC Data Centers with Frictionless Security & Observability We've made a slight tweak to the news format, only focusing on the most interesting funding and acquisition stories. As always, you can go check out Mike Privette's Return on Security newsletter for the full list of funded and acquired companies every week. This week, we discuss two $100M+ rounds, from Huntress and Semperis. We also discuss NetSPI's acquisition of Hubble, and the future of the CAASM market. We focus on the important of detection engineering, echoing some of Martin Roesch's thoughts from our interview with him just before the news. One story is from the excellent DFIR report, a website and newsletter you should absolutely be subscribed to if detection engineering is important to you. The other story is from Thinkst, and showcases their ability to create file share honeypots with file listings that can now be tailored to specific industries. We discuss the results of some polls that RSnake ran on Twitter, to get feedback from folks on what they think about these models where CISOs are reportedly getting kickbacks for buying products from companies they advise. We also discuss the latest whistleblower insights about Microsoft and the state of security there, and the recent Polyfill.io incident that targeted over 100k websites with malware. Finally, we spend the rest of the news segment discussing the current state of Generative AI, from our own perspectives, but also through the lens of Bruce Schneier's latest blog post, a year old post from Marc Andreesen, and a rage-fueled rant from an angry Aussie. Don't miss the squirrel story - we highly recommend sending it to all your PhD friends (or not, if they're easily insulted and/or likely to hold a grudge). Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-366

This may be controversial, however, we've been privately discussing how organizations benefit from penetration testing and vulnerability scanning. Do you still need these services as a critical part of your security program? Can't you just patch stuff that is missing patches? Tune in for a lively debate! Zyxl NAS devices are under attack and the exploit is pretty simple, A new UEFI vulnerability with a name that some people don't like, that time you setup a load balancer and forgot about it, I love it when there is a vulnerability in a Wifi driver, Polyfill is filling the Internet with supply chain vulnerabilities, open source doesn't mean more secure, what happens when there is a vulnerability in your bootload, The Red Hat Linux kernel model is broken, when disclosure goes wrong, and more IoT router vulnerabilities. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-833

Baltimore, GPS Jammed, US bans, ARM, YouTube, Kraken and Joshua Marpet, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-394

With 71% of web traffic coming from API calls last year and the average organization maintaining 613 API endpoints, a robust strategy is needed to protect APIs against automated threats and business logic attacks. Tune in as Luke Babarinde, Global Solution Architect, shares the key steps to building a successful API security strategy. This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about them! In the age of AI, driving a business forward requires balancing three very significant considerations: growth through innovation, productivity through operational efficiency, and trust through security. To better understand how AI impacts the intersection of security, innovation, and operational efficiency, Okta commissioned an AlphaSights survey of 125 executives across three regions, targeting the decision-makers typically tasked with helming those efforts at companies: CSOs/CISOs for their focus on security CTOs for their focus on innovation CIOs for their focus on operational efficiency Bhawna Singh, Chief Technology Officer at Okta, is here to discuss the results. Segment Resources: www.okta.com/resources/whitepaper-ai-at-work-report/ www.okta.com/blog/2024/06/ai-at-work-2024-a-view-from-the-c-suite/ This segment is sponsored by Okta. Visit https://www.securityweekly.com/okta to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-354

OAuth 2.0 is more than just a single spec and it's used to protect more than just APIs. We talk about challenges in maintaining a spec over a decade of changing technologies and new threat models. Not only can OAuth be challenging to secure by default, but it's not even always inter-operable. Segment Resources: https://oauth.net/2.1 https://oauth.net/specs/ https://oauth2simplified.com/ https://oauth.net/2/dpop/ https://oauth.net/2/oauth-best-practice/ https://oauth.net/fapi/ https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API Thoughts on shared responsibility models after the Snowflake credential attacks, looking at AI's current and future role in offensive security, secure by design lessons from Apple's Private Cloud Computer, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-289

Traditional approaches to access management are no longer sufficient to safeguard enterprise security. Tim will explain why the most effective approach to modern enterprise security requires a Zero Trust model that extends beyond just access to encompass every action, no matter how minor. Tim will describe the importance of implementing a Zero Trust framework that evaluates each command, query, and configuration change in real-time, and how that delivers the most effective and complete security solution. Doing so involves the application of fine-grained authorization policies that adapt to the context of the user, the sensitivity of the action, and the prevailing threat landscape. Segment Resources: https://www.strongdm.com/blog/pam-was-dead-strongdm-just-brought-it-back-to-life https://www.strongdm.com/whitepaper/technical-overview This segment is sponsored by StrongDM. Visit https://securityweekly.com/strongdmidv to learn more about them! Traditional IGA solutions are not risk-focused by design, and as audit and compliance focus continues to expand beyond core ERP systems and into line of business apps and point solutions, organizations must plan holistically how to address risk across their application landscape. It’s never too late to start kicking off your risk reduction journey, and utilizing an innovative, unified platform for both identity and access risk governance has significant, compounding benefits and helps organizations realize faster time to value, lower TCO and longer term consistent risk exposure reduction. Ensuring access to all of your business-critical applications is provisioned seamlessly, efficiently, and cost-effectively while meeting risk, audit and compliance requirements should be the primary goal of any identity and access risk governance solution implementation. Segment Resources: https://get.pathlock.com/demo-sem-kuppingercole-access-control-tools-multi-vendor-lob https://pathlock.com/learn/access-provisioning/ https://pathlock.com/compliant-provisioning-copy/ https://pathlock.com/learn/what-is-identity-governance-and-administration/ https://pathlock.com/distressed-iga-deployments/ This segment is sponsored by Pathlock. Visit https://securityweekly.com/pathlockidv to learn more about them! Remote identity verification is one of the biggest challenges in the digital age, especially with the use of AI-generated deepfakes which are now impossible to distinguish from real imagery with the human eye. AI-powered biometrics have emerged as the most robust defense against deepfakes - and therefore, the only reliable method for remote identity verification. Segment Resources: iProov.com https://www.iproov.com/ iProov Threat Intelligence Report 2024: The Impact of AI on Remote Identity Verification - https://www.iproov.com/reports/iproov-threat-intelligence-report-2024 This segment is sponsored by iProov. Visit https://securityweekly.com/iproovidv to learn more about them! The criminal opportunity shaping the landscape today and how authoritative, accurate and automated processes are helping others increase their conversion rates by 20% while preventing 99% of all fraudulent attempts. What is the Criminal Opportunity facing us all right now? Data breaches and mail theft have resulted in a record level of available compromised Identity Information, payment information, and login information and even stolen checks. It has been said that ’At this point, all of our information is out on the dark web and it's now just a matter of when is it going to be used against us.’ Combined with inadequate fraud strategies, fraudsters have the key to the castle, it’s a perfect scenario of having the answers to the quiz ahead of time. This segment is sponsored by Intellicheck. Visit https://securityweekly.com/intellicheckidv to learn more about them! Show Notes: https://securityweekly.com/vault-esw-14

Check out this interview from the SWN Vault, hand picked by main host Doug White! This Secure Digital Life segment was originally published on June 19, 2018. This week, Doug and Russ interview Matthew Silva, President and Founder of the Cybersecurity and Intel Club at Roger Williams University! They talk about majoring in Cybersecurity vs. Computer Science, gaining experience vs. book learning, and more on this episode of Secure Digital Life! Show Notes: https://securityweekly.com/vault-swn-16

FIDO security keys are not new in the authentication workflow. They have been around now for 10 years. What is new is the combination of the most secure multi-factor authentication method not only for logical but also for physical access control with the highest FIPS140-3 security certification in the market. Segment Resources: Video "Swissbit iShield Key Pro: Protecting Digital Identities" https://www.youtube.com/watch?v=kxtqOyZ6e80 This segment is sponsored by Swissbit. Visit https://securityweekly.com/swissbitidv to learn more about them! While AI artificial intelligence is up-and-coming, automating your organization's PKI infrastructure is very much a reality, and can help save your IT team on hardware costs and employee costs in the long term. Additionally, a powerful PKI-as-a-Service solution provides the cryptoagility your organization can rely on as artificial intelligence, post-quantum computing, and shortened certificate validity periods become reality. This segment is sponsored by HID. Visit https://securityweekly.com/hididv to learn more about them! Cyberattacks, fraud and breaches, we’ve all studied them, and we are all aware that identity is under attack. And if we thought it was bad up until now, we haven't fully seen the impact of GenAI based identity attacks. Going beyond just Deepfakes, GenAI-powered malicious services such as FraudGPT, lets novices craft targeted and sophisticated attacks that bypass common IAM and security controls. Identity and security leaders must brace themselves for an increase in the volume, velocity and variety of attacks ("the three V's:). In this talk, former Gartner analyst David Mahdi and CIO of Transmit Security cover what you need to know about GenAI these attacks, and what you can do about it. Specifically, the types of attacks fraudsters are conducting across the identity lifecycle, insight into their tactics and services, and finally recommendations for a path forward. This segment is sponsored by Transmit Security. Visit https://securityweekly.com/transmitidv to learn more about them! Show Notes: https://securityweekly.com/vault-esw-13

Log4j, solar winds, tesla hacks, and the wave of high profile appsec problems aren’t going to go away with current approaches like SAST and SCA. Why? They are: -40 years old, with little innovation -Haven’t solved the problem. In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different: -Prove bugs, rather than trying to list all of them. -Zero false positives, which leads to better autonomy. Segment Resources: Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them Example vulns discovered: https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot https://github.com/forallsecure/vulnerabilitieslab Show Notes: https://securityweekly.com/vault-esw-12

Exploring the Strategic Minds in Cybersecurity: A Conversation with Dave Aitel Welcome to an enlightening episode of our podcast, where we sit down with Dave Aitel, a prominent figure in the cybersecurity landscape. With a robust background in offensive security and an extensive career spanning various facets of the industry, Dave brings a wealth of knowledge and strategic insights to our discussion. As the Founder and CEO of Immunity Inc., a leading cybersecurity company, Dave has played a pivotal role in shaping the cybersecurity landscape. Join us as we delve into his journey, from his early experiences in cybersecurity to the strategic decisions that have defined his role as a thought leader in the field. In this episode, we explore Dave's perspectives on the ever-evolving threat landscape, offensive security strategies, and the intricate balance between security and privacy. Gain valuable insights into the methodologies and philosophies that underpin his approach to addressing the challenges posed by cyber threats. Dave Aitel's expertise extends beyond technical domains; he is also recognized for his contributions to policy discussions on cybersecurity. Discover how his experiences and viewpoints contribute to the broader discourse on cybersecurity policy, technology, and the future of digital defense. Whether you're a cybersecurity professional, an industry enthusiast, or someone keen on understanding the strategic dimensions of cybersecurity, this podcast episode with Dave Aitel is bound to offer thought-provoking perspectives and strategic insights. Tune in to explore the intersection of technology, security, and strategy with one of the industry's strategic minds, Dave Aitel. Show Notes: https://securityweekly.com/vault-psw-10

Check out this interview from the SWN Vault, hand picked by main host Doug White! This Secure Digital Life segment was originally published on September 25, 2018. This week, Russ takes the reigns in the absence of Dr. Doug to talk about Networking 101! We are going to go back to school to examine how networking and the internet actually work. Russ looks at MAC addresses, IP Addressing (Private/Public), DHCP, routing, and DNS. Show Notes: https://securityweekly.com/vault-swn-15

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 4, 2023. Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of infrastructure tools for networking, observability, and security. Let's explore eBPF and understand its value for security, and how it's used to secure network connectivity in the Cilium project, and for runtime security observability and enforcement in Cilium's sub-project, Tetragon. Segment Resources: Download "Learning eBPF": https://isovalent.com/learning-ebpf Buy "Learning eBPF" from Amazon: https://www.amazon.com/Learning-eBPF-Programming-Observability-Networking/dp/1098135121 Cilium project: https://cilium.io Tetragon project: https://tetragon.cilium.io/ Show Notes: https://securityweekly.com/vault-asw-11

Check out this interview from the BSW Vault, hand picked by main host Matt Alderman! This segment was originally published on August 9, 2022. Zero Trust is the security buzzword of the moment, and while it is a very powerful approach, nearly every enterprise security product on the market – and some that aren’t even security products — are saying they enable Zero Trust. The problem is this: you can’t buy zero trust. It’s an approach, an architecture, and a journey, not software, hardware, or a service to deploy. Zero Trust also provides a rare opportunity in security - to reduce cost, improve security AND enhance end-user and customer experience. Show Notes: https://securityweekly.com/vault-bsw-11

This week, we've got data security being both funded AND acquired. We discuss Lacework's fall from unicorn status and why rumors that it went to Fortinet for considerably more than Wiz was willing to pay make sense. Microsoft Recall and Apple Intelligence are the perfect bookends for a conversation about the importance of handling consumer privacy concerns at launch. How can the Snowflake breach both be one of the biggest breaches ever, but also not a breach at all (for Snowflake, at least). It's time to have a conversation about shared responsibilities, and when the line between CSP and customer needs to shift. The CSA's AI Resilience Benchmark leaves much to be desired (like, an actual usable benchmark) and Greg Linares tells a wild story about how the first Microsoft Office 2007 vulnerability was discovered. Finally, the Light Phone III was announced. Do we finally have a usable minimalist, social media detox-friendly phone option? Will Adrian have to buy one to find out? Several recent trends underscore the increasing importance of Know Your Business (KYB) practices in today's business landscape. One significant trend is the rise in financial crimes, including money laundering, fraud, and terrorist financing. Technological advancements have transformed the way businesses operate, leading to increased digitization, online transactions, and remote customer interactions. While these developments offer numerous benefits, they also create opportunities for criminals to exploit vulnerabilities. Higher value remote transactions are performed at higher volumes. In addition, government programs such as the PPP program created a need for onboarding business quickly. This created a influx of fraudulent entities and claim who are now exploiting other channels. The convergence of these trends highlights the critical role of KYB in safeguarding businesses, ensuring regulatory compliance, and fostering trust among stakeholders in today's dynamic and interconnected business environment. Segment Resources: https://files.scmagazine.com/wp-content/uploads/2024/05/idi-Identiverse-Brochure_05-2024-KYB-PRINT.pdf This segment is sponsored by IDI. Visit https://securityweekly.com/idiidv to learn more about them! From wrestling with integration complexities to managing unexpected glitches, the realities of SSO implementation can produce very different results than what you want. Are users actually using SSO to login or are they still using the direct logins they gained before enabling SSO? We explore the reasons behind why SSO efficacy isn't always what it seems and what you can do about it. This segment is sponsored by Savvy. Visit https://securityweekly.com/savvyidv for a no cost SaaS-Identity checkup! With identity being the new security perimeter, identity platforms are now an integral part of the core security stack. Inherently these platforms are complex and it takes months and years for organizations to realize the business value. And this is going to get worse. The sheer volume and velocity with which new identity types are being added, as well the sophistication of attacks on identity platforms, requires a transformational shift to Identity security and governance. 50% operational efficiency and delivering security at scale are the two big initiatives which organizations have embarked on. In this session, Vibhuti Sinha, Chief Product Officer of Saviynt will share his insights and discuss how Saviynt is at the forefront of this transformation. This segment is sponsored by Saviynt. Visit https://securityweekly.com/saviyntidv to learn more about them! Enterprises often struggle with achieving business value in identity programs. This is typically the result of technology choices that require a disproportionately greater amount of effort and focus and underestimating the workforce required for organizational change management. With 30 years in the industry and a depth of accumulated knowledge working with large, global customers and vendors, we share how to identify and realize the business value in your organization’s identity program. Segment Resources: https://files.scmagazine.com/wp-content/uploads/2024/05/SDG-IAM-Brief-1.pdf https://files.scmagazine.com/wp-content/uploads/2024/05/SDG-IAM-Modernization-Service-Brief-1-1.pdf This segment is sponsored by SDG. Visit https://securityweekly.com/sdgidv to learn more about them! In today’s increasingly complex cloud environments, ensuring continuous access to identity services is critical for maintaining business operations and security. Gerry Gebel, VP of Product and Standards at Strata Identity, will discuss the recently announced Identity Continuity product, designed to provide uninterrupted identity services even during outages. Unlike traditional disaster recovery solutions, Identity Continuity autonomously fails over to alternate identity providers, ensuring seamless access management. Join us to explore how Strata Identity is enhancing resilience in the identity management space. Segment Resources: Strata Identity Continuity Product page: https://www.strata.io/maverics-platform/identity-continuity/ State of Multi-Cloud Identity report: https://strata.io/wp-content/uploads/2023/08/State-of-multi-cloud-identity-2023_Strata-Identity.pdf Parametrix Survey = https://www.reinsurancene.ws/leading-cloud-service-providers-faced-1000-disruptions-in-2022-parametrix/ This segment is sponsored by Strata. Visit https://securityweekly.com/strataidv to learn more about them! Digital businesses are under attack from account and platform fraud, including Account Takeover (ATO), account opening fraud, and many variations of fraudulent account scams, impersonations, transactions and collusions. Learn best practices to stop fraud with better detection and prevention that can also improve customer satisfaction and operating efficiencies. This segment is sponsored by Verosint. Visit https://securityweekly.com/verosintidv to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-365

Trust in Microsoft, Apple, and the Holy AI, Amen, Moonstone Sleet, Cheating, Joshua Marpet, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-393

We will discuss LLM security in general and some of the issues covered in the OWASP Top 10 for LLMs! Segment Resources: https://genai.owasp.org/ Skyrocketing IoT vulnerabilities, bricked computers?, MACBORG!, raw dogging source code, PHP strikes again and again, if you have a Netgear WNR614 replace it now, Arm Mali, new OpenSSH feature, weird headphones, decrypting firmware, and VPNs are still being hacked! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-832

Buzz Aldrin punches me in the face, the Gray Lady, Veeam, Microsoft squared, Nvidia, Hardware, Pentests, Josh Marpet, and more on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-392

Looking at use cases and abuse cases of Microsoft's Recall feature, examples of hacking web APIs, CISA's secure design pledge, what we look for in CVEs, a nod to PHP's history, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-288

Did you miss Gartner Security & Risk Management last week in National Harbor, MD? Don't worry, Padraic O'Reilly, Founder and Chief Innovation Officer at CyberSaint, joins us to discuss the hot topics that were presented at the conference last week, including: Artificial Intelligence(AI) Continuous Threat Exposure Management(CTEM) Identity & Access Management (IAM) Cyber Risk Padraic will also discuss the changing role of the CISO, at least in the eyes of Gartner. Don't miss this recap. This segment is sponsored by CyberSaint . Visit https://securityweekly.com/cybersaint to learn more about them! The recent rise in adversarial AI has made it clear: organizations must fight AI with better AI. Gone are the days of relying on legacy, antiquated endpoint detection and response offerings, or cybersecurity tools that are based on ineffective machine learning models. In this interview, Deep Instinct CIO Carl Froggett will explain why Deep Learning is the most superior form of AI, and the technology’s role in powering predictive prevention. This segment is sponsored by Deep Instinct. Visit https://securityweekly.com/deepinstinctrsac to learn more about them! Attackers are targeting enterprise users when they are online via attacks like spear phishing, malicious docs infected with malware/ransomware. Today SASE/SSE’s Secure Web Gateway (SWG) component is touted as the solution to this problem. These SWGs look at traffic between the enterprise users and websites and try to infer attacks. Unfortunately, attackers are subverting these SWGs and breaking into enterprises. There is an urgent need to stop this and the solution seems to be to have a browser native security agent which can detect-mitigate attacks happening on the users browser and allow enterprises to threat hunt web attacks company wide. Segment Resources: Why Browser Native Solutions are better than Cloud Based Proxies: https://drive.google.com/file/d/1cItXj1KEm45ZNklASFmcvprbPqZChcMn/view?usp=sharing Data Sheet: https://drive.google.com/file/d/1tv3q2iTFROJPceq2b9SJtzkdHD9J6mvC/view?usp=sharing Blog on the Many Failures of Secure Web Gateways: https://labs.sqrx.com/the-unspoken-challenges-of-secure-web-gateways-c516bc287a6d Latest Press Release: Forbes: Critical Security Flaws Found In Email Top 4—Apple, Gmail, Outlook & Yahoo: https://www.forbes.com/sites/daveywinder/2024/04/04/critical-security-flaw-in-apple-icloud-google-gmail-microsoft-outlook-yahoo-mail-aol-mail-email/ This segment is sponsored by Square X. Visit https://securityweekly.com/squarexrsac to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-353

Burning AI, Lockbit, Veeam, Club Penguin, Kali, Commando Cat, HugeGraph, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-391

"Identity security has been around forever though", you might be thinking. Allow me to clarify. Identity is the largest cybersecurity product category, but most of it is focused on identity governance, authentication, multi-factor, etc. Very little of it is focused on operational identity security. It's this trend, where we recently (within the last 2 years) started seeing the ITDR (Identity Threat Detection and Response) acronym that we'll be focused on today. Particularly: Why is this trend/spike occurring now? What was or is missing to do identity security properly? What does the future of securing identity look like? And it's difficult to do better for this conversation than Will Lin. He spent the last half decade as a VC. On a daily basis, he was looking at the big picture of cybersecurity markets and trends. He discussed security challenges with CISOs and other security buyers on a regular basis, both directly and through the Security Tinkerers community he founded. All this led to a decision to quit the VC world to become a founder himself. Of all the categories he could have chosen, he chose identity security, and that's why we're happy to have him for this conversation. Segment Resources: The Future of Identity AKA Identity promo video focused on the future of Identity We start off discussing the latest round of fundings, centered largely around data security and securing LLM use. This dovetails into a discussion about marketing language and how difficult it can be for buyers to work out what the latest round of early stage startups are doing. Next, we discuss Cloudflare and Bugcrowd's acquisitions, as well as Synopsys's divestiture of its appsec portfolio. From here, we dive into a raft of new features across both IT and cybersecurity products, like Azure, Dashlane, LastPass, and PagerDuty. Discussing Huntress's active remediation feature triggers a conversation about this latest product trend: vendors seem to think buyers are ready for fully automated remediation actions. We're not so sure they are. To wrap up the cybersecurity coverage, Brandon Dixon has an interesting tutorial regarding a Security Copilot use case that looks a LOT like the default phishing enrichment use case that has been used for every SOAR POC ever. To clarify, this is a great piece in that it is all practical, has no marketing fluff, and shows you how to do something useful with Security Copilot. Where it pulls up short is managing to live up to the hype we've been hearing about Security Copilot from day one. We agree to table the discussion on Microsoft Recall until we know more about what GA of the feature will look like, and then dig into a VERY interesting squirrel story about an audio-based hacking puzzle created by a rock band. The interview will delve into the healthcare industry's tumultuous year in 2023, marked by 124 million breached health records across 725 hacking incidents (according to The HIPAA Journal). This interview will explore the critical role that MSSPs play in safeguarding health data and systems against potential security incidents, such as ransomware and business email compromise attacks. Jim Broome will share how to proactively prepare for an incident - including establishing a comprehensive incident response plan, outlining strategies for containment, restoration, and ongoing security operations, and how an MSSP can help. Segment Resources: Tales from the Road Blog: An External Pen Test at a Healthcare Organization Reveals the Dangers of the Dark Web - https://www.directdefense.com/tales-from-the-road-an-external-pen-test-reveals-the-dangers-of-the-dark-web/ 2023 Security Operations Threat Report: https://go.directdefense.com/2023-Security-Operations-Threat-Report This segment is sponsored by DirectDefense. Visit https://securityweekly.com/directdefensersac to learn more about them! In the dynamic landscape of cybersecurity, the urgency to eliminate passwords as a security vulnerability has never been more critical. Organizations are continuing to face a surge in the variety and complexity of cyber threats at historical rates, often fueled by compromised employee login credentials – resulting from attacks such as phishing which has been exacerbated by the rise in use of Artificial Intelligence (AI). The 2023 Verizon Data Breach Investigations Report underscores the staggering impact of breaches caused by stolen credentials, accounting for a staggering 74% of incidents. Christopher Harrell, Yubico’s Chief Technology Officer, shares how organizations can achieve passwordless authentication at scale with high assurance phishing-resistant multi-factor authentication (MFA) to elevate their security posture against phishing attacks while creating phishing-resistant users. Segment Resources: https://www.yubico.com/blog/empowering-enterprise-security-at-scale-with-new-product-innovations-yubikey-5-7-and-yubico-authenticator-7/ https://www.yubico.com/press-releases/yubicos-key-product-innovations-empower-enterprise-security-and-phishing-resistant-passwordless-authentication-at-scale/ This segment is sponsored by Yubico. Visit https://securityweekly.com/yubicorsac to learn more about them! In this podcast segment, we delve into Sophos' fifth annual State of Ransomware report, exploring significant findings and trends in the evolving ransomware landscape. We'll discuss the sharp increase in recovery costs, the strategic targeting of backups by hackers, and the evolving role of cyber insurance in ransom payments. Our discussion will provide insights into how organizations can adapt their cybersecurity measures to mitigate these heightened threats and recover more effectively from attacks. Segment Resources: Blog: The State of Ransomware 2024 Report: https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf Press release: Ransomware Payments Increase 500% In the Last Year, Finds Sophos State of Ransomware Report This segment is sponsored by Sophos. Visit https://www.securityweekly.com/sophosrsac to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-364

Josh comes on the show to discuss all things related to vulnerability tracking and scoring, including the current issues with various systems and organizations including NIST, CVE, Mitre, CVSS, NVD, and more! Segment Resources: NVD blog post Josh wrote: https://anchore.com/blog/navigating-the-nvd-quagmire/ Josh's Latest post: https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/ Josh's podcasts: https://opensourcesecurity.io/category/podcast/ https://hackerhistory.com/ This week: Take on the upstream, how hard is it to patch end-of-life software, hack millions of routers, take over millions of routers, 0-days, and no responses, hack Taylor Swift wristbands, can you detect that covert channel?, and breach reports from Ticketmaster, Snowflake, Santander, and TikTok, and top it all of with C-level DNS servers dropping off the Internet! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-831

Gold Pressed Latinum, VBScript, ORBS, Rockwell, Chrome, SKY, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-389

Boyce Codd Normal Form, Azure, Roaring Kitty, Hugging Face, Okta, Linux, Oracle, Josh Marpet and more, are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-390

Open source has been a part of the software supply chain for decades, yet many projects and their maintainers remain undersupported by the companies that consume them. The security responsibilities for project owners has increased not only in dealing with security disclosures, but in maintaining secure processes backed by strong authentication and trust. Segment Resources: https://www.cisa.gov/news-events/news/lessons-xz-utils-achieving-more-sustainable-open-source-ecosystem https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 https://www.cisa.gov/securebydesign/pledge https://tidelift.com/about/press-releases/tidelift-study-reveals-that-despite-increasing-demands-from-government-and-industry-60-of-maintainers-are-still-unpaid-volunteers https://blog.tidelift.com/paying-maintainers-the-howto Application security posture management has quickly become a hot commodity in the world of AppSec, but questions remain around what is defined by ASPM. Vendors have cropped up from different corners of the AppSec space to help security teams make their programs more effective, improve their security postures, and connect the dots between developers and security. Apiiro is setting the diamond standard for ASPM, combining deep code analysis, runtime context, and native risk detection with a 100% open platform approach, providing more valuable prioritization and a more powerful policy engine. This segment is sponsored by Apiiro. Visit https://securityweekly.com/apiirorsac to learn more about them! Bots accounted for nearly half of all internet traffic in 2023, with bad bot traffic rising for a fifth consecutive year. Malicious bot activity is a significant risk for businesses as it can result in account compromise, higher infrastructure and support costs, customer churn, and more. Tune in to learn about the security risks of these automated threats and what trends Imperva has monitored. This segment is sponsored by Imperva. Visit https://securityweekly.com/impervarsac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-287

Since the 1995 publication of Daniel Goleman’s international bestseller Emotional Intelligence, Why It Can Matter More Than IQ, a global movement has developed to bring “EQ” into practice in businesses, schools, and communities around the globe. But what is its impact on Cybersecurity? In this interview, we welcome Jessica Hoffman, Deputy CISO for the City of Philadelphia, to discuss how Emotional Intelligence can be applied by CyberSecurity leadership to create a better culture and better leaders. Jessica will discuss the five skills that encompass Emotional Intelligence, including: Self Awareness Self Regulation Motivation Empathy Social Skills and examples of how to use them. If you want to be a better cyber leader, then don't miss this episode.   Semperis CISO Jim Doggett shares insights into the evolving role of the CISO. The daily onslaught of cyberattacks not only increases business risk, but also puts a company’s most important data at risk – data on the company, its employees, customers, and partners. Now, more than ever, the CISO is being asked to understand the business of cyber without being given much time to implement plans for protecting an organization’s infrastructure. There is a balance needed between being a technical and business leader, and Jim can share stories from his successful career to enlighten listeners. Segment Resources: Read: https://www.semperis.com/blog/5-itdr-steps-for-cisos/ Watch: https://www.semperis.com/resources/the-key-to-cyber-resilience-identity-system-defense/ This segment is sponsored by Semperis. Visit https://securityweekly.com/semperisrsac to learn more about them!   With new industry regulations, like the SEC’s Cybersecurity Disclosure Rules, there is an increasing demand on CISOs and security leaders to be able to quantify, communicate, and demonstrate how their cybersecurity programs and strategies are impacting the business. In this interview, Sivan Tehila, CEO and Founder of Onyxia Cyber, will discuss new advances in Cybersecurity Management and how CISOs and security leaders can harness the power of data intelligence, automation, and AI to proactively improve risk management, ensure organizational compliance, and align their security initiatives with business goals. Segment Resources: https://rsac.vporoom.com/2024-04-30-Onyxia-Introduces-AI-to-Cybersecurity-Management-Platform-to-Power-Predictive-Security-Program-Management https://www.forbes.com/sites/forbestechcouncil/2023/06/21/three-ways-to-best-communicate-the-value-of-your-security-program-to-business-stakeholders/?sh=18f0f6892e6f This segment is sponsored by Onyxia. Visit https://securityweekly.com/onyxiarsac to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-352

In this interview, join Swimlane Chief Information Security Officer, Mike Lyborg, and host Akira Brand as we discuss the value of cybersecurity marketplaces from a CISO perspective. Through insightful discussions, unpack the connection between outcomes-driven solutions and tangible business KPIs. This segment is sponsored by Swimlane. Visit https://securityweekly.com/swimlanersac to learn more about them! The past two years have witnessed an unprecedented surge in the adoption of generative artificial intelligence (AI) across various industries. And while this presents new efficiencies, with these benefits come significant security concerns. The widespread integration of AI applications increases the risk of data breaches and intellectual property theft, while also expanding organizations' vulnerability to malicious data injection and other AI-driven cyberattacks. During this interview Jim will explore why it’s imperative to implement robust security measures to mitigate these evolving risks effectively, and how working alongside an MSSP can benefit your overall security posture. Segment Resources: https://go.directdefense.com/2023-Security-Operations-Threat-Report This segment is sponsored by DirectDefense. Visit https://securityweekly.com/directdefensersac to learn more about them! In recent years, ransomware attacks have undergone a transformative evolution, shifting from indiscriminate, mass-distributed assaults to highly targeted, sophisticated campaigns. Kris Lahiri is able to discuss the dynamic landscape of ransomware and dive into the techniques he has seen cybercriminals employ, the motivations behind these attacks, and the escalating impact on individuals, businesses, and critical infrastructure. Segment Resources: https://www.egnyte.com/solutions/ransomware-detection https://www.egnyte.com/guides/governance/ransomware This segment is sponsored by Egnyte. Visit https://securityweekly.com/egnytersac to learn more about them! Show Notes: https://securityweekly.com/vault-esw-11

Check out this episode from the Secure Digital Life Vault, hand picked by main host Doug White! This segment was originally published on June 14, 2017. Doug and Russ talk about different types of backups, how they work and out-of-band strategies. Show Notes: https://securityweekly.com/vault-swn-14

Organizations today are overwhelmed with the sheer magnitude of potential cybersecurity threats and there is plenty of vendor buzz around AI in Security products, but what is the reality? Threat detection and incident response (TDIR) strategy and execution have never been more critical and are essential in maintaining cyber resilience and strengthening the security posture of every organization. TDIR aims to identify potential threats and respond before they can impact a business. A layered defense focuses on identifying threat activity, prioritizing investigations, and measuring risk. As a result, organizations can take the appropriate threat mitigation steps. These security strategies and protocols signify a step forward with a TDIR strategy where everyone from the CISO to the security analyst wins. This segment is sponsored by Graylog. Visit https://securityweekly.com/graylogrsac to learn more about them! Axur is a cost-effective external cybersecurity solution that empowers security teams to handle threats beyond the perimeter. Our platform detects, inspects, and responds to brand impersonation, phishing scams, dark web mentions, threat intel vulnerabilities, and more. This segment is sponsored by Axur. Visit https://securityweekly.com/axurrsac to learn more about them! Segment Resources: https://www.axur.com/en-us/partners https://www.axur.com/en-us/outsourced-takedown https://www.axur.com/polaris/home Vendors, sales channels, partners and other kinds of third parties are essential to most businesses. Ensuring that the information security risks of those other companies don't impact your own is the remit of Third Party Cyber Risk Management (TPCRM) teams. It is increasingly evident, however, that the existing practices and tools are not up to the challenge. They make the process even more adversarial than it needs to be, are focused on risk transfer and/or acceptance rather than reduction; are based on limited and low quality signals; and are often excruciatingly manual. We can do better as an industry, and in this conversation we are going to explore a new paradigm for TPCRM and its advantages for third and first parties. Segment Resources: Alice in Supply Chains is a monthly marketing-free newsletter with curated news and commentary on TPCRM: https://www.linkedin.com/newsletters/alice-in-supply-chains-6976104448523677696/ This segment is sponsored by Tenchi Security. Visit https://securityweekly.com/tenchirsac to learn more about them! Show Notes: https://securityweekly.com/vault-esw-10

As a special treat for this week's vault episode, we set up a conversation with Derek Manky to discuss Fortinet's FortiGuard Labs Threat Report. This is a bi-annual report put out by FortiGuard Labs, and in my opinion, it just keeps getting better and better. The report is chock full of actionable information and insights. It answered all my questions about the current state of threats and attacks, like: What is the latest big shift in strategy and focus for ransomware groups? I keep hearing that attackers are getting faster and faster - how much time to defenders actually have these days (to patch a critical vuln, for example)? What are the latest attack techniques being used? Which are used less, or never used? There's not a dull moment in this conversation - I hope you enjoy listening to or watching it as much as I did making it! Segment Resources: Fortiguard Labs 2H 2023 FortiGuard Labs Threat Report Show Notes: https://securityweekly.com/vault-esw-9

Making The World A More Secure Place: Joshua Corman's Journey and Insights Welcome to an insightful podcast episode featuring Joshua Corman, a prominent figure in the realm of cybersecurity. With a wealth of experience and a keen understanding of the evolving threat landscape, Joshua has established himself as a thought leader and influencer in the cybersecurity community. In this episode, we explore Joshua's professional journey, from his early days in the industry to his current position as a respected cybersecurity leader. With a focus on practical strategies and real-world challenges, Joshua shares valuable insights into the complexities of modern cybersecurity and the strategies organizations can employ to navigate this dynamic landscape. As a recognized authority on security, Joshua Corman's expertise spans a range of topics, including risk management, threat intelligence, and the intersection of security with technology and business. Join us as we delve into his experiences, lessons learned, and the principles that guide his approach to addressing the ever-present challenges of cybersecurity. Whether you are a cybersecurity professional, technology enthusiast, or someone keen on understanding the intricacies of safeguarding digital assets, this podcast offers a unique opportunity to gain perspective from one of the industry's thought leaders. Tune in to discover the wisdom and practical advice Joshua Corman brings to the table, shedding light on the current state of cybersecurity and its future trajectory. Show Notes: https://securityweekly.com/vault-psw-9

With hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it’s more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single Sign-On (SSO). So the question becomes, “How do you enable the business while still providing security oversight and governance?” This segment is sponsored by Savvy. Visit https://securityweekly.com/savvy to learn more about them! CISOs encounter challenges in securing data amidst the rapid growth driven by Cloud and GenAI applications. In this segment, we will delve into how Bedrock Security powers frictionless data security, empowering CISOs to securely manage data sprawl, allowing their businesses to operate at optimal speed, without compromising security. Segment Resources: Bedrock Security: https://www.bedrock.security/ Bedrock Security X/Twitter: https://twitter.com/bedrocksec Bedrock Security LinkedIn: https://www.linkedin.com/company/bedrocksec/ House Rx (customer) Case Study: https://tinyurl.com/35v48wx7 Introductory Whitepaper: https://tinyurl.com/5yjeu92b Innovation Sandbox 2024:  https://www.businesswire.com/news/home/20240402284910/en/Bedrock-Security-Named-RSA-Conference-2024-Innovation-Sandbox-Finalist   This segment is sponsored by Bedrock Security. Visit https://securityweekly.com/bedrockrsac to learn more about them! Show Notes: https://securityweekly.com/vault-asw-10

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 18, 2023. We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities. Show Notes: https://securityweekly.com/vault-asw-9

Check out this episode from the Secure Digital Life Vault, hand picked by main host Doug White! This segment was originally published on June 8, 2017. Doug and Russ swim the warm waters of academia, college degrees, types of degrees, and whether or not you need one. Show Notes: https://securityweekly.com/vault-swn-13

Explore how to transform your third party risk program from a business bottleneck to a business driver. Discover how evidence-based security documentation and AI can streamline risk assessments, completing them in days not months. This data-driven approach will reduce TPRM backlog and allow your security team to move faster, identify risk proactively, and become a business driver for your organization. This segment is sponsored by VISO TRUST. Visit https://www.securityweekly.com/visotrustrsac to learn more about them! While client-side resources enable web applications to provide a rich user experience, security teams struggle to gain visibility, insight, and enforcement over them. In this interview, Lynn Marks discusses the latest client-side attack trends observed by Imperva and the pivotal role of client-side protection within PCI DSS 4.0. This segment is sponsored by Imperva. Visit https://securityweekly.com/impervarsac to learn more about them! Show Notes: https://securityweekly.com/vault-bsw-10

Check out this interview from the BSW Vault, hand picked by main host Matt Alderman! This segment was originally published on June 27, 2022. Forgepoint Capital’s Co-Founder and Managing Director, Alberto Yépez, explains what the current economic challenges mean for innovation and the future of the cybersecurity market. Hear his perspective on what security investments, as well as mergers and acquisitions, will look like throughout the next 12-18 months, and how responsible companies are staying the course amidst layoffs and budget cuts in order to turn uncertainty into a strategic path forward. Segment Resources: Forgepoint’s new CISO security priorities model: https://forgepointcap.com/news/forgepoint-capital-builds-first-ever-ciso-security-priorities-model/ Recent exits that Forgepoint supported: - Forescout acquires Cysiv on June 6, 2022(release: https://www.cysiv.com/news/forescout-announces-intent-to-acquire-cysiv and Forgepoint’s blog: https://forgepointcap.com/news/executive-spotlight-an-interview-with-partha-panda-ceo-of-cysiv/) SentinelOne acquires Attivo Networks on May 4, 2022 (release: https://www.sentinelone.com/press/sentinelone-completes-acquisition-of-attivo-networks/ and Forgepoint’s “why we invested” blog: https://forgepointcap.com/news/attivo-networks-why-we-invested/) LexisNexis Risk Solutions Acquires BehavioSec on May 3, 2022 (release: https://risk.lexisnexis.com/about-us/press-room/press-release/20220503-behaviosec and Forgepoint’s blog: https://forgepointcap.com/news/executive-spotlight-an-interview-with-neil-costigan-of-behaviosec/ ) Cloudflare acquires Area 1 Security on April 1, 2022 (release: https://www.cloudflare.com/press-releases/2022/cloudflare-completes-acquisition-of-area-1-security/ and Forgepoint’s “why we invested” blog: https://forgepointcap.com/news/area-1-security-why-we-invested/ ) Show Notes: https://securityweekly.com/vault-bsw-9

Only one funding announcement this week, so we dive deep into Thoma Bravo's past and present portfolio. They recently announced a sale of Venafi to Cyberark and no one is quite sure how much of a hand they had in the LogRhythm/Exabeam merger, and whether or not they sold their stake in the process. We also have a crazy stat Ross Haleliuk spotted in Bessemer's analysis: "13 out of 14 cybersecurity companies acquired in the past year for over $100M were from Israel". Is this an anomaly? Does it just mean that Israel wasn't shy about selling when the market was down? We discuss. A number of new product announcements continue to trickle out post-RSA. We'll also discuss Sam Altman and OpenAI's decision to use Scarlett Johansson's voice against her will and what it could mean for deepfakes, advanced social engineering techniques, and general big tech sliminess. Do you know what a "product glorifier" is? How about a glowstacker? You will if you check out the second-to-last story in the show notes! See the show notes for individual descriptions on each RSAC interview. This week, we feature speakers from Sailpoint, Okta, Ping Identity, LimaCharlie, QwietAI, and Picus! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-363

The Security Weekly crew and special guest Seemant Sehgal explore what PTaaS involves, how it differs from traditional penetration testing, and why it's becoming a crucial service for companies of all sizes to protect their digital assets. We'll discuss the how PTaaS is using the latest technologies (e.g machine learning), the benefits of having a third-party service, and real-world scenarios where PTaaS has successfully thwarted potential security breaches. PTaaS can be a game-changer in enhancing your organization’s security posture! This segment is sponsored by Breachlock. Visit https://securityweekly.com/breachlock to learn more about them! An exploit that makes you more secure, pardon the interruption, water heater company in hot water, IoT devices are vulnerable, Squeege and RDP scraping, free laundry for everyone!, Wifi routers and Apple Air tags, North Koreans fill US IT positions, taking out drones, the NVD backlog, IBM is no longer a security company?, and DNSBombs! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-830

Big Tech, Fighting a Junta, Keylogger in Microsoft , APT Hackers, Free Laundry, Joshua Marpet & more on this edition of the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-388

Secure coding education should be more than a list of issues or repeating generic advice. Liran Tal explains his approach to teaching developers through examples that start with exploiting known vulns and end with discussions on possible fixes. Not only does this create a more engaging experience, but it also relies on code that looks familiar to developers rather than contrived or overly simplistic examples. Segment resources: https://github.com/lirantal https://cheatsheetseries.owasp.org/cheatsheets/NPMSecurityCheat_Sheet.html https://lirantal.com/blog/poor-express-authentication-patterns-nodejs The challenge of evaluating threat alerts in aggregate – what a collection and sequence of threat signals tell us about an attacker’s sophistication and motives – has bedeviled SOC teams since the dawn of the Iron Age. Vectra AI CTO Oliver Tavakoli will discuss how the design principles of our XDR platform deal with this challenge and how GenAI impacts this perspective. Segment Resources: Vectra AI Platform Video: https://vimeo.com/916801622 Blog: https://www.vectra.ai/blog/what-is-xdr-the-promise-of-xdr-capabilities-explained Blog: https://www.vectra.ai/blog/xdr-explored-the-evolution-and-impact-of-extended-detection-and-response MXDR Calculator: https://www.vectra.ai/calculators/mxdr-value-calculator This segment is sponsored by Vectra AI. Visit https://securityweekly.com/vectrarsac to learn more about them! In this interview, we will discuss the network security challenges of business applications and how they can also be the solution. AlgoSec has spent over two decades tackling tough security issues in some of the world’s most complex networks. Now, they’re applying their expertise to hybrid networks—where customers are combining their on-premise resources along with multiple cloud providers. Segment Resources: https://www.algosec.com/resources/ This segment is sponsored by AlgoSec. Visit https://securityweekly.com/algosecrsac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-286

This week, it’s time for security money, our quarterly review of the money of security, including public companies, IPOs, funding rounds and acquisitions from the previous quarter. This quarter, Rubrick's IPO saves the index, as Cisco finishes the acquisition of Splunk. The index is now made up of the following 25 pure play cybersecurity public companies: Secureworks Corp Palo Alto Networks Inc Check Point Software Technologies Ltd. Rubrik Inc Gen Digital Inc Fortinet Inc Akamai Technologies, Inc. F5 Inc Zscaler Inc Onespan Inc Leidos Holdings Inc Qualys Inc Verint Systems Inc. Cyberark Software Ltd Tenable Holdings Inc Darktrace PLC SentinelOne Inc Cloudflare Inc Crowdstrike Holdings Inc NetScout Systems, Inc. Varonis Systems Inc Rapid7 Inc Fastly Inc Radware Ltd A10 Networks Inc In this segment, Theresa will unpack the complexities of cyber resilience, and dive into new research that examines dynamic computing. She’ll discuss how it merges IT and business operations, taps into data-driven decision-making, and redefines computing for the modern era. This segment is sponsored by LevelBlue. Visit https://www.Securityweekly.com/levelbluersac to learn more about them! In this segment, Jim can discuss how organizations can enhance their cybersecurity posture with Blumira’s automated threat monitoring, detection and response solutions. Jim can talk about the exciting plans Blumira has in store for the next 3 years, emphasizing how the company is lowering the barrier to entry in cybersecurity for SMBs. Segment Resources: https://www.blumira.com/customer-stories/ https://www.blumira.com/why-blumira/ This segment is sponsored by Blumira. Visit https://securityweekly.com/blumirarsac to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-351

Microsoft, North Korea, Santander, CISA, Deepfakes, Aaran Leyland & more on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-387

Suddenly SIEMs are all over the news! In a keynote presentation, Crowdstrike CEO George Kurtz talked about the company's "next-gen" SIEM. Meanwhile, Palo Alto, who was taken to task by some for not having an active presence on the RSAC expo floor, hits the headlines for acquiring IBM's SIEM product, just to shut it down! Meanwhile, LogRhythm and Exabeam merge, likely with the hopes of weathering the coming storm. The situation seems clear - there's no such thing as "best of breed" SIEM anymore. It's a commodity to be attached to the existing dominant security platforms. Are the days numbered for the older pure-play SIEM/SOAR vendors out there? Crowdstrike and Palo Alto alone could displace a lot of incumbents, even with a less than stellar product. Visit the show notes for full descriptions on each RSAC executive interview! Show Notes: https://securityweekly.com/esw-362

Has cryptocurrency done more harm than good? Our guest for this segment has some interesting views on its impacts! Vulnrichment (I just like saying that word), Trustworthy Computing Memo V2, SSID confusion, the Flipper Zero accessory for Dads, the state of exploitation, Hackbat, Raspberry PI Connect, leaking VPNs, exploiting faster?, a new Outlook 0-Day?, updating Linux, and a 16-year-old vulnerability. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-829

3000 Years Ago, Dell, Robocalls, PyPI, Cinterion, Cacti, Chat-GPT, Windows, Josh Marpet, and more, on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-386

Everyone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn talks about why the list looks so familiar in many ways -- after all, LLMs are still software. But the list captures some new concepts that anyone looking to use LLMs or generative AIs should be aware of. https://llmtop10.com/ https://github.com/OWASP/www-project-top-10-for-large-language-model-applications/wiki/Educational-Resources https://owasp.org/www-project-ai-security-and-privacy-guide/ https://gandalf.lakera.ai/ https://quarkiq.com/blog How companies are benefiting from the enterprise browser. It's not just security when talking about the enterprise browser. It's the marriage between security AND productivity. In this interview, Mike will provide real live case studies on how different enterprises are benefitting. Segment Resources: https://www.island.io/resources https://www.island.io/press This segment is sponsored by Island. Visit https://www.securityweekly.com/islandrsac to learn more about them! The cybersecurity landscape continues to transform, with a growing focus on mitigating supply chain vulnerabilities, enforcing data governance, and incorporating AI into security measures. This transformation promises to steer DevSecOps teams toward software development processes with efficiency and security at the forefront. Josh Lemos, Chief Information Security Officer at GitLab will discuss the role of AI in securing software and data supply chains and helping developers work more efficiently while creating more secure code. This segment is sponsored by GitLab. Visit https://securityweekly.com/gitlabrsac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-285

In today's enterprises, the Identity Access Management (IAM) System is the key to a business' critical operations. But that IAM environment is more vulnerable than most security executives realize. Segment Resources: https://www.mightyid.com/articles/the-r-in-itdr-the-missing-piece-in-identity-threat-detection-and-response https://www.mightyid.com/download-am-i-covered https://www.mightyid.com/articles/business-continuity-and-cyber-security-the-crucial-role-of-identity-resilience https://www.mightyid.com/articles/vegas-under-cyber-attack-what-went-wrong This segment is sponsored by MightyID. Visit https://securityweekly.com/mightyid to learn more about them!   AI is more than just a buzzword. Done right, AI can improve decision making and scale your identity security platform to manage every identity, human and machine, physical and digital. Learn about how Saviynt’s #1 Identity Security platform is leveraging a variety of AI capabilities to enhance the user experience and improve identity security and compliance, bringing AI to life in a practical, market leading way to drive value for our customers. Segment Resources: https://saviynt.com/blog/analytics-ai-automation-and-abstraction-pioneering-the-next-chapter-in-identity-security/ This segment is sponsored by Saviynt. Visit https://www.securityweekly.com/saviyntrsac to learn more about them!   The common misperception that identity infrastructure and IAMs like Active Directory, Okta, or Ping can adequately secure the entire identity infrastructure is to blame for the continued barrage of cyber and ransomware attacks. Yes, each of these vendors has security controls baked into their solution, however they cannot extend those controls outside their environments to provide visibility, context, and protection beyond their walls. Hackers use the gaps between these tools to move throughout a company and evade detection. We don't expect Dell or Lenovo to protect our entire suite of endpoints. Nor do expect a single cloud provider to protect all your clouds; we rely on Wiz for that. Identity infrastructure remains the most unprotected part of the technology stack and needs dedicated protection, as organizations already apply for cloud, endpoints, or networks. Watch this conversation with Hed Kovetz as he takes us through why identity security remains the most unprotected part of the security stack, and what needs to change to advance the state of cybersecurity. Segment Resources: https://www.silverfort.com/the-identity-underground-report/ https://www.forbes.com/sites/forbestechcouncil/2023/11/16/rethinking-the-framework-around-identity-security/  https://techcrunch.com/2024/01/23/silverfort-now-valued-at-1b-after-raising-116m-for-its-holistic-approach-to-identity-security/ This segment is sponsored by Silverfort. Visit https://securityweekly.com/silverfortrsac to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-350

Easy Passwords, BIG-IP, Ascension, Lockbit, Google, Poland, ZScaler, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-385

Tune in to hear 9 executive interviews from RSA Conference 2024, featuring speakers from Zscaler, Open Systems, Aryaka, OpenText, Hive Pro, Critical Start, Anomali, Cyware, and Pentera! Find individual descriptions for each interview on the show notes. Show Notes: https://securityweekly.com/esw-361

In this RSAC 2024 South Stage Keynote, Mikko Hyppönen will look back at the past decade of ransomware evolution and explore how newer innovations, like AI, are shaping its future.   Illuminating the Cybersecurity Path: A Conversation with Jeremiah Grossman Join us for a compelling episode featuring Jeremiah Grossman, a prominent figure in the cybersecurity landscape. As a recognized expert, Jeremiah has played a pivotal role in shaping the discourse around web security and risk management. Jeremiah's journey in cybersecurity is marked by a series of influential roles, including Chief of Security Strategy at SentinelOne and Founder of WhiteHat Security. With a focus on web application security, he has been a driving force in advocating for innovative approaches to protect organizations from cyber threats. In this episode, we explore Jeremiah's vast experience and delve into his insights on the ever-evolving cybersecurity challenges. From his early days as a hacker to his current position as a sought-after industry thought leader, Jeremiah shares valuable perspectives on the strategies and philosophies that underpin effective cybersecurity practices. As a pioneer in the field, Jeremiah has contributed significantly to the development of best practices for identifying and mitigating web-related vulnerabilities. Tune in to gain a deeper understanding of the evolving threat landscape and the proactive measures organizations can take to secure their digital assets. Whether you're a cybersecurity professional, tech enthusiast, or someone eager to comprehend the complexities of online security, this podcast with Jeremiah Grossman promises to be an illuminating exploration of the past, present, and future of cybersecurity. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-828

Tetris, APT42, Kimsuky, Android, ChatRTX, MITRE, Computer Dating, Josh Marpet, and more, on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-384

A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injection to jailbreaking to authenticity. Caleb Sima explains why it's important to understand the different types of AI and the practical tasks necessary to secure how it's used. Segment resources: https://calebsima.com/2023/08/16/demystifing-llms-and-threats/ https://www.youtube.com/watch?v=qgDtOu17E&t=1s We already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack of resources in testing an AI's bias. Then we discuss how organizations should approach the very different concepts of AI security and AI safety. Segment Resources: https://securing.dev/posts/hacking-ai-bias/ https://www.defense.gov/News/Releases/Release/Article/3659519/cdao-launches-first-dod-ai-bias-bounty-focused-on-unknown-risks-in-llms/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-284

Inspired by my co-host Jason Albuquerque, this quarter's Say Easy, Do Hard segment is Train How You Fight. In part 1, we discuss the importance of training for a cyber incident. However, lots of organizations do not take it seriously, causing mistakes during an actual cyber incident. How will the lack of preparation impact your organization during an incident? Inspired by my co-host Jason Albuquerque, we dig into the hard part of our Say Easy, Do Hard segment. In part 2, we discuss how to train for a cyber instance. We'll cover the elements of a training program that will prepare you for responding to a cyber incident, including: Developing the training program Practice, practice, practice Imposing corrective actions Constantly evaluating/reviewing the success of the training program Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-349

Weird Al, Docker, OT, Gitlab, Credit Monitoring, Dropbox, Cisco, AI, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-383

It's the most boring part of incident response. Skip it at your peril, however. In this interview, we'll talk to Joe Gross about why preparing for incident response is so important. There's SO MUCH to do, we'll spend some time breaking down the different tasks you need to complete long before an incident occurs. Resources 5 Best Practices for Building a Cyber Incident Response Plan This segment is sponsored by Graylog. Visit https://securityweekly.com/graylog to learn more about them!   It's the week before RSA and the news is PACKED. Everyone is trying to get their RSA announcements out all at once. We've got announcements about funding, acquisitions, partnerships, new companies, new products, new features... To make things MORE challenging, everyone is also putting out their big annual reports, like Verizon's DBIR and Mandiant's M-Trends! Finally, we've got some great essays that are worth putting on your reading list, including a particularly fun take on the Verizon DBIR by Kelly Shortridge. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-360

The Security Weekly crew discusses some of the latest articles and research in cryptography and some background relevant subtopics including the race against quantum computing, key management, creating your own crypto, selecting the right crypto and more! https://www.globalsecuritymag.com/keysight-introduces-testing-capabilities-to-strengthen-post-quantum.html https://malware.news/t/reversinglabs-hashing-algorithm/81418 https://www.bleepingcomputer.com/news/security/google-chromes-new-post-quantum-cryptography-may-break-tls-connections/ https://www.finextra.com/newsarticle/44060/hsbc-and-paypal-tackle-quantum-safe-cryptography-in-payments https://blog.trailofbits.com/2024/04/26/announcing-two-new-lms-libraries/ https://blog.cryptographyengineering.com/2024/04/16/a-quick-post-on-chens-algorithm/ ChatGPT writes exploits, banning default and weak passwords, forget vulnerabilities just get rid of malware, IR blasting for fun and not profit, creating fake people, shattered dreams and passkey, and removing chips. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-827

AI, Okta, Chrome, Quantum, Kaiser Permanente, FTC, FCC, NCSC, Josh Marpet, and more, are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-382

Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are companies still figuring out supply chain, but now they're bracing for the coming of genAI and how that will just further highlight the current struggles they're having with data security and data privacy. Segment Resources: Complete Survey Results: The Growing Complexity of Securing the Software Supply Chain https://research.esg-global.com/reportaction/515201781/Toc  Misusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-283

A hybrid workforce requires hybrid identity protection. But what are the threats facing a hybrid workforce? As identity becomes the new perimeter, we need to understand the attacks that can allow attackers access to our applications. Eric Woodruff, Product Technical Specialist at Semperis, joins Business Security Weekly to discuss those attacks, including a new attack technique, dubbed Silver SAML. Join this segment to learn how to protect your hybrid workforce. Segment Resources: https://www.semperis.com/blog/meet-silver-saml/&utmsource=cra&utmcampaign=bsw-podcast This segment is sponsored by Semperis. Visit https://securityweekly.com/semperis to learn more about them! In the leadership and communications section, The Board's Pivotal Role in Steering Cybersecurity, CISO-CEO communication gaps continue to undermine cybersecurity, The Essence of Integrity in Leadership: A Pillar of Trust and Excellence, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-348

TikTok, Flowmon, Arcane Door, Brokewell, RuggedCom, Deepfakes, Non-Competes, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-381

On February 27, 2024, PCAST (President’s Council of Advisors on Science and Technology) sent a report to the President with recommendations to bolster the resilience and adaptability of the nation’s cyber-physical infrastructure resources. Phil was part of the team that worked on the report and comes on the show to talk about what was recommended and how we implement the suggestions. This week the crew discusses: When TVs scan your network, bad things can happen, PuTTY is vulnerable, Crush FTP, vulnerabilities that will never be fixed, CVEs are for vulnerabilities silly, you can test for easily guessable passwords too, FlipperZero can steal all your passwords, more XZ style attacks, more reasons why you shouldn't use a smart lock, and your keystrokes are showing! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-826

A clear pattern with startups getting funding this week are "autonomous" products and features. Automated detection engineering Autonomously map and predict malicious infrastructure ..."helps your workforce resolve their own security issues autonomously" automated remediation automated compliance management & reporting I'll believe it when I see it. Don't get me wrong, I think we're in desperate need of more automation when it comes to patching and security decision-making. I just don't think the majority of the market has the level of confidence necessary to trust security products to automate things without a human in the loop. The way LimaCharlie is going about it, with their new bi-directional functionality they're talking up right now, might work, as detections can be VERY specific and fine-grained. We've already seen a round of fully automated guardrail approaches (particularly in the Cloud) fail, however. My prediction? Either what we're seeing isn't truly automated, or it will become a part of the product that no one uses - like Metasploit Pro licenses.   We've talked about generative AI in a general sense on our podcast for years, but we haven't done many deep dives into specific security use cases. That ends with this interview, as we discuss how generative AI can improve SecOps with Ely Kahn. Some of the use cases are obvious, while others were a complete surprise to me. Check out this episode if you're looking for some ideas! This segment is sponsored by SentinelOne. Visit https://securityweekly.com/sentinelone to learn more about them!   This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats. Resources: Here's the Inherent Threats Whitepaper Adam's book, Threat Modeling: Designing for Security Adam's latest book, Threats: What Every Engineer Should Learn from Star Wars We mention the Okta Breach - here's my writeup on it We mention the CSRB report on the Microsoft/Storm breach, here's Adam's blog post on it And finally, Adam mentions the British Library incident report, which is here, and Adam's blog post is here Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-359

Robofly, CRUSHFTP, Github, Palo Alto, MITRE, Fancy Bear, Deepfakes, Aaran Leyland, and more, on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-380

How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve. Segment resources: https://crashoverride.com/blog/welcome-zap-to-the-open-source-fellowship https://www.zaproxy.org https://crashoverride.com/blog/are-there-too-many-bubbles-of-similar-security-efforts CISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-282

Since 2016, we been hearing about the impending impact of CMMC. But so far, it's only been words. That looks to be changing. Edward Tourinsky, Founder & Managing Principal at DTS, joins Business Security Weekly to discuss the coming impact of CMMC v3. Edward will cover: The background of CMMC Standardization of CMMC CMMC v3 changes and implementation timelines Best practices to prepare Segment Resources: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program https://www.forbes.com/sites/forbesbusinesscouncil/2024/02/13/the-department-of-defenses-cmmc-requirement-and-what-it-means-for-american-businesses/?sh=7ccbc268b7b5 https://consultdts.com/demystifying-the-cmmc-rule-a-breakdown-of-proposed-regulation/ The new SEC Cyber Security Rules require organizations to be ready to report cyber incidents. But what do you actually need to do? Mike Lyborg, Chief Information Security Officer at Swimlane, joins Business Security Weekly to discuss how to prepare. In this interview he'll discuss the key element of your preparation, including: Quantification Materiality Evidence Disclosure Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-347

Win 95, Cheat Lab, LastPass, Kubernetes, Sandworm, Bloomtech, Frontier, 911, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-379

Protecting a normal enterprise environment is already difficult. What must it be like protecting a sports team? From the stadium to merch sales to protecting team strategies and even the players - securing an professional sports team and its brand is a cybersecurity challenge on a whole different level. In this interview, we'll talk to Joe McMann about how Binary Defense helps to protect the Cleveland Browns and other professional sports teams. This week, Adrian and Tyler discuss some crazy rumors - is it really possible that a cloud security startup valued at over $8 billion in November 2021 just got bought for $200 million??? Some healthy funding for Cyera and Cohesity ($300m and $150m, respectively) Onum, Alethea, Sprinto, Andesite AI, StrikeReady, YL-Backed Miggo, Nymiz, Salvador Technologies, and Simbian all raise smaller seed, A, or B rounds. Akamai picks up API security startup, Noname Security, Zscaler picks up Airgap networks, and it's rumored that Armis will acquire Silk Security for $150M. LimaCharlie seems to be doing some vertical growth, adding its own response and automation capabilities (what they call "bi-directional" capabilities). CISA releases a malware analysis system to the general public. Boostsecurity.io releases "poutine", an open source CI/CD pipeline vulnerability scanner. Some great essays this week, with Phil Venables' Letter from the Future, Ben Hawkes' Robots Dream of Root Shells, and Aileen Lee's 10 year Unicorn anniversary piece. We briefly discuss the 3rd party breach that affected Cisco Duo customers, and the financial impact of Change Healthcare's highly disruptive ransomware incident. Finally, we talk about the latest research on the security of LLMs and the apps using them. It's not looking great. For more details, check out the show notes here: https://www.scmagazine.com/podcast-episode/3188-enterprise-security-weekly-358 Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-358

Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) puts greater emphasis on application security than did previous versions of the standard. It also adds a new “customized approach” option that allows merchants and other entities to come up with their own ways to comply with requirements, and which also has implications for application security. Specifically, PCI DSS 4.0 requires that by March 31, 2025, more testing of public-facing applications related to payment processing or other activities be considered “in scope” for compliance. Generally, any system that touches payment-card data is in scope for PCI DSS compliance, whether or not the system or function is public-facing. We'll talk through what organizations should have gotten done by March 31, 2024, and what needs to happen by March 31, 2025. Segment Resources: https://info.obsglobal.com/pci-4.0-resources Pioneering the Cyber Battlefield: A Deep Dive with Winn Schwartau, Cybersecurity Luminary Get ready for an extraordinary episode as we sit down with Winn Schwartau, a true pioneer and luminary in the world of cybersecurity. Winn's impact on the field is nothing short of legendary, and in this podcast interview, we uncover the profound insights and experiences that have shaped his unparalleled career. Winn Schwartau's journey began long before the mainstream recognition of cybersecurity as a critical discipline. As a thought leader and visionary, he foresaw the digital threats that would come to define our interconnected age. Join us as we delve into the early days of cybersecurity and explore the foresight that led Winn to become a trailblazer in the industry. An accomplished author, speaker, and strategist, Winn Schwartau has been at the forefront of shaping cybersecurity policies and practices. From his groundbreaking book "Information Warfare" to his influential work on the concept of the "Electronic Pearl Harbor," Winn has consistently pushed the boundaries of conventional thinking in cybersecurity. In this podcast episode, Winn shares his unique perspective on the evolution of cyber threats, the challenges faced by individuals and organizations, and the urgent need for a paradigm shift in cybersecurity strategy. Prepare to be captivated by the stories and experiences that have fueled Winn's advocacy for a more resilient and secure digital world. Whether you're a cybersecurity professional, an enthusiast, or simply intrigued by the profound impact of technology on our lives, this conversation with Winn Schwartau promises to be a journey through the past, present, and future of cybersecurity. Don't miss the chance to gain unparalleled insights from a true cybersecurity luminary. Tune in and discover the wisdom that only Winn Schwartau can bring to the table in this illuminating podcast interview. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-825

Duo, Steganography, Roku, Palo Alto, Putty, Cerebral, IPOs, SanDisk, Josh Marpet, and more, on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-378

There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career. Segment resources: https://kickstartseceng.com A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome’s V8 Sandbox increases defense, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-281

Startup founders dream of success, but it's much harder than it looks. As a former founder, I know the challenges of cultivating an idea, establishing product market fit, growing revenue, and finding the right exit. Trust me, it doesn't always end well. In this interview, we welcome Seth Spergel, Managing Partner at Merlin Ventures, to discuss how to accelerate that journey to lead to a successful outcome. Seth will share Merlin Venture's approach to helping startups tackle the largest markets in the world, including US enterprises and federal. He will also share what success looks like. Segment Resources:  https://merlin.vc/advice-for-young-startups-eyeing-federal-what-kind-of-tech-does-the-u-s-government-need/ https://merlin.vc/we-have-liftoff/  https://merlin.vc/portfolio/  https://merlin.vc/dig-security-talon-cyber-security-acquired-by-palo-alto-networks/ https://innovationisrael.org.il/en/digital-reports/ In the leadership and communications section, Navigating Legal Challenges of Generative AI for the Board, Winds of Warning? SEC Charges Threaten to Disrupt Role of CISO, 6 Common Leadership Styles — and How to Decide Which to Use When, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-346

Combadges, SISENSE, Microsoft, Malware Next-Gen, Lastpass, Palo Alto, Broadband, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-377

In the days when Mirai emerged and took down DynDNS, along with what seemed like half the Internet, DDoS was as active a topic in the headlines as it was behind the scenes (check out Andy Greenberg's amazing story on Mirai on Wired). We don't hear about DDoS attacks as much anymore. What happened? Well, they didn't go away. DDoS attacks are a more common and varied tool of cybercriminals than ever. Today, Michael Smith is going to catch us up on the state of DDoS attacks in 2024, and we'll focus particularly on one cybercrime actor, KillNet. Segment Resources: Understanding DDoS Attacks: What is a DDoS Attack and How Does it Work? - I know the title makes this blog post sound rather basic, but it will get you up to speed on all the latest DDoS types, actors, and terminology pretty quickly! What is An Application-Layer DDoS Attack, and How Do I Defend Against Them? 2023 DDoS Statistics and Trends https://en.wikipedia.org/wiki/Killnet This week, Tyler and Adrian discuss Cyera's $300M Series C, which lands them a $1.4B valuation! But is that still a unicorn? Aileen Lee of Cowboy Ventures, who coined the term back in 2013, recently wrote a piece celebrating the 10th anniversary of the term, and revisiting what it means. We HIGHLY recommend checking it out: https://www.cowboy.vc/news/welcome-back-to-the-unicorn-club-10-years-later They discuss a few other companies that have raised funding or just come out of stealth, including Scrut Automation, Allure Security, TrojAI, Knostic, Prompt Armor. They discuss Eclipsium's binary analysis tooling, and what the future of fully automated security analysis could look like. Wiz acquired Gem, and Veracode acquired Longbow. Adrian LOVES Longbow's website, BTW. They discuss a number of essays, some of which are a must read: Daniel Miessler's Efficient Security Principle Subsalt's series on data privacy challenges Lucky vs Repeatable, a must-read from Morgan Housel AI has Flown the Coop, the latest from our absent co-host, Katie Teitler-Santullo Customer love by Ross Haleliuk and Rami McCarthy We briefly cover some other fun - reverse typosquatting, AI models with built-in RCE, and Microsoft having YET ANOTHER breach. We wrap up discussing Air Canada's short-lived AI-powered support chatbot. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-357

Jim joins the Security Weekly crew to discuss all things supply chain! Given the recent events with XZ we still have many topics to explore, especially when it comes to practical advice surrounding supply chain threats. Ahoi new VM attacks ahead! HTTP/2 floods, USB Hid and run, forwarded email tricks, attackers be scanning, a bunch of nerds write software and give it away for free, your TV is on the Internet, Rust library issue, D-Link strikes again, EV charging station vulnerabilities, and rendering all cybersecurity useless. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-824

Dronepocalypse, Privacy, Microsoft, DLINK, Home Depot, Phishing, NIST, VenomRat, Josh Marpet, and more, are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-376

We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software. It's an exciting topic partially because so much other appsec is boring. And that boring stuff is important to get right first. We also talk about what parts of this that orgs should be worried about and what types of threats they should be prioritizing instead. Segment Resources: https://tukaani.org/xz-backdoor/ https://news.risky.biz/risky-biz-news-supply-chain-attack-in-linuxland/ https://www.zdnet.com/article/this-backdoor-almost-infected-linux-everywhere-the-xz-utils-close-call/#ftag=RSSbaffb68 https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 https://duo.com/decipher/carefully-crafted-campaign-led-to-xz-utils-backdoor https://boehs.org/node/everything-i-know-about-the-xz-backdoor OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-280

In this discussion, we focus on vendor/tool challenges in infosec, from a security leader's perspective. To quote our guest, Ross, "running a security program is often confused with shopping". You can't buy an effective security program any more than you can buy respect, or a black belt in kung fu (there might be holes in these examples, but you hopefully get the point). In fact, buying too much can often create more problems than it solves, especially if you're struggling to fill your staffing needs. In this 2-part episode, we'll discuss: - The current state of vendor offerings in cybersecurity - The difficulties of measuring value and efficacy in a product - How to avoid building a security program that centers around managing products - Shelfware - Minimizing product overhead - The pros and cons of buying from different types of companies - Who to look to for product recommendations - Is making a plan to "ditch before you hitch" a good or bad idea? - What to do when you inherit a mess Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-345

SEXi, AI Dreams, Powerhost, Acuity, Layerslider, JSOutProx, Byakugan, Josh Marpet, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-375

As most of you have probably heard there was a scary supply chain attack against the open source compression software called "xz". The security weekly hosts will break down all the details and provide valuable insights. https://blog.qualys.com/vulnerabilities-threat-research/2024/03/29/xz-utils-sshd-backdoor https://gynvael.coldwind.pl/?id=782 https://isc.sans.edu/diary/The+xzutils+backdoor+in+security+advisories+by+national+CSIRTs/30800 https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor https://github.com/amlweems/xzbot https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/ https://unicornriot.ninja/2024/xz-utils-software-backdoor-uncovered-in-years-long-hacking-plot/ https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504 https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/ https://xeiaso.net/notes/2024/xz-vuln/ https://infosec.exchange/@[email protected] https://github.com/notselwyn/cve-2024-1086?tab=readme-ov-file https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd pfSense switches to Linux (April Fools?), Flipper panic in Oz, Tales from the Krypt, Funding to secure the Internet, Abusing SSH on Windows, Blinding EDR, more hotel hacking, Quantum Bleed, and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-823

NVD checked out, then they came back? Maybe? Should the xz backdoor be treated as a vulnerability? Is scan-driven vulnerability management obsolete when it comes to alerting on emerging threats? What were some of the takeaways from the first-ever VulnCon? EPSS is featured in over 100 security products, but is it properly supported by those that benefit from it? How long do defenders have from the moment a vulnerability is disclosed to patch or mitigate it before working exploits are ready and in the wild? There's SO much going on in the vulnerability management space, but we'll try to get to the bottom of some of in in this episode. In this interview, we talk to Patrick Garrity about the messy state of vulnerability management and how to get it back on the rails. Segment Resources: Exploitation TImelines NVD Sources for known exploitation Exploitation in the Wild - Rockstar As we near RSA conference season, tons of security startups are coming out of stealth! The RSA Innovation Sandbox has also announced the top 10 finalists, also highlighting early stage startups that will be at the show. In this week's news segment, We discuss the highlights of the Cyber Safety Review Board's detailed and scathing report on Microsoft's 2023 breach We spend a bit of time on the xz backdoor, but not too much, as it has been covered comprehensively elsewhere We discover half a dozen of the latest startups to receive funding or come out of stealth: Coro, Skyflow, Zafran, Permiso, Bedrock Security, Abstract Security, and Sandfly Apple is reportedly going to have some big AI announcements this summer, and we discuss how overdue voice assistants are for an LLM makeover. Finally, we discuss the amazing innovation that is the Volkswagen RooBadge! By the way, the thumbnail is a reference to the xz backdoor link we include in the show notes: https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-356

Lena, XZ, WallEscape, AT&T, OWASP, Google, Microsoft, AI, Josh Marpet, and more, on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-374

Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths. We talk about some of our favorite (as in most disliked) myths to point out how oversimplified slogans and oversimplified threat models lead to bad advice -- and why bad advice can make users less secure. Segment resources: https://www.oreilly.com/library/view/cybersecurity-myths-and/9780137929214/ The OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-279

Harold Rivas has held multiple CISO roles. In his current CISO role, he's championing Trellix's overall mission to address the issues CISOs face every day, encouraging information sharing and collaborative discussions among the CISO community to help address challenges and solve real problems together - part of this is through Trellix's Mind of the CISO Initiative and the Trellix CISO Council. In this interview, we do a little CISO soul-searching. Harold will bring insights from the initiative to cover some of the top challenges CISOs face in this ever-evolving role, including: Earning a seat at the table Talking the language of business Addressing the risks and opportunities of business evolution Reading the tea leaves of the future and more! If you're a CISO or want to be a CISO, don't miss this episode. Segment Resources: https://www.trellix.com/blogs/perspectives/introducing-trellixs-mind-of-the-ciso-initiative/ https://www.trellix.com/solutions/mind-of-the-ciso-report/ https://www.trellix.com/solutions/mind-of-the-ciso-behind-the-breach/ In the leadership and communications section, The Strategic Implications of Cybersecurity: A C-Level Perspective, Leadership Misconceptions That Hinder Your Success , "Mastering Communication: Lessons from Two Years of Learning", and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-344

Many years ago, I fielded a survey focused on the culture of cybersecurity. One of the questions asked what initially drew folks to cybersecurity as a career. The most common response was a deep sense of curiosity. Throughout my career, I noticed another major factor in folks that brought a lot of value to security teams: diversity. Diversity of people, diversity of background, and diversity of experience. I've seen auto mechanics, biologists, and finance experts bring the most interesting insights and forehead-slapping observations to the table. I think part of the reason diversity is so necessary is that security itself is incredibly broad. It covers everything that technology, processes, and people touch. As such, cybersecurity workers need to have a similarly broad skillsets and background. Today, we talk to someone that embodies both this non-typical cybersecurity background and sense of curiosity - Clea Ostendorf. We'll discuss: The importance for organizations to actively seek and welcome curious newcomers in the security field who may not conform to traditional cybersecurity norms. Strategies for organizations to foster an environment that encourages individuals with curiosity, motivation, and a willingness to challenge conventional norms, thereby promoting innovative thinking in addressing security risks. Segment Resources: Evolving Threats from Within - Insights from the 2024 Code42 Data Exposure Report This week, in the enterprise security news: Early stage funding is all the rage AI startups continue to pop out of stealth The buyer's market continues with more interesting acquisitions Purpose-built large language models for security Benchmarking LLMs for security GoFetch? More like... Get outta here (I couldn't think of anything clever) Crowdstrike and NVIDIA team up Why do people trust AI? What do Google Sheets and Carlos Sainz Jr. have in common? All that and more, on this episode of Enterprise Security Weekly! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-355

AI Dreams of Electric Sheep, Exchange, Darcula, NuGet, Rockwell, FTX, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-373

Jason Healey comes on the show to discuss new ideas on whether the new national cybersecurity strategy is working. Segment Resources: DEFRAG Hacker Film Festival short documentary (https://youtu.be/NYvHWcQsIRE) on hackers and their favorite films. For educational purposes only, as we don’t have the rights to the clips. YouTube link to Wargames event with Jen Easterly, Matt Devost, Amelia Koran and Kevin Huyck (head of ops for NORAD) (https://youtu.be/iqx6STDYJ7c?si=73WQtSG4RnCGsBcT). https://www.lawfaremedia.org/article/which-cyber-regulations-fit-which-sectors https://www.lawfaremedia.org/article/the-national-cybersecurity-strategy-breaking-a-50-year-losing-streak https://www.lawfaremedia.org/article/twenty-five-years-of-white-house-cyber-policies https://www.lawfaremedia.org/article/understanding-offenses-systemwide-advantage-cyberspace The PSW crew discusses some crypto topics, such as post-quantum and GoFetch, new Flipper Zero projects, RFID hacking and hotel locks, BlueDucky, side channel attacks and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-822

Patrick Stewart, Colorama, Strelastealer, CVSS scores, CHUDS, Josh Marpet, and more, on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-372

With hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it’s more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single Sign-On (SSO). So the question becomes, “How do you enable the business while still providing security oversight and governance?” This segment is sponsored by Savvy. Visit https://securityweekly.com/savvy to learn more about them! In the leadership and communications section, The CISO Role Is Changing. Can CISOs Themselves Keep Up? , Why do 60% of SEC Cybersecurity Filings Omit CSO, CISO Info?, How Co-Leaders Succeed, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-343

One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easier, but in defining who that user is in the first place. Segment resources: https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50 The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-278

While awareness and attention towards cybersecurity are on the rise, some popular and persistent myths about cybersecurity have almost become threats themselves. API security requires a modern understanding of the threat landscape, with the context that most API providers desire to be more open and accessible to all. We will debunk the 5 worst myths about protecting your APIs. Segment Resources: API Security Basics - Everything You Need to Know Graylog API Security - Gain Visibility & Control Over Your API Attack Surface This segment is sponsored by Graylog. Visit https://securityweekly.com/graylog to learn more about API security! In the enterprise security news, Lots of funding news, including: - Nozomi Networks Raises $100 Million to Expand Industrial Cybersecurity Business - BigID Raises $60 Million at $1 Billion Valuation - J.P. Morgan Growth Leads $39 Million Investment in Eye Security - CyberSaint raises $21 million to accelerate market expansion Zscaler Acquires Avalor for $350 Million Cisco completes $28 bn acquisition of cybersecurity firm Splunk Airbus Calls Off Planned Acquisition of Atos Cybersecurity Group Cybersecurity firm Cato Networks hires banks for 2025 IPO, sources say Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-354

Robots gone wild, UDP, GoFetch, Domain Controllers, Pwn2Own, Verner Vinge, Reddit, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-371

Josh Corman joins us to explore how we can make things more secure, making companies make things more secure, and making regulations that make us make things more secure! We will also touch on supply chain security and the state of vulnerability tracking and scoring. We discuss the always controversial Flipper Zero devices the hidden risks in the undersea cables, and the landscape of government oversight, revealing the intricacies of CVE, KEV, and NVD systems that are the linchpins of our digital safety. The conversation takes a turn to the practicalities of risk management and the impact of individuals on the industry, like Daniel from the curl project, striking a chord with the significance of cybersecurity vulnerabilities compared to environmental pollution. We tackle the challenges of vulnerability prioritization and the importance of a comprehensive approach to managing the ever-evolving threats that target our digital infrastructure. (00:01) Security Practices and Flipper Zero (07:01) Technology and Privacy Concerns in Cars (17:33) Undersea Cables and NVD Issues (27:45) Government Oversight and Funding for Cybersecurity (33:33) Improving Vulnerability Prioritization in Cybersecurity (45:37) Risk Management and CVE Implementation (58:06) Cybersecurity Budget and Risk Management (01:10:48) Unique Challenges in Cybersecurity Industry (01:16:41) Discussion on Open Source and CNAs (01:26:44) Bluetooth Vulnerabilities and Exploits Discussed (01:39:46) Email Security and Compromised Accounts (01:46:23) Cybersecurity Threats and Vulnerabilities (01:52:06) GPU Security Vulnerabilities Explained Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-821

Sick Jokes, WEBGPU, Fortra, Azorult, Fujitsu, Conversation Overflow, Phishing, Josh Marpet, and more on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-370

Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What decisions can you make at the start that will benefit the program in the years that follow? What does an appsec program look like at a small scale? Segment Resources: "Cybersecurity for Nonprofits", https://docs.google.com/presentation/d/18HuKtwgwGMtEJ87CgkMqHp1JDVRUXPP--zptjMpF0/edit?usp=sharing https://www.verizon.com/business/resources/reports/dbir/2023/master-guide/ Insecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-277

Dave DeWalt needs no introduction. A four-time CEO and currently the Founder and CEO of NightDragon, Dave collects, analyses, and disseminates more intelligence on the cybersecurity industry in a year than most of us ever will in a lifetime. We've invited Dave to Business Security Weekly to share some of that intelligence with our audience. Specifically, we'll hear about: The evolving threat landscape, including impacts of Artificial Intelligence The latest cybersecurity innovation, including what's working and what's NOT working The impact of budgets on buying decisions, including whether "best of breed" is dead in lieu of platforms Tune in for this insightful discussion before you make your next strategic cybersecurity decisions. Piggybacking off of our interview with Dave DeWalt, Tom Parker from Hubble joins Business Security Weekly to discuss a few of the key trends CISOs should be paying attention to. Yes, we'll cover Artificial Intelligence, but more from a business risk and governance perspective. We'll also cover quantum computing, technical debt, and how budgets will impact how organizations can or cannot prepare for these emerging trends. Buckle up and hang on for part two of our jam packed episode. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-342

In this interview, we talk to Rod Simmons, the VP of Product Strategy at Omada. We'll discuss the complex topic of securing identities against ever growing threats. We'll discuss challenges like unnecessary access, accounts with too many permissions, and a threat landscape that is increasingly finding success from targeting identities. Finally, we'll discuss where the Identity Governance and Administration (IGA) market is going. Segment Resources: Analyst Report: The State of Identity Governance 2024 We don't cover a lot of stories in this week's episode, but we go deep on a few important ones. I'm biased, but I think it's a good one, especially having Darwin's input and encyclopedic knowledge available to us. Also in this week's news: Homomorphic encryption pops up again! Microsoft Security Copilot has a release date! Sudo for Windows Microsegmentation pops up again! The TikTok Ban Darwin's Newsletter: The Cybersecurity Pulse All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-353

Cynicism, TikTok, Redline, Securam, Ghostrace, MicroOrange, eSim Swaps, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-369

Omkhar Arasaratnam is the General Manager of the Open Source Software Foundation (OpenSSF) and appears on the show to discuss memory safety, why re-writing software isn't always the best option, open-source software supply chains, and more! Segment Resources: https://openssf.org/blog/2024/02/26/openssf-supports-efforts-to-build-more-secure-and-measurable-software/ https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf In the security News end of life routers and exploits, SCCM mis-configurations lead to compromise, apparently you can hack anything with a Flipper Zero, do source code leaks matter?, visibility is important, printer vulnerabilities that no one cares about, friendship gets you firmware, lock hacking continues, VM escapes and risk, and multiple really cool Bluetooth hacking stories. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-820

Dem Bones, Leather, QNAP, CISA, Microsoft, PyPI, France, AirBnB, Josh Marpet, and More are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-368

When you think of executive protection, you think of work related activities such as security details, travel planning, and other physical security protections. But in the world of Artificial Intelligence and DeepFakes, the risk landscape for executives goes far beyond work and into their personal lives. The home is now the new battle field and family life will never be the same. Chris Pierson, CEO at BlackCloak, joins Business Security Weekly to discuss the changes in the risk landscape for executives, including Generative AI, and its impacts on social engineering, personal attacks, and family threats. Executive protection must now include digital protection, both at work and at home. This segment is sponsored by BlackCloak. Visit https://securityweekly.com/blackcloak to learn more about them! In the leadership and communications section, Cybersecurity in the C-Suite: A CISO’s Guide to Engaging the Board, The CISO's Guide to AI: Embracing Innovation While Mitigating Risk, Cyber Insurance Strategy Requires CISO-CFO Collaboration, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-341

A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Company has observed over the past year, and what steps organizations can take to protect their APIs. This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about them! The trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-276

Star Trek, JetBrains, Facebook, Chrome, FBI, USBs, TikTok, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-367

Defenders spend a lot of time and money procuring and implementing security controls. At the heart of SecOps and the SOC are technologies like XDR, SIEM, and SOAR. How do we know these technologies are going to detect or prevent attacks? Wait for the annual pen test? Probably not a good idea. In this segment, we'll talk with Michael Mumcuoglu about how MITRE's ATT&CK framework can help defenders better prepare for inevitable attack TTPs they'll have knocking on their doors. Segment Resources: CardinalOps Contributes to MITRE ATT&CK for Fourth Consecutive Release ESG Report: Operationalize MITRE ATT&CK with Detection Posture Management Report: Enterprise SIEMs offer inadequate threat detection 2023 State of SIEM Detection Risk Report In the enterprise security news, Axonius raises $200M and is doing $100M ARR! Claroty raises $100M and is doing $100M ARR! Crowdstrike picks up DSPM with Flow Security CyCode picks up Bearer Are attackers like lawyers? How a bank failed (with no help from a cyber attack) the FTC cracks down on customer data collection Apple’s car sadly won’t be a thing any time soon or maybe ever. All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-352

Public information about exploits and vulnerabilities alone is not enough to inform prioritization, especially with the growing rate and variety of CVEs. Dan DeCloss, founder and CTO of PlexTrac, joins the show to discuss solving the challenges of risk prioritization to drive faster, more strategic assessment cycles. Spoiler: The key is adding context and prioritization to risk-scoring equations.   Segment Resources: https://plextrac.com/get-ready-to-prioritize-risk-with-our-new-contextual-scoring-engine/?utm_medium=tech_ptr&utm_source=security_weekly  https://plextrac.com/video/priorities/?utm_medium=tech_ptr&utm_source=security_weekly  This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them! BiaSciLab from DEF CON joins us to discuss DCNextGen! In the security News: MouseJacking still works, CISA recommends a complete rebuild, memory safety and re-writing code, not all doorbells are created equal, putting a firewall in front of your LLM, rugged gear and vulnerabilities, PLCs are not safe, neither are Windows kernels.. Segment Resources: https://www.defcon.kids  https://www.BiaSciLab.com  https://www.GirlsWhoHack.com  https://www.SecureOpenVote.com  Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-819

ToddleShark, Zeek, Stuxnet revisited, ICS, AMEX, Apple, Change, Josh Marpet, and More on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-366

The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms around vulns and figure out what's useful (if anything) in CVSS, SSVC, EPSS, and more. Segment resources: https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-1 https://next.redhat.com/blog/ https://www.first.org/cvss/v4-0/ https://www.first.org/epss/ https://deadliestwebattacks.com/appsec/2010/02/19/primordial-cross-site-scripting-xss-exploits -- For a bit of history, one of the earliest "bugs bounty" from 1995. A SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languages, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-275

The SEC's new cyber reporting requirements are forcing organizations to rethink their compliance and risk programs. No longer can compliance and risk be static, point in time assessments. Instead they need to match the speed of security which is dynamic and real-time. Couple the difference in speeds with whistleblowers and attack groups reporting non-compliance with the new SEC rules and organizations find themselves in a regulatory nightmare. Igor Volovich, VP of Compliance Strategy for Cyber Compliance at Qmulos, joins BSW to share his "Notes from the battlefield" on how automation is the only way to effectively converge security, risk, and compliance into a dynamic, real-time discipline. In the leadership and communications section, Effective cyber security starts at the top, CISOs Struggling to Balance Regulation and Security Demands With Rising Cybersecurity Pressures, Unlocking Leadership Excellence: Data-Driven Practices That Set Elite Leaders Apart, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-340

Clueless pols, Lazarus, Ubiquity, UAMPQP, BlackCat, CryptoChameleon, Airlines, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-365

Pascal Geenens from Radware joins us to discuss the latest research findings relating to hacktivists an other actors using volumetric and other network-based attacks. We'll discuss everything from the current state of DDoS attacks to use in the military and even the impact of cyberattacks on popular culture! You can find the report Pascal mentions here, on Radware's website: https://www.radware.com/threat-analysis-report/ In this week's news segment, we discuss the lack of funding announcements, and the potential effect RSA could have on the timing of all sorts of press releases. We also discuss 1Password's potential future with its sizable customer base and the $620M it raised a few years back. Some other topics we discuss: NIST CSF 2.0 insider threats Ivanti Pulse Secure's appliance software found to be running positively ancient software (11 year old Linux distro, 5-20+ year old libraries & components) Nevada AG trying to get messaging decrypted for children, to "protect them" Kelly Shortridge's response to CISA's secure development RFI OpenAI's new GenAI video product, Sora and the potential impact it could have on cybersecurity Instacart spews out crappy AI recipes and photos Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-351

Jayson joins us to discuss how he is using, and social engineering, AI to help with his security engagements. We also talk about the low-tech tools he employs to get the job done, some tech tools that are in play, and the most important part of any security testing: Talking to people, creating awareness, and great reporting. The latest attacks against WiFi, its illegal to break encryption, BLE Padlocks are as secure as you think, when command not found attacks, how did your vibrator get infected...with malware, the OT jackpot, the backdoor in a random CSRF library, it’s a vulnerability but there is no CVE, car theft and Canada, Glubteba, and settings things on fire! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-818

This week in the Security Weekly News: Avast fines, HackerGPT innovations, DDoS threats, encryption updates, Josh Marpet, and more! Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-364

Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to how software is built -- it's important to not only identify the right audience, but craft guidance in a way that's understandable and achievable for that audience. This is also a chance to learn more about a project in its early days and the opportunities for participating in its development! Segment resources https://github.com/OWASP/www-project-secure-pipeline-verification-standard--spvs- (coming soon!) PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-274

Released on January 26, 2023, the NIST AI RMF Framework was developed through a consensus-driven, open, transparent, and collaborative process that included a Request for Information, several draft versions for public comments, multiple workshops, and other opportunities to provide input. It is intended to build on, align with, and support AI risk management efforts by others. Padraic O'Reilly, Founder and Chief Innovation Officer at CyberSaint, joins BSW to discuss why AI risks are a unique challenge and how they can impact both organizations and society. Without proper controls, AI systems can amplify, perpetuate, or exacerbate inequitable or undesirable outcomes for individuals and communities. With proper controls, AI systems can mitigate and manage inequitable outcomes. This segment is sponsored by CyberSaint . Visit https://securityweekly.com/cybersaint to learn more about them! Panoptica, Cisco’s cloud application security solution, was born out of Outshift, Cisco's incubation engine. Shibu George, Engineering Product Manager at Outshift, joins Business Security Weekly to discuss his transition from application performance monitoring to application security and how Panoptica was born. This segment is sponsored by Panoptica. Visit https://securityweekly.com/panoptica to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-339

Check out this interview from the SWN Vault, hand picked by main host Doug White! This segment was originally published on November 2, 2018. This week, Dr. Doug and Russ talk about the mysterious world of Two-Factor Authentication. This is something you hear all the time, and more and more sites are requiring and supporting it. The real question is, should you be using it? Show Notes: https://securityweekly.com/vault-swn-12

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on September 22, 2021. Chris will discuss the relevance of intelligence and threat hunting today and how they work together. He will also talk about his EASY framework for creating impactful intelligence and its relation to hunting! Show Notes: https://securityweekly.com/vault-esw-8

Join us in this illuminating podcast episode as we sit down with Wendy Nather, a distinguished thought leader and cybersecurity strategist, who has left an indelible mark on the ever-evolving landscape of digital security. Wendy's journey in cybersecurity is a narrative woven with expertise, innovation, and a deep understanding of the intersection between technology and risk. With a career that spans strategic roles in both the public and private sectors, Wendy has become a trusted voice in the industry, offering insights that resonate with cybersecurity professionals and enthusiasts alike. As the Head of Advisory CISOs at Cisco, Wendy Nather brings a unique perspective to our conversation. Explore with us as she shares her experiences navigating the complex cybersecurity challenges faced by organizations today. Wendy's strategic vision has helped shape cybersecurity policies, risk management frameworks, and resilient strategies for a myriad of enterprises. Dive into Wendy's wealth of knowledge as she discusses the dynamic nature of cyber threats, the importance of proactive cybersecurity measures, and the evolving role of technology in safeguarding our digital future. Her commitment to demystifying complex security concepts and fostering a culture of resilience makes this podcast episode a must-listen for anyone passionate about cybersecurity. Beyond her corporate role, Wendy is a prolific writer, speaker, and educator, contributing to the collective cybersecurity knowledge base. Join us as we explore her insights on emerging trends, best practices, and the human element in cybersecurity—a facet often overlooked but crucial in building robust defense strategies. Don't miss this opportunity to gain valuable perspectives from one of the industry's leading minds. Tune in to our podcast and discover the wisdom and foresight that Wendy Nather brings to the world of cybersecurity. Show Notes: https://securityweekly.com/vault-psw-8

Check out this interview from the SWN Vault, hand picked by main host Doug White! This segment was originally published on October 4, 2018. This week, Russ takes the reigns in the absence of Dr. Doug to talk about Networking 101! We are going to go back to school to examine how networking and the internet actually work. Russ looks at MAC addresses, IP Addressing (Private/Public), DHCP, routing, and DNS. Show Notes: https://securityweekly.com/vault-swn-11

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models. Segment Resources: - Original blog: https://segment.com/blog/redefining-threat-modeling/ - Open Sourced slides: https://github.com/segmentio/threat-modeling-training Show Notes: https://securityweekly.com/vault-asw-8

Check out this interview from the BSW Vault, hand picked by main host Matt Alderman! This segment was originally published on February 22, 2022. The Business Information Security Officer, or BISO, is relatively new and somewhat controversial role. Does this role act as the CISO's non-technical liaison to the business units or as the CISO's deputy to oversee strategy implementation at a granular level? Is this new role a necessary career path for future CISOs or an entry point into security? The BSW hosts debate! Show Notes: https://securityweekly.com/vault-bsw-8

Batman, Microsoft, War Driving, OpenAI, DevDrive, Scams, The Dead, Aaran Leyland, and more are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-363

In this segment, featuring guest Amer Deeba, we'll explore how the SEC's new breach reporting rules will affect companies. We've got a ton of questions: What behavior has to change? What additional preparation needs to take place? How does this rule affect data security? How does it affect crisis communications? And most importantly, when is an incident "material"? This is almost a special episode on crazy new products. For the first half of the show, we discuss startup funding, market forces, acquisitions - stuff we usually discuss. Then we get into all the crazy new AI and non-AI products being announced and coming out. Have some disposable cash to pre-order crazy gadgets? This is the episode for you! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-350

In this segment, we discuss topics related to physical security and social engineering. We also touch on the challenges and strategies for implementing effective security measures. The discussion highlights the importance of understanding the relationship between physical security and social engineering. The panel emphasizes the need for a comprehensive approach to security, acknowledging that social engineering and physical security often go hand in hand. We stress the significance of testing physical security measures and conducting threat assessments to ensure robust protection against potential threats. The conversation touches on the concept of usability versus security, acknowledging that security measures should provide a balance between effective protection and practical usability. We explore the vulnerabilities of certain security technologies, such as biometrics, and underscore the need for continuous evaluation and adaptation of security measures to mitigate emerging threats. Welcome to a riveting episode of Hacker Heroes, where we sit down with Toby Miller, a distinguished figure in the realm of cybersecurity. Toby brings a wealth of experience and a passion for fortifying digital landscapes against ever-evolving threats. Armed with a profound understanding of cybersecurity intricacies, Toby has spent years honing his skills in the field. As a seasoned professional, he has not only weathered the storms of the digital frontier but has emerged as a beacon of knowledge and resilience in the face of cyber challenges. Join us as we delve into Toby's journey, from the early days of his career to his current role as a cybersecurity expert. Gain valuable insights into the dynamic nature of cyber threats, the evolving tactics employed by malicious actors, and the strategies Toby employs to stay one step ahead in the ever-changing cybersecurity landscape. Toby's expertise extends across a spectrum of cybersecurity domains, including risk management, threat intelligence, and incident response. Discover the mindset that propels him forward in the pursuit of securing digital infrastructures and safeguarding sensitive information. In this podcast episode, Toby Miller shares anecdotes from the front lines of cybersecurity, offering our listeners a firsthand account of the challenges faced by professionals in the industry. Whether you're a cybersecurity enthusiast, a fellow professional, or someone navigating the digital landscape, Toby's insights are sure to enlighten and inspire. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-817

In the leadership and communications section, SEC’s Enforcement Head: It’s Time for ‘Proactive Compliance’, Improving cybersecurity culture: A priority in the year of the CISO, Breaking Down Barriers: 6 Simple Measures to Overcome Communication Barriers, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-338

We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well" should even be. Segment Resources: https://www.lacework.com/blog/introducing-a-new-approach-to-code-security/ LLMs improve fuzzing coverage, the Shim vuln threatens Linux secure boot, considering AI application threat models, a new language for a configuration file format, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-273

Angry mobs, Azure, Avanti, Rhysida, Warzone, Flipper Zero, Bitlocker, Josh Marpet, and more are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-362

Panoptica, Cisco’s cloud application security solution, was born out of Outshift, Cisco's incubation engine. Shibu George, Engineering Product Manager at Outshift, joins Business Security Weekly to discuss his transition from application performance monitoring to application security and how Panoptica was born. This segment is sponsored by Panoptica. Visit https://securityweekly.com/panoptica to learn more about them! In the leadership and communications section, SEC’s Enforcement Head: It’s Time for ‘Proactive Compliance’, Improving cybersecurity culture: A priority in the year of the CISO, Breaking Down Barriers: 6 Simple Measures to Overcome Communication Barriers, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-338

RoboJoe, SHIM, Fortinet, FaceOff, Simswap, sudo in Windows, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-361

Legacy systems are riddled with outdated and unreliable cryptographic standards. So much so that recent proprietary research found 61 percent of the traffic was unencrypted, and up to 80% of encrypted network traffic has some defeatable flaw in its encryption No longer can enterprises take their cryptography for granted, rarely evaluated or checked. Knowing when, where and what type of cryptography is used throughout the enterprise and by which applications is critical to your overall security policy, zero-trust approach, and risk management strategy. After all, zero-trust is meaningless if your cryptography isn't working. Segment Resources: https://www.businesswire.com/news/home/20231030166159/en/Proprietary-Research-from-Quantum-Xchange-Shows-the-Dreadful-State-of-Enterprise-Cryptography https://www.forbes.com/sites/forbestechcouncil/people/vincentberk/?sh=3d88055852c1 This segment is sponsored by Quantum Xchange. Visit https://securityweekly.com/quantumxchange to learn more about them! This week, we discussed how a quick (minutes) and cheap ($15 a pop) fake ID service creates VERY convincing IDs that are possibly good enough to fool ID verification services, HR, and a load of other scenarios where it's common to share images of an ID. Kudos to 404Media's work there. In the security market, we discuss who might be the first cybersecurity unicorn to go public in 2024, Oasis Security and Tenchi's funding rounds, Protect AI's acquisition of Laiyer AI and their FOSS project, LLM Guard. We discussed the seemingly inevitable M&A activity as unfunded security startups NEED to find a sale. Ross Haleliuk had an interesting LinkedIn post that goes deeper on this topic. Finally, we discussed Tyler's observation that Palo Alto Networks did the seemingly impossible - increased their valuation from $19B to over $100B in 5 years, despite having to weather a pandemic and market downturn along the way! Ryan pointed out that PANW joined the S&P 500 somewhere along the way - a watershed moment for them. We discussed Bluesky and how it's likely too little too late when it comes to building back the community we lost when much of the InfoSec community left Twitter. We also discussed a cybersecurity training scammer, Daniel Miessler's new Fabric tool, AnyDesk getting hacked, The Real Shim Shady vuln, new (voluntary) cybersecurity goals for healthcare, and the lack of toothbrush-enabled DDoS attacks! Full show notes here: https://www.scmagazine.com/podcast-episode/3061-enterprise-security-weekly-349 Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-349

As a computer-smitten middle-schooler in the former Soviet Union in the 1970s, to his current and prominent role in the cybersecurity research community, Bratus aims to render the increasingly prevalent and perilous software, hardware, and networks in our lives much safer to use. His fascination with computer security started for real in the 1990s as a mathematics graduate student when a computer he was programming and responsible for at Northeastern University in Boston was taken over by a hacker. That experience set him on his life’s mission to learn as much as he can about the vulnerabilities of software and hardware with the goal of learning how to best minimize or eliminate those vulnerabilities. Noting his embrace of the hacker community for its deep and innovative expertise in this context, Bratus’s portfolio at DARPA could help reduce or entirely remove even some of the most stealthy and unexpected vulnerabilities that reside in software and its logical, computational, and mathematical foundations. Segment Resources: • Overall Portfolio: https://www.darpa.mil/staff/dr-sergey-bratus • Safe Documents: https://www.darpa.mil/news-events/2023-06-14 • Enhanced SBOM for Optimized Software Sustainment: https://sam.gov/opp/d0af3e325a594a8191b94e3f80b6bdcd/view • V-SPELLS program:  https://www.theregister.com/2023/08/18/darpalegacybinary_patching/ • Digital Corpora Project:  https://www.jpl.nasa.gov/news/jpl-creates-worlds-largest-pdf-archive-to-aid-malware-research • SocialCyber:  https://www.technologyreview.com/2022/07/14/1055894/us-military-sofware-linux-kernel-open-source/ • Weird Machines:  https://www.darpa.mil/program/hardening-development-toolchains-against-emergent-execution-engines • Safe Docs: https://www.darpa.mil/news-events/2023-06-14 • Exploit programming:  https://www.usenix.org/publications/login/december-2011-volume-36-number-6/exploit-programming-buffer-ove   In the Security News: - Shim Shady, Up Shims Creek, whatever you want to call it, there’s a vulnerability affecting pretty much all Linux distributions (and other operating systems as well), when your toothbrush attacks the Internet, or some claim, glibc has some vulnerabilities, not all got a CVE, and one is for the algorithm lovers, Google shows some love for Rust, beating Bitlocker in 43 seconds, DEF CON was canceled, then uncancelled, and I’m not even joking this time, and the Government is here to "unhack" your router, Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-816

Teens Gone Wild, Nintendo, Anydesk, RUST, Google, Deepfakes, Jason Wood, and more are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-360

We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org. Segment Resources: https://owasp.org/www-project-product-security-capabilities-framework/ https://github.com/OWASP/pscf https://prods.ec/ https://owaspsamm.org https://iso25000.com/index.php/en/iso-25000-standards/iso-25010 https://www.scmagazine.com/podcast-episode/application-security-weekly-242 Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-272

It's time to review the money of security, including public companies, IPOs, funding rounds and acquisitions from the previous quarter. We also update you on the Security Weekly 25 index. The index came roaring back last quarter. Here are the stocks currently in the index: SCWX Secureworks Corp PANW Palo Alto Networks Inc CHKP Check Point Software Technologies Ltd. SPLK Splunk Inc GEN Gen Digital Inc FTNT Fortinet Inc AKAM Akamai Technologies, Inc. FFIV F5 Inc ZS Zscaler Inc OSPN Onespan Inc LDOS Leidos Holdings Inc QLYS Qualys Inc VRNT Verint Systems Inc. CYBR Cyberark Software Ltd TENB Tenable Holdings Inc DARK Darktrace PLC S SentinelOne Inc NET Cloudflare Inc CRWD Crowdstrike Holdings Inc NTCT NetScout Systems, Inc. VRNS Varonis Systems Inc RPD Rapid7 Inc FSLY Fastly Inc RDWR Radware Ltd ATEN A10 Networks Inc Large security vendors and hyperscalers, including Microsoft, continue to expand their cybersecurity product and service portfolios. Microsoft’s extensive enterprise reach, massive partner network, and enormous influence in the C-suite puts pressure on CIOs and CISOs to consolidate on it as much as possible for cybersecurity. This report helps security leaders understand Microsoft’s cybersecurity portfolio, the tactics it uses, and how to manage peer and executive pressure to single-source security technology. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-337

E-Coli, Mercedes, Cloudflare, Ivanti, Volt Typhoon, GIGO, AI, Congress, Aaran Leyland, and more are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-359

We've seen general users targeted with phishing, financial employees targeted for BEC scams, and engineers targeted for access to infrastructure. The truly scary attacks, however, are the indirect ones that are automated. The threats that come in via software updates, or trusted connections with third parties. The software supply chain is both absolutely essential, and fragile. A single developer pulling a tiny library out of NPM can cause chaos. A popular open source project changing hands could instantly give access to millions of systems. Every day, a new app store or component repository pops up and becomes critical to maintaining infrastructure. In this interview, we'll chat with Pete Morgan about how these risks can be managed and mitigated. Segment Resources: https://blog.phylum.io/q3-2023-evolution-of-software-supply-chain-security-report/ https://blog.phylum.io/software-supply-chain-security-research-report-q2-2023/ https://blog.phylum.io/q1-2023-evolution-of-software-supply-chain-security/ Segment description coming soon! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-348

When an RCE really isn’t, your kernel is vulnerable, calling all Windows 3.11 experts, back to Ebay, Turkish websites and credentials, 10 public exploits for the same vulnerability, hacking Bitcoin ATMs, another vulnerability disclosure timeline gone wrong, Flipper Zero tips and how you should not use it to change traffic lights, Windows 11 S mode, and you’re dead (but like in the movie Hackers dead), and more! Danny Jenkins, CEO & Co-Founder of ThreatLocker, a cybersecurity firm providing Zero Trust endpoint security, is a leading cybersecurity expert with over two decades of experience building and securing corporate networks, including roles on red and blue teams. He is dedicated to educating industry professionals about the latest cyber threats and frequently speaks on the topics of ransomware and Zero Trust. This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-815

We return to the practice of presentations, this time with a perspective from a conference organizer. And we have tons of questions! What makes a topic stand out? How can an old, boring topic be given new life? How do you prepare as a first-time presenter? What can conferences do to foster better presentations and new voices? Segment resources: https://bsidessf.org https://infosec.exchange/@worldwise001/111280163638514582 https://www.youtube.com/watch?v=1lVIeh5f4Rg Vulns in Jenkins code and Cisco devices that make us think about secure designs, MiraclePtr pulls off a relatively quick miracle, code lasts while domains expire, an "Artificial Intelligence chip" from the 90s, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-271

This week in the Security Weekly News: the NSA admits to secretly buying your internet browsing data, malicious Google ads target Chinese users, Juniper releases update for Junos OS flaws, Outlook could be leaking your NTLM passwords, WhiteSnake malware on Windows, Jason Wood discusses new guidance on the Microsoft "Midnight Blizzard" attack, and more! Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-358

How do you prepare for a cyber incident? You train as you fight, but in what environment? William "Hutch" Hutchinson, CEO and co-founder of SimSpace, joins BSW to share cyber best practices and why testing in your operational environment not a good idea. Learn what it takes to be Cyber Ready. In the leadership and communications section, A tougher balancing act in 2024, the year of the CISO, CISOs Struggle for C-Suite Status Even as Expectations Skyrocket, Want to Be a Better Leader? Stop Thinking About Work After Hours, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-336

Visa RB Cash AP Formula 1 Team, Veolia, FeverWarn, SystemK, Fortra, GitLab, Ring, Trickbot, Aaran Leyland, and More News on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-357

Matt Coose is the founder and CEO of cybersecurity compliance firm Qmulos, previously the director of Federal Network Security for the National Cyber Security Division of the (DHS). CISOs carry the ultimate burden and weight of compliance and reporting and are often the last buck. Says Coose, best-of-breed is better described as best-to-bleed-the-budget: it’s a bottom-up, tech-first, reactive approach for acquiring technology as opposed to managing risk. Choose shares his top considerations below for how CISOs can navigate the crowded market of cybersecurity tools when cost is highly scrutinized, but regulations keep growing. Platforms are what every vendor dreams of being called, but no platform does it all, says Coose. Coose shares what smart CISOs and mature organizations understand, that others don’t: • There’s no “buying their way out of security issues or into a better risk posture.” They understand the need to evolve to a top-down, risk-driven, inherently business-aligned, dynamically adaptable, and evidence-based security management strategy. • That looking at technology choices through the lens of risk controls (and the related data provided by technology that implements those controls) enables credible and transparent strategic tech portfolio management decisions that are immune to vendor preferences or the latest market(ing) fads. • The need for meaningful security and risk measurement and the difference between leading and lagging indicators. • The original intent of security and regulatory compliance as a model for proactive and consistent risk management (leading indicator), not just a historical reporting and audit function (lagging indicator). • That managing risk, compliance, and security as distinct and separate functions is not only wasteful and inefficient, but denies the enterprise the ability to cross-leverage significant people, process, and technology investments In the Security News: Don’t expose your supercomputer, auth bypass and command injection FTW, just patch it, using OSQuery against you, massive credential stuffing, backdoors in Harmony, looking at Android, so basically I am licensing my printer, hacking Tesla, injecting keystrokes over Bluetooth, and remembering the work of David L. Mills. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-814

We interview the co-founder and CTO of Fleet to understand why good, cross platform MDM/EMM has been such a challenge for so many years. Want good Windows device management? You're probably going to compromise on MacOS management. Ditto for Windows if you prioritize your Macs. Want good Linux device management? It doesn't exist. Hopefully, Fleet can change all that in 2024, as they aim to complete their support for all major platforms, using the open source OSQuery project as their base. Segment Resources: Zach's GitHub Zach's Conf42 DevSecOps Presentation on Securing the endpoint with open source software GopherCon 2022: Collect First, Ask Questions Later Glitches in the Matrix, or Taming Agent Chaos Oleria, Vicarius, and Secret Double Octopus raise funding (NOTE: Secret Double Octopus is a real company that chose Secret Double Octopus as their name, I’m making none of this up). Rumors about Zscaler’s next 9-digit acquisition, 2 new security vendors and demystifying public cybersecurity companies. Chrome gets AI features, security teams have TOO much data, and a new threat intel database from Wiz. Is bootstrapping a cybersecurity startup a realistic option? Finally, remember Furbies? NSA’s furby docs just dropped, and they are HILARIOUS. Thanks to Jason Koebler from 404Media for that. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-347

RoboJoe, Apple, VMWARE, AI Vision, Confluence, Scarcruft, Microsoft, Jason Wood, and more on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-356

Where apps provide something of value, bots are sure to follow. Modern threat models need to include scenarios for bad bots that not only target user credentials, but that will also hoard inventory and increase fraud. Sandy shares her recent research as we talk about bots, API security, and what developers can do to deal with these. Segment resources https://www.forrester.com/blogs/avoid-a-bot-waterloo/ https://www.forrester.com/blogs/are-your-bot-management-tools-up-to-date-to-handle-the-holiday-season/ In the news, vulns throw a wrench in a wrench, more vulns drench Atlassian, vulns send GitLab back to the design bench, voting for the top web hacking techniques of 2023, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-270

Inspired by my co-host, Jason Albuquerque, we get our hands dirty and discuss the challenges of hiring a CISO. How will the new SEC regulations impact the role for both organizations and individuals? In part 2, we get our hands dirty by addressing CISO hiring from the individual CISO. What should you look for in a CISO role? What questions should you be asking during the interview process? What are the non-negotiable items that must be part of the offer? Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-335

Google, Pax, LeftOverlocals, Mint Sandstorm, DJI, Colossus, JelloRain, Aaran Leyland, and More News on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-355

The general public has varied opinions of biometric authentication, and an increasingly reluctant relationship with it, as more and more facial recognition is forced upon us (especially those of us that travel frequently). Facial recognition doesn't work for everyone, so what other options do we have? In this interview, we'll explore accessibility in identity verification and the viability of voice-based authentication. How big an issue are AI-powered voice imposters? How will companies like Veridas combat these threats? We'll ask all these questions and more in this ESW interview. On this segment, we talk a lot about AI, new technologies, and the future from a personal and consumer standpoint. Not a lot of enterprise-relevant stuff in the news today, but consumer products and AI will have a HUGE long-term impact, so that's how we're justifying today's topical focus ;) Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-346

With a recent increase in government attention on K–12 cybersecurity, there is a pressing need to shed light on the challenges school districts face in implementing necessary security measures. Why? Budgeting constraints pose significant obstacles in meeting recommended cybersecurity standards. Brian Stephens of Funds For Learning will discuss: The financial constraints K–12 schools face and the critical role of funding from federal and state governments in addressing cybersecurity concerns. Efforts by Funds For Learning to petition the FCC to expand E-rate funding to support next-generation firewalls and other cybersecurity services. By expanding the technologies and solutions eligible for E-rate funding, schools can obtain the necessary resources to protect against the growing threat of third-party data breaches. Here are links to the most current blog posts about Cybersecurity Notice of Proposed Rulemaking  https://www.fundsforlearning.com/news/2023/11/dont-miss-your-chance-to-impact-e-rate-cybersecurity/, Wi-Fi hotspots https://www.fundsforlearning.com/news/2023/11/wi-fi-hotspots-proposed-for-e-rate-program/ and school bus Wi-Fi https://www.k12dive.com/news/fcc-approves-school-bus-wifi-e-rate/697337/. Funds For Learning also facilitated an informational webinar on the Cyberserucrity Notice for Proposed Rulemaking https://fundsforlearning.app.box.com/s/5gp9qr938qtgs0ug92nkgfvrjvtil4sf. Funds For Learning also conducts an annual survey for E-rate applicants to provide their feedback on the E-rate program. The responses are shared with the FCC through the Funds For Learnings annual E-rate Trends Report. https://www.fundsforlearning.com/e-rate-data/trendsreport/. Lastly, here is an article from Brian about cybersecurity and why it should be funded through E-rate https://www.eschoolnews.com/it-leadership/2023/09/29/will-cybersecurity-receive-e-rate-funding/ In the Security News: Bricked Xmas, If you can hack a wrench, PixieFail and disclosure woes, exposing Bigpanzi (more Android supply chain issues, 20 years of OpenWRT, Jamming, traffic lights, and batteries don’t work that well in the extreme cold. All that and more on this episode of Paul’s Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-813

Atari 400, Gitlab, Sonicwall, Juniper, Ransomware stats, Ivanti, Sharepoint, Jason Wood, and more are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-354

Smart Cars, Microsoft, Layoffs, PyTorch, Mandiant, SEC, Aaran Leyland, and More News on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-353

It's time to start thinking about CFPs and presentations for 2024! Eve shares advice on delivering technical topics so that an audience can understand the points you want to make. Then we show how developing these presentation skills for conferences helps with presentations within orgs and why these are useful skills to build for your career. Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-269

Inspired by my co-host, Jason Albuquerque, we get our hands dirty and discuss the challenges of hiring a CISO. How will the new SEC regulations impact the role for both organizations and individuals? In part 1, we discuss the challenges of hiring a CISO from the organization's perspective. Do I need a CISO? What are the responsibilities of a CISO? Who should the CISO report to? Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-334

GenAI hype is still at peak levels, but clearly some of the hopes and dreams pinned on it will fail, while other use cases we haven't even imagined will become commonplace. Greg Notch joins us to share his thoughts on what security leaders and the general public should be more or less worried about when it comes to GenAI. Many founders and early stage startups closely guard product details and information about their roadmap and go-to-market plan. Is it a bad idea then to build a company based around an open source project? Not at all, according to Ev Kontsevoy, whose company Teleport has done just that. Building a security vendor around open source isn't a magic formula for success, however, so we'll discuss the pros and cons of this approach. We'll also discuss best practices for securing infrastructure at scale and Teleport's journey in enabling a different and more secure approach to managing remote infrastructure. The year kicks off with TWELVE funding announcements and NINE acquisitions! Several new companies have merged, we already have a few dumpster fires burning and there is plenty of AI news to kick off the year. The annual Consumer Electronics Show gives us previews of the invasive and insecure horrors that will be unleashed upon us this year, New Yorkers get right to repair, and Polish trains don’t. (see the show notes for more) Finally, we talk Apple Vision Pro, Tetris, and skydiving iPhones. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-345

Jared would like to discuss the evolution of purple teaming. Put bluntly, he believes traditional purple team approaches don’t test enough variations of attack techniques, delivering a false sense of detection coverage. He would like to talk about: The shortcomings of red team assessments and why most purple team assessments are too limited. How the testing landscape and requirements have changed (especially as organizations now look to validate vendor tools defense claims). How purple team assessments are evolving with the use of new frameworks like Atomic Testing. And the importance of building and selecting good test cases that cover the many ways attack techniques can be modified. The Exploit Prediction Scoring System is Awesome, or so some say, Reflections on InfoSec, Why some people don’t trust science, SSH-Snake, Back in the Driver’s seat, I Hacked My Internet Service Provider, States & Congress wrestle with cybersecurity, Combining AI with human brain cells, analyzing linux-firmware, detecting BLE SPAM, and The I in LLM. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-812

Jobs and Money, QNAP, NIST, Spectral Blur, Stuxnet, Swatting, Volkswagen, Jason Wood, and more on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-352

We kick off the new year with a discussion of what we're looking forward to and what we're not looking forward to. Then we pick our favorite responses to "appsec in three words" and set our sights on a new theme for 2024. In the news, 23andMe shifts blame to users for poor password practices, abusing Google's OAuth2 through a MultiLogin endpoint, Rustls is memory safe and fast, AI enters OSINT, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-268

Research shows that 26% of US workers currently work remotely, and there are expected to be 32.3 million American employees working remotely by 2025. To support these workers, organizations are adopting cloud solutions and migrating data to these cloud solutions. However, many businesses lack visibility into who has access to what data and when, especially in these cloud solutions. How should organizations reconcile the disconnect between data access and data security? Mike Scott, CISO at Immuta, joins Business Security Weekly to discuss best practices for moving sensitive data into the cloud, including data access and data security. If you're moving data into the cloud, listen in to learn how best to protect that data. In the leadership and communications section, Advice to Aspiring CISOs, New risk management framework helps with SEC mandate compliance, A Simple Hack to Help You Communicate More Effectively, and more! Show Notes: https://securityweekly.com/bsw-333 Visit https://www.securityweekly.com/bsw for all the latest episodes!

Jim Langevin served as a US congressman for many years and retired to become the executive director of the Institute for Cybersecurity and Emerging Technologies at Rhode Island College. Jim has been on quite a number of times and today we talk about State funded institutes and well, Cybersecurity issues. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-swn-10

This is a special episode of ESW: our year-end wrapup for 2023. Want to make sure you didn't miss any big stories in 2023? This is the episode to check out! In under an hour, we'll summarize 2023, covering things like: our mindset coming into 2023 from 2022 how 2023 kicked off some special themed episodes we recorded in 2023 the state of the fragile and recovering startup market key acquisitions in 2023 and some acquisition rumors that never led to anything breach post-mortems and special lessons learned episodes we did in 2023 some notable drama and dumpster fires 2023 themes and trends and some of our favorite newsletters, books, and tools from 2023 Enjoy! Show Notes: https://securityweekly.com/vault-esw-7

Unleashing the Power of Crowdsourced Cybersecurity: A Conversation with Casey Ellis, Founder of Bugcrowd ️Meet Casey Ellis, the visionary entrepreneur who has redefined the landscape of cybersecurity through the groundbreaking platform he built – Bugcrowd. As the Founder and Chief Technology Officer of Bugcrowd, Casey Ellis has not only revolutionized the way organizations approach cybersecurity but has also championed the concept of crowdsourced security testing. With an innate passion for hacking and a deep understanding of the evolving threat landscape, Casey embarked on a mission to democratize cybersecurity. In our upcoming podcast interview, delve into the dynamic journey of a self-proclaimed hacker turned cybersecurity pioneer. Casey's brainchild, Bugcrowd, serves as a global community of ethical hackers and security professionals who collaborate to uncover and address vulnerabilities in digital systems. Learn how this innovative approach has empowered organizations across industries to proactively secure their digital assets, embracing the power of the collective in the fight against cyber threats. A trailblazer in the cybersecurity space, Casey Ellis brings a unique perspective to the podcast as he shares insights on the challenges and triumphs of building Bugcrowd from the ground up. Explore the intersections of technology, security, and community-driven solutions with a leader who has not only disrupted the status quo but has also fostered a culture of continuous improvement and collaboration. Join us for a riveting conversation as we uncover the secrets behind Bugcrowd's success, the evolving role of ethical hacking in today's digital landscape, and Casey's vision for a more secure and interconnected future. Whether you're a cybersecurity enthusiast, a tech aficionado, or simply curious about the forces shaping our digital world, this podcast episode with Casey Ellis is a must-listen. Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-psw-7

I know, you thought we were going to renounce cigars, bourbon, and overeating, but wrong. This show is all about security. So, while we join the thousands who are walking off the pounds during their soon-to-be last visit to our new gym, join us as we provide you with something that (hopefully!) has a little more lasting power. This week, we get our year off to a secure start with our 2019 list of new security resolutions on SDL. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-swn-9

Robert Herjavec, CEO of Cyderes, was the keynote speaker at InfoSec World 2022, where he discussed the momentum we continue to see in the cybersecurity industry. Topics included mergers & acquisitions, Robert's outlook on the cyber market, staffing shortages, and nation state threats. Robert joins BSW to expand on his ISW keynote presentation. Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-bsw-7

HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends, Career Advice and Professional Development, Active Exploitation of Confluence CVE-2022-26134 Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-asw-7

Doug and Russ return to the stage to talk about Living with AI in the coming years and some of the impacts. Russ is always interested in modern problems and AI is probably going to be one. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-swn-8

I once told my college advisor that I wanted to double major in computer science and jazz performance. She laughed at me. Instead, I jumped into a career in IT and played jazz - without a degree in either. Turns out, that was fine - the industry valued experience and results over academic achievement. Today's guest has two degrees, one in fine arts, one in pre-law, and that's also fine. If there's anything I've learned in InfoSec, it's the mind that matters most, less so the degrees or certs on your wall. Angela Marafino gets cybersecurity and understands what makes it tick. Using this knowledge, she has built a personal brand, network, and career in an impressively short time. She is simultaneously mentor and mentee. Today, we'll explore Angela's path into the industry as well as some of her views on challenges, like imposter syndrome. https://hbr.org/2021/02/stop-telling-women-they-have-imposter-syndrome https://www.itspmagazine.com/focal-point-podcast https://twitter.com/hackerbookclub1 Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-esw-6

Dr. Diffie is a pioneer of public-key cryptography and was VP of Information Security and Cryptography at ICANN. He is author of "Privacy on the Line: The Politics of Wiretapping and Encryption". Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-psw-6

Doug and Russ talk about digital fingerprints, hashing, digital DNA, and passwords. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-swn-7

Throughout her career, Sandy Dunn has continued to mature and refine her skills. In the early days, she describes her job as a "hostage negotiator", constantly negotiating between the business teams and the security team. But as you mature, so does your approach to security. Now, Sandy talks about simplifying "knowledge management" to make it easy to understand security and becoming a "business listener" to make the right decisions. Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-bsw-6

We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable way. Seba will explain the SAMM model, consisting of 15 security practices. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level. A the end we will cover how you can engage with the SAMM community and provide an overview of what happened at our latest SAMM User Day which happened on May 27th. Segment Resources: https://owaspsamm.org/ https://github.com/OWASPsamm https://app.slack.com/client/T04T40NHX/C0VF1EJGH -https://www.youtube.com/channel/UCEZDbvQrj5APg5cEET49A_g https://twitter.com/OwaspSAMM https://www.linkedin.com/company/18910344/admin/ Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-asw-6

Join us for our last live episode of the year as we navigate the 2023 cybersecurity landscape, covering global initiatives, deepfake concerns in the UK, NordVPN's cyber insurance expansion, China's major cyber attack on US infrastructure, successful ransomware takedowns, and the year's most bizarre scams according to Which Consumer Magazine. It's a rapid-fire exploration of the top stories shaping the digital defense narrative. Show Notes: https://securityweekly.com/swn-351

We're excited to give an end-of-year readout on the performance of the cybersecurity industry with Mike Privette, founder of Return on Security and author of the weekly Security, Funded newsletter. This year, this podcast has leaned heavily on the Security, Funded newsletter to prep for our news segment, as it provides a great summary of all the funding and M&A events going on each week. In this segment, we look back at 2023, statistics for the year, comparisons to 2022, interesting insights, predictions, and more! Segment Resources: Mike's blog; Return on Security: https://www.returnonsecurity.com/ Mike's newsletter; Security, Funded: https://www.returnonsecurity.com/subscribe Understanding how CyberRatings, NaaS, and SASE combine to make network security easier to buy and deploy. MEF is an industry association, providing standards, certifications, and facilitating community discussions. MEF has teamed up with CyberRatings.org to establish a certification program for SASE services, making it easier for buyers to understand what's included in SASE-related products and services. Segment Resources: https://www.mef.net/news/16-leading-technology-and-service-providers-launch-industrys-first-sase-product-and-services-certification/ This week, in the security market, we talk about next NEXT gen anti-virus, how Okta can (apparently) do no wrong, and a VC firm imploding. Then we discuss how smartphones and speakers are allegedly being used to spy on us, and the future of privacy and consumer tech products. The latest SSH vuln is much less concerning than media outlets and academic researchers would have you believe. The Citrixbleed vuln, however is about as bad as vulns can get, and has led to one of the biggest US consumer breaches in a while, with Comcast/XFinity losing all customer records. The SEC backpedals (again!) on requiring breached companies to provide details about how they got breached. And finally, we have some fun with some squirrel stories that you should absolutely check out by going to our show notes, here: https://securityweekly.com/esw344 Show Notes: https://securityweekly.com/esw-344

AI generated description fun: "As the glasses are filled and the mood lightens, our veteran guests, each with a legendary tale or two tucked under their virtual belts, embark on a journey through the complex landscape of supply chain security. These old dogs share war stories, anecdotes, and hard-earned wisdom about the evolving challenges and threats that have shaped their illustrious careers. From the early days of computing to the present era of interconnected systems, our panelists delve into the intricacies of securing the supply chain. Expect insights on the timeless art of social engineering, the ever-expanding attack surface, and the unforeseen vulnerabilities that emerge when least expected." Talking points: Define the different areas of supply chains * Hardware * Firmware / Low-Level Software * Operating systems and applications * Software you develop yourself Open-source software supply chains have interesting problems Detecting supply chain issues Who is responsible for supply chain security? Firmware security is a deeply technical topic that's hard to get started in. In this episode of Below the Surface, Xeno will discuss some past work in firmware security, and how he has organized resources such as a low level timeline (with over 300 talks), and free MOOC classes, to help teach people about firmware security. Segment Resources: https://ost2.fyi https://darkmentor.com/timeline.html This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/psw-811

Cyber has been an historically hermetic practice. A dark art. Full of mysteries and presided over by magicians both good and bad. This is a bit of an exaggeration, yet there is some truth to it. Many in our industry knew that the SEC was evaluating the role that cyber risk management and incident disclosure plays in the pricing mechanism for an equity. Many of the participants in GRC, IRM, and Cyber Risk anticipated this before the SEC had even proposed such rules. Boards, C-Suites, and Information security teams within publicly traded companies brought it up occasionally in the year preceding its adoption. Lawyers on K Street actively advocated in the press against enacting such rules, and there is still a hearty back and forth concerning the merits of SEC involvement in cyber risk. But more transparency is a very welcome development. For investors, it’s essential. Industry veterans say that this development hearkens back to Sarbanes Oxley, which had very big implications for Governance, Risk, and Compliance. This is likely cyber risk’s SOX moment, and the drop date is December 15th of this year on all 10-K filings. The SEC will not look kindly upon boilerplate disclosures, particularly if a cyber attack with significant losses occurs. So where do you start? This segment is sponsored by CyberSaint . Visit https://securityweekly.com/cybersaint to learn more about them! In the leadership and communications section, Building an Effective Information Security Strategy, What Makes a Company Great at Producing Leaders?, 80 Fun Meeting Icebreakers Your Team Will Love, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-332

Santa, SEC, Google, Qakbot, VMWARE, AI, Turing, Voight-Kampff, Jason Wood, and more are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-350

Service meshes create the opportunity to make security a team sport. They can improve observability and service identity. Turning monoliths into micro services sounds appealing, but maybe not every monolith needs to be broken up. We'll also talk about the maturity and design choices that go into service meshes and when a monolith should just remain a monolith. Segment Resources: https://www.solo.io/blog/kubernetes-security-cloud-native-applications/ https://www.solo.io/blog/apis-data-breach-zero-trust/ https://www.solo.io/blog/api-gateways-productivity-resilience-security-cloud-applications/ In the news, Nagios gets a review from NCC Group, hackers hack some anti-fixing code to fix trains in Poland, abusing OAuth post-compromise, 5Ghoul flaws in 5G networks, MITRE teases a new threat model for embedded systems, a conversation on vuln scoring systems, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Instagram: https://www.instagram.com/secweekly/ Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-267

On this podcast, we've often struggled with whether or not to include stories and discussion on identity verification. Is identity verification cybersecurity proper, or cybersecurity adjacent as part of fraud prevention? As always, when we're unsure, we find folks to talk to and learn more. Today, we'll be learning about weak points in the identity verification chain from Rob O'Farrell. He'll also be helping us to understand what identity verification is, and why it's important to cybersecurity overall. As more and more of the world is digitized (especially the lagging healthcare industry in the US), reliable identity verification seems more important every day. Segment Resources: Living Information Security: An Integrated Approach to ISO-27001 The Foundations of Identity Verification: Trust and Its Pillars IBS Intelligence Podcasts Ep552: Is self-sovereign identity the next step in secure ID management? Are We Being Lax with Fraud? What is telemetry data and why is it important to cybersecurity? Why is it such a pain to collect, store and use? How do we improve our ability to gather and benefit from this data? Today, Tucker Callaway, the CEO of Mezmo joins us to answer all these questions and help us understand the future of the SIEM and other cybersecurity data tools. On this week's news segment, we pick up where we left off with Doug running the show last week. We discuss current early stage categories, AD canarytokens, and low hanging vulns. We talk about why cybersecurity is important, but not nearly as unique or special as some might have you think. The goal of patching faster than exploits can be used - is it a fool's errand? Also, pickleball - the country's fastest growing sport, is causing chaos across the nation. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-343

Tesla, TikTok, Karakurt, VISS, Volt Typhoon, Cozy Bear, GambleForce, Aaran Leyland, and More News on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn-349

Mr. Sharpe is a long-time (+30 years) Cybersecurity, Governance, and Digital Transformation expert with real-world operational experience. Mr. Sharpe has run business units and has influenced national policy. He has spent much of his career helping corporations and government agencies create value while mitigating cyber risk. This gives him a pragmatic understanding of the delicate balance between Business realities, Cybersecurity, and Operational Effectiveness. He began his career at NSA, moving into the Management Consulting ranks building practices at Booz Allen and KPMG. He subsequently co-founded two firms with successful exits, including the Hackett Group (NASDAQ HCKT). He has participated in over 20 M&A transactions. He has delivered to clients in over 20 countries on 6 continents. Analyzing firmware with EMBA, TinyXML, and the ugly supply chain, ignoring vulnerabilities that allow attackers to turn off your vehicle, Android lock screen bypass and running water, LogoFAIL updates, and the confusing severity, you still haven’t patched Log4Shell, the password is 123456, and an amazing Bluetooth hack that affects you! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw-810

Cybertruck, Viagra, Struts, Atlassian, Log4Shell, Pharmacies, Security Clearances, Naughty Bots, Jason Wood, and more on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-348

We have a lot of questions about standards. How do standards emerge? How do standards encourage adoption? How do they stay relevant as development patterns change and security threats evolve? We have standards for web appsec (HTML, HTTP), all sorts of protocols, and all sorts of authentication (OAuth, OpenID). Learning how these standards come about can also inform how your own org documents designs and decisions. Segment resources https://datatracker.ietf.org/doc/html/rfc3552 https://identiverse.com/video/the-butterfly-effect-of-standards-development/ https://sphericalcowconsulting.com https://datatracker.ietf.org/doc/html/rfc6919 In the news, benchmarking prompt injection scanners, using generative AI to jailbreak generative AI, Meta's benchmark for LLM risks, tapping a protocol to hack Magic the Gathering, and more!   Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-266

Materiality, Disclosure, and Evidence...  New terms for cybersecurity professionals to understand under the new SEC Regulations for Cybersecurity.  And the Solarwinds indictment is just the beginning. Join the BSW crew as they tackle each of these new terms in preparation for SEC enforcement which starts this week. In the leadership and communications section, Steve Katz, World's First CISO, Dies in Hospice Care, Top CISO Communities to Join in 2024, Workplace Culture 101: How to Create Positivity at Work, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw-331

Join us for a special extended holiday edition of Paul's Security Weekly! Hosts from all the Security Weekly shows join us from around the country to kick off the end of the year in style. We begin with our first panel on Supply Chain, then discuss Hardware Hacking, Vulnerability Management and Disclosure, and wrap up with the news. Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-809

Q*, Water Wars, Unitronics, SLAM, Bluetooth, Cold Fusion, Google Drive, Push notifications, Aaran Leyland, and More News on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn-347

Surprise Cam Nudes, Staples, Turtle, Apple, 23andme, P2Pinfect, Sellafield, Gmail, Jason Wood, and more on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn-346

Bob Ackerman argues that, from an investment perspective, cybersecurity is like life sciences - a complex, nuanced field that is difficult field to invest in part-time. So his firm, Allegis Cyber, became one of the first to focus exclusively on investing in cyber startups. In this segment, we'll discuss one of Allegis's recent investments, SixMap, and Bob's other investment/accelerator vehicle, Data Tribe. Data Tribe sources investments from national intelligence, with examples like Dragos that came through this program. This week in the enterprise news, we explore the harsh realities of the startup world with a look at recent failures and shutdowns, investigating the factors leading to these setbacks. Meanwhile, Carbon Black makes headlines by breaking away from VMware in what seems like a divestiture within an acquisition, raising questions about the future of the company. We'll also discuss the European Space Agency's venture into cybersecurity for the space industry, revealing that even the vastness of outer space isn't immune to digital threats. Tune in for all this and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw-342

We cover appsec news on a weekly basis, but sometimes that news is merely about the start of a new project, sometimes it's yet another example of a vuln class, and sometimes it's a topic we hope doesn't become a trend. So, what themes have we seen and where do we see them going? Here are a few headline topics that have alternately generated yays and yawns. CISA's Secure by Design and Secure by Default CVSS 4.0 Generative AI MFA mandates Microsoft, Rust, and Memory Safety New TLDs OAuth OpenSSF and OWASP In the news, repetition extracts data from ChatGPT, more vulns in the software that surrounds AI, guidelines for secure AI, LogoFAIL trips a boot, BLUFFS attack on Bluetooth, CISA's first secure by design alert, Okta's updated breach disclosure, and more!   Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw-265

Surprise Cam Nudes, Staples, Turtle, Apple, 23andme, P2Pinfect, Sellafield, Gmail, Jason Wood, and more on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn-346

Theresa Lanowitz joins Business Security Weekly to review real edge computing use cases from the AT&T Cybersecurity Insights Report. Specifically, we'll cover the following industry sector reports, including: Healthcare Manufacturing Retail US SLED Transportation Research for the AT&T Cybersecurity Insights Report was conducted during July and August 2022. AT&T surveyed 1,418 security practitioners from the United States, Canada, the United Kingdom, France, Germany, Ireland, Mexico, Brazil, Argentina, Australia, India, Singapore, and South Korea. Respondents come from organizations with 1,000+ employees except for US SLED and energy and utilities verticals. Respondents were limited to those whose organizations have implemented edge use cases that use newer technologies such as 5G, robotics, virtual reality, and/or IoT devices. Respondents are involved in decision-making for edge use cases, including cybersecurity, that involves new technologies such as 5G and IoT devices. This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them!   In the leadership and communications section, A Letter from the CISO to the CEO, The High Cost Of Ignoring Cybersecurity: Why Your Business Needs Protection, The Art of Speaking Cadence: Unleashing a Powerful Leadership Tool, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-330

Cybertruck, Okta, Google and More Google, Black Basta, Zoom, Unitronics, Aaran Leyland, and More News on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-345

While non-profit doesn't mean "no budget" when it comes to cybersecurity, a lot of smaller to mid-sized non-profits operate on a shoestring, with little to no money for cybersecurity talent or spending. This is where Sightline Security steps in. Sightline's founder and CEO, Kelley Misata joins us today to explain how her own non-profit helps other non-profits improve their cybersecurity posture. As with any category of trends, the success rate of cybercrime ebbs and flows. As Russia seems be a safe haven for cybercriminals, it seemed for a while that the war in Ukraine might disrupt this activity. It did, but only for a short while. Keith Jarvis walks us through the latest types, tactics, and trends in cybercrime. Secureworks' latest State of the Threat report reveals a disturbing dichotomy: how is it we understand our adversaries' so well, but continue to fail to stop them? In this interview, we aim to understand what needs to happen to tilt the odds a bit back in our favor. Segment Resources: Secureworks State of the Threat Report Press Release Segment description coming soon! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-341

What will the future bring with respect to AI and LLMs? Josh has spent some time thinking about this and brings us some great resources. We'll discuss how to get students involved with AI in a safe and ethical manner. How can we use AI to teach people about cybersecurity? What tools are available and where do they fit into our educational systems that must change and adapt to the times? Join us for a fun discussion on what the future looks like with AI and the youth of today. Segment Resources: https://docs.google.com/document/d/103FLvNRSwBhq-WgCbuykMvweT6lKf2lAASuP8OuuKIw/edit#heading=h.3inodmot2b77 Our good friend Matt Carpenter joins us to share his thoughts on what's going on in the world of AI and LLMs. Matt is also a hacker specializing in hardware and the crew has some amazing hardware hacking topics to discuss (as usual). Segment Resources: https://garymarcus.substack.com/p/has-sam-altman-gone-full-gary-marcus We navigate through dangerous cyber terrain, examining real-world examples like the WebP library and the Curl vulnerability. Critical issues in Zyxel firewalls will also be unmasked as we shed light on the urgency of improving vulnerability reporting and cataloging and addressing the often-overlooked problem of overclassifying harmless software bugs. We then shifted gears to tackle the tricky subject of software vulnerability identification, focusing on a specific CVE that sparked intriguing debates. Learn why pinpointing the source of the vulnerability is vital to effective SBOMs. The journey doesn't end there - we'll uncover a newly discovered Bluetooth vulnerability, aptly named 'BLUFFS', and discuss its potential for exploitation, along with the ingenious solutions proposed by the researchers who unearthed it. Brace yourself for a riveting finale as we delve into Akamai's recent research on DVR and router attacks, explore the risks of GPS spoofing, and discuss the importance of detection mechanisms. We'll also scrutinize the stereotype of hackers in pop culture, address the importance of handling vulnerabilities in software, and highlight the pressing issue of ransomware targeting healthcare. So buckle up and join us for this critical exploration into the world of software vulnerabilities as we decode the complexities and debunk some security myths. Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-808

This year we've talked about vulns, clouds, breaches, presentations, and all the variations of Dev, Sec, and Ops. As we end the year, let's talk about starting things -- like starting an appsec program or an appsec career. But is there still a need for an appsec team? Or has it turned into specializations for areas like cloud security and bug bounty programs? We'll cover careers and coding, with an eye towards figuring out what modern software development looks like and where application (or product!) security fits in that model. Segment resources https://owaspsamm.org https://www.microsoft.com/en-us/security/blog/2023/11/02/announcing-microsoft-secure-future-initiative-to-advance-security-engineering/ https://www.cisa.gov/resources-tools/resources/secure-by-design Weak randomness in old JavaScript crypto, lack of encryption in purported end-to-end encryption, a platform engineering maturity model, PyPI's first security audit, vision for a Rust specification, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-264

Chimera, Aliquippa, FNF, Lazarus, DARPA, Ransom Payments, Namedrop, Google, Aaran Leyland, and more are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-344

Most leadership books suffer from one of two critical failures (and sometimes both). The book might be a hagiography: telling you the biography of some amazing leaders, pretending there is one secret trick that will let you emulate that leader. Or the lesson of book should have been written as a tweet: in 280 characters you could have learned one lesson, but instead you have to fight through 300 pages of obfuscation to decipher the lesson. 1% Leadership is the antidote to these approaches. There is no secret. Instead, 1% Leadership provides 54 distinct lessons on leadership, that apply to individuals, teams, and organizations. Each lesson is presented in a self-contained chapter, averaging under 800 words. The lessons are summarized in a tweet-length pithy summary, which is also the chapter title. The table of contents thus serves as a quick reference guide for leaders. Segment Resources: csoandy.com/book/ In the leadership and communications section, Clorox Scapegoats Cyber Chief, Rewards Board After Crisis, The SEC To CISOs: Welcome To The Big Leagues, SolarWinds: SEC lacks 'competence' to regulate cybersecurity, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly 

From Russia With Love, come Doug and Russ, doing a segment on spying! Not the 007 spying, but spying when it comes to cyber warfare. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-swn-6

High School students represent the very beginning of the pipeline for the Cyber industry. What are the attitudes and perspectives of these young people? How can we attract the best and brightest into our industry? Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-esw-5

Brian Snow spent his first 20 years at NSA doing and directing research that developed cryptographic components and secure systems. Many cryptographic systems serving the U.S. government and military use his algorithms; they provide capabilities not previously available and span a range from nuclear command and control to tactical radios for the battlefield. He created and managed NSA's Secure Systems Design division in the 1980s. He has many patents, awards, and honors attesting to his creativity. Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-psw-5

Russ runs the show solo with the absence of Dr. Doug to talk about Travel Security! He explains different aspects such as Personal Security, Asset Security, and Digital Security! Traveling is a lot of fun, but also requires a lot of responsibility. Don't be intimidated, use common sense, adhere to all of the points we mentioned above, stay away from problem areas, and we ensure you’ll have a great time! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-swn-5

We often think "this would be so much better if done properly from the beginning", but the reality is, doing things from scratch comes with different challenges. Managing priorities, deciding what you tackle on from the absolute beginnings of a company in terms of security is a fun challenge. Segment Resources: Full session at the upcoming GoSec Conference: https://www.gosec.net/sessions/ Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-bsw-5

Firmware security is complex and continues to be an industry challenge. In this podcast we'll talk about the reasons firmware security remains a challenge and some best practices around platform security. Segment Resources: https://www.helpnetsecurity.com/2020/04/27/firmware-blind-spots/ https://www.helpnetsecurity.com/2020/09/28/hardware-security-challenges/ https://darkreading.com/application-security/4-open-source-tools-to-add-to-your-security-arsenal https://chipsec.github.io Hardware Hacking created by Maggie: https://securityweekly.com/wp-content/uploads/2021/08/eArt-2.png Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-asw-5

Cashwarp vs. Reptar, Rackspace, BlackCat, Intel, AMD, Bots and more bots, Aaran Leyland, and More News on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-343

Once again, Theresa Lanowitz joins us to discuss Edge Computing, but with a twist this time, as Mani Keerthi Nagotu from SentinelOne joins us as well! As a field CISO, Mani knows all too well the struggles security leaders are going through, given the current market and threat landscape: Maybe not less budget, but more pressure to produce results and justify spending Security leaders being held personally accountable for performance Potential layoffs, and the need to achieve the same goals with less labor and tool overhead Segment Resources https://cybersecurity.att.com/insights-report This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them! We regularly cover significant breaches on this podcast, but it is rare that we have enough information about a major breach to cover in enough detail to devote an entire segment to. Today, we dive into lessons learned from the breach of Okta's customer support system that targeted some other major security vendors. This is part of a troubling trend, where the target of an attack only serves as a jumping off point to other organizations. China's 2023 attack of Microsoft is an example of this. It was easier to attack Microsoft 365, one of the world's largest business SaaS platforms, than to go after each of the 25 individual targets these Chinese actors needed access to. Traditionally, we've thought of lateral movement as something that happens within a network segment, or even within a single organization. Now, we're seeing lateral movement between SaaS platforms, between clouds, from third party vendors to customer, and even from open source project to open source adopters. In this segment, we'll cover five key lessons learned from Okta's breach, from information shared by Okta and three of its customers: 1Password, Cloudflare, and BeyondTrust. Protect Your Session Tokens Monitor for Unusual Behavior SaaS Vendors Are Common Targets Zero Trust Principles Work MFA Isn't a Binary (on or off) Control Segment Resources https://www.valencesecurity.com/resources/blogs/five-lessons-learned-from-oktas-support-site-breach Finally, in the enterprise security news, Lots of new security startups with early stage funding SentinelOne picks up Chris Krebs and Alex Stamos’s consulting firm PE firm picks up ActiveState - a company I haven’t thought about since I last downloaded ActiveState Perl 1000 years ago Microsoft announces the limited release of Security Copilot Semgrep releases a secrets scanner AGI predicted to come much sooner than you might expect NY State doubles down on cybersecurity regulations to protect its hospitals the young hackers behind Mirai, one of the biggest botnets ever Ransomware groups snitch on businesses to the SEC Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-340

Attackers pursue the shortest path to achieve their goals in your app. With a tri-layered security architecture, you can force hackers to crawl through a triathlon in your app. What’s in the three layers, to detect attacks sooner, slow attackers down, and stop them fast? Let’s take a journey across the three layers and discuss how to gain control of user permissions, secure your cloud computing, and keep your customers and their users safe. Segment description coming soon! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-807

In the rapidly evolving landscape of application security, 2023 brought significant changes with the rise of generative AI tools and an increase in automated threats. In this discussion, Karl Triebes takes a deep dive into the major trends of the past year, examining their impact on the industry and shedding light on what security professionals can anticipate moving forward into 2024. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them! CNCF's releases a handbook on fuzzing, OpenSSF and OWASP respond to CISA's Open Source Software Security RFI, 14 years of Go, lessons for today from an internet worm from 35 years ago, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-263

This week Dr. Doug quacks: Cybertruck, Solarwinds, Bitcoin, Docker, Ducktail, Experian, More News and Jason Wood, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-342

Inspired by my co-host, Jason Albuquerque, we get our hands dirty and discuss the challenges of cyber risk management. Why is cyber risk management so elusive and what can we do to solve it? In part 1, we discuss the challenges of cyber risk management and quantification. Do risk scores really work? What do CEOs and Boards really need to understand cyber risks? Inspired by my co-host, Jason Albuquerque, we get our hands dirty and discuss the challenges of cyber risk management. Why is cyber risk management so elusive and what can we do to solve it? In part 2, we get our hands dirty by walking through ways to quantify cyber risks in business terms. What risks are truly worth mitigating vs. accepting or transferring? And if we do mitigate them, how do we track progress and impact? Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-328

Today, we discuss the state of attack surface across the Internet. We've known for decades now that putting an insecure service on the public Internet is a recipe for disaster, often within minutes. How has this knowledge changed the publicly accessible Internet? We find out when we talk to Censys's Aidan Holland today. We've reached an inflection point in security. There are a handful of organizations regularly and successfully stopping cyber attacks. Most companies haven't gotten there, however. What separates these two groups? Why does it seem like we're still failing as an industry, despite seeming to collectively have all the tools, intel, and budget we've asked for? Kelly Shortridge has studied this problem in depth. She has created tools (https://www.deciduous.app/), and written books (https://www.securitychaoseng.com/) to help the community approach security challenges in a more logical and structured way. We'll discuss what hasn't worked for infosec in the past, and what Kelly thinks might work as we go into the future. During the news today, we went deep down the rabbithole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds. We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-339

This week Dr. Doug discusses: Fakes, Sysaid, Sumo, farnetwork, CPU-Z, Google, Chat-GPT, Aaran Leyland, and More News on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-341

Austin spends the majority of his time thinking about ways to abuse LLMs, the impact of the attacks, and the effects on society. He brings a truly unique perspective to the way to use, attack, and verify output from AI LLM models. Whether you are just learning the ins and outs of LLMs or you were an early adopter, this segment is for you! In the security news: do people still use mainframes? IoT and firmware security, Apple Find my, Bluetooth is the gift that keeps on giving, to hackers that is, and more!   Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-806

A lot of appsec conferences have presentations for appsec audiences -- but that's not often the group that's building apps. What if more developer conferences had appsec content? We talk with Josh about security from the developer's point of view, both as an audience hearing about it and as a presenter talking about it. We discuss the importance of knowing your audience and finding the hooks in security tools and topics that can resonate with developers. Segment resources: https://www.joshuakgoldberg.com/speaking/ Details of the Citrix Bleed vuln, exploitation of the Atlassian improper authorization vuln, so many jQuery installations to upgrade, the price of bounties and the cost of fixes, Microsoft's Secure Future Initiative, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-262

This week Dr. Doug expounds: Grok, Okta, Looney Tunables, HelloKitty, Gootbot, Veeam, More News and Jason Wood, on this edition of the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-340

It's time to review the money of security, including public companies, IPOs, funding rounds and acquisitions from the previous quarter. We also update you on the Security Weekly 25 index. The index is rebounding, but there's a long way to go to get back to the top. In the leadership and communications segment, SolarWinds Is A Game Changer - You Cannot Sugarcoat Cybersecurity, Rethinking CISO Accountability: A Call for Balance in Cybersecurity Leadership, How to improve communication in the workplace: Strategies for enhanced productivity, and more. Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-327

In this segment, we discuss the current state of the market recovery with Hank Thomas, founder of Strategic Cyber Ventures. We've got market questions, like: What has changed in the last year? Are IPOs coming back any time soon? How large is the cybersecurity death pool? What do early and mid-sized startups need to do to survive in the current market? There is little to no organization of data within companies in 2023. We're all guilty of this at some level. The download folders and desktops on our personal machines are a mess. File servers, and cloud storage services are a mess. In Microsoft's recent data leak, AI researchers even had PC backups stored along side machine learning models for whatever reason. Data is hard to classify, organize, and monitor. By designing for convenience, we've created convenience debt that now has to be paid down. In this segment we talk to Jackie McGuire about what needs to happen to accomplish this, at the enterprise level, and at scale. Even if we can one day address the challenge of tracking and labeling data, we'll still have the challenge of addressing data integrity and resilience, which we'll also discuss if we have time! Segment Resources: https://www.darkreading.com/risk/it-s-time-to-assess-the-potential-dangers-of-an-increasingly-connected-world- Oh, the HARror! Sanitizing HAR files is not as easy as some might lead you to believe. CISA funds Cyber.org for K-12 cyber education and ORNL creates a Center for AI Security Research (CAISER). Cloudflare creates a tool out of spite, and CISA creates a tool you shouldn't use in production? Biden's EO on "Safe, Secure, and Trustworthy AI" and the Top Five Things you need to know about how GenAI is used in Security Tools. Five lessons learned form Okta's latest breach, should ransom payments be illegal, and why ransomware victims can't stop paying ransoms. We discuss the impact of the charges made against Solarwinds and its CISO by the SEC, the 2023 ISC2 Cybersecurity Workforce Survey, and Microsoft's latest open letter on security. Finally we wrap up discussing a delicious $8M Series A for better bagels! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-338

This week Dr. Doug talks: Bots, Citrix, Mitre, Solarwinds, Naked Nudes, Scarlett, and is joined by Aaran Leyland, on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-339

AI/ML is providing significant benefits in a wide range of application domains but also provides adversaries with a new attack surface. Learn about DARPA's efforts to help evaluate AI/ML and work towards a trust model that will allow us to use these valuable tools safely. Segment Resources: Identifying and Mitigating the Security Risks of Generative AI paper (co-authored by Kathleen): https://arxiv.org/abs/2308.14840 DARPA’s AI Forward, which will include AI Exploration opportunities and resource material: https://www.darpa.mil/work-with-us/ai-forward I2O webpage, important to include because this hosts links to many of the programs Dr. Fisher will discuss: https://www.darpa.mil/i2o In the Security News: If an exploit falls in the forest do I still need to patch?, Reflections on trusting trust: the source code revealed, prompt injection in your resume, iPhones be updating, a deep dive into vulnerable kernel drivers and wiping SPI flash, cheap to exploit software, to ransom or steal?, oh OAuth, Florida man, door bell shenanigans, don’t pay the ransom, the White House and AI, and quantum teleportation via measurement-induced entanglement. All that and more on this episode of Paul’s Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-805

The categories of security tools that we're most familiar with have struggled to keep up with how modern apps are designed and what modern devs need. What if instead of being beholden to categories, we created tools that solved problems devs have today in the types of apps they build today? And what if we had more dev leadership to influence security tools as well as secure by design? What would that leadership look like? Segment Resources: https://danondev.com/youtube In the news, OAuth implementation failures, the State of DevOps report, data poisoning generative AIs with Nightshade, implementing spectre attacks with JavaScript and WebAssembly against WebKit, sandboxing apps Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-261

This week our own Dr. Doug talks: Dr. Who, iLeakage, Canada, AI, Killnet, NuGet, You might be a North Korean, Jason Wood, and more Spooky News on this Halloween edition of the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-338

As the workforce increasingly relies on the cloud, the browser has become a critical aspect of enterprise security. Employees now use browsers to access data and applications from various devices and locations, making browsers the primary target for cyber attackers. Enterprise browsers are specifically designed to address the security challenges of the modern and complex workforce. According to Gartner, "By 2030, enterprise browsers will be the core platform for delivering workforce productivity and security software on managed and unmanaged devices, ensuring a seamless hybrid work experience." Tune in to a discussion with Chrome Enterprise's Robert Shield, where he discusses the importance of an enterprise browser for modern businesses and shares insights on how to improve browser security. Segment Resources: 1. Here’s how you can get started with Chrome Enterprise for free: https://chromeenterprise.google/browser/security/?utmsource=cra&utmmedium=podcast&utmcampaign=2023-H2-chromebrowser-brand-ispcon&utmterm=isp-chrome-browser-download&utm_content=GCEC&brand=GCEC 2. Chrome Enterprise Landing Page: https://chromeenterprise.google/browser/security 3. Complimentary Gartner report (Gartner® Emerging Tech: Security – The Future of Enterprise Browsers Report): https://chromeenterprise.google/gartner-report-enterprise-browsers/ This segment is sponsored by Google Chrome Enterprise. Visit https://securityweekly.com/chromeenterprise to learn more about them! In the leadership and communications section, Proactive Boards Enable More Reliable Cyber Governance, CISO Best Practices for Managing Cyber Risk, The Evolution of Work: How Can Companies Prepare for What’s to Come?, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-326

This week Dr. Doug talks: Pumpkin Spice, VMWARE, Winter Vivern, RoundCube, Apple, Big-IP, Oktapus, is joined by an eight-armed Aaran Leyland, and More on the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-337

In the age of remote and hybrid work, employees are now spending most of their time in the browser or virtual meetings, making the browser an increasingly important part of an enterprise's security strategy. According to Gartner, “By 2030, enterprise browsers will be the core platform for delivering workforce productivity and security software on managed and unmanaged devices for a seamless hybrid work experience.” Learn more about: The browser's role in a business's security strategy How an enterprise browser can support your workforce Zero Trust Architecture and how businesses can enforce context-aware access controls and add customizable data loss prevention Segment Resources: Complimentary Gartner Emerging Tech: Security – The Future of Enterprise Browsers Report Get started with Chrome Enterprise for free Learn about Google's Zero Trust solution, BeyondCorp Enterprise Customer spotlight: Check out the Google Cloud Next recording to hear how Snap is leveraging our secure enterprise browsing solution to protect their workforce How to contact us This segment was sponsored by Google Chrome Enterprise. Visit https://securityweekly.com/chromeenterprise to learn more! In this interview, we talk to Chad Cardenas about why he created The Syndicate Group, which operates very differently from the typical VC firm with LPs and a collective fund to draw from. We'll discuss how the investor/startup relationship differs, and what the advantages of this model are. This week, we discuss Island's raise, unicorn status, and what that means for both the enterprise browser market and the cybersecurity market in general. We discuss Censys and the state of the external attack surface management market, or what they're trying to call, "exposure management". We discuss the details of the Okta breach in depth, and why we're worried about the larger impact it could have on the industry and vendor trust in general. Finally, we wrap up with some fun squirrel stories.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-337

For the Security News, we officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering crypto currency, Android malware, and more! Then in a pre-recorded segment: Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake! Segment Resources: BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/) CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)   Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-804

We return to discussions of OAuth and all sorts of authentication. This time around we're looking at the design of authentication protocols, the kinds of trade-offs they weigh for adoption and security, and how a standard evolves over time to keep pace with new attacks and put to rest old mistakes. Segment resources: https://fusionauth.io/docs/v1/tech/core-concepts/modes https://webauthn.wtf/ https://datatracker.ietf.org/doc/html/rfc7636 https://www.ietf.org/about/participate/tao/ In the news, appsec lessons from the Okta breach, directory traversal (and appsec) lessons from SolarWinds, how CISOs and Boards rank factors around vulns and patching, revisiting cryptocurrency attacks for lessons in business logic and threat modeling, CISA and friends update guidance on Secure Design, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-260

This week Dr. Doug bleats: Goatse, Okta, Cisco, Ducktail, 0Auth, China, Spain, More News and is joined by the woolly Aaran Leyland!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-336

As the CISO role continues to transform from a technician to a risk manager, how do you secure emerging technologies, such as edge computing? By aligning to business objectives. In this segment, Theresa Lanowitz from AT&T Cybersecurity and Scott Stout From Cisco help us break down the challenges of the CISO and how to align security requirements to business outcomes to solve the emerging edge computing use cases. During the interview, we will tackle the Hospital at Home and Manufacturing edge computing uses cases. Tune in for this collaborative session from two of the leading cybersecurity giants. This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them! In the leadership and communications section, Cybersecurity should be a business priority for CEOs, What CISOs Should Exclude From SEC Cybersecurity Filings, Effective Communication: The Key to Workplace Success, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-325

Today we interview Shane Sims, CEO of Kivu Consulting. We'll be talking about the current state of cybercrime and insights from incidents his consulting firm has recently worked. We'll discuss some of the latest stats and trends related to ransomware, as well as thoughts on future cybercrime trends. Shane will also share some stories from his time as an FBI agent, working undercover as a cybercriminal. Segment Resources: Report - Mitigating Ransomware Risk: Determining Optimal Strategies for Business One of the biggest challenges in security today is organizations' reluctance to share attack information. Perhaps legal teams are worried about liability, or maybe execs are just embarrassed about security failures. Whatever the reason, this trend makes it difficult for organizations to help each other. CrowdSec's mission is to make this process automated, anonymized, and seamless for security teams. We talk to Phillip Humeau, one of CrowdSec's founders, about what it's like to build a such an unconventional cybersecurity business - one based around crowdsourcing and open source software. This week, in the enterprise security news, AI dominates new funding rounds (I’m shocked. This is my shocked face.) The buyer’s market continues, with lots of small acquisitions SingTel sells off Trustwave at a significant loss Yubico goes public (actually, a month ago, sorry we missed it) Yubico can also now ship pre-registered security keys New cybersecurity tools for board and exec-level folks Lessons learned from recent ransomware attacks Healthcare is increasingly under attack A study on CISO tenure - longer than you might think! Don’t miss today’s squirrel stories at the end! All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-336

This week Dr. Doug talks: Skynet, India, North Korea, China, passwords, KeePass, Cisco, AI, expert commentary from suspected Chicken Man accomplice Aaran Leyland, and More on the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-335

Chris Rock is a Cyber Mercenary who has worked in the Middle East, US and Asia for the last 30 years working for both government and private organizations. ˇHe is the Chief Information Security Officer and co-founder of SIEMonster. Chris has presented three times at the largest hacking conference in the world, DEFCON in Las Vegas on controversial vulnerabilities. Chris is also the author of the Baby Harvest, a book based on criminals and terrorists using virtual babies and fake deaths for financing. He has also been invited to speak at TED global. In the Security News: Fried squid is tasty, but the squid proxy is vulnerable, Flipper zero and other tools can now BLE Spam more than just Apple devices, Cisco IOS vulnerability in the web interface, again, is Signal vulnerable?, WinRAR being exploit, still, Math.Random is not really all that random, get your malware samples, and my inside look into Android TV devices, malware, and the horrors of the supply chain! All that and more on this episode of Paul’s Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-803

It's no surprise that OT security has fared poorly over the last 30+ years. To many appsec folks, these systems have uncommon programming languages, unfamiliar hardware, and brittle networking stacks. They also tend to have different threat scenarios. Many of these systems are designed, successfully, to maintain availability. But when a port scan can freeze or crash a device, that availability seems like it hasn't put enough consideration into adversarial environments. We chat about the common failures of OT design and discuss a few ways that systems designed today might still be secure 30 years from now. In the news, how HTTP/2's rapid reset is abused for DDoS, a look at the fix for Curl's recent high severity bug, OWASP moves to make CycloneDX a standard, Microsoft deprecates NTLM, VBScript, and old TLS -- while also introducing an AI bug bounty program. Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-259

This week in the Security News Dr. Doug talks: Cisco, Juniper, AVOSLocker, NoEscape, Valve, FreedomGPT, More News and Aaran Leyland. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-334

Do we sound like a broken record? Leadership, communication, and risk management skills are key traits of the Chief Information Security Officer. But don't just take our word for it, Jason Loomis, CISO at Freshworks, joins Business Security Weekly to discuss why companies should be hiring CISOs for their leadership talent, not their technical talent. Segment Resources: Switch Five Dysfunctions of a Team Drive Extreme Ownership Simon Sinek In the leadership and communications section, Is Your Board Cyber-Ready?, Chief security officers' salary growth slowing, The Secret to Making Difficult Decisions, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-324

The world of AI is exploding, as excitement about generative AI creates a gold rush. We've already seen a huge number of new GenAI-based startups, products, and features flooding the market and we'll see a lot more emerge over the next few years. Generative AI will transform how we do business and how we interact with businesses, so right now is an excellent time to consider how to adopt AI safely. Pamela Gupta's company literally has "trust" and "AI" in the name (Trusted.ai), so we couldn't think of anyone better to come on and have this conversation with. Interview Resources: https://trusted.ai https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf There's a lot of talk about AI, especially with the rise of apps like ChatGPT. Despite there being a huge amount of hype, there are legitimately practical applications for leveraging AI concepts in meaningful ways to improve the efficiency and effectiveness of your cybersecurity program. We'll discuss a few examples and show you some ways to bring AI out of the hype and into a proper tool to empower your security and risk program. This segment is sponsored by Tenable. Visit https://www.securityweekly.com/tenableisw to learn more about them! Threat actors don’t think in silos and neither should cybersecurity solutions. In this fireside chat with Uptycs’ newly appointed CRO, Mike Campfield, learn why organizations need to adopt a consolidation approach to win in cyber security, why it’s important to “shift up,” and what Mike is most excited about in his new role. This segment is sponsored by Uptycs. Visit https://www.securityweekly.com/uptycsisw to learn more about them! Deidre Diamond, founder & CEO of CyberSN, talks about her efforts to address InfoSec burnout and the skills shortage impacting the industry. As long as there are profits to be made, cybercriminals will continue to monetize enterprise assets—whether they be devices, applications, data, or users. It only takes one weak or unknown asset to compromise an entire organization. Brian will discuss why enterprises need to move away from assumption-based approaches to asset data and decision making to evidence-based asset intelligence to secure their environments quickly, easily, and at scale. This segment is sponsored by Sevco Security. Visit https://www.securityweekly.com/sevcoisw to learn more about them! In this ISW interview, CRA's Bill Brenner catches up with Kevin Johnson of Secure Ideas for a chat about application security. In this segment from ISW, Dakota State COO and General Counsel Stacy Kooistra talks to Bill Brenner about the university's effort create more cyber warriors. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/esw for all the latest episodes!  

This week Dr. Doug talks: Microsoft, SeroxenRAT, Smart Links, Vogons, ToddyCAT, ShellBot, Hidden servers, Aaran Leyland, and More on the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-333

In our first segment: the PSW hosts drop valuable insight on how to start your own journey into reverse engineering hardware! Resources we mentioned: The Hardware Hackers Handbook is a great start Do a badge challenge: https://www.cyberark.com/resources/threat-research-blog/an-introduction-to-hardware-hacking Take some classes Do some Arduino stuff: https://www.arduino.cc/ Take free courses on electrical engineering: https://ocw.mit.edu/courses/6-01sc-introduction-to-electrical-engineering-and-computer-science-i-spring-2011/ (And here: https://www.tinkerforge.com/en/doc/ and here: https://www.youtube.com/watch?v=LSQf3iuluYo&list=PLoFdAHrZtKkhcd9k8ZcR4th8Q8PNOx7iU) Building a lab - The list: Soldering iron (and tools and parts such as Solder, Flux, Tweezer, Soldering wick, Cutter, Wire stripper) Hot air rework station (can be bundled with soldering iron) Multi-meter (and lots of associated cables) Jumper and pinout wires Breadboard USB microscope Bench power supply Specific lighting (e.g. my document camera has an LED light that works great) Magnification - magnifying lenses and a headset (esp. if you are old, like us) USB serial devices (or Bus Pirate if you fancy) Then, in the Security News: Windows 11 tries to fix legacy authentication, Rapid resets and the world’s largest DDoS attack, we finally get to see the cURL vulnerability, and its pretty ugly, turns out Android TV boxes with pre-installed malware are a hot topic, patch your Netscaler, root for everyone with emergency responder software, learn THIS hacking Tools First, long live Wayland, how to actually hack a WiFi device with a Flipper Zero, scanning open source packages, GNOME bugs and a bonus, security is a great idea until there is a bypass in apparmor,a tool that everyone should have in their kit, and we could talk for hours about 25 hard hitting lessons from Cybersecurity! All that and more on this episode of Paul’s Security Weekly!   Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-802

What if all these recommendations to shift left were more about shifting focus? It's all too easy to become preoccupied with vulns, whether figuring out how to find them earlier in the SDLC or spending time fixing them within specific number of days. Successful DevSecOps approaches can be so much more than just vulns and so much more than just tools. Sure, tools are useful for identifying known vulns in dependencies and new vulns in code, but teams that emphasize people and culture will find it easier to shift their attention to the security of their product and creating secure designs. In the news, anticipating Curl's upcoming patch for a high severity flaw, the Looney Tunables flaw in Glibc, ShellTorch flaw hits PyTorch and lots of AI, lessons from some X.Org security patches, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-258

This week Aaran Leyland rants: about Google, 23andMe, Facebook, GitHub's Secret Scanning, MGM Resorts, Grindr, More News, and is joined by the notorious Jason Wood on the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-332

CEOs and boards struggle with their digital transformation process. Does their operations hinder or align with business initiatives? Has their security operations scaled to meet the data and digital demands to protect against business risk? In today’s episode, we’re talking to Chris Morales, CISO at Netenrich, who’ll provide compelling insights towards security transformation. Security organizations all face similar security challenges of too much data, siloed teams, underperforming legacy tools, and time-consuming and laborious threat investigation work. We’ll discuss the approach enterprises need to consider in advancing their security maturity. It’s one that’s data-driven, adaptive, and predictive. In the leadership and communications section, The Data Your Board Actually Wants to Hear About When Valuing Cybersecurity Investments, Cybersecurity is a CFO issue, Must-know insights when navigating the CISO career path, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-323

This week Dr. Doug talks: Feet, Google, Apple, Predator vs. Lemurs, r77, Qualcomm, qakbot, deepfakes, More News and with the exotic Aaran Leyland! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-331

In this segment, we'll explore some of the most useful lessons and interesting insights to come out of the last year's worth of breaches and data leaks! We'll explain why we will NOT be covering MGM in this segment. The breaches we will be covering include: - Microsoft AI Research Data Leak - Microsoft/Storm-0558 - CommutAir - Riot Games - Lastpass - CircleCI - RackSpace - Drizly (yes, this breach is older, but the full story just wrapped a year ago!) On this week's news segment, we go down a bit of a rabbit hole on data lakes and have a GREAT conversation about where security data wrangling might or might not go in the future. We also discuss Nord Security's funding and $3B valuation, try to figure out what Synqly is doing, and discuss IronNet's demise. We also find out which email solution is more secure (at least, according to insurance claim data), Google or Microsoft!  We wrap up, learning that forms of CAPTCHAs are apparently broken now, $3800 gets you a gaming PC in the shape of a sneaker, and someone has created the DevOps equivalent of dieselgate! Each employee serves as a potential gateway to their organization, and the personal information of your workforce is readily accessible and exposed on the internet, making the organization susceptible to threats. DeleteMe is the solution that locates and eliminates personal data from the open web, safeguarding your organization. This segment is sponsored by DeleteMe. Visit https://www.securityweekly.com/deletemeisw to learn more about them! With all of the fancy tools, equipment, and logos most organizations are unable to understand where their data is and how it can be accessed. In the world of work from wherever and whenever orgs need a better handle on what this means.  Ridge has worked to curate a set of solutions to meet and implement this need! This segment is sponsored by Ridge IT Cyber. Visit https://www.securityweekly.com/ridgeitisw to learn more about them! Why are we seeing a re-emergence of the demand for packet and flow-based forensic data in cloud environments? In this session, we’ll discuss three reasons why IT leaders still need the same if not even better visibility in the cloud than they have in their data centers.  We’ll also discuss the growing demand for Threat Exposure Management (TEM). Why does a leading analyst describe this as a transformation technology and how can you quickly visualize your environment the way the attackers do?  Segment Resources: https://www.viavisolutions.com/en-us/ptv/solutions/threat-exposure-management https://www.viavisolutions.com/en-us/ptv/solutions/high-fidelity-threat-forensics-remediation This segment is sponsored by VIAVI Solutions. Visit https://www.securityweekly.com/viaviisw to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Anuj joins us to discuss recent trends in malware. What are the malware authors up to lately? What are the latest techniques for reverse engineering malware? Learn about the latest tools and techniques from Anuj! Anuj is a Principal Threat Researcher at Blackberry, where he performs malware research and reverse engineering. He has more than 15 years of experience in malware analysis and incident response. Anuj also brings his problem-solving abilities to his position as a SANS Certified Instructor and author, which gives him the opportunity to impart his deep technical knowledge and practical skills to students. Segment Resources: https://www.youtube.com/@sonianuj In the Security News: No Flipper Zero for you!, your glibc is hanging out and other Looney Tunables, and it vulnerable, for no reasons, other than the obvious ones, a Russian firm will pay $20m for Android or iPhone 0days, you do what you do and other Exim vulnerability stories, yet another way to become root on Linux, if you ever wanted to read the source code for Sub7, well, now you can, more people want to trash bug bounties (and they are wrong), Curl has something coming, and its not good, tricking AI with your dead grandma’s locket, GPU driver vulnerabilities could lead to something, and the path to the cloud is filled with holes. All that and more on this episode of Paul’s Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-801

Communication is a skill that doesn't appear on top 10 lists, rarely appears as a conference topic, and doesn't appear enough on job requirements. Yet communication is one of the critical ways that security teams influence developers, convey risk, and share knowledge with others. Even our own Security Weekly site falls a little short with only a podcast category for "Training" instead of more options around communication and collaboration. Lina shares her experience presenting to executives and boards in high-stress situations, as well as training incident responders on real-world scenarios. Segment resources https://training.xintra.org https://www.scmagazine.com/podcast-episode/2839-pointers-and-perils-for-presentations-josh-goldberg-asw-251 In the news segment, attackers impersonate Dependabot commits, an alg of "none" plagues a JWT, CISA calls for hardware bills of materials, OpenSSF lists its critical projects, Exim (finally! maybe?) has some patches, bug bounties and open source projects, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-257

This week Dr. Doug talks: Minority Report, NSA, WS_FTP, Exim, Sextortion, BunnyLoader, CISA, More News, and is joined by the illustrious Jason Wood! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-330

As we move more infrastructure into the cloud, the traditional concepts of risk start to change. It's no longer just about networks and servers, but also needs to address identities and not just human identities. Cloud infrastructure introduces additional identity types that need to be addressed as part of your risk management program. Eric Kedrosky, CISO at Sonrai Security, joins us to discuss how to think differently about risk in the cloud. In the leadership and communications section, The CISO Carousel and its Effect on Enterprise Cybersecurity, CISOs are struggling to get cybersecurity budgets, Respectfully, I Disagree, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-322

We ALL use SaaS. It has become ubiquitous in both our personal and professional lives. Somehow, the SaaS Security market has only recently began to emerge. Today's interview with Yoni Shohet, co-founder and CEO of Valence Security, aims to understand why it has taken so long for SaaS Security products to come to market, what that market currently looks like, and what a SaaS Security product actually does. The concept of Edge computing has evolved over the years and now has a distinct role alongside public cloud. Theresa Lanowitz, from AT&T Cybersecurity, and Chris Goettl from Ivanti join us to discuss what edge computing means for the market and for cybersecurity. Specifically, we'll discuss how: Strong use cases in the market today for edge computing Security's role in edge computing, as a relative newcomer to part of the broader planning process Edge computing requires new thinking about security because of its distributed nature This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them! This week, we changed things up a bit for the news segment and Allie Mellen joins us as a surprise guest host! We discuss Cisco's Splunk acquisition and what it means for Splunk customers, and "The Blob" - Allie's term describing the negative forces responsible for much of the overhyped marketing, silly trends, and substandard products we see in the industry. Segment Resources: Allie's blog on Cisco/Splunk: https://www.forrester.com/blogs/splunk-is-good-for-cisco-but-cisco-needs-to-convince-splunk-customers-that-cisco-is-good-for-them/ Allie's blog on The Blob: https://www.forrester.com/blogs/the-blob-is-poisoning-the-security-industry/ Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-333

This week Dr. Doug talks: NarcBots, Blacktech, ZenRat, Chrome, CISO Churn, lots of privacy issues, Aaran Leyland, will Dr. Doug drink the Y3K Special Edition Coke? And more on this edition of the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-329

This week, First up its the Security News: libwebp or die: we unravel some of the details behind the webp vulnerability first fixed by Apple and Google, then, hopefully by everyone else, attackers can steal your pixels using your GPU, someone cough China cough has been hacking Cisco routers, Kia boys are still a problem, How the Cult of the Dead Cow plans to save the internet, how iOS updates could break glucose monitors, spamming the CVE database, and when a medium is really a high! Just what are the right skills to have or acquire to work in cybersecurity today? Kayla and the Security Weekly crew talk about it in this segment. We also touch on why we get burnt out and how to avoid it, all in anticipation for SOC Analyst Appreciation Day! This segment is sponsored by Devo . Visit https://securityweekly.com/devo to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-800

Supply chain has been a hot topic for a few years now, but so many things we need to do for a secure supply chain aren't new at all. We'll cover SBOMs, vuln management, and putting together a secure pipeline. Segment resources: https://www.solarwinds.com/assets/solarwinds/swresources/whitepaper/2111swiwhitepaper_nextgenbuild.pdf https://next.redhat.com/project/tekton-chains/ https://tekton.dev/ In the news, a stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security), and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-256

This week Dr. Doug talks: The Year 3000, Sandman, ShadowSyndicate, National Student Clearing House, Apple, Predator, Xenomorph, Mixin, More News, and Jason Wood on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-328

In this episode, we interview Jake Wilson, Western Governor University's Security Awareness Evangelist. We'll learn about how he built up and matured WGU's security awareness program, eliminating blind spots, and improving efficacy through data analysis and better reporting. This segment is sponsored by Living Security. Visit https://securityweekly.com/livingsecurity to learn more about them! This week in the leadership and communications section: building a feedback-driven culture, letting go of the reins, 25 hard-hitting lessons from 17 years in cybersecurity, and more! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-321

Forrester Research releases a few annual reoccurring cybersecurity reports, but one of the biggest that covers the most ground is the Security Risk Planning Guide, which was recently released for 2024. One of the report's 17 authors, and research director, Merritt Maxim, will walk us through the report's most interesting insights and highlights. This is going to be considerably interesting considering some of this year's trends impacting security teams: An economic downturn, resulting in layoffs and budget freezes The widespread proliferation of generative AI technology The relentless and resilient nature of cybercrime, despite some notable law enforcement wins Ongoing discussion about the role and relevance of SOCs, CISO's, as well as the security department place in today's enterprise Increased enterprise reliance on SaaS and Cloud, as vendors and service providers continue to struggle with securing their products and services If you've ever played Dungeons & Dragons, you probably know that the quality of the experience depends on how prepared, experienced, and talented the Dungeon Master is. Today, we'll talk to InfoSec DM and practitioner extraordinaire Ryan Fried about some of the key elements that separate a good cybersecurity tabletop exercise from a bad one! This is literally his day job at Mandiant, and it doesn't hurt to have one of the world's largest libraries of attacker TTPs and the collective lessons learned from thousands of actual incident response experiences. This week we talk about finding, acquisitions and the state of the market. If you're interested in cybersecurity market discussion, this is the episode for you. We also discuss what makes a cybersecurity influencer. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-332

This week on the Security Weekly News: Passkeys, bots, hotels, conning the con, TrendMicro, Pizza, Aaran Leyland, & more! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-327

Nathan comes on the show to discuss LLMs, such as ChatGPT, the issues we face today and in the future. Learn about prompt injection attacks, jailbreaking, LLMs for threat actors, and more! In the Security News: LVFS is not a backdoor, attackers are in physical proximity, when you need to re-cast risk, oh Fortinet, pre-installed backdoors again, deep down the rabbit hole, the buffer overflow is in your BIOS!, what is 345gs5662d34?, a cone is all you need, we are compliant because we said so but we lied, 10 years of updates, Microsoft looks at ncurses and finds bad things, they also lost 38TB of data (Microsoft that is), when MFA isn’t really MFA, China and Russia are cyber attacking things, and MGM and Caesars are in hot water, All that and more on this episode of Paul’s Security Weekly!   Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-799

The majority of attacks are now automated, with a growing number of attacks targeting business logic via APIs, which is unique to every organization. This shift makes traditional signature-based defenses insufficient to stop targeted business logic attacks on their own. In this discussion, Karl Triebes shares how flaws in business logic design can leave applications and APIs open to attack and what tools organizations need to effectively mitigate these threats. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them! In the news segment, a slew of XSS in Azure's HDInsights, CNCF releases fuzzing and security audits on Kyverno and Dragonfly2, CISA shares a roadmap for security open source software, race conditions and repojacking in GitHub, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-255

This week Dr. Doug talks: SprySocks, Lazarus, Fortinet, Juniper, CISA, Transparent Tribe, AI Art, More News, and Jason Wood on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-326

Organizations still struggle with DDoS, ransomware, and personal information exfiltration. In order the prevent these attacks, we first need to understand the ‘types’ of DDoS and emerging threat techniques used by the adversary. In this interview, we explore these attacks in the context of edge computing. As edge computing use cases evolve, organizations need to understand the intersection of edge computing, networking, and cybersecurity. We discuss the risks associated with edge computing, the controls that can mitigate these risks, and how to plan for implementation, including security budgeting. Segment Resources: https://www.akamai.com/blog/security/defeating-triple-extortion-ransomware This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them! In the leadership and communications section, Board Members Struggling to Understand Cyber Risks, Cybersecurity Goals Conflict With Business Aims, Navigating Change: The Essence of Agile Leadership, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-320

Discussing ways to ensure client success with MDR and discuss the ways organizations hurt MDR efficacy with overly broad global exclusions, poor deployment practices, and poor policy hygiene. This segment is sponsored by Sophos. Visit https://securityweekly.com/sophos to learn more about them! We talk to Chris Sanders today, who has been steeped in the world of SecOps and detection/response for many years. After many years of writing books and training folks in the cybersecurity industry, he started delving into cognitive psychology and educational effectiveness. He leverages this knowledge in the training classes he builds and delivers. Today we'll discuss why it seems like defenders are still failing, despite the security industry largely (and arguably) receiving the resources it has been requesting. In this news segment, we start off by discussing funding, acquisitions, and Ironnet's unfortunate demise. We discuss Gmail's new, extra verifications for sensitive actions and Lockheed Martin's Hoppr SBOM and software supply-chain utility kit. We get into CISA's roadmap to help secure open source software, and their offer to run free vulnerability scans for the United States' 150,000+ water utilities. Then, discussion turns back to some more negative items with Brazil's self-inflicted $11 billion dollar data leak, and the MGM/Caesar's ransomware attacks, which seem like they could have a common attacker and initial attack vector (a shared IT support company, perhaps). We also discuss Microsoft's post mortem on the Storm-0558 attack. Kelly Shortridge wants to know, "why are you logging into production hosts", someone is submitting garbage CVEs, and Mozilla finds that privacy policies from auto manufacturers are a privacy TRAIN WRECK. Finally, we wrap up discussing tools that can detect deepfake audio, as well as the likelihood that this will be the start of a game of leapfrog, as deepfakes get increasingly better over time. And we discuss Delphi's offer to create a 'digital clone' of you that could live on forever, haunting your descendants. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-331

This week Dr. Doug talks: Cyberdog, Pegasus, Webex, Peach Sandstorm, SAP, Caesar, Penn State, Aaran Leyland, and More News on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-325  

Ryan has his finger on the pulse of ransomware and response. We discuss how the initial infections are occurring, how they've changed over time, and where they are going in the future! Segment Resources: For folks to see my recent presentations: for528.com/playlist For folks to see the recordings of our recent Ransomware Summit: https://for528.com/summit23 For folks to watch my recent (free) ransomware workshop: https://for528.com/workshop23  Materials: https://for528.com/workshop Lots in the Security News this week. Stay tuned! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/psw Show Notes: https://securityweekly.com/psw-798

Zed Attack Proxy is an essential tool for web app pentesting. The project just recently moved from OWASP to the Secure Software Project. Hear about the challenges of running an OSS security project, why Simon got involved in the first place, and why successful projects are about more than just code. Segment Resources: - https://www.zaproxy.org/  - https://softwaresecurityproject.org/blog/welcoming-zap-to-the-software-security-project/  - https://owasp.org/www-project-vulnerable-web-applications-directory/  In the news segment, a key compromised from a crash dump (and the many, many lessons that followed), more examples of mishandling secrets, URL parsing mismatches show path traversal works well in Rust, an old Linux kernel bug shows how brittle code can be (even when it's heavily audited), an example of keeping OSS projects alive, a quick note on BLASTPASS, and a look at privacy in cars, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-254

This week Dr. Doug talks: Mopria, Cisco, Seimens and Schneider, Word, AP Stylebook, DarkGate, GitHub, Chrome, More News, and Jason Wood on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-324  

Managing identities continues to add complexity for granting access to enterprise resources. Between the increasing number and expanding types of identities, including carbon-based, silicon-based, and artificial identities, and the evolution of cloud computing and remote work, managing the perimeter is now an identity problem. What risks do each of these identity types pose and how do you mitigate them? Jeff Reich, Executive Director at Identity Defined Security Alliance (IDSA), joins us to discuss the challenges of digital identities, how to discover risk with digital identities, and how best to mitigate those risks. Segment Resources: IDSA's 2023 Trends in Security Digital Identities: https://www.idsalliance.org/white-paper/2023-trends-in-securing-digital-identities/ Securing Your Remote Workforce Through Identity-Centric Security: https://www.idsalliance.org/white-paper/securing-your-remote-workforce-through-identity-centric-security/   In the leadership and communications section, The importance of CISOs is not recognised by senior leadership, The secret habits of top-performing CISOs, Get *Free* copies of two of our favorite leadership books, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw-319 

Doug talks with Chat GPT in an interview format just to see what having a conversation with the AI is like. It even gets around to asking Chat GPT the famous six questions from Paul's Security Weekly. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly \Show Notes: https://securityweekly.com/vault-swn-4 

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on November 18, 2022. This segment will focus on (1) Why Did Sephora Get Fined $1.2M and Why Are They on Probation? (2) Why Data Privacy is Being Overhauled in 2023 (and How You Can Be Ready) Segment Resources: https://www.consumerreports.org/electronics-computers/privacy/i-said-no-to-online-cookies-websites-tracked-me-anyway-a8480554809/  https://www.geekwire.com/2022/the-bittersweet-serendipity-that-gave-these-two-startup-leaders-a-shared-mission-in-online-privacy/ https://www.boltive.com/blog/why-having-a-consent-management-platform-is-not-enough https://www.boltive.com/blog/bracing-for-2023-privacy-laws https://ceoworld.biz/2022/07/03/three-ways-your-data-is-leaking-in-advertising-and-how-to-avoid-it/   Show Notes: https://securityweekly.com/vault-esw-4  Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly  

Check out this interview from the PSW Vault, hand picked by main host Paul Asadoorian! This segment was originally published on February 4, 2013. Dr. Spafford is one of the senior, most recognized leaders in the field of computing. He has an on-going record of accomplishment as a senior advisor and consultant on issues of security and intelligence, education, cybercrime and computing policy to a number of major companies, law enforcement organizations, academic and government agencies... [With] over three decades of experience as a researcher and instructor, Professor Spafford has worked in software engineering, reliable distributed computing, host and network security, digital forensics, computing policy, and computing curriculum design. Dr. Spafford is a professor with an appointment in Computer Science at Purdue University, where he has been a member of the faculty since 1987. Spaf's new book, Cybersecurity Myths and Misperceptions, is available at https://informit.com/cybermyths  Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-psw-4 

Check out this interview from the SDL Vault, hand picked by main host Doug White! This segment was originally published on January 22, 2019. Today, we begin the journey to the quantum realm on SDL. Marketing is telling us, everything is quantum now, don't be fooled, let us tell you how it works on SDL. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-swn-3 

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on January 10, 2022. There's an understandable focus on "shift left" in modern DevOps and appsec discussions. So what does it take to broaden what we call appsec into something effective for modern apps, whether they're on the web, mobile, or cloud? We'll talk about moving on from niche offerings into successful appsec programs. Show Notes: https://securityweekly.com/vault-asw-4 

Check out this interview from the BSW Vault, hand picked by main host Matt Alderman! This segment was originally published on March 15, 2021. In 1989, Stephen Covey first published "The 7 Habits of Highly Effective People," empowering and inspiring leaders for over 25 years. Is there an equivalent or new set of habits for CISOs? George Finney, Chief Security Officer at Southern Methodist University, joins Business Security Weekly to discuss the Nine Cybersecurity Habits. Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/vault-bsw-4 

Having direct visibility into your access data is crucial for two reasons: 1. Simplifying audit preparation and 2. Managing progress of your identity program to ensure peak performance. Internal auditors and compliance managers need easy access to granular data points to understand and demonstrate compliance to external agencies. Gaining access to real time data creates a great deal of autonomy for audit and identity teams to be able to delve deep into their identity programs and prove compliance. However, making the data available even internally can put organizations at risk for data leaks and data policy violations. Erik will outline how companies can gain access to their current identity search and dashboard data and be able to query in their preferred BI tool based on their own data privacy policies and business needs, significantly reducing risk.   This segment is sponsored by SailPoint. Visit https://securityweekly.com/sailpoint to learn more about them! There's still serious, late stage funding for compelling tech in cybersecurity, SpyCloud proves with it's $110M Series D. We discuss the SentinelOne/Wiz merger rumors. Sadly layoffs and even company failures are still occurring, thought Tyler thinks the market downturn is close to bottoming out. NordVPN spins off an AI skunkworks called NordLabs. The Browser Company has a great company vision page that's worth checking out. Two interesting LLM prompt-related tools to check out are PIPE and promptmap (both on github). Brazilian phone spyware WebDetetive (sic) gets hacked and all victim data deleted. US takes down QakBot and *removes* it from infected systems! Finally, a homing pigeon proves that birds are faster than gigabit Internet :D In this interview, Raghu discusses the specific challenges in securing the cloud and how to overcome them. He shares how to make your life easier by making security a team sport, how to gain the visibility you need across clouds, data centers, and endpoints, and how to get a return on your cloud security investments. This segment is sponsored by Illumio. Visit https://securityweekly.com/illumiobh to learn more about them! It’s no secret that the attack surface is increasing and the best defense is one that’s matched to the most relevant risks. Through proactive and reactive research, The SafeBreach Labs team helps customers discover their most critical threats and security gaps by building the industry’s most current and complete playbook of attacks. In this session, SafeBreach Director of Research Tomer Bar will share how attacks are conducted, which APT group have been the most active, and how breach and attack simulation can help teams think like an adversary and leverage recent vulnerabilities to gain accurate insights.  Segment Resources: https://www.safebreach.com/safebreach-labs/  This segment is sponsored by SafeBreach. Visit https://securityweekly.com/safebreachbh to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-330

This week Dr. Doug talks: AI vs. Hunter Thompson, Sandstorm, BGP, Earth Estries, DOE, VMWare Aria, Key Group, DSA, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-323

Amanda joins us to discuss aspects of incident response, including how to get the right data to support findings related to an incident, SMB challenges, cloud event logging, and more! Amanda works for Blumira and is the co-author of "Defensive Security Handbook: Best Practices for Securing Infrastructure." In the Security News: How not to send all your browser data to Google, apparently Microsoft needs pressure to apply certain fixes, the mutli-hundred-billion-dollar-a-year industry that tries to secure everything above the firmware, security through obscrurity doesn’t work, should you hire cybersecurity consultants, pen testing is key for compliance, defense contractor leaks, inside a McFlurry machine, Barracuda is still chasing hackers, why Linux is more secure than windows, more details on WinRar and middle-out compression, a Wifi worm?, CVE-2020-19909 is almost everything that is wrong with CVE, Tacos, and hacking through a Fire stick! All that and more on this episode of Paul’s Security Weekly!  Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-797

We go deep on LLMs and generative AIs to shine a light on areas that security leaders should focus on. There are technical concerns like prompt injection and access controls, and privacy concerns in training and usage. But there are also areas where security tools are starting to address these concerns as well as areas where security tools are adopting AI themselves. We'll share where we see AI showing promise, as well as where we suspect it's still premature. In the news, a Go Crypto presentation from Real World Crypto, Excel releases support for Python, protecting users from malware like the Luna Grabber and WinRAR RCE, DARPA's V-SPELLS project, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-253

This week Dr. Doug rants: Mystery, Qakbot, Crates.io, VDP, NetScaler, Entra ID, SynthID, FreeBSD, More News, and Jason Wood on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes!  Show Notes: https://securityweekly.com/swn-322

The metaverse is an evolving storytelling environment in which humans have congregated for millennia to experience alternate, immersive, and simulated realities, with or without technology. Storytelling is designed to influence mental and physical perceptions suiting the purposes of the content creators. Metawar is the art of applying science to create and defend against the influence of alternate realities in the metaverse. What if we can longer rely on our senses to determine what is real and what is fiction? Winn's research into Metawar initially focused on metaversal technologies. Unexpectedly, it morphed into an intensely personal experience, triggering Winn's own Metanoia, which had a profound impact on the entire Metawar Thesis. Winn joins Business Security Weekly to share his Metanoia. In the leadership and communications section, A CISO's Actionable Strategy for Success, Security basics aren’t so basic — they’re hard, Building a Culture Where Employees Feel Free to Speak Up, and more!  Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-318 

Incredibly, the seemingly simple task of managing corporate-owned devices is still a struggle for most organizations in 2023. Maybe best MDM for Mac doesn't work with Windows, or the best MDM for Windows doesn't work with Mac. Maybe neither have Linux support. Perhaps they don't provide enough insight into the endpoint, or control over it. Whatever the case, security leaders never seem satisfied with their MDM solution and are always investigating new ones. Now, Kolide has stepped in with a unique approach to device management, combining the flexibility and industry support for OSQuery and built to integrate with IdP giant Okta. We discuss Kolide's entrance into the device management space and the current state of MDM - what's wrong with it, and how does Kolide propose to fix it? This segment is sponsored by Kolide. Visit https://securityweekly.com/kolide to learn more about them! Segment description coming soon! Record funding levels over the last two weeks top 2023 and the same time last year. We discuss Palo Alto's plans for the future, CISA's analysis of the LAPSUS$ hacking group, and the uselessness of Quantum Security pitches. Chrome adds the ability to alert users about malicious extensions. A great post from Thinkst has us talking about why vendors (and buyers) need to be careful about default behaviors and documentation. You won't want to miss the excellent squirrel story - a front end for Reddit that looks like Microsoft Outlook. During this segment, Jon will explore today’s ransomware economy players from IABS to RaaS affiliates, to money launders and now C2Ps. For the discussion, Jon will leverage Halcyon’s latest research, which demonstrates a new technique to uncover how C2Ps, like Cloudzy, are used to identify upcoming ransomware campaigns and other advanced attacks. The research revealed that Cloudzy, knowingly or not, provided services to attackers while assuming a legitimate business profile. Threat actors that leveraged Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines. This segment is sponsored by Halcyon. Visit https://securityweekly.com/halcyonbh to learn more about them! In this session, Snehal will discuss several real-world examples of what autonomous pentesting discovered in networks just like yours. You’ll hear more about how fast and easy it was to safely compromise some of the biggest (and smallest) networks in the world - with full domain takeover in a little more than a few hours. Learn how you can safely do the same in your own network today!  This segment is sponsored by Horizon3.ai. Visit https://securityweekly.com/horizon3aibh to learn more about them! In this Black Hat 2023 interview, CRA’s Bill Brenner and Sophos’ John Shier discuss the company’s latest research on the Royal ransomware gang. Though Royal is a notoriously closed off group that doesn’t openly solicit affiliates from underground forums, granular similarities in the forensics of the attacks suggest all three groups are sharing either affiliates or highly specific technical details of their activities.  This segment is sponsored by Sophos.  Visit https://securityweekly.com/sophosbh to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-329

This week in the Security News Dr. Doug talks: Openfire, Firepower, Barracuda, CosmicBeetle, Lazarus, Encryption, Network Tourism, India's on the Moon, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-321

Jared has a long, and outstanding, history in cybersecurity. Today, he works for Microsoft helping them run and respond to bug bounty reports. The scale is massive and I think we can all learn a thing or two about vulnerability management and bug bounties! Segment Resources: https://www.microsoft.com/en-us/msrc/bounty?rtc=1 https://www.microsoft.com/en-us/msrc https://msrc.microsoft.com/report/vulnerability/new https://www.microsoft.com/en-us/msrc/bounty https://msrc.microsoft.com/blog/ https://jobs.careers.microsoft.com/global/en/search?q=msrc&l=en_us&pg=1&pgSz=20&o=Relevance&flt=true https://www.microsoft.com/bluehat/  In the Security News: Lora projects are popular, simple checksums are not enough, WinRAR: shareware or native OS?, ATM software is vulnerable, attackers could learn from security researchers (but lets hope they don’t), NoFilter and behavior by design, Apple vs. A security researcher: there are no winners, sneaky npm packages, faster Nmap scans, kali on more phones, more LOl drivers, comparing security benchmarks to the real world, tunnelcrack and why VPNs are over-hyped, Ubuntu has lost its mind, and there’s a Python in the sheets! All that and more on this episode of Paul’s Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-796

Two featured interviews from this year's Black Hat. In the news, Discord.io ceases to be, Azure AD breach to get scrutiny from the CSRB, Zoom's AI stumbles show security concerns, model confusion attacks, a look at how far we have -- and haven't -- come with XSS flaws, an approachable article on AI, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-252  

This week Aaran Leyland subs in to discuss: Cold Fusion Flaw, EncroChat, sneaky Amazon and Google, Spoofing Apple devices, Telsa data breach, Space and Jason Wood on this episode of the Security Weekly News!  Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-320

The Security Weekly 25 Index is still trying to recover. Inflation fears have tampered the recovery and the NASDAQ is outperforming the Index. Fastly replaces Sumo Logic in the Index and Thoma Bravo has not acquired anyone, so hoping the index stays stable for more than a quarter :). Here's the latest list of companies in the index: Secureworks Corp Palo Alto Networks Inc Check Point Software Technologies Ltd. Splunk Inc Gen Digital Inc Fortinet Inc Akamai Technologies, Inc. F5 Inc Zscaler Inc Onespan Inc Leidos Holdings Inc Qualys Inc Verint Systems Inc. Cyberark Software Ltd Tenable Holdings Inc Darktrace PLC SentinelOne Inc Cloudflare Inc Crowdstrike Holdings Inc NetScout Systems, Inc. Varonis Systems Inc Rapid7 Inc Fastly Inc Radware Ltd A10 Networks Inc Ransomware-as-a-Service has contributed to a steady rise in sophisticated ransomware attacks. Ransomware authors are increasingly staying under the radar by launching encryption-less attacks which involve large volumes of data exfiltration. Organizations must move away from using legacy point products and instead migrate to a fully integrated zero trust platform that minimizes their attack surface, prevents compromise, reduces the blast radius in the event of a successful attack, and prevents data exfiltration. Segment Resources: https://www.zscaler.com/press/zscaler-2023-ransomware-report-shows-nearly-40-increase-global-ransomware-attacks https://www.zscaler.com/blogs/security-research/2023-phishing-report-reveals-472-surge-phishing-attacks-last-year  This segment is sponsored by Zscaler. Visit https://securityweekly.com/zscalerbh to learn more about them! The security mediascape is buzzing with discussions around the growing threat of generative AI. But, how can we use this powerful new weapon for good? In this executive interview, IRONSCALES CEO Eyal Benishti walks us through the ways in which generative AI can be used to significantly harden organizations’ cyber defenses, and even unveils the latest, cutting-edge tools to be added to IRONSCALES’ growing AI suite of capabilities. Meet IRONSCALES’ Themis Co-Pilot for Outlook and learn how your team can use artificial intelligence to tip the scales back in your favor. Segment Resources: https://ironscales.com/company/news-awards/news/ironscales-announces-themis-copilot Video: https://youtu.be/ayn8ecsNgKY This segment is sponsored by IRONSCALES. Visit https://securityweekly.com/ironscalesbh to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-317

In the Enterprise Security News, 1. Check Point buys Perimeter 81 to augment its cybersecurity 2. 2023 Layoff Tracker: SecureWorks Cuts 300 Jobs 3. Hackers Rig Casino Card-Shuffling Machines for ‘Full Control’ Cheating 4. ‘DoubleDrive’ attack turns Microsoft OneDrive into ransomware 5. NYC bans TikTok on city-owned devices As more organizations explore edge computing, understanding the entire ecosystem is paramount for bolstering security and resiliency, especially within a critical industry like healthcare. In this segment, Theresa Lanowitz, Head of Cybersecurity Evangelism at AT&T Business, will provide a deep dive into the state of edge computing—specifically, how it is revolutionizing healthcare. She will discuss key findings from the “2023 AT&T Cybersecurity Insights™ Report: Focus on Healthcare” and provide insight into how to prepare for securing the healthcare edge ecosystem. With Active Directory (AD) exploited in 9 out of 10 cyberattacks, delaying AD modernization—especially after a merger or acquisition—can compound security risks. Security is the most compelling reason to migrate to a pristine AD forest or perform an AD forest or domain consolidation, but many organizations delay such projects due to the effort and planning they require. Security Weekly talks with Semperis CEO Mickey Bresman about the keys to a smooth and secure AD modernization strategy. Security organizations are increasingly adopting data lakes and cloud services as additions or alternatives to traditional SIEMs, but face challenges like scarcity of data engineering expertise and high data ingestion and cloud compute costs. To overcome these, a new security data stack is emerging, guided by models like SecDataOps and supported by solutions like Tenzir, purpose-built for security data use cases. In this segment, we will be talking about what is driving the heavy use of data in security operations, why that is stressing traditional security operations tools and processes, and what some early-adopter organizations are doing to meet these challenges.   The rapid growth of APIs used to build microservices in cloud-native architecture has left many enterprises in the dark when it comes to knowing where, how many, and what types of APIs they have. With multiple teams creating their own API endpoints without shared visibility or governance, exposed APIs can become a critical threat vector for hackers to exploit. Edgio's new advanced API security capabilities give customers integrated and unparalleled protection at the edge, protecting APIs that are critical to modern businesses. Edgio delivers these services as part of its fully integrated holistic Web Application and API protection solutions giving customers the ability to respond to threats quicker. An edge-enabled holistic security platform can effectively reduce the attack surface, and improve the effectiveness of the defense while reducing the latency of critical web applications via its multi-layered defense approach. Edgio's security platform “shrinks the haystacks” so that organizations can better focus on delivering key business outcomes. Offensive security is a proactive approach that identifies weaknesses using the same exploitation techniques as threat actors. It combines vulnerability management with pen testing and red team operations to “expose and close” vulnerabilities before they are exploited. Join us at Black Hat as we delve into the world of Managed Detection and Response (MDR) providers. In this podcast, we'll explore the critical factors to consider when selecting an MDR provider, uncover the common shortcomings in their services, and discuss the necessary evolution required to ensure ongoing effectiveness and enhanced value for customers. Get ready to unravel the complexities of MDR and gain insights into the future of this vital cybersecurity solution. This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecuritybh to learn more about them! This segment is sponsored by Semperis. Visit https://securityweekly.com/semperisbh to learn more about them! This segment is sponsored by Tenzir. Visit https://securityweekly.com/tenzirbh to learn more about them! This segment is sponsored by Critical Start.  Visit https://securityweekly.com/criticalstartbh to learn more about them! This segment is sponsored by Edgio. Visit https://securityweekly.com/edgiobh to learn more about them! This segment is sponsored by Fortra. Visit https://securityweekly.com/fortrabh to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/esw for all the latest episodes!  Show Notes: https://securityweekly.com/esw-328

This week Dr. Doug talks: Elon Throttling, Dilithium, Africa, Suse, Citrix, QR Codes, AI Meetings, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-319

The 2020 Armenian war with Azerbaijan called into action over 100 volunteer incident responders from across the country (and the globe) into action. Our guest for this segment was one of the leads during the 40-day conflict and helped organize teams that responded to everything from websites being attacked and country-wide Internet outages. In the Security News: You should read the NIST CSF, JTAG hacking the original Xbox, tricked into sharing your password, attacking power management software, the vulnerability is in the SDK, tearing apart printers to find vulnerabilities, a pain in the NAS, urllib.parse is vulnerable, hacking the subway, again, how not to implement encryption from OSDP, Intel does a good job with security, and hacking card shuffling machines! All that and more on this episode of Paul’s Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-795

This week in the Security News, Dr. Doug talks: DEFCON, ScrutisWeb, DoubleDrive, GitHub, npms, AI Cheating advice, More news and Jason Wood Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-318

In the leadership and communications section, CISO is Crisis, Will SEC Cybersecurity Regulations Make a Difference?, NIST Drafts Major Update to Its Widely Used Cybersecurity Framework, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-316

A key part of modern appsec is communication. From interpersonal skills for fostering collaborations to presentation skills for delivering a message, the ability to tell a story and engage an audience is a skill that doesn't appear on top ten lists and that doesn't come up in secure coding checklists. Josh shares his path to becoming a presenter on technical topics, including stumbles he's made along the way and how he helps others develop their skills for slides. Resources: - https://www.joshuakgoldberg.com/blog/how-i-apply-to-conferences https://www.joshuakgoldberg.com/blog/how-i-apply-to-conferences-faqs https://www.joshuakgoldberg.com/blog/how-i-apply-to-conferences-faqs/#what-are-your-favorite-conference-talks-youve-seen https://www.youtube.com/watch?v=mPPZ-NUnR-4&t=25743s&ab_channel=JSWORLDConference  Then in the news segment, DARPA unleashes an AI Cyber Challenge to find flaws, CISA asks for input on securing open source software and memory safety, what five years of vuln research shows for vuln management programs, siphoning security tokens from VS Code, and more! Follow us on Mastodon: https://infosec.exchange/@AppSecWeekly  Follow us on Twitter: https://www.twitter.com/secweekly  Like us on Facebook: https://www.facebook.com/secweekly Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-251  

Binarly is one of only a few startups focused on highlighting security issues in firmware. The company has discovered a remarkable number of vulnerabilities in firmware in a very short time. Its' founder, Alex Matrosov, joins us to discuss insights discovered along his company's journey to convince vendors that firmware is worth securing. This week in the Enterprise News, we discuss Kubernetes attacks and CPU attacks. We also have a better idea of what valuation losses might be for security startups, thanks to the Check Point/Perimeter 81 acquisition. MITRE releases, ATLAS, an ATT&CK-style framework for machine learning models. Bloodhound's new rearchitected Community Edition is out, and Las Vegas's Sphere hasn't been hacked... yet. We discuss Ian Amit's background and what led him to want to leave the CISO life to create a startup! It's one thing for a security product to report problems to a security team. Everyone has these tools, but the problem is that someone has to analyze and triage all those findings, leading to alert fatigue and not a lot getting fixed. Gomboc is proposing to address this gap by auto-generating the fix.  https://www.blackhat.com/us-23/spotlight.html Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-327

This week: Dr. Doug talks Creepy AI, Codesys, Kyber768, .net, Gootloader, DARPA, EvilProxy, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-317  

Just how prepared are you for the next cybersecurity incident? Depending on the definition, security incidents likely happen daily at most enterprises. Because we can't prevent everything, the key to success is to be in a constant state of readiness. This means regular training with a focus on preparation. Gerard will walk us through tips and tricks to keep our incident response teams in tip-top condition. In the Security News: Hacking your Tesla to enable heated seats (and so much more), The Downfall of Intel CPUs, The Inception of AMD CPUs, that’s right we’re talking about 3 different hardware attacks in this episode! Intel issues patches and fixes stuff even though its hard to exploit, Rubber Ducky you’re the one, history of Wii hacking, don’t try this at home Linux updates, we are no longer calling about your vehicle warranty, cool hardware hacking stuff including building your own lightsaber, you Wifi keys are leaking again, the evil FlipperZero, Buskill, complaining publicly works sometimes, these are not the CVSS 10.0 flaws you are looking for, when side channel attacks, dumpster diving for plane ticks, and go ahead, try and hack a robo-taxi! All that and more on this episode of Paul’s Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes!  Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-794

Mature shops should be looking to a security architecture process to help scale their systems and embrace security by design. We talk about what it means to create a security architecture process, why it's not just another security review, and why it requires security to dig into engineering. Segment Resources: - https://www.lacework.com/ciso-boardbook/ciso/merritt-baer Zap gets a jolt of new support, using Clang for security research, LLM attacks learn models, Rust visualizes dependencies, a National Cyber Workforce and Education Strategy, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-250  

This week in the Security News, Dr. Doug talks: BilDad the Shuhite, Points.com, Papercut, Prospect Medical, SMS, Microsoft, DAAS, Chatbots, More News, and Jason Wood.  Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Show Notes: https://securityweekly.com/swn-316

On July 31st, 2023, the Biden administration released a national strategy addressing cyber workforce shortages, calling long-standing vacancies a national security imperative. The National Cyber Workforce and Education Strategy focuses on four major pillars: equipping every American with cyber skills, transforming cyber education, expanding and enhancing the national cyber workforce and strengthening the federal cyber workforce. The strategy relies heavily on non-governmental and private sector entities to provide funding, internship and apprenticeship programs to increase the number of workers with cybersecurity skills. One of those entities referenced in the strategy is Dakota State University. Dr. José-Marie Griffiths joins us to discuss education's role in the strategy, but offers other insights, including: - immigration policies and how it limits the current cyber workforce, - diversity, equity, and inclusion initiatives and the reduction of women in the cyber workforce, and - what can the cyber community do to help.  Segment Resources: https://www.dsucyber27.com/  https://dsu.edu/programs/artificial-intelligence-bs.html  https://dsu.edu/programs/computer-science-artificial-intelligence.html  In the leadership and communications section, How CISOs can engage the C-suite and Board to manage and address cyber risk, CISOs Need Backing to Take Charge of Security, It’s OK to Fail, but You Have to Do It Right, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-315  

While malware and ransomware tend to dominate cybersecurity headlines, Fortra’s research shows that nearly 99% of email threats reaching corporate inboxes utilize impersonation rather than malware. Email impersonation is a key component of credential phishing, advance fee fraud, hybrid vishing, and business email compromise schemes. Because email impersonation scams rely on social engineering rather than technology, the barrier to entry for an aspiring cybercriminal is almost non-existent. In this segment, we’ll explore strategies for defending against email impersonation. Segment Resources: [Fortra Cybersecurity Learning Resources](https://www.fortra.com/resources/cybersecurity-education?code=cmp-0000012210&ls=717710002&utm_source=cyberrisk-alliance&utm_medium=contsynd&utm_campaign=ft-brand-awareness) [2023 BEC Trends, Targets, and Changes in Techniques](https://static.fortra.com/agari/pdfs/report/fta-ag-2023-bec-trends-targets-changes-in-techniques-rp.pdf) This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them! Fareedah Shaheed, aka CyberFareedah, has dedicated herself to educating the public on online safety. Today, we'll talk about the challenges she has faced in building a training company from scratch, targeting both consumers, and private business. Her journey is interesting from multiple perspectives: as a business owner, an immigrant, becoming an influencer, and establishing herself as a cybersecurity thought leader - all within less than half a decade! This week in the Enterprise Security News: we discuss securing open source, Cyberinsurance, Hackerone Layoffs, and whether or not Sharks have noses!  Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-326

Midnight Blizzard, Citrix, Bloodhound, Five Eyes, Canon, Cult of the Dead Cow, AI Shopping, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-315

Our good friend Bill Swearingen joins us to talk about some of the incident response work he's been doing lately. Many people have it wrong, you don't need to be a cybersecurity ninja to respond to a security incident. Its about knowing who does what in your organization and executing a plan. Bill has put together a a set of free resources to help the community with incident response as well! Vistit the Awesome Incident Response project here: https://github.com/hevnsnt/Awesome_Incident_Response/ In the Security News: Canon shoots out your Wifi password, I want to be Super Admin, you don’t need fancy hacks to bypass air gaps, U.S. Senator attacks Microsoft, Tenable CEO attacks Microsoft, we should all be hopeful despite the challenges in infosec, SEC requires reporting Cyberattacks within 4 days, Mirai attacks Tomcat, scanning a car before stealing it, a little offensive appliance, no Internet access for you and that will solve the problem, Ubuntu blunders, it’s so secure no one can actually use it, and yet another CPU data leak! All that and more on this episode of Paul’s Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-793

Identity isn't new, but we do have new ways of presenting and protecting identity with things like payment wallets and verifiable credentials. But we also have identity in surprising places -- like cars. We'll answer some questions like: - Why do we even have identities in cars? - What else is your car connected to? - How should devs be thinking about security in this space? In the news segment, Zenbleed in AMD, Google's TAG sees a drop in zero-days, new security testing handbook from Trail of Bits, Phil Venables' advice on public speaking, car battery monitor that monitors location(!?), more news on TETRA, Visit https://securityweekly.com/asw for all the latest episodes!  Follow us on Mastodon: https://infosec.exchange/@AppSecWeekly  Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-249

This week in the Security News: Throbbing Gristle, China, Dragos, Ransomware, Tomcat, Ivanti, Radio Radio, My Mother the Car, Jason Wood, and More!  Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly  Show Notes: https://securityweekly.com/swn-314

Some organizations are banning ChatGPT and other generative AI models out of fear of the risks they could introduce. While this is understandable, the reality is generative AI is accelerating so fast that, very soon, banning it in the workplace will be like blocking employee access to their web browser. Randy Lariar, Practice Director of Big Data, AI and Analytics at Optiv, will discuss how to embrace the new technology and shift the focus from preventing it in the workplace to adopting it safely and securely. We will discuss the challenges and benefits of generative AI, including: - How to detect AI tools and usage - How to develop policies and procedures for using AI tools - How the protect the models, data, and infrastructure to support AI tools - What are the regulatory requirements that may impact AI tools and usage - What are the benefits of using AI tools Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Show Notes: https://securityweekly.com/bsw-314

Once an incident has occurred and you've responded, then what? Join us for a chat with Sean Metcalf on what we can do to ensure our infrastructure remains resilient after a security incident. Segment description coming soon! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Show Notes: https://securityweekly.com/psw-792

The traditional concept of the CISO may literally be 'too much', according to Nathan Case. It's based on systems of control and unrealistic assumptions that don't survive contact with real life. In this conversation, we'll discuss what the top security leadership role should be, and how it differs from the current/old school concept. The concept of Edge computing has evolved over the years and now has a distinct role alongside the public cloud. AT&T Cybersecurity just released their 12th report on this market, which explores insights from a massive, 1400 respondent survey. Theresa Lanowitz joins us to discuss the findings of the report, and the future of this market. https://cybersecurity.att.com/insights-report This segment is sponsored by AT&T Cybersecurity.  Visit https://securityweekly.com/attcybersecurity to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-325

GameOver(lay), ZenBleed, Maximus, Redline and others, the SEC, SiegedSec, Microsoft, Aaran Leyland, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly  

Once an incident has occurred and you've responded, then what? Join us for a chat with Sean Metcalf on what we can do to ensure our infrastructure remains resilient after a security incident. Then, In the Security News: Cisco hates patching stuff, they hacked a Peleton, so what?, Zenbleeding, stopping Kia Boys, Your BMC is showing, Hacking your toothbrush, Flipper Zero Smoking a Smart Meter was a fake, RFID Tags Inside Amazon Products, Backdoors in Encrypted Police Radios, The Death of Infosec Twitter, and just stop people from accessing the Internet! All that and more on this episode of Paul’s Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-792

Appsec teams and developers must both understand the consequences of what they're doing when building APIs. Appsec teams need to push for collaboration and help implement tools that augment the development process. Dev teams need to wrangle complex architectures and work on addressing classes of vulns rather than just playing BugOps with scanner outputs. In the news, there's a (non-critical, but cool) RCE in ssh-agent forwarding, Node's vm2 bids adieu, zero-day from a CTF eventually makes it to a bug bounty program, Bad.Build, and more! This segment is sponsored by GuidePoint.  Visit https://securityweekly.com/guidepoint to learn more about them! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-248

CYBER.ORG, in partnership with CISA, is helping create a diverse cyber workforce by breaking down the barriers to cybersecurity education by improving access for all K-12 students nationwide. CYBER.ORG’s HBCU feeder program Project REACH was recently highlighted in CISA’s 2022 Year in Review as part of the agency’s commitment to improving diversity and accessibility in the field. Laurie Salvail, Director of CYBER.ORG, joins BSW to discuss: - Why the expansion of K-12 cybersecurity education is the first step toward building a diverse talent pipeline. - How CYBER.ORG has implemented initiatives to drive diversity in cybersecurity including: - Project REACH, the HBCU feeder program launched across the country to build the next-gen workforce, and its plans to expand kickoff events in 2023. - Project Access, a program for the blind and visually impaired who are in pre-employment transition (Pre-ETS), and the summer camps on the horizon. - CYBER.ORG’s plans to expand diversity and inclusion efforts in the coming year to Hispanic-serving institutions. Segment Resources: To learn more about CYBER.ORG or to get involved, visit: https://www.cyber.org This week in the leadership and communications section: the SEC is asking for comments on Cybersecurity on Wednesday, July 26, 2023 at 10:00 a.m - Be there and tell them what you think of their cybersecurity regulations! Google has a new AI tool for journalism, Sergey Brin is back at Google, paving the path for "Blue-Collar AI" professionals, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-313

Citrix, Ivanti, DOJ changes, Elon X, TETRA Radio, Google WEI, Jason Wood, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-312

Today, we talk to Juliet about what's wrong with security programs today and what security leaders should be doing to fix them. We'll discuss how security programs can look rosy... until the incident hits, and the true posture of the organization is laid bare. How can CISOs still look good and maintain the org's trust under the worst of circumstances? In this interview, Jules will tell us how. Zero Trust is an imperfect concept and is often impractical to deploy comprehensively at scale, but that doesn't mean it can't do any good. In this interview, we talk with practitioner Ryan Fried about his experiences implementing Zero Trust in real life. We'll also discuss his new role at Mandiant, and why the glue that holds together people, process, and tools is so important. Finally, in the enterprise security news, Secure Code Warrior raises $50M to continue educating developers on best security practices, Jamf acquires dataJAR, IronNet’s public run ends soon, Microsoft puts pressure on other cybersecurity stocks, We discuss the Microsoft Storm breach, How to make engineers not hate you, Securely build features using AI APIs WormGPT, National Cybersecurity Strategy Implementation Plan, Cybersecurity labels Google plans to scrape everything you post for AI, & the Year of the Linux Desktop! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly  Show Notes: https://securityweekly.com/esw-324

AirGaps, Slackware, Kevin Mitnick, Awareness, Microsoft, Bad API, JumpCloud, Megarac, Aaran Leyland, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-311

This week, up first is the Security News: Microsoft lost its keys, LOL drivers, If you were the CSO, try to keep employees happy but remove their accounts when they leave, gaming device finds a missing child, $3 brute forcing, undocumented instructions are sometimes the best instructions, remote code on your Oscilloscope, fuzzing satellites, routers are great places to hide, typos lead to information leaks of US military emails, pwning yourself, pwning security researchers, getting pwned by a movie, and WormGPT! Sumit comes on the show to teach us a little about PHP type-juggling, introduce a free online security lab, and discuss the new certifications being offered in collaboration with Blackhat. Segment Resources: Our SecOps exams: https://secops.group/cyber-security-certifications/  Black Hat's Certified Pentester exam: https://www.blackhat.com/us-23/certified-pentester.html Vulnmachines platform: https://www.vulnmachines.com/ Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-791  

While much has been written and argued about the security of election systems - the things that do the actual ballot counting - there's other systems that have to be in place and secured before the vote can occur - voter registration databases, ballot delivery systems, etc. Might it be possible to use modern appsec concepts OWASP SAMM to secure them in a more efficient, targeted, cost-effective manner? Brian Glas joins us to talk about this and his ongoing work around providing students with a modern application security education. It's a busy news week - We explore what happens when people trust plugging cables into their EVs in public, how an APT is leveraging docker and kubernetes to build a botnet, why you should be careful running code from "researchers," and much more Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly  Like us on Facebook: https://www.facebook.com/secweekly Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-247

Scotty in Hell, CISA, S3, the White House, Risky Devices, Microsoft, Mali, Virus Total, Jason Wood, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes!  Show Notes: https://securityweekly.com/swn-310

Less than 50% of the Fortune 500 have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) listed on their executive team. Why is that? Is this role not considered an executive position? In part 1, we debate the role of the CISO/CSO and whether it is or is NOT and executive position. We've made a lot of progress over the last 20+ years, but has the role peaked? Will the role continue to get a seat at the table as a C-level executive or will it atrophy back to a VP or Director role? If the CISO/CSO is still an executive position, then what are the requirements of this role? In part 2, we debate the requirements of the CISO/CSO role and expectations of the organization. To be a true executive role, the CISO/CSO needs to have the decision making authority with the same protections of other officers. Will they get it? We debate. Visit https://www.securityweekly.com/bsw for all the latest episodes!  Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly  Show Notes: https://securityweekly.com/bsw-312

InfoSec might have a hoarding problem, but it’s easy to understand why. It’s almost impossible to know what logs you’re doing to need, when you’re going to need them, or for what reason. SIEM vendors have taken advantage of these InfoSec data FOMO tendencies, however, and are making a killing charging a premium for storage - even when the storage in question is your own on-prem hardware. There ARE alternatives, however, but it seems most folks aren’t aware of this. In this interview with Eric Capuano, we’ll discuss both the practical and economic shortcomings of the traditional SIEM model. We’ll discuss the challenges of various SIEM use cases. Most importantly, we’ll discuss the new models actively replacing them. (No, they’re not branded as next-gen SIEMs) Tim MalcolmVetter has been alternating between blue team and red team roles for years. Moving between the two has had its advantages, giving Tim a better understanding of what works, what doesn’t and why. We’ll discuss a variety of topics, including the pros and cons of industry talent pipelines, Kerberoasting, and AI trends. 2023 Cybersecurity Conversations Report: https://eb1x.co/NWn0RHK Segment description coming soon! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-323

Microsoft, Zimbra, Rockwell, Joe Biden, Tax Software, Black Mirror, Aaran Leyland, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn-309

Getting the correct data in the right place for incident response is challenging. JP comes on the show to talk about how he is helping companies with these challenges, getting control of the security data pipeline while helping save costs! In the security news: Someone is going to get hurt, slow migrations, hiding on the Internet is hard, more Fortinet vulnerabilities, BLackLotus source code, the difficulties with roots of trust, stealthy rootkits, patching made easy?, rowhammer and gaslighting, signing with time machines, memory is complicated, and it’s alive!!! It's alive!!! Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Show Notes: https://securityweekly.com/psw-790

Infosec is still figuring out useful metrics, how to talk about risk, and how to make resilience more relevant. Shannon talks about a new community effort to measure software trust. She also covers threat modeling and adversary management as steps towards determining an org's resiliency and security. Segment Resources: https://community.ravemetrics.com  Melinda will share results from her study last year on developer-focused security, "Walking the Line: Shift Left and GitOps Security" and discuss trends to help security keep up with modern software development. Segment Resources: ESG Complete Survey Results: Walking the Line: GitOps and Shift Left Security: https://research.esg-global.com/reportaction/515201532/Toc  Addressing the confusion around shift-left cloud security | TechTarget: https://www.techtarget.com/searchsecurity/opinion/Addressing-the-confusion-around-shift-left-cloud-security  Melinda Marks’s Most Recent Content: https://www.techtarget.com/contributor/Melinda-Marks  Visit [securityweekly.com/asw](https://securityweekly.com/asw) for all the latest episodes! Follow us on Twitter: [@SecWeekly](https://www.twitter.com/secweekly) Like us on Facebook: [facebook.com/secweekly](https://www.facebook.com/secweekly) Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-246  

Green, Hairy Tongue, MoveIt redux, HCA, Apple, Threads, Jason Wood, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-308

A golden age is a time of great achievement in a society or industry — a time of innovation and the furthering of new ideas via new mediums or technological advancements. Email security is now entering a golden age after stagnating for the better part of a decade. Is it time to celebrate? Customers have more choice than ever when it comes to protecting how employees, customers, and partners communicate and collaborate. Often, those customers are choosing more than one email security partner in a layered or multilayer approach to protection, as it provides greater efficacy — and peace of mind. But is that sustainable in a consolidating market? Jess Burn, Senior Analyst from Forrester Research, joins us to discuss the results of The Forrester Wave on Enterprise Email Security for Q2 2023. Segment Resources: https://www.forrester.com/blogs/announcing-the-forrester-wave-enterprise-email-security-q2-2023/?ref_search=604835_1688574622533 In the leadership and communications section, CISO as a Business Executive: 5 areas to focus on and 5 actions you can take to run cybersecurity…, How to win the battle for cybersecurity budgets, Mastering Effective Communication Skills with the Dale Carnegie Method, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-311  

Robots have always had a kind of scaling from very mechanical to autonomous devices that are self aware. On this episode of SDL, Russ and Doug discuss AI, how bots work, and botnets in general.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-swn-2 

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on August 11, 2022. Following in the footsteps of an attacker and uncovering their digital footprints, this episode will uncover an attacker’s techniques used and how they went from zero to full domain admin compromise, which resulted in a nasty ransomware incident. It will also cover general lessons learned from Ransomware Incident Response.   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-3 

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 23, 2022. Developers want bug-free code -- it frees up their time and is easier to maintain. They want secure code for the same reasons. We'll talk about how the definition of secure coding varies among developers and appsec teams, why it's important to understand those perspectives, and how training is just one step towards building a security culture.   Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-asw-3 

Welcome to another edition of a Paul's Security Weekly Vault episode! This episode was previously recorded on April 5, 2012 and features an interview with none other than Dan Geer. Unfortunately there is no video for this episode, but the content is still relevant today.  Dan Geer is a renowned cybersecurity expert and visionary. With a wealth of knowledge and experience in the field, Dan has made significant contributions to our understanding of information security and its implications. In this interview, we'll explore his background, education, and delve into some of his most influential works, such as his paper on the security implications of mono-culture. My co-hosts for this interview included Jack Daniel and John Strand. At the very end of the interview we talk about Dan giving the keynote at the Source Boston 2012 event. I've included a link to the video of that talk in the show notes for historical reference. ChatGPT summarized this keynote as follows stating: "Dan Geer discusses the claim that the internet is critical infrastructure and explores the potential hypocrisy involved in this assertion." So, without further ado, enjoy our interview with Dan Geer! Link to Dan Geer's 2012 Source Boston Keynote: https://www.youtube.com/watch?v=Qb8r0XoNd60   Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/vault-psw-3 

AI, machines, and killer robots, oh my! Elon Musk and 116 people sent a letter to the UN asking that Autonomous Weapons be banned.   Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/vault-swn-1

This week in the Security News, Dr. Doug talks: Russian Satellites, Cl0p, CISA, YouTube, ArcServ, EarlyRat, Aaran Leyland, and More on this edition of the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Visit https://www.securityweekly.com/swn for all the latest episodes!  Show Notes: https://securityweekly.com/swn-307  

This week, we welcome Dick Clarke to discuss his new book, The Fifth Domain, and the need for cyber resilience, especially these days! In the Leadership and Communications segment, 4 Behaviors That Help Leaders Manage a Crisis, The Right Way to Keep Your Remote Team Accountable, 15 Steps to Take Before Your Next Video Call, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/vault-bsw-3 

Securing data is hard. Business stops when data flows are hindered, stopped, sometimes even slowed. Placing controls around data traditionally leads to more friction and less productivity. Can it be a different story in the cloud? Today, we find out when we talk to Dan Benjamin about why he founded Dig and the space they're trying to fill in public cloud services. Paddy Harrington joins us from Forrester research to discuss his findings in this year's state of IoT security report. Computers have been shoved into anything and everything, both in the home and in the workplace. Paddy will share some interesting insights from the report, and we'll discuss why some of the results seem to conflict. Segment description coming soon! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-322

In this segment we welcome Carlos Perez back to the show! Carlos will discuss the different types of penetration testing, including adversary emulation, and a cool method we can use to cover our tracks on Windows systems. In the security news: You got so many CVEs you need your own, dedicated, vulnerability scanner, melting your neighbors with hacking, The FDA’s SBOM and OSS, when the vulnerability scanner has a vulnerability, violating CISA directives at scale, make 2FA a little easier with this device, NSA’s BlackLotus mitigation guide: who needs those certificates anyhow? Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Show Notes: https://securityweekly.com/psw-789

Without visibility and continuous monitoring, dangerous threats expose our blind spots and create risk. Invicti, who brought together Acunetix and Netsparker, analyzes common web application vulns across thousands of assets yearly and releases the Invicti AppSec Indicator for a holistic view of vulnerability trends from automated scan results. In this talk, Invicti Director of Product Patrick Vandenberg shares a deep dive into the trends currently impacting AppSec programs and discusses some of the best practices that will help organizations achieve efficiencies in their programs. Segment Resources: - [AppSec Indicator Spring 2023 edition | Invicti](https://www.invicti.com/clp/appsec-indicator/?utm_medium=contentsyn&utm_source=sc_media&utm_campaign=i-syn_CRA-ASW-Jun2023&utm_content=230424-ga_spring-appsec-indicator&utm_term=brand) This segment is sponsored by Invicti. Visit [securityweekly.com/invicti](https://securityweekly.com/invicti) to learn more about them!  In the news, two XSS vulns via postMessage methods in Azure, how to choose (and move on from) a web research topic, OpenSSF finances a security developer-in-residence for Python, more infosec myths, free cybersecurity training resources. Visit [securityweekly.com/asw](https://securityweekly.com/asw) for all the latest episodes! Follow us on Twitter: [@SecWeekly](https://www.twitter.com/secweekly) Like us on Facebook: [facebook.com/secweekly](https://www.facebook.com/secweekly) Visit https://securityweekly.com/asw for all the latest episodes!  Show Notes: https://securityweekly.com/asw-245

This week in the Security News, Dr. Doug talks: Win 3.1, Fortinet, Women in Cyber nominations, Teams, IOS, Mockingjay, Jason Wood and More! Visit https://www.securityweeky.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-306

In a tight economy, security budgets have been under scrutiny. Vendor consolidation strategies are real, but what are the pros and cons of this strategy? Shawn Surber from Tanium joins us to discuss how vendor consolidation is playing out and what to look for. It's not just an expense exercise, it's also a strategic alignment exercise. This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them! In the Leadership and Communications section, CISO Burnout Prevention: Tips for Work-Life Balance, Maximizing Leadership Potential, The Essence of Effective Management: Commitment, Foresight, and Leadership, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Show Notes: https://securityweekly.com/bsw-310

Emilie comes on the show to talk about penetration testing and share her knowledge and stories! In the Security News: There is no national cyber director, time to move away from MoveIT, update Microsoft IIS at least every 6 years, your security system is not secure, for that matter neither is your smart pet feeder, identity management is hard, at least for some, spies using spy gadgets to spy on spies, go ahead and just replace your hardware, secure boot is hard, bypassing the BIOS password (but don’t try this at home, or work for that matter), Rob shaved his beard, what’s new in PCI (drink, are we still drinking on PCI? If so, drink again), if your firmware isn’t patched, no cloud updates for you, and Gigabyte has a backdoor! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! FShow Notes: https://securityweekly.com/psw-788

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on September 29, 2021.   No Man is an Island. Neither can a security program exist without interconnections and strong relationships to the rest of the business. Yet, over and over again I meet Security Leaders that thrive on designing security fiefdoms with large moats, and one bridge that they roll down only when they intend to roll out a new technology, initiative or need budget authority. There is no amount of authority or power that can provided to a CISO that makes he or she immunized against the need for communication, collaboration and diplomacy with peers, users and Senior Executives.   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-2 

Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Incident Response, Software and Product Assurance, Coordinated Vulnerability Disclosure (CVD), and IoT or Connected Products Regulations are among the most active and developing areas of security policy around the world. This evolving landscape also serves as an opportunity for innovation and research collaboration. Elazari will walk us through some of the most recent trends in policy proposals shaping the future of security. We will also talk about bug bounties and vulnerability disclosure, what are some of the industry's best practices in this area, how to implement these programs to foster security, collaboration and transparency, and how this connects to the policy momentum and its impact on security researchers. Segment Resources: Project Circuit Breaker: https://www.intel.com/content/www/us/en/newsroom/news/intel-launches-project-circuit-breaker.html Project Circuit Breaker Landing Page: https://www.projectcircuitbreaker.com/ Intel’s 2021 Product Security Report: https://www.intel.com/content/www/us/en/security/intel-2021-product-security-report.html   Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/vault-asw-2 

Check out this interview from the BSW VAULT, hand picked by main host Matt Alderman! This segment was originally published on October 12, 2020.    We go off script. Michael Santarcangelo joins me for a discussion on leadership. We review the 4 C's of Leadership: 1. Culture 2. Collaboration 3. Communication 4. Cultivation - and Michael shares some of his leadership approaches and ideas.   Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/vault-bsw-2 

The WAF has a relatively long history with InfoSec. A few years back, we saw the traditional architecture separated by new technologies and philosophies on the best way to detect and stop web-borne attacks. In this episode with Daniel Corbett, we'll take a deep dive into the latest on WAF capabilities, what it means to be 'next-gen' in the WAF world, and how LLM AI like ChatGPT could influence the attacks we see (and have to defend against) in the near future. Explore the rapidly-evolving landscape of Managed Detection and Response (MDR) with insights from Sophos, a pioneering MDR provider. Understand how businesses can gain superior security outcomes and better value from their investments by integrating 3rd party products natively into an adaptive ecosystem backed up by 24/7/365 threat detection, incident response and proactive threat hunting from one of the largest global providers of MDR services.  Finally in the Enterprise News segment, we discuss the user-facing security trend, bad ideas in company naming/branding, and why you might not want to be on a list of the top 200 most secure companies. We also discuss the right way to treat employees when doing layoffs, and the future for companies that probably shouldn't have received funding before the market downturn. Finally, France uses AI to discover untaxed pools! This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them! Segment Resources: http://sophos.com/mdr  https://www.sophos.com/en-us/x-ops  This segment is sponsored by Sophos. Visit https://securityweekly.com/sophos to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-321

This week Dr. Doug talks: Killer Robots, ESXI, Lockbit, MoveIt, CISA, SEC, Texas, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes!  Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Show Notes: https://securityweekly.com/swn-305

Eric Olden, CEO and Co-Founder of Strata Identity, discusses the concept of Identity Orchestration. He covers the evolving identity landscape and how it has evolved to keep pace with modern apps, the challenges encountered during an identity modernization project, how Identity Orchestration helps those modernization projects, and best practices for implementing secure identity. Segment Resources: - [Identity Orchestration Use Cases](https://www.strata.io/use-cases/) - [What is Identity Orchestration WhitePaper](https://www.strata.io/resources/whitepapers/what-is-identity-orchestration-and-why-you-need-it-to-succeed-with-multi-cloud/) This segment is sponsored by Strata.  Visit https://securityweekly.com/strata to learn more about them!  This year's Verizon DBIR is out, CVSS is updating its methodology, poor password reset design, SQL injection in MOVEit, a CTF for AWS IAM Visit https://www.securityweekly.com/asw for all the latest episodes!  Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-244

Check out this interview from the PSW VAULT, hand picked by main host Paul Asadoorian! This segment was originally published on April 9, 2013.   Bill Cheswick logged into his first computer in 1968. Seven years later, he was graduated from Lehigh University in 1975 with a degree resembling Computer Science. Ches has worked on (and against) operating system security for over 35 years. He is probably best known for "Firewalls and Internet Security; Repelling the Wily Hacker", co-authored with Steve Bellovin, which help train the first generation of Internet security experts.    Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/vault-psw-2 

This week Dr. Doug talks: Mad dogs and paper clips, Fortinet, MoveIt, BatCloak, China, More News, and Jason Wood on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-304

The Gartner definition of integrated risk management is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks. Enterprises typically have a broad coverage of the risks that face the business including cybersecurity risk, however, its 2023 and after more than a decade of requiring training compliance for our people, the Verizon DBIR reports this year that 74% of breaches involved human error. It's clear that compliance is not the answer for where to include the human in an IRM strategy, so what's next? In the leadership and communications section, Only one in 10 CISOs today are board-ready, study says, Why Conflicting Ideas Can Make Your Strategy Stronger, How to Overcome Communication Barriers in Your Teamwork, and more! This segment is sponsored by Living Security. Visit https://securityweekly.com/livingsecurity to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-309

Phrenology, Barracuda, MoveIt, Lazarus, Minecraft, ChatGPT, Adrian Sanabria, and More on this edition of the Security Weekly News.  Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-303

This is the first interview in a two-part AI special! First up, we talk with Daniel Miessler, who has been following the generative AI trend very closely and is one of the most prolific writers and thought leaders on the topic. It's a massively divisive topic with the most successful product ever launched (ChatGPT). Some folks think it's overhyped, some think it's going to replace all the worst parts of the worst jobs, and others think it could be the beginning of the end for humanity. While other interviews on GenAI get deep into conversations on the future of humanity, we're going to stay closer to home on this one. It seems clear that GenAI will transform the enterprise more quickly than any other technology trend we've seen. We'll discuss what security needs to do to prepare for this shift, and why security teams should begin exploring GenAI themselves as soon as possible. Generative AI is taking the world by storm. Naturally, enterprises are looking for ways to integrate the innovative technology into their techstack, boost productivity of the knowledge workers and overall increase their ROI. The question is, how to do it without compromising data privacy and security standards of the enterprises. Segment Resources: https://zerosystems.com/ In this episode we briefly cover funding, and discuss Snyk's acquisition of Enso Security and Cisco's Armorblox buy. We discuss some new open source AI tools: privateGPT, llm, ttok, and strip-tags. We discuss the death of Meta's massive Metaverse movement and go DEEP down the rabbithole on the new Stop Silly Security Awards website. Artifact's AI rewrites clickbaity headlines and we wrap up by exploring a very entertaining Map of GitHub communities: https://anvaka.github.io/map-of-github/  Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw-320

Check out this interview from the PSW VAULT, hand picked by main host Paul Asadoorian! This segment was originally published on October 18, 2015. L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. We learn about the history of the L0pht and the future.   Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/vault-psw-1

Ducking AI, Kimsuky redux, SMB signing, MoveIt, Gigabyte, Splunk, Chrome Extensions, AI, Jason Wood and more on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn-302

The American Data Privacy and Protection Act introduces oversight of how companies handle the data they collect and process from U.S. citizens, including AI algorithms used to uncover insights that can be monetized. Security professionals should prepare now for the legislation by understanding how to audit algorithms and implement compliance processes. Even if this version of privacy legislation doesn’t pass, similar legislation will likely pass soon.   Segment Resources: Forbes Tech Council article: Why You Need to Prepare Now for Privacy Legislation That May Not Pass https://www.senecaglobal.com/media-mentions/ftc-why-you-need-to-prepare-now-for-privacy-legislation-that-may-not-pass/ Enterprise Security Tech - American Data Privacy Protection Act: What, Who, How https://www.enterprisesecuritytech.com/post/american-data-privacy-protection-act-what-who-how Security Info Watch - What the American Data and Privacy Act means for businesses https://www.securityinfowatch.com/security-executives/article/21295869/what-the-american-data-and-privacy-act-means-for-businesses   In the leadership and communications section, Cybersecurity Starts with the Board and C-Suite, How CISOs can achieve more with less during uncertain economic times, Why Authentic Leadership Is So Hard, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw-308 

Walking the show floor at RSA Conference, you couldn't trip without falling into an application security vendor booth ... and API security specialists were especially plentiful. Join Forrester Principal Analyst Sandy Carielli for her thoughts on RSA Conference and a deep dive into the challenges of API security. Segment Resources: https://www.forrester.com/blogs/insights-from-the-2023-rsa-conference-generative-ai-quantum-and-innovation-sandbox/   OWASP has a draft for the LLM Top 10, simple vulns in a modern SaaS app, ancient vuln in a Wordpress plugin, PyPI moves to secure its package manager accounts, ThinkstScape Quarterly research report, having fun with memory variables, DNS, and logins.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw-243 

Penetration Tester stories, dumb and funny stuff that's crazier than movies. Segment Resources: https://www.cyberpointllc.com/index.php https://www.cyberpointllc.com/srt.php In the security news: keystroke logs are stored in plain-text (and other atrocities in software used in schools), WPBT is the gift that keeps on giving and this time it's Gigabyte, PCI DSS 4.0 (drink!), immutable linux desktops, one packet exploits, neat linux malware, sock puppets, a must read new book about hacks, why SMB why?, boot girls, exposing customers....data, cracking GSM, you MUST use 2fa (not should, must), old wine in a new bottle, lab grown "meat", malicious bookmarks, and ChatGPT's secret reading list! All that and more on this episode of Paul’s Security Weekly. Visit https://www.securityweekly.com/psw for all the latest episodes!   Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Check out this interview from the ESW VAULT, hand picked by main host Adrian Sanabria! This segment was originally published on October 21, 2021. The Record has published several interviews with cybercriminals, courtesy The Record's Russian-speaking analyst, Dmitry Smilyanets (https://therecord.media/author/dmitry-smilyanets). These interviews have included representatives from REvil, BlackMatter, and Marketo. The interviews have uncovered the gangs' motivations, targets, and tactics, and have been cited by officials, including White House Deputy National Security Advisor Anne Neuberger. We talk with Adam Janofsky, founder and Editorial Director of The Record about what it's like to start a vendor-sponsored media outlet (The Record is funded by Recorded Future), and what they've learned by interviewing the bad guys. This segment is sponsored by Devo. Visit https://securityweekly.com/devo to learn more about them!   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-1 

Check out this interview from the BSW VAULT, hand picked by main host Matt Alderman! This segment was originally published on June 8, 2020.  Marc French has more than 25 years of technology experience in engineering, operations, product management, and security. Prior to his current role at CISO at Product Security Group, Marc was the SVP & Chief Trust Officer at Mimecast, Inc. and has held a variety of senior security roles at Endurance/Constant Contact, EMC/RSA, Iron Mountain, Digital Guardian, and Dun & Bradstreet.  With all this security experience, Marc has created a series of career ladders to help guide infosec professionals with their job journey, including the illustrious CISO position. We will also cover whether you really want to be a CISO...   All of the open source career ladders can be found here: https://github.com/product-security-group/Security_Ladders   Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/vault-bsw-1 

Check out this interview from the BSW VAULT, hand picked by main host Matt Alderman! This segment was originally published on June 8, 2020. Marc French has more than 25 years of technology experience in engineering, operations, product management, and security. Prior to his current role at CISO at Product Security Group, Marc was the SVP & Chief Trust Officer at Mimecast, Inc. and has held a variety of senior security roles at Endurance/Constant Contact, EMC/RSA, Iron Mountain, Digital Guardian, and Dun & Bradstreet. With all this security experience, Marc has created a series of career ladders to help guide infosec professionals with their job journey, including the illustrious CISO position. We will also cover whether you really want to be a CISO... All of the open source career ladders can be found here: https://github.com/product-security-group/Security_Ladders

Check out this interview from the ASW VAULT, hand picked by main host Mike Shema! This segment was originally published on March 14, 2022. Cybersecurity is a large and often complex domain, traditionally focused on the infrastructure and general information security, with little or no attention to Application Security. Security providers usually tack-on AppSec services to their existing menu of offering without understanding the domain, and their team of professionals have little or no experience with software development or inner workings of modern application architectures. As the world turns Digital at a rapid pace accelerated by the recent pandemic, applications become common place in our lives, providing attackers more opportunities to exploit these poorly protected applications. As such, it is important to know what is actually required to build and run software securely, and how to do application security right. Segment Resources: https://forwardsecurity.com/2022/03/07/application-security-for-busy-tech-execs/ Show notes: https://www.scmagazine.com/podcast-episode/asw-188-farshad-abasi 

Ferret Legging, Elon's Brain Implants, Volt Typhoon, CosmicEnergy, OAuth, ILoveYou (and that's not just the Molly talking), Aaran Leyland, and More on this episode of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn301 

On this edition of the ESW news, we're all over the place! Funding and acquisitions are a little sad right now, but AI and TikTok bans raise our spirits. The hosts are split on feelings about the new .zip gTLD, there's a new standard for scoring an "AI Influence Level" (AIL), and lessons learned from Joe Sullivan's case and other Uber breaches. Also, don't miss the new AI tool DragGAN, which enables near magical levels of ease when manipulating photos.   What's even real anymore? We might not be able to tell for long... The reality is no organization is insusceptible to a breach – and security teams, alongside the C-suite, should prepare now to make the response more seamless once a crisis does happen. Based on his experience working 1:1 with security leaders in the private and public sectors, Jon Check, executive director of Cyber Protection Solutions at Raytheon Intelligence & Space, will share the critical steps organizations must take to best prepare for a security breach. This segment is sponsored by Raytheon. Visit https://securityweekly.com/raytheonrsac to learn more about them!   While companies utilize dozens of security solutions, they continue to be compromised and are continually searching for their real cybersecurity gaps amongst the overload of vulnerability data. A primary issue security teams face is that they lack a way to continuously validate the effectiveness of the different security solutions they have in place. Automated Security Validation is revolutionizing cybersecurity by applying software validation algorithms, for what was once manual penetration testing jobs. It takes the attacker's perspective to challenge the integrity and resilience of security defenses by continuously emulating cyber attacks against them. This segment is sponsored by Pentera. Visit https://securityweekly.com/penterarsac to learn more about them!   Security teams are always on the lookout for external threats that can harm our organizations. However, an internal threat can derail productivity and lead to human error and burnout: repetitive, mundane tasks. To effectively defend against evolving threats, organizations must leverage no-code automation and free analysts to focus on higher-level projects that can improve their organization’s security posture. This segment is sponsored by Tines. Visit https://securityweekly.com/tinesrsac to learn more about them!   In today’s hyper-connected world, devices are everywhere, people are online constantly and sensitive data has moved to the cloud. Given these trends, organizations are making digital trust a strategic imperative. More than ever, companies need a unified platform, modern architecture and flexible deployment options in order to put digital trust to work. This segment is sponsored by DigiCert. Visit https://securityweekly.com/digicertrsac to learn more about them!   Bill Brenner, VP of content strategy at CyberRisk Alliance, and Cisco storyteller/team leader/editor Steve Ragan discuss the issues security professionals are sinking their teeth into at RSA Conference 2023, including: Threats organizations face amid geopolitical strife (Russia/Ukraine, China, North Korea) What SOCs need to respond to a world on fire (training for cloud-based ops, XDR) Challenges of identity and access management (zero trust, MFA, hybrid work environments) Challenges of vulnerability management (finding the most critical flaws in the cloud, key attack vectors in 2023, ransomware) This segment is sponsored by Cisco. Visit https://securityweekly.com/ciscorsac to learn more about them!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw319 

Liam Mayron from Fastly comes on the show to talk about his unique path into information security, the security implications of generative AI, advances in technologies to protect web applications, detecting bots, and enabling better MSP services! This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them!   In the Security News: a cross-platform, post-exploit, red teaming framework, cover your backups, your voice should never be your passport, time to change your fingerprints, a drop in the bucket sucka, Thor will take out those pesky drones, never give your AI friends money, bye-bye PyPi for a while anyhow, bug bounties are broken, you say you want people to update routers, not-too-safe-boot, mystery microcode, Cisco listens to the podcast (they must have heard it from Microsoft), will it run DOOM?, your server is bricked, permentantly, Hell never ends on x86, and coldplay lyrics in your firmware.   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw786 

Space, the final frontier, Naughty Cell Phones, HP, ASUS, Meta, Google, Gil Kirkpatrick, and more on this edition of the Security Weekly News.   Segment Resources:  https://www.darkreading.com/cloud/microsoft-azure-vms-highjacked-in-cloud-cyberattack   This segment is sponsored by Semperis. Visit https://securityweekly.com/semperis to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn300

The OWASP Top 10 dates back to 2003, when appsec was just settling on terms like cross-site scripting and SQL injection. It's a list that everyone knows about and everyone talks about. But is it still the right model for modern appsec awareness? What if we put that attention and effort elsewhere? Maybe we could have secure defaults instead. Or linters and build tools that point out these flaws. We'll talk about top 10 lists, what we like about them, what we don't like, and what we'd like to see replace them. We'll also test our hosts' knowledge of just how many top 10 lists are out there.   Segment resources: [OWASP Top 10:2021](https://owasp.org/Top10/)  [OWASP API Security Project](https://owasp.org/www-project-api-security/) [OWASP Top 10 Mobile Risks](https://github.com/OWASP/www-project-mobile-top-10/blob/master/2016-risks/index.md) [OWASP Top 10 CI/CD Security Risks](https://owasp.org/www-project-top-10-ci-cd-security-risks/) and [ASW #220](https://www.scmagazine.com/podcast-episode/asw-220-daniel-krivelevich) [OWASP Low-Code/No-Code Top 10](https://owasp.org/www-project-top-10-low-code-no-code-security-risks/) [OWASP Top 10 Privacy Risks](https://owasp.org/www-project-top-10-privacy-risks/) [OWASP Proactive Controls](https://owasp.org/www-project-proactive-controls/) [OWASP AI Security and Privacy Guide](https://owasp.org/www-project-ai-security-and-privacy-guide/) [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org) [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/) and [ASW #232](https://www.scmagazine.com/podcast-episode/asw-232-josh-grossman) [Moving on from the OWASP Top 10](https://deadliestwebattacks.com/appsec/2023/03/30/reflecting-on-the-owasp-top-10)   New TLDs are already old news, fuzzing eBPF validators, Microsoft sets to kill bug classes, draft RFC to track location trackers, a top ten list with directory traversal on it, conference videos from Real World Crypto and BSidesSF, and an attack tree generator from markdown.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw242 

You can rebuild infrastructure. But you can’t un-breach data – Data sits at the core of an organization and is often the most open and vulnerable. This is why data security is the most important and urgent security problem to solve right now. We’re joined by Matt Radolec, Senior Director of Incident Response and Cloud Operations at Varonis, to walk through the blast radius concept – from what it is and how to use it to understand your organization's risk, to how it can serve as a guide to securing data from insiders and external attackers.   Segment Resources: The Great SaaS Data Risk Exposure report: https://info.varonis.com/hubfs/Files/docs/research_reports/Varonis-The-Great-SaaS-Data-Exposure.pdf The Forrester Wave™: Data Security Platforms, Q1 2023 https://reprints2.forrester.com/#/assets/2/1646/RES178465/report Learn more about the Varonis Data Security Platform https://www.varonis.com/products/data-security-platform   This segment is sponsored by Varonis. Visit https://securityweekly.com/varonis to learn more about them!   In the leadership and communications section: Do You Really Need a CISO?, A CISO Employment Contract May Mean the Difference Between Success and Jail, When Your Employee Tells You They’re Burned Out, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw307 

$10M reward, a serious wemo vulnerability, EXSI threats, critical Cisco flaws, millions of smart phones with preinstalled malware and Bill Brenner   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn299 

This week, we discuss fundings, acquisitions (TWO DSPM exits!), the ongoing market downturn/weirdness, and surprise - LLM-based AIs! We spend a fair amount of time talking about the importance of breach transparency - we need to be able to learn from others' failures to improve our own defenses. We also discuss the inevitable 'One App To Rule them All' that will serve as an all-knowing personal assistant. It will integrate with all our comms, calendars, and notes, which will be scary and fraught with privacy and security issues. But Tyler and Adrian still yearn for it, as their pre-frontal cortexes become increasingly dulled by scotch and beer.   Enterprises are struggling to manage and reduce their organizational attack surface, especially with a shortage of skilled staff. Find out how some security executives are tackling this challenge by automating their IT and vulnerability management. This segment is sponsored by Syxsense. Visit https://securityweekly.com/syxsensersac to learn more about them!   Cars have evolved from a physical mode of transportation to a digitized experience, bringing with it new risks and challenges in security, privacy and user experience. Putting identity at the center of the connected world solves simplicity and safety challenges, including physical safety, digital security and data privacy. Furthermore, decentralized identity plays a major role in a better, more secure seamless experience – not just for vehicles, but for society at large. This segment is sponsored by ForgeRock. Visit https://securityweekly.com/forgerockrsac to learn more about them!   There is a war on trust in the digital world, and people are caught in the crosshairs. Everywhere we look, there are identity risks with crippling repercussions for businesses, whether fake people, fake content, or insecure web links. With the rise of generative AI tools in business, threat actors are utilizing these technologies to create more sophisticated phishing emails – mimicking brands and tone or more easily translating copy into several languages making them more difficult to identify and easily connecting hackers with global audiences. Now is the time to implement solutions that empower a connected thread of trust between businesses and users – before all trust is lost. This segment is sponsored by OneSpan. Visit https://securityweekly.com/onespanrsac to learn more about them!   Semperis CEO Mickey Bresman sits down with SC Magazine to share practical steps for improving Active Directory resilience in the face of escalating cyberattacks, using real-world examples. With cybercrime costs projected to reach $8 trillion in 2023 and AD being the top target for attackers, organizations must prepare to detect, respond, and recover from AD-based attacks. Learn how InfoSec and IAM teams can operationalize the Gartner "top trending" topic of identity threat detection and response (ITDR) to ward off attackers and take back the advantage. This segment is sponsored by Semperis. Visit https://securityweekly.com/semperisrsac to learn more about them!   Today’s CISOs are laser focused on three imperatives: reducing risk; reducing operational costs, and attracting or retaining top talent. All three priorities are driven by creating a better SOC analyst experience which translates to less time to detect and respond to an attack. In this discussion, we’ll uncover how Extended Detection & Response (XDR) can drastically improve the SOC analyst experience and alleviate CISOs’ top challenges. This segment is sponsored by VMware. Visit https://securityweekly.com/vmwarecarbonblackrsac to learn more about them!   While emerging cyber threats and vulnerabilities tend to dominate headlines, criminals often exploit known vulnerabilities to gain access to critical systems and data for nefarious purposes. And with the number of vulnerabilities rising constantly, they can pose significant risk to organizations, especially if defenders don’t know which ones are critical. Learn how Expel is helping to pull back the curtain on how organizations can more effectively prioritize their most critical vulnerabilities. This segment is sponsored by Expel. Visit https://securityweekly.com/expelrsac to learn more about them!   Visit https://www.securityweekly.com/esw\ for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw318 

Kevin Johnson joins us to discuss pen testing, automated testing, why AI testing is not pen testing!   In the security news: How AI Knows Things No One Told It, Dragos Employee Gets Hacked, VMProtect Source Code Leaks, CISA Vulnerabilities, SHA-1 is a Shambles, Microsoft Scans Inside Password Protected Files, Geacon Brings Cobalt Strike Compatability to MacOS, Google Launches Tools to Identify Misleading & AI Images, Cyberstalkers Use New Windows Feature to Spy on iPhones, Texas A&M Prof Flunks all his Students, Wemo Won’t Fix Smart Plug Vulnerability, Catfishing on an industrial scale, and Hacking the Ocean to store Carbon Dioxide   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw785 

This week in the Security News, Aaran Leyland joins remotely to dish out the latest news: Cyber Resilience Act contains a poison pill, a powerful backdoor, Malicious Actors and Jason Wood - Valued Co-Host OR Malicious Actor? All that and more on this episode of SWN!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn298 

What happens to an app's security after six months? What about a year or two years? A Secure SDLC needs to maintain security throughout an app's lifetime, but too often the rate of new flaws can outpace the rate of new code within an app. Appsec teams need strategies and processes to keep software secure for as long as possible. Segment Resources: https://www.veracode.com/state-of-software-security-report   Learn how hackers are exploiting the trust that mobile app owners place in their customers. Hackers are increasingly modifying app code, posing as trusted customers, and infiltrating IT infrastructure. This segment is sponsored by Verimatrix. Visit https://securityweekly.com/verimatrixrsac to learn more about them!   Unlike vulnerabilities, which can and do often exist for months or years in application code without being exploited, a malicious package represents an immediate threat to an organization, intentionally designed to do harm. In the war for cybersecurity, attackers are innovating faster than companies can keep up with the threats coming their way. A new approach is needed to stay ahead of the impacts of malicious packages within applications. Findings from our latest report "Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities" illustrate the growing threat of malicious packages. From 2021 to 2022, the number of malicious packages published to npm and rubygems alone grew 315 percent. Mend.io technology detected thousands of malicious packages in existing code bases. The top four malicious package risk vectors were exfiltration, developer sabotage, protestware, and spam. Nearly 85 percent of malicious packages discovered in existing applications were capable of exfiltration – causing an unauthorized transmission of information. Threat actors leveraging this type of package can easily collect protected information before the package is discovered and removed. We’ll share why as long as open source means open, the door will be left open to bad actors, so it’s especially critical to know when things are being brought into your code. Malicious packages represent an immediate threat, unlike vulnerabilities, and can not be taken lightly. This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw241 

Medtronic's Security Ambassador program has seen tremendous growth and engagement in recent years. Learn how they gave their program a shot of adrenaline and haven't looked back since.   Cybersecurity teams today are inundated with tools that provide an abundance of alerts and data about threats, gaps, vulnerabilities and everything in between. While security tools are critical to operating a cybersecurity program and produce helpful data, they should never dictate an organization’s cybersecurity strategy. Instead, Amad Fida, CEO & Founder of Brinqa, explains why business priorities should be the foundation for any company’s cybersecurity strategy. This segment is sponsored by Axonius. Visit https://securityweekly.com/axoniusrsac to learn more about them!   Economic uncertainty has forced IT and security leaders to be more cautious than ever when increasing spending and team size. Suh dynamics give CISOs and CIOs an opportunity to demonstrate value by going beyond “merely” defending the organization from threats. We can contribute toward the organization’s efforts to constrain costs by looking inward at existing tools and assets to understand deployment, usage, and value. We can do this by ensuring the company is making the most of what it already has – and eliminating the spend that’s not being utilized in the most effective way. This segment is sponsored by Brinqa. Visit https://securityweekly.com/brinqarsac to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw306 

Singing Terminators, Gmail, Joe Sullivan, Dragos, ESXi, Microsoft, Greatness, Jessica Davis, and More on this episode of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn297 

We are nearly half way through 2023, and we're seeing some new trends surface in the cyber landscape. These include generative artificial intelligence, which was everywhere at RSA Conference this year, as well as automation across security operations and the continued need for skilled expertise. Join Matt Alderman from CyberRisk Alliance and Antonio Sanchez, Principal Evangelist at Fortra, as they dive into 2023 cybersecurity trends and observations. Segment Resources: https://www.fortra.com/resources/cybersecurity-education?code=cmp-0000011812&ls=717710002&utm_source=cyberrisk-alliance&utm_medium=contsynd&utm_campaign=ft-brand-awareness https://www.fortra.com/products/bundles?code=cmp-0000011812&ls=717710002&utm_source=cyberrisk-alliance&utm_medium=contsynd&utm_campaign=ft-brand-awareness   This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them!   In the enterprise security news, A slow week for funding, but, as always, a busy week for AI news! Databricks acquires Okera, CrowdStrike, Fortinet and other cybersecurity shares rise, Merck might finally see that $1.4 billion dollar NotPetya payout, Ex-Uber CISO Joe Sullivan won’t go to jail, Google rolls out passkey support, Do Bartenders make good pen testers?, ICS using steganography to hide data, DEF CON will unleash hackers on Large Language Models, and Security’s eternal prioritization problem!   The browser is the most used application, but was never built with the needs of the enterprise in mind. The Enterprise Browser delivers a whole new level of visibility, security and governance. This conversation will explore the benefits of the Enterprise Browser and the gaps it is filling for enterprises around the world. This segment is sponsored by Island. Visit https://securityweekly.com/islandrsac to learn more about them!   Resilience and the capacity for reinvention have never been more important. In a world evolving at the speed of tech and roiled by the pandemic, enterprises that have security innovation woven into their DNA enjoy a distinct advantage. Learn more. This segment is sponsored by Sumo Logic. Visit https://securityweekly.com/sumologicrsac to learn more about them!   The increased prevalence of phishing kits sourced from black markets and chatbot AI tools like ChatGPT has seen attackers quickly develop more targeted phishing campaigns. This improved targeting has simplified the process of manipulating users into taking actions that compromise their security credentials, leaving them and their organizations vulnerable. This segment is sponsored by Zscaler. Visit https://securityweekly.com/zscalerrsac to learn more about them!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw317 

In this talk, Paula Januszkiewicz, renowned cybersecurity expert with years of experience in the field, shares her insights on critical tasks that must be included in any successful penetration testing checklist. She will offer the listeners a sneak peek into her pentesting trick book, discuss the special tools she is using, and highlight the importance of diversifying your pentester's toolkit. This episode is a must-listen for anyone interested in mastering the art of penetration testing.   In the security news: feel free to cry a bit, honeytokens are the shiny new hotness, it's fixed in the future, backdooring electron, should we move to passkeys, the turbo button, why Cisco hates SMBs, old vulnerabilities are new again, MSI, Boot Guard and some FUD, fake tickets, AI hacking, prompt injection, and the SBOM Bombshell!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw784 

Poisonous Parsley and Chat GPT, QR codes, Boot Guard, Akira, Wanted Posters, SuperCare, VPNS, Jason Wood, and more on this edition of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn296 

What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/   In the ever-evolving world of cybersecurity, attackers are constantly finding new ways to infiltrate your software supply chains. But with GitGuardian's Honeytoken, you can stay ahead of the game. Deploy honeytokens at scale, monitor for unauthorized use, and detect intrusions before they can wreak havoc on your system. With Honeytoken, you'll have the insight you need to protect your confidential data and know where, who, and how attackers are trying to access it. This segment is sponsored by GitGuardian. Visit https://securityweekly.com/gitguardianrsac to learn more about them!   In light of the constant change in the threat landscape, how does an organization keep up with the attackers who're always innovating? New specialized security solutions are regularly being introduced to address new threats, increasing complexities and the non-functional requirement(NFRs) associated with integration of these systems to already complicated enterprise web applications. How does an organization implement holistic defense without increasing cost, complexity and impacting user experience? Edgio will address how an edge-enabled holistic security platform can effectively reduce the attack surface, improve the effectiveness of the defense while reducing the latency of critical web applications via it’s multi-layered defense approach. It also offers the ability to integrate with an enterprises' DevSecOps workflow to achieve better security practices. Edio will discuss how its security platform “shrinks the haystacks” so that organizations can better focus on delivering key business outcomes. This segment is sponsored by Edgio. Visit https://securityweekly.com/edgiorsac to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw240 

Each year, Forrester tracks the top systemic risks — external events that impact your firm and customers but are out of your control — facing organizations. The impacts of climate change are both short-term, in the form of severe weather, drought, and heat waves, and long-term, in the form of biodiversity loss, sea-level rise, and rising temperatures. Want to see where climate risk ranked on the list? Read The Top Systemic Risks, 2023 (https://www.forrester.com/report/the-top-systemic-risks-2023/RES179156) or listen to this segment on Business Security Weekly.   A resilient cybersecurity strategy is essential to running your business while protecting against security threats and preventing data breaches. For CISOs, partnering with a managed service security provider (MSSP) means you can be in control of your organization’s information and infrastructure security without placing a strain on internal personnel or resources which is critical in today’s uncertain economy. With an MSSP on board, CISOs are better equipped to meet strategic and business goals, while improving operations and reducing expenses. This interview will discuss not only why to consider an MSSP but how to choose the right one for the job. This segment is sponsored by Direct Defense. Visit https://securityweekly.com/directdefensersac to learn more about them!   Insider Risk is a problem that continues to grow - and that companies are still struggling to solve. CISOs state that it is the number one most difficult threat to detect, placing it over malware and ransomware. Code42 President and CEO Joe Payne will explain why the Insider Risk problem is so challenging and will offer guidance on how to solve it. This segment is sponsored by Code42. Visit https://securityweekly.com/code42rsac to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw305 

St. Alban's Day, Kimsuky, WinRAR, Microsoft, fake AI, Siemens, Apple, and More on this episode of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn295 

This week, we start with the news: 2 weeks of news to catch up on! 16 funding stories, 4 M&A stories, Cybereason prunes its valuation… a lot, First Republic Bank seized by FDIC, Ransomware is irrelevant Sun Tzu hates infosec, AI Trends, Kevin Mandia’s 7 tips for defense, & How much time should we spend automating tasks?   Christopher will delve into what lateral security/lateral movement are and identify key lateral security tools (network segmentation, micro-segmentation, advanced threat prevention systems, network sandboxes, and network traffic analysis/network detection and response). He will also touch on why automation is important when it comes to consistent security and the current threat landscape.  This segment is sponsored by VMware. Visit https://securityweekly.com/vmwarenetsecrsac to learn more about them!   AT&T Cybersecurity released its 12th annual Cybersecurity Insights Report, “Edge Ecosystem,” which highlights the dramatic shift in computing underpinned by 5G, the edge, and the convergence of networking and security. The report found that business and technology leaders are finally coming together not just to understand the new edge computing ecosystem, but to make more predictable, data-informed business decisions. Collaboration among these leaders, as well as external partners in the ecosystem, will be critical for the edge journey ahead – but more progress must be made to better leverage the edge and transform the business. This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attrsac to learn more about them!   EASM is a critical component of continuous threat exposure management and a necessary step in improving validation and vulnerability management processes. Gartner recently published a report describing the evolution of EASM and where it's headed in the market. We're excited to see the market move in this direction because, at NetSPI, we're already committed to investing in our team and technology to stay ahead of these trends. We already have a head start. This segment is sponsored by NetSpi. Visit https://securityweekly.com/netspirsac to learn more about them!   “Man plans, the Universe laughs” - unfortunately, that’s been the saying for far too long when it comes to cybersecurity. Security leaders know it's only a matter of time before their organization gets breached, but instead of being ready for it, they rely on fixing the problem after it happens. In Cisco’s newest report, the first ever Cybersecurity Readiness Index, it was found that a small minority of businesses globally (15%) consider themselves to be ready and able to defend against the expanding array of cybersecurity risks and threats of today. Organizations need to get ready and stay ready with solutions they can trust. This segment is sponsored by Cisco. Visit https://securityweekly.com/ciscorsac to learn more about them!   OpenText Cybersecurity is on a mission to simplify security by delivering smarter, innovative solutions. Geoff Bibby, the SVP of OpenText Cybersecurity Marketing & Strategy, will offer insight into the company’s purpose-built approach to create a powerhouse cybersecurity portfolio that scales to meet the security needs of large enterprises down to individual consumers.  This segment is sponsored by OpenText. Visit https://securityweekly.com/opentextrsac to learn more about them!   The continued headcount shortage facing cybersecurity teams is driving many organizations to embrace Managed Detection and Response (MDR) as a way to combat cyber threats. With this demand, dozens of MDR companies have emerged over the past two years. Critical Start’s CTO, Randy Watkins, will discuss the origin of MDR, share evaluation tips, and reveal some of the potential pitfalls. This segment is sponsored by Critical Start. Visit https://securityweekly.com/criticalstartrsac to learn more about them!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw316 

Rob "Mubix" Fuller comes on the show to talk about penetration testing, what's changed over the years? He'll also discuss "Jurassic Malware" and creating games in your BIOS.   This week in the Security News: 5-year old vulnerabilities, hijacking packages, EV charging apps that could steal stuff, do we even need software packages, selling hacking tools and ethics, I hate it when vendors fix stuff, HTTPS lock status, no pornhub for you!    Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw783 

Pornhub, LobShot, TMobile, lawsuits, CISA, CERN, AI, Jason Wood, and more on this edition of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly    Show Notes: https://securityweekly.com/swn294 

Application security is messy and is getting messier. Modern application security teams are struggling to identify what's more important to fix. Cloud security and application security is getting squeezed all together. Modern vulnerability maturity needs a new approach and guidance. Vulnerability management framework and mature defect management is often overlooked as organizations tend to identify issues and stop there. The devil is usually in the details and time gets burned down in identifying who needs to solve what where. Vulnerability Management Maturity Framework has been created to address that. Segment Resources: Framework: https://phoenix.security/vulnerability-management-framework/ Books on metrics: https://phoenix.security/whitepapers-resources/data-driven-application-security-vulnerability-management-are-sla-slo-dead/ Vulnerability aggregation and prioritization https://phoenix.security/whitepapers-resources/whitepaper-vulnerability-management-in-application-cloud-security/ Shift left: https://phoenix.security/shift-everywhere/ Vulnerability management talk: https://phoenix.security/web-vuln-management/ Vulnerability management framework playlist (explained) https://www.youtube.com/playlist?list=PLVlvQpDxsvqHWQfqej5Gs7bOd-cq8JO24 How to act on risk: https://phoenix.security/phoenix-security-act-on-risk-calculation/   Without visibility into your entire web application attack surface and a continuous find and fix strategy, dangerous threats can expose your organization's blind spots and create risk. Invicti analyzes common web application vulnerabilities across thousands of assets yearly and releases the Invicti AppSec Indicator for a holistic view of application vulnerability trends from automated scan results across regions. In this interview, Invicti's Patrick Vandenberg zooms in on the vulnerabilities plaguing organizations, providing insight into this year's report trends, and guidance on how CISOs and AppSec program leaders can create an environment for their teams that mitigates risk. Segment Resources: https://www.invicti.com/clp/appsec-indicator/?utm_medium=contentsyn&utm_source=sc_media&utm_campaign=i-syn_RSA-CRA-interview-2023&utm_content=230424-ga_spring-appsec-indicator&utm_term=brand T his segment is sponsored by Invicti. Visit https://securityweekly.com/invictirsac to learn more about them!   Flaws in the design and implementation of an application can create business logic vulnerabilities that allow attackers to manipulate legitimate functionality to achieve a malicious goal. What’s more, API-related security incidents exploit business logic, the programming that manages communication between the application and the database. In this discussion, Karl Triebes shares what you need to know about business logic attacks to effectively protect against them. This segment is sponsored by Imperva. Visit https://securityweekly.com/impervarsac to learn more about them!    Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw239 

This week, it's time for Security Money. We recap Q1 2023 with the latest financial results, funding announcements, and layoffs. Don't miss this quarterly update. At the market close on April 28th 2023: - SW25 Index is 1,404.31, which is an increase of 40.43% (up from last Q) since inception. - NASDAQ Index is 12,226.58, which is an increase of 84.27% (up from last Q) during the same period.   CISOs face the complex challenge of protecting organizations against an expanding array of cybersecurity risks. While the role requires constant adaptation to protect against new threats, CISOs often bear the blame when defenses are breached. In this segment Kunal Anand, CTO & CISO, Imperva, discusses the evolution of the role and what aspiring professionals need to know if they want to hold the title. This segment is sponsored by Imperva. Visit https://securityweekly.com/impervarsac to learn more about them!   Today’s security products are evolving to meet the changing attack surface, each one targeting a specific set of risks. For organizations, this typically means that to increase security maturity, they need to implement a number of different solutions, and as the attack surface continues to expand, their tech stack quickly becomes difficult to manage. It’s time for the industry to help security teams achieve a better balance and reduce this operational burden. Segment Resources:  https://www.fortra.com/resources/cybersecurity-education?code=cmp-0000011766&ls=717710002&utm_source=cyberrisk-alliance&utm_medium=video&utm_campaign=ft-rsa-conference This segment is sponsored by Fortra. Visit https://securityweekly.com/fortrarsac to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw304 

Github, FIN7, Banks, Minecraft, Google Authenticator, Qualcomm, TenCent, BlueSky, Derek Johnson talks about China and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn293

STM32 boards, soldering, decapping chips, RTOS development, lasers, multiple flippers and for what you ask? So I can be alerted about a device I already know is there. The Flipper Zero attracted the attention of news outlets and hackers alike as people have used it to gain access to restricted resources. Is the Flipper Zero that powerful that it needs to be banned? This is a journey of recursion and not taking “no” for an answer. Kailtyn Hendelman joins the PSW crew to discuss the Flipper Zero and using it to hack all the things. In the Security News: SSDs use AI/ML to prevent ransomware (And more buzzword bingo), zombie servers that just won't die, spectral chickens, side-channel attacks, malware-free cyberattacks!, your secret key should be a secret, hacking smart TVs with IR, getting papercuts, people still have AIX, ghosttokens, build back better SBOMs, Salsa for your software, Intel let Google hack things, and they found vulnerabilities, and flase positives on your drug test, & more! Flipper resources: * [Changing Boot Screen Image on ThinkPad's UEFI](https://www.youtube.com/watch?v=kvqZRTMAlMA -Flipper Zero) * [A collection of Awesome resources for the Flipper Zero device.](https://github.com/djsime1/awesome-flipperzero) * [Flipper Zero Unleashed Firmware](https://github.com/DarkFlippers/unleashed-firmware) - This is what Paul is using currently. * [A maintained collective of different IR files for the Flipper!](https://github.com/UberGuidoZ/Flipper-IRDB) - Paul uses these as well. * [Alternative Infrared Remote for Flipperzero](https://github.com/Hong5489/ir_remote) Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly  Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw782

Teenage Mutant Ninja Hackers, Mark Twain, TP-Link, Intel, Papercut, Rustbucket, Solarwinds, Blue Check Marks, Jason Wood, and more on this edition of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn292 

Jeff Moss shares some of history of DEF CON, from CFPs to Codes of Conduct, and what makes it a hacker conference. We also discuss the role of hackers and researchers in representing users within policy discussions.   Segment links https://defcon.org  https://forum.defcon.org https://media.defcon.org https://defcon.social/about   Microsoft turns to a weather-based taxonomy, k8s shares a security audit, a GhostToken that can't be exorcised from Google accounts, BrokenSesame RCE, typos and security, generative AI and security that's more than prompt injection   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw238 

We talk a lot about closing the skills gap, but it's harder said than done. So we thought we'd tackle the problem in our 2nd episode os Say Easy, Do Hard. Part 1 will discuss the skills needed, the requirements of the position, and the real qualifications for cybersecurity jobs. We will discuss the practical, realistic expectations of working in cybersecurity, not the hyped stereotypical positions.   After discussing the requirements for working in cybersecurity, part 2 will tackle where to find the talent. We will explore education, apprenticeships, mentorships, and training. We will also identify areas within the business that have resources with skills that are very complementary with cybersecurity that also make great recruiting areas.   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw303 

Elon, Clop, EvalPhP, VMWare, Google, Fancy Bear, Routers, 3CX, Aaran Leyland, and More on this episode of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn291 

Discuss observations and trends across the venture capital ecosystem as it pertains to cybersecurity. This will include a re-cap in how 2022 ended, what we saw in Q12023, and what we expect from an investing standpoint. Segment Resources: https://forgepointcap.com/   With over 1 billion records exposed in just the top 35 breaches, over $2.6 billion stolen in the top nine cryptocurrency breaches, and over $2.7 billion in fines levied to the top 35 violators, lessons abound for security teams. We will walk through some of the biggest trends in last year's data breaches and privacy violations, and we'll talk about what security leaders can learn from these events. Segment Resources: https://www.forrester.com/blogs/2022-breaches-and-fines-offer-lessons-to-security-leaders   In the Enterprise Security News, Lots of funding announcements and new companies, Private Equity acquires Maltego, Cinven acquires RSA Archer Comcast launches a security product, Zscaler has beef with Gartner, CISA releases updated Zero Trust Model, Amazon jumps into the AI LLM fray, AutoGPT stretches the imagination and potential use cases, The Ever Changing API security market, New security books just released, Zombie birds!    Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw314 

Quantum computing is a rapidly emerging technology that harnesses the laws of quantum mechanics to solve problems that today’s most powerful supercomputers cannot practically solve. IBM's Dr. Kayla Lee will explain how close we are to a computational quantum advantage: the point where a computational task of business or scientific relevance can be performed more efficiently, cost-effectively, or accurately using a quantum computer than with classical computations alone.  Segment Resources: What is quantum computing? https://www.ibm.com/topics/quantum-computing About IBM Quantum: https://www.ibm.com/quantum About the IBM Quantum Development Roadmap: https://www.ibm.com/quantum/roadmap Access and program a quantum computer: https://quantum-computing.ibm.com/   Quantum computers are scaling rapidly. Soon, they will be powerful enough to solve previously unsolvable problems. But they come with a global challenge: fully-realized quantum computers will be able to break some of the most widely-used security protocols in the world. Dr. Vadim Lyubashevsky will discuss how quantum-safe cryptography protects against this potential future. Segment Resources: IBM Quantum Safe: https://www.ibm.com/quantum/quantum-safe IBM scientists help develop NIST’s quantum-safe standards: https://research.ibm.com/blog/nist-quantum-safe-protocols Government and industry experts recommend moving to quantum-safe cryptography: https://research.ibm.com/blog/economist-quantum-safe-replay   We're talking with Matt Johansen about his new newsletter, Vulnerable U. We'll discuss his journey from vendors to massive enterprises to less massive enterprises and what he's learned about InfoSec along the way. Like us, Matt has some strong takes on many InfoSec topics, so this conversation could go down many paths. Regardless, we're excited about the journey and the destination with this interview. Subscribe to [Vulnerable U] https://link.mail.beehiiv.com/ss/c/CygrK4bVgDWxdDLo_7X0UUe8u_TcBPAeAQlRvYdH5hN2mTxFi32BUXbh9K9a2mS8ILJXWKo4rmayv53niV3c6NrsGo7UAp6yFd9EScNQoNwURBhep7S6sIyNBsEMNJ7Z/3v8/6L9W-AB2Sx6Ts9cCBWFiYw/h9/mYsvCYdHno82QRYGHJuyaUZtu8PbgH5PWFi3mLY1CNg    Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw315 

We will talk about Supply chain security, the TPM 2.0 vulnerabilities recently discovered by a Quarkslab researcher, bugs in reference implementations, vulnerability disclosure and perhaps various other topics. Segment Resources: Vulnerabilities in the TPM2.0 reference implementation https://blog.quarkslab.com/vulnerabilities-in-the-tpm-20-reference-implementation-code.html Vulnerabilities in High Assurance Boot of NXP i.MX microprocessors https://blog.quarkslab.com/vulnerabilities-in-high-assurance-boot-of-nxp-imx-microprocessors.html Heap memory corruption in ASN.1 parsing code generated by Objective Systems Inc. ASN1C compiler for C/C++ https://github.com/programa-stic/security-advisories/blob/master/ObjSys/CVE-2016-5080/README.md   In the security news: Blizzards, Sleet, Typhoons, Sandstorms and Tsunamis, masking your car stealing tech in a Nokia phone, kill -64, Google doesn't want to fix an RCE, hijacking packages, monitoring macs, beating Roulette, lame advice from Microsoft, are post-authentication vulnerabilities even vulnerabilities?, Ghosts, burpgpt, and do you trust Google? All that and more on this episode of Paul’s Security Weekly.   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw781 

Securing the business can often come at a cost of employee productivity, but it doesn’t have to be this way. Especially in today’s economic climate, the security team cannot be seen as a blocker to business. Aviv discusses how to find that balance in today’s episode. This segment is sponsored by Votiro. Visit https://securityweekly.com/votiro to learn more about them!   In the leadership and communications segment, Security Is a Revenue Booster, Not a Cost Center, How cybersecurity leaders can tackle the skills shortage, Engaged Employees Create Better Customer Experiences, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw302 

We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities. A new deps.dev API for supply chain enthusiasts, hacking and modding agricultural devices, guidance from CISA on secure by design (and by default!), Glaze brings adversarial art to AI training, key transparency for WhatsApp, a new appsec myth(?), Android hacking tool list, and a Chrome extension to find web debugging behavior.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw237

Sisyphus and Elon, Action1, Cyber insurance, CISA, LockBit, AI, Jason Wood, and more on this edition of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn290

MSMQ, CLFS, Fortinet, Spectre redux, Google Pay, BingBots, Aaran Leyland, and More on this episode of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn289 

Fortra's Core Security has conducted it's fourth annual survey of cybersecurity professionals on the usage and perception of pen testing. The data collected provides visibility into the full spectrum of pen testing’s role, helping to determine how these services, tools, and skills must evolve.   Segment Resources:  https://www.fortra.com/resources/guides/2023-pen-testing-report   This segment is sponsored by Fortra's Core Security. Visit https://securityweekly.com/fortracoresecurity to learn more about them!   Compliance with cyber security frameworks such as NIST, PCI, HIPAA, etc. have largely been driven by paper-based processes in Word and Excel. With the rise of cloud computing, containers, and ephemeral systems, paper-based processes can no longer keep up with the speed of business and compliance has become the new bottleneck to progress for highly regulated industries such as government, finance, and energy sector. This session will cover how RegScale is leading a RegOps movement to bring the principles of DevOps to compliance with the world’s first real-time GRC system that enables compliance as code via NIST OSCAL. RegOps seeks to shift compliance left to make it real-time, continuous, and complete so that paperwork is always up to date, self-updating, and takes less manual resources to manage.  Segment Resources: Website – https://www.regscale.com Documentation/Learn More – https://regscale.readme.io   In this news segment, we discuss the art of branding/naming security companies, some new cars just out of stealth, 5 startups just out of Y Combinator, and Cybereason's $100M round from Softbank. We also talk new features (Semgrep's new GPT-4 use case), new newsletters, and new reports. We break down Nexx's broken vulnerability disclosure program and its broken products. We also discuss the FDA's new ability to block device certification for security reasons. Android announces rules to make it easier for consumers to delete accounts and remove data when they uninstall apps. IT and Security professionals everywhere are asked not to report breaches, but in some countries more than others. CISOs are more prone to drinking problems, and finally, for our squirrel stories, we discuss a crazy app called Newnew and new ideas in prosthetics.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw313 

Imagine an illness that requires surgery a few times a month and restricts your mobility. What would that do to your career? In our chat with Billy Boatright today, we'll find out how he not only switched careers despite his illness, he found an advantage in his weaknesses: he turned them into effective social engineering skills.   In the security news, FBI seizes one of the biggest stolen credential markets, Is catching ransomware the baseline for detection and response? Potential outcomes of the US National Cybersecurity Strategy, Thieves are using headlights to steal cars, China wants to censor generative AI, Tesla sued for snooping on owners through built-in cameras, All that and more, on this episode of Paul’s Security Weekly.    Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw780 

Application security in the cloud is a crucial aspect of protecting data and preventing unauthorized access to applications hosted on cloud platforms. As cloud computing becomes more prevalent, ensuring the security of applications has become a top priority for organizations. This is because cloud environments present unique security challenges, such as shared resources, multi-tenancy, and a lack of physical control. Therefore, it is essential to implement security measures that are specific to cloud-based applications. Segment Resources: - https://www.youtube.com/@Infosecvandana/videos   Lessons from an old 2008 JSON.parse vuln, opening garage doors with a password, stealing cars with CAN bus injection, manipulating Twitter's recommendation algorithm, engineering through complexity, successful tabletop exercises, and the anniversary of Heartbleed.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw236 

FTX, CISA, Apple, RPKI, Circle, NEXX, MSI, Jason Wood, and more on this edition of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn288

Barracuda just released a report on Ransomware findings, here: https://assets.barracuda.com/assets/docs/dms/2023 -Ransomware-insights-report.pdf. Here are a few of the highlighted stats: Barracuda international survey finds 73% of organizations experienced a successful ransomware attack in 2022 — 38% were hit more than once. 42% of those hit three times or more paid the ransom to restore encrypted data — compared to 31% of victims hit just once. 69% of ransomware attacks began with an email. 27% of organizations feel underprepared to tackle ransomware.   Fleming Shi joins Business Security Weekly to discuss the findings and ways to better prepare for these attacks. In the leadership and communications segment, How to Succeed As a New Chief Information Security Officer, Lead by Example: What Army Special Forces Can Teach You About Leadership, How to Take Risks & Conquer Fears, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw301

Naughty Tesla, Flipper Zero, Rilide, Styx, Genesis, Sophos, Cisco, Meta, Aaran Leyland, and More on this episode of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn287

The approach of cybersecurity workforce development and how someone with such technical background come to designing a degree program with non-traditional approach. What it takes to keep it going? Segment Resources: https://go.boisestate.edu/ucore https://go.boisestate.edu/gcore   In the Security News: Rorschach, QNAP and sudo, why bother signing things, why bother having a password, why bother updating firmware, smart screenshotting, TP-Link oh my, music with Grub2, byte arrays and UTF-8, what is my wifi password, Debian and systemd, opening garage doors, downgrade your firmware to be more secure, exploit databases, this is like a movie, unsolved CTFs, and Near-Ultrasound Inaudible Trojans! All that and more on this episode of Paul’s Security Weekly!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw779

Kellermann will discuss the recently published report “Cyber Bank Heist” that exposes the cybersecurity threats facing the financial sector. Security must be a top-of-mind issue amid rising geopolitical tensions, increased destructive attacks utilizing wipers and a record-breaking year of zero-day exploits. Podcast listeners will learn what financial sector security leaders from around the world revealed in a series of interviews about specific trends when it comes to notable cyberattacks, e-fraud and cyber defense. Segment Resources:  - https://www.contrastsecurity.com/cyber-bank-heists-report - https://www.contrastsecurity.com/security-influencers/cyber-bank-heists-report-code-patrol-podcast-contrast-security   Overall increase in government regulations. EU as well. Shift in liability from consumers to organizations.How to take advantage of safe harbor protections and reduce organizational risk and liability. NIST SSD Framework - how do you understand the security practices of the open source packages you use in your applications and ensure they are following the NIST practices (so you can take full advantage of safe harbor protections and reduce potential liability). Creating a network of open source maintainers, documenting and attesting to their security practices, is a solution. Work with the maintainers to be able to provide documentation. How to get more involved with development in open source security. What is the mechanism? Segment Resources: https://tidelift.com/government-open-source-cybersecurity-resources https://blog.tidelift.com/webinar-how-the-nist-secure-software-development-framework-impacts-open-source-software https://blog.tidelift.com/webinar-recap-what-the-new-u.s.-national-cybersecurity-strategy-means-for-open-source-software https://blog.tidelift.com/tidelift-advisory-impact-of-new-u.s.-national-cybersecurity-strategy-on-organizations-building-apps-with-open-source-software   In this week's enterprise security news, we talk about new companies and funding, trends in the deception and SaaS Security/SSPM space. We discuss Andy Ellis's "10 plagues of cloud security" and Kelly Shortridge's 69 ways to F*&$ up your deploy. We discuss rolling out Yubikeys and the pros/cons of using biometrics instead of security keys. There have been some bad takes in the media on how OpenAI uses your ChatGPT prompts, so we set the record straight there. Cybersecurity is a new requirement for K-12 students in North Dakota, and you've got to see this week's security story - a rogue tire sends a Kia Soul FLYING.* * - but no one was hurt!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw312

Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of infrastructure tools for networking, observability, and security. Let's explore eBPF and understand its value for security, and how it's used to secure network connectivity in the Cilium project, and for runtime security observability and enforcement in Cilium's sub-project, Tetragon.   Segment Resources:  Download "Learning eBPF": https://isovalent.com/learning-ebpf   Buy "Learning eBPF" from Amazon: https://www.amazon.com/Learning-eBPF-Programming-Observability-Networking/dp/1098135121 Code examples accompanying the book: https://github.com/lizrice/learning-ebpf= Cilium project: https://cilium.io Tetragon project: https://tetragon.cilium.io/   BingBang and Azure, Super FabriXss and Azure, reversing the 3CX trojan on macOS, highlights from Real World Crypto, fun GPT prompts, and a secure code game   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw235

Why 300? 300 is a perfect game in bowling, a milestone few have achieved (unless you're Brendan Alderman who has done it twice before the age of 20). 300 podcast episodes is almost 7 years of recording, a milestone most podcasts haven't achieved. So we thought is was worth celebrating! Join current and former BSW hosts to get a brief history of Business Security Weekly, including:   Paul's resignation from Tenable in 2016 to expand the Security Weekly podcast Michael and Paul launching Start-up Security Weekly in 2016 The switch to Business Security Weekly in 2018 Matt's first episode (105) in 2018 as the new CEO of Security Weekly  The premier episode of Security Money (113) in 2019 Jason's first episode (101) in 2018 The sale of Security Weekly to CyberRisk Alliance in 2020 Ben's first episode (231) in 2021 The premier episode of Say Easy, Do Hard (289) in 2023   You ask, we respond. This Ask Me Anything (AMA) segment allows the audience to ask the BSW hosts anything. From leadership skills to career advice or even why Alderman keeps moving, this segment answers the questions you want to know.   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw300

ProtoCell Phones, KEV, Efile, 3CX, Western Digital, NATO, Jason Wood, and More on this edition of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn286

Flappy TREX lips, WooCommerce, 3CX, Zimbra, OneNote, ChatGPT, ProPump, Aaran Leyland, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes!  Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn285

So much of the tech world went remote at the start of the pandemic, and many of those jobs (and engineers) show no sign of ever going back into an office. Building successful teams in this environment takes a different approach, one defined by autonomy and trust. In this segment, Nickolas Means, VP of Engineering at Sym, will share insights from more than a decade of leading distributed teams to help us all thrive in a world where distributed is the new normal.   The White House recently revealed their National Cybersecurity Strategy and its 5 pillars. Some is straightforward - some is more controversial. Josh helped with it and wrote a blog about it. Adrian read that post and asked Josh to come discuss it. So here we are. Segment Resources: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf https://claroty.com/blog/consequential-cybersecurity-brace-yourself-for-the-white-house-national-cybersecurity-strategy   In the enterprise security news, early stage startup funding stays constant, but late stage is nowhere to be found. Cisco, XM Cyber, and Mastercard make acquisitions. YouTube channels keep getting hacked. Microsoft fails to use Azure securely. Organizations are making progress on zero trust, but slowly. Finally, more discussion on AI threats, concerns, and predictions.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw311

How to get into reversing embedded firmware? Can the planet really be hacked? We'll go over a couple of fun exploitation examples, see what mistakes were made and maybe what could have been done better to make these devices tougher to break into.   Segment Resources: Voip phone hacking: Blog: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/avaya-deskphone-decade-old-vulnerability-found-in-phones-firmware/ Def Con presentation (intro to hardware hacking): https://www.youtube.com/watch?v=HuCbr2588-w&ab_channel=DEFCONConference Medical Research: BBraun infusion pump: https://www.youtube.com/watch?v=6agtnfPjd64&ab_channel=hardwear.io Medical devices under attack: https://www.rsaconference.com/USA/agenda/session/Code%20Blue%20Medical%20Devices%20Under%20Attack Hacking DrayTek routers: https://www.youtube.com/watch?v=CD8HfjdDeuM&ab_channel=Hexacon Philippe's public work: https://github.com/philippelaulheret/talks_blogs_and_fun   In the Security News: Turning traffic lights green with the flipperzero (and a bunch of other hardware), suspending AV and EDR, Test signing mode, Linux control freaks, hacking the Apple Studio Disaply, Intel;s attack surface reduction claim, the truth about TikTok that everyone is missing, just stop developing AI, but only for 6 months, anyone can connect to Amazon's wireless network, revoking the wrong things, losing your keys, the funny, not-so-funny things about firmware encryption, and exploding thumb drives. All that, and more, on this episode of Paul’s Security Weekly!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw778

With the increased interest and use of AI such as GTP 3/4, ChatGPT, GitHub Copilot, and internal modeling, there comes an array of use cases and examples for increased efficiency, but also inherent security risks that organizations should consider. In this talk, Invicti’s CTO & Head of Security Research Frank Catucci discusses potential use cases and talks through real-life examples of using AI in production environments. Frank delves into benefits, as well as security implications, touching on a number of security aspects to consider, including security from the supply chain perspective, SBOMs, licensing, as well as risk mitigation, and risk assessment. Frank also covers some of the types of attacks that might happen as a result of utilizing AI-generated code, like intellectual property leaking via a prompt injection attack, data poisoning, etc. And lastly, Frank shares the Invicti security team's real-life experience of utilizing AI, including early successes and failures.   Segment Resources: On-demand webinar on the topic of generative AI - https://www.scmagazine.com/cybercast/generative-ai-understanding-the-appsec-risks-and-how-dast-can-mitigate-them Invicti Research - https://www.invicti.com/blog/web-security/analyzing-security-github-copilot-suggestions/ - https://github.com/svenmorgenrothio/Prompt-Injection-Playground This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!    Ferrari refuses ransomware, OpenAI deals with security issues from cacheing, video killed a crypto ATM, GitHub rotates their RSA SSH key, bypassing CloudTrail, terms and techniques for measuring AI security and safety   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw234

Twitter, Tax Scams, Microsoft, Executive Orders, Pwn2Own, French Bans, and more on this edition of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn284

We often see security as a thing that has definitive check boxes, end states and deliverables. Audits "end" and then start again, but if you are looking at security as a noun -- as in, a thing that gets done, you are falling short. Security must be a verb. You DO security, you do not HAVE security. Security weaves through every layer and goes beyond the IT assets or codebase. This includes: Guerrilla marketing of gaining end-user buy-in for initiatives Iterative tuning of your data sources Active engagement with real-time feedback from the user base and technical teams Threat- and risk-informed decisions need to be capable of adapting when things get turned upside down. You need to create a culture and the associated processes to look at security like you do. Security teams and roadmaps are designed to look (often myopically) at specific "deliverables" and not so much at the vital signs of the security ecosystem in any given moment (and what that looks like OVER TIME, not at a moment IN time). This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them!   In the leadership and communications section, CISO, The Board, and Cybersecurity, How CISOs Can Work With the CFO to Get the Best Security Budget, Building Effective and Skilled Teams Through Networking, Connectivity, and Communication, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw299

SafeLiShare delivers tamperproof security from inside out across clouds and eliminate algorithmic complexity attacks and reverse never-ending cycles of defense using policy controlled Confidential Computing with secure enclave technology. Segment Resources: Presentation - https://1drv.ms/p/s!AqqNWej5CK8uhEoIZW5MUxMTQLJU Blog - https://safelishare.com/blog/defining-confidential-computing/ Video - https://safelishare.com/data-privacy-resources/   The ioXt Alliance is a group of manufacturers, industry alliances, labs, and government organizations, dedicated to harmonizing best security practices and establishing testable standards. Our goal is to bring security, upgradability and transparency to the market and directly into the hands of consumers. Come learn about Smart Product security and what consumers should be asking for. Segment Resources: https://www.ioxtalliance.org/   This week in the Enterprise News: Dope Security nabs $16M led by GV to build out secure web gateways designed to work on endpoints, not in the cloud, Introducing Microsoft 365 Copilot: your copilot for work, A Tweet from Daniel Feldman, A simple test, given to both GPT 3.5 and GPT 4, AI Hires a Human to Solve Captcha, Because It Couldn’t Solve It Itself, You know what's different between AI and you? Those goosebumps on your arms right now and the ice water in your veins. AI can't do that. Amazing Invention- This Drone Will Change Everything, & Cyber Startup Buzzword Bingo: 2023 Edition    Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw310

This week Dr. Doug talks: TikTok, Github, CISA and More CISA, Netgear, Do Kwon and More on this episode of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn283

We sit down with Nico Waisman to discuss vulnerability research and other security-related topics!   In the Security News: Windows MSI tomfoolery, curl turns 8...point owe, who doesn't need a 7" laptop, glitching the ESP, your image really isn't redacted or cropped, brute forcing pins, SSRF and Lightsail, reversing D-Link firmware for the win, ICMP RCE OMG (but not really), update your Pixel and Samsung, hacking ATMs in 2023, breaking down Fortinet vulnerabilities, Jamming with an Arduino, it 315 Mega hurts, analyzing trojans in your chips, and the 4, er 1, er 3, okay well how to suck at math and the 4 Cs of Cybersecurity! All that, and more, on this episode of Paul’s Security Weekly!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw777

When CISOs report into CEOs it gives them more autonomy, empowers them with more decision making authority, and eliminates the inherent conflict of interest present when CISOs report into IT leaders like the CIO. Segment Resources: https://www.forrester.com/blogs/five-reasons-why-cisos-should-report-to-ceos   In the leadership and communications section, CISO: A Job in Search of a Description, The Rise of the BISO in Contemporary Cybersecurity, When More is Less: The Dangers of Over-Communication in Teams, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw298

Static analysis is the art of scrutinizing your code without building or running it. Common static analysis tools are formatters (which change whitespace and other trivia), linters (which detect likely best practice and style issues), and type checkers (which detect likely bugs). Each of these can aid in improving application security by detecting real issues at development-time. Segment Resources: https://typescript-eslint.io  https://eslint.org https://blog.joshuakgoldberg.com   Outlook can leak NTLM hashes, potential RCE in a chipset for Wi-Fi calling in phones (and autos!?), the design of OpenSSH's sandboxes, more on the direction of OWASP, celebrating 25 years of Curl.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw233

Dr. Doug talks: The Tang Dynasty, ZippyShare, NuGet, PinDuoDuo, Ernie, Lantern, HDD hard drives, and more on this edition of the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn282  Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly 

Financial Scams, Microsoft, BianLian, Leihigh Medical, CISA, Vile, and More on this episode of the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn281

The CI/CD pipeline is the backbone of the software development process, so it's critical to ensure you are meeting and exceeding the most critical security measures. Throughout this podcast, Tal Morgenstern, Co-founder and CSO of Vulcan Cyber, will break down the process of how organizations can properly secure a CI/CD pipeline into a checklist of four key steps, as well as offer a handful of tools and tactics security leadership can use to bake risk-based vulnerability management into their CI/CD pipelines. He will explain how securing your CI/CD pipelines alone is not enough to reduce the chances of cyber attacks and the importance for organizations to not only maintain security at speed and scale, but quality at speed and scale. Finally, Tal will dive into how Vulcan Cyber helps organizations to streamline security tasks in every stage of the cyber-risk management process, integrating with their existing tools for true end-to-end risk management. Segment Resources: https://vulcan.io/ https://vulcan.io/platform/ https://vulcan.io/blog/ci-cd-security-5-best-practices/  https://www.youtube.com/watch?v=nosAxWc-4dc   Tap, tap - is this thing on? Why do defenders still struggle to detect attacks and attacker activities? Why do so many tools struggle to detect attacks? Today, we've got an expert on detection engineering to help us answer these questions. Thinkst's Canary and Canarytokens make in catching penetration testers and attackers stupidly simple. Thinkst Labs aims to push these tools even further. Casey will share some of the latest research coming out of labs, and we'll ponder why using deception for detection isn't yet a de facto best practice. Segment Resources:  https://canary.tools https://canarytokens.org https://blog.thinkst.com   Finally, in the enterprise security news, We quickly explain the SVB collapse, A few interesting fundings, Rapid7 acquires Minerva who? We’ll explain. GPT-4 - what’s new? Detect text written by an AI! Then, produce text that can’t be detected as written by an AI! The K-Shaped recovery of the cybersecurity industry, Software Security is More than Vulnerabilities, Microsoft Outlook hacks itself, Robert Downey Jr. gets into teh cyberz, & Reversing intoxication!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw309

Software supply chain attacks, those in which hackers target the "water supply" of software are on the rise. This makes software developers everywhere valid targets. We will discuss the developer perspective on software supply chain attacks. Segment Resources: https://in-toto.io https://sigstore.dev   In the security news: AI on your PI, no flipper for you, stealing Tesla's by accident, firmware at scale, the future of the Linux desktop, protect your attributes, SOCKS5 for your Burp, TPM 2.0 vulnerabilities, the world's most vulnerable door device and hiding from "Real" hackers, sandwiches, robot lawyers, poisonis epipens, and profanity in your code! All that, and more, on this episode of Paul’s Security Weekly!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw776

In this segment, Josh will talk about the OWASP ASVS project which he co-leads. He will talk a little about its background and in particular how it is starting to be used within the security industry. We will also discuss some of the practicalities and pitfalls of trying to get development teams to include security activities and considerations in their day-to-day work and examples of how Josh has seen this “in the wild”.   Segment Resources: Josh's personal website, https://joshcgrossman.com  Josh's mastodon handle, https://infosec.exchange/@JoshCGrossman OWASP ASVS site, https://owasp.org/asvs More detailed talk about ASVS v4.0.3, https://www.youtube.com/watch?v=zqj4YuoAlcA The most recent, stable version of the standard (v4.0.3), https://github.com/OWASP/ASVS/tree/v4.0.3/4.0 The “bleeding edge”/in-progress version, https://github.com/OWASP/ASVS/tree/master/5.0 Loom provides transparency on mishandling cookies, GitHub moves to require 2FA, TPM reference implementation includes a buffer overflow, Dropbox shares their security engineer ladder, multiple flaws in a smart intercom   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw232

Natural language processing AI will be at the forefront in 2023, as it will enable organizations to better understand their customers and employees by analyzing their emails and providing insights about their needs, preferences or even emotions. As AI voice cloning technology becomes more powerful and readily available, we will see an increase in impersonation attacks that utilize audio deepfakes. Join Dr. Kiri Addison, Threat Detection and Efficacy Product Manager, Mimecast to discuss how you can prepare and protect your organization from these types of business email compromises with the right cybersecurity products that can effectively protect them against attacks like these. ​   This segment is sponsored by Mimecast. Visit https://securityweekly.com/mimecast to learn more about them!   In this week's leadership and communications segment, we discuss overemphasizing metrics, delegation drawbacks, security culture starts at the top, and succeeding in security with economic insecurity.   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw297

Casper, Flipper, NordVPN, Ring, Silicon Valley Bank, GoBruteforcer, Aaran Leyland, and more on this edition of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly  Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn280

You know SBOMs can help you keep track of your software assets and therefore, their vulnerabilities. Despite even the White House pressing the issue, many vendors aren't forthcoming with SBOMs, and you can't afford to wait. With Tanium's Roland Diaz, we'll discuss the most important considerations when generating your own SBOMs (which is now something their product can also do!). This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more!   Looking at topics around go-to-market strategy and product management, including: how building products is unique in cybersecurity compared to other industries, what is product-led growth and what shape it takes in security, and how to do it right. Touching on the broader and adjacent topics of writing, supporting cybersecurity startups, investing, and the like. Segment Resources: Venture in Security blog: https://ventureinsecurity.net/ Venture in Security Angel Syndicate: https://www.visangels.com/ Building Cyber Collective: https://ventureinsecurity.net/p/buildingcyber Top Venture in Security Articles: https://ventureinsecurity.net/p/top-posts   Finally, in the enterprise security news, A light week in funding, after last week’s mega raises from Wiz and Sandbox AQ HP acquires some Zero Trust and CASB with Axis Security InfoSec-themed Table Top gaming is really catching on The White House’s updated cybersecurity strategy is more of an update than a game changer I go a bit nuts with AI news and essays, but a lot of it is really worth your time, I promise Doing evil things with chrome extensions Women in cybersecurity Letting strangers call you, on purpose All that and more, on this episode of Enterprise Security Weekly.    Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw308

Selling your soul to the company store, Xenomorph, Sonicwall, Github, Veeam, TSA, Ring, Aaran Leylan, and More on this episode of the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn279

Tune in to ask our PSW hosts anything you want to know! Join the live discussion in our Discord server to ask a question. Visit securityweekly.com/discord for an invite! Larry Pesce, Jeff Man, Tyler Robinson, and more will be answering your questions, including: What is your advice on avoiding burnout? If each of the hosts had to be a distribution of Linux, which one would each of them be? Which host is the worst influence? Why is security so hard? Will any of you be at RSAC this year and where can we come see you? What current projects are you working on?    In the Security News: Using HDMI radio interference for high-speed data transfer, Top 10 open source software risks, Dumb password rules, Grand Theft Auto, The false promise of ChatGPT, The “Hidden Button”, How a single engineer brought down twitter, Microsoft’s aim to reduce “Tedious” business tasks with new AI tools, The internet is about to get a lot safer, All that, and more!    Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw775

In this episode, Neatsun Ziv, co-founder and CEO of OX Security, takes a deep dive into software supply chain security. He focuses on the new Open Software Supply Chain Attack Reference (OSC&R), a first-of-its-kind framework for understanding techniques, tactics, and procedures (TTPs) used by attackers to compromise supply chains. OSC&R was forged by a group led by OX Security with cybersecurity pros from a number of companies, including Google, GitLab, FICO, Check Point, VISA and Fortinet. Segment Resources: https://pbom.dev/ -https://github.com/pbomdev/   OSCAR WebSocket hijack that leads to a full workspace takeover in a cloud IDE, malicious packages flood public repos, side-channel attack on a post-quantum algorithm, looking at OWASP's evolution, OAuth misconfigs lead to account takeover, AI risk management framework, Zed Attack Proxy   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly   Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw231

Lots of AI, Deepfakes, Microsoft Word, OneNote, Russian Pranksters, FIXS, Wago, Water, Aaron Leyland, and more on this edition of Security Weekly News.    Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn278

From protecting application and data from cyberattacks to meeting compliance regulations, healthcare providers face the complex challenge of providing secure and reliable access to medical data. In this segment, Terry Ray joins Business Security Weekly to discuss common attack trends and security challenges that healthcare providers face along with guidance for securing healthcare data and applications. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!   In the leadership and communications section, Your Biggest Cybersecurity Risks Could Be Inside Your Organization, Subtracting: The Simplest Path to Effective Leadership, How to Be a Good Interviewer, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw296

Human brain bots grown in petri dish, CISA Decider, BlackLotus, Mustang Panda, Ex22, Dish and Aaran Leyland, and more on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn277

The MSP space has undergone a lot of changes in the past few decades, with the emphasis on security increasing dramatically in the last 5-10 years. We discuss how ConnectWise, which builds and sells solutions to MSPs, has tackled this challenge. We'll be asking questions both from Raffael's point-of-view, selling to MSPs, but also from the customer point-of-view - small to medium businesses with a need to outsource IT and security functions.   Today, we talk to Jim Routh - a retired CISO who survived the job for over 20 years! He'll be sharing some wisdom with us, like how analytics and data science can help detect malicious insiders. Also, more generally, Jim will help us understand how data-science-backed tooling can help move the security market forward and help security teams and programs mature.   Segment Resources:  https://www.reveal.security/resources/whitepapers/   This week in the Enterprise News: Deepwatch Announces $180 Million in Investments, VulnCheck Raises $3.2 Million to Solve Prioritization Challenge for Enterprise, Government and Cybersecurity Solution Providers, Zscaler to Acquire Israeli Startup Canonic Security, Palo Alto Q2 Fiscal Year 2023 Earnings Call, Tech’s hottest new job: AI whisperer. No coding required, How data breaches affect stock market share prices, & Kenyan Innovator Creates Smart Gloves That Translate Sign Language Into Audible Speech!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw307

Barracuda published its 2023 Email Security Trends report that shows how email-based security attacks affect organizations around the world. 75% of the organizations surveyed for the report had fallen victim to at least one successful email attack in the last 12 months, with those affected facing average costs of more than $1 million for their most expensive attack. 23% said that the cost of email-based attacks has risen dramatically over the last year.   Segment Resources:  https://assets.barracuda.com/assets/docs/dms/2023-email-security-trends.pdf   This segment is sponsored by Barracuda. Visit https://securityweekly.com/barracuda to learn more about them!   In the Security News for this week: indistinguishable classifiers, screenshot the /etc/passwd file, what the Zimbra, couple of cool Burp plugins, my voice is my passport. verify me, software is harder to exploit, unless its in firmware, when ChatGPT writes an article, becoming a trusted installer, not the last breach for lastpass, getting fried at the charger, and why hackers love stickers!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw774

ClippyNator, NewsCorp, Lastpass, US Marshals, Housez, PureCryptor, CyberStrategy, Jason Wood and more on this edition of Security Weekly News. show.fullaudio_desc_addendum   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn276

Join us for this segment with Lina Lau to learn lessons from real incident response engagements covering types of attacks leveraged against the cloud, war stories from supply chain breaches seen in the last 1-2 years, and how defenders and enterprises can better protect and proactively defend against these attacks.   Segment Resources: Attacking and Defending the Cloud (Training) https://training.xintra.org/ Blackhat Singapore 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESPONSE (VIRTUAL) https://www.blackhat.com/asia-23/training/schedule/index.html#advanced-apt-threat-hunting--incident-response-virtual-29792 Blackhat USA 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESPONSE (IN-PERSON) https://www.blackhat.com/us-23/training/schedule/#advanced-apt-threat-hunting--incident-response-30558     Twitter 2FA goes away, safe testing for server-side prototype pollution, OWASP's guide on AI security & privacy, Adobe's approach to smarter security testing, a fast web fuzzer   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw230

Lots of press lately regarding ChatGPT and its impact on cybesecurity. Some say it will help us fight adversaries, while others say it will only make adversaries more sophisticated. Lot's of FUD on both sides of the discussion. BSW hosts debate the pros and cons of ChatGPT (and other AI) to truly understand its impact and what we, as security leaders, need to know. In the leadership and communications section, Leaders Are Feeling the Pressure of an Uncertain, Dynamic Risk Landscape, Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025, How to Empower Teams, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw295

It's another holiday week, so enjoy this episode from the ESW archives!   The cloud and SaaS were supposed to make things easier, simpler, more scalable. Arguably, they _have_ done all those things, but traditional, legacy networks linger. Migrations are messy and take time. Nearly everything is encrypted in transit by default. Today, we interview Marty Roesch, the creator of Snort and founder of SourceFire, to discuss how things have changed and what defenders can do to catch up and restore some order to the madness. We'll step through some history along the way - listeners might be surprised at how much our current situation mirrors the reasons behind why Marty created Snort in the first place.

It's another holiday week, so enjoy this interview from the PSW archives!   We chat with Marcus J. Ranum of Tenable, pit ODROID against Raspberry Pi, and introduce you to USBee in our security news. All that and more, so stay tuned!

It's another holiday week, so enjoy this episode from the BSW archives!   This week, we welcome Graeme Payne, President at Cybersecurity4Executives, to discuss Impacts of a Data Breach! During the Equifax 2017 Data Breach, Graeme Payne was Senior Vice President and CIO of Global Corporate Platforms. He was fired the day before the former Chairman and CEO of Equifax testified to Congress that the root cause of the data breach was a human error and technological failure. Graeme would later be identified as the human error.   Show Notes: https://securityweekly.com/BSW172 Visit https://www.securityweekly.com/bsw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

It's another holiday week, so enjoy this episode from our archives! What does a collaborative approach to security testing look like? What does it take to tackle an entire attack class as opposed to fixing a bunch of bugs? If we can shift from vulnerability mitigation to vulnerability elimination, then appsec would be able to demonstrate some significant wins -- and they need a partnership with DevOps teams in order to do this successfully. Log4j has more updates and more vulns (but probably not more heartburn...), revisiting outages and whether availability has made it into your threat models, deep dive into hardware security, another data point on bug bounty awards, and looking at risk topics for the next year. This completes another year of the podcast! A very heartfelt thank you to all our listeners! And a special thank you and shout out to the crew that helps make this possible every week -- Johnny, Gus, Sam, and Renee. We'll keep the New Wave / Post-Punk, movie, and pop culture references coming for all the appsec and DevOps topics you can throw our way. Thanks again everyone!!   Segment Resources: - https://blog.trailofbits.com/   Show Notes: https://securityweekly.com/asw178

This week Dr. Doug civilly discusses: a Liquid Robot Death Punch, Korean cars, Fortinet, Frebniis, Atlassian, BingBots, Hacking Back, Derek Johnson covers the National Cyber Strategy documents and more on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn275

Organizations today operate under the constant looming threat of cyber attacks. While reactive cybersecurity measures will help organizations respond to past and present threats, offensive measures are the only chance to get ahead of attackers and beat them to the punch. There is now a greater call for offensive solutions like penetration testing and red teaming to evaluate environments so security gaps can be identified and closed before a breach. Join us as we discuss how these solutions work both independently and together, as well as practical ways organizations can build or mature an offensive security strategy.  Segment Resources:  https://www.coresecurity.com/resources/videos/when-use-pen-testing-red-teaming-or-both?code=cmp-0000011540&ls=717710006&utm_source=hubspot&utm_medium=email&utm_campaign=cts-security-weekly  https://www.coresecurity.com/resources/guides/complete-guide-layering-offensive-security?code=cmp-0000011540&ls=717710006&utm_source=hubspot&utm_medium=email&utm_campaign=cts-security-weekly  https://www.coresecurity.com/resources/datasheets/offensive-security-advanced-bundle?code=cmp-0000011540&ls=717710006&utm_source=hubspot&utm_medium=email&utm_campaign=cts-security-weekly   This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them!   The memoir of world-renowned hacker Cris Thomas “Space Rogue: How the Hackers Known as L0pht Changed the World” is available for pre-order now. The new book, to be released on February 16, 2023, will cover the influential hacking group L0pht Heavy Industries, the hacker underground of the 1990s, the L0pht’s rise to prominence, their testimony in front of the US Senate, their claim of being able to “take down the Internet”, and how their legacy continues to shape the security of the online world today. Segment Resources: https://securityweekly.com/spacerogue  http://www.spacerogue.net   Inka talks about harnessing Behavioural Science (BS) to influence people’s cyber security behaviours. Focusing on psychology theories (e.g. Behaviour change wheel) she explores some of our barriers (and motivations) to cybersecurity. What are our FMEs ('frequently made excuses') to taking protective action online and how organisations' could create a supportive security culture. Segment Resources: Lead researcher for RISCS / UK Home Office funded research project: Cyber Security Quirks: Personalised Interventions for Human Cyber Resilience https://www.riscs.org.uk/project/cyber-security-quirks-personalised-interventions-for-human-cyber-resilience/ Inka will be presenting this research at the Impact Conference on 2.3.2023 https://www.theimpactconference.com/ Lead researcher/author of the Annual Cybersecurity Attitudes and Behaviours Report (2021 and 2022) https://www.cybsafe.com/whitepapers/cybersecurity-attitudes-and-behaviors-report/ SebDB (most comprehensive cyber security behaviour database) https://www.cybsafe.com/research/security-behaviour-database/ Personality and digital footprints whitepapers: https://www.cybsafe.com/whitepapers/personality-and-digital-footprints/ How to measure security behaviour https://www.cybsafe.com/e-books/how-to-measure-behavior-long-read/      Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw306

Zero Trust is the buzzword of the 2020’s. Vendors are selling it, the US Federal Government is requiring it, and organizations are implementing it, but what does it really mean (I mean really beyond the hype)? In this segment, Paul and Ron will talk ways combat threats through people, process, and technology Zero Trust Risk Management. Segment Resources: Forrester Research Zero Trust blogs: https://www.forrester.com/blogs/category/zero-trust-security-framework-ztx/ Ron Woerner YouTube: https://www.youtube.com/user/ronw68123 VetSec: https://veteransec.org/ Free CISSP Training Program: https://frsecure.com/cissp-mentor-program/   In the Security News: If it can run Linux, it should, TikTok thefts, significant vulnerability findings, and I'm not even joking, typo squatting is lame, what will it take Bruce!, stealing from the TPM, GoAnywhere, including root, what if attackers targeted your yacht?, two for the price of one (exploits), X is really old, and vulnerable, come for a ride on a CHERI-OT and be memory safe, codebreaking old letters, and vulnerable wienermobiles! All that, and more, on this episode of Paul’s Security Weekly!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw773

Organizations spend hundreds of work hours to build applications and services that will benefit customers and employees alike. Whether the application/service is externally facing or for internal use only, it is mandatory to identify and understand the scope of potential cyber risks and threats it poses to the organization. But where and how do you start with an accurate threat model? Nick can discuss how to approach this and create a model that's useful to security and developers alike. Segment Resources https://github.com/trailofbits/publications/blob/master/reviews/2022-12-curl-threatmodel.pdf   Reddit's breach disclosure, simple vulns in Toyota's web portals, OpenSSL vulns, voting results for Portswigger's top 10 web hacking techniques of 2022, tiny IoT cryptography implementations, real world migration of a million lines of code    Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw229

This week, guest host Aaran Leyland takes over with expert commentator Josh Marpet! Tune in for Clipper malware, Chinese hackers, record DDoS attack, Apple patch zero day flaw and more!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn274

How do you manage the human side of cybersecurity? Traditionally, security awareness programs have checked this box from a compliance angle but had minimal impact on cyber risk. Human Risk Management (HRM) is transforming this space by connecting an integrated, data-driven approach with personalized security training to deliver quantifiable results. In this session, we'll define HRM, explore how it is being adopted, and review the business case supporting the change.   This segment is sponsored by Living Security. Visit https://securityweekly.com/livingsecurity to learn more about them!   In the leadership and communications section, What CISOs Should Know About Hacking in 2023, Getting Employee Buy-In for Organizational Change, Listening — The most important communication skill, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw294

Dysentery, Healthcare Privacy, Gootloader, Bing AI, Vela, Russian jobs, Reddit, and Bradley Barth discusses his series on Walmart. All this and more on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn273

Tanium has recently released a new capability called Tanium Software Bill of Materials (SBOM) to help customers identify third-party libraries associated with software packages. • What is Tanium SBOM • Why is it different and why do you need it • How to configure SBOM • How to query for the details about every software application in your environment • Where your vulnerable packages exist • Ways that Tanium can remediate vulnerabilities from OpenSSL to Struts to Log4j today as well as new supply-chain vulnerabilities in the future   No one knows what the next supply chain vulnerability is going to be, but with Tanium, you will have access to data about how your applications are affected before it happens so that when it does, you're ready to take action to remediate the issue from within the Tanium XEM platform.   Segment Resources: https://www.tanium.com/products/tanium-sbom/  https://www.tanium.com/press-releases/tanium-launches-software-bill-of-materials-for-unprecedented-visibility-to-combat-supply-chain-threats/  https://www.tanium.com/blog/software-bill-of-materials-openssl/   This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them!   Syxsense and Enterprise Management Associates (EMA) recently teamed up to publish a survey around the current state of Zero Trust within enterprises as well as where it’s going. This interview will discuss the key findings and insights into the challenges many organizations face around Zero Trust, as well as endpoint security and network access. Segment Resources: https://www.syxsense.com/advancing-zero-trust-priorities   In the Enterprise News: Whether you want insurtechs or not, they’re here and you’re getting them! Don't worry - we’ll explain what insurtechs are. Two potential deals to take security companies private: Sumo Logic and Rapid 7! Looks like 32 year old security company Cyren is shutting down, hoping for an asset sale. They've already laid off all their employees. Big drama: a firm shorts Darktrace and releases a scathing report. We've got yet more more layoffs this week, but don't fret - the NSA is hiring!  For our squirrel stories, we'll be deciding between three stories: codebreakers solve 500 year old ciphers, the real cost of meetings visualized, and sushi terrorists! All that and more, on this episode of Enterprise Security Weekly.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw305

Linux systems are a collection of free and Open Source software-- some packaged by your distro, some built from source. How do you verify that your upstream isn't polluted by bad actors? Segment Resources: https://github.com/evilsocket/opensnitch  https://securityonionsolutions.com/software/ https://deer-run.com/users/hal/  https://archive.org/details/HalLinuxForensics   In the Security News: VMware and Ransomware makes you want to run some where, double-free your OpenSSH, download the RIGHT software, you have Docker, I have root, we don't talk about CORS, to vulnerability or not to vulnerability, vulnerability risk scoring, a matter of perspective, very persistent Cisco attacks, running UPNP without all the protections, overflowing a buffer in your bootloader over HTTP, C can be memory safe (but developers will still screw it up), and lasers, microwaves, satellites and the Sun! All that, and more, on this episode of Paul’s Security Weekly!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw772

Linux systems are a collection of free and Open Source software-- some packaged by your distro, some built from source. How do you verify that your upstream isn't polluted by bad actors?  Segment Resources: https://github.com/evilsocket/opensnitch  https://securityonionsolutions.com/software/  https://deer-run.com/users/hal/  https://archive.org/details/HalLinuxForensics  In the Security News: VMware and Ransomware makes you want to run some where, double-free your OpenSSH, download the RIGHT software, you have Docker, I have root, we don't talk about CORS, to vulnerability or not to vulnerability, vulnerability risk scoring, a matter of perspective, very persistent Cisco attacks, running UPNP without all the protections, overflowing a buffer in your bootloader over HTTP, C can be memory safe (but developers will still screw it up), and lasers, microwaves, satellites and the Sun! All that, and more, on this episode of Paul’s Security Weekly!  Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw772

Chat-GPT fails, Ernie, Bard, Chinese Androids, Fortra, Sunlogin, Dingo Token, Google Ads, Jason Wood and More on this edition of Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly    Show Notes: https://securityweekly.com/swn272

Most of the myths and lies in InfoSec take hold because they seem correct or sound logical. Similar cognitive biases make it possible for even the most preposterous conspiracy theories to become commonly accepted in some groups. This is a talk about the importance of critical thinking and checking sources in InfoSec. Our industry is relatively new and constantly changing. Too often, we operate more off faith and hope than fact or results. Exhausted and overworked defenders often don't have the time to seek direct evidence for claims, question sources, or test theories for themselves. Resources - https://www.usenix.org/conference/enigma2023/presentation/sanabria - https://www.usenix.org/sites/default/files/conference/protected-files/enigma2023_slides_sanabria.pdf - https://yourbias.is - Discuss: What Makes a Good Breach Response? - ESW #303: https://www.youtube.com/watch?v=5RpZiVu3xEs   The aviation equivalent of ASCII art, a memory safety issue in OpenSSH that might not be terrible, a format string in F5 that might be terrible, a new MITRE framework for supply chain security, programming languages and secure code   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw228

This week, it's Security Money. While the major indexes have improved, the SW25 index has not. Pressures from the macro economic conditions appear to have a greater impact on cybersecurity. We'll dig in and review.   In the leadership and communications section, Who Does Your CISO Report To?, 5 CISO Traps to Avoid and Truths to Embrace, How to effectively communicate cybersecurity best practices to staff, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw293

This week in the Security News Doug Chides: Chat-GPT, QNAP, Google FI, REDIS, Headcrab, Banner, GoodRx, Oracle, GoAnywhere, & more!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn271

Cyber insurance is a must-have, but organizations are finding that cyber insurance premiums are more costly, policies are more difficult to obtain, and policies attach more limitations and exclusions than before. We will discuss cyber insurance’s role in risk management and trends.   Segment Resources: https://www.forrester.com/report/q-and-a-cyber-insurance/RES178563?ref_search=3185990_1675109251447 https://www.forrester.com/report/tech-execs-guide-to-cyber-insurance/RES178564?ref_search=3185990_1675109251447 https://www.forrester.com/blogs/whos-responsible-for-cyber-insurance-policy-misrepresentations-it-depends/?ref_search=3185990_1675109251447   Insiders - employees, contractors, and partners - are responsible for almost a quarter of data breaches. Reducing insider risk requires a dedicated approach, including user monitoring. But be careful, Forrester predicts that a C-level executive will be fired for their firm’s use of employee monitoring in 2023.   Segment Resources: https://www.forrester.com/blogs/predictions-2023-security/?ref_search=3092262_1675290315432 https://www.forrester.com/blogs/apply-critical-thinking-and-culture-to-reduce-insider-risk/ https://www.forrester.com/blogs/practice-empathy-to-reduce-insider-risk/ https://www.forrester.com/blogs/pandemic-fallout-creates-perfect-conditions-for-insider-threat/     In the Enterprise News: There's lots of executive shuffling going on! Saviynt gets a new CEO and $205M in funding, Forescout appoints its 4th CEO in as many years, and Mudge finds a place at Rapid 7. We've got some interesting trends, like more focus on securing small businesses, and more cybersecurity startups pairing technology with cyber insurance. It seems like only yesterday, we were shocked to hear that Microsoft was running a $10B security business, but Microsoft has apparently now grown security revenue to $20 BILLION DOLLARS. Also, Tyler explains what Herman Miller chairs have to do with spotting market trends, we note the 20 year anniversary of SQL Slammer, and discuss why consumers don’t want smart appliances shoved down their throats!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw304

In a recent survey on purple teaming, 89 percent of respondents who had used the method deemed purple teaming activities “very important” to their security operations. Purple teaming exercises conducted regularly have the power to improve collaboration across teams, ensure issues are identified and remediated more proactively, and provide a means to measure progress over time. With all these benefits, why isn’t everyone doing it? Purple teaming doesn’t have to be such a heavy lift. With the right mindset and tools, any team can get started regardless of resources. This talk will highlight practical tips for getting started with purple teaming exercises and show off PlexTrac Runbooks, a platform designed to plan, execute, report, and remediate collaborative purple teaming engagements so teams can maximize their efforts and improve their security posture.   Segment Resources: Learn more and book a demo: https://plextrac.com/securityweekly More information on Runbooks: https://plextrac.com/platform/runbooks/   This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them!   In the Security News for this week: defending against cleaning services, catastrophic mutating events and the future, myths and misconceptions, finding vulnerabilities in logs (And not log4j), SSRF leads to RCE with a PoC, SQLi with XSS bypasses WAF FTW, thinkpad as a server, RPC directory traversal for the win, just directory traversal for the win, Paul gets a Flipper Zero and how he thinks he's some sort of hero, sh1mmer your chromebook, and superconductive magic angle graphene!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw771

A $10M ransom demand to Riot Games, a DoS in BIND and why there's no version 10, an unexpected refactor at Twilio, insights in Rust from the git security audit, SQL Slammer 20 years later, the SQLMap tool   We talk with Dr. David Movshovitz about There Is No Average Behavior! Segment Resources: White paper: https://www.reveal.security/lp/white-paper/   Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw227

This week Dr. Doug talks: Chat-GPT, Graphing calculators, Swiftslicer, VRealize, Google play, KeePass, Huawei, Github, flying cars, Jason Wood, and More on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn270

What keeps the cyber C-Suite up at night? What are their main priorities, and how do they articulate them to board? In this session, we’ll go behind the screens and find out what CISOs from all over the world really think in terms of making turning cyber risk into business risk.   This segment is sponsored by Mimecast. Visit https://securityweekly.com/mimecast to learn more about them!   In the leadership and communications section, Why CISOs Make Great Board Members, Unlock Your Leadership Potential: 12 Must-Read Books to Take Your Skills to the Next Level, How To Get People To Listen To You, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw292

This week Dr. Doug discusses: Empathy, hacking back, typosquatting, Bitwarden, Lexmark, Exchange, Russians, Iranians, Dragonbridge, Derek Johnson talks about Hive and more on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn269

What makes a good breach response? What makes a bad one? Could we objectively measure them? How would we break down and rate a company’s breach response performance?   This is the first in our 2 segment Enterprise News special! Stay tuned for segment 2!   This is the 2nd segment in our 2 segment Enterprise News special!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw303

This week in the Security News: GetVariable strikes again, attackers could blow up your computer remotely, escaping containers, null-dereferences and faulty evaluations, 31 new CPU vulnerabilities for AMD, a look into Chrome, santa, not-so-secure secure booting, and malware included!   Open source is the bedrock of most of the world’s software today, so how to raise the floor on software quality across the industry? First, we need better tools to measure the trustworthiness of code based on objective measures, processes that encourage better security practices by developers, and tools and processes that encourage teamwork and shared responsibility for security. Several efforts are underway in major open source communities to address these issues. At the Open Source Security Foundation (OpenSSF), major companies, open source software maintainers, startup companies and government actors are working together to improve open source software supply chain security. Brian will share his view of this landscape, detail the work being done at the OpenSSF, show where those efforts are already bearing fruit, and demonstrate what you and your organization can (must!) do to participate in these efforts. Segment Resources: https://openssf.org/   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw770

Breach disclosures from T-Mobile and PayPal, SSRF in Azure services, Google Threat Horizons report, integer overflows and more, Rust in Chromium, ML for web scanning, Top 10 web hacking techniques of 2022 Developers write code. Ideally, secure code. But what do we mean by secure code? What should secure code training look like? Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw226

Richard Seiersen and our guest, Doug Hubbard, are finishing the second edition of How to Measure Anything in Cybersecurity Risk. Doug is here to share the success of the first edition and preview the second edition. With more insights, the second edition will share more more research data, free tools, and new concepts like FrankenSME. If you're a risk management professional or want to learn more about risk management, don't miss this interview. In the leadership and communications section, 8 Questions to Ask Before Selecting a New Board Leader, How Cybersecurity Leaders Can Build Employee Trust—And Why It Is Important, 7 rules to communicate the business value of IT, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw291

This Week Dr. Doug talks: Chick-Fil-A, OneNote, XLLs, VastFlux, Tmobile, ChatGPT, Ukraine, Microsoft, Jason Wood, and More on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn268 Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn268

There's a LOT of noise in the security industry. We've catalogued over 10,000 cybersecurity products and each of the companies behind these products has a marketing team, a twitter account, a blog, and a ton of content to blast at enterprise security buyers. There's an interesting connection between GreyNoise's product, founder, and principles. While building a product that filtered out the noise that wastes most security operations teams' time, Andrew was dead set against building a startup that resembled the typical security startup. We'll discuss Andrew's unique path to market, the latest features of GreyNoise, and where the lines are drawn between malicious and benign scanning.    Show Notes: https://securityweekly.com/esw264   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

We're aren't recording this holiday week, so enjoy this PSW throwback episode! Main host Paul Asadoorian selected this episode to share as it's still relevant to the hacker community today. PSW366 was recorded June of 2016 with Gary McGraw. 

We're aren't recording this holiday week, so enjoy this BSW throwback episode! Main host Matt Alderman selected this episode to share as it's still relevant to the InfoSec business community today.    This week, we welcome Jim Routh, Former CSO, Board member, Advisor at Virsec, to discuss The 3 Mistakes All First Time CISOs Make That No One Tells You!    Show Notes: https://securityweekly.com/bsw227 Visit https://www.securityweekly.com/bsw for all the latest episodes!   Follow us on Twitter: https://twitter.com/securityweekly Follow us on Facebook: https://facebook.com/secweekly

We're aren't recording this holiday week, so enjoy this ASW throwback episode! Main host Mike Shema selected this episode to share as it's still relevant to the AppSec community today.    This week, we welcome Nuno Loureiro, CEO at Probely, and Tiago Mendo, CTO at Probely, to talk about Dev(Sec)Ops Scanning Challenges & Tips! There's a plenitude of ways to do Dev(Sec)Ops, and each organization or even each team uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important to understand how to integrate a security scanner in your DevSecOps processes. It all comes down to speed, how fast can I scan the new deployment? Discussion around the challenges on how to integrate a DAST scanner in DevSecOps and some tips to make it easier.   In the AppSec News: View source good / vuln bad, IoT bad / rick-roll good, analyzing the iOS 15.0.2 patch to develop an exploit, bypassing reviews with GitHub Actions, & more NIST DevSecOps guidance!   Show Notes: https://securityweekly.com/asw170   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Dr. Doug talks: Frozen, Fortinet, Scattered Spider, Cisco, Juniper, Apache no more, Telegram, Control Web Panel, and more on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn267

Europe is a global driver for privacy rules and digital legislation. Which means it is also a force to be reckoned with when it comes to enforcement. With privacy and security being so intertwined, this conversation will focus on the current mindset in Europe and discuss recent regulators’ decision e.g. on Microsoft 365. Segment Resources: The International Association of Privacy Professionals (IAPP) is the world’s largest global information privacy community. IAPP website https://iapp.org/ About membership: https://iapp.org/join/ IAPP training is a path to professional advancement and ANSI/ISO-accredited certification. Developed with leading privacy and data protection experts, our in-depth courses span legal, regulatory, governance, and operational issues. Choose the subjects and training modalities that fit your career goals. More info about all IAPP trainings: https://iapp.org/train/ For example: • IAPP Foundations of Privacy and Data Protection (Your Starting Point in Privacy Education): https://iapp.org/train/foundations/ • IAPP Privacy in Technology training – CIPT (for Software developers, information security professionals, data architects…): https://iapp.org/train/cipt-training/ Check out IAPP news and resources: https://iapp.org/news/ and https://iapp.org/resources/     Military-grade xIoT hacking tools are in use, cybercrime for hire that’s predicated on compromised xIoT devices has been monetized, and organizations worldwide are already “pwned” without even knowing it. Bad actors are counting on you being passive when it comes to xIoT security. Disappoint them! Segment Resources: xIoT Threat & Trend Report https://phosphorus.io/xiot-threat-and-trend-report-2022/ xIoT Security Podcast https://phosphorus.io/podcast/ Phosphorus Labs https://phosphorus.io/labs/   Finally, in the enterprise security news, Not much funding this week, but Netskope raises $400M, and Hack the Box raises $55M! Also, what went wrong with IronNet? The Open Source Index highlights popular security projects, Windows 7 and Windows 8.1 have been put out to pasture, Predictions about personal cybersecurity, Cloud security trends, The ongoing impact of ChatGPT on the security industry, Password hygiene revealed to be terrible in the US Government, All that and more, on this episode of Enterprise Security Weekly.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw302

Over the last few years, the trend to use Open Source has been migrating into safety-critical applications, such as automotive and medical, which introduces system-level analysis considerations. In a similar fashion, these components are now being considered for the evolution of critical infrastructure systems. In the US, security concerns have prompted some emerging best practices, such as increased transparency of components, via software bill of materials (SBOMs), but this is not the only aspect to keep in mind. Segment Resources: * https://www.linux.com/featured/sboms-supporting-safety-critical-software/ * https://elisa.tech/ * https://www.zephyrproject.org/ * https://spdx.dev/   Then, in the Security News: In the security news: Do not panic about RSA encyption, the age old debate: Security vs. Compliance, Cold River, and no not the vodka although it has to do with Russia, the exploit party is happening and someone invited vulnerable drivers, ChatGPT being used to deploy malware, chip vulnerabilities impacting ARM: what you need to know, admin versus admin with Intel AMT and does password expiration help or hurt security?   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw769

Exposed secrets from CircleCI, web hackers target the auto industry, $100K bounty for making Google smart speakers listen, inspiration from Office Space, AWS making better defaults for S3, resources for learning Rust   This segment will discuss options for protecting your APIs. First, why protect them? Second, what are the options and the tradeoffs. Segment Resources: - https://stackoverflow.blog/2022/04/11/the-complete-guide-to-protecting-your-apis-with-oauth2/ - https://fusionauth.io/learn/expert-advice/ - https://fusionauth.io/learn/expert-advice/oauth/modern-guide-to-oauth - https://oauth.net/2/ - https://tools.ietf.org/html/rfc6749 - https://datatracker.ietf.org/doc/id/draft-ietf-oauth-v2-1-07.html - https://paseto.io - https://securityboulevard.com/2021/11/biggest-api-security-attacks-of-2021-so-far/   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw225

CodeQL, Kinsing, Bit Buckets, Win 7 is dead, Spynote, Vall-E, Aaran Leyland and More on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn266

In the leadership and communications section, The CISO Role is Broken, Five Cybersecurity Resolutions CISOs Can Actually Keep In 2023, Are Cyber Attacks at Risk of Becoming ‘Uninsurable’?, and more! SolarWinds has been on the journey of Secure by Design since the Sunburst incident in late 2020. Secure by Design is a practical approach to minimizing risk. It involves advanced build systems, an assumed breach model, proactive testing, audit, increased visibility and sharing lessons externally. Segment Resources: https://www.solarwinds.com/secure-by-design-resources   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw290

This week in the Security News: Virtual Smells, Werfault, Server 2012, ChatGPT, Captcha, Rust Hyper, Qualcomm, and more on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn265

If you’ve ever worked on a red or purple team, you know scaling engagements to production is an intensive, unwieldy process. Technology pitfalls may exist, but the fundamental problem is this: the process of writing, testing, deploying, and verifying the efficacy of TTPs is highly flawed and inconsistent. This conversation will focus on applying a scientific process to security testing in order to achieve production scale. Segment Resources: Prelude Build GitHub: https://github.com/preludeorg/build Prelude Docs: https://docs.prelude.org/docs Introducing Prelude Build: An Open Source IDE Purpose Built for Security Engineers: https://www.preludesecurity.com/blog/introducing-prelude-build-an-ide-purpose-built-for-security-engineers A Practical Guide for Scaling Continuous Security Testing: https://www.preludesecurity.com/blog/scaled-security-testing-a-practical-guide Prelude Build: https://www.preludesecurity.com/products/build   We will discuss the migration of the security community from Twitter to Mastodon, logistical challenges, and related matters of managing the community.   Finally, in the enterprise security news, Security funding is back, baby! Security Unicorn layoffs continue though! We talk Zombiecorns, IronNet struggles, Netwrix acquires Remediant, We talk breaches: Lastpass, Rackspace, Okta via Github, Slack via Github, Github announces 2FA improvements, AI generates insecure code, Cyberinsurance challenges, Fyre Festival Fraudster Funding more Frauds All that and more, on this episode of Enterprise Security Weekly.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw301

In the Security News: The Roblox prison yard, password manager problems, PyTorch gets torched with a supply chain attack, Oppenheimer cleared, Puckungfu, spice up your persistence with PHP, turning Google home into a wiretap device, Nintendo 3DS remote code execution, Linux kernel remove code execution, steaking cards in 2022 - The API way, and there is no software supply chain... and more!   This session explores software supply chain security and the details of System of Trust, a community effort to develop and validate a process for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain elements for decision makers dealing with supply chain security. This framework is defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service offerings. More importantly, the framework offers a comprehensive, consistent, and repeatable methodology – for evaluating suppliers, supplies, and service offerings alike – that is based on decades of supply chain security experience, deep insights into the complex challenges facing the procurement and operations communities, and broad knowledge of the relevant standards and community best practices. Segment Resources: - https://sot.mitre.org/overview/about.html - https://shiftleft.grammatech.com/automating-supply-chain-integrity - https://www.reversinglabs.com/conversinglabs/robert_martin_mitre_software_supply_chain_system_of_trust - https://www.mitre.org/sites/default/files/2022-11/PR-22-01488-20-cybersecurity-benefits-of-sbom-september-2022.pdf - https://www.mitre.org/sites/default/files/2021-11/prs-21-0278-deliver-uncompromised-securing-critical-software-supply-chain.pdf   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/ Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw768

How do you mature a team responsible for securing software? What are effective ways to prioritize investments? We'll discuss a set of posts on building talent, building capabilities, and what mature teams look like. Segment resources: - https://securing.dev/categories/essentials/   Metrics for building a security product, hands-on image classification attacks, a proposed PEACH framework for cloud isolation, looking back at Log4Shell, building an appsec toolbox   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw224

Office Space, Rest assured, your insurance may not ensure anything, Lockbit, Thrilla in Manilla, PyTorch, non-binary ddr5, Jason Wood, and more on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn264

With the current macro economic head winds, 2023 budgets are either frozen or are flat. Where should CISOs focus these limited budgets to maximize the most out of their security program? In this segment, we invite Jon Fredrickson, Chief Risk Officer at Blue Cross Blue Shield of Rhode Island, to debate what should be in your minimum viable security program. This segment is part 1 of 2 parts and focuses on the minimum viable security capabilities.   With the current macro economic head winds, 2023 budgets are either frozen or are flat. Where should CISOs focus these limited budgets to maximize the most out of their security program? In this segment, we invite Jon Fredrickson, Chief Risk Officer at Blue Cross Blue Shield of Rhode Island, to debate what should be in your minimum viable security program. This segment is part 2 and focuses on the minimum viable security vendors for our top 6 capabilities: 1. Asset Management 2. Patch Management 3. IAM/MFA/PIM/PAM 4. EDR/MDR/XDR 5. Backup/Recovery 6. Risk Management   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw289

Security teams struggle with managing cyber risk across cloud workloads, services, resources, users, and applications. Parag will discuss the issues this presents and how Qualys’ new TotalCloud solution allows organizations to see all their cloud resources, relationships between resources, the external attack surface, and attack path mapping all delivered via one platform. Segment Resources: Qualys TotalCloud free trial: https://www.qualys.com/forms/totalcloud/ TotalCloud Video: https://vimeo.com/765771406 Blogs: https://blog.qualys.com/product-tech/2022/11/01/introducing-totalcloud-cloud-security-simplified https://blog.qualys.com/product-tech/2022/11/01/why-is-snapshot-scanning-not-enough   This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   A brief roundup of our favorite news, trends, and interviews in 2022! See what Adrian, Katherine, and Sean have to say about 2022's best interviews and news stories!   Finally, in the last Enterprise Security News of 2022, We see our first Security Unicorn with a down round, A few new fundings and new companies emerging, Ninjas emerge from stealth, Proofpoint acquires deception detection vendor Illusive, Veracode picks up Crashtest Security, Apple encrypts more consumer data, Passkeys introduced in Chrome, Texas bans TikTok, A great post-mortem of the Joe Sullivan case, Infragard gets hacked, KringleCon 2022.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw300

While we most likely do not believe that penetration testing is dead it continues to evolve over time. What do penetration tests look like today? Have they become more or less specialized? What is the continuing value of penetration testing? With development and IT moving so fast, how have penetration tests adapted? This discussion will dive into the details of penetration testing today and provide you with a guide to make the most of this activity.   Without question, we need more people working in cybersecurity today. Our culture has come a long way to be more open and inviting to new folks, but we still have a lot of work to do. What can you do if you want to break into the field of cybersecurity today? While there is no shortage of resources our experienced hosts will offer their thoughts, opinions, and advice on how you can become the next cybersecurity pro!   How well do you know your hacker history and trivia? See how you compare to our hosts as we tackle hacker trivia live on the air! Categories will include hacker movies, hacker history, and hacker tools.   This week, we round out the Holiday Special 2022 with a special guest appearance by Ed Skoudis, where he joins to fill us in on the Holiday Hack Challenge! Then, an utterly chaotic session of security news to close out 2022!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw767

AI Terrors, Infragard, Microsoft, HIPAA, GitHub, NIST, and more on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn263

In the Leadership and Communications section, CISOs of the World, Unite!, 8 things to consider amid cybersecurity vendor layoffs, The Best Public Speakers Put the Audience First, and more! Barracuda just finished an email security survey. We start to dig into the results and the impact for 2023, including: - 86% of respondents in all the countries surveyed said third party email security solutions are essential to keep our Microsoft 365 environment secure - This rises to 92% for respondents in the U.S. - And to 91% for companies with between 250 and 499 employees Also: - Just under one in five (19%) of all respondents said their top email security concern with Microsoft 365 was data protection and the risk of data loss - This rises to one in four (25%) among the frontline IT managers and professionals surveyed   This segment is sponsored by Barracuda. Visit https://securityweekly.com/barracuda to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw288

Your money is gone, Chaos, Ublerleaks, Esxi, Fortinet, Cloudflare, Praetorian, Jason Wood, and more on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn262

FreeBSD joins the ping of death list, exploiting a SQL injection through JSON manipulation, Apple's design for iCloud encryption, attacks against machine learning systems and AIs like ChatGPT   Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models. Segment Resources: - Original blog: https://segment.com/blog/redefining-threat-modeling/ - Open Sourced slides: https://github.com/segmentio/threat-modeling-training   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw223

Is there still a network or has it slipped away from us entirely? What about efforts for localization because people do not trust the cloud, its providers or its reliability (ala Twitter vs. the Fediverse?). Do you still need actual hardware firewalls? What about VPNs? How long will these devices still be around as everyone goes to the cloud and SDWAN technologies? And what about identity? If you can nail identity, doesn't that set you up to be a cloud-first organization? Join us for a discussion with Sinan and the security weekly hosts as we tackle these questions! This segment is sponsored by Barracuda. Visit https://securityweekly.com/barracuda to learn more about them!   Eclypsium's research team has discovered 3 vulnerabilities in BMCs. Nate Warfield comes on the show to tell the full story! This has garnered much attention in the press: * Original research post: https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/ * https://www.securityweek.com/security-flaws-ami-bmc-can-expose-many-data-centers-clouds-attacks * https://thehackernews.com/2022/12/new-bmc-supply-chain-vulnerabilities.html * https://therecord.media/three-vulnerabilities-found-in-popular-baseboard-software/ * https://www.bleepingcomputer.com/news/security/severe-ami-megarac-flaws-impact-servers-from-amd-arm-hpe-dell-others/ * https://duo.com/decipher/trio-of-megarac-bmc-flaws-could-have-long-range-effects * https://www.csoonline.com/article/3682137/flaws-in-megarac-baseband-management-firmware-impact-many-server-brands.html   In the Security News: ping of death returns, remembering when the Internet disconnected if your Mom picked up the phone, a 500-year-old cipher is cracked, VLC is always up-to-date, SIM swapper goes to prison, Rust is more secure but your supply chain is not, if you pwn the developer you win, you have too many security tools, Chrome zero days are not news, Log4Shell what changed?, Hive social again, ChatGPT, there's a vulnerability in your SDK, and it takes 3 exploits to pwn Linux, All that, and more, on this episode of Paul’s Security Weekly!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw766

Ban this, Rackspace, Agrius, Antwerp, New Zealand redux, Royal, Lensa, Chat-GPT, and more on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn261

Announcing Drata’s Series C, Milton Security announces new name, Threathunter.ai, Germany Forces a Microsoft 365 Ban Due to Privacy Concerns – Best of Privacy, New Communication Protocol “Ibex” and Extended Protocol Suite, Gepetto uses OpenAI models to provide meaning to functions decompiled by IDA Pro, Stack Overflow bans ChatGPT, French man wins compensation as judge awards him the right to refuse to be fun at work.   Let’s be honest: people can frustrate us. They don’t always do the things we’d like, and they often do some things we’d rather they didn’t. New research from the National Cybersecurity Alliance reveals insights about the public’s attitudes and beliefs about security. We’ll explore the 2022 Oh Behave! Cybersecurity Attitudes and Behaviors Report and some of the findings may surprise you! We’ll also give you practical, actionable advice on how you can better communicate to influence the behavior change you want to see. Segment Resources: https://staysafeonline.org https://staysafeonline.org/programs/cybersecurity-awareness-month/teach-others-how-to-stay-safe-online/ https://staysafeonline.org/programs/hbcu-see-yourself-in-cyber/ https://staysafeonline.org/programs/events/convene-clearwater-2023/   Estonia is a small country in the Baltics; however, it has been at the forefront of technology for many years. This session traces Estonia’s journey from independence in 1991 to its current use of digital identities for the systems that allow citizens to vote, check online banking, e-residency, and tax returns. I’ll share lessons learned and key takeaways from incidents that happened along the way, examine what the future holds, and discuss the impact of incorporating AI into a digital society.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw299

This week Dr. Doug tells us Where baby chips come from, PhilTel, AMI, Proot, Magecart, LockBit, scattered spider, Jason Wood, and more on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn260

Android platform certs leaked, SQL injection to leaked credentials to cross-tenant access in IBM's Cloud Database, hacking cars through web-based APIs, technical and social considerations when getting into bug bounties, a brief note on memory safety in Android   Finding the balance between productivity and security is most successful when it leads to security solutions that help users rather than blames them for security failures. We'll talk about the security decisions that go into handling potentially malicious files so that users can stay calm and carry on. This segment is sponsored by Votiro. Visit https://securityweekly.com/votiro to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw222

In the leadership and communications section, 5 top qualities you need to become a next-gen CISO, Ego Is the Enemy of Good Leadership, How To Explain Things Better, and more!   The U.S. is at an inflection point in terms of cyber threats; Critical infrastructure attacks are growing more frequent and consequential, and the White House recently called the cyber talent gap of nearly 770,000 open positions a “national security challenge.” Kelly Rozumalski, SVP at Booz Allen Hamilton leading the firm’s national cyber defense business, joins BSW to discuss why upskilling and reskilling are key to closing the cyber talent gap at the federal level and how a collective defense posture across government and private sector can enable us to better secure U.S. critical infrastructure.   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw287

This week, Dr. Doug raves about: 'The Orgy of the Walking Dead' or Elon is controlling my brain, Schoolyard Bully, Redigo, DuckLogs, Dod Alphabet soup, Sirius XM, Pixel Tracking, TSA, Single Sign-on rants, and more on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn259

Despite certain economic indicators warning that a recession is on the horizon, investment remains healthy within the security market amid thirst for cloud security, in particular. One such emerging field is data security posture management (DSPM), which aims to bridge the gap between business goals and a comprehensive security mechanism that leaves no data behind as organizations scale in the cloud.   A deep-rooted cyber security culture is crucial, and it goes as far back as the hiring process… 10 years ago, a typical hiring process consisted of working your way through a checklist, hiring individuals based solely on a CV. Today, the ‘Simon Sinek’ culture is gaining more prevalence, with employers realizing that hiring the right person, rather than the CV, can have immeasurable benefits for business. Ryan will talk about why this is particularly true within the cyber security sphere, and why business leaders should follow this particular ‘Simon Sinek’ strategy to build a successful security operation, and secure business, starting directly with the human’s that run it. You will walk away from this session knowing why it is important to employ the right individual rather than the CV, and how adopting this approach can drastically improve how a business responds to and manages security threats, company wide. Segment Resources: Github: https://github.com/stripesoc TEDx Talk, How clicking a link can cost millions: https://www.youtube.com/watch?v=OI9n2tLf0Tg&list=PLcR8SW0W6hdAQvxYI9XJUEe50zFln6QMY&index=1 I   n the enterprise security news, Funding announcements take a bit of a break, We explore a few new vendors and organizations that have come to our attention recently, Wiz researchers annoy yet another cloud service by pointing out ridiculous vulnerabilities - IBM Cloud, this time, Docker Hub has tons of shady stuffs going on, EU strengthens cybersecurity with new legislation, The US Department of Defense releases Zero Trust strategy (no more Five E   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw301

We are joined by Josh and Kurt from the amazing Open Source Security Podcast! We're talking about supply chain risks, threats and vulnerabilities in this segment! Segment Resources: https://opensourcesecurity.io/   This week in the Security News: When you just wanna hurl, malicious containers, FCC bans stuff, these are not the CVE's you're looking for, Linux password mining, mind the gap, hacking smart watches, & more!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw765

This week Dr. Doug talks: Lots of nudity, Tik Tok, Twitter, Festo, IABs, Meta, Jason Wood & more on the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn258

Todd Fitzgerald, author of CISO Compass and host of CISO Stories, joins BSW to share his top leadership lessons from the first 100 episodes of CISO Stories. Todd interviews CISOs and gains insights into their challenges and how they are solving them. Don't miss this recap!   In the leadership and communications section, The Sacrificial CISO heralds a new age for cybersecurity, To Coach Leaders, Ask the Right Questions, How to Handle Criticism Gracefully: 12 Pro Tips, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw286

Crossing tenants with AWS AppSync, more zeros in C++ to defeat vulns, HTTP/3 connection contamination, Thinkst Quarterly review of research, building a research team   MongoDB recently announced the industry’s first encrypted search scheme using breakthrough cryptography engineering called Queryable Encryption. This technology gives developers the ability to query encrypted sensitive data in a simple and intuitive way without impacting performance, with zero cryptography experience required. Data remains encrypted at all times on the database, including in memory and in the CPU; keys never leave the application and cannot be accessed by the database server. While adoption of cloud computing continues to increase, many organizations across healthcare, financial services, and government are still risk-averse. They don’t want to entrust another provider with sensitive workloads. This encryption capability removes the need to ever trust an outside party with your data. This end-to-end client-side encryption uses novel encrypted index data structures in such a way that for the first time, developers can run expressive queries on fully encrypted confidential workloads. Queryable Encryption is based on well-tested and established standard NIST cryptographic primitives to provide strong protection from attacks against the database, including insider threats, highly privileged administrators and cloud infrastructure staff. So even another Capital One type breach is not possible. Segment Resources: - https://www.mongodb.com/products/queryable-encryption - https://www.wired.com/story/mongodb-queryable-encryption-databases/ - https://www.youtube.com/watch?v=mDKfZlQJO3k - https://thenewstack.io/mongodb-6-0-offers-client-side-end-to-end-encryption/   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw221

Arrrrr mateys! This week Dr.Doug will keel-haul a first-rate plunder of yarns including: pirate booty, phishing kits, CSC, Hive, HHS, Z-library, Iran, FTX, and more on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn257

Infrastructure-as-code (IaC) allows for quick and consistent configuration and deployment of infrastructure components because it’s defined through code. It also enables repeatable deployments across environments. IaC is seeing significant attention in the cloud security space, but why now? This conversation will dig into how Infrastructure-as-code is enabling faster innovation on application development with security built in. Segment Resources: - https://www.lacework.com/solutions/infrastructure-as-code/ - https://www.lacework.com/blog/introducing-secure-automated-iac-deployments-with-terraform/  - https://info.lacework.com/cloud-threat-report.html    We catch up on 2 weeks of news, starting with 18 funding rounds and several new products! Splunk acquires Twinwave Another ASM vendor, Templarbit, gets acquired into the Cyberinsurance industry, InfoSec Layoffs continue in a big way alongside huge cuts at Facebook, Twitter, and Amazon, Microsoft sued for stealing code to train GitHub Copilot, Google sued for tracking when users asked them not to, Apple sued for violating privacy when users asked them not to, Taking away kids’ smartphones, Stealing passwords from Mastodon, Should Cryptocurrency die in a fire? All that and more, on this episode of Enterprise Security Weekly.   This segment will focus on (1) Why Did Sephora Get Fined $1.2M and Why Are They on Probation? (2) Why Data Privacy is Being Overhauled in 2023 (and How You Can Be Ready) Segment Resources: - https://www.consumerreports.org/electronics-computers/privacy/i-said-no-to-online-cookies-websites-tracked-me-anyway-a8480554809/ - https://www.geekwire.com/2022/the-bittersweet-serendipity-that-gave-these-two-startup-leaders-a-shared-mission-in-online-privacy/ - https://www.boltive.com/blog/why-having-a-consent-management-platform-is-not-enough - https://www.boltive.com/blog/bracing-for-2023-privacy-laws - https://ceoworld.biz/2022/07/03/three-ways-your-data   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw297

In the Security News: Stealing Mastodon passwords, reporting vulnerabilities in open-source privately, labeling does not solve problems, or does it? will it every get patched? geolocating people from photos, no meta-data required, update your firmware on Linux, hacking flow computers, when a driver isn't really a driver, well, its a driver, but not the one you may be thinking of, oops I leaked it again, misconfiguration leads to compromise, harden runner, guard dog and hacking spacecraft via Ethernet! Navigating the UEFI waters is treacherous. While UEFI has become the standard on most PCs, servers, and laptops, replacing legacy BIOS, it is a complex set of standards and protocols. Jesse joins us to help explain how some of this works and describe how vulnerabilities, specifically with SMM, can manifest and be exploited. Segment Resources: [CHIPSEC GitHub] https://github.com/chipsec/chipsec    Visit https://www.securityweekly.com/psw for all the latest episodes!   Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw764

CosMiss in Azure, $70k bounty for a Pixel Lock Screen bypass, finding path traversal with Raspberry Pi-based emulators, NSA guidance on moving to memory safe languages, implementing phishing-resistant MFA, egress filtering, and how to approach code reviews   Cider Security’s recently published research of the Top 10 CI/CD Security Risks acts to identify vulnerabilities to help defenders focus on areas to secure their CI/CD ecosystem. They created a free learning tool with a deliberately vulnerable environment to demonstrate these flaws -- “CI/CD Goat”. Like similar tools, this helps appsec and devops teams gain a better understanding of major CI/CD security risks and, importantly, their appropriate countermeasures. Segment Resources: - https://www.cidersecurity.io/top-10-cicd-security-risks/ - https://github.com/cider-security-research/top-10-cicd-security-risks - https://www.cidersecurity.io/blog/research/ci-cd-goat/ - https://github.com/cider-security-research/cicd-goat   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw220

This week Dr. Doug talks: Billbug, Pushwoosh, GitHub, FTX, K-12 schools without security, say it isn't so, Eli Lilly, and is joined by Peter Klimek for Expert Commentary! All that and more on the Security Weekly News! This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn256

In the leadership and communications section, Is Your Board Prepared for New Cybersecurity Regulations?, 32% of cybersecurity leaders considering quitting their jobs, 40 Jargon Words to Eliminate from Your Workplace Today, and more!   Positive change is coming to cybersecurity. In this segment, Mike Devine (CMO) and John Grancarich (EVP of Strategy) at Fortra discuss the business of leading a cybersecurity company, the reasons behind our recent rebrand, and our plans for continuing as a people-first company that collaborates with our customers to combat the threat landscape with confidence. This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw285

This week in the Security News: Twitlegit, Liability, Venus, Steganography, C++ death knell, the EU, CISA, and show Wrap-Ups on this edition of the Security weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn255

Don’t leave the door open. Modern systems are complex and require you to consider many aspects. Here are some aspects we consider critical: - APIs are the dominant software development direction/trend. Traditional/legacy ways to grant access is not fit for purpose of protecting this new way of delivering products and services. - Customers are demanding better digital experiences. To maintain a competitive edge and drive brand loyalty businesses need to provide great online experiences. - Standards (such as OAuth and OpenID Connect) are important to ensure high-security levels. Also enables scalability and helps future-proof your infrastructure. For example in the financial sector, these standards play a key role in the drive toward open banking. - A modern architecture is a zero trust architecture. In a zero trust architecture, the new perimeter hinges on identity.   Segment Resources: https://thenewstack.io/zero-trust-time-to-get-rid-of-your-vpn/ This segment is sponsored by Curity. Visit https://securityweekly.com/curity to learn more about them!   In this panel discussion, we'll discuss the polarizing case of Joe Sullivan that has rattled the CISO community. Was the Sullivan case a rare anomaly? Were his actions in this scenario typical or unconscionable for the average CISO? Is it okay for Sullivan to take the fall while the rest of Uber and involved parties plead out with little to no punishment? We'll tackle all these questions and more with our excellent panel, comprised of: Sounil Yu, CISO and Head of Research at JupiterOne Brian Markham, CISO at EAB Rich Friedburg, CISO at Live Oak Bank Robert Graham, Owner at Errata Security    Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw296

Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is great, but what other value can a pentest provide by shifting your mindset further left or with a more strategic approach? How often do you focus on the overall ROI of your penetration testing program? This talk will explore what it means to “shift left” with your penetration testing by working on a threat informed test plan. Using a threat informed test plan will provide more value from your pentesting program and gain efficiency in your security testing pipeline. This talk applies to both consultants and internal security teams. Segment Resources: Hack Your Pentesting Routine WP: https://plextrac.com/resources/white-papers/hack-your-pentesting-routine/ Effective Purple Teaming WP: https://plextrac.com/effective-purple-teaming/ This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them!   In the Security News: submerged under blankets in a popcorn tin is where they found it, Indirect Branch Tracking, don't hack me bro, we're here from the government to scan your systems, Fizzling out security, static and dynamic analysis for the win, BYODC, Bring your own domain controller, application context matters, if you want an update better have an Intel CPU, one-time programs, urlscan is leaking, hacking load balancers, and its all about the company you keep.   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw763

Threat actors use automation and technology to do evil at scale. Yet, even with cutting edge technology available to them, smaller organizations feel overwhelmed. Analysts struggle from the “alt-tab, swivel-chair” problem, and security products just don’t feel… powerful. So how does a SOC maximize its most valuable asset–the humans–in combination with technology to overachieve? This talk will teach you a new way to model out your team's resources, assets, and capabilities to defend against various levels of adversaries to determine where you have operational capability, where you have gaps, and how to tell the difference. This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/extrahop to learn more about them!   After years of increases, security budgets are coming under scrutiny. Cybersecurity professionals need practical guidance on how to manage existing budget allocations and new requests for funding. This segment provides Forrester's spending benchmarks, insights, and recommendations to future-proof your security investments in ways that keep you on budget while simultaneously mitigating the risks facing your organization. Segment Resources: https://www.forrester.com/blogs/new-security-risk-planning-guide-helps-cisos-set-2023-priorities/   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw284

This week Dr. Doug talks: Exploding heads, Mastodon, James Zhong, Azov, Zlibrary, Siemens and Schneider, Chinese AI, Jason Wood, and more on the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn254

While APIs enable innovation, they’re increasingly targeted as a pathway to data. API abuses are often carried out through automated attacks, in which a botnet floods the API with unwanted traffic—seeking vulnerable applications and unprotected data. In this discussion, Karl Triebes shares what you need to know about the automated bot threats targeting your APIs with guidance on how to protect your applications and APIs from these attacks. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!   The punycode parsing in OpenSSL, missing authentication in Azure Cosmos DB Notebooks, the importance of documentation in security, labeling IoT security, bad response to a security disclosure   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw219

Positive change is coming to cybersecurity. In this segment, John Grancarich, EVP of Strategy at Fortra, explains what it means when we say we’re tenacious in our pursuit of a stronger, simpler future for cybersecurity, and that our advanced threat research and intelligence informs everything we do. This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them!   Gartner recently reported that the RPA software market will reach $2.9 billion by the end of 2022, up 19.5% from 2021. But, despite Airlines adopting it to help with cancellations and retail for inventory management, we’re not talking about the security risk this tech will cause. Alan Radford, Global IAM Strategist at One Identity discusses the truly devastating impact that can occur when an organization leaves its RPA program vulnerable and without any identity and access protection, why realizing that machines have identities too could save us from dangerous RPA breaches in the future, and steps companies can take to secure their RPA technology as more companies continue to implement it.   Finally, in the enterprise security news, 12 funding announcements, 1Password acquires Passage, Layoffs continue with another round at Cybereason, FTC takes action against Drizly’s CEO, everything you need to know about new US data privacy legislation, Cisco Meraki devices in Russia go POP! Young silicon valley workers are in for a shock, Ransomware trends, MFA trends, US officials say tech companies need to build secure products, All that and lots more, on this episode of Enterprise Security Weekly!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw295

Android Apps send users to Weaponized websites, Dropbox hacked, OpenSSL high severity Vulnerabilities and UK spies help Ukraine defeat Russia, along with show wrap-ups on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly    

Blenster comes on to talk about the Maker Movement, Hackerspaces, community and inclusive cultures, intentionality and kindness as a social cheat code, the right to repair movement, and using tools like the arduino/raspberry Pi to bring your projects to the next level!   In the Security News: last year's open source is tomorrow's vulnerabilities, RepoJacking, I feel like there will always be authenitcation bypass, super charge your hacking, do you have your multipath, RC4 and why not to use it, here's the problem with vulnerability scanners, packages and expired domains, initrd should not be trusted, Apple kernels, oh and did you hear there is a vulnerability in OpenSSL!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly/ Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw762

This week in the news, Dr. Doug talks: Elon Tweets, Microsoft, KELA, Chegg, Overclocking, Connectwise, and phone repairs, along with Aaran Leyland on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn252

In the leadership and communications section, Is Cybersecurity Leadership Broken?, Cybersecurity career mistakes, 13 Cybersecurity Horror Stories to Give you Sleepless Nights, and more!   Cyber risk quantification should be at the center of an enterprise's actions to understand and measure risk posed in the event of a cyberattack. That data should then be used to estimate - financially - cyber risk exposure. To start this process, enterprises need 3 pillars to build a good cyber risk quantification program: the right data, appropriately skilled people and a methodology.   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly     Show Notes: https://securityweekly.com/bsw283

This week in the Security News: A Security Maturity Model for Hardware Development, Palo Alto Networks fixed a high-severity auth bypass flaw in PAN-OS, New UEFI rootkit Black Lotus offered for sale at $5,000, What are SBOMS, & Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike   Chris Crowley, SOC-Class Course Author, SANS Senior Instructor, and Consultant at Montance® LLC, joins PSW to discuss SOC training and development best practices, including insights from the SANS annual SOC survey. This segment is sponsored by Devo. Visit https://securityweekly.com/devo to learn more about them!   Michael Meis, associate CISO at the University of Kansas Health System, joins PSW to discuss how the history of warfare has influenced modern-day cybercrime and how cyber leaders can shift to a victory mindset. This segment is sponsored by Devo. Visit https://securityweekly.com/devo to learn more about them!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw760

A critical OpenSSL vuln is coming this Tuesday, a SQLite vuln, Apple blogs about memory safety and bug bounties, determining a random shuffle   The Web3 ecosystem is chock full of applications and projects that have lost money (and their customers’ money) due to breaches, code flaws, or outright fraud. How can security teams do a better job of protecting Web3 apps? Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) at the same time as being a desirable target because of the value association with tokens. Join us for a lively discussion about key threats to Web3 apps – both on-chain and off-chain - what we can do to mitigate them…and what we absolutely should not do. Additional resources - https://www.bloomberg.com/features/2022-the-crypto-story/ - https://web3isgoinggreat.com - https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly     Show Notes: https://securityweekly.com/asw218

This week we're joined by Fleming Shi from Barracuda Networks - and Doctor Doug pontificates on: Fodcha , Cranefly, linkedin, CISA, really high speeds, Elon, and more on the Security Weekly News. This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn251

For many companies, the pretenses of separation between work and home have completely disappeared. This has huge security implications for organizations, but creates some opportunities as well. How should organizations and vendors approach the new paradigm of shared devices and identities?   Economic tides are changing, making profitability and identifying efficiencies a priority for many IT teams. Reducing IT costs by modernizing and migrating identity infrastructure to the cloud is one of those projects to be considered. No more wasted time and effort on maintenance, patching, and upgrades. Join us as VP of Product Management at Ping Identity, Jason Oeltjen, will discuss cloud migration benefits, timelines, and how you can improve TCO by migrating your identity to the cloud as leadership seeks the most critical initiatives to fund. Segment Resources: https://www.pingidentity.com/en/lp/migrate-to-pings-cloud.html   This segment is sponsored by Ping. Visit https://securityweekly.com/ping to learn more about them!   Finally, in the enterprise security news, The company behind Basecamp and the Hey.com email service pulls anchor and exits the cloud, Your self-hosted Exchange Server might be a problem…Is Confidential Computing for suckers? Gen Z and Millennials found not taking things seriously in, survey fielded by Boomers, Industrial Cybersecurity Market expected to take off, Github adds fine-grained personal access tokens, Australia not playing around anymore, jacks up breach fines more than 20x, Layoffs and exit troubles, & more!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw294

This week in the Security News: rethinking vulnerability severity, exploiting the hacker tools, Microsoft "fixes" the vulnerable driver problem, its what you do with the data that matters, what is comprehensive security, deconflictions, moles are always a problem, checking the certs, oh and there is a vulnerability in OpenSSL, well at least one that we know of, currently!   In this segment, we are going to discuss linux security and using the Rust programming language with an Offensive MindSet, and our guest Charles Shirer! Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw761

This week Dr. Doug postulates: Fibonacci lasers, Mark of the Web, typosquatting, malvertising, death to 486, AI Coding, CISA, Apple, along with the Expert Commentary of Jason Wood on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn250

Learn what keeps DevOps and SecOps up at night when securing Kubernetes, container, and cloud native applications, what tactics are best for developers and application architects to consider when securing your latest cloud application and hardening your CI/CD pipeline and processes. This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   Text4Shell isn't a new patching hell, using supply chain info with GUAC, OpenSSF Scorecards and metrics, Toner Deaf firmware persistence, upcoming OWASP Board Elections, Chrome browser exploitation   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw217

Robert Herjavec, CEO of Cyderes, was the keynote speaker at InfoSec World 2022, where he discussed the momentum we continue to see in the cybersecurity industry. Topics included mergers & acquisitions, Robert's outlook on the cyber market, staffing shortages, and nation state threats. Robert joins BSW to expand on his ISW keynote presentation.   In the leadership and communications section, Boards looking to CEOs, not CIOs, to lead digital initiatives, Compensation for Cybersecurity Leaders is on the Rise, 3 cloud security posture questions CISOs should answer, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw282

Cloud computing’s velocity and dynamism make it hard for security teams to monitor and protect workloads in the cloud without impeding the agility of dev teams. ExtraHop Senior Principal Data Scientist Edward Wu joins ESW to discuss practical deployment approaches and scenarios to facilitate gathering and utilizing network data in cloud environments for improved visibility, detection, and response capabilities. This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/extrahop to learn more about them!   The cloud and SaaS were supposed to make things easier, simpler, more scalable. Arguably, they _have_ done all those things, but traditional, legacy networks linger. Migrations are messy and take time. Nearly everything is encrypted in transit by default. Today, we interview Marty Roesch, the creator of Snort and founder of SourceFire, to discuss how things have changed and what defenders can do to catch up and restore some order to the madness. We'll step through some history along the way - listeners might be surprised at how much our current situation mirrors the reasons behind why Marty created Snort in the first place.   This week in the Enterprise News Adrian & the gang discuss: With Technology, there’s no such thing as “Magic”’, Cyber M&A Expected to Remain Robust Into 2023, Former NSO CEO and ex-Austrian Chancellor found startup, Field Effect raises USD $30M in Series A funding  led by Edison Partners, & France-based TEHTRIS raises €44M to help companies fight cyber threats in real-time!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw293

SBOMs save the world, Elon, cut cabling, biometric lawsuits, sim swapping, tracking pixels, and fake LinkedIn accounts along with show wrap-ups   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn249

In the leadership and communications section, So you do not want to become a CISO anymore?, Which cybersecurity metrics matter most to CISOs today?, 15 Effective Tips on How To Talk Less (And Listen More!), and more!   One of my favorite segments! We track the top 25 public companies and provide you an update on the overall market. The Security Weekly Index has taken a beating, but so has the broader market. We'll update you on the latest funding, acquisition, and financial news. Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw281

Exploiting FortiOS with HTTP client headers, mishandling memory in Linux kernel Wi-Fi stack, a field guide to security communities, secure coding resources from the OpenSSF, Linux kernel exploitation Cybersecurity is a data problem. Accelerated AI enables 100 percent data visibility and faster threat detection and remediation. Find out how NVIDIA used AI to reduce cybersecurity events from 100M per week to up to 10 actionable events per day, and accelerate threat detection from weeks to minutes.   Segment Resources: Morpheus new digital fingerprinting GTC Fall 22 Demo Video: https://www.youtube.com/watch?v=8rEPkHRvDq0 Morpheus Web Page: https://developer.nvidia.com/morpheus-cybersecurity Morpheus Digital Fingerprinting Blog: https://developer.nvidia.com/blog/fingerprinting-every-network-user-and-asset-with-morpheus/ Detecting Threats Faster with AI-Based Cybersecurity Blog: https://developer.nvidia.com/blog/detecting-threats-faster-with-ai-based-cybersecurity/ Enroll in our free, self-paced, 1-hour DLI course : https://courses.nvidia.com/courses/course-v1:DLI+T-DS-02+V1/ Try Morpheus in NVIDIA LaunchPad: https://www.nvidia.com/try-morpheus Download Morpheus from NVIDIA GPU Cloud: https://catalog.ngc.nvidia.com/orgs/nvidia/teams/morpheus/collections/morpheus_ Get started with Morpheus in GitHub: https://github.com/nvidia/morpheus   This segment is sponsored by NVIDIA. Visit https://securityweekly.com/nvidia to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw216

This week, Dr. Doug discusses: YeBots, BlackLotus, Venus, ESXI, Act4shell, Women in cyber, Zoom, and ICS growth along with the expert commentary of Jason Wood on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn248

Fleming Shi, VMWare, Office, CommonSpiritHealth, Election assault, Thermal Attacks, and more on the Security Weekly News. This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn247

Finally, in the enterprise security news: Don’t worry! IT and Security funding is OK and we have the proof in the form of 16 funding announcements, Private Equity firms are taking advantage of the dip in valuations to make a few acquisitions: KnowBe4 and ForgeRock Legal Drama! We’ll discuss the Joe Sullivan case, the Splunk/Cribl battle, Crypto Drama! Another week, another Crypto exchange losing half a billion, new insights on breaches and ransomware in two new reports from Cyentia Labs, Cybersecurity leaders have a hard time keeping companies secure, and Cyber Nutrition labels!   Fast-paced business initiatives require applications and workloads to migrate to the cloud. While the data remains the same, there are significant differences between securing on-premises and cloud environments. In this discussion, Dan Neault shares what organizations need to know about securing data in the cloud and how to migrate to the cloud without compromising on security. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!   Discuss the current state of the industry as it relates to the threats to application usage of open source. Understand what is being done to define risk, improve education and provide ways to proactively mitigate those risks.   Segment Resources: https://openssf.org/oss-security-mobilization-plan/ https://github.com/ossf/wg-best-practices-os-developers https://github.com/ossf/education/tree/main/plan https://github.com/ossf/sirt https://www.brighttalk.com/webcast/15811/528611?utm_source=brighttalk-portal&utm_medium=web&utm_content=eric%20tice&utm_term=search-result-3&utm_campaign=webcasts-search-results-feed https://www.brighttalk.com/webcast/534/527431?utm_source=brighttalk-portal&utm_medium=web&utm_content=eric%20tice&utm_term=search-result-2&utm_campaign=webcasts-search-results-feed   Visit https://www.securityweekly.com/esw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw292

As Vice President of Threat Research & Intelligence at BlackBerry, Ismael Valenzuela leads threat research, intelligence, and defensive innovation. Ismael has participated as a security professional in numerous projects around the world for over the past two decades. In this episode, Ismael discusses his journey to become a top cybersecurity expert. We also explore the cybersecurity trends he and his team are seeing, and how cyber attackers are gaining a foothold and maintaining persistence. Segment Resources: https://www.blackberry.com/us/en/company/research-and-intelligence https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat   This week in the Security News: The secrets of Schneider Electric’s UMAS protocol, Pixel 6 bootloader: Emulation, Securing Developer Tools: A New Supply Chain Attack on PHP, Microsoft Exchange double zero-day – “like ProxyShell, only different”, Tech Journalists Offered Bribes to Write Articles for Major Outlets, & Detecting Deepfake Audio!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw759

This week, Dr. Doug rants: iPhone trauma to my eye bones, sexy photos, Killnet, Fortinet, Solana, Lufthansa, LofyGang, and Jason Wood on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn246

As 2023 approaches, security leaders are hard at work preparing their budgets, identifying their projects, and setting their priorities for the next twelve months. At the same time, the growth mode days of cybersecurity spending appear to be over as budgets receive more scrutiny than ever. Join us as we discuss the pressures and problems that CISOs will encounter in 2023, and how they can best defend their cybersecurity budgets while the economy slips into a downturn.   In the leadership and communications section, The CISO of Tomorrow Is Stepping Into the Business Spotlight, Why a Risk-Based Cybersecurity Strategy is the Way to Go, The Rise and Fall of Uber CISO and The Future of Cybersecurity Industry, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw280

We talk with Akira Brand about appsec educational resources and crafting better resources for developers to learn about secure coding. Segment Resources: - www.akirabrand.com - www.wehackpurple.com - www.owasp.org - www.brightsec.com/blog   Rust arrives in the Linux Kernel, verdict in the Uber security case, overview(s) of JavaScript prototype pollution, flaws in PHP Composer and the NPM vm2 package, reading CloudSecDocs   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw215

The size of my esophagus revealed, SQL Server, Blackbyte, China, Mafiaware666, Linux, Meta apps, IT repairs, and show wrap-ups.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn245

Every year, management needs to figure out what initiatives will be prioritized for the upcoming year. This simple, free method uses a quantitative approach based on CIS controls with input from the front-line analysts and engineers. The outcome is an engaging team discussion and clear plan for what the team should prioritize. Segment Resources: https://www.cisecurity.org/controls   It’s CyberSecurity Awareness Month and this year’s theme, set by CISA, is See Yourself in Cyber. We’re going to take some liberties in the interpretation of this to talk about the lines blurring between personal and work accounts and devices. We’ll also discuss MFA risks - what types of MFA are safe to use, and which aren’t in 2022? This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them!   Finally, in the enterprise security news, Cloudflare has 1.25 billion incentives to draw customers away from AWS, NetSPI raises $410M for pen testing? Tines extends their Series B an extra $55M, Detectify and Eclypsium also raise funding, Some big funding for Web3 security startups, Adversary emulation tools for blue teamers, Breaking news: the security market isn’t out of money, it’s just fine, The art of selling to cybersecurity people, and more!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw291

Red Balloon Security CEO Ang Cui has spent over a decade looking into the most critical devices supporting our infrastructure. He explains why the insight that launched his company still holds true, and what it will take for security experts, manufacturers and end users to resolve our insecure stasis.   Segment Resources: https://redballoonsecurity.com/ https://ofrak.com/ https://github.com/redballoonsecurity/ofrak https://redballoonsecurity.com/def-con-30-badge-fun-with-ofrak/ https://www.wired.com/story/ofrak-iot-reverse-engineering-tool/ https://www.bloomberg.com/news/articles/2022-01-11/researchers-show-how-hackers-can-cut-the-lights-with-rogue-code   In the Security News: deep access, dell drivers for the win, detecting deep fakes with acoustic tracking, exchanging 0days, I got 99 embedded firmware security problems, executing in SMM, secure boot to the rescue, automation or a crappy pen test, PHP supply chain attacks, pig butchering, fake profiles, & bribing journalists!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw758

This week, Dr. Doug talks: Bruce Willis, Deepfake and Deepcake, comm100, cyber month, Chromium, Proxynotshell, fake Proxynotshell, Cobalt Strike, and Jason Wood on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn244

In an effort to diversify the cybersecurity talent pool and improve cybersecurity literacy, CYBER.ORG created Project Access, a nationwide effort designed to expand access to cybersecurity education for blind and vision impaired students between the ages of 13-21 who are in pre-employment transition (Pre-ETS). Through the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Education and Training Assistance Program (CETAP) grant, CYBER.ORG pioneered a series of camps this past summer in Arkansas, Maine, Virginia, and Michigan to introduce blind and vision impaired students to key cybersecurity topics, help them develop cybersecurity skills, and explore the possibility of a career in a growing industry. This is one of CYBER.ORG’s efforts to improve diversity and inclusion in the cybersecurity industry – starting with K-12 students. Segment Resouces: To learn more about CYBER.ORG and Project Access or to get involved, visit: www.cyber.org www.cyber.org/events www.cyber.org/initiatives/project-access You can reach Dr. Chuck Gardner, Sr. Director of Government and Non-Profit Engagement for CYBER.ORG at [email protected]. https://www.businesswire.com/news/home/20220627005666/en/CYBER.ORG-Launches-Project-Access-a-National-Effort-to-Increase-Access-to-Cybersecurity-Education-for-Students-with-Disabilities   In the leadership and communications section, Fake CISO Profiles on LinkedIn Target Fortune 500s, Cybersecurity Executive Communication and importance of Metrics, Tips for developing cybersecurity leadership talent, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw279

The core focus of this podcast is to provide the listeners with food for thoughts for what is required for releasing secured cloud native applications - Continuous, Multi-layer, and Multi-service analysis and focusing not only on the code, but also on the runtime and the infrastructure. - Focus on the vulnerabilities that matter. The critical, exploitable ones. Use Context. - Choose the right remediation forms. It may come in different shapes Segment Resources: Oxeye Website for videos and content - www.oxeye.io   Exchange RCE, bulk pull requests to patch at scale, metrics from DORA, best papers from USENIX, implementing passkeys   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw214

Cybersecurity is now battling a human problem just as much, if not more, than a technical one. According to Verizon’s 2021 Data Breach Security Report, 85% of successful cyberattacks now involve a human element. Combine that with the fact that even the very best technology can only thwart about 93% of attacks and that leaves a large hole in an organization’s basic security hygiene. This has led to a growing demand for ongoing educational programs that rely on behavioral science to measure and manage cybersecurity risk as a distinctly different solution from generic, one-size-fits-all training programs.   In the enterprise security news, SentinelOne and Crowdstrike reinvest in the security market, Malwarebytes raises $100M, Ox Security raises a $34M Seed round??? Jamf acquires ZecOps, New startups looking to improve Code Reviews…Outsource questionnaires…provide consumer privacy awareness…Federal security funding for state and local governments, New software supply chain attacks, Microsoft Windows slaps your hand when you try to update passwords.txt, and stick around until the end, when we talk about a New Jersey Deli with a $100M market cap!   This is a recurring segment, in which we bring on a VC to provide an investor’s point-of-view on all this activity. It’s hard to imagine a better investor to join us than Will Lin, co-founder of Forgepoint, one of the few VC firms that exclusively invests in cybersecurity startups. We'll discuss: - How, the last time we had Will on (20 episodes ago, ESW 270), we were asking about huge valuations and potential market resets/corrections. Well, it seems that day arrived. What now? - Crowdstrike and SentinelOne are active investors with their own funds now. Is this a new trend, or are we just now noticing it? What does it mean for the larger market and for founders looking to raise? - We've had guests on to discuss enterprise browsers, and DSPM - what hot markets should we target next?   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw290

This week, Dr. Doug discusses: Optimus Prime, Hard Drives, Exchange, Witchetty, TLP, DOD, EIEIO, as well as the show Wrap-Ups and his Threat of the Week!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn243

Hackers rarely break through crypto or exploit fancy zero days. Most of the time they simply login using stolen credentials. Managing passwords, keys and other forms of secrets does not work at scale. In this segment we’ll look into a more radical approach to infrastructure security: getting rid of secrets entirely and moving to access control based on physical properties of humans and machines. This segment is sponsored by Teleport. Visit https://securityweekly.com/teleport to learn more about them!   This week, we're joined by Casey Ellis to discuss a Telco breach from a land down under, UK government sits out bug bounty boom but welcomes vulnerability disclosure, Karakurt Data Extortion Group, Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack, being caught with your pants down, & more!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw757

New fourth-annual research report analyzes ransomware attack patterns that occurred between August 2021 and July 2022 In the past 12 months, Barracuda researchers identified and analyzed 106 highly publicized ransomware attacks and found the dominant targets are still five key industries: education, municipalities, healthcare, infrastructure, and financial. Researchers also saw a spike in the number of service providers that have been hit with a ransomware attack. The volume of ransomware threats detected spiked between January and June of this year to more than 1.2 million per month. Most ransomware attacks don’t make headlines, though. Many victims choose not to disclose when they get hit, and the attacks are often sophisticated and extremely hard to handle for small businesses. To get a closer look at how ransomware is affecting smaller businesses, the report details three examples that researchers have seen through Barracuda SOC-as-a-Service, the anatomy of each attack, and the solutions that can help stop these attacks. Segment Resources: Read the full Threat Spotlight blog post: https://blog.barracuda.com/2022/08/24/threat-spotlight-the-untold-stories-of-ransomware/ This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them! In the leadership and communications section, Attention CISOs: The Board Doesn’t Care About Buzzwords, The Best Managers Are Leaders — and Vice Versa, Firing Your Entire Cybersecurity Team? Are You Sure?, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw278

Applications are the most frequent external attack vector for companies. However, application security can improve only if developers either code securely or remediate existing security flaws — unfortunately, many don’t receive training with proper security know-how. In this session, we will talk about the state of application security education and what you can do to secure what you sell. Segment Resources: - https://www.forrester.com/blogs/school-is-in-session-but-appsec-is-still-on-vacation/?ref_search=3502061_1663615159889 https://www.wisporg.com/events-calendar/2022/11/8/security-amp-risk-conference-forrester https://www.veracode.com/events/hacker-games https://blogs.microsoft.com/blog/2021/10/28/america-faces-a-cybersecurity-skills-crisis-microsoft-launches-national-campaign-to-help-community-colleges-expand-the-cybersecurity-workforce/ Wiz reveals authorization bypass in Oracle Cloud, Python 15-year old path traversal flaw, Prototype Pollution in Chrome, PS4 flaw reappears in PS5, Why security products fail Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw213

This week Dr. Doug talks: Darth Vader, SmartScreen, Erbium, Graphite, Russia, Metador, Whatsapp, RSocks, and is joined by the illustrious Jason Wood on the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Show Notes: https://securityweekly.com/swn242

Sinan Eren, the VP of Zero Trust at Barracuda joins us to discuss various aspects of MFA Fatigue & Authentication with the PSW crew! Segment Resources: https://assets.barracuda.com/assets/docs/dms/NetSec_Report_The_State_of_IIoT_final.pdf This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them! In the Security News: Bloodhound's blind spots, Interactable Giraffe, don't use open-source, it has too many vulnerabilities, MFA fatigue, tamper protection, use-after-freedom, how not to do software updates, hacking gamers, stealing Teslas, safer Linux, trojan putty, there's money in your account, game leak makes history, GPS jammers, Uber blames LAPSUS, spying on your monitor from a zoom call, next-generation IPS with AI and ML for zero-day exploit detection, 3D printed meat, and what to do when the highway is covered with what is usually kept in the nightstand... Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw756

This week, Dr. Doug talks: Bionic Cockroaches, Credential Stuffing, MFA Fatigue, ICS, Magento, Mobsters as well as all the Show Wrap Ups for this week! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn241

This week, Jonathan Roizin from Flow Security joins to discuss what this new security category is all about and how it differs from the OG, false positive heavy DLP we'd all rather forget! Data Security Posture Management (DSPM) is not your dad's DLP. This new category has emerged to tackle one of the toughest areas of security: protecting data. Then, Based on what we know so far (which is limited and could change), the Uber breach appears to be a classic example of how penetration testers and criminals alike break into large organizations. In this segment, we'll discuss how the attack happened. We'll go over the controls that failed, why they failed, and what Uber could have done to prevent or detect this attack. Then, in the Enterprise Security News, Fortanix raises a $90 series C for data security, Cyrebro raises a $40M series C for MSSP SOC solutions, Dig Security raises a $34M series A (yes, this is a repeat from last week, but we didn’t get a chance to talk about it), Internet 2.0 gets funded??? (probably not what you think), How to hire and build your cybersecurity team, The NSA gives some bad advice on securing software, Courtroom Drama, & Oracle makes a really bad whoopsie! Segment Resources: Flow's blog post - "5 Key Takeaways About DSPM From the Gartner® Hype Cycle™ For Data Security, 2022": https://www.flowsecurity.com/gartner-dspm/  Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw289

In the leadership and communications section, Cybersecurity’s Too Important To Have A Dysfunctional Team, In a Crisis, Great Leaders Prioritize Listening, White House Announces Stricter Cybersecurity Guidelines and Rules, and more!   Paul will discuss a risk-based approach to security that prioritizes fixing the most critical issues that will reduce risk in your organization. He'll walk through a three-step cycle that continuously monitors the threat landscape, enables quick response, and measures the metrics that company leadership cares about. Segment Resources: https://blog.qualys.com/qualys-insights/2022/05/31/transitioning-to-a-risk-based-approach-to-cybersecurity https://blog.qualys.com/qualys-insights/2022/07/26/aflac-completes-successful-poc-of-qualys-vmdr-2-0-with-trurisk www.qualys.com/vmdr   This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw277

This week, Dr. Doug talks: Hot, lonely planets, Chromeloader, MFA Fatigue, Lapsus$, Lastpass, LockerGoga, and Lincolnshire, all this and Jason Wood on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn240

Appsec places a lot of importance on secure SDLC practices, API security, integrating security tools, and collaborating with developers. What does this look like from a developer's perspective? We'll cover API security, effective ways to test code, and what appsec teams can do to help developers create secure code. This segment is sponsored by ThreatX. Visit https://securityweekly.com/threatx to learn more about them!   Appsec dimensions of the Uber breach, Rust creates a security team, MiraclePtr addresses C++ heap mistakes for Chrome, a critical reading of the NSA/CISA Supply Chain guidance, talking about careers   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw212

Enterprise browsers are a new addition into the endpoint security market. Combining enhanced features not in the existing browsers, with centralized reporting and controls, they're promising to bring a better experience to the users and a more secure delivery of applications to the companies who use them. What's real, what's "vision", and what makes them different than all the other solutions that promise to "secure the browsing experience".   In the Enterprise Security News for this week: Funding rounds are back!, Bitwarden rasies $100M for password management Cymulate raises $70M, and a ton more Series A, Series B, and Seed announcements from vendors just coming out of stealth, Ethereum’s merge completes and moves to proof of stake, Some updates on the Twitterpocalypse, The latest in annoying buzzword innovation, and some Cyber Insurance trends that I promise are interesting!   Attackers have been targeting Active Directory for years and more recently set their sights on Azure AD & Microsoft Office 365. There are ways to tighten up these platforms beyond the default configuration and greatly improve the security posture. Segment Resources: Trimarc Webcast on how to quickly level up Active Directory security: https://www.hub.trimarcsecurity.com/post/webcast-top-10-ways-to-improve-active-directory-security-quickly Performing your own Active Directory Security Review - article and PowerShell tool: https://www.hub.trimarcsecurity.com/post/securing-active-directory-performing-an-active-directory-security-review Trimarc Content Hub: https://hub.trimarcsecurity.com   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw288

This week in the Security News, Dr. Doug discusses: Meat Men, History, Putty, Crypto, Edge, YouTube, EU Laws, Privacy, and show wrap-ups.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn239

Analyst burnout and the talent shortage are creating environments where teams are stressed out, overwhelmed, and frustrated. Security Operations managers (or anyone managing teams of security analysts) must empower their analysts with solutions that can make them more effective at their job. Thomas Kinsella joins to discuss why No-code automation is the ultimate solution to do that! Then, in the Security News: you liked the browser so much we put a browser in your browser, hackers are using sock puppets, the patch that kills performance, detect eavesdroppers, no more passwords, one-click account hijack thanks to JavaScript, the return of Shakata Ga Nai, GIFShell (or is it jifshell), Lexmark firmware confusion, and searching for a long lost copy of OS/2! Segment Resources: https://www.tines.com/reports/voice-of-the-soc-analyst/ Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw755

While applications and APIs are developed with cloud in mind, many organizations must rely on a hybrid architecture and edge computing to deliver their services given the high cost of cloud services. However, many organizations lack the right security stack to protect data and applications in these unique environments, or from threats added through reliance on open source code. With today’s attacks coming from automated threats, organizations need to implement tools to mitigate risks that impact the bottom line, brand reputation, and customer experience without slowing development lifecycles. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw276

This week Dr. Doug talks: Steam, VMWare, Intel,HP, Apple, Craiglist killing, Meta, Tiktok and is joined by the illustrious Jason Wood!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn238

Go releases their own curated vuln management resources, OSS-Fuzz finds command injection, Microsoft gets rid of Basic Auth in Exchange, NSA provides guidance on securing SDLC practices, reflections on pentesting, comments on e2e   Shifting left has been a buzzword in the application security space for several years now, and with good reason – making security an integral part of development is the only practical approach for modern agile workflows. But in their drive to build security testing into development as early as possible, many organizations are neglecting application security in later phases and losing sight of the big picture. In this talk, Invicti’s Chief Product Officer Sonali Shah discusses the challenges and misunderstandings around shifting left, and provides tips on how organizations can implement web application security program without tradeoffs throughout the whole application security lifecycle. This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw211

This week in the Security News: Vangogh vs. AI, Online Safety in California, Bad IoS Apps, Japan vs. Floppy Disks, Chile, Instagram, and show Wrap-Ups!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn237

In the Enterprise Security News This week: more layoff announcements than funding announcements! Krit acquired by GreyNoise, Incident Response in AWS is different, Awesome open source projects for SecOps folks, Tyler Shields can’t wait to talk about Product Led Growth, Forcing open source maintainers to use MFA, Twilio - the breach that keeps on pwning, The US Governments earmarks $15.6 BILLION for cybersecurity and we hear vendors salivating already, & more!   Security training isn't just about anti-phishing and security awareness for employees. When reading through breach details, a similar picture often emerges: the people were there, the tools were in place, but the people didn't know how to use the tools effectively. Every day, security tools catch attacks, but it doesn't matter if a human doesn't notice and tools are in 'monitor only' modes. This segment is sponsored by RangeForce. Visit https://securityweekly.com/rangeforce to learn more about them!   From its origins a decade ago, the grassroots movement to enshrine in law the right to repair our stuff (read: cell phones, laptops, home appliances, cars, machinery) has morphed into a potent, global movement. Today, much of the debate over right to repair laws has focused on issues like concentrations of market power by large corporations and anti-competitive behavior with regard to service and repair of "smart," connected products. However, there is a less-discussed but equally potent argument in favor of repair: cybersecurity and data privacy. In this conversation, Paul Roberts, the founder of SecuRepairs.org (pron: Secure Repairs), talks about the dire state of device security on the Internet of Things and how efforts by manufacturers to limit access to software updates, diagnostic tools and parts exacerbates IoT cyber risk, even as it burdens consumers and the environment. Segment Resources: Securepairs.org: https://securepairs.org Fight to Repair Newsletter: https://figh   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw287

John Hammond joins us today as we start off the show talking about Cybersecurity education! Training and education is a constant conversation within the cybersecurity community, but it doesn't have to be a hard problem to solve. We will discuss how to bring both valuable and actionable information into the industry and how that makes an impact, even in unexpected ways -- for better or for worse. Then, in the Security News: Lastpas breach, long live John McAfee, Macs getting fewer updates, CPE correlating to CVE, clicky clicky hacks, anti-cheat is not anti-hack, new LVFS release, $8 million zero day, don't sign crappy code, a very handy PI and a site that lets you send poop anonymously is hacked (it was a pretty crappy exploit)! Segment Resources: https://youtube.com/johnhammond010 Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw754

This week Dr. Doug talks: PS5, Twilio, Quantum, Bug Bounties galore, a date bomb, backups, Sephora, as well as the Expert Commentary of Jason Wood on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn236

We will review the primary needs for cloud security: - Guardrails against misconfiguration - Continuously Identify and Remediate Vulnerabilities in Cloud APIs, Apps, and Services - Observability, Protection, and Reporting against Compliance and Risk Policies - We will also review CNAPP -- Cloud Native Application Protection Platform -- and why companies need to take a closer look for the best cloud security Segment Resources: - https://www.datatheorem.com/news/2021/data-theorem-representative-vendor-cnapp-2021-gartner-innovation-insight-report   Twitter whistleblower complaint lessons for appsec (and beyond), the LastPass breach, building a culture of threat modeling, signed binaries become vectors for ransomware, a look back to the birth of Nmap and the beginning of Linux.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw210

In this segment, BARR Advisory founder and president Brad Thies will use real-world examples to discuss how cybersecurity scorecards and KPIs can help organizations measure and manage the effectiveness of their cybersecurity programs. Thies will also reveal which metrics he sees as most valuable in evaluating cybersecurity posture and discuss how to define accountability for security within an organization. This segment is sponsored by BARR Advisory. Visit https://securityweekly.com/barradvisory to learn more about them!   In the leadership and communications section, 7 Uniquely Personal Bits of Wisdom To Improve Your Leadership, 4 key areas cybersecurity leaders should focus on, Cybersecurity spending strategies in uncertain economic times, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw275

In this edition of the Security Weekly News, Dr. Doug discusses: Toxic Tats, Fakery, MagicWeb, Sliver, Twilio, OSPFv3, Mudge, X-Platform Ransomware as well as all the show Wrap Ups from this week!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn235

The new category of Data Security Posture Management, what is it and why it's important. Discussing real customer stories where DSPM products played a critical role in helping companies secure their data.   Since the dawn of the internet, companies have been fighting cyber vulnerabilities with a myriad of traditional technologies. And assigning cybersecurity training to people without really knowing its effectiveness or being able to tell the difference between knowledge and behavior. This is why AwareGO created the Human Risk Assessment. Designed by behavioral and cybersecurity experts, it allows organizations to measure human risk and resilience across a number of critical cybersecurity threat vectors. It measures cyber risks connected to social media that are not only personal but can affect the workplace as well. It helps assess awareness of secure password handling with multiple interactive experiences and situations. And it allows you to discover how employees would deal with tricky situations around the workplace, such as tailgating and shouldersurfing …. and issues related to remote work. All in a safe and friendly environment. After completing the assessment employees get individualized results with an explanation of what they did right and what they could have done better. This offers guidance and a chance to learn. The overall results help organizations gather actionable insights and make informed decisions about their security strategy. The Human Risk Assessment works as a stand alone product but its flexibility allows integration into existing platforms. When combined with AwareGO’s live action training content it can bring your organization’s cyber resilience to the next level. Segment Resources: https://awarego.com/human-risk-assessment/ https://www.securityweekly.com/awaregoresource https://awarego.com/how-to-measure-human-cyber-risk-finally/ https://awarego.com/materials/the-human-side-of-cybersecurity/ This segment is sponsored by AwareGO. Visit https://securityweekly.com/awarego to learn more about them!   In the Enterprise Security News: We discuss Twitterpocalypse 2022! The Biggest Winner? Security startup Wiz reaches $100M ARR in 18 months??? Tons of funding we probably won’t get to, sorry in advance, we’ve got 2 weeks of news to catch up on! Awesome free tools, free training and DIY tips! Third party attacks and supply chain attacks continue to ramp up, John Deere’s security deficiencies get exposed again, Cyber insurers reduce coverage… again, ESPN8 the Ocho, explained, and more, on this episode of Enterprise Security Weekly!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw286

There's a lot of worry about "fakes" especially in a world rapidly adopting AI/ML, so it's time for solutions. "Solid" is the W3C open standard, extending HTTPS, to upgrade the Web with security paradigms that solve for data integrity. Distributed systems naturally break through digital moats, free control through proper ownership, thus helping expand and achieve the best of the Internet. Segment Resources: https://solidproject.org/ https://github.com/inrupt https://www.flyingpenguin.com/?p=29523 https://alltechishuman.org/davi-ottenheimer https://www.schneier.com/blog/archives/2020/02/inrupt_tim_bern.html https://events.inrupt.com/dublin   This week in the Security News: Crypto Miners Using Tox P2P Messenger as Command and Control Server, 8-year-old Linux Kernel flaw DirtyCred is nasty as Dirty Pipe, & Janet Jackson music video given CVE for crashing laptops, & more! Segment Resources: Use code "securityweekly" to save 10% off Hack Red Con tickets at https://www.hackredcon.com/   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw753

This week, Dr. Doug talks: Tempus Fugit, PyPI, WordPress, Hikvision, Zimbra, Palo Alto, led morse code, and is joined by Expert Commentator Jason Wood on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn234

In the leadership and communications section, CISO salaries balloon, likely spurred by demand, 4 Steps to Being an Authentic Leader, Keeping Your Team Motivated When the Company Is Struggling, and more!   In order to run a successful SOC, security leaders rely on tools with different strengths to create layers of defense. This has led to a highly siloed industry with over 2,000 vendors, each with their own specific function and who very seldom work together. To gain an advantage on attackers, we need to start seeing cybersecurity as a team sport––united for a shared mission. In this session, ExtraHop’s Chase Snyder discusses why and how vendors should work together to enable better integrated security for their customers. He’ll answer questions like “what is XDR?” and “how do I get my vendors to work together?”. This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/extrahop to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw274

The unique nature of cloud native apps, Kubernetes, and microservices based architectures introduces new risks and opportunities that require AppSec practitioners to adapt their approach to security tooling, integration with the CI/CD pipeline, and how they engage developers to fix vulnerabilities. In this episode, we’ll discuss how AppSec teams can effectively manage the transition from securing traditional monolithic applications to modern cloud native applications and the types of security tooling needed to provide coverage across custom application code, dependencies, container images, and web/API interfaces. Finally, we’ll conclude with tips and tricks that will help make your developers more efficient at fixing vulnerabilities earlier in the SDLC and your pen testers more effective. Segment Resources: https://www.deepfactor.io/kubernetes-security-essentials-securing-cloud-native-applications/ https://www.deepfactor.io/resource/observing-application-behavior-via-api-interception/ https://www.deepfactor.io/developer-security-demo-video/   Ideas on debugging with IDEs, Wiz.io shares technical details behind PostgreSQL attacks in cloud service providers, looking at the attack surface of source code management systems, a Xiaomi flaw that could enable forged payments, defensive appsec design from Signal, what targeted attacks mean for threat models when the targeting goes awry   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw209

Identity management has become a central pillar of many organizations’ security policies and architecture. In this executive interview, Ping Identity Senior Product Marketing Manager Zain Malik analyzes two heavily trending corners of the identity market: passwordless technology and customer identity and access management (or CIAM). This one-on-one session will address topics such as biometrics and QR code-based authentication, and how to determine which customer identity solution is right for each particular consumer touchpoint.   In March 2022, the SEC proposed new rules governing the reporting of cybersecurity incidents. This session will explore how businesses will be affected by this and similar legislation and provide tips to compliance and technical teams alike. S ecurity Weekly listeners save 20% on this year’s InfoSec World Conference by visiting https://securityweekly.com/isw and using the discount code ISW22-SECWEEK20   In 2023, at least five new “rights-based” data privacy laws will become enforceable in the United States at the state level, including the California Privacy Rights Act (CPRA). Common to all of these laws are information security requirements, including the need for risk assessments and the need for authenticating data access requests. In this podcast we’ll speak with an information security legal veteran on what these new laws mean for cybersecurity professionals and their data protection programs. Security Weekly listeners save 20% on this year’s InfoSec World Conference by visiting https://securityweekly.com/isw and using the discount code ISW22-SECWEEK20   Segment Resources: https://securityweekly.com/wp-content/uploads/2022/08/spirion-data-sheet-enforcable-laws-2023_PRINT.pdf   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw285

This week Dr. Doug talks: Janet Jackson, Legit British hacking, CS.Go, PyPI, swiss voting, Vegas, Sysmon, and show wrap-ups on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn233

This week: Greg Conti joins us to discuss InfoSec Lessons from Military Strategy, Tactics, and Operational Art. Online conflict is widespread and at times the internet hurts more than it helps. In this segment, we’ll discuss ways to inform today’s enterprise defense by better understanding strategy, tactics and operational art from government influence operations, electronic warfare, and cyberspace operations! Then, Larry, Doug, Lee, Josh, and Chris Blask cover the security news from this week! Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw752

In 1995, Craig Newmark started curating a list of San Francisco arts and technology events, which he personally emailed to friends and colleagues. People were soon calling it “Craig’s List.” Most know the rest of the story. But what did that rapid entry into tech entrepreneurship teach him about information security? And how did that lead to a passion for, among other things, cyber philanthropy? SC Media's Jill Aitoro will speak to Newmark about his career, and his own evolution in infosec awareness that came with it.   Among the more challenging phases for a cyber business is transitioning from inspiring startup to successful enterprise, strategically leveraging investment to scale. SC Media's Jill Aitoro will sit down with Dave Dewalt, founder of NightDragon, and Matt Carroll, CEO of NightDragon's newest investment Immuta. Employees are on the move. As tech and security leaders adjust to managing hybrid teams, they should also plan for the loss and replacement of key security talent. Attrition and the increasing length of time needed to find a replacement leaves security programs — and firms — vulnerable. Implementing a formal succession planning process for the security organization mitigates risk and increases employee satisfaction and retention. This report provides steps for starting a succession planning program and real-world examples of companies that are already focused on developing and retaining the next generation of security talent. Segment Resources: https://www.forrester.com/report/succession-planning-is-a-business-resilience-imperative/RES177689?ref_search=604835_1658240598764   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw273

Let's talk about adding security tools to a CI/CD, the difference between "perfect" and "good" appsec, and my upcoming book. Segment Resources: https://community.wehackpurple.com #CyberMentoringMonday on Twitter Microsoft fixes an old bounty from 2019, rewards almost $14M on bounties in the past year, and releases a security layer for Edge; Black Hat talks on bounties and desync attacks, Google's bounties for the Linux kernel, modifying browser behavior, and the Excel championships.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw208

This week Dr. Doug talks: UEFI, PyPI, vishing, VNC, Sova, Doom, Mailchimp, hiding photos, and is joined by Jason Wood on this episode of Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn232

This week Dr. Doug talks: OnlyFans strikes back, Paul's new post, Windows vs. Linux, Conti, CISA, Zeppelin, NHS, and show wrap-ups on the Security Weekly News! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes!  Show Notes: https://securityweekly.com/swn231

This week, we start off the show by welcoming Ryan Fried to discuss how Security analysts can move past traditional Indicators of Compromise from threat intel like domains, hashes, URLs, and IP addresses. These indicators typically aren't valid shortly after the incidents happen. Modern threat hunting by doing things like reading recent and relevant security articles, pull out behaviors that attackers are doing like commands such as net group "domain admins" or RDPing from workstation to workstation and translating those to threat hunting queries. Then, Joeseph Carson joins to discuss following in the footsteps of an attacker and uncovering their digital footprints, this episode will uncover an attacker’s techniques used and how they went from zero to full domain admin compromise, which resulted in a nasty ransomware incident. It will also cover general lessons learned from Ransomware Incident Response. Finally, in the Enterprise Security News, Normalyze and Flow Security raise money to protect data, Axio and Lumu raise money to assess risk, Bitsight intends to acquire ThirdPartyTrust, Flashpoint acquires Echosec Systems, ZeroFox goes public, Rumble rebrands as runZero, Trusting Amazon with medical records, Taking cryptocurrency off the (payment) menu, AWS’s CISO tells us why AWS is so much better than their competitors, and an ancient dial-up Internet service returns! Visit https://www.securityweekly.com/esw for all the latest episodes! Segment Resources: https://www.scythe.io/library/operationalizing-red-canarys-2022-threat-detection-report https://www.itbrew.com/stories/2022/05/09/quantum-ransomware-can-now-move-from-entry-to-encryption-in-under-four-hours?utm_campaign=itb&utm_medium=newsletter&utm_source=morning_brew&mid=1e3360a49c0b72a4c0e4550356ffee54 https://www.cisa.gov/uscert/ncas/alerts/aa22-181a Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw287

We start off the show this week by welcoming the infamous Eclypsium security researchers Mickey and Jesse to talk about Secure Boot vulnerabilities. They walk us through the history of Secure Boot, how it works, previous research they've performed ("Boothole"), and some details on their current research presented at Defcon this year in a talk titled "One bootloader to rule them all". Then, in the Security News, key fob hacks and stealing cars, the best Black hat and defcon talks of all-time, open redirects are still open, the keys to decrypt the wizard of oz are in a strange place, why the Linux desktop sucks, why businesses should all switch to Linux desktops, SGX attacks, let me send you an Uber to take you to the bank, 27-factor authentication, start your management engines, and guess what, your DMs are not private, and you should have used Signal. Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw751

This week Dr. Doug talks: Body Blows, TA428, Microsoft, Lazarus, GwisinLocker, Burger King, Fraud in China, Nomad and Solana, and is joined by Jason Wood on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn230

In the leadership and communications section, The Number 1 Growth Killer is Leadership Debt, How to Talk to Your Board & C-Suite About Cybersecurity, 5 ways to unite security and compliance, and more!   Zero Trust is the security buzzword of the moment, and while it is a very powerful approach, nearly every enterprise security product on the market – and some that aren’t even security products — are saying they enable Zero Trust. The problem is this: you can’t buy zero trust. It’s an approach, an architecture, and a journey, not software, hardware, or a service to deploy. Zero Trust also provides a rare opportunity in security - to reduce cost, improve security AND enhance end-user and customer experience.   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw272

In today's high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather than invest their time in critical activities, teams are overwhelmed by gaps in visibility and tools to govern the process. As a result, many digital services remain improperly protected. In this episode, we plan to address and discuss the current state of AppSec, and point out a few common failure points. Afterwards we plan to discuss what agile AppSec looks like, and how a reorganization, and a shift in management strategy could greatly transform the field, and allow business to truly address the risk of under-protected software.   Segment Resources: https://appsecmap.com/   Nextauth.js account takeover due to parsing flaw, URL parsing flaw in Go's net/url, another path traversal, Slack exposes password hashes (whaaat!?), Twitter exposes 5.4 million accounts, ransomware and research against PyPI and GitHub, videos from fwd:cloudsec 2022.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw207

Naughty lemons, logic errors, CISA, DuckDuckGo, Dark Utilities, CCTV, Sharpext, and show wrap-ups on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn229

In the Enterprise Security News: BlackRock drops $250M into Acronis, Talon raises a massive $100M Series A to make Enterprise Browsers a thing, Cybrary raises $25M, Ghost Security comes out of stealth, Netskope acquires Infiot, Thoma Bravo acquires Ping Identity TLP 2.0, Thought Leadering, And Winamp is back!   The pandemic forced us to rethink our IT environment as office workers went remote, outside the traditional framework of enterprise connectivity and security. This conversation will focus on top security concerns, costs, and containment strategies that 1,100 IT/security workers in 11 countries shared in a global report Infoblox sponsored to understand how organizations are addressing the new workplace. Segment Resources: https://blogs.infoblox.com/security/1100-it-pros-spotlight-the-security-hazards-of-hybrid-work/   Secure Access Service Edge (SASE)/Secure Service Edge(SSE) has quickly become part of day-to-day lexicon. But what exactly is SASE/SSE and will it make enterprise data more secure? How will organizations secure their data in a cloud-first world when the user and information are completely outside the enterprise boundary? How SASE frameworks compares to traditional network protection, such as Secure Web Gateway, Next gen Firewalls, Remote Access and DLP. Segment Resources: https://www.brighttalk.com/webcast/288/508560 https://www.brighttalk.com/webcast/288/538266   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw283

Neal Bridges, CISO at Query.AI and well-known cybersecurity influencer, breaks down the key differences between the CISO role at a startup vs. an enterprise. He also provides best practices to be successful in this changing role.   In the leadership and communications section, CISOs: Embrace a common business language to report on cybersecurity, The Strategic Impact of Verizon's 2022 Data Breach Investigations Report, Make Shy Employees Part of Your Cybersecurity Strategy, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw271

Guy will go through some of his career choices that eventually led to 25 years in a long and fun career in information and cybersecurity. Infosec has been a fascinating and challenging field which anyone can learn through training and some of the excellent YouTube videos. Segment Resources: http://handlers.sans.org/gbruneau/ https://isc.sans.edu/handler_list.html#guy-bruneau   In the Security News: when hackers are not behind and outage, when hackers are behind re-routing traffic, neat pseudo-keystroke loggers, when XSS leads to code excution, TLS inside, post-quantum encryption that doesn't hold up to pre-quantum computers, Lockbit loading Cobalt Strike using Windows Defender, we love authentication bypass, and impress your co-workers with my Linux command of the week, & more!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw750

In our first segment, we are joined by Manish Gupt, the CEO and Co-Founder of ShiftLeft for A discussion of how the changes and advancements in static application security testing (SAST) and intelligent software composition analysis (SCA) have helped development and DevSecOps teams work better together to fix security issues faster! In the AppSec News: Multiple vulns in a smart lock, Office Macros finally disabled by default, data breach costs and threat modeling, designing migration paths for 2FA, & more!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw206

This week Dr. Doug talks: Tears in the Rain, Encryption, Microsoft, LockBit 3.0, Twitter keys, Outlook crashes, 911, and Russ Beauchemin on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn228

Necrobots, Class Action, Paul Speaks, Github, Robin Banks, net neutrality, and show wrap-ups on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn227

In the Enterprise Security News: Blockchain security startups are still raising tons of money, but not in crypto, since it’s now worthless. Ha! just kidding. Maybe. Am I? Anvilogic, AppViewX, Sotero, Resourcely, and Push Security all raise rounds JUICY RUMORS! Is Crowdstrike buying Orca? Is Akamai getting bought out by a PE shop? HUMAN and PerimeterX join in a rare cybersecurity merger, Are Azure’s vulnerabilities out of control? Zoom brings end-to-end encryption to its cloud phone service, npm says FINE, we’ll add some security, Kaseya’s CEO is just, telling it like it is, man. The problem must be with you. A robot attacks a child, time to add EMP grenades to your EDC! All that and more!   In order to run a successful SOC, security leaders rely on tools with different strengths to create layers of defense. This has led to a highly siloed industry with over 2,000 vendors, each with their own specific function and who very seldom work together. To gain an advantage on attackers, we need to start seeing cybersecurity as a team sport––united for a shared mission. In this session, ExtraHop's Jamie Moles and CrowdStrike's Dixon Styres discuss why and how vendors should work together to enable better integrated security for their customers. They'll share their joint philosophy toward an ecosystem approach to security and will show off some of the specific capabilities of the integration between ExtraHop Reveal(x) 360 and CrowdStrike Falcon in a live demo. This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/extrahop to learn more about them!   Heightened emotions, demands for updates, not knowing how bad things might be... Incident response isn’t easy, but practice and the right tools can make it a whole lot less stressful. Some regulations like PCI require annual IR tests, but is that enough? Imagine playing a sport where the team meets for one half-hearted practice once a year. How would that team perform under pressure? How would they communicate? Say this sports analogy has convinced you – the IR team should practice more and should practice effectively. Questions still remain – how often? Are tabletops enough, or are live exercises and simulations necessary? We’ll aim to answer these questions and more during this interview with Tim and Paul from Tanium. This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them!    Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw282

In our research, 85% of security professionals attribute preventable business impacts to insufficient response practices. In this segment, Bill will discuss the key challenges slowing down response times, such as staffing challenges, alert quality, and organizational culture as primary factors slowing down response. This segment is sponsored by Deepwatch. Visit https://securityweekly.com/deepwatch to learn more about them!   This week in the Enterprise News: Lacework lays off approx 300 employees, US Narrows Scope of Anti-Hacking Law Long Hated by Critics, Security Study Plan, DevSecOps Vulnerability Management by Guardrails, StackZone, Cipherloc Acquires vCISO Security Services Provider SideChannel, Broadcom to Buy VMware for $61 Billion in Record Tech Deal, Cyscale raises EUR 3 million in Seed Funding Round, & more!   There are a few IETF standards that make the identity world go 'round. SAML, FIDO and LDAP are ones that we know and love... but there's one particularly un-loved standard that is the glue between most identity systems -- cloud and on-prem -- out there. It's called SCIM and -- good news -- smart people are working on improving this 10+ year old standard. Big changes coming, and here to talk with us about it is Paul Lanzi... Segment Resources: https://identiverse.com/idv2022/ (Paul on Wednesday)   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw275

We’ve heard about the recent abuses for Apple’s AirTags used in tracking and stalking issues in recent months. While tools exist for detection under the Apple ecosystem, limited options exist for Android and none under Linux. We’ll explore the AirTag beacons and showcase some tools for detecting beacons and creating our own for testing under Linux. We’ll also show some ways to take our methods even further as an exercise left unto the reader.   In the Security News FreeBSD and the software supply chain, open-source implies that its open, hardcoded passwords are always bad, on-again, off-again, on-again, privilege escelation defined, preparing for quantum, so many vulnerabilities, CosmicStrand another UEFI firmware rootkit, & reviving ancient computers!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/psw749

Nikhil will be discussing the pain points that leaders in the application security space are facing, which can cover how software development has evolved, as well as how this has impacted development teams and security teams as well as the occurrence of shifting left. He would also like to speak to the solution he has found to this problem, specifically being that of developing a community, the Purple Book Community. This closely connects to the final topics he would like to cover, which include how breaches have continued to occur at an increasingly rapid pace, leading to the importance behind why and how companies should be prepared for when, not if, a cyber attack will occur. The talk will also cover how the Purple Book of Software Security came about and how it has now morphed into a global movement by security leaders, for security leaders, to develop secure software. Segment Resources: https://www.armorcode.com/ https://www.thepurplebook.club/ https://www.armorcode.com/what-is-appsecops https://www.armorcode.com/platform-overview https://www.armorcode.com/news https://www.armorcode.com/integrations   This week in the AppSec News: Pwn2own results, reading the DBIR for appsec insights, XMPP flaws in Zoom, $10M bounty for a blockchain bridge vuln, researcher puts malicious payloads in ancient packages, Argo patches JWT handling, & more!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw199

In the Leadership and Communications section, Uber CISO's trial underscores the importance of truth, transparency, and trust, 4 Leadership Strategies to Help Women Advance in the Tech Industry, 5 Best Predictors of Employee Turnover and What Leaders Should Do About Them, and more!   Data is the most valuable resource on the planet; but, as businesses collect and store data at an astonishing pace, data sprawl, volume, and diverse storage environments create a security nightmare. With support for hundreds of data stores across leading cloud providers and thousands of automation and response integrations, Imperva Data Security Fabric modernizes and simplifies data governance, security, and workflow management for data in all forms across multicloud and hybrid environments. The product’s flexible architecture supports structured, semi-structured, and unstructured data across a range of data repositories to ensure security policies are applied consistently everywhere so businesses can quickly understand and mitigate risk. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw264

Boards and CEOs are asking what their cyber risk posture is, and they aren't getting clear answers. Reports produced from assessments oftentimes are built on stale data rather than real-time compliance and risk data. How should C-levels be thinking about cybersecurity posture reporting, and how can they manage cyber risk in real-time as opposed to point-in-time? This segment is sponsored by CyberSaint. Visit https://securityweekly.com/cybersaint to learn more about them!   In the leadership and communications section, CISO MindMap 2022: What do InfoSec Professionals really do?, CISO Shares Top Strategies to Communicate Security's Value to the Biz, Security leaders chart new post-CISO career paths, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw263

Killer Robots, UEFI, LinkedIn, Ducktail, Costa Rica, Tmobile, Prestashop, we also have a special guest, David Monnier from Team Cymru.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn226

In the leadership and communications section, 5 Cybersecurity Questions CFOs Should Ask CISOs, How Leaders Can Escape Their Echo Chambers, 10 Cybersecurity Compliance Statistics That Show Why You Must Up Your Cybersecurity Game, and more!   Most current security risk assessments are not effective. Doug Landoll joins BSW to explain how we can fIx this. Doug will share 5 Essential Elements of an Effective Security Risk Assessment, including: - Scoping, Scheduling, and Champions - Team Structure - Data and Measurements - Calculations and Analysis - Reporting, Presentation, and Tracking   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw270

Vuln in an Atlassian Confluence app, "Dirty Dancing" in OAuth flows, security audits of sigstore and slf4j, flaws in fleet management app, conducting tabletop exercises.   Pressured by the speed of innovation, organizations are struggling to achieve the continuous web application security they need in the face of mounting threats and compliance requirements. What does it take in order for your AppSec program to be both effective and agile? In this segment, Ferruh Mavituna, founder and strategic advisor of Invicti Security, discusses best practices to help you implement an effective, agile, and – most importantly – continuous approach to application security. This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw205

Passwordless authentication is all the rage. And rightly so, given its promise of driving engagement and boosting productivity via more secure and frictionless user experiences. However, the path to passwordless often leads to more questions than answers. Don’t fret! We’ll offer a passwordless journey roadmap that delves into leveraging different risk signals like user behavior and device characteristics to make smarter authentication decisions. Segment Resources: https://www.pingidentity.com/en/solutions/business-priority/passwordless.html https://download.pingidentity.com/public/assets/misc/en/3637-workforce-survey-passwordless-future.pdf   This segment is sponsored by Ping. Visit https://securityweekly.com/ping to learn more about them!   Sick Codes hacked all four John Deere Telematics Gateway's, and the John Deere Gen4 Series Display. Without those, it's "just a tractor." However, this is Critical Infrastructure. In fact, without Tractors, Combines & Implements: farmers cannot plant, spray or harvest. No raw materials == no food & alcohol. You will see how long I persisted over multiple months, to gain access and was able to hack these devices to the absolute binary core, warts & all. What was the bounty? Source Code, Root File Systems, FPGA compiled binaries, the works. Agricultural Security is a serious issue. Multiple ransomware attacks last year showed exactly how destructive attacks on Food & Agriculture are, and how fragile the supply chain is. Segment Resources: https://sick.codes https://github.com/sickcodes https://www.youtube.com/watch?v=zpouLO-GXLo https://hardwear.io/usa-2022/speakers/sick-codes.php   Finally, in the Enterprise Security News: HiveWatch raises $20M to protect the office, FORT Robotics raises $13M to protect the office from robots, Emproof raises €2M to secure embedded devices, Dutch startup OneWelcome acquired by Thales, Dutch startup Hatching acquired by Recorded Future, Pwnednomore aims to protect Web3, Cybersecurity!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw281

In this episode: C++, 8220, HeatDeath, Microsoft, Okta, Candiru, Intel as well as all the show wrap-ups from this week on the Security Weekly News! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn225