
Down the Security Rabbithole Podcast (DtSR)

Latest episodes

Jul 12, 2016 • 46min

DtSR Episode 202 - Outsourced but Better

This week on the Down the Security Rabbithole podcast, Brandon Dunlap is back for his second show. Following up on Episode 158, where we discussed outsourced security, this time around we talk through the next iteration of what "Managed Security" and outsourcing means to security. You're not going to want to miss this episode! As always, hit up our hashtag on Twitter at #DtSR, and you can find Brandon on Twitter as well at @bsdunlap if you want to talk to him directly.

Support the show >>> Please consider clicking the link above to support the show!

YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Jun 28, 2016 • 1h 10min

DtSR Episode 200 - Privacy, Security, Risk and Law Collide

** Our 200th numbered episode! **

A note from Raf: Thanks to everyone who has been listening to us, tweeting us, and sharing the links to our podcast. We are absolutely floored with the support and listenership we've received. The average show now gets just under 2,500 downloads when released in the first week, and that number goes up every week. So from the bottom of my heart, I humbly thank you and hope you'll continue to listen, share, and comment.

This week's episode is titled "Privacy, Security, Risk and Law Collide" as we host Dr. Chris Pierson and our recurring legal eagle from the great state of Texas, Shawn Tuma. If you don't have Shawn added on Twitter, you should go follow him right now. In this week's episode we discuss the increasingly overlapping world of what was once "IT security", which has now started coming together with privacy, risk and law. Chris is uniquely poised to talk on the subject, as you will hear; his credentials speak for themselves. You'll want to get comfortable, pay attention, and give this episode a careful listen as we take you down the security rabbithole for the 200th time.

Guest: Dr. Chris Pierson, CSO and General Counsel, Viewpost

Dr. Chris Pierson is the EVP, Chief Security Officer & General Counsel for Viewpost. Dr. Pierson serves on the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee and is a Distinguished Fellow of the Ponemon Institute. Previously, Chris was the first Chief Privacy Officer and SVP for the Royal Bank of Scotland's U.S. banking operations, leading its privacy and data protection program. Chris was also a corporate attorney for Lewis and Roca, where he established its Cybersecurity Practice representing companies on security and data breach matters. Chris is a graduate of Boston College (B.A., M.A.) and The University of Iowa (Ph.D., J.D.), gives keynotes and speaks at national events, and is frequently quoted on cybersecurity.
Jun 21, 2016 • 52min

DtSR Episode 199 - NewsCast for June 21st 2016

In this episode...

The "Nuclear Bomb" analogy isn't working, stop using it
http://thebulletin.org/flawed-analogy-between-nuclear-and-cyber-deterrence9179
This is important with respect to how security people talk to real-life issues. Here is another example: http://insight.kellogg.northwestern.edu/article/is-reading-someones-emails-like-entering-their-home/

iOS apps will require secure https connections by 2017
http://www.cnet.com/news/ios-apps-will-require-secure-https-connections-by-2017/
We have seen this push on the web before. Michael wrote about this topic back in March 2015 (https://www.developsec.com/2015/03/17/is-http-being-left-behind-for-https/). Saw the government push this for all public facing websites (https://https.cio.gov/).

Inside Sierra: How Apple Watch "auto unlock" will let you jump straight into MacOS
http://appleinsider.com/articles/16/06/16/inside-sierra-how-apple-watch-auto-unlock-will-let-you-jump-straight-into-macos
Interesting idea here... Thoughts?

FICO to Offer 'Enterprise Security Scores'
http://www.fico.com/en/fraud-security/cyber-security
http://www.fico.com/en/products/fico-enterprise-security-scoring
Is this something you'd do? Do you trust it? Breakthrough we've been waiting for?
Jun 14, 2016 • 49min

DtSR Episode 198 - What Legal Counsel Wishes CISOs Knew

On this episode of the Down the Security Rabbithole podcast, Dawn-Marie Hutchinson, currently an Executive Director within the Optiv Office of the CISO, joins us and we talk about the things she's learned over her career working with legal counsel, CISOs and solving problems. A fantastic episode with lessons learned and executive leadership crammed into less than an hour. Give it a listen!

Find Rie on Twitter at @CISO_Advantage

UPDATE: Thanks to Sean Jackson (@74rku5), who has hand-transcribed the show. I haven't read this personally, so if he slipped any humor in, I can't be held accountable! http://pastebin.com/JMk0rpFQ
Jun 7, 2016 • 48min

DtSR Episode 197 - NewsCast for June 7th 2016

In this episode...

Are people "going offline" as a result of increasing dangers of the Internet?
This article makes the case for yes: http://www.techspot.com/news/64839-increasing-number-internet-dangers-driving-millions-americans-offline.html
But ... "millions"? We collectively call BS. As the world moves more to mobile and digital, who thinks they have 'control' of their own data anyway?

"Sandjacking" allows attackers to install evil iOS apps
IF that attacker is physically holding your device AND your device is unlocked AND it takes a while, because you have to backup and restore a phone ... one app at a time. SO this isn't something you do to infiltrate someone's phone while they walk away for a few minutes to the restroom. Cool trick bro, but where on the spectrum of critical things does this fall? The technique is called "Su-A-Cyder" ... awful name, lose points.
http://www.securityweek.com/sandjacking-attack-allows-hackers-install-evil-ios-apps

Dropbox takes heat for a breach that wasn't their breach
So what happens when you get blamed for a breach that you don't have anything to do with?
http://krebsonsecurity.com/2016/06/dropbox-smeared-in-week-of-megabreaches/
What would YOUR company do if you were Dropbox?

Lenovo's asking people to uninstall its bloatware "Accelerator" app
...because it's a massive security breach waiting to happen. Of all the bloatware vendors install, I'm willing to bet this isn't unique.
[Michael] Hey, at least they're admitting defeat here, right?
http://www.zdnet.com/article/lenovo-begs-users-to-uninstall-accelerator-app-in-the-name-of-security/
[Raf] Does no one sense the delicious irony of a Chinese PC maker riddled with security issues in their product?
May 31, 2016 • 44min

DtSR Episode 196 - Jason Witty

On this episode of the Down the Security Rabbithole podcast, I get the pleasure of sitting down with one of my all-time favorite Chief Security Executives, Mr. Jason Witty. He's had a long career of successful security leadership, and in this podcast he sits down with us to talk about risk, threats and words we often confuse. You're not going to want to miss this episode.
May 24, 2016 • 55min

DtSR Episode 195 - NewsCast for May 24th 2016

This week the gang's all here to talk about some news happenings. Michael, James and I talk through some of the stories we've been tracking. Have something you've been reading and want to talk about? Hit us on Twitter with hashtag #DtSR and suggest a topic/story for the next NewsCast!

Tennessee Amends Breach Notification Statute
http://www.natlawreview.com/article/tennessee-amends-breach-notification-statute
Removes the exception for encrypted data. Will this raise the costs to companies? Encrypted or not, will credit monitoring be the norm? More lawsuits (even if the data is encrypted). Do we run the risk of notification overload? What do people do with these notifications anyway?

FFIEC's New Mobile Security Guidance: An Assessment
http://www.bankinfosecurity.com/ffiecs-new-mobile-security-guidance-assessment-a-9104
Interesting how they discuss some of the risks (SMS, mobile enabled website) but also talk about ways to mitigate the risk.

Software "glitch" kills Formula1 car mid-race
Does not take a rocket surgeon to figure out the real-world applications here. Sure, this time it was a 'glitch', but could it just as well have been a security bug, exploited by an attacker? Many vehicles are now 'smart' and phone home, make decisions and drive for you.
http://news.filehippo.com/2016/05/software-glitch-kills-formula-1-car-mid-race/

Linked
May 17, 2016 • 46min

DtSR Episode 194 - Update on Cyberlaw w Shawn Tuma

In this episode...

Michael and I welcome back Shawn Tuma, our resident Cyber Law Expert from the great state of Texas. We discuss some of the recent cases (unlocking an iPhone!) and some of the tough issues facing the court systems today. Shawn provides insights into the use of the finger (not joking) and some amusing and frustrating aspects of cyber law as the courts continue to evolve. Join us!
May 10, 2016 • 57min

DtSR Episode 193 - NewsCast for May 10th, 2016

In this episode...

ImageTragick - major flaw in open source image processing toolkit
ImageTragick is CVE-2016-3714. Logo & Website: https://imagetragick.com
Has a logo, so it must be yuge. Is this really that big of a deal? How many are impacted potentially?
https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html
Remote code execution, with minor caveats - likely darn near everywhere.

Detroit company loses $495k to wire fraud
Source was a faked email to make a wire transfer. Why didn't someone verify this?!
http://www.detroitnews.com/story/news/local/oakland-county/2016/05/03/troy-investment-company-hacked/83879240/
Will insurance pay out? Is the policy change too little too late? How can other companies learn from this?

The Ransomware Epidemic (Optiv blog)
Is there an epidemic at play here? Why the switch to ransoming people's data? Is this a viable business model for cyber criminals?
https://www.optiv.com/blog/ransomware-part-1-is-this-an-epidemic

Undetectable flaw in Qualcomm-powered Android phones is a huge deal
Input sanitization flaw (again?!). At risk is 34% of users running Android 4.3 and earlier. Text messages and call histories accessible in plain text. An "undetectable" software flaw in Qualcomm Snapdragon-powered Android smartphones could lay bare users' text messages and call histories to hackers.
May 4, 2016 • 45min

DtSR Episode 192 - Healthcare and Critical Infrastructure Security

In this episode... Join our guest Larry Whiteside, Michael and I as we record live from InfoSec World 2016 in sunny Orlando, Florida! We talk through the life of a CISO, and the challenges of being in the Healthcare and Critical Infrastructure spaces and the similarities and differences. Larry has had a very diverse and successful career leading some of the most challenging organizations, so we dig into some of the things he's faced, how he's addressed some of those bigger leadership-level challenges, and just the mess that healthcare and critical infrastructure are in right now. Don't miss this episode!

Guest
Larry Whiteside Jr. (@LarryWhiteside) - Larry is the VP of Healthcare and Critical Infrastructure at Optiv, and he's tasked with creating innovative solutions to some of the industry's most challenging problems. More info here: https://www.optiv.com/about-us/press-releases/optiv-security-increases-focus-on-holistic-cyber-security-solutions-for-healthcare-and-critical-infrastructure-industries

Note: I'm blessed with being able to work with Larry on a daily basis at Optiv. I highly encourage you to listen to this podcast and share with your friends and colleagues in the healthcare and critical infrastructure space.
