Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Oct 20, 2014 • 38min

DtR Episode 115 - NewsCast for October 20th, 2014

Topics covered

- The FBI paid a visit to the "researcher" who revealed (and tinkered with) the hacked Yahoo! servers. We discuss the various aspects of this case, which we've been going round and round on lately.
  http://www.wired.com/2014/10/shellshockresearcher/
- US Cyber Security Czar Michael Daniel wants our passwords gone, replaced by ... "selfies". We wish we were making this one up, or that the link was to an Onion article, but sometimes the jokes write themselves in a sad, sad way.
  http://www.theregister.co.uk/2014/10/15/forget_passwords_lets_use_selfies_says_obamas_cyber_tsar/
- Pres. Obama has issued an executive order that all government payment cards must now be "chip & pin", once again underscoring that "just do something" may be worse than actually doing nothing. We'd love to hear your thoughts.
  http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions
- Notable data breaches discussed:
  K-Mart - http://www.theregister.co.uk/2014/10/12/kmart_cyber_attach/
  Dairy Queen - http://www.theregister.co.uk/2014/10/10/dairy_queen_restaurants_hacked/
- POODLE, the latest OMG SSL vulnerability. Is it really that big a deal that there is a public vulnerability in a protocol that should have become extinct at the turn of the century? (Hint: Sadly, yes.)
  http://www.theregister.co.uk/2014/10/10/dairy_queen_restaurants_hacked/

YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Oct 13, 2014 • 45min

DtR Episode 114 - Threat and Vulnerability Management

In this episode

- Ron gives us a brief history of Tenable and TVM for the enterprise
- Ron answers "How do you make network security obtainable and defendable?"
- We discuss TVM as a fundamental principle underlying many other security program items
- Ron tells us what the modern definition of "policy" is
- We discuss some hurdles and challenges of TVM programs in an enterprise
- We note that security scanning can always break stuff, so how do you get around that?
- Ron tells us why TVM is so much more than scanning
- Michael asks "Why are so many companies stuck in a Prince song (1999)?"
- We attempt to tackle compliance, risk, and managing to a goal
- Ron answers the question "Are we getting any better?"

Guest

Ron Gula ( @RonGula ) - CEO and CTO at Tenable

Ron co-founded Tenable Network Security, Inc. in 2002 and serves as its Chief Executive Officer and Chief Technology Officer. Mr. Gula served as the President of Tenable Network Security, Inc. He served as the Chief Technology Officer of Network Security Wizards, which was acquired by Enterasys Networks. Mr. Gula served as Vice President of IDS Products and worked with many top financial, government, security service provider and commercial companies to help deploy and monitor large IDS installations. Mr. Gula served as Director of Risk Mitigation for US Internetworking and was responsible for intrusion detection and vulnerability detection for one of the first application service providers. Mr. Gula worked at BBN and GTE Internetworking, where he conducted security assessments as a consultant, helped to develop one of the first commercial network honeypots and helped develop security policies for large carrier-class networks. Mr. Gula began his career in information security while working at the National Security Agency conducting penetration tests of government networks and performing advanced vulnerability research. He was the original author of the Dragon IDS. Mr. Gula has a BS from Clarkson University and an MSEE from University of Southern Illinois.
Oct 6, 2014 • 48min

DtR Episode 113 - NewsCast for October 6th, 2014

Topics covered

- The petition on WhiteHouse.gov titled "Unlock public access to research on software safety through DMCA and CFAA reform" and ... well, we talk about it with an attorney and some necessary skepticism.
  https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD
  My take: http://blog.wh1t3rabbit.net/2014/10/to-reform-and-institutionalize-research.html
- A Marriott property in Nashville (Gaylord Opryland) will pay $600,000 in an FCC settlement for jamming/blocking guests' personal WiFi hotspots.
  http://www.fcc.gov/document/marriott-pay-600k-resolve-wifi-blocking-investigation
- A Pakistani man has been indicted in Virginia for selling "StealthGenie", an app designed specifically as spyware.
  http://www.justice.gov/opa/pr/pakistani-man-indicted-selling-stealthgenie-spyware-app
- The code for the badUSB attack was published and released at DerbyCon. We discuss the implications.
  http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
- Cedars-Sinai Medical Center's loss of data is much worse than they thought, but it's actually worse than that. A teachable moment here.
  http://www.latimes.com/business/la-fi-cedars-data-breach-20141002-story.html
Oct 2, 2014 • 40min

DtR FeatureCast - CFAA, Shellshock and Security Research - October 2nd 2014

Thank you to Shawn Tuma, an attorney specializing in CFAA and a good friend of our show, for stopping by and lending his expertise on this episode. If you enjoy Shawn's insights, consider following him on Twitter ( @ShawnETuma ) or just saying hello!

In this episode

- We discuss the CFAA in regard to Robert Graham's brilliantly written blog post on the topic: http://blog.erratasec.com/2014/09/do-shellshock-scans-violate-cfaa.html
- Shawn gives some key insights on the CFAA, including historical context
- Michael asks some tough questions on the discretion and applicability of CFAA prosecution
- James goes on a rant about "security researchers" (it's a gem)
- I'm pretty sure Shawn goes on the record saying security researchers should be credentialed ... or was that me?
- We get some advice from Shawn on where this topic goes next, and how to avoid being a target of prosecution

Guest

Shawn Tuma ( @ShawnETuma ) - Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, Christian, family man, author & speaker, and an all-around awesome guy.
Sep 29, 2014 • 42min

DtR Episode 112 - DREAMR Framework

In this episode

- DREAMR: What is it, and why is it so important to Enterprise Security today?
- Examples of aligning business and security requirements and winning hearts & minds
- How does a security organization get around "see, I told you so!" security?
- An example of how to make the framework work for you
- We discuss the importance of listening, then listening, then listening some more
- Jessica and Ben explain "accommodating" the business
- Jessica and Ben give us "One critical piece of advice"

Guests

Jessica Hebenstreit ( @secitup ) - Jessica Hebenstreit has been a member of the Information Security community for over a decade. Having worked on both the technical and business sides of various enterprises, Hebenstreit has a unique perspective that allows for more understanding when balancing competing interests. She is a successful and results-oriented Information Security expert with hands-on information security experience in security monitoring, incident response, risk assessment, analysis, and architecture and solution design. She holds the following certifications: CISSP, GIAC-GSEC, CRISC and SFCP. In March 2012, she earned her Master of Science in IT (MSIT) specializing in Information Assurance and Security. She is currently the Manager of Security Informatics - Threat Analysis and Response at Mayo Clinic. She is building a smart response architecture for incident response from the ground up.

Ben Meader ( @blmeader ) - Ben Meader is a Senior Security professional with a unique blend of technical acumen and business know-how. Meader's security thought leadership has been battle tested at multi-national firms over the past 13 years, ranging from network security and operational security to performing detailed risk assessments and implementing a firm-wide privacy program. He remains up to date in both security and business, having received his M.B.A. from DePaul University, and holds a current CISSP. He is also active in the entrepreneurial community and is Co-Founder of a mobile application company on the side. His education and range of experiences in working with firms both large and small have given him a unique perspective on the role of security within different business cultures and how competing philosophies can collide.
Sep 22, 2014 • 47min

DtR Episode 111 - NewsCast for September 22nd, 2014

Topics covered

- Hacker flees US for non-extradition country. Why?
  http://blog.erratasec.com/2014/09/hacker-weev-has-left-united-states.html
  http://www.newrepublic.com/article/117477/andrew-weev-auernheimers-tro-llc-could-send-him-back-prison
- Class-action lawsuit against Onity lock company ("easily hackable hotel lock") rejected by judge.
  https://www.techdirt.com/articles/20140903/14134528408/onity-wins-hotels-that-bought-their-easily-hacked-door-lock-cant-sue-according-to-court.shtml
  http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller
  http://www.forbes.com/sites/andygreenberg/2012/12/06/lock-firm-onity-starts-to-shell-out-for-security-fixes-to-hotels-hackable-locks/
- Home Depot: the dirt starts to fly.
  http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/
  https://privacyassociation.org/news/a/following-breach-report-shows-home-depot-has-105-million-in-coverage/
  https://privacyassociation.org/news/a/2013-05-01-supreme-court-wiretap-ruling-upholds-stringent-standing-to-sue/
Sep 15, 2014 • 40min

DtR Episode 110 - Red Dragon Rising

In this episode

- Separating the hype from the reality of the Chinese hacking threat
- The escalation of economic tensions between the US & China over hacking
- What is the advice for the enterprise regarding state-sponsored attacks?
- The challenge with the uni-directional intelligence flow between government and enterprise
- The challenge with nation-state hacking of critical infrastructure
- The worst-case scenario (quietly happening?)
- Directly addressing the various APT reports (specifically APT1)
- Does a cyber attack warrant a kinetic response?
- Attribution is hard. Is it more than black magic, and is anyone doing it right?
- The great disconnect between the keyboard jockey and real-life consequences

Guest

Bill Hagestad II ( @RedDragon1949 ) - Internationally recognized cyber-intelligence & counter-intelligence professional. Technical, cultural, historical and linguistic analysis of foreign nation-state cyber warfare capabilities, intents & methodologies. Listed by Forbes Magazine among the "20 Cyber Policy Experts To Follow On Twitter". Bill can be found on LinkedIn at www.linkedin.com/in/reddragon1949
Sep 8, 2014 • 50min

DtR Episode 109 - NewsCast for September 8th, 2014

Topics covered

- Apple has been making news, issuing guidance, and refuting a hack, all around iCloud.
  http://www.padgadget.com/2014/09/03/apple-warns-developers-not-to-store-health-data-in-icloud/
  http://www.padgadget.com/2014/09/03/apple-says-celebrity-photo-leak-was-not-due-to-icloud-breach/
  http://www.cio-today.com/article/index.php?story_id=94027
- HealthCare.gov was hacked, but no worries, it was only a test server and no 'data was taken/viewed'. Does this sound like something you've faced in the enterprise ... hmmmm? If only there was someone warning them about the insecurity of that site! h/t to Dave Kennedy for standing up and taking political heat.
  http://www.nationalreview.com/article/387182/healthcaregov-hack-reminiscent-earlier-vermont-exchange-attack-jillian-kay-melchior
  http://www.computerworld.com/article/2603929/healthcare-gov-hacked-if-only-someone-had-warned-it-was-hackable-oh-wait.html
- Home Depot apparently has suffered a massive breach, much like Target. Interesting? Or ho-hum? (Did you Buy The Dip? h/t @DearestLeader )
  http://seekingalpha.com/article/2478055-home-depot-potential-data-breach-may-have-presented-a-good-opportunity-to-buy-the-stock
  http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/
  http://www.csoonline.com/article/2601082/security-leadership/are-you-prepared-to-handle-the-rising-tide-of-ransomware.html
- Norway's Oil & Gas industry is now the target of hackers seeking to get intelligence on production, exploration, and that all-important state-sponsored competitive edge.
  http://www.thelocal.no/20140827/norwegian-oil-companies-hacked
- Google
Sep 1, 2014 • 41min

DtR Episode 108 - Security in State Government

In this episode

- We discuss the largest challenges in the state government sector
- Brian discusses balancing the need for openness versus security/secrecy
- Phil talks about the challenge of balancing policy with agency needs in state government
- Michael asks how state-level security justifies and prioritizes security requirements
- Raf asks how policy is created that can be both effective and broad
- The group talks about metrics, policy implementation, and showing the value of protecting citizens
- The guys answer "What's the best piece of advice you've gotten in your career?"

Guests

Philip Beyer ( @pjbeyer ) - Philip is a security professional with more than 12 years of progressive experience. Currently leading information security for an organization as a function of business goals and risk profile. Consummate generalist with a background in multi-client consulting and specialization in risk management, incident handling, security operations, software assurance (OpenSAMM, BSIMM), and technical compliance testing (ISO 27002, PCI-DSS, HIPAA). Confident leader, problem solver, relationship builder, technical communicator, public speaker, presenter, and security evangelist. Fast-paced learner with a strong work ethic and self-starter attitude.

Brian Engle ( @brianaengle ) - Currently the Chief Information Security Officer & Texas Cybersecurity Coordinator, Brian is a results-oriented executive and leader with over 20 years of progressive experience in Information Technology and Information Security across the government, healthcare, manufacturing, financial services, technology, telecommunications and retail verticals. His specialties include risk management, project management, and cost-effective delivery of appropriate security solutions within organizational risk tolerances. Consummate generalist with a background in effective incident management, security and network operations, vulnerability and threat management, as well as technical compliance evaluation and gap analysis.
Aug 25, 2014 • 46min

DtR Episode 107 - NewsCast for August 25, 2014

Topics covered

- Community Health Systems and UPS Stores breached: an analysis and contrast of the two breaches, the data, and the common message.
  http://regmedia.co.uk/2014/08/18/community_health_systems_8k.pdf
  http://blogs.wsj.com/cio/2014/08/20/the-morning-download-community-health-systems-breach-stirs-up-heartbleed-fears/
  http://time.com/3151681/ups-hack/
- The case of the premature declaration of BYOD's death, via an over-hyped court case?
  http://www.cio.com/article/2466010/byod/court-ruling-could-bring-down-byod.html
- "Shadow clouds" (cloud services consumed by enterprises, not approved by security) are on the rise. No one on the show is shocked, and you aren't either.
  http://www.computerworld.com/s/article/9250606/Shadow_cloud_services_pose_a_growing_risk_to_enterprises
- Facebook gives $50,000.00 away for the "Internet Defense Prize", joining Microsoft in trying to make being defensive-minded (and actually solving some security problems, rather than continuing to point them out) sexy.
  http://threatpost.com/new-facebook-internet-defense-prize-pays-out-50000-award
