Down the Security Rabbithole Podcast (DtSR)

Send the hosts a message - try it now!This week, Patrick Dennis - the CEO of Guidance Software - joins us to talk about the Enterprise Security world's fascination with blaming the breach victim. We talk through some of the key issues and look for a way off the hamster wheel. As always, #DtSR on Twitter to join in our conversation.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!It is election day.. Have you voted?   Beware, IPhone Users: Fake retail apps are surging before the holidays The issue of brand protection and knock-off websites, apps and such is real Spilling over into digital world, from physical What is your company doing to protect yourself and your customers? http://www.nytimes.com/2016/11/07/technology/more-iphone-fake-retail-apps-before-holidays.html?_r=0   Moving Beyond EMET EMET is going away … in a while Most of the features are now built into Windows 10 This is a great thing (built in vs bolted on security) https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/   Tesco Bank blames ‘systematic sophisticated attack’ for account losses Fraud system appears to be working - good ~40,000 accounts affected, ½ of those lost money Tesco is putting funds back, making things right Core banking assets don’t appear compromised, ATMs and such still work Potentially an issue with website, fixable http://www.bbc.com/news/business-37891742   Google Discloses “Critical Flaw” in Microsoft OS 10 Days After Notifying Microsoft upset at Google Google says it meets their 7-days-to-disclosure policy from 2013 How do you even patch an issue in 7 days - or write up a mitigation if there is none? Is your company prepared to deal with this type of thing? Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!This week on DtSR Chad Boeckmann - President of Secure Digital Solutions - joins us to talk about the business of security. While the "bad guys" are running their criminal enterprise, security teams have struggled to be business-relevant. This discussion starts to dive into how to align security and business goals, answering the "how much is enough?" question and so much more. Thanks to Chad for joining us. We encourage you to ask questions and leave comments here in the comments section or on Twitter at #DtSR. You can talk to Chad directly at @cboeckm on Twitter.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!The Massive DDoS That Hit Dyn.Org Massive DDoS disrupts a ton of popular websites (Netflix, Twitter, etc) IoT used to amplify attack What does this mean for corporate users, home users, and vendors? https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/ Verizon Reviewing Terms of Yahoo Deal As Revenue Slides Is this really the result of the breach or did someone just get cold feet? We’re speculating, but we’ve heard this type of talk before To be honest, Yahoo! saw a rise in earnings over what was projected http://www.wsj.com/articles/verizon-revenue-falls-below-views-1476966420 Passwords - We’re Still Giving Out Horrible Advice Why are companies still making their end-users follow ridiculous policies? Selfies? Is that a viable replacement? http://www.wsj.com/articles/companies-try-out-selfies-as-password-alternatives-1476661046 What about SMS as an OTP replacement that NIST ‘deprecated’? https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/   St. Jude Medical to Create Cybersecurity Advisory Board; Muddy Waters Releases More Vulnerability Allegations The ‘fight’ between the short-sell firm and St. Jude Medical is back Smack in the middle is "MedSecSupport the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!This week, #DtSR takes a trip down Software Security lane or as some call it "How are we still writing code with bugs that we found relatively concrete fixes for in the late 90's?" (I may have been watching too many John Oliver episodes...)   Jeff Williams ( @Planetlevel ) and Tyler Shields ( @txs ) join me to talk this topic over from where we've been, to what we're doing now, to what the solution to this mess will be one day in the future. It's an interesting conversation that should stir up some emotion if you've been in AppSec or software security as there really are no docile opinions on this topic (or many others in security, unfortunately).   Plug in, listen and enjoy.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly Is this indicative of the broader population? (Someone check the sample size?) What does this tell us about enterprise vs. consumer security thinking? Is security to blame?   Our insulin pumps could be hacked, warns Johnson & Johnson http://www.welivesecurity.com/2016/10/06/insulin-pumps-hacked-warns-johnson-johnson/ Big hat-tip to Jay Radcliffe ( @jradcliffe02 ) for what appears to be a very well-orchestrated and sane disclosure What is the added cost of proper authentication and secure communication? Let's use this as a teachable, but minus the typical FUD, moment for product development teams   FBI arrests NSA contractor who stole sensitive data https://www.justice.gov/usao-md/pr/government-contractor-charged-removal-classified-materials-and-theft-government-property Doesn’t appear to be any links to Shadowbrokers We recently did a podcast on insider threat - more relevant now than ever? Do you trust your employees? How do you spin this to protect your company in your culture?  Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!Grab a cup of coffee, jack in your earphones and listen up. DtSR Episode 214 is addressing the issue of breaches, and their material financial impact to an organization. The premise is simple - when you have a breach, are you going to see massive stock price drop, client exodus and so on? We sit down with legal expert and DtSR regular Shawn Tuma and researcher Jon Nichols to talk this through with James, Michael and yours truly.   Check this episode out. It may sting a bit, but once you come to grips with its reality - the world looks a little different.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!Quick update and invitation from Michael: starting to explore rolling out services and improving the Straight Talk Framework. If you’re up to discuss with me - I’ll offer a brief overview and then a “setup for Straight Talk”  review to explore how to get you started. It’s a real offer because I know we’ll both learn. And then I’ll get a better sense of where to focus and how to help more people in our industry. Note on yahoo: we’ll talk to Shawn later   How are Healthcare Data Breach Victims Affected by Attacks? It opens with some hype: “Healthcare cybersecurity attacks are much more prevalent and common because the industry typically has weaker approaches to data security, states” What’s to like? Maybe? → someone is working to explore the potential actual harm from breaches This article, however, is just an attack Why it matters? People read this stuff. They reinforce it. Fiction becomes fact because it gets repeated so much http://healthitsecurity.com/news/how-are-healthcare-data-breach-victims-affected-by-attacks  We're told data breaches cost millions on average - but this security study disagrees I routinely push back on the ponemon $$ thrown around each year The conclusion here concerns me - feels like we lept too far -- that now no one will invest in security? Stop it. That’s not what it means. It means we have to seek better alignment, understand and measure our value better, and focus on creating value instead of just doing things It also means maybe the regulations need to slow down a bit. They do nothing but distract focus and waste money. And yeah, I get it - this sort of “research” is a call for more regulation because otherwise, no incentive. That’s rubbish. http://www.zdnet.com/article/were-told-data-breaches-cost-millions-on-average-but-this-security-study-disagrees/  Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!In this episode, we talk with Mike Tierney, who is the brand-new CEO at Veriato. In our conversation we talk through a primer on insider threat, and use the great example of hosting a dinner party. Mike has loads of nuggets of wisdom from his experience and we're certain that if you're a seasoned insider threat professional, or just thinking about the topic and wondering if you can do anything to protect your company - this show will be a good primer for furthering your discussion and learning. Listen in, comment and share with your colleagues! Our show is always safe for the office and educational.   Talk back! Use our Twitter hashtag #DtSR to discuss this episode, ask questions, or suggest other topics or guests for the future!Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

Send the hosts a message - try it now!Chrome to label more sites as insecure in 2017 Link: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html Focus on sites that transmit passwords or credit card info over HTTP A USB Device is all it takes to steal credentials from locked PCs Link: http://www.pcworld.com/article/3117793/security/a-usb-device-is-all-it-takes-to-steal-credentials-from-locked-pcs.html This is actually pretty interesting, but a little trickier than it sounds Still - it's quite fascinating that a USB attack works cross-platform, based on network activity and default USB behaviors DHS chief: 'Very difficult' for hackers to skew vote Link: http://thehill.com/policy/national-security/294956-homeland-head-very-difficult-for-hackers-to-skew-vote Instead of dismissing the claim, let’s explore the merits Then let’s consider what, if anything, it means for enterprise security “It would be very difficult through any sort of cyber intrusion to alter the ballot count, simply because it is so decentralized and so vast,” he said, noting the series of state, local and county systems involved in running elections. “It would be very difficult to alter the count.” Decentralized and vast - the merits How many companies make the systems - so is it as decentralized as we’d like How much of what you do in the enterprise is decentralized? What are your points of failure - or the easy pathways to attack? If someone did alter the vote… would we know? How would we know? What’s the impact of appearing to alter the vote? Depending on your organization… how would you hSupport the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast