Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Sep 7, 2015 • 44min

DtSR Episode 159 - NewsCast for Sept 7th 2015

In this episode:
- Court strikes down Wyndham's challenge to FTC power
  - We have covered this before
  - Wyndham argued due process and lack of case law, and asked for dismissal
  - Court said no dismissal; the FTC has standing
  - The FTC is arguing that Wyndham made promises it did not keep
  - Should be interesting to watch this go to court (or, more likely, not)
  - http://www.csoonline.com/article/2975915/data-breach/wyndham-vs-ftc-corporate-security-pros-need-to-lawyer-up-about-data-breach-protection-experts-say.html
- Ashley Madison hauled into court by class-action suit
  - Lots of thorny issues here; must separate the moral from the legal
  - Shines a light on the continued bias for breach prevention
  - Interesting Streisand effect here
  - http://www.csoonline.com/article/2975755/data-breach/ashley-madison-hauled-to-court-in-class-action-suits-over-data-breach.html
- Verizon launches Hum, an OBD-port vehicle monitor and communication tool
  - In light of the stunt-hacking against Chrysler/Jeep, is Verizon tone deaf? ...or are they simply that confident in their security?
  - There is no mention, by the way, of security of the device on the web site
  - http://www.macnn.com/articles/15/08/26/service.not.reliant.on.verizons.network.uses.any.ios.or.android.phone.130118/
- The move to EMV cards (chip & sign) in America is changing how fraud happens
  - EMV cards cost a fortune to implement
  - Solving a problem the finance industry did not have
  - http://www.bankinfosecurity.com/interviews/emv-shift-preparing-for-fraud-migration-i-2850

Support the show >>> Please consider clicking the link above to support the show!
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Sep 1, 2015 • 9min

DtSR MicroCast 08 - Conference Engagement

In this MicroCast, live from HTCIA Conference 2015 in Orlando, FL, Michael and I quickly set the stage for a conversation on conference speaker/attendee engagement.

[Raf] One of my biggest pet peeves as a speaker is getting a room full of people who watch (and listen to) me speak, wait for me to finish, and leave when I'm done.

[Michael] As an attendee, you need to know what you "do" and what you're looking for from the conference.

--> Here's the link to the article Michael mentions: http://paulsohn.org/how-to-connect-with-anyone-you-just-met-with-5-questions/

We welcome the discussion on this topic, #DtSR on Twitter!
Aug 31, 2015 • 45min

DtSR Episode 158 - Managing Security with Outsourced IT

In this episode:
- We discuss what life is like as the CISO when you have all the responsibility for security, but no administrative access (or hands on keyboard)
- Brandon tells his story about how his IT organization went from in-house to out-house, and how they got where they are
- Brandon tells us the process and strategy he uses to get a handle on his security
- We discuss why visibility is one of the most important things in outsourced IT (and security)
- Brandon tells a story of an incident where things went very sideways
- We discuss the balance between outsourcer scalability and customer deviations
- Brandon tells us why it sometimes takes 3 months to scan your environment for a vulnerability (your head will explode)
- ...and so much more

Guest
Brandon Dunlap (@bsdunlap) - Brandon is the global Chief Information Security Officer for an employee-owned, global leader in building critical infrastructure in energy, water, telecommunications and government services, currently operating in more than 100 countries through consulting, engineering, construction, operations and program management.
Aug 24, 2015 • 49min

DtSR Episode 157 - NewsCast for Aug 24th, 2015

In this episode:
- Just when you thought America's neutered "chip & sign" was safe
  - http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/
  - Admittedly we put these stories in here just to get Michael all fired up
- Ashley Madison's data, source code and CEO's email spool now released and public
  - http://www.theregister.co.uk/2015/08/20/ashley_madison_email_dump/
  - http://www.csoonline.com/article/2973575/business-continuity/ashley-madison-self-assessments-highlight-security-fears-and-failures.html
  - So much to talk about that's just wrong with this story...
- Uber is hiring people for security
  - http://www.ibtimes.com/uber-boost-security-staff-after-data-privacy-concerns-2055903
  - Does more headcount equal better security?
  - Where will these people come from, given the shortage of talent?
- That gadget you attached to your OBD2 port on your car to "save on car insurance" may be used to kill you
  - Seriously
  - The dangers of all these wireless & connected devices are scary
  - Risk assessment, anyone?
  - http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
  - Someone get Flo on the phone...
- Windows Server 2003, which is now out of support, still has 609,000 public servers on the Internet
  - Translates into roughly 175M websites (Netcraft)
  - Why are these out there?
  - Is there really a risk, or is this hype?
  - http://www.zdnet.com/article/windows-server-2003-servers-insecure-unpatched/
- ATC systems go down as they were... being updated!
  - Common problem of ancient systems going down due to an upgrade
  - ATC has a ZERO patch window... and close to ZERO ability to test patches/updates in a "lab" environment
  - Complex, ancient systems fail when they're upgraded, sometimes catastrophically
  - http://thehill.com/policy/cybersecurity/251310-software-limits-exposed-in-air-traffic-outage
Aug 17, 2015 • 43min

DtSR Episode 156 - Leadership Defined Measured and Discussed

In this episode:
- We discuss the ever-growing need for strong leadership in security
- I ask whether experience and longevity in a position naturally bring leadership qualities
- We talk through how leadership interplays with other competencies
- Michael asks whether the security leader has a place at the executive table (the "big kids' table")
- Michael asks if the MBA has value in security leadership
- We discuss the model my team uses for leadership and how we build leaders
- Michael and Heath discuss various competency models for leadership
- We discuss measuring, KPIs and relative distance
- We discuss how leaders can make better decisions
- Heath leaves us with an Alex Hutton quote
Aug 10, 2015 • 46min

DtSR Episode 155 - NewsCast for Aug 10th, 2015

In this episode:
- The Belgian government's internal phishing test has "gone off the rails" a bit
  - Used a legitimate entity to test against
  - Panic and hilarity ensued, but mostly panic
  - http://www.networkworld.com/article/2951514/security/belgian-government-phishing-test-goes-offtrack.html
- British ICO hands down a £180,000 fine
  - Disconnect between policy and reality
  - Was anything lost?
  - 2 big failures lead to a fine
  - https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/08/ico-fines-nationwide-money-lender-the-money-shop-180-000/
- McAfee and Black Hat attendee surveys wildly different
  - The answers you get depend on who you ask and how you ask
  - Interesting answer though...
  - Lesson: the more experience you have, the less confidence?
  - http://www.slate.com/blogs/future_tense/2015/07/21/two_surveys_of_cybersecurity_professionals_show_starkly_different_attitudes.html
Aug 3, 2015 • 50min

DtSR Episode 154 - Enterprise Software Security Reloaded

In this episode:
- Raf asks: why haven't we solved the same old software security bugs?
- James asks how a security team gets out of the way and still gets better security
- We discuss threat modeling, and channel a bit of John Steven
- Jeff talks about the OWASP ESAPI and standard security libraries and controls
- Jeff talks about "libraries with known vulnerabilities" and the role of open source components
- Raf brings up the ugly side of enterprise outsourcing: code development by committee
- We discuss static, dynamic and run-time security tools
- Raf asks Jeff what the RIGHT approach to creating a software program looks like

Guest
Jeff Williams (@PlanetLevel) - Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. In 2002, Jeff co-founded and became CEO of Aspect Security, a successful and innovative consulting company focused on application security. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
Jul 27, 2015 • 50min

DtSR Episode 153 - NewsCast for July 27th, 2015

In this episode:
- "Hackers remotely kill a Jeep!"
  - Lots to talk about
  - Basics of segmentation weren't followed, and aren't followed
  - Discussion on software 'fitness' and liability
  - http://www.cato.org/blog/hackers-remotely-kill-jeep
- Firefox blocks Flash and Facebook calls for its death
  - Should it concern you that Firefox can change your config without your permission or an update?
  - How helpful is this? Does the message/pop-up actually DO anything to stop users from clicking YES?
  - http://money.cnn.com/2015/07/14/technology/flash-firefox-facebook/index.html
- Ashley Madison (the cheating website) breached!
  - Check their privacy policy: is it consistent with their actions?
  - Did this event delay, or possibly end, the company's aspirations of going public?
  - The morality of AM's business model shouldn't be an issue here, but it keeps coming up
  - http://www.csmonitor.com/World/Passcode/2015/0722/Ashley-Madison-breach-a-painful-reminder-of-online-data-s-permanence
- British Gas bows to criticism over blocking password managers
  - http://www.scmagazineuk.com/british-gas-bows-to-criticism-over-blocking-password-managers/article/426463/
- US Court says "pocket dialed" calls are NOT private
  - http://www.itworld.com/article/2951715/security/us-court-says-pocketdialed-calls-are-not-private.html
Jul 20, 2015 • 41min

DtSR Episode 152 - The Great InfoSec Talent Shortage

In this episode:
- Talent shortage: is it real, and how bad is it?
- We discuss: what does negative unemployment actually mean?
- Michael asks: security is still relatively new, so how do we determine what "qualified" means?
- What skills are necessary to be a good security professional?
- Hiring: we discuss how we get better at screening potentially qualified employees
- We discuss how we can vet real experience versus resume skills
- Mark and Michael discuss specialization, automation, and optimizing our workforce
- Mark shares his thoughts on growing and retaining top talent

Guest
Mark Orlando (@MarkAOrlando) - As the Director of Cyber Operations, Mark is responsible for Foreground's Federal practice as well as the Virtual Security Operations Center (V-SOC) managed service. He leads a national team of analysts, engineers, incident responders, and managers who secure some of the most high-profile networks in the Federal, financial, commercial, and power and utilities industries. As the senior operations subject matter expert, he is also responsible for security services strategy and advises on strategic Foreground initiatives such as threat intelligence analysis and custom analytics development. Mark is also a key advisor to the company's award-winning educational unit, Foreground University. Prior to joining Foreground Security, Mark advanced through the technical ranks as a Security Analyst and Technical Lead in a variety of operations environments. In his 13+ years of experience, he has built and led security operations teams at the White House, the Department of Energy, the Pentagon, and numerous commercial organizations. He has also managed the operations division of a major Managed Security Service Provider supporting hundreds of private and public sector clients. Mark enjoys teaching and learning from others. He has presented on security operations and assessment at the Institute for Applied Network Security Forum and RSA Conference. Mark has earned the CISSP, PMP, CEH, ITIL, and multiple SANS GIAC certifications and holds a B.S. in Advanced Information Technology from George Mason University. Mark served in the US Marine Corps, where he was a Marine Artillery NCO.

Foreground Security (http://foregroundsecurity.com/)
Jul 15, 2015 • 22min

DtSR FeatureCast - HTCIA International Conference 2015 Preview

In this episode:
- Peter Morin joins us to talk through the upcoming HTCIA International 2015 Conference in sunny Orlando, Florida.
- We talk through a preview of talks, events, and some interesting reasons you should be going to HTCIA Int'l
- Check out the incredible lineup of keynotes, speakers and talks: http://www.htciaconference.org/
- Come see the #DtSR crew live and in person as we record and broadcast from the conference
