
Down the Security Rabbithole Podcast (DtSR)
This is cybersecurity's premier podcast. Running strong since 2011, Rafal Los, James Jardine, and Jim Tiller bring a no-nonsense, non-commercial approach to our profession. DtSR brings interviews and discussion with people you want to meet, and stories you have to hear. So whether you're just starting out, or are decades deep into your career, you'll always learn something on this show.
On Twitter/X: https://twitter.com/@DtSR_Podcast
On YouTube: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
On LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Latest episodes

Feb 16, 2016 • 49min
DtSR Episode 181 - NewsCast for Feb 16 2016
In this episode
Class action lawsuit against SuperValu dismissed
- No damage (use of stolen information), so there's no case?
- As time passes, the risk of use of stolen data, according to the judge, decreases
- The precedent appears to be that in order to sue, you have to prove damage (imagine that?)
- http://legalnewsline.com/stories/510661014-data-breach-class-action-against-grocery-chain-dismissed
Neiman Marcus - breached again (with another lesson this time)
- http://www.bankinfosecurity.com/neiman-marcus-reports-new-breach-a-8843
- So is it official: not having MFA is weak authentication?
- Is someone accessing accounts through the web interface with stolen passwords a "breach"?
- Encryption would have done nothing to save any of this information, as it was accessed through the interface.
- Did they have account lockout? What's the rest of the story here?
Hacker steals and releases information on 30,000 FBI and DHS employees
- The biggest weakness is always the human who wants to be helpful
- What does this mean for the enterprise, when government falls victim?
- http://dailycaller.com/2016/02/10/having-trouble-hacking-government-agencies-just-call-their-help-desks/
Hacked toy company tries a different tactic
- VTech gets hacked, changes its TOS
- The new TOS amounts to "we'll be hacked, too bad so sad"
- Is this realistic? Should this be the new standard?
- http://motherboard.vice.com/read/hacked-toy-company-vtech-tos-now-says-its-not-liable-for-hacks
Support the show >>> Please consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Feb 9, 2016 • 43min
DtSR Episode 180 - From the CISO Perspective
In this episode...
- Andrew discusses a few of the key challenges making it difficult for the healthcare sector right now
- Robb, Andrew and Raf discuss the importance of identity in the corporate environment
- Robb and Andrew give some of their wisdom on the successes and failures of CISOs (and the broader security industry)
- We discuss the technical vs. executive CISO approach (which is better?)
- Robb and Andrew provide some unfiltered advice for CISOs and those who want to become them
Guests
Robb Reck ( @RobbReck ) - Chief Information Security Officer at Ping Identity, contributor to ISSA Denver, with a long history as a successful security executive and leader.
Andrew Labbo - Drew is the CISO at Denver Health and Hospital Authority and is the owner and principal of RMHG, which offers HIPAA consulting and HIPAA advisory services. Drew has over 15 years' experience with information security and technology and over 10 years' experience as a Privacy and Data Security Officer. He is an expert on HIPAA Privacy and Security Rule regulations as well as HITECH and Omnibus regulatory updates. Drew's recommendations are guided by his education in health administration and his experience and leadership integrating privacy and security controls with health information technology infrastructure and applications, as well as treatment, payment, operations, and human subjects research workflows and processes.

Feb 2, 2016 • 53min
DtSR Episode 179 - NewsCast for Feb 2nd 2016
In this episode
Employees may face penalties if they misinterpret security policies?
- Human behavior still seen as the biggest weakness
- Employers are growing less tolerant of misbehaving employees
- If you "invite a data breach" you could be held liable
- http://www.welivesecurity.com/2016/01/14/employees-face-penalties-misinterpreting-security-policies/
New lawsuit filed blaming Twitter for ISIS attack
- Should social media filter content from terror groups like ISIS?
- Can social media companies be held liable? Why or why not?
- http://blogs.wsj.com/digits/2016/01/14/lawsuit-blames-twitter-for-isis-terrorist-attack/
SCADA/ICS make incident response more complicated
- Typical IR activities are complicated by the nature of ICS systems
- Differences are there, but a strategy is still possible
- What is the path forward?
- http://www.darkreading.com/perimeter/how-incident-response-fails-in-industrial-control-system-networks/d/d-id/1324094
Only in NYC: Dept. of Consumer Affairs warns parents of baby monitor hacks
- These issues seem to come down to default passwords
- What can the general population do about this?
- How can we eliminate this behavior in consumer products?
- http://www.nbcnews.com/tech/security/hack-alert-nyc-regulators-warn-parents-secure-their-baby-monitors-n505391

Jan 26, 2016 • 56min
DtSR Episode 178 - What Will Get Us There
In this episode
- What got us here - so where are we?
- Where do we go, and how? (addressing stunt hacking)
- We discuss how we can influence outcomes, without hand waving and endangering lives
- What about truly understanding risk, versus 'security stuff'?
- Michael breaks out the "risk catnip"
- Raf asks Haroon: "What are the 2-3 things security does right now that we should just quit?"
- We discuss some of the breakers that are turning into builders, and the implications
- With the rate of bad vastly outpacing the rate of good, what's the solution?
Guest
Haroon Meer ( @haroonmeer ) - Haroon is an internationally acclaimed long-time industry insider and is working hard to change the "how we've always done it" dynamics. His talk "What got us here, won't get us there" is now world famous. He works over at Thinkst and does some pretty amazing things you should check out.

Jan 19, 2016 • 52min
DtSR Episode 177 - NewsCast for January 19th, 2016
In this episode
FTC imposes a $250,000 fine for "false advertising" of encryption
- Interesting case, where there really was 'false advertising'
- Would this even have been a 'security issue'?
- https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled
NY wants to ban encrypted smartphone sales
- Another clear case of legislators being clueless?
- What about all the existing technology, and kit you can buy across state lines?
- http://www.zdnet.com/article/apple-iphone-ban-new-york-looks-to-outlaw-sale-of-encrypted-smartphones/
Las Vegas casino is suing cybersecurity firm over "woefully inadequate" work
- Are there ethical implications here of a competitor defining negligence?
- Burden of proof is on the casino to prove "woefully inadequate" - but against what standard?
- Does this ultimately raise quality, price, or both for IR services?
- http://thehackernews.com/2016/01/casino-hacker.html
The FDA issues draft guidance of security guidelines
- If everyone is doing it, why not the FDA?
- As James points out, why does every industry need its own unique (exactly the same issues as everyone else) guidelines?
- Interesting mention of "full lifecycle" and disclosure of vulnerabilities
- Of course it's all non-enforceable
- http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
OpenSSH bug found, fixed
- OpenSSH bug creates a "malicious server" scenario
- User has to successfully authenticate first, then the server can read/steal memory
- Can be used to compromise the SSH private key from the host
- Great pivot method if you've compromised an SSH server with this bug, to compromise the users of the server
- http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-just-fixed-in-widely-used-openssh/

Jan 13, 2016 • 1h 17min
DtSR Episode 176 - 2015 InfoSec Legal Review
We open up our 2016 year interviewing Shawn Tuma on the show. Shawn is our legal eagle, and a regular contributor to the podcast. This episode ran a little bit long (OK, a lot long) but I think you'll enjoy the show...
In this episode...
Most important cybersecurity-related legal developments of 2015
- Tectonic shift that occurred with "standing" in consumer data breach claims
- Discussion of law prior to the Neiman Marcus case, and post Neiman Marcus
- Does this now apply to all consumer data breach cases?
- Immediate impact? Companies now liable?
- Lesson is in seeing the trend and how incrementalism works
Regulatory trends
- FTC & SEC gave hints in 2014, post-emergence of Target details
- Wyndham challenged authority - came to fruition in August 2015
- SEC not far behind - significant case in September 2015
- Aggressiveness of FTC is substantial - FTC v. LabMD ... all over LimeWire
Officer & Director liability
- 2014 - SEC Comm. fired the warning shot ... pointed the finger
- Shareholder derivative litigation
- Individual liability of IT / Compliance / Privacy "officers"
Major 2016 legal trends
- Regulatory enforcement ... which, by the way, is why NIST is becoming the default
- Shareholder derivative - much more likely than consumer class actions at this time
- Lessons from both of these: when you need to persuade the "money folks" that they need to act, mention D&O liability (especially Caremark) and regulatory focus on individuals ... now they're in the cross-hairs
- Realization that cybersecurity is more of a legal issue than anything else (IT or business) because it is the legal requirements and consequences that ultimately drive everything

Jan 5, 2016 • 53min
DtSR Episode 175 - NewsCast for January 5th 2016
In this episode...
Juniper has a backdoor problem
- 2 separate issues: auth bypass & VPN weakness
- Backdoor discovered in Juniper devices
- Lots of speculation on who put it there, but it was meant to be disguised as 'debug code'
- Enterprise implications - same as before (what's the bigger picture?)
- https://isc.sans.edu/forums/diary/Infocon+Yellow+Juniper+Backdoor+CVE20157755+and+CVE20157756/20521/
Iranians broke into New York dam in 2013 and "had a look around"
- No direct damage done
- US has the largest number of ICS connected to the Internet
- Critical infrastructure is vulnerable, being probed
- This is not a 'government problem' - every company has some ICS on their network
- http://www.theregister.co.uk/2015/12/21/iranian_hackers_target_new_york_dam/
Facebook announced it's dumping Adobe Flash
- Is this a bigger deal than it sounds like?
- HTML5 has its own vulnerabilities and issues though... right?
- *only* for videos, games still in Flash
- Facebook will work with Adobe (really?) to improve security of Flash
- http://www.scmagazine.com/facebook-ditches-flash-videos-to-boost-security/article/461040/
191 million US voter records found 'unprotected' by a researcher
- Guy from Texas found the data on an unprotected database
- "Vickery told Databreaches.net he was able to poke around the public-internet-facing database because it is poorly configured: no authentication or password is requ

Dec 28, 2015 • 36min
DtSR Episode 174 - Health Check on Healthcare InfoSec
In this episode...
- We discuss what in the world is going on in the healthcare space, and why they're such a target for attackers
- Dustin discusses why the explosion in digitalization in health care is both amazing and terrifying
- We discuss future-proofing "smart" healthcare
- I stumble on "the fundamentals"
- Dustin discusses the security of "data analytics" in the healthcare space
- I ask how we can make health care professionals better security people, without making them security people
- I ask Dustin what the healthcare industry should be doing, going forward into 2016
Guest
"Dustin" is a progressive CISO at a Fortune 250 healthcare organization

Dec 14, 2015 • 53min
DtSR Episode 173 - NewsCast for December 14th 2015
In this episode...
Vizio is getting sued, over data their TVs collect?
- James provided security tips on the local news station, and one of those tips was around the privacy details of your gadgets
- Companies need to be considering what they are doing with their data
- At what point does data go from an asset to a liability?
- Do companies understand the difference?
- http://www.consumerreports.org/lcd-led-oled-tvs/vizio-sued-for-smart-tv-data-sharing
Wyndham settles (caves to) the FTC
- Agrees to legally be bound to do things they should already be doing .. ?
- 20 years of audits
- Interesting ending to the long saga, assuming the courts approve
- https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment
The US Federal Bureau of Investigation (FBI) admits to using 0day vulnerabilities
- Why is anyone surprised?
- Goes to a question of trust, and that's it.
- Are these being found anyway through programs like bug bounties?
- http://searchsecurity.techtarget.com/news/4500260464/FBI-admits-to-using-zero-day-exploits-not-disclosing-them
Google introduces DLP into Google Apps
- So far it's just for their Unlimited customers
- Are we reaching a tipping point where security becomes a feature and not a stand-alone discipline?
- Definitely a game-changer
- Basic patterns and detection built-in FREE
- http://techcrunch.com/2015/12/09/new-google-apps-feature-helps-businesses-keep-sensitive-information-out-of-emails/
Black boxes on ships can be hacked
- Could be worse, someone could be claiming to make the boat float sideways?
- Is this a big deal? Probably; is it a bigger deal than other things wrong?
- Who is exploiting this, and how do the good guys fix the problem?
- http://arstechnica.

Dec 7, 2015 • 45min
DtSR Episode 172 - The Truth on Cyber Insurance
Thanks for joining us! This is a very important episode with true experts on the topic of cyber insurance. I was lucky enough to get an attorney and a VP of an insurance firm who specialize in the topic, and their depth of knowledge and candor may shock you. The net is that cyber insurance is a positive for our industry.
In this episode...
- Eran says that if you don't do good security, the courts will frown down upon that
- Keith tells us why insurance covers security, but it does not cover negligence
- We start back on the discussion on the importance of knowing your critical assets
- Keith discusses why the insurance market is essentially a mirror of your program
- Eran talks about how his team dissects and investigates breaches to improve understanding
- Keith and Eran discuss how the process of buying cyber insurance can actually lead to improved security
Guests
Eran Kahana ( https://www.linkedin.com/in/erankahana ) - Attorney, Maslon, LLP, with extensive data security experience and an expert in the cyber insurance marketplace.
L. Keith Burkhardt ( https://www.linkedin.com/in/keith-burkhardt-587b3772 ) - VP, Kraus-Anderson Insurance, where he works towards innovative products and services for the industry and has been addressing the cyber insurance market for about two years.