DrZeroTrust

Dr. Chase Cunningham
Jul 28, 2022 • 29min

Cyber news and Zero Trust insights for 7/27/2022

Can I find privacy violations with Shodan? What companies are using hackable, unpatched SCADA systems that are misconfigured? Can we find OSINT on a company that has government contracts but is not secure? Why is phishing training still a multi-billion dollar business when a variety of reports indicate that the numbers for that "defense" don't justify that expense? Is the government really as secure as we think they are? What about finding illegal violations of compliance mandates in ICS systems? Isn't breaking the law a bad thing? Those questions and more on this podcast!
Jul 18, 2022 • 23min

Applying Zero Trust to Cloud Workloads and Kubernetes.

More ideas and thoughts around applying Zero Trust to cloud workloads and Kubernetes. How should we think about the inherent vulnerabilities in these application development environments? How can you secure something that only exists for minutes at a time? Can you use open source solutions to approach the problems in this space? Do developers really need to be security engineers, and should security people know how to build apps to make things more secure? Check this one out and look for a video demo on Tigera.io and their open source Calico solution soon!
Jul 7, 2022 • 26min

Cyber news and Zero Trust insights for 7/6/2022

Marriott got hacked again, say what?  Does it mean anything?  What about their fines, didn't that teach them something?  Can I find vulnerable government assets that are misconfigured and make 30 grand in bug bounties in half an hour?  What about cloud resources that the DoD uses?  A billion records are stolen in China, what's up with that?  Those questions and more on this episode!
Jul 5, 2022 • 28min

What's up with the WAF market?

What's up with the WAF market? Talking about how we should and shouldn't use a WAF with an expert. Is the WAF the best way to address the problems we face? Where is this market going? What about the evolution of the WAF and its place in history? And some hard questions with data to challenge why we might need to move to a new approach.
Jun 30, 2022 • 27min

Cyber news and Zero Trust insights for 6/29/2022

Can I find medical offices open to the internet?  How hard would it be to hack them?  Why is phishing training a problem for enterprises and businesses?  Deepfakes and PII are being used for nefarious purposes, say what?  Those points and more on this episode.
Jun 16, 2022 • 30min

Cyber news and Zero Trust insights for 6/15/2022

Thoughts on RSA2022.  New research from Digital Shadows breaks down key areas of concern for us.  I find some vulnerable databases on the web (some are "security vendors"...uh oh).  We are still failing at the basics, and the password is eating our lunch, why is this still a problem?  A great new blog from the S/R team at Forrester on the economy and the security market.  Did AI just go sentient?  Those thoughts and more on this episode!
Jun 9, 2022 • 29min

What is Collaboration Security?

Can an organization be compliant if they are using Slack to share files, passwords, and other critical and risky data?  How does an agent-less system keep up with all of those short communications in collaboration applications?  Is there more risk if we use modern applications that allow unlimited interaction and collaboration?  What about business context, is there value to deciphering risk?
Jun 2, 2022 • 35min

Cyber news and Zero Trust insights for 6/1/2022

RSA is next week, I really need a beard trim. See y'all out there! Finding vulnerable hospital systems on the internet shouldn't be this easy, but here we go. Don't worry though, they all are HIPAA compliant lol. How powerful is PimEyes at finding images of people on the internet and how does that affect privacy and security? Should you be worried? The new Microsoft Zero Day, how bad is it? What about hacking tractors and affecting the food supply, that can't be a thing right? DHS took seven years to hire one person, yeah. Your tax dollars at work. Costa Rica ignored its own cyber defense strategy, and that worked out well right? How much money is going into the Zero Trust market? And the tech jerk of the year award goes to an absolute turd of a person. Those questions and more on this one!
May 25, 2022 • 23min

Cyber news and Zero Trust insights for 5/25/2022

Can you find vulnerable stuff online from 2003?  Surely not?  Uh oh.  Do we need a cyber moonshot to get past the failures we face in cyber security?  Is there more evidence that legislation isn't dealing with reality, and that some of our leaders are missing the point?  Using your phone SIM to do MFA, good or bad?  Is DuckDuckGo really a "private" browser?  Those points and more on this episode.
May 19, 2022 • 30min

Cyber news and Zero Trust insights for 5/18/2022

What matters more, targeting the "asset" (tractors) or the infrastructure for John Deere? Can you overthrow a government with a ransomware attack? Why are insurers changing their approach to cyber policies and why are they raising rates? What about the NSA guidance on best practices, is it really that different? Those questions and more on this one!
