

Down the Security Rabbithole Podcast (DtSR)
Rafal (Wh1t3Rabbit) Los
This is Cybersecurity's premier podcast. Running strong since 2011, Rafal Los, James Jardine, and Jim Tiller bring a no-nonsense, non-commercial approach to our profession. DtSR brings interviews and discussion with people you want to meet, and stories you have to hear. So whether you're just starting out, or are decades deep into your career, you'll always learn something on this show.
On Twitter/X: https://twitter.com/@DtSR_Podcast
On YouTube: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
On LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Episodes
Jul 13, 2015 • 46min
DtSR Episode 151 - NewsCast for July 13th, 2015
In this episode...
Appears as though Windows 10 WiFi Sense could have some issues with WiFi -- more on this as it develops
  Why is the default opt-in, and why in the world do I have to change my SSID to opt out?!
  Is it really a good idea to use an SSID to describe security constraints on your network? (Hint: NO)
  http://www.computing.co.uk/ctg/news/2415787/windows-10-wi-fi-sense-security-warning-over-automatically-shared-passwords
"Washington Post will encrypt the news"
  Ridiculous click-bait headline
  Is this a good idea? Should everything be HTTPS?
  What about ads, are we defeating ourselves?
  https://hacked.com/washington-post-encrypt-news/
OPM hackers stole 21.5 million people worth of records
  That's all government employees, past, present, and under-cover (possibly)
  1.1 million biometrics (fingerprints) -- quick! go reset your fingerprints... oh wait
  Bad --> worse --> catastrophic --> now what?
  http://www.computerworld.com/article/2946031/cybercrime-hacking/opm-hackers-stole-data-on-215m-people-including-11m-fingerprints.html
Katherine Archuleta, Director of OPM, resigns
  Shock. Awe. Not.
  Did everyone else see this one coming?
  Does this change anything? Does her departure make anything better or is she the sacrificial lamb, the way Washington operates?
  http://www.nytimes.com/2015/07/11/us/katherine-archuleta-director-of-office-of-personnel-management-resigns.html

Support the show >>> Please consider clicking the link above to support the show!
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

Jul 6, 2015 • 50min
DtSR Episode 150 - A CEOs Perspective
In this episode
We take a little peek inside the mind of a CEO, from the security perspective
We discuss the state of information security in the last decade
Dan shares his wisdom on how the role of a security professional and security leadership has changed over the course of his career
We discuss the talent shortage - and get an in-depth look at solving some of this problem
Dan shares with us his views on balancing people, processes and technology resources to achieve meaningful security
We talk strategy, and Dan and the guys talk through why it's so vital
We get Dan's "closing remark" (something you won't want to miss)

Guest
Dan Burns, CEO Optiv, Inc. - Dan Burns brings more than 23 years of business, technology and security industry experience to his role as chief executive officer. In this role he is responsible for the development and implementation of high-level strategies and direction of the company's growth. Being able to provide clear insight into navigating the complex information security landscape is a priority for Burns. His philosophy is to focus on building long-term relationships with clients, working with them to simplify their lives and becoming a trusted information security partner rather than a reseller or outside consultant.

From 2002 when he co-founded Accuvant, until 2012 when he assumed his position as the company's first CEO, Burns served as senior vice president of Accuvant's sales organization. In that role, he was responsible for strategic planning, sales growth and problem resolution. Burns co-developed and helped to successfully execute on Accuvant's initial vision - to build a company with the breadth, depth and capabilities to address the information security needs of organizations worldwide. He launched the sales force and grew it to a national powerhouse organization within a 10-year period, conducting business with nearly half of the Fortune 500, and driving $740M in revenue in 2014.

Prior to his achievements with Accuvant, Burns was the regional vice president of sales for the western region of OneSecure. He played an integral role in transitioning the organization from a managed security services (MSS) provider to a product company, delivering to the marketplace the first intrusion prevention system (IPS) and generating $40M in product sales in the first year.

Previously, as the western region vice president for Exault, an integrator, consulting organization and reseller, Burns secured some of the largest enterprise clients in the Rocky Mountain region and helped grow revenues to nearly $150M in two years. He also held positions at Access Graphics, Arrowpoint, and Netrex where he supported some of the largest telecommunication companies in building their information security programs, implementing technology and taking advantage of Netrex's world-class MSS.

Burns earned a bachelor's degree in economics from San Jose State U

Jun 29, 2015 • 51min
DtSR Episode 149 - NewsCast for June 29th 2015
In this episode
With me gone, James and Michael run feral!
It's June, so here are the top 3 security priorities for CISOs for 2015 (yes in June)
  http://www.information-age.com/technology/security/123459699/top-3-security-priorities-cios-2015
  Boils down to: patch faster, improve credentials, code better
  Is this the right list? It mentioned side-stepping cloud and mobility. What if migrating to the cloud offers the opportunity to not worry about patching or code, and improve your credentials? Someone pointed out to me that this matches the OPM hack; perhaps this is just content driven from that? Does that make it more or less valid?
  Let us know… #DTSR
Cybersecurity tops advisors' compliance worries: poll
  http://www.thinkadvisor.com/2015/06/24/cybersecurity-tops-advisors-compliance-worries-pol
  More people concerned. This directly undercuts the notion that people don't care. They do care. They care about their money. The advisors entrusted with their money care. People care. The question for us: what are we doing? How are we helping?
Why it's worth divorcing information security from IT
  http://www.forbes.com/sites/frontline/2015/06/22/why-its-worth-divorcing-information-security-from-it/
  No. No it's not. We don't need more silos, we need less. This feels a bit like "we're not getting what we want… so the answer is reorg."
Keeping your kids safe (online) this summer -- with our very own TV star, James!
  http://www.news4jax.com/news/summer-online-safety-for-kids/33747246
  James, tell us about the experience - and how you don't have nearly the control you think you'll have
  What did you do to prep?
  What was your one big take away?
  Now that you did the interview, any new thoughts?
  Folks… what do you do?
  #DTSR - congratulate James on a great interview, then share your ideas (and yes, this is an enterprise play -- you can AND SHOULD share this with your employees)

Jun 22, 2015 • 32min
DtSR Episode 148 - Focus on the CISO
In this episode...
What is the Security Advisor Alliance?
We discuss some of the issues facing CISOs today
Clayton gives us his perspective on how to solve some of those issues
Clayton tells us about the mission of the SAA
If you're a CISO, are you signed up for the SAA Summit? Shoot Clayton an email

Guest
Clayton Pummill ( @cp48isme ) - https://www.linkedin.com/pub/clayton-pummill/10/32a/44a - Clayton is the executive director of the Security Advisor Alliance. He also has a storied background, so I encourage you to give it a check!

Jun 15, 2015 • 56min
DtSR Episode 147 - NewsCast for June 15th, 2015
In this episode...
Facebook has released PGP-encryption-enabled email communications
  The anti-privacy platform will now encrypt emails to you if you give them your PGP public key
  Does no one see the insane irony here?
  http://www.theregister.co.uk/2015/06/01/facebook_pgp_support/
White House issues mandate for HTTPS (by default) for all federal websites
  "By the end of 2016"
  Is this a good thing? A bad thing? Or does it even matter?
  http://www.huffingtonpost.com/2015/06/08/https-federal-websites_n_7539164.html
Attackers are using medical devices to pivot into health care networks
  The Internet of Medical Things is insecure
  There are challenges here, but the risks of moving faster aren't negligible
  Lots to be thought about here
  http://www.csoonline.com/article/2931474/data-breach/attackers-targeting-medical-devices-to-bypass-hospital-security.html
Kaspersky gets popped, cue the typical verbiage
  "Three previously unknown techniques"
  "..highly sophisticated attack used up to three zero-day exploits.."
  http://www.bbc.com/news/technology-33083050
PwC healthcare spending study is disturbing
  Predicts a 6.5% dip
  Security is one factor in increasing cost
  http://hitconsultant.net/2015/06/10/pwc-healthcare-spending-growth-rate-to-dip/
  http://www.csoonline.com/article/2934929/security-leadership/why-the-dip-in-healthcare-spending-is-actually-a-risky-opportunity-for-security-leaders.html

Jun 8, 2015 • 46min
DtSR Episode 146 - State of Enterprise Incident Response
In this episode...
Defenders are set up to fail? How and why
How do we fill forensics and IR positions?
What skills and qualifications do forensics/IR need to have?
How can enterprises get better at IR from where they are today?
How do we solve some of the problems plaguing the security industry?

Guest
Andrew Case ( @attrc ) - Andrew Case is a senior incident response handler and malware analyst. He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis. He is a core developer on the Volatility memory analysis framework and co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory".

Jun 1, 2015 • 49min
DtSR Episode 145 - NewsCast for June 1st, 2015
Apologies to anyone who is having issues downloading this episode!
In this episode...
The ACLU encourages the government to get into bug bounties
  Read the original letter: https://www.aclu.org/sites/default/files/field_document/aclu_-_iptf_recommendations_submitted.pdf
  Points 1 & 2 are sane
  Point 3 makes a hard left into crazy-town
  http://thehill.com/policy/technology/243265-aclu-says-government-should-offer-rewards-for-finding-security-flaws-on-its
The massive taxpayer data fraud (not really a breach) is believed to be the work of Russia, says the IRS
  Does it really matter?
  Was this a breach or an abuse of functionality?
  Would your company have caught this?
  http://www.cnn.com/2015/05/27/politics/irs-cyber-breach-russia/index.html
CareFirst says their recent breach affects only about 1.1M people
  Healthcare is clearly in the "bad guys" target zone
  Quick to point out what the attackers did not get access to
  Of course it was a sophisticated cyberattack
  http://abcnews.go.com/Technology/wireStory/carefirst-data-breach-affects-11m-people-31187250
CNA Financial business unit refusing to pay out claim to Cottage Health System
  Claims hospital "failed to continuously implement procedures and risk controls identified"
  CNA unit alleges many failures -- but is this fair?
  http://www.businessinsurance.com/article/20150515/NEWS06/150519893

May 25, 2015 • 42min
DtSR Episode 144 - Insights from the ISC2 2015 Survey
In this episode...
David Shearer, Executive Director for ISC2, joins us to talk about the results of the ISC2 2015 Information Security Workforce Study
We ask David to highlight some of the results
We discuss how malware and application security were identified as top threats 3 years in a row -- and what's to be done about this
We discuss the major discrepancy between priorities from this survey and recent CIO surveys
We discuss the importance of communication skills (identified in the survey) while leadership and business management are far down the scale
We discuss with David how under his leadership ISC2 can build a much tighter alignment to business -- not just more security certifications

Guest
David Shearer - David Shearer has more than 27 years of business experience including the chief operating officer for (ISC)², associate chief information officer for International Technology Services at the U.S. Department of Agriculture, the deputy chief information officer at the U.S. Department of the Interior, and the executive for architecture, engineering and technical services at the U.S. Patent and Trademark Office. Shearer has been responsible for managing and providing services via international IT infrastructures, and he has implemented large-scale SAP Enterprise Resource Planning (ERP) projects. Shearer holds a B.S. from Park College, an M.S. from Syracuse University, management and technical certificates from the U.S. National Defense University, and he is a U.S. federal executive presidential rank award recipient. As (ISC)² Executive Director, Shearer is responsible for the overall direction and management of the organization.

May 18, 2015 • 48min
DtSR Episode 143 - NewsCast for May 18th, 2015
In this episode...
Netflix launched FIDO (not that one, or that one, no the other one)
  Focused on automating incident response practices
  FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
  If you don't use it, at least they provide a structured framework for response and IR workflow
  http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html
IT Chief leaves sensitive data in car -- spoiler: it gets stolen
  Something smells like a fish market in the July heat on this story
  Maybe it's time to check in on YOUR off-site handling procedures?
  http://www.thestarpress.com/story/news/local/2015/05/10/chief-left-hard-drives-car/27083031/
Crowdstrike discovers, names "Venom"
  Massive security vulnerability within the floppy disk emulator in virtual machine hypervisors
  Even if you disable floppy disk emulation, a separate bug lets you enable it
  This has a graphic and everything!
  http://www.csoonline.com/article/2921589/application-security/significant-virtual-machine-vulnerability-has-been-hiding-in-floppy-disk-code-for-11-years.html
United Airlines launches bug bounty
  Does this have anything to do with the now infamous (alleged) airplane hacker?
  Seems like some contradictory statements in the description (see below on United's response to our inquiry)
  http://www.united.com/web/en-US/content/contact/bugbounty.aspx

Note back from United Bug Bounty Team:
Posted with permission--
"Rafal: Thank you for the question. We want researchers to be able to notify of potential issues they find while still protecting customers who are not participating in the program. If a researcher launched a brute force attack and locked the accounts of 10,000 customers through already existing security measures this would negatively affect our customers and the program. If any researchers believe they may have found a brute force condition, they can feel free to submit it to us without testing. We will check on our end and if we confirm a bug exists we will gladly reward them for their effort. Does that make sense?"

May 11, 2015 • 27min
DtSR Episode 142 - Basics and Fundamentals, That Win
In this episode...
A quick walk-through of Rob's talk ("Hacker ghost stories"), and why it's completely relevant today
Simple things that work
  blocking java (externally)
  effectively blocking "uncategorized" sites in your forwarding proxies
  (not) resolving DNS internally
  (not) default routing to the Internet from inside
  canaries in the coal mine, or evil canaries

Guests
James Robinson ( @0xJames ) - https://www.linkedin.com/in/0xjames - Currently the Director, Threat and Risk Management at Accuvant-Fishnet Security and part of the Office of the CISO. He has a long and storied career of success as an enterprise defender across various industries.
Rob Fuller ( @mubix ) - Rob is an experienced InfoSec industry insider, with many interesting achievements and accomplishments. He's easily findable, as are his many public doings.