Take a step outside the echo chamber - gain some perspective and context. Welcome to one of the longest-running cybersecurity focused podcasts in existence. Here we talk real problems, real solutions, and make real big fun of ridiculous things. This show is part ideation, part "get off my lawn", and always a chuckle. Join us, subscribe, and share in the conversation.
Follow us on Twitter: @DtSR_Podcast
Check out Rafal's @Medium blog at https://medium.com/@BlogWh1t3Rabbit
DtSR Episode 570 - Starting a Conversation About Securing the Food Supply_Part 2
TL;DR: This is part 2 of 2 - for this amazing topic! Please join us for both parts, and check out the full-length video online and available RIGHT NOW.
On this episode of the DtSR Podcast, I welcome Kristin Demoranville and Nelson Estrada Hernandez to talk about the food industry and how cyber security can and should be a vital part in this absolutely critical topic.
YouTube Video (full 62 minutes): https://youtube.com/live/72z70zYLxyc
Links:
Agriculture ISAC: https://www.wired.com/story/us-food-agriculture-isac-cybersecurity/ (h/t Najo Ifield)
Guests:
Kristin Demoranville
LinkedIn: https://www.linkedin.com/in/demoranvillekristin/
Nelson Estrada Hernandez
LinkedIn: https://www.linkedin.com/in/nelson-estrada-hernandez-07786956/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue
This week, the guy with the best vendor hoodies ever is back! Philippe Humeau of Crowdsec joins us again to talk about some of the data his team have gathered, analyzed, and are using to crowd-source protection in the form of block lists. Anton Chuvakin joins us to bring his useful manner of snarkasm, just to keep us honest.
Guests
Philippe Humeau
LinkedIn: https://www.linkedin.com/in/philippehumeau/
Anton Chuvakin
LinkedIn: https://www.linkedin.com/in/chuvakin/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue
We open this episode with an acknowledgement of the crisis in Ukraine, as Putin's madness is unleashed. We stand with the brave people of Ukraine as they defend themselves from unprecedented evil. That said, this week James and I bring Grant Sewell onto the show. Grant has experience being a "behind the scenes" CISO, and more recently in a customer-facing role. We discuss the evolution of the CISO into a "trust officer" and the focus that takes.
Guest
Grant Sewell
LinkedIn: https://www.linkedin.com/in/grantsewell/
Twitter: https://twitter.com/grantsewell
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/1/2022 • 35 minutes, 56 seconds
DtSR Episode 489 - Crowdstrike Global Threat Report Feb 22
LinkedIn Live stream (recorded): https://www.linkedin.com/video/event/urn:li:ugcPost:6895440886222643201/
DtSR LinkedIn Page (subscribe here!): https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Prologue
This week is a slightly longer (oops) episode of the DtSR Podcast with a three-timer, Adam Meyers of Crowdstrike. Adam joins James and Rafal to talk about the latest Global Threat Report and all the trends and insights. There is a lot of good insight here, and if you want to catch the LIVE (recorded) video you can get that too! Don't forget to subscribe to our DtSR page on LinkedIn to get all the latest content.
Guest
Adam Meyers
LinkedIn: https://www.linkedin.com/in/adam-meyers-7a58481/
Twitter: https://twitter.com/adam_cyber
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
2/22/2022 • 53 minutes, 3 seconds
DtSR Episode 487 - Software Supply Chain is a BFD
Prologue
Continuing our thread on the software supply chain and SBoM (Software Bill of Materials), we bring in Ed Moyle, who is writing a series on the subject for his column. Ed brings up some very interesting points on some key aspects of software supply chain, including feasibility, and asks that difficult question: "So what if you get it?"
Guest
Ed Moyle
LinkedIn: https://www.linkedin.com/in/edmoyle/
Must-read article: https://www.techtarget.com/searchsecurity/tip/4-software-supply-chain-security-best-practices
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
2/8/2022 • 44 minutes, 49 seconds
DtSR Episode 486 - SBOM in the Real World
Prologue
SBoM ("Software Bill of Materials") is the new rage. Everyone's talking about it. What it means is you're expecting a list of software components and includes, libraries, etc. that make up the software you're buying or using. The problem is, in real life, SBoM is exceptionally difficult and maybe even slightly impractical. Listen in as Rafal & James discuss SBoM in real-life scenarios with Paul Caiazzo -- a guy who's trying to make this idea work in his day job.
Guest
Paul Caiazzo
LinkedIn: https://www.linkedin.com/in/pcaiazzo/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
2/2/2022 • 44 minutes, 8 seconds
DtSR Episode 485 - YGHT Beating Ransomware at Its Game
Prologue
Back in episode 469 ( https://ftwr.libsyn.com/dtsr-episode-469-yght-they-hacked-ransomware ) we brought Steve Perkins of Nubeva ("Cloud Go" in Portuguese) to talk about a very interesting "accidental" development. They'd figured out a way to steal encryption keys from ransomware, thus rendering it potentially toothless. Well, now Steve's back with a product, and a way to reverse ransomware's encryption with minimal friction and without paying the ransom. So ... yeah. Listen in.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
1/25/2022 • 39 minutes, 11 seconds
DtSR Episode 484 - Defrauding Mobile Payments
Prologue
Have you ever made a payment from your mobile device, wirelessly using NFC? Of course you have, most of us have by now. Did you know there are some (or at least were) fairly significant design flaws, otherwise known as "features", in the various platforms? On this show, we're interested in learning more about Timur's research and what he's uncovered. You'll want to do what I did, check your phone's NFC payments settings, once this show is over.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
1/18/2022 • 37 minutes, 30 seconds
DtSR Episode 483 - How Not to Screw Up Your Cloud
Prologue
We have a repeat guest today! Mr. Mark Simos joins me once again to talk about Microsoft's Cloud Adoption Framework (CAF) and its applicability to not only Azure, but also your other clouds. Building resilient and secure clouds isn't just about security, it's about design and architecture that adheres to good practices. Microsoft's CAF is a fantastic place to start - listen here to learn more.
Guest
Mark Simos
LinkedIn: https://www.linkedin.com/in/marksimos/
Twitter: @marksimos
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
1/11/2022 • 46 minutes, 8 seconds
DtSR Episode 482 - Tales of Wireless Hacking
Prologue
This week, on a good start to the new year, Eric Escobar joins us to talk about hacking wireless - and a little bit of history on the topic. Taking us back to early wireless hacking where you had to have the right wireless PCMCIA card and drivers, to today where things are a little more complicated but oddly not too much has changed.
Guest
Eric Escobar
LinkedIn: https://www.linkedin.com/in/eric-escobar/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
1/4/2022 • 41 minutes, 27 seconds
DtSR Episode 481 - Spies In Your Tech
Prologue
Bentsi is a guy with some experience in the bad guy world when it comes to devices and gadgets getting compromised. In this episode, he tells us stories and anecdotes on things he's seen and the threats gadgets face. It's a very interesting discussion, and might just make you a little more paranoid before it's over.
Guest
Bentsi ben-Atar
LinkedIn: https://www.linkedin.com/in/bentsi-ben-atar-6b0128/
Check out Sepio - https://sepio.systems/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/28/2021 • 37 minutes, 26 seconds
DtSR Episode 480 - Juice Jacking
Prologue
Have you ever plugged your smart phone, tablet or other "smart thing" into a power cable that wasn't yours? I'm guessing you've answered yes - and if so, you need to listen to this episode. As we travel and move around with our smart devices, we don't always have our charging cables & blocks with us, and that can lead to disaster. Hear more from Robert Rowley on how "juice jacking" can cause security problems we aren't even aware of.
Guest
Robert Rowley
LinkedIn: https://www.linkedin.com/in/robertlei/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/21/2021 • 40 minutes, 19 seconds
DtSR Episode 479 - Productivity of Jump Boxes and Bastion Hosts
Prologue
In a technically deeper episode, Ev joins Rafal to discuss how security has made productivity challenging at times, in terms of having to jump through hoops to get work done, and what we should be doing about it. Ev asks us to imagine an entirely new paradigm of productive access to necessary resources - so listen in and dream big with us.
Guest:
Ev Kontsevoy
LinkedIn: https://www.linkedin.com/in/kontsevoy/
Teleport: https://www.linkedin.com/company/go-teleport/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/14/2021 • 44 minutes, 25 seconds
DtSR Episode 478 - Beyond Buzzwords: XDR
Prologue
This week's episode is one of my favorite topics - marketing buzzwords. You've all heard the term "XDR" and wondered (probably like me) what the heck it is and how it's different than EDR or MDR. Do we really need more buzzwords? Mark Alba from Anomali joins me this week to discuss this, and I think it'll help sort things out for you; it sure did for me. I'm still not a big fan of new buzzwords, but at least I get it now.
Guest
Mark Alba
LinkedIn: https://www.linkedin.com/in/markalba/
Anomali XDR Info: https://www.anomali.com/learn/the-impact-of-xdr-in-the-modern-soc-v2
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/7/2021 • 37 minutes, 35 seconds
DtSR Episode 477 - Passwords are Dead and Other Fables
Prologue
Welcome to the last month of 2021 - December. This month we have a few bonus episodes, starting with this gem on identity. We've got a great guest, and Mike Kiser has some interesting opinions he's definitely not holding back on. Thanks for listening - we hope you enjoy this episode. And special thanks to SailPoint for bringing Mike to the mic.
Guest
Mike Kiser
LinkedIn: https://www.linkedin.com/in/mike-kiser/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/2/2021 • 41 minutes, 50 seconds
DtSR Episode 476 - Securing Public Cloud with Azure ASB v3
Prologue
Folks, the video of this episode which was live-streamed to our YouTube channel is here: https://youtu.be/IYVB_LNhURQ - and if you can, watch it. Huge mega-thanks to Microsoft and Lightstream for bringing together Jeff and Mark on this one to deliver some truly phenomenal content. This week is Azure Security Benchmark (not baseline, oops) version 3.0, hot off the presses. We talk about what it is, how to apply it, and where and why it's so useful for keeping not just your Azure public cloud safe, but also the "other" public clouds you use too.
Guests
Mark Simos
LinkedIn: https://www.linkedin.com/in/marksimos/
Twitter: https://twitter.com/marksimos
Jeff Collins
LinkedIn: https://www.linkedin.com/in/jmcollins/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/30/2021 • 44 minutes, 40 seconds
DtSR Episode 475 - Community Sourced Threat Instructions
Prologue
Fair warning y'all, this episode may have been just slightly more fun than the Surgeon General allows. That said, on this one we not only made up some new terms ("Threat Instructions", Anton) but also had some fun describing what a well-functioning system of highly automate-able threat data would look like. And as it turns out, it's CrowdSec's "Fire" data set. Fascinating conversation, and most fascinating of all is that as Philippe described how it functions, Anton could find nothing wrong with it. Call me gobsmacked. If you're interested in participating in the Crowd, click this link - because a typo will put you in a very weird and very different sort of crowd.
Guests
Philippe Humeau, CEO at CrowdSec
LinkedIn: https://www.linkedin.com/in/philippehumeau/
Twitter: @Crowd_Security
Website: https://crowdsec.net/
Anton Chuvakin
LinkedIn: https://www.linkedin.com/in/chuvakin/
Twitter: @Anton_Chuvakin
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/23/2021 • 45 minutes, 22 seconds
DtSR Episode 474 - Unraveling Mountains of Evidence
Prologue
Hey! Are you attending OpenText World Enfuse? If not, click here and check it out - it's virtual! Straight from Enfuse, Chuck Dodson joins Rafal & James to talk about digital evidence collection, management, and processing in the realm of law enforcement. A fascinating look at the law enforcement side of things, and a topic perspective most of us never have occasion to think about, unless you're in the fight.
Guest
Chuck Dodson
LinkedIn: https://www.linkedin.com/in/chuckdodson/
OpenText World - Enfuse: https://www.opentextworld.com/event/7653eae4-3cf3-4dfc-89f2-7c41e260aa89/websitePage:4b6071b8-edc1-4efc-888b-520c728292ff
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/18/2021 • 40 minutes, 48 seconds
DtSR Episode 473 - Cyber Security by Executive Order
Prologue
In this episode, we host a lady who only needs one name, like a movie or rock star. But "Jax" deals with topics we normal people don't have the stomach for, like CMMC and government security. In this episode, she joins us to talk about the current Executive Order on Cybersecurity ( Executive Order 14028, May 12, 2021 - https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity ) and the implications and impact it will, might, and could have. A fascinating discussion that's worth listening to, whether you spend time in FedGov, or not.
Guest
Jaclyn "Jax" Scott
LinkedIn: https://www.linkedin.com/in/iamjax/
Company site: Outpostgray.com
Blog: http://www.beansandbytesblog.com/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/15/2021 • 42 minutes, 52 seconds
DtSR Episode 472 - Rick Howard on Trust and Tech
Prologue
Let me start by saying how much I enjoy chatting with Rick Howard, today's podcast guest. Rick's been on before, and we always go long (especially on this one, sorry not sorry), but the content is well worth your time. On today's episode, we chat about "Zero Trust" and where technology meets concept, what's missing, and what's next. If you think you know all there is to know about Zero Trust, I promise you, you'll learn something new.
Guest
Rick Howard
LinkedIn: https://www.linkedin.com/in/rickhoward/
Twitter: https://twitter.com/racebannon99
Rick's Show on CyberWire (Pro, subscription required): https://thecyberwire.com/podcasts/cso-perspectives
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/9/2021 • 46 minutes, 57 seconds
DtSR Episode 471 - TPA Threat Modeling the Software
Prologue
On Episode 471, as we rapidly hurl towards our 500th episode, we bring back Chris Romeo to talk about threat modeling. Specifically, we discuss threat modeling of software - with developers, methodologies, silos, incentives, and outcomes all in play for discussion. Chris has been doing this a while, and has some deep insights into what it takes to make things work - and we welcome your feedback on how you do it.
Guest
Chris Romeo
LinkedIn: https://www.linkedin.com/in/securityjourney/
Twitter: https://twitter.com/edgeroute
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/2/2021 • 39 minutes, 28 seconds
DtSR Episode 470 - Security Leadership Insights from Ann
Prologue
On this episode of the DtSR Podcast, Ann Johnson joins special guest-host Ken Fishkin of the NJ ISC2 chapter, along with James & Rafal, to talk about leadership, and sports apparently. Thanks to the NJ Chapter of ISC2 ( https://www.linkedin.com/groups/4425593/ ) for submitting questions and to Ken for joining us to guest-host. On this episode, we ask Ann to talk to us about leadership challenges, and what's in store for the future. Also, we briefly talk sports teams and discover Ann is a Cowboys fan.
Guests
Ann Johnson
LinkedIn: https://www.linkedin.com/in/ann-johnsons/
Twitter: https://twitter.com/ajohnsocyber
Ken Fishkin
LinkedIn: https://www.linkedin.com/in/kfishkin/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/26/2021 • 45 minutes, 51 seconds
DtSR Episode 469 - YGHT They Hacked Ransomware
Prologue
This week on a ridiculously awesome episode of the DtSR Podcast, the one and only Mr. Steve Perkins of Nubeva joins Rafal & James to talk about something worth shouting about. They've figured out how to beat ransomware... yes, there are a few 'catch' things, but the tech seems solid and the possibilities endless. Give this episode a listen, then scroll below to click the links, and give this a look for yourself!
Guest
Steve Perkins
LinkedIn: https://www.linkedin.com/in/steve-perkins-1604b31/
Relevant Links
Webinar coming up on session key intercept: https://info.nubeva.com/fall_2021
Email info@nubeva.com if you want to hear more, or partner with them to deliver their tech to YOUR customers
Learn about the tech: https://info.nubeva.com/ransomless_decryption
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/19/2021 • 46 minutes, 11 seconds
DtSR Episode 468 - TPA Another Journey Into Security
Prologue
This week, we get to meet Sean Jackson. You may not know Sean, but his journey may feel familiar. He got here much like many of you, and his story of discovery and understanding of his role in the business as "the security guy" is something you should probably know. There are many paths into our profession, and there are many different ways to view what we do - Sean's is as compelling as it is timeless. Give it a listen, and join me on his journey.
Guest
Sean Jackson
LinkedIn: https://www.linkedin.com/in/74rku5/
Twitter: https://twitter.com/shunkydave
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/12/2021 • 40 minutes, 53 seconds
DtSR Episode 467 - TPA Chips and SLSA
Prologue
This week, Kim Lewandowski joins Rafal & James to talk about Google's latest contribution to the Open Source software movement - Supply-chain Levels for Software Artifacts (SLSA). We have a great conversation, and I hope you guys go watch the video (when it comes out) and check out the axe in the background. I never did find the interesting logo Kim talks about - maybe one of you will find it and post it to #DtSR on Twitter!
Guest
Kim Lewandowski
LinkedIn: https://www.linkedin.com/in/kimsterv/
Twitter: https://twitter.com/kimsterv
SLSA Links
https://cloud.google.com/blog/products/application-development/google-introduces-slsa-framework
https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue
This week, fresh off his Twitter rant, Travis McPeak joins Rafal to talk about the goat rodeo that is vulnerability management in the enterprise. Travis talks about the multitude of reasons vulnerability management is so difficult, and what can be done about the whole mess. Great episode, lots of great discussion, and big thanks to Travis for the contribution to the topic. This needs more discussion, folks!
Guest
Travis McPeak
LinkedIn: https://www.linkedin.com/in/travismcpeak/
Twitter: @TravisMcPeak
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/28/2021 • 39 minutes, 37 seconds
DtSR Episode 465 - TPA Nic-NAC-Security-is-Whack
Prologue
I have no excuses, and no ideas, how this show has made it so far without having the one and only JJ as a guest. She's been doing network security and architecture for a long time, in addition to being a force for good. Her focus on NAC (Network Access Control) shines through in this discussion too. Hilarity ensues.
Guest
Jennifer ("JJX") Minella
LinkedIn: https://www.linkedin.com/in/jenniferminella/
Twitter: https://twitter.com/jjx
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/21/2021 • 49 minutes, 10 seconds
DtSR Episode 464 - TPA An Empowering Discussion on the Grid
Prologue
This week our pal and previous guest Patrick Miller joins us to talk about the power grid, the current state of the thing, and what he's working on in the power generation and distribution sector. It's a strange place where 8" floppy disks and DOS 2.2 still live. Yeah, go search those, you think there's a 0-day for DOS 2.2?
Guest
Patrick C. Miller
LinkedIn: https://www.linkedin.com/in/millerpatrickc/
Twitter: https://twitter.com/PatrickCMiller/
Ampere Security: https://amperesec.com
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/14/2021 • 35 minutes, 52 seconds
DtSR Episode 463 - TPA Human Security Engineering
Prologue
This week our friend Ira Winkler joins Rafal & James to talk about the human element in cyber security. Ira, like us, absolutely loathes the phrase "stupid user" - so you'll want to hear what he's working on, and his comments on the space.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/7/2021 • 39 minutes, 22 seconds
DtSR Episode 462 - TPA Aki Peritz on Open Source Intel
Prologue
With all the craziness going on in the world, from terrorism, to catastrophically botched withdrawals from a 20-year war, to the incredible proliferation of ransomware, and "cyber privateering" making a comeback in the news - it's as good a time as any to discuss open source intelligence, collection, and analysis. Aki is a guy who would know a little bit of something about the topic, because anytime someone has to choose the way they describe their past "work" - you know their background is pretty colorful.
Guest
Aki Peritz
LinkedIn: https://www.linkedin.com/in/aki-peritz-483a994/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/31/2021 • 42 minutes, 1 second
DtSR Episode 461 - TPA Peacocking Without PCAPS
Prologue
Let me start off by saying that this episode isn't about politics. It's about facts, claims made, and election security facts and myths. I want to thank Rob Graham for getting on the show and sharing his experience on short notice, and providing insights from Mike Lindell's "Symposium". It's truly eye-opening, and hopefully a conversation that strikes at the core of what we need to hear right now.
Guest
Robert Graham
Twitter: https://twitter.com/erratarob
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/26/2021 • 27 minutes, 18 seconds
DtSR Episode 460 - TPA About CIAM and Other Auth
Prologue
Thanks to Okta, for providing what is surely an entertaining (at least to record) and informative episode with some really cool guests. Bharat and John join James and Raf to talk about CIAM (a term Raf had to look up) and all things authentication history, past, and present. By the way, if you haven't registered, you should register for this very cool Okta Developer Day "Auth for All".
Guests
John Pritchard
LinkedIn: https://www.linkedin.com/in/jpritchard/
Bharat Bhat
LinkedIn: https://www.linkedin.com/in/bharatbhat/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/23/2021 • 41 minutes
DtSR Episode 459 - TPA A Defenders Endpoint Perspective
Prologue
Big thanks this week to OpenText for providing access to Fabian Franco (go check out his bio below). He joins James & Rafal to talk about protecting endpoints, and some of the interesting things that go along with state-of-the-art detection and response capabilities. Also, if you'd be so kind as to support those who keep this show going, go check out the OpenText link below and give it a click, won't you? Why are there so many acronyms for endpoint defense? What do EPP, EDR, MDR, XDR mean and are they at all any different? Let's dive into this, on today's episode.
Guest
Fabian Franco
Bio: Fabian Franco, Senior Manager of Digital Forensics and Incident Response (DFIR), Threat Hunting and SOC. Fabian specializes in digital forensics, incident response, memory forensics, malware analysis, reverse engineering of malware and threat hunting.
LinkedIn: https://www.linkedin.com/in/fabian-franco-434646a/
OpenText: https://security.opentext.com/solutions/managed-detection-and-response
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/17/2021 • 36 minutes, 1 second
DtSR Episode 458 - TPA Staffing Disasters We Created
Prologue
This week we have the pleasure of having Kevin Pope, one of Raf's close and long-time friends, and someone who's had one heck of a journey into and through our industry. Kevin is a veteran, a security-curious, and cyber security professional - and he's also got some metered opinions too. We discuss hiring, staffing, and some of the issues we've collectively - and he specifically - have seen. Give this one a listen if you want to understand why we have the staffing problem in cyber-security that we do. Seriously.
Guest
Kevin Pope
LinkedIn: https://www.linkedin.com/in/screamingbyte/
Twitter: https://twitter.com/screamingbyte
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/10/2021 • 37 minutes, 49 seconds
DtSR Episode 457 - TPA Foreign Adversaries Killing People
Prologue
Huge thanks to Prevailion's Karim Hijazi for taking the time with us to dissect this Gartner headline and article on "adversaries killing people using OT". As we expected, a sensationalist headline, followed by some mildly fluffy stuff, with a kernel of truth. Good discussion nonetheless, though, and I even learned a thing.
Links
The Gartner article referenced: https://www.gartner.com/en/newsroom/press-releases/2021-07-21-gartner-predicts-by-2025-cyber-attackers-will-have-we
Guest
Karim Hijazi
LinkedIn: https://www.linkedin.com/in/karimhijazi/
Previous episode: http://ftwr.libsyn.com/dtsr-episode-426-tpa-winning-intelligence-collecting-zombies
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/3/2021 • 36 minutes, 1 second
DtSR Episode 456 - TPA The Pandemic Meat Grinder
Prologue
Frankly, we have no idea how we got through 450 episodes without interviewing Rich. No clue. Rich is a man of many talents, including a trained responder for situations like we've been facing. He's also a cloud security specialist, and happens to do a half-dozen other things in his "spare time" too. In this episode we chat about what the pandemic has taught cyber security professionals, and what we'll come out the other side looking like.
Warnings:
Loki spoiler alert - oops, Rafal did this one
Explicit language warning - Rich dropped some colorful language, deal with it
Guest
Rich Mogull
LinkedIn: https://www.linkedin.com/in/richmogull/
Twitter: https://twitter.com/rmogull
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/27/2021 • 48 minutes, 59 seconds
DtSR Episode 455 - TPA All The Reminiscing
Prologue
It's been a long time, maybe forever, since James and I sat down and just chatted on the podcast. With all these amazing guests we have on the show it's easy to get caught up in the fun and forget to just have a two-person conversation every once in a while. With that in mind, we did it this week. We sat down, just the two of us, and chatted about the last few hundred episodes, the things that have stayed with us, and some things we wished would "get better" but alas... Jump in, this is a special episode.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/22/2021 • 41 minutes, 21 seconds
DtSR Episode 454 - TPA Cyber Insurance Fact vs Fiction
Prologue
Sean Scranton joins Shawn Tuma and myself to talk about cyber insurance, specifically, as it is a massive topic of discussion lately. Building on top of the "does cyber insurance even pay out?" question and exploring if cyber insurance will actually change the industry (as Jeremiah hints in episode 447), we traverse a lot of related topics and answer some good questions. This is one of the most informative episodes on this specific topic I've found out there - without all the usual propaganda. Huge thank you to Sean and Shawn for agreeing to take time away from client work to speak with DtSR, and leave this information accessible to my listeners.
Guests
Sean Scranton
LinkedIn: https://www.linkedin.com/in/sean-scranton-2b24948/
Shawn Tuma
LinkedIn: https://www.linkedin.com/in/shawnetuma/
Twitter: https://twitter.com/shawnetuma
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/13/2021 • 45 minutes, 31 seconds
DtSR Episode 453 - TPA On Prioritizing Enterprise Vulnerabilities
Prologue Vulnerability Management has been a bit of a soapbox for me lately, and this episode brings in two experts on the topic directly from the enterprise to talk about how our approach to prioritization, spreadsheets, and today's big vulnerability problem produce serious issues for enterprise professionals. The problem is as old as our profession, but in spite of the tools, testimonials, and hand-waving it's still a massive problem. Guests Britney Hommertzheim LinkedIn: https://www.linkedin.com/in/bhommertzheim/ Twitter: https://twitter.com/bhommertzheim Ace Moore Ace is incognito :) Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
7/6/2021 • 41 minutes, 14 seconds
DtSR Episode 452 - TPA Burning It At Both Ends
Prologue On this episode of the podcast I have the pleasure of hosting one of my long-time friends and industry titan - Dawn-Marie "Rie" Hutchinson. She's fresh off of a stint as a CISO, and talking about burnout in our industry and beyond. It's always a pleasure chatting with a friend, but this is an important topic, so extra thanks to her for sharing her knowledge and insights with us; working in a globally diverse and multi-timezone workforce isn't easy, and the lessons are useful! Guest Dawn-Marie "Rie" Hutchinson LinkedIn: https://www.linkedin.com/in/riehutch/ Twitter: https://twitter.com/CISO_Advantage Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
6/29/2021 • 41 minutes, 59 seconds
DtSR Episode 451 - TPA Rockin It
Prologue My pal Rock has ventured off on his own, so I wanted to catch up with him and get a quick update on the state of business, but also get a sense for what he's seeing in the industry as he's advising companies and helping them through compliance and regulatory challenges. Fascinating conversation, always fun stuff. Guest Rock Lambros LinkedIn: https://www.linkedin.com/in/rocklambros/ Twitter: https://twitter.com/rocklambros Twitter: https://twitter.com/rockcyberllc Website: https://www.rockcyber.com/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
6/14/2021 • 42 minutes, 38 seconds
DtSR Episode 450 - TPA 3rd Party Risk Shitshow
Prologue Ladies and Gentlemen - we've hit ** 450 ** episodes. Let me just take a moment and reflect on the number of awesome guests, long hours recording and editing, and all of you phenomenal fans and listeners spreading the show content. Episode 450 feels like the right one to drop an episode with one of my real-life best friends, British sensation, and perennial entrepreneur Vikas Bhatia. We drop the gloves and go after the shitshow that is third party risk management in the modern day enterprise. There are answers, but not if you don't address it head-on. Guest Vikas Bhatia LinkedIn: https://www.linkedin.com/in/vikasbhatiauk/ Twitter: https://twitter.com/vikasbhatiauk Company URL: https://justprotect.co Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
6/7/2021 • 43 minutes, 21 seconds
DtSR Episode 449 - TPA Tuma on A Watershed Moment for US Cyber
Prologue In this episode, our legal eagle Shawn Tuma is back to discuss the Colonial Pipeline incident and whether it could be a watershed moment for US Cyber interests. As Toby Keith's "Courtesy of the Red, White, and Blue" plays in the background, we discuss what's happened, what could happen, and what it all means. Guest Shawn Tuma LinkedIn: https://www.linkedin.com/in/shawnetuma/ Twitter: https://twitter.com/shawnetuma/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
6/3/2021 • 44 minutes
DtSR Episode 448 - YGHT Knock Knock Who's There
Prologue You've GOT to hear this! This week on the podcast, I invited Martin Zizi of Aerendir, to talk about how we can use technology to not only distinguish between humans and non-humans (bots?) but also how to identify humans with staggering levels of precision - using commonly available and inexpensive components. He's got humor, an eclectic background, and great knowledge of the topic. Join us! Guest Martin Zizi Bio: Dr. Martin Zizi, MD-Ph.D, deep expertise in Molecular Biophysics and Neurosciences. He is one of the Founders & CEO of Aerendir Mobile Inc. He is the inventor of the NeuroPrint®, a cloudless AI-supported neural-tapping technology that can be used for authentication, identification, encryption, secure TLS, and bot segregation. Following his early years in the United States as a Scientist at the Walter Reed Army Institute of Research where he worked on very advanced projects, he had a 20-years dual-track career, leading both academic and strategic projects as a top scientist in 3 fields and was also a Chief Scientific Officer for Belgian DoD. Martin was a sought-after advisor for the Belgian, the EU governments, international organizations (UN) and the industry. Aerendir Mobile Inc. is his second start-up. He was #2 at another start-up in the Medical technology vertical. LinkedIn: https://www.linkedin.com/in/martinzizi/ Twitter: https://twitter.com/MartinZ_uncut Aerendir Mobile, Inc. LinkedIn: https://www.linkedin.com/company/aerendir-mobile-inc Twitter: https://twitter.com/AerendirMobile/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
5/25/2021 • 48 minutes, 42 seconds
DtSR Episode 447 - TPA Software Security Liability and Insurance
Prologue I don't know about you, but I have Jeremiah in a list on Twitter that allows me to read/think about some of the things he posts without the noise of the rest of Twitter. Should a company that develops software be held responsible when a bug they missed is exploited? Why do we "Agree" on all those click-through agreements which basically disavow any responsibility, anyway? What about security tools - if they scan and miss a flaw that's later exploited, shouldn't they be liable? These and other salient topics are discussed in fairly great detail without all the usual hype you hear around this topic. Please join us, this is a wonderful episode to listen to more than once. Guest Jeremiah Grossman LinkedIn: https://www.linkedin.com/in/grossmanjeremiah/ Twitter: https://twitter.com/jeremiahg Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
5/18/2021 • 43 minutes, 59 seconds
DtSR Episode 446 - TPA AppSec Philosophy
Prologue When in Austin, TX ... meet up with some friends, right? This week I have the pleasure of sitting down in person with Joel, who has been doing the "AppSec thing" for longer than many of you who are reading this have been in our profession. Joel knows a thing or two - so we discuss a thing or two. Philosophy, history, and some ugly truths come out in a conversation that can only happen in person. Guest Joel Scambray LinkedIn: https://www.linkedin.com/in/joelscambray/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
5/11/2021 • 39 minutes, 31 seconds
DtSR Episode 445 - TPA Non-Random Cyber Thoughts with Dave Marcus
Prologue I honestly am having a difficult time understanding how this show has gone so long, so many episodes, without sitting down with Dave Marcus 1:1. It hurts my brain. So I rectified this situation and here you are. Dave is one of the best humans in the industry, has a few truckloads of knowledge, and you could stand to learn something from him. Give this episode a shot. Warning: Dave drops a pair of F-bombs, and the show goes a little longer than most at >40 minutes. But it's well worth your time. I promise. Guest Dave Marcus Twitter: https://twitter.com/DaveMarcus LinkedIn: https://www.linkedin.com/in/marcusdavid/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
5/4/2021 • 51 minutes, 49 seconds
DtSR Episode 444 - TPA Gary is Awful at Retirement
Prologue I'm honored to have Gary McGraw on with James and myself on this episode. I hadn't realized, but Gary retired from (what was formerly) Cigital - and by retired I mean "started something new". Gary sucks at retirement, but he's brilliant and has a lot to say about machine learning and its applications, so you should really listen in. No, "AI" isn't going to take over security - but it's worth exploring the enormous contributions machine learning makes to our lives and how they can be abused. Guest Gary McGraw Twitter: https://twitter.com/noplasticshower Home: https://www.garymcgraw.com/ Boards he's on: https://www.garymcgraw.com/technology/business/ Info on Berryville Institute: https://berryvilleiml.com/ ARA for ML: https://berryvilleiml.com/results/ara.pdf Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue Chris Eng has been elbows deep in software security for a very long time. Times have changed over the last 20 years, as have tools, methods, and outcomes - what hasn't changed is how much security debt we keep amassing in our applications. How bad is the problem, and what can be done? Tune in and find out what we think. Guest Chris Eng LinkedIn: https://www.linkedin.com/in/chris-eng-ab51331/ Twitter: https://twitter.com/chriseng Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
4/20/2021 • 45 minutes, 52 seconds
DtSR Episode 441 - TPA State Secrets and Diplomatic Protection
Prologue ** First, before I say anything else, I want to thank Lonnie and his staff for their service to our country. Protecting diplomats is not an easy task I imagine, and being the most powerful nation on Earth, our diplomats are likely a target 24x7x365. ** This week, Lonnie Price joins me and James on the show for an intriguing talk through some very, very cool stuff. Now, this episode is special. Of course, every episode is special but some are more special than others. In this edition of the show we're talking to someone who keeps state secrets, well ... secret, as America's diplomats travel domestically and abroad. I can safely say I had no idea how much there was to concern yourself with beyond just encryption. Guest Lonnie Price LinkedIn: https://www.linkedin.com/in/lonniejprice/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
3/29/2021 • 43 minutes, 4 seconds
DtSR Episode 440 - TPA Fighting Back Against ATO
Prologue Account Take-Over (ATO). You've probably not given this too much thought, unless you've had your account jacked. Whether it was someone stealing your Twitter account, or your bank account, or God-forbid your Facebook - you know the ramifications are serious. But how do you identify it, prevent it, detect and respond to it, and maybe even recover from it... at scale? Rafal's guest, Ari Jacoby of Deduce has some ideas. Ari talks about the broader ATO problem, and suggests some of the reasons it's gotten this bad (...how bad is it?...) and what companies that are not in the Fortune 250 can do to protect themselves - and you. Guest Ari Jacoby Deduce: https://www.deduce.com/ LinkedIn: https://www.linkedin.com/in/arijacoby/ Twitter: https://twitter.com/arijacoby Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
3/23/2021 • 41 minutes, 13 seconds
DtSR Episode 439 - TPA Open Source Endpoint Defense
Prologue OK, say it with me, defender tools suck. They all have their own dashboards, data formats, ways to look at what's going on...and that wouldn't be bad if they even remotely worked together. OSQuery isn't the end-all for endpoint tools, but it surely can tell you a whole lot about what's going on out there - and then you can actually intelligently do something. But it needs a front-end...so enter Fleet. This episode is all about defending the endpoint using open source, and Fleet/OSQuery specifically. Guest Zach Wasserman LinkedIn: https://www.linkedin.com/in/zacharywasserman/ Twitter: https://twitter.com/thezachw Fleet Open Source Device Management: https://fleetdm.com/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
3/16/2021 • 41 minutes, 15 seconds
DtSR Episode 438 - TPA Implementing Zero Trust Principles
Prologue This week on a very cool conversation, Rafal snags a chance to do a virtual sit-down with Yuri all the way from the Netherlands. Yuri is one of the quintessential experts on Zero Trust (not the commercial tools stuff, but principles and foundations) and you need to hear his take on how we get it implemented, where, and why. Guest Yuri Bobbert LinkedIn: https://www.linkedin.com/in/yuribobbert/ His book "Leading Digital Security": https://www.linkedin.com/pulse/new-book-leading-digital-security-yuri-bobbert-1f/?trackingId=%2Fwm4S897TnSMTgkDszCDJQ%3D%3D Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
3/9/2021 • 47 minutes, 41 seconds
DtSR Episode 437 - TPA Healthcare IT Under Siege
Prologue This week, DJ McArthur joins James and Rafal to talk shop about his career in defending healthcare IT. The CliffsNotes version is that it's more complex, more under siege, and more critical than ever. No problem, right? This episode has been a long time coming, and DJ is an honest-to-goodness expert in the field. He teaches classes on this topic, which you may just want to go and look up if this is your thing. Guest DJ McArthur LinkedIn: https://www.linkedin.com/in/dj-mcarthur-74364b24/ Twitter: https://twitter.com/djmca5280 Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
3/2/2021 • 40 minutes, 44 seconds
DtSR Episode 436 - TPA A Dev Perspective on AppSec
Prologue Continuing what accidentally became a series of AppSec or Software Security focused episodes, #436 takes it from yet another direction. Rey joins us to talk about AppSec from his perspective - that of a life-long developer that's moved into software security. It's been an interesting journey, and while some of the things we discuss aren't necessarily revelations - listen for the subtle clues about what software security teams are doing wrong in the corporate enterprise... you'll hear it. Guest Rey Bango LinkedIn: https://www.linkedin.com/in/reybango/ Twitter: @ReyBango Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
2/23/2021 • 43 minutes, 53 seconds
DtSR Episode 435 - TPA WPScan and WordPress
Prologue Episode 435 is packed with open source goodness, talking about WordPress and WPScan with Ryan Dewhurst. Ryan started WPScan (a tool you probably use as a security practitioner) and has now made a business out of it. He spends a half-hour discussing the product, his road, and WordPress/security in general, and includes some plans for the future. Guest Ryan Dewhurst LinkedIn: https://www.linkedin.com/in/ryandewhurst/ Twitter: https://twitter.com/ethicalhack3r Website: https://wpvulndb.com/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
2/16/2021 • 36 minutes, 29 seconds
DtSR Episode 434 - TPA Open Source Software Security
Prologue This week, Jennifer Fernick of NCC Group joins me to talk about her work with open source software and security. With a storied career, Jennifer is well-qualified to talk about some really interesting topics, but finding bugs in open source software, at the scale we need it to be done, is a monumental task. If you're a developer and keen on innovation and open-source, and know security or are interested in learning more - I encourage you to go check out the Open Source Security Foundation here: https://openssf.org/ Guest Jennifer Fernick LinkedIn: https://www.linkedin.com/in/jenniferfernick/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
2/9/2021 • 43 minutes, 50 seconds
DtSR Episode 433 - TPA Leading the Alliance
Prologue: This week, Gary Latham joins the podcast to talk about taking the reins of the Security Advisor Alliance, at a pivotal time for the organization. If you don't know about the SAA, I highly encourage you to check it out here: https://www.securityadvisoralliance.org/ Guest Gary Latham LinkedIn: https://www.linkedin.com/in/gary-latham-8bb62925/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
2/2/2021 • 37 minutes, 8 seconds
DtSR Episode 432 - TPA Identity and Trust
Prologue On this week's episode of the podcast, boomerang guest Robb Reck joins Rafal to talk identity, trust, and what's happened since the last time Robb was on the show (which was in 2016!). Of course they talk about the "big hack", and retreat into identity, Zero Trust, and the challenges of mid-market companies trying to do their own security. The lesson here? "The more we learn, the more we recognize we know very little." Guest Robb Reck LinkedIn: https://www.linkedin.com/in/robbreck/ Twitter: @RobbReck Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
1/26/2021 • 40 minutes, 38 seconds
DtSR Episode 431 - TPA Medical IOT
Prologue This week on DtSR, an old friend Jamison Utter joins Rafal to talk about medical IoT devices, and what makes them different -- and of course, how we can better protect them. Jamison's company, Medigate, is a healthcare security and medical analytics company - and it's an interesting discussion on how this type of IoT differs from others with security implications. You'll want to listen in, since the "Internet of Things" discussion is getting very varied, and you need to keep up. Guest Jamison Utter LinkedIn: https://www.linkedin.com/in/jamisonutter/ Twitter: https://twitter.com/jamison_utter Company website: https://medigate.io Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
1/19/2021 • 37 minutes, 50 seconds
DtSR Episode 430 - TPA What We Learned in 9 Years
Prologue David was a guest on the podcast many years ago, back in episode 7. We had a great conversation and it's interesting to see how so many of the topics have evolved in the last nearly a decade. Or not. Guest David Elfering LinkedIn: https://www.linkedin.com/in/aroundomaha/ Twitter: https://twitter.com/icxc Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
You Gotta Hear This! [YGHT] This special edition of the Down the Security Rabbithole Podcast is the first of its kind. For 2021 I've decided to throw in a bonus episode here and there that doesn't necessarily fit the typical format when I find something interesting, or a topic or person worth your time. Right now, with CrowdSec, is that time. Philippe Humeau is a wealth of information and the CEO of CrowdSec - a company that's picking up where someone else left off and making crowd-sourced security intelligence free if you're a contributor to the system. Brilliant stuff... jump in and listen. Guest Philippe Humeau LinkedIn: https://www.linkedin.com/in/philippehumeau/ Twitter: https://twitter.com/philippe_humeau Check out CrowdSec LinkedIn: https://www.linkedin.com/company/crowdsec/ Hub: https://hub.crowdsec.net/?_ga=2.115542209.614917574.1610075573-377858623.1610075573 Twitter: https://twitter.com/Crowd_Security Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue Let's start 2021 off right with a returning guest whose name you will want to remember. Joep (pronounced like "soup" but with a "you") Gommers the founder and CEO of EclecticIQ joins Rafal to talk about threat intelligence - from platforms to TIPs, use-cases, implementations, limitations, and the move to TIM. It's a fun conversation that looks at where "threat intelligence" started, and where it's gone over the last 5 years or so. If you're a threat intel analyst, another consumer, or even a vendor, you'll want to listen up carefully and maybe take notes. By the way we need a "TIM-enabled NextGen SOC Platform" sticker to be made up, with "Tim the Enchanter" as the key figure ... this should happen. Someone has to have the talent! Guest Joep Gommers LinkedIn: https://www.linkedin.com/in/joepgommers/ Twitter: https://twitter.com/joepgommers Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
1/5/2021 • 33 minutes, 43 seconds
DtSR Episode 427 - TPA Security Beyond the RegExp
Prologue This week, on the last episode of 2020, Michael Coates joins Rafal to talk about wire-speed-data-protection. Sort of like CASB but more universal. Interestingly, Rafal and Michael talk through how DLP has evolved and into what, and some interesting developments along the way - then the promise of something better. Guest Michael Coates LinkedIn: https://www.linkedin.com/in/mcoates/ Twitter: https://twitter.com/_mwc Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue First and foremost, thank you to Prevailion for giving us some of Karim's time, and content for this episode. Adversary intelligence is critical to protection and defense, so the methods and means by which it's gathered, refined, and provided back into the industry is always a great topic of discussion. I can't stress enough how much I recommend going and doing this - https://www.prevailion.com/claim-your-apex-platform-account/ which is free and can give you an idea of whether you have some of those pesky "bad actors" running around your infrastructure stealing your critical assets. Guest Karim Hijazi LinkedIn: https://www.linkedin.com/in/karimhijazi/ Is YOUR org compromised?: https://www.prevailion.com/claim-your-apex-platform-account/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
12/22/2020 • 45 minutes, 22 seconds
DtSR Episode 425 - TPA Being Media Trained
Prologue This week, one of my old allies in the advocacy for sane media appearance joins James and me on the podcast. We talk about being a media liaison, managing speakers and security types with lots to say and few f***s to give for the media. It's an interesting conversation if you want to hear about what your media and PR person has to go through. Guest Diana Wong LinkedIn: https://www.linkedin.com/in/dianawong1/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
12/15/2020 • 35 minutes, 54 seconds
DtSR Episode 424 - SOC Fight 2020
Prologue Fill up your coffee cup, find a comfortable seat, and get ready to dive into this show! Richard & Anton join James and Rafal to discuss the SOC and its evolution (or not) in today's enterprise. What are the major issues with SOCs today? What will the SOC of tomorrow be like? Does anyone know why Anton's hair is so nutty? These and other questions will be answered, maybe, on this show... so listen in and please give us some love on the socials. Guests Richard Stiennon LinkedIn: https://www.linkedin.com/in/stiennon/ Twitter: https://twitter.com/stiennon Anton Chuvakin LinkedIn: https://www.linkedin.com/in/chuvakin/ Twitter: https://twitter.com/anton_chuvakin Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
12/8/2020 • 50 minutes, 23 seconds
DtSR Episode 423 - TPA Malware and Other Bad Things
Prologue This week, virtually live from Enfuse 2020 we've invited Grayson Milbourne, who is the Director of Security Intelligence at OpenText (formerly Carbonite/Webroot), to the show to talk about his work, malware, and the ever-evolving battle between good and evil'ish. This is a unique look at the intelligence, research, and innovation that goes into anti-malware tools and the arms race between attacker and defender in the real world. Guest Grayson Milbourne LinkedIn: https://www.linkedin.com/in/themilbourne/ Twitter: https://twitter.com/gmilbourne Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
11/30/2020 • 45 minutes, 40 seconds
DtSR Episode 422 - TPA Blurry Ethical Lines
Prologue: This week is a TREAT for you Down the Security Rabbithole Podcast listeners. Before she does her keynote on the topic, you'll get to hear Tarah Wheeler's take on the graying lines of privacy, security, and ethics. Just because we can ... does that mean we should? Lots of interesting discussions, and some totally nerdy and pedantic references you'll want to listen to a few times. Week 3 of OpenText's Enfuse Conference 2020 is kicking off with Tarah's keynote, and if you haven't checked in, or signed on, maybe this will convince you! Give her keynote a listen... Guest Tarah Wheeler LinkedIn: https://www.linkedin.com/in/tarah/ Twitter: https://twitter.com/tarah Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
11/23/2020 • 43 minutes, 16 seconds
DtSR Episode 421 - TPA Holding the Public Ransom
Prologue Welcome to week 2 of our coverage of the OpenText Enfuse conference! This week I'm super excited about two very cool guests - Brian Chidester and Tyler Moffitt. Y'all know Brian who is now officially a multi-time returning guest, and Tyler's background is pretty cool (literally, you'll know what I mean when I post the video hopefully soon). Huge thanks to OpenText for giving us access to these great guests. Go check out #EnfuseOnAir (on Twitter's hashtag) with the links below: Links: Conference link - https://www.opentext.com/enfuse General Registration link - https://web.cvent.com/event/d634f034-3b46-432a-ae21-4be1ca3fb1cf/regProcessStep1?RefId=enfuse2020-ppctx&rp=00000000-0000-0000-0000-000000000000 OpenText security handle -- https://twitter.com/OpenTextSecure Guests: Brian Chidester LinkedIn: https://www.linkedin.com/in/abchidester/ Twitter: https://twitter.com/ChidesterAB Tyler Moffitt LinkedIn: https://www.linkedin.com/in/tyler-moffitt-29752050/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
11/16/2020 • 37 minutes, 5 seconds
DtSR Episode 420 - TPA Virtually Live from Enfuse 20 Overview
Prologue This week on DtSR Anthony Di Bello from OpenText drops by the show to talk about Enfuse, and the future of forensics, eDiscovery, and cyber security - and happens to let out a few details of the Enfuse 2020 conference kicking off this week. Anthony's always a great interview and of course we talk about my favorite topic lately - "convergence" of security disciplines. Join us - and if you're so inclined, virtually attend Enfuse 2020 by clicking over here: REGISTER FOR ENFUSE 2020. Guest Anthony Di Bello LinkedIn: https://www.linkedin.com/in/anthony-di-bello-29b419b/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
11/9/2020 • 41 minutes, 42 seconds
DtSR Episode 419 - TPA CISOs in Covid Times
Prologue This week James and Rafal have the pleasure of being joined by Allan Alford, from his work-cave somewhere near Dallas, TX to talk about what we're hearing and seeing as we advise CISOs during the times that Covid brings. We discuss budgets, priorities, and "good enough" security strategy in a weird time in our industry and world. Guest Allan Alford LinkedIn: https://www.linkedin.com/in/allanalford/ Twitter: https://twitter.com/AllanAlfordinTX/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
11/3/2020 • 41 minutes, 54 seconds
DtSR Episode 418 - TPA Another Security Inflection Point
Prologue This week on DtSR, John Steven joins Rafal & James to talk about an inflection point in security that's happening right now. As you may notice, everything about security is changing, especially in the AppSec space... listen in and you'll hear John's thoughts on a very interesting time to be in the industry. Evolve, or die... Guest John Steven LinkedIn: https://www.linkedin.com/in/m1splacedsoul/ Twitter: https://twitter.com/m1splacedsoul Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
10/27/2020 • 38 minutes, 56 seconds
DtSR Episode 417 - TPA Budgets and Breaches
Prologue This week on DtSR my long-time friend and pragmatic alter-ego, Chris Abramson, joins me to give a sneak peek at what you can expect on the new podcast we're launching together in a few weeks... and also to discuss the "budget before breach/budget after breach" meme going around LinkedIn. We discuss security, budget, process, threat modeling and a half-dozen other things you'll just have to listen to the show to hear. Guest Chris Abramson LinkedIn: https://www.linkedin.com/in/chris-abramson-29a9b2b/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
10/20/2020 • 43 minutes, 7 seconds
DtSR Episode 416 - TPA A Newer New Hope
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
10/13/2020 • 42 minutes, 42 seconds
DtSR Episode 415 - TPA Man Algorithm Machine
Prologue As I was scrolling through LinkedIn looking for interesting things to read, who should scroll by but one Sven Krasser, whom you may remember from a few episodes ago ( http://ftwr.libsyn.com/dtsr-episode-261-deeper-down-the-ml-rabbit-hole ) - OK it was a long time ago now. We talk briefly about machine learning, algorithms and other relevant things and have a little fun in the process. I hope you enjoy the episode! Guest Sven Krasser Twitter: https://twitter.com/SvenKrasser LinkedIn: https://www.linkedin.com/in/svenkrasser/ His blog: http://www.skrasser.com/blog/archives/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
10/6/2020 • 36 minutes, 43 seconds
DtSR Episode 414 - TPA Rick Howard's Almost Retirement
Prologue: This week on episode 414 of the podcast, I'm joined by Rick Howard who just retired ... no, wait ... scratch that, almost retired from Palo Alto Networks after a fantastic run. Rick tells the story of how he almost retired, why he's not on the beach somewhere yet, the Cyber Security Canon, and so much more. Join me, this week on the podcast, because you never know just how many more of these he'll agree to before he actually and truly does retire some day! Guest Rick Howard Twitter: https://twitter.com/raceBannon99 LinkedIn: https://www.linkedin.com/in/rickhoward/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
9/29/2020 • 44 minutes, 42 seconds
DtSR Episode 413 - TPA SOCs and Stuff
Prologue This week we welcome Greg Foss to the show - Greg has some experience in security operations and managing SOCs and such. He dishes, we laugh, we learn, and hopefully you'll enjoy. Lots of topics covered including my personal favorite: "tools in the SOC" - in which we discuss how tools are actually hurting SOC efficiency and such. Guest Greg Foss LinkedIn: https://www.linkedin.com/in/gregfoss/ Twitter: https://twitter.com/Heinzarelli Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
9/23/2020 • 41 minutes, 26 seconds
DtSR Episode 412 - TPA Consolidation Integration and Good Enough
Prologue: This week David Soto joins Rafal and James to talk about how throughout his career the cybersecurity landscape has evolved and the tools have consolidated, integrated, and how we're perhaps still misunderstanding "good enough". David of course has a very long and storied career where he's carried multiple roles from CISO to a consultant, so he has a depth of experience most of us don't get. He's great to listen to, as he shares his knowledge - tune in! Guest: David Soto LinkedIn: https://www.linkedin.com/in/dsoto/ Twitter: @David__Soto Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
9/15/2020 • 46 minutes, 55 seconds
DtSR Episode 411 - TPA RSnake at Large
Prologue: This week, the one and only @RSnake joins us to just ... talk. We notice he has a few cameras too many, or maybe he's just being monitored? We talk about the big problems in the industry, what he's doing to solve them, and some other random things you'll have to listen to get. Guest Robert Hansen Twitter: @RSnake LinkedIn: https://www.linkedin.com/in/roberthansen3/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue: Because we can't get enough of Brandon Dunlap and Shawn Tuma over here on the podcast, here we go again. Last episode Brandon talked about responsibility and accountability - so when we saw the story about a CISO being indicted for being less-than-truthful to the FTC, we couldn't resist. This episode is powerful, and doesn't tiptoe around difficult topics. Guests: Brandon Dunlap Twitter: @bsdunlap LinkedIn: https://www.linkedin.com/in/bsdunlap/ Shawn Tuma Twitter: @shawnetuma LinkedIn: https://www.linkedin.com/in/shawnetuma/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
9/1/2020 • 46 minutes, 37 seconds
DtSR Episode 409 - Dunlap Time 2020 Edition
Prologue: Hey friends, it's Tuesday so time for another dazzling edition of the podcast. This week we welcome Brandon Dunlap - hair model, professional snarkist - back to the show. This is Brandon's fourth trip around the merry-go-round, so I think he holds the record now. Someone may want to fact-check that... Brandon talks about transitioning between roles, managing big orgs, very remotely, and of course "Would you ever go back to a CISO role?" Join us, and you may be able to help solve a mystery. Guest Brandon Dunlap LinkedIn: https://www.linkedin.com/in/bsdunlap/ Twitter: @bsdunlap (Hey, someone remind him that picture is like ... 10 years old!) Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
8/26/2020 • 52 minutes, 19 seconds
DtSR Episode 408 - Shawn Tuma Cyber Superhero
Prologue: This week, on episode 408 Shawn Tuma joins us again to talk about the legal side of cyber security. Shawn's one of the premier legal forces on breach law and litigation - you can fact check that - and it's great to have him on the show again. We talk through what's going on in laws, litigation, and whatever else is on his mind. Guest Shawn Tuma: Twitter: @ShawnETuma LinkedIn: https://www.linkedin.com/in/shawnetuma/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
8/18/2020 • 44 minutes, 8 seconds
DtSR Episode 407 - Marc's Wild InfoSec World
Prologue: This week, a legend of the InfoSec (or Cyber Security, for some of you) space joins me on the show. Marc Rogers has been the guy heading up Defcon security, and at the helm of the security function for some ... "highly visible" companies doing great amounts of good. Now, he's doing tremendous amounts of good during the global Covid-19 pandemic by providing cyber security services to besieged healthcare firms via the CTI League (check out their open letter here, as it may apply to you.) Guest Marc Rogers Twitter: @MarcWRogers LinkedIn: https://www.linkedin.com/in/marcrogers/ CTI League: https://cti-league.com/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
8/12/2020 • 46 minutes, 53 seconds
DtSR Episode 406 - Cybersecurity and the SMB
Prologue Cybersecurity is one of those industries where one of the market segments most desperate for support is also one of the least supported. The Small and Medium Business (SMB) segment is largely ignored by most security vendors and service providers alike - and yet they need the most help. Kiersten has put in the work to build tools and resources (all free, by the way) for this dramatically underserved market segment. In our episode, we talk about challenges, resources, and opportunities before us. Join us! Guest Kiersten Todt LinkedIn: https://www.linkedin.com/in/kiersten-e-todt-73b81359/ Cyber Readiness Institute: https://www.cyberreadinessinstitute.org/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
8/5/2020 • 39 minutes, 10 seconds
DtSR Episode 405 - Hallmarks of Good Leaders
Prologue: This week, Rafal welcomes Wayne Reynolds, a veteran of not only our industry, but of the US Marine Corps - where he's been a leader in multiple scenarios. We talk about what makes good leaders, good and bad styles, and the things you need to know if you either WANT to be a leader, or you are looking to find someone who you want to work for. Huge thanks to Wayne for taking time out of his crazy schedule early in the morning to talk with us. Guest Wayne Reynolds LinkedIn: https://www.linkedin.com/in/wayne-reynolds-80593318/ Raf's note: It's been an honor and privilege to work alongside Wayne in a past life - he's a solid human, and a fantastic leader. Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
7/28/2020 • 30 minutes, 57 seconds
DtSR Episode 404 - The Wacky Wild World of OT
Prologue: This week, on the "Episode Not Found", Rafal and James host Robert Lee from Dragos. It's a conversation about Operational Technologies that includes a deep dive into the business and management side of Industrial Controls and the Energy Sector. Robert gives us a frank, no-spin walkthrough of the good and bad of the space and talks about some of the misunderstandings many of us have. A great episode if you're interested in the non-traditional cybersecurity sector. Guest Robert Lee Twitter: https://twitter.com/RobertMLee LinkedIn: https://www.linkedin.com/in/robmichaellee/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
7/21/2020 • 43 minutes, 57 seconds
DtSR Episode 403 - ReInventing the MSSP
Prologue: This week on the podcast, episode 403 features two good friends of mine, Joey Peloquin and John "JP" Pirc. John and I talked about the awful state of the MSSP back in episode 395 (LINK) and I was challenged to do more than just talk about the sorry state of security delivered as a service. So, I called up some friends, and we talked it through. I'm curious - do you agree with us? Let us know on LinkedIn by going to our LinkedIn page, or on Twitter using the hashtag #DtSR. Guests Joey Peloquin LinkedIn: https://www.linkedin.com/in/joeypeloquin/ Twitter: https://twitter.com/jdpeloquin John "JP" Pirc LinkedIn: https://www.linkedin.com/in/johnpirc/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
7/15/2020 • 43 minutes, 24 seconds
DtSR Episode 402 - Life Security Adulthood
Prologue: First, I need to apologize for the quality of my (Rafal) audio. For a reason I don't understand, the Skype central record feature absolutely butchered it - could have been something on my end, I simply don't know. It should be listenable, albeit annoying. Second, huge thanks to Carlos for taking the time out of his busy morning from being a dad and his day job to talk to us. He's got a lot of really interesting and important things to share about his adventures in our industry and community - you should probably listen closely. Lastly - I have t-shirts to give away. If you want one, follow & re-tweet the @DtSR_Podcast handle and we'll pick a few of you (probably at random) to send shirts to. Guest Carlos Perez LinkedIn: https://www.linkedin.com/in/carlos-perez-a146b917/ Twitter: https://twitter.com/carlos_perez/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
7/7/2020 • 43 minutes, 57 seconds
DtSR Episode 401 - Vyrus Lessons in Red to Blue
Episode 401 Epilogue: This week, I got to sit down virtually with a long-time friend, and one of the most intelligent and quiet people you'll ever meet in InfoSec. My pal Carl Vincent (some of you may know him by other names) and I chat about the transition from Red Team to Blue Team, tools, the state of the industry over the last few years, and just general conversation. The world around us has changed, and it's important to have real conversations with people who shaped the industry in ways you probably didn't know or realize. Guest: Carl Vincent LinkedIn: https://www.linkedin.com/in/mcarlvincent/ Twitter: https://twitter.com/vyrus001 Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
6/30/2020 • 49 minutes, 28 seconds
DtSR Episode 400 - Tom Nichols on Expertise
Friends and Colleagues! We've made it. Milestone episode 400 of the podcast is here. And for the 400th episode I have none other than Mr. Tom Nichols. He's truly a qualified expert on a topic that needs some serious attention in today's world - expertise. In fact, he's written a book about it. Please enjoy this episode, share it, and I want to thank Tom for taking the time out of his crazy schedule to laugh, educate, and drop a little bit of snark into our day. Guest: Tom Nichols LinkedIn: https://www.linkedin.com/in/tom-nichols-94a7a23/ Twitter: @RadioFreeTom Go get and read his book: https://smile.amazon.com/Death-Expertise-Campaign-Established-Knowledge/dp/0190865970/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
6/24/2020 • 43 minutes, 33 seconds
DtSR Episode 399 - Post-Pandemic Issues
Episode 399 ... what a crazy ride it's been. This week we have Brian Chidester - you may recall we had a chat with him on episode 379 which was recorded live at EnFuse Conference 2019 - back to talk about some of the things he's been hearing state and local security leadership talk about. Great conversation, lots of topics covered... you'll enjoy it. Also, next up - EPISODE 400! Guest Brian Chidester LinkedIn: https://www.linkedin.com/in/abchidester/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
6/16/2020 • 40 minutes, 8 seconds
DtSR Episode 398 - Leadership Series: Allan Alford
This week, episode 398 features our Leadership Series and the one and only Allan Alford. Allan has spent a long career building various security practices, advising boards, and generally doing great things. While we're at it, you should go check out and sign up for the RSS feed of "Defense In Depth" podcast that Allan is a co-host on. They have a great tagline: "Couples therapy for security vendors and practitioners". Check them out here: https://www.linkedin.com/company/ciso-security-vendor-relationship-series/ Guest: Allan Alford LinkedIn: https://www.linkedin.com/in/allanalford/ Defense In Depth Podcast: https://cisoseries.com/category/defense-in-depth Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome Down the Security Rabbithole to yet another edition of the DtSR Podcast. As we roll on towards milestone episode 400, James and Rafal discuss a topic that doesn't get nearly enough airplay - vulnerability management. This isn't just your dad's vulnerability scanning though, or is it? Have we done anything exciting in this space in the last 15 years? Maybe... kind of... but the problem is much harder. Guest Ed Bellis Twitter: @ebellis LinkedIn: https://www.linkedin.com/in/bellis/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
6/2/2020 • 42 minutes, 46 seconds
DtSR Episode 396 - Verizon DBIR 2020 Analysis
It's Verizon Data Breach Investigations Report time again. This episode is a yearly walk-through of the DBIR, where Rafal and James once again welcome Gabe Bassett back to the show to talk data, graphics, and lessons we need to learn. Link to the report: https://enterprise.verizon.com/resources/reports/dbir/ Guest: Gabriel Bassett LinkedIn: https://www.linkedin.com/in/gabriel-bassett/ Twitter: https://twitter.com/gdbassett/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
5/27/2020 • 51 minutes, 45 seconds
DtSR Episode 395 - Can We Fix the MSSP
Special thanks to our friends at AlertLogic - for providing some great discussion points and John for the episode! This week, as DtSR hits episode 395 on our way to Episode 400, James and Rafal take some time out to ask: "Hey John, how's the hair?" It's great to be able to spend time with old friends and just talk about solving some long-standing problems our industry faces. One of the perennial favorites is why MSSPs are all terrible. Well - we have some ideas! Listen in if you've ever been frustrated with your MSSP... and are maybe interested in how the industry can collectively do better. Guest John Pirc LinkedIn: https://www.linkedin.com/in/johnpirc/ Rafal's personal note: John's a badass who has more experience than most in solving broad-scale problems and helping customers and companies through some difficult challenges. His advice is sage... you should probably listen in. Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
5/19/2020 • 47 minutes, 33 seconds
DtSR Episode 394 - High Profile Healthcare Security Leadership
Episode 394 Rafal & James host Keith Duemling from the Cleveland Clinic (talk about high-profile jobs!) to talk about security in the healthcare space, challenges, the future, and other random topics. Keith has spent a large part of his career leading healthcare organizations, so he has a lot to share. Listen in! Guest Keith Duemling - Director of Cybersecurity Technology Protection at the Cleveland Clinic LinkedIn: https://www.linkedin.com/in/keithduemling/ Twitter: @KeithDuemling Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
5/12/2020 • 37 minutes, 12 seconds
DtSR Episode 393 - Smartish Cities
Guess who's back, back again ... James is back, so listen in! So James is officially back after a bit of a hiatus from the podcast, and on this episode he and Rafal sit down for a fun interview with Matt Lewis, Research Director for the UK with NCC Group. Matt is the primary author of a report on "Smart Cities", and it's definitely something you should read. We talk about the report, discuss the true nature of a smart city and what it means to live in one. Pay particular attention to how difficult it was not to jump right into Die Hard 4 references... although we eventually broke down and did it anyway. Links Check out the NCC Group report on smart cities, right here: http://www.mynewsdesk.com/nccgroup/documents/ncc-group-a-blueprint-for-secure-smart-cities-whitepaper-95577 Guest Bio Matt Lewis is Research Director for the UK with NCC Group (https://www.nccgroup.trust/us/) – a security consultancy that has over 35 global offices, 2,000 employees and 15,000 clients. He's worked in Cyber Security for over 18 years since his Computer Science academic studies, which focused on formal methods for system specification and design. Since then Matt has worked in various roles across Defence, Intelligence, Commercial and Big 4. He specializes in security consultancy, scenario-based penetration testing, vulnerability research and development of security testing tools and methodologies. His consultancy, testing and research experience spans multiple technologies across all sectors and many FTSE 100 and Forbes 2000 companies. He has vast experience in facilitating security assurance within the Government sector. Matt is a public speaker with global recognition of his knowledge and expertise in biometric security. He regularly presents at international conferences and seminars on all manner of cybersecurity-related topics. Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
5/5/2020 • 42 minutes, 53 seconds
DtSR Episode 392 - Chris Nickerson is an Original
Ladies and Gentlemen, friends, countrymen, lend me your ears! This episode of DtSR features one of my favorite guests and one of the better storytelling from the "old days" opportunities I can recall. It also, not accidentally, features one of my favorite totally genuine people from our industry - Chris Nickerson. I think the best way to describe Chris is like a charismatic honey badger. And if you haven't had the pleasure, you can listen to this episode and get just a small taste of what he's been up to the last few years. Buckle in, it's story time. Guest Chris Nickerson ( @Indi303 ) - https://www.linkedin.com/in/nickersonlares/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
4/28/2020 • 48 minutes, 54 seconds
DtSR Episode 391 - Unprecedented Cyber Badness
This week, I'd like to thank JD Work for taking the time to be on the show and sharing his professional experience and expertise with us. The space of cyber policy, at the national and international level, is growing by leaps and bounds; and difficult decisions are often debated even as rapid reactions have to be made. These are difficult times for policymakers in the theater of cybersecurity. JD is an expert in this space and provides some real insight into what's going on and what our policymakers are thinking. Guest JD Work LinkedIn: https://www.linkedin.com/in/jd-work-22096010/ Bio: JD Work serves as the Bren Chair for Cyber Conflict and Security at Marine Corps University. He holds additional affiliations with the School of International and Public Affairs at Columbia University, the Elliott School of International Affairs at George Washington University, and as a senior advisor to the Cyberspace Solarium Commission. He can be found on Twitter @HostileSpectrum. The views and opinions expressed here are those of the author(s) and do not necessarily reflect the official policy or position of any agency of the US government or other organizations. Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
4/21/2020 • 48 minutes, 47 seconds
DtSR Episode 390 - DFIR 20-20
This week, Brian Carrier joins DtSR to talk about digital forensics and incident response in 20/20. Forensics and incident response has had to evolve and change as devices become more mobile, smaller, and purpose-built. Brian talks through what this change has meant, and how tools and techniques have had to evolve to deal not only with the explosion of device types, but also sizes and various log capabilities (or none at all). Guest Brian Carrier Twitter: @Carrier4n6 LinkedIn: https://www.linkedin.com/in/carrier4n6/ Related episodes: DtSR Episode 365 - "Mountains of Data" DtSR Episode 320 - "Specializing in Forensics" DtSR Episode 264 - "Windows Forensics Then and Now" DtSR Episode 252 - "DFIR with Lesley Carhart" DtSR Episode 247 - "Internet of Things Forensics" DtSR Episode 146 - "State of Enterprise Incident Response" Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
4/14/2020 • 36 minutes, 34 seconds
DtSR Episode 389 - Leading Cyber Security in Academia
This week, DtSR dives into security leadership with an academic twist. We have the pleasure of hosting Robert Turner, the CISO of the University of Wisconsin, Madison. This episode was recorded March 13th, 2020, right as the University and other institutions across the country and the world started their efforts to social distance and work from home due to the coronavirus (Covid-19) pandemic. Special thanks to Bob for taking the time out of his busy day, and crazy schedule given the times, to give us insights on his strategy, challenges, and successes! Guest Robert Turner - https://www.linkedin.com/in/bob-turner-9936993/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
4/7/2020 • 37 minutes, 14 seconds
DtSR Episode 388 - The SIEM is Dead Long May It Live
Welcome to episode 388, an episode at least 5 years in the making... mainly because it's taken this long to figure out a good way to get Anton on the podcast! Now that he's not an analyst anymore, I snagged him for an honest and open conversation about the one topic he has more expertise in than most anyone I know - the SIEM. We wax philosophical, I manage to show my ignorance of the state of the art and history of SIEM, and we talk about where SIEM is going. Join us on a great conversation I am thrilled to have been a part of. Guest Anton Chuvakin - Let's face it, it's really "The" Anton Chuvakin, right? LinkedIn: https://www.linkedin.com/in/chuvakin/ Twitter: @anton_chuvakin Blog: https://medium.com/anton-on-security Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
3/31/2020 • 51 minutes, 2 seconds
DtSR Episode 387 - Remote Workforce Leadership
This week, as we all continue quarantines and work-from-home DtSR hosts Valentina Thörner, who is an expert on remote workforce leadership. Valentina literally wrote the book (From a Distance) and now she's on the show discussing how to be a leader when your workforce is remote. Additional Links and Resources 1:1s https://remote.co/creative-ways-get-to-know-your-team-when-work-from-home/ https://knowyourteam.com/blog/2020/02/19/how-to-coach-employees-ask-these-1-on-1-meeting-questions/ https://getlighthouse.com/blog/one-on-one-meeting-questions-great-managers-ask/ https://getlighthouse.com/blog/transition-to-remote-work-help-your-team/ - the blog has amazing resources apart from this article A great article on how to scale remote work: https://beau.blog/2020/03/remote-work-at-scale/ Recommended webinar: https://wordpress.com/blog/2020/03/06/a-crash-course-in-remote-management/ Quick guide on how to set up your remote working strategy: https://intenseminimalism.com/2020/quick-work-remote/ Guest 411 Valentina Thörner LinkedIn - https://www.linkedin.com/in/valedeoro/ Twitter - https://twitter.com/valedeoro Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
3/24/2020 • 38 minutes, 24 seconds
DtSR Episode 386 - Securing a Suddenly Remote Workforce
Covid-19 ... that's the headlines. Everywhere. The suddenly remote workforce is a problem for many enterprises, and as workers are forced to work from home - security is a problem. To that end, I snagged Brian Foster who has a long and storied history in our industry, to talk about what he thinks we should be thinking about. Listen in, share, and let's hear what you think folks! Stay safe and well and most of all do not panic. Guest Brian Foster - https://www.linkedin.com/in/brianfoster1/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
3/17/2020 • 37 minutes, 22 seconds
DtSR Episode 385 - Malware on the Lifeline
Greetings! On this episode of the podcast we present to you an episode we recorded back in January (but then, due to a storage error, lost temporarily) with Nathan Collier from Malwarebytes. Nathan reported some findings from his research that, basically, there was some pre-installed malware running around, impossible to uninstall, on low-cost mobile phones. That kind of villainy is unforgivable (preying on the weak!) so we wanted to hear the whole story... and then some. Here's one link to the full story, in case you're interested in reading it on your own... https://blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/ Guest: Nathan Collier - Malwarebytes Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
3/10/2020 • 41 minutes
DtSR Episode 384 - Zero Trust Redux 2020
This week Rafal hosts Dr. Chase Cunningham, Forrester analyst and all-around security badass to redux Zero Trust. The last time we tackled the topic was Episode 222 with John Kindervag back in 2016 - so it's time to see what's new. Zero trust is more than just firewall rules, and it encompasses a lot of security technologies we don't even think about - so this update is a great primer for 2020. Guest: Dr. Chase Cunningham - https://www.linkedin.com/in/dr-chase-cunningham-54b26243/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
3/3/2020 • 38 minutes, 40 seconds
DtSR Episode 383 - The Jennifer Ayers Interview
Join Rafal & James this week, as they welcome Jennifer Ayers. Jennifer is the Vice President of Overwatch and Security Response at Crowdstrike. Rafal and Jennifer worked together "back in the day" so the conversation starts with a little storytelling from the old days, and then works its way into Jennifer's fantastic career and lessons learned over the years in her various leadership positions. Guest Jennifer Ayers - https://www.linkedin.com/in/jnayers/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
2/27/2020 • 47 minutes, 6 seconds
DtSR Episode 382 - Jeremiah Grossman Doing the Basics
This week on DtSR Podcast, a long-awaited guest joins us. That's right, the one and only Jeremiah Grossman joins us live from a tropical paradise, and you need to hear his message. On this show we cover history, "the basics", and the necessity to know what your security attack surface looks like. It's perhaps one of the least sexy topics ever - but if you ignore it, you're pretty much screwed. Guest: Jeremiah Grossman - @Jeremiahg - https://www.linkedin.com/in/grossmanjeremiah/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/Follow along on Twitter: https://twitter.com/dtsr_podcast
2/11/2020 • 42 minutes, 29 seconds
DtSR Episode 381 - 5G Security Implications
Welcome friends and fans! This week we go down the rabbithole with Russell Mohr of MobileIron as we talk about the security implications for 5G. The new standard unleashed upon the American consumer (but more importantly on the commercial market) is changing mobile communication and connectedness. About the guest... Russell Mohr is an expert in 5G and mobile technology, with a wide breadth of expertise in other areas as well. Apparently during the early part of the interview, he was attacked by a dog that tried to eat him (I may be guessing, but that's what it sounded like). LinkedIn: https://www.linkedin.com/in/russmohr/ Big thanks to Becca Chambers for setting this up, and lining up another future guest too! Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
2/4/2020 • 39 minutes, 4 seconds
DtSR Episode 380 - Gadi Tells It Like It Is
Welcome to episode 380 of the DtSR Podcast. We have a special treat for you this episode, with long-time friend Gadi Evron, and he holds nothing back in his stark discussion of our industry. We virtually guarantee this will quickly be your favorite episode... or at least in your top 5. Highlights from this week's episode include... Gadi unloads on the 'attackers in the spotlight' nature of security conferences Gadi & Raf chat about 25 years of incidents and what it's leading up to Gadi is clearly not a fan of "Just do the basics" Raf & Gadi decide we're clearly going to have to do this again... Guest Gadi Evron ( @gadievron ) - https://www.linkedin.com/in/gadievron/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
1/28/2020 • 47 minutes, 1 second
DtSR Episode 379 - IoT Transforming LE
This week, in our final (for real this time) episode recorded LIVE from Enfuse Conference 2019, courtesy of OpenText, we chat with Brian Chidester. It's a fascinating conversation about what the IoT world can do (and is doing) for law enforcement and government ... think smart cities + cops. Highlights from this week's episode include... Brian shatters any last shred of privacy I could believe in through the millions of IoT devices out there 'for our protection' Brian reminds us hackers set off tornado alarms around Dallas ... Brian and Rafal muse about FOIA in the digital age Brian talks about advances like 'connected firearms' Guest Brian Chidester - https://www.linkedin.com/in/abchidester/ Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/ Follow along on Twitter: https://twitter.com/dtsr_podcast
1/21/2020 • 24 minutes, 37 seconds
DtSR Episode 378 - Trending on CISOs
In our final "Live from Enfuse 2019" episode, I had the pleasure of sitting down with Paul Shomo to talk about some of the things he's talked to CISOs about as he travels and advises on behalf of OpenText. It's a pretty interesting conversation... Once again, thanks to OpenText for having the DtSR Podcast in Vegas!
Highlights from this week's episode include...
Paul and Rafal disagree on whether the cloud transformation is "almost over" or "just begun"
Paul brings up the challenge of API security
Rafal and Paul tackle security budgets - how much you spend vs how you spend it
Rafal asks Paul what's going on with security, and the challenge of identity
A link to Paul's article he mentions: https://www.darkreading.com/cloud/5-cybersecurity-ciso-priorities-for-the-future--/a/d-id/1336325
Guest
Paul Shomo - https://www.linkedin.com/in/paulshomo/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
1/14/2020 • 36 minutes, 24 seconds
DtSR Episode 377 - The Global War for Soft Power
Welcome to 2020, as Down the Security Rabbithole rolls on! This week we're back with a timely episode on the global war for soft power, with Andrea Limbago, Chief Social Scientist from Virtru. This is an interesting episode, touching on some topics such as privacy and censorship, and very timely.
Highlights from this week's episode include...
Andrea gives us a run-down on "soft power" and why it's important
Raf starts down a rabbithole and gets "dropped"
Andrea discusses how privacy regulation is impacting this space
Guest
Andrea Limbago ( @limbagoa ) - Chief Social Scientist at Virtru - https://www.linkedin.com/in/andrea-little-limbago/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
1/7/2020 • 41 minutes, 14 seconds
DtSR Episode 376 - Protecting Our Kids Online
Merry Christmas, and a Happy New Year listeners of the Down the Security Rabbithole Podcast! This week the show focuses on one of the most important things any of us really have - our children. Protecting kids in an increasingly digital world is tough, but not impossible. We decided to bring Theresa Desuyo from Qustodio on the show this week to discuss what her company is doing, and the broader theme of protecting children online. Apologies in advance for Theresa's audio quality. Couldn't fix that in post.
Highlights from this week's episode include...
Rafal takes a shot at a sinister human being
Theresa talks through some of the more ominous things kids can face online
James is curious
Theresa gives us a look into the crystal ball...
Guest
Theresa Desuyo of Qustodio - Theresa is Qustodio’s Digital Family expert, leading Qustodio’s insights into how to best generate talking points around technology use adapted to each family’s reality. In addition, she leads growth, partnerships and operations in the US. Before joining Qustodio, Theresa worked in gamification for enterprises and a social enterprise, leveraging technologies to engage employees and for cause marketing initiatives respectively. She holds a B.A. from UCLA and an MBA from ESADE, is fluent in Spanish and Catalán, and is a native English speaker from California. As a mother of 3 school-aged children (13, 11, and 5), decisions around technology use are an everyday topic and different for every child. She believes in educating kids and openly discussing the good and the risks associated with digital devices and the internet for them to build the resilience needed today. Read her professional bio here: https://www.linkedin.com/in/theresadesuyo/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/24/2019 • 33 minutes, 48 seconds
DtSR Episode 375 - Malcolm in the Middle (of a Career)
This week, DtSR is joined by Malcolm Harkins - former CISO of Intel and industry insider extraordinaire. Malcolm shares insights from his long and distinguished career so pull up a virtual chair, grab your notebook, and pull over because this is one that's a great listen.
Highlights from this week's episode include...
Rafal asks Malcolm why he doesn't job-hop like most CISOs
Malcolm and Raf discuss the "feature economy"
Raf asks Malcolm to predict the future
Guest
Malcolm Harkins ( @ProtectToEnable ) - Chief Security and Trust Officer at Cymatic https://www.linkedin.com/in/malcolmharkins/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/18/2019 • 39 minutes, 53 seconds
DtSR Episode 374 - Mike Daugherty Looks In the Rearview Mirror
This week, on a very special show recorded from his home studio in Atlanta, Rafal welcomes Mike Daugherty back onto the show to tell the story of his crazy journey and battle with the FTC.
Highlights from this week's episode include...
Mike gives a recap of the road to where he got
Rafal and Mike discuss the last few years since episode 171: "When the FTC Attacks"
Rafal & Mike discuss the New Yorker article: https://www.newyorker.com/magazine/2019/11/04/a-cybersecurity-firms-sharp-rise-and-stunning-collapse
Guest
Mike Daugherty - ( @daughertymj ) - https://www.linkedin.com/in/michael-j-daugherty-7a500819/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/11/2019 • 45 minutes, 45 seconds
DtSR Episode 373 - Internet of Increasingly Smart Things
Welcome back for another great episode. This week we have a boomerang guest, Amber Schroader, recorded live in Las Vegas at Enfuse 2019.
Highlights from this week's episode include...
Amber wants a rockstar moment, but no confetti cannons
Amber dissects Apple, Android, and "other" mobile OSes
We discuss machine-to-machine interactions
...so much more to discuss here!
Guest:
Amber Schroader ( @GingerWonderMom ) - https://www.linkedin.com/in/amberschroader/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/3/2019 • 41 minutes, 57 seconds
DtSR Episode 372 - Not the Rise of the Machines
This week on #DtSR (live from Las Vegas, Enfuse 2019 Conference) Rafal chats with Nick Patience of 451 Group. Nick has some expertise in ML and provides context and content that is badly needed to dispel the crazy marketing hype out there.
Highlights from this week's episode include...
Nick answers the "What is ML/AI, and what is it not?"
We think Nick insulted machines by calling their learning potentially "shallow" (haha)
Nick gives us the retail applications of machine learning - grocery stores and similar things
Nick talks about "automating the mundane vs automating the complex" as problem spaces where ML is applicable
Nick explains ML is just software - but it's different from other software
Guest
Nick Patience ( @NickPatience ) - https://www.linkedin.com/in/nickpatience/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/26/2019 • 38 minutes, 30 seconds
DtSR Episode 371 - Advancing SOC-as-a-Service
First, and foremost, thank you to OpenText for having the #DtSR Podcast live and in-person in Las Vegas. Enfuse is a fantastic conference bringing together security operations professionals (forensics, threat hunters, SOC analysts), privacy, and legal professionals under one banner. It's a fantastic opportunity to hear some very involved talks, hear about the state-of-the-art, and join the conversation. Also ... the people you will meet there are amazing - guests and staff.
Highlights from this week's episode include...
Kevin gives us an educated, experience-based opinion on threat intelligence, threat hunting, and other various key terms
Rafal makes some snarky comments about "your mess for less" MSSPs
Rafal and Kevin attempt to discuss the analyst shortage - do we solve it with tech or people?
Guest
Kevin Golas, Director of Worldwide Security Services at OpenText - https://www.linkedin.com/in/kevin-golas-cism-cisa-cissp-1126b01/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/19/2019 • 38 minutes, 41 seconds
DtSR - This Just In - OpenText and Reveille Announcement Nov 2019
Dropping in for a quick announcement - you heard it here first! This week a few different announcements went out from OpenText, but this one caught my attention because it could honestly and truly be a game-changer for security and legal teams when it comes to breaches. Going beyond the typical EDR solution, this announcement may be able to shine light into the questions security and legal professionals need answered in the case of a breach. Check it out.
Official Name: OpenText™ Content Security for EnCase™ by Reveille.
Press release: https://www.opentext.com/about/press-releases?id=6A68BD4D22384A45A910DEFBD22BECBD
Guests:
Paul Shomo, Senior Security Architect, OpenText
Brian Dewyer, CTO, Reveille Software
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/13/2019 • 11 minutes, 44 seconds
DtSR Episode 370 - Gamifying InfoSec
Down the Security Rabbithole is back for Episode 370, and this week's podcast focuses on gamification, and its applications to InfoSec. Big thanks to Chloé for joining us and sharing her knowledge. She's a legitimate expert in the field, so give this a listen.
Highlights from this week's episode include...
Chloé explains gamification
Rafal and James ask some tough questions
Chloé explains how games help us learn
Much more, tune in!
Guest
Chloé Messdaghi ( @ChloeMessdaghi ) - VP of Strategy at Point3 Security. She is a security researcher advocate who supports safe harbor and strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to change the statistics of women in InfoSec. She co-founded Women of Security (WoSEC) and heads the SF Bay Area chapter. As well, she created WomenHackerz, a global online community that provides support and resources for hundreds of women hackers at all levels. https://www.linkedin.com/in/messdaghi/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/12/2019 • 44 minutes, 12 seconds
DtSR Episode 369 - Ransomware's End
Welcome to episode 369! This week Rafal talks ransomware and welcomes Oussama El-Hilali, Chief Technology Officer at Arcserve, and Chester Wisniewski, Principal Research Scientist at Sophos to the podcast.
Highlights from this week's episode include...
Chester hits us with some staggering facts and figures about ransomware
Rafal asks if companies should pay the ransom …and ducks
Oussama explains why backup companies and anti-malware companies should be besties
Guests
Oussama El-Hilali - https://www.linkedin.com/in/oussama-el-hilali/
Chester Wisniewski - https://www.linkedin.com/in/chester-wisniewski-b428241/
Links
Arcserve landing page for more information - https://www.arcserve.com/partners/alliances/sophos/
Sophos press release on the alliance - https://www.sophos.com/en-us/press-office/press-releases/2019/09/sophos-and-arcserve-to-offer-all-in-one-data-security-and-protection-from-cyberattacks.aspx
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/5/2019 • 42 minutes, 23 seconds
DtSR Episode 368 - Contain(er) Your Security
Welcome to another edition of the DtSR Podcast! This week Liz Rice joins us all the way from the (still) UK, and James is back too! What a treat... join us and read the show notes!
Highlights from this week's episode include...
Liz explains containers, security, and gives us a foundation
Liz explains the fundamental stages of securing containers
Liz explains the model of different types of containers and the things you need to worry about
Rafal asks "where do you install the agent?"
Guest
Liz Rice - ( @LizRice ) - Liz Rice leads Aqua’s technology evangelism activities in the cloud-native ecosystem. She is an active member of the open source community, and an award-winning speaker known for her live-coding demos. She is currently co-chair of KubeCon & CloudNativeCon. Prior to getting immersed in containers she built up a wealth of software development, team, and product management experience working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP with companies including Skype, Last.fm and Metaswitch Networks. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, and competing in virtual races on Zwift. Find her on LinkedIn: https://www.linkedin.com/in/lizrice/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/30/2019 • 42 minutes, 29 seconds
DtSR Episode 367 - Cloud Babies
This week, #DtSR Podcast is recorded live from Dallas at the Armor SecureCon inaugural user conference. Rafal had the occasion (and good fortune) to get a few minutes to sit down with Jeff Collins (CSO, Lightstream) and Kristopher Russo (Security Architect, Herman Miller) and chat cloud. P.S. - We love in-person conversations!
Highlights from this week's episode include...
Jeff talks about Lightstream's cloud foundational framework and why it's a must-do if you're thinking cloud
Kristopher shares some inner wisdom on architecture and business alignment
Rafal makes a snarky comment about frameworks
Guests
Jeff Collins, CSO Lightstream - https://www.linkedin.com/in/jmcollins/
Kristopher Russo, Architect, Herman Miller - https://www.linkedin.com/in/krisrusso/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/22/2019 • 28 minutes, 46 seconds
DtSR Episode 366 - D I Why and How
Welcome Down the Security Rabbithole, to the DtSR Podcast. This week, Zac Rosenbauer joins us to talk about what it's like to be "the IT guy" who also has to be vigilant of security in a fast-paced startup...based on Google's cloud platform. It's a riveting episode that will give you some good guideposts if you're about to DIY.
Highlights from this week's episode include...
Zac introduces what it's like to work in a rapidly evolving startup
We discuss some of the DIY that Zac has had to work with
Wait ... compliance...
Guest
Zac Rosenbauer - VP of Technology at Precognitive - https://www.linkedin.com/in/zacrosenbauer/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/15/2019 • 39 minutes
DtSR Episode 365 - Mountains of Data
Welcome back to another episode ... this one sets up DtSR's appearance at the Enfuse Conference 2019 in Las Vegas in November. Give this topic a listen, as it doesn't matter whether you're in legal, compliance, or security - you need to understand this topic well. We want to thank Opentext for sponsoring DtSR's trip out to Las Vegas for the conference, and of course we encourage you to join us out in the desert for another really well-done conference on the intersection of law, compliance, privacy, and security.
Highlights from this week's show include...
Anthony uses the phrase "data exhaust"
We get a peek into the intersection of big data, and big forensics
Anthony, James, and Rafal discuss 'real time identification' that's way beyond what your IPS can do
Anthony gives an insider peek into Enfuse 2019 including a keynote by James Clapper
Guest
Anthony Di Bello - Vice President, Strategic Development at Opentext: https://www.linkedin.com/in/anthony-di-bello-29b419b/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/8/2019 • 35 minutes, 58 seconds
DtSR Episode 364 - Interviewing Jerry Archer
Welcome! This episode of Down the Security Rabbithole Podcast was recorded live from Dallas, TX where the Security Advisor Alliance Summit 2019 was happening. One of the hardest working men in the business, Mr. Jerry Archer, stopped by and took a few minutes off his schedule to let Rafal interview him and get some of those amazing nuggets of wisdom and experience into your ears. Feedback, as always, is welcome!
Highlights from this week's show include...
Jerry sets the background for his knowledge by dropping his 40+ years experience
Jerry talks about risk management and reporting to the board
Jerry goes a little crazy talking about his budget
...so much more!
Big thanks to Sidney, AJ, Jerry and the rest of the SAA crew for having me aboard and letting me add some value to this very worthy cause. Folks, if you aren't a part of this thing, go to https://www.securityadvisoralliance.org/ and find your cause.
Guest
Jerry Archer - SVP/Chief Security Officer at Sallie Mae; you can read more about Jerry's career here: https://www.linkedin.com/in/jearcher/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/1/2019 • 34 minutes, 35 seconds
DtSR Episode 363 - That Oh Shit Moment
This episode was recorded live from the Security Advisor Alliance Summit, 2019 in blistering hot Dallas, TX. If you don't know what the Alliance is, or are asking yourself why you should bother, click here and find out why this is one of those organizations that you must be part of if you're serious about cybersecurity.
Highlights from this week's episode include...
Graeme introduces himself
Rafal & Graeme talk about security at scale
Graeme discusses some of the insights of the Equifax breach
Graeme dispenses knowledge and experience by the truckload
Guest
Graeme Payne ( @Cybersecurity4E ) - Shelve whatever you think you know about him. Graeme was the CIO of the business unit that had that catastrophic breach over at Equifax a few years ago. He's on LinkedIn here: https://www.linkedin.com/in/payneg/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/25/2019 • 39 minutes, 30 seconds
DtSR Episode 362 - Real Security is Hard
Friends & Colleagues, this week I have the pleasure of being joined by one of my good friends and industry veteran - the one and only Jim Tiller. We revisit the things we talked about in Episode 102 and get an update on the state of security from a guy who would know.
Pre-requisite listening: Episode 102 - http://ftwr.libsyn.com/dtr-episode-102-security-leaders-series-jim-tiller
Highlights from this week's show include...
Jim & Rafal talk about the "feature economy" that is the security vendor marketplace today
Jim explains the statement "Complexity is the camouflage for bad guys"
Jim explains what he believes security organizations have accomplished in the last 5 years
Rafal & Jim lament the 'fundamentals'
Guest
Jim Tiller ( @Real_Security ) - https://www.linkedin.com/in/jitiller/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/17/2019 • 46 minutes, 2 seconds
DtSR Episode 361 - Your Adversary Problem in 2019
This week Adam Meyers joins James & Rafal to talk about the Crowdstrike Mobile Threat Landscape Report 2019 - https://www.crowdstrike.com/resources/reports/mobile-threat-report-2019/ and the learnings and lessons therein.
Highlights from this week's episode include...
Adam gives us the lowdown on adversaries, in 2019
Adam bakes some bread
Rafal asks who the biggest and baddest attackers are
So much more... check out the link above, read the report!
Guest:
Adam Meyers - https://www.linkedin.com/in/adam-meyers-7a58481/ - VP, Intelligence at Crowdstrike. We'll let him explain the rest...
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/11/2019 • 37 minutes, 26 seconds
DtSR Episode 360 - Thwarting Bots and Frauds
This week, Rafal sits down in person with Sam Bouso of Precognitive, at their Chicago headquarters, to talk about some very cool tech that's probably only on the periphery of security. Give it a listen!
Highlights from this week's show include...
Sam discusses the problem that bots and fraud pose to not only digital commerce but overall digital interaction
Sam and Rafal talk through the various buzzwords (machine learning, AI, etc) and their real applications here
Sam talks through how algorithms and massive data sets can identify human from non-human
So much more
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/27/2019 • 41 minutes, 25 seconds
DtSR Episode 359 - Mind the Diversity Gap
This week, in the 2nd of two installments recorded live at Black Hat 2019, Alyssa Miller joins Rafal live to talk about some of the talks she's giving, and takes us back in time.
Highlights from this week's show include...
Rafal and Alyssa discuss the very real problems the lack of diversity in technology creates
A jab is taken at the TSA ...because it's just too easy
Alyssa revisits the 'castle analogy' for InfoSec and why it's so tough to get right
Much more fun... you'll have to listen in!
Guest
Alyssa Miller ( @AlyssaM_Infosec ) - Alyssa's bio and website is here: https://alyssasec.com/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/20/2019 • 30 minutes, 2 seconds
DtSR Episode 358 - No More Crappy Job Hunts
This week on another jam-packed episode, Rafal takes to Black Hat 2019 to interview some interesting guests that have something unique to tell you. We start with Deidre Diamond, the lady behind CyberSN - and why she's reinventing the way you get your next InfoSec job.
Highlights from this week's show include...
Deidre tells us a little bit about what's new at CyberSN
Rafal & Deidre discuss the insane InfoSec job market
Deidre explains how she's planning on eliminating hiring bias in the InfoSec workforce
The last time Deidre joined us was episode 337 - http://ftwr.libsyn.com/dtsr-episode-337-insights-on-cyber-talent
For more, go to www.cyberSN.com/ and click the "Know More" icon in the top-right corner and get started!
Guest
Deidre Diamond ( @Cyber_SN ) - With over 20 years spent leading technology and cybersecurity organizations, Deidre Diamond offers a great perspective on the issues that matter most in our industry. Her vision, “to transform employment searching” has remained constant since she founded CyberSN in 2014. Find her on LinkedIn: https://www.linkedin.com/in/deidrediamond/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/15/2019 • 33 minutes, 2 seconds
DtSR Episode 357 - Hacker Summer Camp 2019
This week, James and I sit down to think (and talk) through Black Hat (and Defcon) 2019. "Hacker Summer Camp" as it's affectionately known in the industry, is a rite of every summer...but is it delivering value to attendees, do we have the right audience, and is the content worthwhile? This and more...
Highlights from this week's show include...
Raf and James reminisce about summer camp days gone by
Rafal addresses Dino's excellent-sounding keynote (abstract)
Raf & James discuss the hype (or more precisely, the lack thereof) of this year's conference and why it's nice for a change
All this and more...so tune in!
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/5/2019 • 32 minutes, 20 seconds
DtSR Episode 356 - Its Been a While Andy
Welcome down the security rabbithole friends! This week, Andy Kalat takes a few minutes off from recovering to chat and comment on the state of security, and what's different since we first met back in... 2003? Fun episode... It's been a while, Andy!
Highlights from this week's show include...
Andy and Rafal try and figure out when they first met...in real life
Andy points out the problem vendors suffer from "problem-scope-limiting" (this is an interesting one...)
Are things getting better? The guys discuss...snark ensues
Rafal asks Andy to predict what will change in the next ~5yrs
Guest
Andrew Kalat ( @LERG ) - Andy is an IT Security Executive, Co-Host of the Defensive Security Podcast, Speaker, Writer...according to his LinkedIn profile, here.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/30/2019 • 39 minutes, 11 seconds
DtSR Episode 355 - Threat Modeling Rides Again
My dear listeners - we have John Steven back on this episode! If you don't remember his first appearance, it's OK, it was a little while ago back on episode 42 ... http://podcast.wh1t3rabbit.net/dt-r-episode-42-threat-modeling so it's been a while!
Highlights from this week's show include...
John gives us a run-down on the new things since the last episode
James & John talk OWASP Top 10
The guys try to understand what happened to Threat Modeling, and security overall, over the last decade
So much more, you'll have to listen
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/23/2019 • 49 minutes, 25 seconds
DtSR Episode 354 - Pragmatic Azure Security
Fans & Listeners! This week we have a treat for you... as this episode is recorded LIVE from Microsoft's Inspire 2019 in Las Vegas (where it was 117F) but the conversation here is way hotter.
Highlights from this week's show include...
What is Microsoft releasing to help guide secure Azure deployment?
Mark and Jeff debate "What exactly is the value of "best practices"?"
So much more packed into this extended episode!
Links to things you need:
Azure security guidance & best practices: https://aka.ms/AzureSecurityArchitecture
Microsoft cybersecurity reference strategies: https://aka.ms/CISOWorkshop
Things Mark thinks you should have handy: https://aka.ms/MarksList
Guests:
Mark Simos ( @MarkSimos ) - Lead Architect, Cybersecurity Solutions Group, Microsoft
Jeff Collins - Chief Strategy Officer, Lightstream
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/18/2019 • 46 minutes, 3 seconds
DtSR Episode 353 - Ira Winkler on Point
Yes, DtSR took a week off ... we were due. This week, Ira Winkler joins Rafal to go down the rabbithole and talk about his career, opinions on our profession, and other important stuff. Sit back, take notes, and enjoy.
Highlights from this week's show include...
Ira gives a run-through on his career and what's gotten him "here"
Ira and Rafal discuss "breaking into security" and how it's being sold now, versus what reality should be
Ira gives us his take on training, certifications, career paths and the like
Yeah, so much more...
Guest
Ira Winkler ( @IraWinkler ) - This guy: https://www.linkedin.com/in/irawinkler/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/9/2019 • 56 minutes, 7 seconds
DtSR Episode 352 - AWS REInforce Warm Up Episode
This week, ahead of AWS RE:INFORCE 2019 (the first one) Rafal gets a conversation with buddy Mark for a candid talk about the top 3 public cloud providers, and a little insight into the evolution of the industry ... or not...
Highlights from this week's show include...
What are we expecting from AWS RE:INFORCE this inaugural year?
Mark gives us his take on the security in the three major public cloud providers
Rafal and Mark reminisce about how things were...and where they are in terms of cloud, and security
Mark and Rafal laugh about the opportunity security teams have right now...or may be missing
Guest:
Mark Nunnikhoven ( @marknca ) - Mark's awesome. He's also the Vice President of Cloud Research at Trend Micro. Other stuff he does here: https://www.linkedin.com/in/marknca/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/24/2019 • 47 minutes, 52 seconds
DtSR Episode 351 - Deeper Into the Microsoft Security Ecosystem
Thank you to Microsoft for sponsoring this show, and our podcast over the years...
Highlights from this week's show include...
Rob discusses what "Microsoft Threat Protection" is, isn't, and why it's relevant today
Rob gives us some context to "trillions of signals" - what does that mean?
Rob provides perspective on the pillars of operational excellence required to make Microsoft's vision a reality in damn-near-real-time
Rafal and Rob discuss what the ecosystem looks like, and how it's being released into production
Rob answers whether Microsoft consumes its own tools… the answer may surprise you
Guest:
Rob Lefferts - @rob_lefferts - Microsoft
Responsibilities/Contributions – As corporate vice president for M365 Security within Experiences and Devices, Rob Lefferts is responsible for ensuring that Microsoft 365 provides a comprehensive and cohesive security experience for all of our customers. Prior to this role, he led the Windows Enterprise & Security team, where he was responsible for hardening the Windows platform, building intelligent security agents, and driving commercial adoption of Windows 10. Since joining Microsoft in 1997, Lefferts has been instrumental in shaping key products and technologies, from helping develop the original SharePoint Portal Server to leading extensibility efforts for the Office platform to championing the vision for Microsoft 365.
Pre-Microsoft Work Experience – Rob began his career at Claritech, a startup that was born from a Carnegie Mellon research project. He then consulted with the Government of Namibia, Africa.
Education – He earned a bachelor’s degree in logic and computation, as well as a master’s degree in computational linguistics, from Carnegie Mellon University.
Family/Other Interests – Rob and his wife have two children and live in the Seattle area.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/19/2019 • 38 minutes, 44 seconds
DtSR Episode 350 - Deep Learning on Deep Packets
Show Note: As most of you know, this show has long refused to use advertisements, or ad revenue to keep itself going. That said, I openly welcome organizations who have something interesting to say and some extra marketing dollars to give, to sponsor an episode while still going through the same vetting process as everyone else. This is one of those shows.
This week James and Rafal are joined by Saumitra Das, the Chief Technology Officer for an interesting little start-up called Blue Hexagon. If you find yourself nodding along and interested in hearing more, we encourage you to go check out their website and let them know you heard of them on this show.
Highlights from this week's show include...
Saumitra shares his insights on AI, machine learning, and the limitations and mis-uses of them
We discuss the challenges of finding 'malice' at extremely high volumes, at extremely high rates of speed, and in extremely diverse environments
Saumitra previews the methods Blue Hexagon uses to approach this problem and potentially start to draw a viable approach
Guest
Saumitra Das - CTO at Blue Hexagon - https://www.linkedin.com/in/saumitramdas/
Fun fact, Saumitra has over 330 granted patents...how many you got?
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/11/2019 • 48 minutes, 2 seconds
DtSR Episode 349 - Verizon 2019 DBIR Double-Live Part 2
Friends & listeners - welcome to the 2nd half of the 2019 Verizon DBIR 2-part extravaganza. Gabe Bassett, one of the authors of the DBIR, joins Rafal & James to talk stats and lessons we can take away from the report.
Highlights from this week's show include...
- We all talk patching... why it's hard, what we can do about it, and realities of patching
- Gabe does more live data analysis
- We get an insight into how long and how hard this report is to produce
Guest
Gabriel Bassett ( @gdbassett ) - Gabe is one of the writers and data scientists behind the Verizon DBIR. His LinkedIn is here: https://www.linkedin.com/in/gabriel-bassett/
6/4/2019 • 39 minutes, 39 seconds
DtSR Episode 348 - Verizon 2019 DBIR Double-Live Part 1
Friends & listeners - welcome to the 2019 Verizon DBIR 2-part extravaganza. Gabe Bassett, one of the authors of the DBIR, joins Rafal & James to talk stats and lessons we can take away from the report.
Highlights from this week's show include...
- Gabe distinguishes between an incident and a breach - for those of you who need the refresher
- Gabe dives into the stats to talk about small businesses, and the impact of breaches on them
- Gabe does some live data science for us, pulling in stats on-the-fly
- We avoid the 'patching' discussion (that's for the 2nd half)
Guest
Gabriel Bassett ( @gdbassett ) - Gabe is one of the writers and data scientists behind the Verizon DBIR. His LinkedIn is here: https://www.linkedin.com/in/gabriel-bassett/
5/29/2019 • 32 minutes, 46 seconds
DtSR Episode 347 - Inside the RH-ISAC
This week, Tommy McDowell, who is the Vice President at the Retail and Hospitality Information Sharing and Analysis Center, joins Rafal in person, in Dallas.
Highlights from this week's show include...
- Tommy gives us a background on himself, and the RH-ISAC (and its mission statement, and such)
- Tommy & Rafal discuss the difficulty in setting up an information sharing center
- Tommy gives us insights into why retail and hospitality need their own unique threat sharing network
Guest: Tommy McDowell - https://www.linkedin.com/in/tommy-mcdowell-97184116/ - It's easier to just let you go look at Tommy's page on LinkedIn. He's got a storied, and very interesting, career that we could not possibly do justice to here.
5/21/2019 • 37 minutes, 3 seconds
DtSR Episode 346 - Green Waxes Mostly Academically
This week, Rafal gets the rare occasion of sitting down face-to-face with someone and doing an interview in person. Andy Green is a great, if not sharky, fellow who helped me get over my PG rating for this podcast. So... it's probably PG-13.
Highlights from this week's show include...
- Andy talks about BSides Atlanta and the labor of love that is getting a conference stood up
- We talk about conference drama - because we all need more of that in our lives
- Andy discusses academic programs, shaping young minds, and being a universally beloved professor (not)
Guest: Mr. Andy Green ( @SecProfGreen ) - Andy is a lecturer of Information Security at Georgia's Kennesaw State University. When he's not running Atlanta's BSides ATL, he teaches classes in the Information Security and Assurance degree program, in the Information Systems department of the Michael J. Coles College of Business at Kennesaw State University.
5/14/2019 • 46 minutes, 59 seconds
DtSR Episode 345 - RaffCon the Podcast
This week on the podcast, Rafal gets some one-on-one time with Raffael Marty... and it's #RaffCon.
Highlights from this week's show include...
- Raf & Raffy discuss the origins of #RaffCon
- Raffy talks through Artificial Intelligence... in security
- Raf and Raffy dive into "risk management"
Guest: Raffael Marty - ( @raffaelmarty ) - Data analytics and visualization enthusiast. Interested in large-scale big data and cloud infrastructures to support cyber security use-cases. "How can we assist users to gain deep insight into large amounts of data?" I have spent a lot of time building and defining the security visualization space through open. I oversee Forcepoint's X-Labs, a specialized department within Forcepoint that is responsible for behavior-based security research and the development of predictive intelligence. In addition to traditional threat and security intelligence, we are the home of data science, machine learning, and artificial intelligence within Forcepoint.
5/7/2019 • 41 minutes, 35 seconds
DtSR Episode 344 - You've Probably Been Pwned
This week, Rafal is joined by the man, the myth, the Aussie legend - Troy Hunt. We basically talk about whatever is on his mind - which, as it turns out, is a lot. Take a listen, we may publish an English translation later (joking, Troy!).
Highlights from this week's show include...
- Troy gives a run-down on HaveIBeenPwned
- We talk through some of the interesting use-cases for HaveIBeenPwned data
- Troy gives perspective on usernames, passwords, and other important things technology/security related
Guest
Troy Hunt ( @TroyHunt ) - Troy is a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, international speaker on web security and the author of many top-rating security courses for web developers on Pluralsight.
I created HIBP as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community. Short of the odd donation, all costs for building, running and keeping the service currently come directly out of my own pocket. Fortunately, today's modern cloud services like Microsoft Azure make it possible to do this without breaking the bank!
5/1/2019 • 41 minutes, 3 seconds
DtSR Episode 343 - The 31st Human Right
This week, on a riveting edition of Down the Security Rabbithole Podcast, Raf sits down with Richie Etwaru, a human data ethicist and Founder and CEO of Hu-manity.co. What's a human data ethicist, you ask? Listen to the podcast, and find out.
Highlights from this week's show include...
- Richie walks us through data ownership as a fundamental human right, including why now is the right time in history
- Raf and Richie discuss the principles of data ownership and how they're different from privacy or security
- Richie discusses data ownership as a great leveling factor for society
- SO much more...
Guest
Richie Etwaru - Richie Etwaru is a human data ethicist and the Founder & CEO at Hu-manity.co where he is responsible for vision, strategy and execution focus for the company. He is driven to reshape the world by creating a new data economy, where inherent human data is legally human property. He has held c-level roles at Fortune 500 companies for two decades, and serves as advisor to venture capitalists, startups, governments, academia, and large organizations on transitioning to Trust Companies. Richie’s book Blockchain Trust Companies, Every Company is at Risk of Being Disrupted by a Trusted Version of Itself (2017) is used by universities, consulting organizations, and governments, and his TEDx talk Blockchain Massively Simplified has been viewed almost 1 million times.
4/23/2019 • 39 minutes, 51 seconds
DtSR Episode 342 - Michael Coates Has Things to Say
This week on episode 342, Michael Coates joins Rafal & James for the 2nd time. Michael's first episode was way, way back in 2015 on episode 134, titled "Fundamental Security". Looks like things haven't changed much. We highly recommend you check out episode 134 first, then listen to this one. Trust us, you want the context.
Highlights from this week's show include...
- Michael gives us an opinion on "what's changed" in the last decade or so
- Michael discusses "risk", "technical risk", and the Inigo Montoya problem in security
- Michael gives an overview of what he thinks the profile of the CISO should be
- Michael gives his take on why he thinks low false-positive rates are important and automation is the future
Guest
Michael Coates: ( @_mwc ) All you need to know is here, on his LinkedIn page: https://www.linkedin.com/in/mcoates/
This week, in the final installment of "Live from RSA Conference 2019", Rafal interviews Mark Simos, who is the definitive source for reference architectures at Microsoft. He's the Lead Architect in the Enterprise Security Group and he's doing some amazing things for the community with regards to the Azure cloud and other Microsoft-related security things. Give this episode a listen and share it... maybe listen again and take good notes!
Highlights from this week's show include...
- Mark discusses security reference architectures (in general)
- Mark and Raf rap on the shared responsibility model for the cloud... again
- Mark answers "What's different about security in the cloud?"
- Mark raises the concept of "raising the cost to the adversary" for defenders...
Guest
Mark Simos - ( @MarkSimos ) - Mark is Lead Architect in Microsoft’s Enterprise Cybersecurity Group where he is part of a group of cybersecurity experts who create and deliver unique cybersecurity services and solutions to Microsoft’s customers. Mark has contributed to a significant amount of Microsoft cybersecurity guidance - most of which can be found on Mark's List (http://aka.ms/markslist). Mark focuses on cybersecurity guidance to help customers manage cybersecurity threats with Microsoft technology and our partner solutions. Mark's current focus is on security assessments and roadmaps that span the spectrum of security topics including privileged access, high value asset protection, security strategies and operations, datacenter security, and information worker protection.
4/9/2019 • 32 minutes, 25 seconds
DtSR Episode 340 - Diana Kelley from RSA 2019
This week, Down the Security Rabbithole Podcast is publishing episode 3 of 4 which were recorded LIVE at RSA Conference 2019. This episode features Diana Kelley, of Microsoft, talking about the latest security report and other goodies.
Highlights from this week's show include...
- Diana discusses the highlights from the latest Microsoft Security Intelligence Report
- Raf provides an opinion on how Microsoft could totally own the endpoint space
- Rafal & Diana dive back into passwords... apparently, we just can't get away from them
- Diana tells a really interesting story about Microsoft Windows Hello and twins
Guest
Diana Kelley - @DianaKelley14 - Microsoft Enterprise Cybersecurity Group Leadership team member. Represent Microsoft at global security conferences, author industry analysis, white papers, and blogs on Microsoft security strategy and response to cyber threats. Contribute to the all-up security messaging and provide insight into the strategic vision and direction for the company in close partnership with marketing, business groups, and engineering, as well as working closely with the security PR and AR teams.
4/2/2019 • 38 minutes, 24 seconds
DtSR Episode 339 - Insuring Against Acts of Cyber War
This week, driven by the news cycle, and an interesting story... Rafal & James invite George and Shawn, as actual experts, onto the show.
Highlights from this week's show include...
- This news story - https://www.infosecurity-magazine.com/news/zurich-refuses-to-pay-out-for/
- George & Shawn discuss the language of cyber policies
- We discuss language, inclusions, exclusions, and such
- George brings up Information vs. Cyber security
Other links related to this podcast:
https://www.hstoday.us/subject-matter-areas/cybersecurity/perspective-economic-strength-and-cybersecurity-interplay-in-u-s-china-trade-policy/
https://www.hstoday.us/subject-matter-areas/cybersecurity/perspective-5g-and-the-scrutiny-of-huawei-could-herald-cybersecurity-shift/
https://www.bizcatalyst360.com/tearing-us-apart-at-ludicrous-speed/
https://www.bizcatalyst360.com/economic-leverage-a-smarter-user-two-things-to-improve-cybersecurity/
https://www.itspmagazine.com/from-the-newsroom/command-of-the-cyber-sea
3/28/2019 • 47 minutes, 51 seconds
DtSR Episode 338 - Failure of Risk Management
This week, part 2 of a four-episode set recorded live from RSA Conference 2019. This time, it's Phil Beyer's turn at the microphone...
Highlights from this week's show include...
- Phil talks up "The failure of risk management"
- We discuss the realities of risk management
- Raf asks "How do we make more informed risk decisions?"
- Raf and Phil talk through threat models and why they're relevant
- ...and so much more
Guest
Phil Beyer - https://www.linkedin.com/in/pjbeyer/
3/19/2019 • 35 minutes, 29 seconds
DtSR Episode 337 - Insights on Cyber Talent
This week, in the first of a four-part "Live from RSA Conference 2019" series, Rafal interviews Deidre Diamond. Deidre knows a little something about cybersecurity talent, having worked in the field most of her professional career. We discuss all kinds of interesting and relevant topics...
Highlights from this week's show include...
- Deidre presents her new "human model" for hiring, staffing, and retaining excellent talent
- We discuss the difference between a good leader and just a good manager, and why those aren't the same
- We discuss the pay gap, why it's still a thing, and what's to be done about it
- Deidre discusses the challenges women face in cybersecurity, and what's changing
Guest: Deidre Diamond: (@DeidreDiamond) - https://www.linkedin.com/in/deidrediamond/
In her own words: Combining my 21 years of experience working in technology and staffing, my love for the cybersecurity community, and a genuine enthusiasm for people, I created Cyber Security Network (http://www.cybersn.com), a company transforming the way Cyber Security Professionals approach job searches. CyberSN.com will remove the frustration from job-hunting, and aid in interpersonal connections and education. Throughout my career, I have built large-scale sales and operations teams that achieved high performances. Creating cultures based on an "anything is possible" attitude allows people to achieve above and beyond the usual. By establishing an open communication framework throughout an organization, I have created cultures of positive energy, career advancement, and kindness, that enable teams to reach beyond peak performance and have fun at work.
3/12/2019 • 40 minutes, 28 seconds
DtSR Episode 336 - Energy Sector Security Update Q1-2019
This week, Patrick Miller joins Rafal to provide an update on the energy sector, and what's different (or not). Another episode with a returning guest who continues to provide timely and important updates on key "big picture" security issues.
Highlights from this week's show include...
- Patrick gives us a "state of the union" update on what's going on in the power industry with security
- Raf asks "are we getting better... or worse?"
- Patrick discusses IoT, IIoT, and "everything has an IP address"
- Patrick tells a story about his recent encounter with a 386 & DOS 2.2 (if you know what this is, you're old)
2/26/2019 • 40 minutes, 39 seconds
DtSR Episode 335 - Ranking the Adversaries
This week, in a special episode, Dmitri Alperovitch of Crowdstrike joins Rafal to talk about a brand new report that Crowdstrike is releasing. The Crowdstrike 2019 Global Threat Report is a must-read with some very interesting topics covered. Dmitri joins Rafal to talk specifically about the ranking of threat actors, and what it means to you.
Highlights from this week's show include...
- Dmitri explains "breakout time" and why it's important
- Dmitri gives a walk-through of the methodology used to rank your global adversaries
- Dmitri & Rafal talk through who's on first, and what's up with China
- Rafal & Dmitri talk about what this report means to you sitting at your desk playing defender
2/19/2019 • 31 minutes, 50 seconds
DtSR Episode 334 - Compliance and Operational Process
This week, on the DtSR Podcast, Rafal is joined by Matt Herring, long-time listener and first-time caller. We talk through Matt's career path, and how he got to head up a global security operations team. It's a pretty interesting story - you should listen.
Highlights from this week's show include...
- Matt talks us through how he got into being an auditor
- Matt and Raf compare and contrast compliance and security (yes, really)
- An uncomfortable discussion on market consolidation ensues
- Matt gets put on the spot for leading and trailing indicators, provides some insights
Guest: Matthew Herring - @MatthewDHerring - Found on LinkedIn here: https://www.linkedin.com/in/matthew-herring-cissp-63277038/
2/12/2019 • 38 minutes, 28 seconds
DtSR Episode 333 - Security Evolution and Trends
This week James and Rafal talk to Sean Martin, one of the people who have been quietly making a difference in the security industry for almost three decades. Sean is credited with many innovations, ideas, and trends... and he spends some time discussing that with us.
Highlights from this week's show include...
- We collectively and quickly make fun of the SIEM (yesterday, today, and next decade)
- Sean talks through the "feature companies" that have been hitting the market in the last couple of years
- Raf brings up the idea that we really don't understand the impact of the technology we create for 10+ years - what does that mean for security?
2/5/2019 • 48 minutes, 25 seconds
DtSR Episode 332 - Security in Transformation
This week, long-time friend and colleague Jenn Black (doer of interesting things) joins James and Rafal on the podcast to talk about the role of security leaders in the digital transformation efforts of enterprise shops. Interesting conversation ensues.
Highlights from this week's show include...
- Jenn, James, and Rafal discuss the role of the security lead in enterprise digital transformation
- Jenn shares some of her experience in aiding CISOs with building security programs to support 'the business'
- We make light of the fact that it's a million degrees below zero up north
Guest
Jenn R. Black ( @JennRBlack ) - With over 18 years of experience within IT and cybersecurity managed services, Jenn helps companies manage their cybersecurity threats, vulnerabilities, and risks to meet regulatory and business needs, while driving process efficiency. As a consultant in a cybersecurity practice, she works closely with clients to define their cyber strategy, create roadmaps and solutions to meet the company’s security objectives.
1/30/2019 • 40 minutes, 6 seconds
DtSR Episode 331 - Incident Response and Counterfactuals
This week second-timer Jon Hawes is back for another trip to the microphone to talk about his interesting take on risk, response, and the security world we live and breathe. With interesting anecdotes and a firm grasp on real-world risk discussions, Jon and Raf have a pretty enlightening chat you will benefit from.
Highlights from this week's show include...
- Jon discusses the concept of a "counterfactual"
- Jon discusses feedback loops in how incidents are handled
- Jon and Raf talk through how security professionals discuss 'risk' and what we can do to better the conversation
Guest: Jon Hawes - https://www.linkedin.com/in/jonhawes/
1/23/2019 • 41 minutes, 6 seconds
DtSR Episode 330 - Biometrics for Authentication
This week, James and I sit down to discuss biometric authentication and some of the FUD around ways it can be broken. This ends pretty much the way you think it does.
Highlights from this week's show include...
- James & Raf talk about how hackers used a "wax hand" to fool a vein auth system
  Link: https://www.theverge.com/2018/12/31/18162541/vein-authentication-wax-hand-hack-starbug
- Fingerprint authentication to start your car?! We take this discussion to task
  Link: https://www.forbes.com/sites/jeanbaptiste/2018/12/27/hyundai-motor-lets-drivers-use-fingerprints-to-unlock-and-start-new-car/
- James & Raf deconstruct the argument for and against biometric security
- We ask "Does it matter that biometric auth is hackable?"
1/15/2019 • 36 minutes, 46 seconds
DtSR Episode 329 - Volunteering Your Career
This week, on the DtSR Podcast recorded way too early on a Monday morning, we talk volunteering in InfoSec with Kathleen Smith. Kathleen is the CMO of ClearedJobs.net and CyberJobs.com - and she recently ran a volunteerism survey (link: https://cybersecjobs.com/cyber-security-community-volunteering-report) you should probably check out too.
Highlights of this week's show include...
- Kathleen discusses some of the highlights of the survey
- We discuss some of the things volunteers learn, and why this is critical to our community
- Several jokes are made
- We discuss the value of volunteering and its impact on your career
- and much, much more
Guest
Kathleen Smith - @YesItsKathleen - CMO, ClearedJobs.Net/CyberSecJobs.Com, both veteran-owned companies, she spearheads the community-building and communications outreach initiatives catering to both organizations’ many audiences, including security cleared job seekers, cybersecurity candidates, and military personnel. Kathleen has presented at several security conferences on recruiting and job search within the cybersecurity world, including BSidesLV, BSidesTampa, BSidesDE, FedCyber. Kathleen volunteers in the cybersecurity community; she is the Director, HireGround, BSidesLV’s 2-day career track. Kathleen is well respected within the recruiting community, and is the co-founder and current President of recruitDC, the largest community of recruiters in the Washington DC area.
1/9/2019 • 40 minutes, 13 seconds
DtSR Episode 328 - Who Who Who Are You
This week, James and Rafal welcome in 2019 with a look at the fundamentally fatalistic argument that "everyone gets hacked" - with Richard Bird. They discuss whether that's even a valid statement, and if so, what can we do about it?
Highlights from this week's show include...
- Richard addresses the question of whether we've adopted a fundamentally fatalistic attitude towards security
- The guys discuss what the real perimeter is, as we go into 2019
- Richard schools the guys on identity - and why it's not the perimeter, but something else
Guest
Richard Bird - Chief Customer Information Officer at Ping Identity - Link: https://www.linkedin.com/in/rbird/ (Yes, Richard is the guy with the smashingly handsome bowties!)
This week James is back on the microphone with Rafal as they interview two industry veterans to talk about the right approach to security leadership, and developing that talent pool. We talk to Yaron and Setu to get a sense of what their thoughts are on where good security leaders come from, and the hallmarks of that experience.
Highlights from this week's show include...
- The curious case of the cyber head who doesn't computer
- Yaron and Setu give us their thoughts on developing security leaders
- Yaron shares some of his experience building a security program, across industries
- Yaron and Setu give us a few pieces of insight for current and future security leaders
12/19/2018 • 45 minutes, 50 seconds
DtSR Episode 326 - MidMarket Security
This week, go down the security rabbit hole with someone who has been working on security in the mid-market (likely the kind of company you work at, statistically) for a long time. Bob has some great lessons learned and is willing to share. Listen in.
Highlights from this week's show include...
- Bob gives a quick history of how he "hacked into hacking"
- A discussion of breaking into security
- Bob & Raf discuss security in the mid-market, and how it's fundamentally different than other market segments
- Bob discusses hiring, talent acquisition and "working from home" in today's job market
12/11/2018 • 40 minutes, 51 seconds
DtSR Episode 325 - A CISO at AWS reInvent 2018
In another episode LIVE'ish from AWS re:Invent 2018, I catch perennial favorite and long-time friend Dustin Wilcox as he wanders the vendor show floor.
Highlights from this week's show include...
- Raf asks Dustin the obvious question - what's a CISO doing at a cloud expo?
- Dustin discusses some of the cloud transformation challenges for security teams
- Dustin unveils the three things he is currently concerned most about for security, in the cloud
- Dustin imparts a final piece of wisdom you won't want to miss...
Rafal's Guest: Dustin Wilcox - Vice President and Chief Information Security Officer at Anthem, Inc. - https://www.linkedin.com/in/dustin-wilcox-4896614/
At day 2 of re:Invent 2018 I tracked down Arash Marzban, Armor's head of product, to talk about his stage session and where the market is going for security - at a developer/builder focused cloud conference. This short conversation is quite interesting...
11/28/2018 • 10 minutes, 35 seconds
DtSR Episode 324 - AWS reInvent 2018 Preamble
This episode of the Down the Security Rabbithole Podcast is sponsored in part by Armor Cloud Security. Go check us out at www.armor.com!
This week's show is a multi-part release from AWS re:Invent 2018. We sit down with two of Armor's solutions consultants to discuss trends, insights from day 0, and discuss anticipated moves and market shifts. Expect this to be an insightful episode where we dive into cloud security from a development and security perspective.
11/27/2018 • 24 minutes, 8 seconds
DtSR Episode 323 - Security of a Global Enterprise
On episode 323, Richard Rushing (aka the "Security Ninja") joins us to talk about being the CISO of a global organization, and multi-national enterprise.
Highlights from this week's show include...
- Richard talks to us about his background
- We discuss the unique challenges of a multinational enterprise
- Richard gives us some wisdom on how to approach "the business"
- Richard provides some advice for keeping prioritization and sanity
11/20/2018 • 1 hour, 44 seconds
DtSR Episode 322 - The Ethics of Cyber Security Panel
This week #DtSR tackles the topic no one else wants to - ethics in cybersecurity. There are a lot of things to be said, so rather than writing them down here, go listen to the episode. Repeatedly.
Highlights from this week's show include...
- A base platform for the discussion on ethics
- Moral relativism, applied to cyber
- Law vs ethics
- Cultural ethics and relativism
- "Hacking back" - yes we went there
11/15/2018 • 50 minutes, 40 seconds
DtSR Episode 321 - Putting Threats In Perspective
** Go Vote ** Do your civic duty, and go vote. Heck, while you're standing in that long line to vote, listen to the podcast, we're not picky.
This week, Rob Graham joins Rafal and James (who's back!) to talk about various topics related to threats. We start with hacking voting machines, and it goes from there.
Highlights from this week's show include...
- We ask Rob to tell us what he knows about the Georgia 'hacking the election' case going on right now
- We discuss what the real threat to our elections is
- We ask Rob to tell us what he thinks the biggest threats are, and how we should approach them
11/6/2018 • 48 minutes, 9 seconds
DtSR Episode 320 - Specializing in Forensics
This week, James Habben joins me in studio for what turns out to be an introspective walk through the evolving world of forensics.
Highlights from this week's show include...
- James gives us some background on how he got where he is
- We talk through some nostalgia
- James answers the "Is APT trying to get me" question, sort of
- We talk about things companies should be doing to prepare...
11/2/2018 • 40 minutes, 50 seconds
DtSR Episode 319 - Striking Out On Your Own
This week, my good friend and entrepreneur Rock Lambros (of the newly formed Rock Cyber) joins me to talk about getting the itch to go out on your own and actually doing it. Many of us have thought about it, daydreamed, but very few do it. So hear an episode from someone who did...
Highlights of this week's show include...
- What motivates and drives someone to jump the safety net of corporate life and go off on their own?
- Rock gives us the secret to "How you know it's time"
- We discuss how you can avoid the failings of the typical "consultant"
- We talk through some very interesting strategy and advisory questions... (lots of gems in here!)
- Rock drops his list of things to think about/remember
- We discuss how to make security more than just a cost center
Links:
- Rock's new company - Rock Cyber "Navigating Security in a Brave New World" (www.rockcyber.com)
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/23/2018 • 47 minutes, 47 seconds
DtSR Episode 318 - War, Cyber and Policy
This week the DtSR podcast tackles one of the thornier issues going around in the news. As the accusations of Russian hacking continue to mount, international leaders are speaking out and making bold statements that impact policy on a global level. This topic needed to be addressed with some folks who have actual expertise in the matter - and with the understanding that what we have here are opinions and interpretations.
Highlights from this week's show include:
- A lively discussion on the implications of the term "cyber war"
- Jon and Dennis discuss the tone and context of the article in question: https://nltimes.nl/2018/10/15/netherlands-cyber-war-russia-defense-minister-says
- Rafal, Patrick, and Jon go a few rounds on other cyber matters as they pertain to the term "war" and its implications
If you listen to this episode and have a strong opinion - get on Twitter and use the hashtag #DtSR and let's discuss it! There is already a lively discussion started here: https://twitter.com/Wh1t3Rabbit/status/1051928507884875776
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/18/2018 • 38 minutes, 19 seconds
DtSR Episode 317 - Protecting Higher Education
While James is away, Raf will podcast all day ...or something like that.
Highlights from this week's show include:
- Bill talks about what it's like to jump into a higher education system and try and play defense
- We discuss the role of governance, centralized policy, and management in higher education environments
- Bill discusses his view on the appropriate places to work in security, in a college/higher education environment
- We compare and contrast the experience of security in higher education against very large enterprise (the comparison may shock you)
Guest
William Reyor ( @WilliamReyor ) - William is Fairfield University's first CISO, is a former penetration tester, and has more than a decade of security and network engineering experience. He is also the Security BSides Connecticut co-founder. You can find Bill on LinkedIn here: https://www.linkedin.com/in/wreyor/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/9/2018 • 39 minutes, 21 seconds
DtSR Episode 316 - NCSAM 2018
So, it's October 2018, and it's National Cyber Security Awareness Month. Again. James and I have a bit of an issue with this, as you'd guess. Why are we still talking about awareness when we need action? Are there really people out there that are saying "If only I was aware that there are bad people trying to do bad things, I'd have done it differently"?
Highlights from this week's show include...
- We riff on the thing we talk about once a year (and not anymore)
- James takes a shot at passwords... fish, meet the barrel
- Raf gets a little upset that we've been talking about awareness since 2004 and nothing really changes
- Raf & James ask you to take action this year and tell us about it! Hashtag it #DtSR and tell us what you're doing for NCSAM 2018 that's going to make an actual difference
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/3/2018 • 39 minutes, 12 seconds
DtSR Episode 315 - Women in Cybersecurity-Mary Cheney
On this episode of the Down the Security Rabbithole Podcast, Mary Cheney joins us fresh off her talk to the North Texas ISSA Women in Security group. She has such a colorful background and such great stories to tell - we just had to have her on the show.
Highlights from this week's show include...
- A walk-through of Mary's colorful and extremely diverse background
- Mary talks about burnout as we pick up the topic from our conversation on Ann Johnson's episode
- Mary talks about corporate "tools efficacy" and security's cry for wolves
- ...so much more!
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/25/2018 • 51 minutes, 37 seconds
DtSR Episode 314 - None of This Crap is Secure
This week, on DtSR Episode 314, the infamous (that's more than famous) John Strand joins us. No, not the male model ...the guy who's been an InfoSec legend since before you could walk.
Highlights from this week's show include...
- We take a stroll down memory lane
- We discuss the challenges with more complexity in development
- John takes us through what he thinks some of the faults are
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/18/2018 • 54 minutes, 10 seconds
DtSR Episode 313 - Cyber Law Update Sept 2018
Friends, welcome to yet another edition of the Down the Security Rabbithole Podcast - as we invite perennial favorite Shawn Tuma onto the show! Shawn has a new office, a new law firm, and is giving us his take on what's new in the world of cyber and law. Listen in!
Highlights from this week's episode include...
- Shawn brings up "The GDPR" and the self-imposed disaster that it has become
- We dive into the problem with "all the data"
- Shawn explains the idea of "necessary and proper" and case law for data breaches
- Shawn tells us about cyber insurance and the scariest word in the vernacular ... "negligence"
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/11/2018 • 43 minutes, 3 seconds
DtSR Episode 312 - Ann Johnson on Mental Health
This week Down the Security Rabbithole Podcast welcomes two very cool ladies from the InfoSec realm. First, Ann Johnson of Microsoft (if you don't know Ann, you're living under a rock, honestly) is here to discuss a tweet she put out a while ago ( https://twitter.com/ajohnsocyber/status/1033934334720278528 ) on mental health in high-pressure jobs in InfoSec. If that wasn't enough, Jennifer Duman from Armor joins us as a guest host to provide her experienced perspective as a road warrior.
Highlights from this week's episode include...
- Ann discusses the big deal with working from the road, in a high-pressure InfoSec job
- We discuss the impact that being a road warrior has on mental health, families, and career
- Ann gives us some insight from the teams and companies she's worked with
- Ann gives us some thoughts on how to mitigate mental health impact for InfoSec professionals
Guest
Ann Johnson - Corporate VP, Cybersecurity Solutions @ Microsoft
Twitter: @ajohnsocyber
LinkedIn: https://www.linkedin.com/in/ann-johnsons/
Guest Host
Jennifer Duman - Director of North American Channels @ Armor
LinkedIn: https://www.linkedin.com/in/jduman/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/5/2018 • 41 minutes, 58 seconds
DtSR Episode 311 - Further the Browser
This week we dive into the world of the web browser. A brief history, some discussion about what's wrong and how it's broken - and a few suggestions for what to do next. This is a complicated discussion - so you can bet we'll come back to it with your feedback!
Highlights from this week's show include...
- A brief walk-through of the history of browsing
- Solutions that tried, but ultimately failed, to solve the challenges
- An approach we've seen before - the "remote browser"
- Discussion on challenges and opportunities of the remote browser concept
- Discussion on Authentic8's approach and innovations
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/29/2018 • 39 minutes, 46 seconds
DtSR Episode 310 - RFP POC OMG
This week, Rafal & James discuss one of the bigger challenges that an enterprise security team faces today - evaluating new/replacement security tools and services. Listen close if you're on the enterprise side, and listen closer if you're selling to them.
Highlights from this week's show include...
- We address the difficulties of evaluating or replacing technologies or services
- Rafal takes you into the "better" trap, and how you can avoid it
- We discuss defining concrete problem statements
- James & Rafal talk through the challenges of defining good requirements and evaluating
- We address how to pick a winner - or not
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/23/2018 • 33 minutes, 3 seconds
DtSR Episode 309 - Digital Transformation, Take 2
This week Nate Smolenski - Director, Cloud Architecture Services - joins us for an insightful discussion on the concept of digital transformation for the enterprise. Many companies are undergoing a digital transformation, or have done so already, and it's up to security to, once again, catch up. Nate brings a truckload of experience and evidence into the conversation, and as a security professional and practitioner you should absolutely listen to this episode. Twice.
Highlights from this week's show include...
- Answering: What in the world is "digital transformation"?
- Discussion around the seemingly "take 2" we're embarking on, as security professionals
- Enterprise security's role, or not, in digital transformation
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/14/2018 • 38 minutes, 24 seconds
DtSR Episode 308 - Theoretical and Applied Futurism
Friends, this week's episode is truly unique. We talk to a gentleman whose job it is to think big, and into the future in a big way. Jeremy Nulik is the "Evangelist Prime" at Big Wide Sky - an organization that looks to think big, and solve big problems, in big ways. This is an incredible journey into problem-solving on a grand scale.
Highlights from this week's show include...
- An overview of futurism, as an abstract tool for problem-solving
- A discussion on the roots of futurism
- Overview of how futurism is applied today
- The four key approaches in applied futurism
- Applying futurism to problem-solving in information security
Links you need to check out:
- https://medium.com/@bigwidesky/create-a-culture-that-embraces-vision-8557ad03d55
- https://www.linkedin.com/in/jeremynulik/
- https://bigwidesky.com/#Jeremy-Nulik
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/8/2018 • 45 minutes
DtSR Episode 307 - Building and Teaching in Chicago
On this episode of the Down the Security Rabbithole Podcast, Rafal is in Chicago for a few days and visiting with a long-time friend and colleague, Don Donzal. Don has some great history in the Chicago hacking and security professional scene, so we take a stroll down memory lane, talk about what he's doing now, and take a long look ahead. Join us!
Highlights from this week's show include...
- Don gives us a little insight into where Ethical Hacker Network got started
- A history of Chicago Con - anyone been?
- Life, family, career - and how balancing all of that and still doing what you love is important
- A look into the future of the new venture!
Catch the Ethical Hacker Network online at https://ethicalhacker.net, and on Twitter at @EthicalHacker.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/1/2018 • 33 minutes, 33 seconds
DtSR Episode 306 - Balancing Family and Career
This week, we tackle a topic that should not have taken 306 episodes to get to - balancing family and work while growing a career in Information Security. Britney hits the high points with us, and takes us down the road of what it's like being a mother and security leader - as we explore the topic for everyone who is in our field.
Highlights from this week's show include:
- Who does this apply to?
- Are you being asked to choose?
- Becoming adaptive
- When you should bend and when you should concede
- Creating your own space
- Confidence
- Benefits of Blending
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/25/2018 • 46 minutes, 34 seconds
DtSR Episode 305 - Security for the Mid-market
Do you work at a company that's too big to be "small business" but too small to be "large enterprise"? You're probably in that place known as the "mid-market". Many of the large vendors don't pay attention to you, and yet you still have all of the same problems big companies do - just without all the budget. What do you do? Listen to this episode of DtSR and find out what we think.
Highlights from this week's show include...
- Addressing the "tool" or "staff" conundrum
- Who's manning all those dashboards? Staff to dashboard ratio
- How do you prioritize, when you can't multi-thread?
- Giving up isn't an option, so what do you do?
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/17/2018 • 42 minutes, 48 seconds
DtSR Episode 304 - Transforming Security
This week, James and I interview a former Optiv colleague and advisor to many Fortune 250 CISOs in his long career, our friend Ron Kurisczak. Ron's long and successful career has included time spent truly transforming the way security functions, and how it's seen in the boardroom. Spend 35 minutes and hear his take on where we've been, and why right now is so crucial to our future.
Highlights from this week's show include...
- Why are we transforming security?
- Data classification, operation policies
- Tracking key performance indicators (KPIs) to the new rules of security
- Who's getting through, how long did they have, what did you do to eradicate?
- What are we measuring - how do we define "maturity" in security programs
- Understanding how we understand and measure long-term losses from security failures
- Moving into a truly risk-based security program, and away from "how much are my peers spending?"
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/11/2018 • 41 minutes, 36 seconds
DtSR Episode 303 - Advising Security Leadership
Thanks to my friend Brian Wrozek for joining us this week on Down the Security Rabbithole Podcast. Brian's long career as a CISO has broken several 'typical' molds... so he's a fantastic person to join us to talk about the things CISOs should be thinking about.
Highlights from this week's show include...
- Prioritizing projects as the CISO
- Getting support from the outside because "we hired you to know this"
- Refreshing and revisiting completed projects/tools to optimize and see a value
- Security is additive, we never really take anything away - is this a problem?
- Red team, blue team, purple team ... what happened to penetration testing?
- Automation, orchestration, automated response to bad
- Risk management, and "back to the basics" is still broken
- Breach after breach after breach - and nothing's changing
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/3/2018 • 38 minutes, 18 seconds
DtSR Episode 302 - InfoSec Superhero Syndrome
This week, as DtSR rolls on to Episode 302, we talk with John Svazic, who is a Cloud Security Architect for a day job and runs the Purple Squad Security Podcast in his spare time. His perspective on the idea of an "infosec army of one" is one that many of us share, and it needs to be solved.
Highlights from this week's show include...
- Trying to solve everything, on our own... burn out or flame on
- Working as a lone wolf can be detrimental to your career, and sanity
- Working as an individual within an enterprise team
- Perspective for the business requires others
- Case in point - Application security jobs
- Purple teams - the ultimate collaboration, not me vs you
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/26/2018 • 38 minutes, 30 seconds
DtSR Episode 301 - Julie Conroy on eFraud and Identity
This week on Episode 301, James is off and I have a one-on-one conversation with Julie Conroy from Aite Group on the topic of global fraud. It's a fascinating conversation that winds through the fringes and often unexplored corners of enterprise security. Check it out, and special thanks to Julie for taking the time out of her busy schedule.
Highlights from this week's show include...
- A brief glimpse into the impact of enterprise security on global fraud
- Julie talks through identity, and how enterprise security can positively impact fraud
- Account takeovers - the thing we all fear but struggle to solve
- Balancing security and usability, convenience
Guest
Julie Conroy ( https://www.linkedin.com/in/julie-conroy-6997/ ): Julie is an experienced product management executive with a proven track record of revenue growth and innovation.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/19/2018 • 41 minutes, 8 seconds
DtSR Episode 300 - Reminiscing
Thank you, listeners! Down the Security Rabbithole has reached milestone episode #300. In this episode, James and Rafal sit down with nothing more than an open mic and talk through topics the podcast has previously covered, and others we still have yet to cover. Join us. And a personal thank you to all of our guests over the past 300+ episodes... we are looking forward to much more great content to come!
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/14/2018 • 54 minutes, 36 seconds
DtSR Episode 299 - Leadership Lessons w Chris Abramson
Special thanks to Chris for doing this in person. It was a fun conversation and always a pleasure!
Highlights from this week's show include...
- Chris and I talk about measuring 'risk'
- We discuss 'brittle systems' which apparently are still alive and kicking
- Risk analysis, cloud computing, and your business
Guest
Chris Abramson ( @cabramson50 ) - Director, Information Security Delivery & Engineering; team-oriented Enterprise Information Security Management professional seeking to improve the security of organizations through education and practice. Qualifications include a bachelor's degree in computer science; CISM, CISA, CEH and ECSA certifications. Understanding of industry, state and federal regulatory standards. Ten years of experience in the creation and deployment of Information Security solutions for protecting the networks, systems and data assets of a Fortune 50 company.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/5/2018 • 41 minutes, 29 seconds
DtSR Episode 298 - Overcoming the Language Barrier
Two more episodes until we hit #300... what a crazy ride it's been! Thanks for taking the journey with us, and we're looking forward to having you along for another 300 (maybe).
Highlights from this week's show include...
- Applications of DoD security in a non-DoD world
- The meaning and elements of the risk equation
- Understanding (making sense of) the risk equation
- Swimming in the swamp of marketing literature
- AppSec as an area of expertise (again, and again, and again)
Go see Jeff at Circle City Con if you're attending. He's giving a talk ( https://circlecitycon.com/talks/rethinking_cyber_security_given_the_spectre_of_a_meltdown_someone_hold_my_beer/ ) titled "(Re)Thinking Cyber Security Given the Spectre of a Meltdown: (Someone Hold My Beer)"
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/29/2018 • 50 minutes, 36 seconds
DtSR Episode 297 - A Model for Prioritizing Patching Efforts
Before you listen to this podcast ... go grab this report: https://www.kennasecurity.com/prioritization-to-prediction-report/ from Kenna Security and the Cyentia Institute. Read it. Think about it. Then listen to this show.
Highlights from this week's show include...
- A high-level walkthrough of the model the authors developed, and the many interesting insights
- Why what you're doing now is probably as good as random chance
- A deeper discussion on cause and effect of patches, and trying to do everything
- So much more!
While you're listening to the show, hit us up on Twitter using the hashtag #DtSR or tweet to @DtSR_Podcast!
Guests
- Jay Jacobs ( @JayJacobs )
- Wade Baker ( @WadeBaker )
- Michael Roytman ( @MRoytman )
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/22/2018 • 48 minutes, 45 seconds
DtSR Episode 296 - Hype Machine Off the Rails
This week, former analyst and security industry veteran Adrian Sanabria joins James & Rafal to talk about some of the hype in our industry. From current events, to learning lessons, to the ongoing master class in bullsh*t we convince ourselves of - this podcast is a riveting (although slightly longer) episode of free-flowing discussion.
Highlights from this week's show include...
- We discuss #eFail - and the circus maximus of ridiculousness that it currently is
- Adrian gives us some views on believing our own nonsense
- We attempt to discuss how we got to this point
- Much more!
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/15/2018 • 52 minutes, 34 seconds
DtSR Episode 295 - DevSecOps is Not a Thing
This week, Mark Nunnikhoven joins us from the great white North. All the way from Ottawa, Canada - Mark talks with James and Raf about cloud computing, DevOps, and some silly things security folks are doing to undermine themselves in the brave new world.
Highlights from this week's show include...
- A brief discussion on moose and Canada
- Why none of us believe "DevSecOps" is a thing
- Deploying security into modern code development practices
- Much, much, much more
Guest
Mark Nunnikhoven ( @MarkNCA ) - Vice President, Cloud Research at Trend Micro. Mark has way too many credentials and accolades to list here, go read his LinkedIn page, or check out "Mornings with Mark" on his Twitter feed daily. [Mark on LinkedIn]
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/9/2018 • 47 minutes, 36 seconds
DtSR Episode 294 - Securing Azure
* Special thanks to Microsoft for giving DtSR access to fantastic guests, and printing t-shirts & stickers for RSA Conference 2018. Please help us say thank you and check out all of the MS announcements at https://microsoft.com/rsa and if you really want to check out something amazing where IoT and cloud collide, check out https://microsoft.com/azure-sphere.
On this second special episode of the podcast live from RSA 2018, Raf sits down at RSA Conference 2018 with a gentleman you may not know but you should, Avi Ben-Menahem. We discuss what it's like, in terms of effort, scope, and sheer talent, to take on the monumental task of securing the Azure public cloud platform. Avi shares his insights, and drops us some interesting tidbits on the day in the life of someone working at truly hyperscale.
Again, special thanks to Jessica and the Microsoft team for some truly unprecedented access.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/2/2018 • 40 minutes, 38 seconds
DtSR Episode 293 - Diana Kelley from RSA 2018
* Special thanks to Microsoft for giving DtSR access to fantastic guests, and printing t-shirts & stickers for RSA Conference 2018. Please help us say thank you and check out all of the MS announcements at https://microsoft.com/rsa and if you really want to check out something amazing where IoT and cloud collide, check out https://microsoft.com/azure-sphere.
On this very special episode of the podcast, Raf sits down at RSA Conference 2018 with the one and only Diana Kelley to talk data integrity, crisis communication, and fear-based selling in security. Again, special thanks to Jessica and the Microsoft team.
Guest
Diana Kelley ( @DianaKelley14 ) - Diana is the Cybersecurity Field CTO for Microsoft, a cybersecurity thought leader, practitioner, executive advisor, architect, speaker, author and co-founder of SecurityCurve. More here: https://www.linkedin.com/in/dianakelleysecuritycurve/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
4/24/2018 • 39 minutes, 28 seconds
DtSR Episode 292 - Navigating Industry Conferences (RSA)
This week, James is back and he and Raf sit down for a discussion on navigating the big industry conferences, as RSA Conference kicks off in San Francisco. We add just the right bit of snark to your day, and provide some much-needed commentary on the industry, conferences, and survival.
Highlights from this week's show include...
- A quick overview of RSA Conference
- Getting value, learning something, or whatever else
- Buzzwords, and navigating marketing speak
- Attendee personas: buyer, attendee, vendor - there is a huge difference in how you experience a conference from these angles
- Feature, product, or startup (sometimes they're the same thing!)
- Tips, tricks and ideas for having a successful experience
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
4/17/2018 • 42 minutes, 37 seconds
DtSR Episode 291 - A New Perspective On Endpoint (Nyotron)
[This week's episode and fantastic discussion on endpoint security is sponsored by Nyotron]. DtSR listeners already know we don't do advertisements or traditional sponsorship - so when we bring in a sponsored guest it's because we believe the topic is interesting and the guests have a genuinely interesting point of view. On that note...
The topic this week is the endpoint. Yes, the endpoint - the place where security started, and was subsequently abandoned, and reborn. Whether you're talking about virtual cloud workloads, laptops or other types of endpoints - we can all agree on the fact that there are too many buzzwords, too many tools, and too many 'solutions' to the various ailments of the endpoint. This week we dive down the rabbit hole with Rene and Nir, from Nyotron, to hear their unique perspective and get an understanding of why they think their approach to this very difficult problem is worthy of your time.
I invite you to give this episode a listen, as it's a bit of a pilot for us. If you all enjoy it, we will do 1-2 of these per quarter ... if the audience votes that these add no value, we will give it more thought.
If you're coming out to RSA 2018, come see demos of live attacks (including Rubber Ducky) and learn more about Nyotron's technology at the RSA Conference - South Hall, booth #1639.
More information on Nyotron, which we invite you to check out, is here:
- Nyotron's latest OilRig report - https://nyotron.com/oilrig/
- Background on Nyotron's technology - https://nyotron.com/wp-content/uploads/2017/01/Nyotron-Positive-White-Paper_1-10-2018.pdf
- Endpoint security assessment - https://nyotron.com/bpt/
Don't forget the hashtag #DtSR on Twitter and you can find us on LinkedIn as well! Thanks to Rene and Nir of Nyotron for the discussion and recognition of the DtSR audience!
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
4/10/2018 • 39 minutes, 5 seconds
DtSR Episode 290 - What Ails the CMS
This week on the Down the Security Rabbithole Podcast, Tony Perez stops by for an early morning chat about the content management systems we in InfoSec love to hate on. We talk about Drupal, WordPress and all the other CMSes out there that have similar issues.
Highlights from this week's show include...
- Why start a company that does CMS security (they're hopeless anyway, right?)
- How many of the most popular CMSes are actually not as bad as you may think, security-wise
- The core, the plug-in infrastructure, and plug-ins
- Finding, responding to, and fixing bugs in the modern software world
Guest
Tony Perez ( @Perezbox ) - [Tony has perhaps one of the coolest LinkedIn write-ups, so I'm pasting it here.] Tony is a proven business leader and operator. He is a former US Marine (2000 - 2005), and former CEO of Sucuri (2011 - 2017), a website security platform that was acquired by GoDaddy in April 2017. He has proven experience taking a security product from startup to a global, multi-national organization. His core competency revolves around: leadership, management, marketing, product position, product pricing, sales, business institutionalization, revenue and organizational strategy. He believes that our greatest responsibility in sales and marketing is to bridge the gap between the value a customer expects from your product, and the value you assume you are delivering. He brings with him an intoxicating level of energy, work ethic and passion. Excelling in high-tempo environments, and executing flawlessly against strategies. He is adamant about self-reflection and self-actualization, placing energy on learning his weaknesses and building on them. He is horrible at spelling, but amazing at motivating people. He is known for challenging people to be better, to strive for more, to never settle for the cards they've been dealt. He was a leader of Marines, and today he's a leader of people, technology and industry.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
4/3/2018 • 41 minutes, 59 seconds
DtSR Episode 289 - Neither Security Nor Privacy
This week, join DtSR as Rafal sits down across the virtual table with the one and only Robert Hansen. Rob (aka @Rsnake ) discusses his roots of being an almost-bad-guy, to the security of browsers, and privacy. Plus we get to reveal something pretty awesome...
Highlights from this week's show include...
- Rob's fascination with alien conspiracy theories
- A back history of browsers you've never heard of, that you benefit from today
- Google...
- Security vs. Privacy - why you don't actually get either
- A secret reveal from Rob about his exciting new venture
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/27/2018 • 49 minutes, 37 seconds
DtSR Episode 287 - Armored and Battle Tested
In case y'all don't read LinkedIn or Twitter - Rafal recently joined Armor (Armor.com), so what better time to interview the CEO Chris Drake than right now. So this week, Chris Drake joins us in the studio to talk about his background (which is quite interesting, by the way) and how he got to start a fast-paced cloud security-as-a-service company.

Highlights from this week's show include...
- The road starts with jumping out of airplanes
- The Butterball story
- More discussion on challenges with existing security models
- Security-as-a-Service vs. Managed Security (MSS) - differences and big differences

Guest: Chris Drake, Founder and CEO of Armor ( @ChrisDrake ) - Chris is currently the founder and CEO of Armor, a fast-paced cloud Security-as-a-Service provider. If you want more on Chris, you'll have to listen to the podcast.
3/13/2018 • 46 minutes, 19 seconds
DtSR Episode 286 - Breach vs Incident vs Lawyers
This week's DtSR Podcast sits down in the offices of Shawn Tuma to discuss an update on the law with regards to data breaches, or incidents - and what the differences are between them. We talk through current events, past history and look into the future a bit.

Highlights from this week's show include...
- the legal differences in the words we use (breach vs. incident)
- notification and disclosure in a global economy
- planning, preparation, and the big day
- costs - specifically around insurance - when things go badly
- right to sue for current, and future, damages (did they really happen?)
- overview of GDPR, and the cornucopia of other local, regional, national, and international laws as they are evolving

Guest: Shawn Tuma ( @ShawnETuma )
3/6/2018 • 44 minutes, 52 seconds
DtSR Episode 285 - Alt-Tab Alt-Tab Swivel-Chair
We have a treat for you folks this week! On episode 285 of the podcast I'm joined by three well respected, forward thinking, and entrepreneurial-minded security executives to talk about some of the challenges they see in the industry and what they're doing to solve them. From cloud, to threat intelligence, staffing, and other scaling issues - we address the issues head-on, and provide some insight into what these three are thinking going forward. *The audio quality isn't the usual high quality I expect to publish, so my apologies for that in advance. Somewhere the recording tool I use had an issue, but I did my best to make sure you could hear the speakers clearly. Apologies for the background noise on this recording.

Guests: Susan Magee, Dustin Wilcox, Jason Clark

If you've noticed the new logo, it's courtesy of a phenomenal artist, whose name is Peter Czaplarski. Yes, you too can hire him to draw amazing things for you; you can find him here: http://fb.com/CzaplarskiArt. Peter is also the artist behind Vengeance Nevada (found here, for you comic lovers: https://www.comixology.eu/Vengeance-Nevada-1/digital-comic/593731 ) and has been an artist in many other venues. We highly encourage you to give his Facebook page a like!
2/27/2018 • 48 minutes, 28 seconds
DtSR Episode 284 - MSS SOS
This week on the Down the Security Rabbithole Podcast, Raf and James welcome long-time friend of Rafal's - Scott Stanton - to the microphone. Scott's able to join Raf in person in Atlanta, while James is predictably on the other end of a Howdy Doodie (you'll get this if you listen). This week, we tackle the MSS issue (Managed Security Services providers) again, but with a fresh angle where we aren't just spending the entire time bashing something we all rely on - but rather providing some constructive feedback to MSS providers from an enterprise perspective. And reminiscing a little. A lot. Join us! And spread the word!

Guest: Scott Stanton ( @Scott_Stanton ) - Information Security leader with experience in the High Tech, Manufacturing, Engineering, Services, and Energy industries. My technical depth includes application development, IP networking, operating systems, virtualization, and storage systems. Scott is currently the Senior Manager of Infrastructure Security at a medical technology company.

If you've noticed the new logo, it's courtesy of a phenomenal artist, whose name is Peter Czaplarski. Yes, you too can hire him to draw amazing things for you; you can find him here: http://fb.com/CzaplarskiArt. Peter is also the artist behind Vengeance Nevada (found here, for you comic lovers: https://www.comixology.eu/Vengeance-Nevada-1/digital-comic/593731 ) and has been an artist in many other venues. We highly encourage you to give his Facebook page a like!
2/20/2018 • 50 minutes, 46 seconds
DtSR Episode 283 - Testing Security Into Applications
This week an old friend, Vinnie Liu of Bishop Fox, joins Raf and James to talk about the history of AppSec. We started out trying to test ourselves secure, and we continue to come back to it - so this episode is a walk down memory lane and a glimpse into the future of application security. Don't forget to like us on iTunes and share with your colleagues!

Guest: Vinnie Liu ( @VinnieLiu ) - Vincent Liu (CISSP) is a Partner at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. With nearly two decades of experience, Vincent is an expert in security strategy, red teaming, and product security; and at Bishop Fox, he oversees firm strategy and client relationships.
2/13/2018 • 49 minutes, 45 seconds
DtSR Episode 282 - DDoS - Past, Present, and Future
Join us this week on Down the Security Rabbithole as Barrett Lyon (who knows a thing or two about DDoS) is our guest to talk about the evolution of the art and science of kicking people off of a network. Barrett is the authority on DDoS, with over 20 years in the field, going back to when angry teenagers flooded each other off of IRC servers. This is a fun episode that walks through DDoS - where it came from, how it evolved, and what we can expect in the future. TLDR; yes ...your fridge may one day DDoS your toaster.

Guest: Barrett Lyon ( @BarrettLyon ) - Barrett Lyon is the Vice President of Research and Development for the Neustar Security Solutions' portfolio. He spearheads the development of innovative new products and solutions for the company's industry-leading DDoS, DNS and cybersecurity solutions. Mr. Lyon is a serial entrepreneur and a well-respected cybersecurity thought leader with experience building leading edge network services and infrastructure. Prior to Neustar, Mr. Lyon founded Defense.net and served as its Chief Technology Officer. In 2009, he co-founded XDN, Inc. and served as its CEO. As Chief Technology Officer, he led the strategy and technical operations at BitGravity, a company he co-founded. Previously, Mr. Lyon founded Prolexic Technologies and served as its Chief Technology Officer, where he created the first successfully managed service to defend enterprises from Distributed Denial of Service (DDoS) attacks. His authority and over 20 years of experience in the network security space has led to numerous collaborations with a majority of the tier-one and tier-two carriers in North America and Europe, and at National Securit
2/6/2018 • 43 minutes, 25 seconds
DtSR Episode 281 - Exploiting and Defending Human Behavior
This week, go Down the Security Rabbithole with James and Raf as they host Robert Sell. Robert took 3rd place at the Defcon SECTF (Social Engineering Capture-the-Flag) in 2017 and he has some lessons for you in the enterprise. "Social Engineering" (while a ridiculous and non-descriptive term) is a real attack vector. How are you defending your enterprise? Listen in. Then talk back on Twitter at #DtSR or LinkedIn!

Guest: Robert Sell ( @RobertESell & https://www.linkedin.com/in/robertsell/ )
1/30/2018 • 48 minutes, 59 seconds
DtSR Episode 280 - A Cloud Container Security Primer
This week, Chris Rosen from IBM joins us to talk about cloud containers - and the security (or lack thereof) of them. There is a paradigm change coming which significantly impacts security - if we're ready for it. Chris talks us through the dramatic changes (or maybe not) of doing cloud security with containers and the impact to the shared responsibility model. Join us, and let us know what you think by leaving us a comment, either here or on iTunes.

Guest: Chris Rosen - https://www.linkedin.com/in/chris-rosen-71790513/
1/22/2018 • 45 minutes, 49 seconds
DtSR Episode 279 - Deeper Down the SDP Rabbithole
This week, Jason Garbis re-joins the podcast to go past the Primer (Episode 257) and dive deeper into SDP (Software Defined Perimeter) with a discussion on cloud and relevance to the re-invention of the data center and related infrastructure.

Related DtSR listening:
- Zero Trust Model w/ John Kindervag: http://podcast.wh1t3rabbit.net/dtsr-episode-222-zero-trust-security-model
- Software Ate the Perimeter w/ Jason Garbis: http://podcast.wh1t3rabbit.net/dtsr-episode-257-software-ate-the-perimeter
1/16/2018 • 44 minutes, 28 seconds
DtSR Episode 278 - The Meltdown Over Spectre
Welcome Down the Security Rabbithole. This week we bring Jeff Schilling from Armor to talk about Spectre and Meltdown - the two hottest topics in security right now and for the foreseeable future. While you listen to us talk, check out these links:
- http://uproxx.com/technology/what-are-meltdown-spectre-computer-bugs-explained/
- http://bgr.com/2018/01/04/intel-chip-security-flaw-how-slow-mac-pc/
- https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
And the obligatory "I patched and things got worse" post: https://twitter.com/timgostony/status/948682862844248065
1/9/2018 • 43 minutes, 37 seconds
DtSR Episode 277 - An Outside In Look at Security and Innovation
Happy New Year, 2018. Friends, thanks for listening! I can't believe this podcast is still going strong after all these years and 277 episodes. I started this podcast with an idea - give you something to listen to that was office-friendly, informative, and focused on advancing our trade. Over the years I've gotten some encouraging comments from people ranging from those trying to get into our industry, to those who are leading large organizations' security practices. I'm encouraged by you all, and thank you for supporting us. Now, let's get on with 2018. On this first episode of 2018, James and I welcome Ben Kepes who is a long-time friend of mine and an industry analyst. Ben isn't your typical analyst though, because he has a healthy dose of skepticism, an eye for bullsh**, and he's trusted by vendor and buyer alike. Oh, also, he's a Kiwi so he's got that going for him too. Sit back, enjoy, and leave us a comment if you are so moved.
1/2/2018 • 46 minutes, 41 seconds
DtSR Episode 276 - Game Changer in ICS (no FUD edition)
What: In this episode we get the facts on the recent game-changing malware/attacks that appear to be nation-state sponsored, attacking critical safety systems in industrial controls (ICS).

Why: You've probably read about it, and depending on what you read you may only have the hype or half the story.

Who: As always, Sergio Caltagirone from Dragos is the master at telling a great story, from just the facts. He's part of the team that did the analysis, wrote the narrative, and then ended up on countless phone calls explaining it to executives and national security types. He knows his craft.

Links:
- Dragos blog about the topic: https://dragos.com/blog/trisis/
- FireEye's version: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

We invited him on this special episode to give you the inside story, to separate some of the hyperbole from reality - so listen up.
12/26/2017 • 44 minutes, 4 seconds
DtSR Episode 275 - Beyond 2017 A New Hope
For episode 275 we are once again joined by the one and only Haroon Meer ( @haroonmeer ) to follow up on his conversation from September 2016 titled "What will get us there". If you've not had a chance to listen to that show, you absolutely should do that first.

Haroon shares his perspective including...
- "The cloud has won"
- Fundamentals are still hard, we're still largely failing at them
- Hackers make the best engineers when you give them a problem to solve
- Where do we go from here, into 2018, is there hope?
12/19/2017 • 44 minutes, 8 seconds
DtSR Episode 274 - Let's Talk Power Grid
This week, Patrick Miller returns (another boomerang guest from the way-back machine) to talk about the energy grid. It turns out, things aren't super different from 5 years ago, but some things have changed. Patrick and I discuss resiliency (over actual security) in the grid, and focus on transmission, generation, and "getting it all working again" from a life safety perspective. It's a fascinating discussion, don't miss it! ** Apologies for some of the audio quality, we had "choppy" issues on Skype and I edited the best I could.
12/13/2017 • 38 minutes, 51 seconds
DtSR Episode 273 - Automate or Die (w/Demisto)
Join James and Rafal, one last time, live from Enfuse Conference (Las Vegas, NV) this past summer. In this episode, we track down a personal friend of Raf's - Bob Kruse, Demisto, VP Sales & Alliances - and talk about the need for the enterprise to automate and orchestrate. Oh, also, Bob pretty much said that within 1 year from the recording of that episode he would get an "Automate or Die" tattoo. So just to be on the safe side, we'll give him until next year, about this time. Game on, Bob.
12/5/2017 • 29 minutes, 10 seconds
DtSR Episode 272 - Innovation, Startups, and the Security Bubble
This week, Grant and Mark join me live and in person in Las Vegas at the Amazon AWS re:Invent conference to talk about the security marketplace, innovation, "the bubble" and more. Here's the announcement we talked about at the opening of the show - McAfee announces agreement to buy Skyhigh Networks: https://www.skyhighnetworks.com/mcafee-and-skyhigh/

Guests: Mark Arnold ( @lotusebhat ), Grant Sewell ( @GrantSewell )
11/28/2017 • 42 minutes, 33 seconds
DtSR Episode 271 - The Secrets of Influence Through Communication
This week James and I are fortunate enough to have one of the best keynote speakers I've ever seen on the show. He's an amazing speaker, a brilliant magician and a sharp dresser - this guy is the real deal. Straight off the keynote stage at the Security Advisor Alliance (SAA) Summit in Denver ... ok maybe not straight off, Vinh Giang joins us to talk about how to influence people while you're up there giving a talk or speech. Grab something to take notes with - trust me, this one is chock full of brilliant nuggets.

Guest: Vinh Giang ( Twitter: @AskVinh and Facebook: https://www.facebook.com/askvinh/ ) is a brilliant self-made public speaker, magician, and all-around snappy dresser.
11/21/2017 • 45 minutes, 6 seconds
DtSR Episode 270 - Secrets of InfoSec at Scale
Ladies and gentlemen - we have our first 3-time guest! Brandon Dunlap, my good friend and industry titan, joins the podcast for his third trip down the rabbit hole. In this episode Brandon Dunlap (@bsdunlap) and I talk through the challenges of security at scale, in person and live from Seattle. In the previous two episodes that Brandon has done on this show we've talked about the challenges of scaling information security teams, and this time we go deep into the strategies that work, where the lines are drawn and some lessons learned from a very successful career doing exactly this - InfoSec at scale.

The previous two appearances of Brandon on this show are:
- Outsourced but Better - DtSR Episode 202 - Outsourced but Better
- Managing Security with Outsourced IT - DtSR Episode 158 - Managing Security with Outsourced IT

We invite you to listen, take notes, and converse with us on #DtSR on Twitter, or on this post on LinkedIn.
11/15/2017 • 50 minutes, 54 seconds
DtSR Episode 269 - Industrial Internet of Things (IIOT)
This week, we have a repeat guest with Robert M. Lee joining our show to talk about the Industrial Internet of Things. Rob has just finished a conference that his company, Dragos, Inc., started in order to educate and help increase awareness and research for the Industrial Internet of Things. Whether you think you know what the IIOT is, or whether you can admit to yourself you need to know more - this podcast will have it all. We also reference a podcast with Dr. Timothy Chou (link: DtSR Episode 250 - Deconstructing the Internet of Things ). If you haven't read his book, "Precision" (link: https://www.amazon.com/Precision-Principles-Practices-Solutions-Internet/dp/1329843568 ), it's the basis for a lot of this discussion. Thanks to Rob again for being on the show!
11/7/2017 • 48 minutes, 14 seconds
DtSR Episode 268 - CISOs Survival Guide
Welcome down the Security Rabbithole, friends and colleagues! This week, my guest is Larry Whiteside, Jr. (we know him as the best dressed man in InfoSec). Larry joins the podcast while James is out to discuss the life and times of a CISO. He has extensive experience as a CISO and security leader, working across multiple market verticals from energy to healthcare, in addition to being a former colleague advising CISOs. Larry dispenses his brand of knowledge with a little bit of an edge, a little dose of realism, and a lot of fun. If you've never had the pleasure of working with Larry - it's something I advise you do at some point in your career. He's even been referred to as the "CISO Whisperer" by people who know and have worked with him. All else failing, Larry can always give you fashion advice, and up your sock game. Game on!
This week, James and Raf cover the tail-end of Cyber Security Awareness Month. It's been an interesting week of news and of course let's talk about awareness. Have you completed your mandatory training?

This week's talking points:

Namaste Health Care security incident, announcement
- Pay attention to how this article is worded; we've covered this before with Sean and Michael too
- When you don't know, you have to report the worst case
- Focuses the spotlight on knowing what's in your environment, and having a plan for not only technical IR but communications
- How would your organization report? Are you ready to be better?
- http://www.abc17news.com/news/namaste-health-care-reports-data-breach-unsure-if-the-attacker-had-access-to-files/642247970

DHS Imposes DMARC on Federal Agencies
- Any time we can add to the security measures over email, bonus
- We already know email is the #1 way bad things get disseminated
- This is not set-and-forget; you need to make sure it's working!
- https://www.bankinfosecurity.com/dhs-imposes-email-security-measures-on-federal-agencies-a-10386

Cyber Security Awareness Training
- Are we over it yet?
- Raf says he's always late, and it's always the same thing... does it work?
- What are some better alternatives? (there have to be better)
- Does your job offer/mandate awareness training? Does it WORK?! How would you even know??
10/24/2017 • 36 minutes, 34 seconds
DtSR Episode 266 - Leadership Perspective with Michael
This week we're getting the band back together! Michael Santarcangelo joins us for a segment we'll be featuring regularly (look for it every 6 weeks or so) on the leadership perspective. Security could use some leadership, and we will be enlisting Michael to talk about current events and lessons for leadership. Tune in, and you may just end up with something you can use in your day job.
10/17/2017 • 57 minutes, 5 seconds
DtSR Episode 265 - Privacy and Paranoia
This week's Down the Security Rabbithole Podcast asks - "Are you paranoid enough about your privacy? Or do you simply not have any?" with a couple of gentlemen who would know. Join James and Raf as we go down the rabbit hole one more time, this time talking about the breadcrumbs, fingerprints, and digital privacy violations you voluntarily give up in your everyday life. It's a little scary, but the trade-off we make for the sake of convenience is very real. Grab your tinfoil hat and your burner phone and enjoy!
10/10/2017 • 47 minutes, 11 seconds
DtSR Episode 264 - Windows Forensics Then and Now
This week, Harlan Carvey joins James and I to talk about the evolution of Windows forensics over the last decade and a half or so. Harlan has more experience than most when it comes to diving into the Windows machine from a forensics perspective and is a well-spoken author of many books and blogs.

Guest: Harlan Carvey ( @keydet89 ) - Digital forensics and incident response analyst with past experience in vulnerability assessments and penetration testing. Conducts research into identifying and parsing various digital artifacts from Windows systems, and has developed several innovative tools and investigative processes specific to the digital forensics analysis field. Developer of RegRipper, one of the most widely used tools for Windows Registry analysis. Has developed and teaches several courses, including Windows Forensics, Registry, and Timeline Analysis.
Harlan's Blog: http://windowsir.blogspot.com
Harlan on LinkedIn: https://www.linkedin.com/in/harlan-carvey-86a8694b/
10/3/2017 • 41 minutes, 41 seconds
DtSR Episode 263 - Legal Update Q3 2017
On this episode of Down the Security Rabbithole Podcast James and I get an update on the legal issues that have been talked about from our legal-eagle Shawn Tuma! We're continuing our policy of not piling on to data breach hysteria, but will be covering some of the legal ramifications of recent disclosures, a possible national data breach law and a few other things that will make this show a must-listen. Shawn's unique perspective and true expert insights give you talking points and a download of facts that you wouldn't get listening to the talking heads and mainstream media. Enjoy, share with your colleagues, subscribe via RSS, and don't forget to talk back to us on Twitter using the hashtag #DtSR. Thanks for listening!
9/26/2017 • 45 minutes, 8 seconds
DtSR Episode 262 - Deeper Down the Cyber Liability Insurance Rabbithole
This episode, in conjunction with the Security Advisor Alliance ( https://www.securityadvisoralliance.org/ ), we dive into a third round of Cyber Liability Insurance. This fascinating discussion dives deeper into the things security leaders need to know as Travis and Stephen get right to the heart of matters.

Required pre-listening... Check out the first episode (way back in the archives) on DtSR Episode 34 - The Inside Scoop on Cyber Liability Insurance ( http://podcast.wh1t3rabbit.net/episode-34-the-inside-scoop-on-cyber-liability-insurance ) with Christine Marciano ( @DataPrivacyRisk ). Then, go grab episode 172, our 2nd foray into this topic titled "The Truth on Cyber Insurance" ( http://podcast.wh1t3rabbit.net/dtsr-episode-172-the-truth-on-cyber-insurance ) with Eran Kahana and L. Keith Burkhardt and dive a little deeper.

As always, thoughts and comments are more than welcome and discussion using the hashtag #DtSR is encouraged!
9/20/2017 • 50 minutes, 54 seconds
DtSR Episode 261 - Deeper Down the ML Rabbit Hole
Welcome to another Down the Security Rabbithole episode folks! This week, Alex and Sven are baaaaaaack for a deeper dive into machine learning and the shenanigans that surround it. We talk through what ML is, some use-cases and further dispel some common myths. We even have a little fun, who knew.

Guests: Alex Pinto ( @Alexcpsec ), Sven Krasser, Ph.D ( @SvenKrasser )
9/13/2017 • 54 minutes, 56 seconds
DtSR Episode 260 - The Immense Challenge of Protecting Office 365
This week, on Down the Security Rabbithole, Rudra "Rudy" Mitra joins us from Redmond to talk about what it's like to defend Office 365 at scale.

On this episode we cover:
- What we mean by "at scale" in regards to Office 365
- Some pros and cons of the Office 365 platform as it pertains to security and safety
- Early warning, early detection, and how easy it is to really break things

There's so much more too! We even skipped talking about current events to give this show maximum run-time. Sit back, grab something to take notes with, and listen up. The lesson begins now.

Guest: Rudra "Rudy" Mitra - ( @rudramitra ) Rudra is the Director of Information Protection for the Office 365 platform. He works on extremely large-scale projects to ensure the safety and security of client data and the platform itself. LinkedIn profile is here: https://www.linkedin.com/in/rudramitra/
9/5/2017 • 42 minutes, 8 seconds
DtSR Episode 259 - Risk Communication Primer
As we go once again down the security rabbithole, Raf and James meet up with Claire Tills who gives us a primer on "risk communication". Communicating 'risk' is a nuanced, subtle and often time-based endeavor so we feel like everyone should have at least some background in it. Sit back, relax, and again...start taking notes furiously.

Guest: Claire Tills ( @ClaireTills ) - Communication researcher trying to get into information security. I write about applying comm theory to infosec and case studies in my blog (http://cliretills.com).
8/31/2017 • 49 minutes, 19 seconds
DtSR Episode 258 - Big Scary Numbers
This week on the Down the Security Rabbithole Podcast, Dave Bittner of The CyberWire (podcast) joins us to talk about some of the ways that we believe security goes awry when it comes to 'big, scary numbers'. Listen in...

Top News

Maersk says it's going to lose between $200M and $300M from NotPetya
- Depending on which headline you read this is either a catastrophe - or not that big of a deal
- Seems to be about perspective in their overall guidance to investors, in light of industry trends
- https://www.cnbc.com/2017/08/16/maersk-says-notpetya-cyberattack-could-cost-300-million.html
- https://theloadstar.co.uk/maersk-shrugs-off-300m-cost-cyber-attack-freight-rates-soar/
- Bottom line, perspective matters

Uber is in trouble. Again.
- FTC has Uber in hot water over less-than-strict security of drivers' information
- Lack of security, privacy and finally a chief security exec
- Speaks to a broader issue with how start-ups treat security in the overall scheme of "making it"
- https://www.forbes.com/sites/thomasbrewster/2017/08/15/uber-settles-ftc-complaint-over-secuirty-and-privacy/#5dc3d58b88da
8/22/2017 • 51 minutes, 55 seconds
DtSR Episode 257 - Software Ate the Perimeter
This episode of Down the Security Rabbithole Podcast was recorded live and in person in Las Vegas at the Black Hat Conference 2017. Raf had a chance to sit down across the microphone from Jason Garbis of Cryptzone to talk about the software defined perimeter. SDP is a relatively new space many of us in security aren't familiar with, so we decided we'd record a primer on the topic, narrated by someone who is expertly involved on the practitioner side (through the CSA, Cloud Security Alliance) developing the standards and on the provider side (Cryptzone) developing products and services towards the specification. This is a more technical-focused podcast than many of our others, so sit back, grab a notepad and get ready to learn something. For more of Jason's work, check out this link: https://insight.cryptzone.com/author/jason-garbis/

Guest: Jason Garbis - Vice President of Products for Cryptzone, where he's responsible for the company's product strategy and product management. Garbis has over 25 years of experience with technology vendors, including roles in engineering, professional services, product management, and marketing. Jason joined Cryptzone from RSA, and holds a CISSP certification.
8/16/2017 • 49 minutes, 29 seconds
DtSR Episode 256 - Rick Howard on the Record
This week Rick Howard joins us and goes on the record to talk about the Security Canon and a few other interesting things you're just going to have to listen to in order to find out.

Top News

Adobe is end-of-lifing Flash
- I'll pause while you catch your breath
- Wait, it's not until 2020
- Also, there's more
- http://www.businessinsider.com/adobe-flash-killed-by-2020-2017-7

Developers targeted by malicious Chrome extension
- https://www.forbes.com/sites/leemathews/2017/08/03/over-a-million-coders-targeted-by-chrome-extension-hack/#7b6849359c9d
- Just like security people and "commoners", developers fall for it
- At least it was caught, and removed...

Here's what we talked about with Rick Howard...

The Cyber Security Canon
- Check it out
- Reading material for newbies and the rest of us
- Patrolling Cyberspace — my homework

The Cyber Threat Alliance
- Sharing intelligence amongst competing vendors
- Palo Alto leading the endeavor, with a group of 6
- Some things are above competition — that's worthy of a clap
- If your vendor isn't part of this alliance, ask them why not

Guest Info
Rick Howard - Currently the Chief Security Officer at Palo Alto Networks. More here: https://www.linkedin.com/in/rickhoward/

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/9/2017 • 49 minutes, 51 seconds
DtSR Episode 255 - Security and Human Nature
This week on the Down the Security Rabbithole Podcast, John Nye ( @EndIsNye_Com ) joins us to talk about the human aspect of the cyber security equation. Getting away from blaming the user, we talk through the human-nature side of the business with a focus on social aspects and behavior modification. A fascinating discussion you'll want to listen to over and over again, for sure!

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
8/1/2017 • 46 minutes, 13 seconds
DtSR Episode 254 - Lowdown and Dirty ICS
This week Sergio Caltagirone joins James and me to talk about industrial control networks and systems and some of the dangers that go undiscussed. Sergio is a second-timer, and we take the opportunity to catch up and discuss one of his favorite topics. Additionally, we talk about some of the topics that were in the news the week this podcast was recorded, a few weeks ago. Whether you're in Las Vegas for Black Hat Conference 2017 or not, take a listen to this sobering discussion about industrial controls and some of the more clear and present dangers facing us in that sector. Thanks again for joining us, Sergio!

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/25/2017 • 1 hour, 2 minutes, 30 seconds
DtSR Episode 253 - Defending the Small-to-Medium Enterprise
On this podcast James and I welcome Shon Gerber as we talk through a pair of current events and the topic of the day.

Blue Cross Blue Shield of Alabama sends out USB sticks
- Security elitists up in arms
- We've taught people to be suspicious: don't click, don't open docs, and don't use USB. So how do we get our clients content?
- To my fellow security professionals: it's reckless to continue to stand with a firm "no" while offering no alternatives. So what do we suggest?
- More important: what threat vector are we saying that blocking the mailing of USB sticks would defend against?
- https://www.theregister.co.uk/2017/07/12/blue_cross_usb_card_mailers/

MySpace has a major account password reset flaw, allowing account takeover
- Wait ... MySpace is still around?
- But seriously: to exploit this last-ditch recovery feature for those who've forgotten everything else, all you need is the listed name, date of birth, and username
- How many of our sites have this problem, or worse?
- https://www.wired.com/story/myspace-security-account-takeover/

This week we bring Shon Gerber onto the show to talk about defending the SMB and SME. Here are some of our talking points:
- SMBs/SMEs are uniquely challenged in that they can't afford good security any more than they can afford a lack of security. What's the answer?
- How do we achieve scale in an area of industry with razor-thin margins and tiny profits?
- SMBs/SMEs are more likely to be catastrophically affected by an attack such as ransomware than big companies. Agree or disagree? (#DtSR on Twitter to talk back)
- Other challenges, including how to achieve scale

Guest: Shon Gerber
- Current CISO for a multinational chemical company with approximately 10K employees
- Recent past: Security Operations Supervisor for a multinational company with 100K employees; Senior Security Architect with a multinational

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
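The MySpace item above is worth seeing in code, because the same shape of "last-ditch" recovery turns up on plenty of sites. The following is an added example written for these show notes, not MySpace's code or anything from the podcast: the vulnerable check, which accepts only fields readable off a public profile, beside a token-based reset that is unguessable, single-use, time-limited and delivered out of band. The user, address, secrets and store are all constructed for the demo.

```python
"""Added example (not the podcast's or MySpace's code): the 'last-ditch' recovery
check described above, which accepts only data readable off a profile, beside a
token-based reset. All accounts, addresses and secrets are constructed."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    username: str      # public
    full_name: str     # listed on the profile
    dob: str           # YYYY-MM-DD, often listed too
    email: str         # verified contact channel, not shown publicly
    password_hash: bytes = b""


# Constructed sample account (hypothetical person and address).
USERS: Dict[str, User] = {
    "jdoe": User("jdoe", "Jane Doe", "1985-04-12", "jane@example.invalid"),
}


def weak_recovery(username: str, full_name: str, dob: str) -> bool:
    """Vulnerable pattern: every input is readable off the public profile, so a
    True result proves nothing about who is asking. A caller that lets a True
    result set a new password hands the account to anyone with a browser."""
    u = USERS.get(username)
    return u is not None and u.full_name == full_name and u.dob == dob


# ---- hardened flow: unguessable, single-use, time-limited, out-of-band token ----
RESET_TTL_SECONDS = 15 * 60
_pending_resets: Dict[str, Tuple[str, float]] = {}  # username -> (sha256(token), expiry)


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Mint a reset token and store only its hash, so a copied database cannot
    be replayed. The raw token is sent to the verified e-mail address and never
    echoed to the web client; it is returned here only so the demo can stand in
    for the mail system. A real handler answers identically for unknown
    usernames to avoid account enumeration."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of entropy; not derivable from any profile field
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending_resets[username] = (digest, now + RESET_TTL_SECONDS)
    return token


def complete_reset(username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Accept the token once, inside its TTL, comparing hashes in constant time."""
    now = time.time() if now is None else now
    entry = _pending_resets.get(username)
    if entry is None:
        return False
    stored_digest, expiry = entry
    if now > expiry:
        del _pending_resets[username]  # expired: dead regardless of what was presented
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(stored_digest, presented):
        return False
    del _pending_resets[username]      # single use: a replayed token fails
    salt = os.urandom(16)
    USERS[username].password_hash = salt + hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000)
    return True


if __name__ == "__main__":
    # An attacker who knows only what the profile shows passes the weak check...
    print("weak check with public data:", weak_recovery("jdoe", "Jane Doe", "1985-04-12"))
    # ...but cannot complete the hardened flow without the mailed token.
    tok = request_reset("jdoe")
    print("guessed token:", complete_reset("jdoe", "guess", "pwned"))
    print("real token, first use:", complete_reset("jdoe", tok, "correct horse battery staple"))
    print("real token, replayed:", complete_reset("jdoe", tok, "pwned"))
```

The property to check on your own sites is the one the weak function fails: every field the recovery flow asks for should be something an outsider cannot obtain, and the final step should depend on possession of a secret the server created, not on knowledge the attacker can look up.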
7/18/2017 • 52 minutes, 11 seconds
DtSR Episode 252 - DFIR with Lesley Carhart
In this smasher of an episode James and I are joined by Lesley Carhart live from Enfuse Conference in Las Vegas to talk about DFIR (Digital Forensics and Incident Response) as a broad field. There is SO much to talk about here, you'll want to listen twice. Make sure that if you missed Enfuse this past year, you don't miss 2018. It's a great conference where you get to meet and talk with folks like Lesley and many others in this field.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
7/11/2017 • 51 minutes, 45 seconds
DtSR Episode 251 - General Data Protection Regulation (GDPR)
This week on Down the Security Rabbithole Episode 251 (wow, can you believe we've published 251 full episodes?!) James and I host a roundtable of privacy and data protection experts and talk about the looming EU regulation known affectionately as GDPR. The General Data Protection Regulation (GDPR for short) impacts all companies that either do business with EU citizens or operate in the EU. Basically, everyone. It's a huge deal and there really isn't a "wait and see" option. Listen in, and if you have feedback, provide it! Does anyone really read these show notes? Reply on Twitter with #DtSR!

Guests:
James Keese - https://www.linkedin.com/in/james-keese/
Dawn-Marie Hutchinson - https://www.linkedin.com/in/dawn-marie-hutchinson-mba-06780314/
Stephen Edmonds - https://www.linkedin.com/in/stephen-edmonds-547176/

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/27/2017 • 50 minutes, 41 seconds
DtSR Episode 250 - Deconstructing the Internet of Things
Fresh off his closing keynote at Enfuse Conference 2017 in Las Vegas, Dr. Timothy Chou joins us to talk about the difference between the Internet of People and the Internet of Things. Even though many people talk about the IoT, we still fail to understand the gravity and enormity of the problem we face and how far behind the 8-ball information security professionals are here. Dr. Chou spent some time with us to dispense wisdom interlaced with humor to make it stick.

Guest: Dr. Timothy Chou is a technologist, a lecturer, and a published author. He has written a book called "Precision: Principles, Practices and Solutions for the Internet of Things" that delves into an Internet of Things many don't really understand yet. While most of us focus on the Internet of People (gadgets and things meant to be operated by people), Dr. Chou focuses on the IoT where people aren't just optional, they're unnecessary. LinkedIn: https://www.linkedin.com/in/timothychou/

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/20/2017 • 56 minutes, 18 seconds
DtSR Episode 249 - Finding a Way
This week, James and I try out a new format for the show. We hope you enjoy the blend of news commentary and an interview.

News

More car vulnerabilities - this time in a Subaru
- No stunt hacking involved
- A repeat vulnerability means there's potentially a bigger SDLC issue
- Responsibly disclosed, fixed ... if a tree falls...
- Link: http://www.bankinfosecurity.com/exclusive-vulnerabilities-could-unlock-brand-new-subarus-a-9970

The 5th Amendment and your phone passcode
- This issue is sticky
- Passcodes, fingerprints, etc. all need consistent law
- We need a lawyer
- Link: http://thehackernews.com/2017/06/unlock-iphone-passcode.html

Guest
Kevin Pope ( @screamingbyte ) - Kevin is a long-time friend of the show, and someone who has a fantastic story only he can tell: from struggling to thriving, and the journey to get there.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/13/2017 • 51 minutes, 43 seconds
DtSR Episode 248 - Nick Hyatt On Ransomware
This podcast episode was recorded live to tape from Enfuse Conference 2017 in Las Vegas. If you didn't get a chance to get out this year to one of the premier DFIR (Digital Forensics and Incident Response) conferences, you missed a heck of an event. James and I want to thank Guidance Software for the invitation, for having us out, and for access to some truly amazing guests for this series of recordings. For #248, sit back and listen to Nick Hyatt talk with James and Raf about ransomware, fresh from his Enfuse Conference talk to your ears. Enjoy, and as always please hit us up on Twitter at #DtSR.

Guest: Nick Hyatt ( @Skelet0wn3d ) - Nick is currently the Senior Incident Management Consultant at Optiv Security, Inc., responsible for incident response, threat hunting, digital forensics, and malware forensics using a variety of skills and tools. He has hands-on knowledge and understanding of malware forensics, observation, removal, and threat hunting. Additionally, Nick has hands-on experience with digital forensics, malware forensics, data mapping, threat hunting, and e-discovery at different scales, from start-up and SMB environments to Fortune 500 environments.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/6/2017 • 51 minutes, 28 seconds
DtSR Episode 247 - Internet of Things Forensics
Live once again from Enfuse Conference 2017 in Las Vegas, James and I interview Amber Schroader, the President and CEO of Paraben. This interview happened because you all voted and asked for it... OK, and because she's a fantastic person to interview. Be prepared for a little humor and a lot of knowledge. Special thanks again to Enfuse and the Guidance Software team for having us out and getting us access to some downright amazing guests!

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
As James and I continue to publish our Enfuse Conference 2017 series of episodes, we are this week joined by Theresa Payton. Theresa is the former CIO of the George W. Bush White House administration, and is now on the show Hunted, where she runs a team of cyber trackers.

Guest: Theresa Payton ( @TrackerPayton ) - Theresa Payton is one of the nation's leading experts in cybersecurity and IT strategy. As CEO of Fortalice Solutions, an industry-leading security consulting company, and co-founder of Dark Cubed, a cybersecurity product company, Theresa is a proven leader and influencer who works with clients and colleagues to uncover strategic opportunities and identify new and emerging threats. Theresa began her career in financial services, where she coupled her deep understanding of technology systems with visionary leadership, executing complex IT strategies and winning new business. Following executive roles at Bank of America and Wachovia, Theresa served as the first female chief information officer at the White House, overseeing IT operations for President George W. Bush and his staff. In 2015 Theresa was named a William J. Clinton Distinguished Lecturer by the Clinton School of Public Service. She is the author of several publications on IT strategy and cybersecurity and a frequent speaker on IT risk. In 2014 she co-authored, with Ted Claypoole, the book Privacy in the Age of Big Data: Recognizing Threats, Defending Your Rights, and Protecting Your Family, which was subsequently featured on The Daily Show with Jon Stewart. Among her numerous accolades and recognitions, Theresa was named one of the top 25 Most Influential People in Security by Security Magazine and one of Infosec's Rising Stars and Hidden Gems by Tripwire. In 2005 she was honored as Charlotte, NC's Woman of the Year.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/26/2017 • 18 minutes, 5 seconds
DtSR FeatureCast - Enfuse Conf 2017 - DFIR Students
Continuing our series recorded live at Enfuse Conference 2017 in Las Vegas, this episode features two USC students who are part of a large contingent here to learn and make connections. Tatiana and Ayman join us to talk about how they got here and what they are planning for their future, along with some general thoughts on DFIR and our industry!

Guests:
Tatiana Santos ( @tatitasantita )
Ayman Siraj ( @aymansiraj )

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/24/2017 • 30 minutes, 40 seconds
DtSR FeatureCast - Enfuse Conf 2017 - Keynote Patrick Dennis
Today, Guidance Software CEO Patrick Dennis joins the Down the Security Rabbithole Podcast right after his keynote to talk about the conference, what's going on at Guidance, and the state of defense. This is a FeatureCast, so we get right to the point in an easy-to-listen format. Thanks for listening!

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/24/2017 • 23 minutes, 3 seconds
DtSR FeatureCast - Enfuse Conf 2017 - Preamble
We kick off a week of on-the-scene podcasts, live'ish from Enfuse Conference 2017, hosted by Guidance Software in Las Vegas, Nevada, with Lori Chavez, VP of Corporate Marketing. She is the brains responsible for the amazing conference, including speakers, content and everything else. Lori gives YOU an insider preview of Enfuse 2017, and tells us a little about what we can expect and some history of the conference - and we can't wait to give you MORE! Stay tuned all week as we bring you more fantastic content from Enfuse Conference 2017. And as always, use the hashtag #DtSR to talk back to James and me, or #EnfuseCon17 to interact with speakers and attendees! Just for DtSR listeners: we will post a special coupon code for next year's registration... just for listening. Don't miss it later this week!

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/23/2017 • 18 minutes, 15 seconds
DtSR Episode 246 - Finding and Responding to Badness
This week we are live from Enfuse Conference 2017 in Las Vegas, Nevada. Special thanks to Guidance Software for having us out and getting us access to a whole host of fantastic speakers. On this episode Greg Hoglund and Ryan Butterworth of Outlier Security join us to talk about the DFIR space with all its problems, including a shortage of qualified labor and sub-optimal tools. This fantastic discussion wanders all over the DFIR space, including the "data problem" and tools, tools, tools. That tool Greg mentions, which is free, is right here: http://unbouncepages.com/supertimelines-free/

Guests
Greg Hoglund - Founder and CEO, Outlier Security, Inc.
Ryan Butterworth - Principal Software Engineer, Outlier Security, Inc.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/23/2017 • 46 minutes, 39 seconds
DtSR Episode 245 - NewsCast for May 16th 2017
Microsoft warns ransomware cyber-attack is a wake-up call
- As of recording, it is reported that 200,000 computers were infected
- The patch for the flaw was released in March 2017
- Microsoft has since released a patch for older, out-of-support systems
- Lots to discuss on this, including Microsoft's letter to the NSA
- Link: http://www.bbc.com/news/technology-39915440
- Link: https://www.infosecurity-magazine.com/news/microsoft-xp-patch-wannacry/
- Link: http://www.bbc.com/news/uk-39921479

United flight attendant accidentally leaked door codes online
- The flight attendant somehow posted the codes online
- Insider threat?
- Multiple layers of security, and additional controls, are needed here
- Link: https://www.infosecurity-magazine.com/news/united-flight-attendant-door-codes/
- Link: https://www.wsj.com/articles/uniteds-cockpit-door-security-codes-inadvertently-revealed-1494794444

Keylogger discovered preinstalled on some HP laptops
- The audio driver inspected keystrokes looking for events like Mute and Unmute, but also stored every keystroke in a file
- The log file was overwritten after each reboot
- Was this just debugging code that wasn't disabled before release?
- Link: https://www.cnet.com/news/keylogger-discovered-on-some-hp-laptops-conexant/

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/16/2017 • 49 minutes, 58 seconds
DtSR Episode 244 - A Government CISOs Perspective
This week, live and in person from Denver, Colorado and the RMISC Conference, I interview Stephen E. Coury, the CISO of the City and County of Denver. The conversation leads off with Stephen's journey through cloud computing and weaves through some of the challenges municipalities and city governments are facing. It's a fantastic conversation that applies readily to both public and private organizations - you need to check this out. Thanks, Stephen, for coming out and talking to us!

Guest
Stephen E. Coury - CISO of the City and County of Denver, CO.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/10/2017 • 45 minutes, 9 seconds
DtSR Episode 243 - NewsCast for May 2nd 2017
Chrome to mark more HTTP pages 'Not Secure'
- From October 2017, all HTTP sites will be marked 'Not Secure' while in incognito mode
- Incognito mode allows surfing the internet without saving your browsing history
- Enterprise: have you seen any negative feedback from the previous changes to show 'Not Secure'?
- Does this change your priority for moving to always-HTTPS for all sites?
- Link: https://threatpost.com/chrome-to-mark-more-http-pages-not-secure/125255/

2017 Verizon DBIR Highlights: Analyzing the Latest Breach Data in 10 Years of Incident Trends
- Oh, the headlines. Slow the roll, folks.
- Stop the password hate and turn the mirror around
- Let's talk about people... and why they are not the weakest link. Grow up.
- So many obvious points, yet so much insight not being talked about. Why? Hint: it dispels the doom and gloom and asks tough questions
- Example: page 13, patching... looks like after 2 weeks, "if it's not patched, it's not getting patched". Ask yourself what patch percentage you're at after 2 weeks, and whether you're OK with that
- Link: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/highlights-of-the-2017-verizon-dbir-analyzing-the-latest-breach-data-in-10-years-of-incident-trends/
- Link: http://www.infoworld.com/article/3193028/security/annual-verizon-security-report-says-sloppiness-causes-most-data-breaches.html

Hacker leaks episodes from Netflix show and threatens other networks
- Importance of the digital supply chain
- The 'peril' of cyber
- Link:

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
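The "what patch percentage are you at after 2 weeks" question is easy to answer badly. The block below is an added example written for these notes, not code from the podcast or from the DBIR: it computes the two-week patch-window metric over constructed vulnerability-tracker records (hosts and advisory names are invented), and it gets the one detail wrong answers usually miss: a record only counts once the full window has elapsed since the fix shipped, so last week's advisories sit in a "pending" bucket instead of dragging the number down, and a patch date later than the reporting date is treated as still open on that date.

```python
"""Added example (neither the podcast's nor the DBIR's code): measuring the
two-week patch window the DBIR point raises, over constructed vulnerability
tracker records. A record counts toward the metric only once the full window
has elapsed since the fix was released; younger records are 'pending', not
failures, and a patch applied after the report date is still open on it."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

WINDOW = timedelta(days=14)


@dataclass
class PatchRecord:
    host: str
    advisory: str            # hypothetical identifier
    released: date           # vendor fix available
    patched: Optional[date]  # host patched, None if still open


def _d(s: str) -> date:
    return date.fromisoformat(s)


# Constructed sample data; hosts and advisory names are invented.
RECORDS: List[PatchRecord] = [
    PatchRecord("web-01",  "ADV-0001", _d("2017-03-14"), _d("2017-03-20")),  # inside window
    PatchRecord("web-02",  "ADV-0001", _d("2017-03-14"), _d("2017-04-30")),  # late
    PatchRecord("db-01",   "ADV-0001", _d("2017-03-14"), None),              # still open
    PatchRecord("app-01",  "ADV-0002", _d("2017-04-11"), _d("2017-04-12")),
    PatchRecord("app-02",  "ADV-0002", _d("2017-04-11"), None),
    PatchRecord("file-01", "ADV-0003", _d("2017-04-20"), None),
]


def _patched_as_of(r: PatchRecord, today: date) -> Optional[date]:
    """A patch date in the future relative to the report date is not yet a patch."""
    return r.patched if (r.patched is not None and r.patched <= today) else None


def patch_window_metrics(records: List[PatchRecord], as_of: str,
                         window: timedelta = WINDOW) -> Dict[str, object]:
    """Share of eligible records patched within `window` of release, plus the
    late, still-open and not-yet-eligible counts. `as_of` is an ISO date."""
    today = _d(as_of)
    within = late = open_past = pending = 0
    for r in records:
        deadline = r.released + window
        if today < deadline:
            pending += 1          # window not over; this host could still make it
            continue
        patched = _patched_as_of(r, today)
        if patched is not None and patched <= deadline:
            within += 1
        elif patched is not None:
            late += 1
        else:
            open_past += 1
    eligible = within + late + open_past
    return {
        "eligible": eligible,
        "patched_within_window": within,
        "patched_late": late,
        "open_past_window": open_past,
        "pending": pending,
        "coverage": (within / eligible) if eligible else None,
    }


def overdue_hosts(records: List[PatchRecord], as_of: str,
                  window: timedelta = WINDOW) -> List[str]:
    """Hosts still unpatched after their window closed: the list to chase today."""
    today = _d(as_of)
    return sorted(r.host for r in records
                  if _patched_as_of(r, today) is None and today >= r.released + window)


if __name__ == "__main__":
    for day in ("2017-04-24", "2017-04-26", "2017-05-05"):
        print(day, patch_window_metrics(RECORDS, day), "overdue:", overdue_hosts(RECORDS, day))
```

Run it against a real tracker export and the "coverage" figure is the honest answer to the DBIR's question; the "open_past_window" hosts are the ones the DBIR suggests are never getting patched without someone going after them.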
5/2/2017 • 48 minutes, 26 seconds
DtSR Episode 242 - Management and Leadership
This week the team gets together to talk Management and Leadership in the security industry and in general. Our very own Michael Santarcangelo joins us as our featured guest to dispense knowledge on leadership by the truckload. So grab a cup of coffee and something to take notes with, and listen in.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
4/26/2017 • 49 minutes, 31 seconds
DtSR Episode 241 - NewsCast for April 18th 2017
NewsCast for Tuesday April 18th, 2017

Dallas Tornado Sirens Hijacked
- Tornado sirens in Dallas all went off simultaneously
- Suspected hijacking of the emergency system; lots of speculation about how this happened
- Now believed to be a radio hijack
- Link: http://content.govdelivery.com/bulletins/gd/TXDALLAS-1936de1

Two Inmates in Ohio Jail Hacked It From the Inside
- Talk about an "insider threat"!
- The machines were made from spare parts, hidden in the ceiling, and concealed well
- Unauthorized access to the network (no NAC?) made the infiltration possible
- Link: https://qz.com/958503/two-ohio-inmates-hacked-their-prison-from-the-inside-using-makeshift-computers-built-from-spare-parts/

SWIFT Launches New Anti-Fraud Controls in Wake of Wire Frauds
- New tools to 'detect suspicious transactions'
- Appears to be free, in addition to other fraud-detection tools
- Link: https://www.swift.com/news-events/news/swift-launches-new-anti-fraud-payment-control-service-for-customers

Huge Adobe Security Update Just Released
- 59 total vulnerabilities; Flash still a big chunk of that (surprise!)
- 44 are considered critical: "code execution bugs"
- Enterprises should download, test and deploy. How are you handling these?
- Link: https://threatpost.com/adobe-patches-59-vulnerabilities-across-flash-reader-photoshop/124914/

Insider Threat - Engineer Arrested for Stealing Code
- High-volume algo financial trading company
- These

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
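The "no NAC?" question on the Ohio story has a cheap first answer even where no NAC exists: compare what is actually answering on the wire with what you think you own. The block below is an added example for these notes, not code from the podcast or from the Ohio investigation. It parses constructed Linux `ip neigh` output (the neighbour/ARP table; the hosts, MACs and inventory are invented) and reports devices nobody registered, plus registered devices seen on a subnet they are not supposed to be on.

```python
"""Added example (not the podcast's code): a minimal rogue-device check for the
'no NAC?' point. It compares the hosts actually answering on the network, here
a constructed `ip neigh` sample, against an asset inventory keyed by MAC, and
flags unregistered devices and known devices seen off their expected subnet."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple


class Asset(NamedTuple):
    name: str
    subnet: str   # where this asset is supposed to live


# Constructed inventory (hypothetical hosts and MACs).
INVENTORY: Dict[str, Asset] = {
    "00:11:22:aa:bb:01": Asset("fileserver-01", "10.10.1.0/24"),
    "00:11:22:aa:bb:02": Asset("printer-hr-2",  "10.10.2.0/24"),
    "00:11:22:aa:bb:03": Asset("laptop-jsmith", "10.10.3.0/24"),
}

# Constructed neighbour-table sample in Linux `ip neigh` format.
NEIGH_SAMPLE = """\
10.10.1.5 dev eth0 lladdr 00:11:22:AA:BB:01 REACHABLE
10.10.2.9 dev eth0 lladdr 00:11:22:aa:bb:02 STALE
10.10.1.77 dev eth0 lladdr 00:11:22:aa:bb:03 REACHABLE
10.10.1.200 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.10.1.201 dev eth0 FAILED
fe80::1 dev eth0 lladdr 00:11:22:aa:bb:01 router REACHABLE
"""

_LINE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17})")


def parse_neigh(text: str) -> List[Tuple[str, str]]:
    """(ip, mac) for every entry that has a resolved link-layer address.
    Entries marked FAILED/INCOMPLETE carry no MAC and are skipped."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append((m.group("ip"), m.group("mac").lower()))  # normalise case
    return out


def audit(neigh: List[Tuple[str, str]], inventory: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Unknown MACs, and known MACs answering outside their expected subnet."""
    unknown: List[str] = []
    misplaced: List[str] = []
    for ip, mac in neigh:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            continue  # the demo tracks IPv4 placement only; link-local v6 needs its own rule
        asset = inventory.get(mac)
        if asset is None:
            unknown.append(f"{ip} ({mac})")
        elif addr not in ipaddress.ip_network(asset.subnet):
            misplaced.append(f"{asset.name} expected in {asset.subnet}, seen at {ip}")
    return {"unknown": unknown, "misplaced": misplaced}


if __name__ == "__main__":
    # On a real host: subprocess.run(["ip", "neigh"], capture_output=True, text=True).stdout
    for kind, items in audit(parse_neigh(NEIGH_SAMPLE), INVENTORY).items():
        for item in items:
            print(f"{kind}: {item}")
```

This is a tripwire, not a control: a MAC can be cloned, and the table only shows what the collecting host has talked to recently, so run it from a vantage point on each VLAN (or pull the table from the switches). The control the notes are asking about is port-based admission, 802.1X/NAC, which would have refused the hidden machines a network conversation in the first place.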
4/18/2017 • 46 minutes, 28 seconds
DtSR Episode 240 - The Truth About Machine Learning
This week the Down the Security Rabbithole Podcast hosts Sven Krasser of CrowdStrike. Sven is an actual machine learning and data science expert (as opposed to an "expert") who has been working in machine learning, artificial intelligence and other forms of advanced computational science since long before it was popular in security. This week James and Raf sit him down for 45 or so minutes to discuss the real facts, separate them from the fiction of what machine learning really is, and talk about the promise it may hold for the enterprise security world. As always, join us, share, and engage our crew using the hashtag #DtSR on Twitter. We'd like to take a moment to thank Sven and CrowdStrike for lending their time and expertise to our show.

Guest: Sven Krasser ( @SvenKrasser ) - Dr. Sven Krasser currently serves as Chief Scientist at CrowdStrike, where he leads the machine learning efforts utilizing CrowdStrike's Big Data information security platform. He has productized machine learning-based systems for over a decade and most recently led the research and development of the first fully machine learning-based anti-malware engine featured on VirusTotal. Dr. Krasser has authored numerous peer-reviewed publications and is co-inventor of more than two dozen patented network and host security technologies.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
4/11/2017 • 54 minutes, 1 second
DtSR Episode 239 - NewsCast for April 4th 2017
Pew Center Survey Finds Americans Lack Understanding of Cybersecurity Measures
- Most 'typical' users simply don't understand security because it's "magic" to them
- The basics must be understood by the average Jane; attackers count on you not knowing
- How do you take that knowledge and push it to the enterprise, while keeping up with consumers?
- Link: http://www.pewinternet.org/2017/03/22/what-the-public-knows-about-cybersecurity/

Suspect Charged in USD 100m Whaling Scheme
- $100 million, from just two companies
- How would your executives (and the staff supporting them) fare against this attack?
- More importantly, how does your "awareness" program deal with this?
- Link: https://www.justice.gov/usao-sdny/pr/lithuanian-man-arrested-theft-over-100-million-fraudulent-email-compromise-scheme

Google's Android Security 2016 Year in Review Report: Android Security Improving
- Overall, Google is making great strides
- The fragmentation problem isn't getting better for legacy devices that have long life-spans
- Going forward, things appear to be set up for faster, more regular OTA updates, but only for NEW devices
- What is the state of your enterprise mobile policy?
- Link: http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2016_Report_Final.pdf

U.S., U.K. warn airports, nuclear facilities of cyberattacks
- Confusing: the threat to airports seems to be from hiding explosives in laptops/mobile devices
- The threat to nuclear plants (ICS) seems to be of a cyber nature, against legacy systems
- The big-picture issue applies to enterprises too: legacy systems are a target
- Link:

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
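On the whaling item: "awareness" is the last line, and the mail gateway can take the first swing. The block below is an added example for these notes, not the podcast's code or anything from the case in the link. It shows three indicators that catch most commodity executive-impersonation mail: an executive's display name on an address at a domain we do not control, a sending domain within a small edit distance of ours (examp1e.com, exarnple.com), and a Reply-To that quietly diverts the conversation elsewhere. The organisation domain, the executive list and all three messages are constructed.

```python
"""Added example (not the podcast's code): a mail-gateway style check for the
whaling pattern above. It flags a From display name that matches a protected
executive while the sending domain is not ours, a sending domain within a
small edit distance of ours, and a Reply-To that diverts replies elsewhere.
The organisation domain, executive list and messages are all constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

OUR_DOMAIN = "example.com"             # assumed organisation domain
PROTECTED = {"pat cfo", "alex ceo"}    # hypothetical executives, normalised lower-case


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalise_name(name: str) -> str:
    return " ".join(name.replace(",", " ").split()).lower()


def whaling_flags(raw_message: str) -> List[str]:
    """Return the indicators triggered by one RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    flags: List[str] = []
    # Executive's name on an address we do not control. (An exec name on OUR
    # domain with a forged From is a job for SPF/DKIM/DMARC, not this check.)
    if normalise_name(name) in PROTECTED and from_dom != OUR_DOMAIN:
        flags.append("exec-display-name-external")
    # examp1e.com, exarnple.com and friends. Homoglyph/IDN tricks need more than this.
    if from_dom and from_dom != OUR_DOMAIN and edit_distance(from_dom, OUR_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    # Replies silently routed to a different mailbox than the one that 'sent' it.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        flags.append("reply-to-diverts")
    return flags


# Constructed messages (fictional people; .invalid domains where external).
SAMPLE_BEC = (
    "From: Pat CFO <pat.cfo@examp1e.com>\n"
    "Reply-To: pat.cfo@freemail.invalid\n"
    "To: ap@example.com\n"
    "Subject: Urgent wire before close of business\n"
    "\n"
    "Please process the attached wire today and keep this between us.\n"
)
SAMPLE_INTERNAL_REPLYTO = (
    "From: Alex CEO <alex@example.com>\n"
    "Reply-To: alex.ceo@freemail.invalid\n"
    "To: finance@example.com\n"
    "Subject: quick favour\n"
    "\n"
    "Are you at your desk?\n"
)
SAMPLE_OK = (
    "From: Pat CFO <pat.cfo@example.com>\n"
    "To: ap@example.com\n"
    "Subject: lunch\n"
    "\n"
    "Noon?\n"
)

if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("internal-replyto", SAMPLE_INTERNAL_REPLYTO), ("ok", SAMPLE_OK)):
        print(label, whaling_flags(raw))
```

The second sample is the caveat: a From that really is on your domain, with only the Reply-To pointing outside, is either a forged envelope (which DMARC enforcement on your own domain should reject) or a compromised internal mailbox, and neither is something a display-name rule can settle. The payment-side control that actually stops the $100 million loss is an out-of-band callback on any change to wire instructions, regardless of who the e-mail appears to come from.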
4/6/2017 • 59 minutes, 36 seconds
DtSR Episode 238 - March 2017 Update with Shawn Tuma
This week, on the Down the Security Rabbithole Podcast, Michael and I are back with perennial favorite Shawn Tuma. Shawn, our legal eagle friend from Dallas, breaks down the latest issues that affect cyber security and the law, with that business perspective you've come to expect from our podcast. As always, we love hearing from you, and if you have questions don't hesitate to hit us up on Twitter using hashtag #DtSR, or you can always hit up Michael (@catalyst), myself (@Wh1t3Rabbit) or Shawn (@ShawnETuma) directly! Thanks for listening and spread the word!

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/28/2017 • 59 minutes, 52 seconds
DtSR Episode 237 - NewsCast for March 21st 2017
The Cost of Cybercrime - Let's Take a Different Perspective
- Cybercrime is reported as a $450B drag on the economy; the absolute number sounds big
- The question to ask: "How big is the global economy?"
- Turns out that this is only 0.57% of the global economy, in 2014 (nominal)
- By way of contrast: how many minutes are in a day? What is 0.57% of your day?
- What it means: we're doing a good job. Fraud is low. Cybercrime might be on the rise, but for now it's at low relative percentages
- Does it mean we don't matter? No. Don't be silly. Our efforts are why the numbers are low
- Keep up the good work
- http://www.en.netralnews.com/news/business/read/1249/cybercrime.costs.the.global.economy..450.billion
- https://en.wikipedia.org/wiki/Gross_world_product

Home Depot to Pay Banks $25 Million in Data Breach Settlement
- New settlement with banks
- http://fortune.com/2017/03/09/home-depot-data-breach-banks/
- http://www.cnbc.com/2017/02/21/home-depot-earnings-q4-2016.html → has autoplay with the same video

Survey: Experience Preferred Over Education When Hiring For Cybersecurity
- The survey of 350 IT security professionals gauged their attitudes toward the skills shortage in cybersecurity. Some 93 percent agreed that experience is more important than qualifications. A further 73 percent claimed that it didn't matter whether IT staff were college graduates when it came to getting the job done.
- Qualifications here means degrees and certifications
- The rub, and what they didn't ask, is how you assess the experience and capability of professionals to solve the sorts of problems you have
- Straight Talk on hiring... check it out.
- Split results on whether communication or technical skill was more important; hint: it's communication.
- You can be the smartest one in the room, but if no one understands you...
- But it's also awkward to suggest that you can't have both good technic

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/21/2017 • 49 minutes, 24 seconds
DtSR Episode 236 - Enterprise Architecture 2017
Check out episode 236 with Marie-Michelle Strah, who is a repeat offender here on the podcast, with her first appearance back in 2014 on Episode 122 ( http://podcast.wh1t3rabbit.net/dtsr-episode-122-enterprise-architectures-role-in-security ). This episode revisits Enterprise Architecture and its importance to security, with a perspective on the enterprise tech stack, business segmentation and microservices in a modern distributed enterprise. Marie-Michelle's experience and extensive insight into the topic should give you something to think about as you go back to your day job in security.

Guest: Marie-Michelle Strah ( @CyberSlate ) - Marie-Michelle Strah, PhD, is currently Senior Principal in the Enterprise Architecture Group at Infosys Ltd and based in New York City. A highly collaborative, diplomatic and inspiring thought leader, Michelle is able to effectively drive business and technology strategy and business insights across corporate boundaries and departmental silos. A seasoned management and technology consultant, she specializes in strategy development, cloud transformation, enterprise information modernization and innovation management efforts to drive global growth while minimizing cost and risk in complex organizations. She has a PhD from Cornell University, was a Javits Fellow and is a US Army veteran. Connect with Michelle on Skype/Twitter/Instagram/Snapchat @cyberslate | http://cyberslate.me

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/14/2017 • 44 minutes, 59 seconds
DtSR Episode 235 - NewsCast for March 7th 2017
A Note on the Passing of a Legend
- Howard Schmidt passed away this week
- Long, distinguished career as one of the CISOs who "got it"
- He will be missed in government and private industry; he was on our show too (December 2015)
- http://podcast.wh1t3rabbit.net/dtsr-episode-166-cyber-security-from-board-room-to-white-house

Are SysAdmins Violating the CFAA?
- This is, by all accounts, an insane criminal defense... or is it?
- Can what sounds like a logical stretch be used maliciously by employers?
- The law is about intent; does this invalidate his claim?
- Link: https://nakedsecurity.sophos.com/2017/02/27/it-admin-was-authorized-to-trash-employers-network-he-says/

Yahoo Board Sends Message That Echoes
- After a string of breaches, the board conducted an investigation
- The CEO will not receive a 2016 bonus or 2017 equity award
- Top lawyer resigns (or was asked to, whichever)
- Is this THE event that will put CEOs on notice?
- Link: https://www.nytimes.com/2017/03/01/technology/yahoo-hack-lawyer-resigns-ceo-bonus.html?_r=0

Cloud-connected toys
- The example of "CloudPets" and Spiral Toys is a doozy
- Bluetooth + web ("cloud") back-end
- Great idea: allow parents to interact with kids through a toy
- Execution is about as bad as it gets
- Dispute over disclosure
- 3rd-party developer, apparently little security
- Silly statements in their disclosure/release
- Link: http

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/8/2017 • 49 minutes
DtSR Episode 234 - Straight Talk on National Security
This week, the interview is extra special because we have a guest I've personally been following for a long while, and I finally got a chance to virtually sit down and talk through his considerable areas of expertise. I'm pleased to say we had a chance to sit down virtually with Professor Tom Nichols and talk international affairs, foreign policy and all the important things getting lost in the off-color political arguments lately. These are important issues to cyber security professionals that impact our daily lives - but they rarely get discussed by someone with actual, credentialed expertise. Enjoy this one, friends; I know we did recording it. I want to thank Tom for being an awesome guest and lending his time to our show. If you want to read Tom's latest book, you can get it on Amazon, link HERE.
Guest: Tom Nichols ( @RadioFreeTom ): Dr. Thomas M. Nichols is a Professor in the Department of National Security Affairs at the U.S. Naval War College and at the Harvard Extension School, where he worked with the U.S. Air Force to create the program for the Certificate in Nuclear Deterrence Studies. He is a former Secretary of the Navy Fellow, and held the Naval War College's Forrest Sherman Chair of Public Diplomacy. Dr. Nichols was previously the chairman of the Strategy and Policy Department at the Naval War College. Before coming to Newport, he taught international relations and Soviet/Russian affairs at Dartmouth College and Georgetown University. Dr. Nichols was personal staff for defense and security affairs in the United States Senate to the late Sen. John Heinz of Pennsylvania, and was a Fellow at the Center for Strategic and International Studies in Washington, DC. He is currently a Senior Associate of the Carnegie Council on Ethics and International Affairs in New York City. He was recently a Fellow in the International Security Program at the John F. Kennedy School at Harvard University.
He is the author of several books and articles, including Eve of Destruction: The Coming of Age of Preventive War (University of Pennsylvania Press, 2008), and No Use: Nuclear Weapons and U.S. National Security (University of Pennsylvania, 2014). His most recent book, The Death of Expertise: The Campaign Against Established Knowledge and Why It Matters, was released by Oxford in 2017. Dr. Nichols holds a PhD from Georgetown, an MA from Columbia University, the Certificate of the Harriman Institute for Advanced Study of the Soviet Union at Columbia, and a BA from Boston University.
3/1/2017 • 52 minutes, 22 seconds
DtSR Episode 233 - Reflecting on RSA Conference 2017
This week, fresh on the close of RSA Conference 2017, James, Michael and I discuss the happenings of the conference, lessons and features, along with some inside anecdotes you won't get from anywhere else. Of course, we add our own unique blend of snark and humor - but that's what gets you listening and coming back for more. We'd like to say a big thank you to everyone who voted for us in the RSA Social Security (Security Bloggers) Awards. We didn't win, but we feel good about the audience we've acquired and will keep working hard to spread the message. So to all of you, thank you. Let's get on with the show!
2/21/2017 • 46 minutes, 7 seconds
DtSR Episode 232 - Security, Fraud, Digital Payments
This week, while the security world congregates at RSA Conference 2017, we present to you Neira Jones, discussing digital payments, fraud and the world of security as it applies to this domain. In a fascinating discussion, we cover many of the topics security executives and leaders are talking about right now - but as you have come to expect, this is less about 'security' and more about protecting what matters. We want to thank Neira for taking the time out of her busy schedule to join us on the show, and encourage discussion on the topics we covered - if you listen, and you have an opinion (I know you do), then let's discuss using the hashtag #DtSR on Twitter.
Guest: Neira Jones (@NeiraJones) - Independent Advisor & International Speaker | Payments | Digital Innovation | Information Security | Fraud
- Non-Executive Director, Cognosec
- Chairman, Comcarde
- Chairman Advisory Board, Ensygnia
- Advisory Board Member & Ambassador, Emerging Payments Association
- Partner, Global Cyber Alliance
Neira can also be found on LinkedIn: http://www.linkedin.com/in/neirajones
2/15/2017 • 58 minutes, 11 seconds
DtSR Episode 231 - NewsCast for February 7th 2017
It is that time of year for W-2 Scams
- There have been multiple reports of companies releasing W-2s through email scams.
- Link: http://cbs4indy.com/2017/01/31/scammer-gets-copy-of-w-2-form-for-every-scottys-brewhouse-employee-after-data-breach/
Cops use pacemaker data to charge homeowner with arson, insurance fraud
- Becoming a common occurrence with IoT devices.
- If you are creating these devices, are you considering:
  - Storage of the data
  - Privacy policy
  - Education around how data is stored and could be used
- From an enterprise perspective:
  - How many of these devices are inside your organization?
  - How do any of these tools factor into your own forensics approaches?
  - Have you explored any of the liabilities?
  - What if you were subpoenaed for the information in your IoT?
- Links: http://www.networkworld.com/article/3162740/security/cops-use-pacemaker-data-as-evidence-to-charge-homeowner-with-arson-insurance-fraud.html http://www.abajournal.com/news/article/data_on_mans_pacemaker_led_to_his_arrest_on_arson_charges/
- Related Link: http://fortune.com/2017/02/04/amazon-alexa-phone-office/ "it's evident that Amazon is determined to embed Alexa in mobile devices and in offices."
Facebook rolls out 2FA Hardware
- A move that goes past SMS.
- Not the first time we have seen this technique (many sites support Yubikey).
- What type of adoption will we see?
- Can we check to see if Facebook has stock in hardware key companies? Or what was that
2/8/2017 • 42 minutes, 56 seconds
DtSR Episode 230 - The IoT You Got for Christmas
On this Down the Security Rabbithole podcast we're joined by Stephen A. Ridley & Jamison Utter (yes, again with this guy) for a discussion on the finer points of Internet of Things (IoT) security... or the complete lack thereof. If you own gadgets that are 'connected' or you are ever around them (hint: you're surrounded by things that pull IP addresses right now) then you need to listen to this podcast. Some great discussion in what was the very first podcast we recorded in 2017.
Guests:
- Stephen A. Ridley aka "@S7ephen"
- Jamison Utter aka "@jamison_utter"
1/31/2017 • 1 hour, 26 seconds
DtSR Episode 229 - NewsCast for January 24th 2017
Hi friends! We're honored to be finalists for the Security Blogger Awards 2017 "Best Security Podcast", so if you listen, go vote for "Wh1t3Rabbit" (as we're labeled). Link: https://devops.com/2017-social-security-blogger-awards-open-voting/
Digital transformation forces businesses to rethink cybersecurity
- A change where operations are being held accountable for security
- James has commented on this before. In order to get better security, it needs to be embedded in the teams within the organization, not just the security team.
- Link: http://www.cio.com/article/3157478/security/digital-transformation-forces-businesses-to-rethink-cybersecurity.html
Mobile is still the safest place for your data
- Most breaches are taking place in physical mediums, or traditional platforms
- Mobile was designed in the midst of the discussion on 'digital threats' - designed with security
- Mobile platforms are encrypted, more secure by default
- Link: http://www.infoworld.com/article/3155946/data-security/mobile-is-still-the-safest-place-for-your-data.html
The WhatsApp Backdoor That Isn't
- Everyone freaked out that this is a government backdoor
- But - check your threat model - are you really worried about this (even if it was)?
- This is a design variation (if you freak out about this, you don't understand the problem)
- Link: https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages
- Link: https://www.theregister.co.uk/2017/01/13/whatsapp_encryption_concerns/
- Link: https://www.schneier.com/blog/archives/2017/01/whatsapp_securi.html
1/25/2017 • 45 minutes, 28 seconds
DtSR Episode 228 - Another Look at Endpoint Security
This week, Paul Hershberger joins us to talk about taking a fresh look at endpoint security for the new year. Paul has some insights into balancing risk and usability, and how some of the things you've heard about endpoint may simply be... wrong. Join James and me as we let Paul endow us with his wisdom and experience... take some notes, this one's going to be good.
Guest: Paul Hershberger - @pjhersh13 - Director IT Global Security Risk and Compliance at The Mosaic Company.
1/18/2017 • 51 minutes, 18 seconds
DtSR Episode 227 - NewsCast for January 10th 2017
St. Jude, MedSec and the FDA
- FDA, St. Jude go through disclosure/fix cycle
- No mention of MedSec - interesting for discussion; did they have an impact?
- St. Jude does a fairly great job of notification, updating
- "Benefits outweigh the risks"... that's a big statement
- http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
- http://www.businesswire.com/news/home/20170109005921/en/St.-Jude-Medical-Announces-Cybersecurity-Updates
- http://www.medsec.com/entries/stj-lawsuit-response.html
- http://podcast.developsec.com/ep-56-security-contacts
New York financial regulator to delay cyber security rules
- Originally supposed to go into effect Jan 1; new date is March 1
- We discussed this in passing in a previous episode
- There are final adjustments being made, of course
- http://www.reuters.com/article/us-cyber-new-york-idUSKBN14A224
Massachusetts makes data breach reports available online
- http://turnto10.com/news/local/massachusetts-makes-data-breach-reports-available-online-01-04-2017
- Seems less like a report and more of just the quick details of the notification
- http://www.mass.gov/ocabr/data-privacy-and-security/data/data-breach-notification-archive.html
- How much value does this provide?
- Finding a company on the list doesn't indicate its current security posture.
- Identifying that you did business with a company on the list... not much you can do anyway.
- Still no indications of what happene
1/12/2017 • 47 minutes, 47 seconds
DtSR Episode 226 - Targeted Threats Facts From Fiction
Welcome to the first Down the Security Rabbithole Podcast episode of 2017! We would like to kick off this year, and the run to episode 250, with an episode that separates the facts from the fiction on the topic of "Advanced Threats". With all the talk in the news about the Russians "hacking the US election" (yes, it's absolutely silly to call it that) and talk of retaliation, it's important to have a frank discussion on the merits of the concept of advanced threats. Sit back, grab a coffee and listen. I know you'll want to listen to this one more than once! If you have a moment, and you actually read the show notes, we would love it if you could give us a rating on iTunes or actually leave a comment on the podcast page. Get engaged on Twitter, using the hashtag #DtSR!
Guest Biography: Sergio Caltagirone hunts evil. He spends his days hunting hackers and his evenings hunting human traffickers. After 9 years with the US Government, over 3 years at Microsoft and now at Dragos, Sergio has not only hunted the most sophisticated targeted hackers in the world but also applied that intelligence to protect billions of users worldwide and to safeguard civilization through the protection of critical infrastructure and industrial control systems. He co-created the Diamond Model of Intrusion Analysis, proudly helping thousands of others bring more pain to adversaries by strengthening hunters and intelligence analysts. He also proudly serves as the Technical Director of the Global Emancipation Network, a Non-Governmental Organization, leading a world-class all-volunteer team hunting human traffickers and finding their victims through data science and analytics, working towards saving tens of millions of lives.
You can find Sergio on Twitter at @cnoanalysis
Links:
- Global Emancipation Network (NGO) - http://www.globalemancipation.ngo/
- http://www.activeresponse.org/
1/3/2017 • 58 minutes
DtSR Episode 225 - NewsCast for December 20th 2016
Merry Christmas, Happy New Year everyone! May your holidays be filled with joy, love and family. From Michael, James and myself we wish you the very best and a healthy, prosperous and fulfilling 2017. We will be back in 2017 with another great DtSR Episode... but before we go - here's one last NewsCast for 2016.
Yahoo - setting records again - biggest hack ever
- It happened again: Yahoo says 1 billion user accounts stolen in what could be the biggest hack ever
- 1 billion accounts... but 1 billion users? Probably not
- It was 2013... does it even matter?
- Bigger issue - secret questions/answers can't be changed easily (if you're honest, which you shouldn't be)
- What about the integrity of the Yahoo! brand?
Netgear Routers - Simple fix, Difficult fix
- As with most devices that weren't designed to be updated...
- The software fix (firmware) is quite easy according to Netgear
- Problem is... how to get users to install it
- http://kb.netgear.com/000036386/CVE-2016-582384
Microsoft Patches dangerous backdoor in Skype for Mac OS X
- Issue on Mac only
- Use of an unused or outdated API that provided access
- http://www.darkreading.com/vulnerabilities---threats/microsoft-patches-dangerous-backdoor-in-skype-for-mac-os-x-/d/d-id/1327712
Flash being relegated by MS's Edge browser... is it time?
- So many vulnerabilities in Adobe Flash, exploitable
- Chrome already has click-to-run
- Next version of Edge will do click-to-run
- Should we just nuke Flash? Isn't HTML5 prime-time already?
- http://arstechnica.com/information-technology/2016/12/flash-will-become-click-to-run-in-edge-chrome-in-2017/
12/20/2016 • 44 minutes, 43 seconds
DtSR Episode 224 - Pointing the Finger of Responsibility
On this episode of Down the Security Rabbithole we tackle the question head on. Whose responsibility is security? Is it the end user who should be responsible for patching the devices they own? Is it the vendor who sells the wares? Is it the manufacturer who sells things with security issues? What if it was everyone's problem? How do we police, legislate and ultimately assign blame? Should we be assigning blame, and more importantly what gives with this fascination for blaming the victim? Lots of questions are asked and we start to tackle some of the answers... maybe.
Guests:
- Shawn Tuma - @shawnetuma
- Jonathan Nichols - @wvualphasoldier
- Dave Dittrich - @davedittrich
- Mark Zelcer - @markzelcer
12/13/2016 • 1 hour, 7 minutes, 31 seconds
DtSR Episode 223 - NewsCast for December 6th 2016
Federal Government Disproves the Myth of Cyber Talent Shortage
- If the government can find and hire them - they exist
- What does that mean for the rest of us hiring?
- https://cio.gov/how-to-snag-talent-to-fill-critical-cybersecurity-positions-at-your-agency/
5 Mistakes to Avoid to Hire Qualified Application Security Talent
- Not understanding current needs
- Ignoring existing resources
- Not sharing the workload
- Not defining the role
- Overly broad job requirements
- General idea: we say we need security talent, but we don't step back to really understand what we actually need given our current status and resources
- https://www.jardinesoftware.com/5-mistakes-to-avoid-to-hire-qualified-application-security-talent/
Obama Cyber Security Commission to [Finally] Present Its Report
- Seems like lots of fluff. But is there any actual substance here?
- Protect, defend, and secure today's information infrastructure and digital networks
- Innovate and accelerate investment for the security and growth of digital networks and the digital economy
- Prepare consumers to thrive in a digital age
- Build cybersecurity workforce capabilities
- Better equip government to function effectively and securely in the digital age
- Ensure an open, fair, competitive, and secure global digital economy
- http://thehill.com/policy/cybersecurity/308332-presidential-commission-on-cybersecurity-to-present-final-report-friday
The First Question Security Leaders Need to Ask Before the Breach Happens
- Article by Michael, gets to the heart of the matter
- Turns out, figuring out what matters is hard work
- http://www.csoonline.com/article/3146560/leadership-management/the-first-question-security-leaders-need-to-ask-before-a-breach-happens.html
Amazon Unveils Anti-DDoS Service for Customers
- The company is offering two levels of protection
- AWS Shield Standard monitors incoming web traffic for customers and uses anomaly algorithms and other analysis techniques to detect malicious traffic in real time
- The company also announced AWS Shield Advanced, a version designed to protect against more aggressive and sophisticated attacks
- This is big news - because DDoS has become an effective tool of cyber extortionists
12/6/2016 • 48 minutes, 51 seconds
DtSR Episode 222 - Zero Trust Security Model
This week, after a long wait, we have John Kindervag on the show! John talks us through the concept of "Zero Trust Security" and where and how it's implemented. It's a concept everyone should be familiar with by now - but I bet you aren't! Join us, and as always provide feedback to the team using the hashtag #DtSR on Twitter, and you can always ping John directly at @Kindervag as well.
11/30/2016 • 54 minutes, 25 seconds
DtSR Episode 221 - NewsCast for Nov 22 2016
DHS Releases Strategic Principles for Securing the Internet of Things
- https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf
- These seem to be the same principles that we have been saying for all software (web, mobile, etc.)
- NIST also has a more generic publication, SP 800-160
- What is the implication for the enterprise? Do we prioritize anything differently as a result?
- What about the "need" for IoT legislation? Is the marketplace "broken"?
- If "we've told people before" but "they didn't listen," does that actually mean they are wrong?
- This is an area where we need to think about what we're actually asking for
- http://thehill.com/policy/cybersecurity/306418-house-subcommittee-chair-regulation-of-internet-connected-devices-not
Facebook buys black market passwords to keep your accounts safe
- Password reuse is the single greatest cause of harm? Really?
- Sounds too much like a lab experiment, rather than a legitimate use of capital
- https://www.cnet.com/news/facebook-chief-security-officer-alex-stamos-web-summit-lisbon-hackers/
Michael just got back from Boston, hosting a CISO Leadership Conference. We discuss the trends that came up...
- https://www.klogixsecurity.com/blog/boston-ciso-summit-recap → just the trends...
- Importance of a shared vision between the business and information security
- Placing a higher value on skillsets vs. specific certifications/experience when seeking team members
- How to enable the business and minimize asset loss
- Creating a roadmap and measuring metrics/progress
- Importance of reputational risk within an organization
- Educating the board on your roadmap progress and
11/22/2016 • 45 minutes, 26 seconds
DtSR Episode 220 - Blaming the Breach Victim
This week, Patrick Dennis - the CEO of Guidance Software - joins us to talk about the Enterprise Security world's fascination with blaming the breach victim. We talk through some of the key issues and look for a way off the hamster wheel. As always, #DtSR on Twitter to join in our conversation.
11/15/2016 • 44 minutes, 44 seconds
DtSR Episode 219 - NewsCast for Nov 8th 2016
It is election day... have you voted?
Beware, iPhone Users: Fake retail apps are surging before the holidays
- The issue of brand protection and knock-off websites, apps and such is real
- Spilling over into the digital world from the physical
- What is your company doing to protect yourself and your customers?
- http://www.nytimes.com/2016/11/07/technology/more-iphone-fake-retail-apps-before-holidays.html?_r=0
Moving Beyond EMET
- EMET is going away... in a while
- Most of the features are now built into Windows 10
- This is a great thing (built-in vs. bolted-on security)
- https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/
Tesco Bank blames 'systematic sophisticated attack' for account losses
- Fraud system appears to be working - good
- ~40,000 accounts affected, half of those lost money
- Tesco is putting funds back, making things right
- Core banking assets don't appear compromised; ATMs and such still work
- Potentially an issue with the website, fixable
- http://www.bbc.com/news/business-37891742
Google Discloses "Critical Flaw" in Microsoft OS 10 Days After Notifying
- Microsoft upset at Google
- Google says it meets their 7-days-to-disclosure policy from 2013 (the 7-day clock applies to flaws already under active exploitation)
- How do you even patch an issue in 7 days - or write up a mitigation if there is none?
- Is your company prepared to deal with this type of thing?
- http://www.computerworld.com/article/3137192/security/google-clashes-with-microsoft-over-windows-flaw-disclosure.html
11/8/2016 • 47 minutes, 56 seconds
DtSR Episode 218 - The Business of Security
This week on DtSR, Chad Boeckmann - President of Secure Digital Solutions - joins us to talk about the business of security. While the "bad guys" are running their criminal enterprise, security teams have struggled to be business-relevant. This discussion starts to dive into how to align security and business goals, answering the "how much is enough?" question and so much more. Thanks to Chad for joining us. We encourage you to ask questions and leave comments here in the comments section or on Twitter at #DtSR. You can talk to Chad directly at @cboeckm on Twitter.
11/1/2016 • 51 minutes, 48 seconds
DtSR Episode 217 - NewsCast for October 25th 2016
The Massive DDoS That Hit Dyn
- Massive DDoS disrupts a ton of popular websites (Netflix, Twitter, etc.)
- Hacked IoT devices (cameras, DVRs) generated the attack traffic
- What does this mean for corporate users, home users, and vendors?
- https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
Verizon Reviewing Terms of Yahoo Deal As Revenue Slides
- Is this really the result of the breach, or did someone just get cold feet?
- We're speculating, but we've heard this type of talk before
- To be honest, Yahoo! saw a rise in earnings over what was projected
- http://www.wsj.com/articles/verizon-revenue-falls-below-views-1476966420
Passwords - We're Still Giving Out Horrible Advice
- Why are companies still making their end-users follow ridiculous policies?
- Selfies? Is that a viable replacement?
- http://www.wsj.com/articles/companies-try-out-selfies-as-password-alternatives-1476661046
- What about SMS as an OTP channel, which NIST 'deprecated'?
- https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/
St. Jude Medical to Create Cybersecurity Advisory Board; Muddy Waters Releases More Vulnerability Allegations
- The 'fight' between the short-sell firm and St. Jude Medical is back
- Smack in the middle is "MedSec"
- St. Jude is in the middle of an acquisition by Abbott Labs
- What's the real goal? This is starting to feel ugly
- When vendors and researchers fight, patients lose - end of story
- What is the happy ending here?
10/25/2016 • 47 minutes, 35 seconds
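For the NIST item in Episode 217 above (SMS as a one-time-code channel being restricted), here is what the usual replacement looks like in code: an RFC 6238 time-based one-time password, generated by an authenticator app and verified server-side. This is an added example, not code from the podcast, from NIST or from any vendor. The secret is the RFC 6238 reference key so the published test vectors can be checked offline; the one-step drift window, the replay check and the otpauth URI shape are this example's own choices, not anything the show discussed.

```python
"""RFC 6238 TOTP, the authenticator-app alternative to SMS one-time codes.

Added example, not code from the DtSR podcast, NIST or any vendor. Uses only
the standard library and the RFC 6238 reference secret so the published test
vectors can be checked offline.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30     # RFC 6238 default time step
DIGITS = 6            # what most authenticator apps display
DRIFT_WINDOW = 1      # accept +/- one step of clock drift (assumption)

# RFC 4226 / RFC 6238 reference secret, ASCII "12345678901234567890"
REFERENCE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = DRIFT_WINDOW,
                step: int = STEP_SECONDS, digits: int = DIGITS,
                algorithm=hashlib.sha1) -> Optional[int]:
    """Server-side check. Returns the time-step counter that matched, or None.

    - rejects anything that is not a digit string before comparing;
    - compares in constant time (hmac.compare_digest) so timing does not
      leak how many digits were right;
    - tolerates `window` steps of drift either side of the server clock;
    - refuses any counter <= last_used_counter, so a code captured in transit
      cannot be replayed inside the window (the caller stores the returned value).
    """
    if not submitted.isdigit():
        return None
    now = unix_time // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), submitted):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind authenticator apps import from a QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors use 8 digits and SHA-1 with the reference secret.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(REFERENCE_SECRET, t, digits=8))
    print(provisioning_uri(REFERENCE_SECRET, "alice@example.com", "DtSR-Demo"))
```

The point for the enrolment side is that the secret is shared once (the otpauth URI) and never travels again; the point for the verification side is the returned counter: store it per user and pass it back as last_used_counter, or a code sniffed in the 30-second window is as reusable as an SMS code.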
DtSR Episode 216 - Why Software Insecurity is Still a Thing
This week, #DtSR takes a trip down Software Security lane, or as some call it "How are we still writing code with bugs that we found relatively concrete fixes for in the late 90's?" (I may have been watching too many John Oliver episodes...) Jeff Williams ( @Planetlevel ) and Tyler Shields ( @txs ) join me to talk this topic over, from where we've been, to what we're doing now, to what the solution to this mess will be one day in the future. It's an interesting conversation that should stir up some emotion if you've been in AppSec or software security, as there really are no docile opinions on this topic (or many others in security, unfortunately). Plug in, listen and enjoy.
10/19/2016 • 46 minutes, 46 seconds
DtSR Episode 215 - NewsCast for October 11th 2016
'Security Fatigue' Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests
- https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly
- Is this indicative of the broader population? (Someone check the sample size?)
- What does this tell us about enterprise vs. consumer security thinking?
- Is security to blame?
Our insulin pumps could be hacked, warns Johnson & Johnson
- http://www.welivesecurity.com/2016/10/06/insulin-pumps-hacked-warns-johnson-johnson/
- Big hat-tip to Jay Radcliffe ( @jradcliffe02 ) for what appears to be a very well-orchestrated and sane disclosure
- What is the added cost of proper authentication and secure communication?
- Let's use this as a teachable moment, minus the typical FUD, for product development teams
FBI arrests NSA contractor who stole sensitive data
- https://www.justice.gov/usao-md/pr/government-contractor-charged-removal-classified-materials-and-theft-government-property
- Doesn't appear to be any link to Shadow Brokers
- We recently did a podcast on insider threat - more relevant now than ever?
- Do you trust your employees? How do you spin this to protect your company in your culture?
10/11/2016 • 58 minutes, 37 seconds
DtSR Episode 214 - Financial Impact of Breaches
Grab a cup of coffee, jack in your earphones and listen up. DtSR Episode 214 is addressing the issue of breaches, and their material financial impact to an organization. The premise is simple - when you have a breach, are you going to see massive stock price drop, client exodus and so on? We sit down with legal expert and DtSR regular Shawn Tuma and researcher Jon Nichols to talk this through with James, Michael and yours truly. Check this episode out. It may sting a bit, but once you come to grips with its reality - the world looks a little different.
10/4/2016 • 50 minutes, 16 seconds
DtSR Episode 213 - NewsCast for September 27th 2016
Quick update and invitation from Michael: starting to explore rolling out services and improving the Straight Talk Framework. If you're up to discuss with me, I'll offer a brief overview and then a "setup for Straight Talk" review to explore how to get you started. It's a real offer because I know we'll both learn. And then I'll get a better sense of where to focus and how to help more people in our industry.
Note on Yahoo: we'll talk to Shawn later
How are Healthcare Data Breach Victims Affected by Attacks?
- It opens with some hype: "Healthcare cybersecurity attacks are much more prevalent and common because the industry typically has weaker approaches to data security, states"
- What's to like? Maybe? → someone is working to explore the potential actual harm from breaches
- This article, however, is just an attack
- Why it matters? People read this stuff. They reinforce it. Fiction becomes fact because it gets repeated so much
- http://healthitsecurity.com/news/how-are-healthcare-data-breach-victims-affected-by-attacks
We're told data breaches cost millions on average - but this security study disagrees
- I routinely push back on the Ponemon $$ thrown around each year
- The conclusion here concerns me - feels like we leapt too far -- that now no one will invest in security? Stop it. That's not what it means. It means we have to seek better alignment, understand and measure our value better, and focus on creating value instead of just doing things
- It also means maybe the regulations need to slow down a bit. They do nothing but distract focus and waste money. And yeah, I get it - this sort of "research" is a call for more regulation because otherwise, no incentive. That's rubbish.
- http://www.zdnet.com/article/were-told-data-breaches-cost-millions-on-average-but-this-security-study-disagrees/
- http://www.csoonline.com/article/3120851/leadership-management/security-leaders-need-to-stop-chasing-risk-catnip.html
NIST launches self-assessment tool for cybersecurity
- Boosters say the document will help specialists explain the importance of cybersecurity to the company's bottom line - the "holy grail" of business cybersecurity. But some critics have questioned how useful it will be to smaller companies.
9/27/2016 • 51 minutes, 2 seconds
DtSR Episode 212 - Insider Threat Primer
In this episode, we talk with Mike Tierney, who is the brand-new CEO at Veriato. In our conversation we talk through a primer on insider threat, and use the great example of hosting a dinner party. Mike has loads of nuggets of wisdom from his experience and we're certain that if you're a seasoned insider threat professional, or just thinking about the topic and wondering if you can do anything to protect your company - this show will be a good primer for furthering your discussion and learning. Listen in, comment and share with your colleagues! Our show is always safe for the office and educational. Talk back! Use our Twitter hashtag #DtSR to discuss this episode, ask questions, or suggest other topics or guests for the future!
9/20/2016 • 51 minutes, 28 seconds
DtSR Episode 211 - NewsCast for Sept 13th 2016
Chrome to label more sites as insecure in 2017
Link: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Focus on sites that transmit passwords or credit card info over HTTP
A USB Device is all it takes to steal credentials from locked PCs
Link: http://www.pcworld.com/article/3117793/security/a-usb-device-is-all-it-takes-to-steal-credentials-from-locked-pcs.html
This is actually pretty interesting, but a little trickier than it sounds
Still - it's quite fascinating that a USB attack works cross-platform, based on network activity and default USB behaviors
DHS chief: 'Very difficult' for hackers to skew vote
Link: http://thehill.com/policy/national-security/294956-homeland-head-very-difficult-for-hackers-to-skew-vote
Instead of dismissing the claim, let’s explore the merits
Then let’s consider what, if anything, it means for enterprise security
“It would be very difficult through any sort of cyber intrusion to alter the ballot count, simply because it is so decentralized and so vast,” he said, noting the series of state, local and county systems involved in running elections. “It would be very difficult to alter the count.”
Decentralized and vast - the merits
How many companies make the systems - so is it as decentralized as we’d like?
How much of what you do in the enterprise is decentralized?
What are your points of failure - or the easy pathways to attack?
If someone did alter the vote… would we know? How would we know?
What’s the impact of appearing to alter the vote?
Depending on your organization… how would you handle the same sort of situation?
How would you convey confidence to the executives and board?
Big business worried more about data loss than hackers – survey
Link: http://www.ibamag.com/news/cyber/big-business-worried-more-about-data-loss-than-hackers--survey-37489.aspx
This might feel li
9/15/2016 • 48 minutes, 1 second
DtSR Episode 210 - Data Protection Primer
In this episode James and I invite Vlad Klasnja from Optiv's Office of the CISO, and Hudson Harris, Chief Privacy Officer at HarrisLOGIC, to talk about data protection. From defining the concept to providing some insight into how we can actually protect confidential information - we talk through a lot of complex issues in this segment. Join us!
Guests
Hudson Harris - Chief Privacy Officer at HarrisLOGIC
Vlad Klasnja - Data Protection and Privacy Manager at Optiv
9/7/2016 • 51 minutes, 47 seconds
DtSR Episode 209 - NewsCast for August 29th 2016
NewsCast for Tuesday August 30th, 2016
Clinic Won’t pay breach protection for victims
http://www.zdnet.com/article/clinic-wont-pay-breach-protection-for-victims-ceo-says-it-would-be-death-of-company/
Are companies required to pay for credit protection? It is common, but is it required?
Can a class action suit succeed to force it? Will that matter if they just declare bankruptcy? If not... what is the purpose of filing the suit?
California Bill would add security standards to data breach law
https://bol.bna.com/california-bill-would-add-security-standards-to-data-breach-law/
But what is reasonable… it can’t just be what a reasonable company would implement.
Bill Text - https://legiscan.com/CA/text/AB83/2015
Is this going too far? Is it too broad? Is it enforceable?
St. Jude stock shorted on heart device hacking fears
http://www.reuters.com/article/us-stjude-cyber-idUSKCN1101YV
We were trying to build a relationship between testers and organizations... This is a step backwards for building that trust.
A Temperature-check on the state of application security
http://www.darkreading.com/application-security/a-temperature-check-on-the-state-of-application-security/d/d-id/1326727
Where should appsec budget be? With responsibility being in the application teams, should much of it be there and not accounted for in security? Training, tools, etc?
Important Apple patch for ‘Trident’
http://www.zdnet.com/article/apple-releases-important-security-update-for-iphone-after-malware-found/
8/30/2016 • 59 minutes, 43 seconds
DtSR Episode 208 - Beyond the Ransomware Economy
This week Michael and I chat with Jamison Utter of Infoblox on one of the more interesting topics at hand - the economy of ransomware. We talk through the sudden popularity of the attack vector, the way the underground "criminal enterprise" has scaled and grown and the future of being a bad guy. If you have occasion to talk to your organization's leadership on the ransomware epidemic, you need to listen to this podcast first.
8/23/2016 • 41 minutes, 54 seconds
DtSR Episode 207 - NewsCast for August 16th 2016
Quick note from Michael about the Straight Talk Framework & Program --> Get your free copy at https://securitycatalyst.com/straight-talk-framework/
Launched a new program last week… boy, did I learn a lot. Mostly, it’s my failure to explain. I’m going to chronicle some of the lessons over the next few days and share them.
If you’ve already downloaded the questions - I’d love to chat with you about your experience… If you find yourself in a situation like this, let’s chat. 25 minutes on the phone and we’ll both benefit.
Until Monday, August 22nd, chance to get on board early and benefit yourself; I’ve got a lot to share this week and into the future. We’re at the start of something big!
Microsoft Accidentally Leaks 'Golden Keys' That Unlock Secure Boot-Protected Windows Devices: Oops?
http://www.techtimes.com/articles/173282/20160811/microsoft-accidentally-leaks-golden-keys-that-unlock-secure-boot-protected-windows-devices-oops.htm
Bottom line: backdoors are always discovered, compromised
Another takeaway: key management… sounds easy, is rarely so. If you have the need to manage keys in your enterprise, don't try to do this yourself
The Future Of ATM Hacking
http://www.darkreading.com/endpoint/the-future-of-atm-hacking/d/d-id/1326549
We didn’t have a problem, but we went ahead with the solution. Looking back on it, imagine some straight talk on this fiasco?
Yes, I realize some of you like the elegance of chip + pin; do you like the UX? Because it sucks. And if you lament the mag stripe, does that mean you stopped using a terrestrial radio, too?
Our need as leaders - in the enterprise and across the industry - is to focus limited energy and assets on the areas that create the most value
Apple will reward hackers with "bug bounty" to find flaws
http://www.smartbrief.com/s/2016/08/apple-will-reward-hackers-bug-bounty-find-flaws-1
The more we press on it, the more that we understand bug bounties and the like are just externally sourced (on spec) testing.
If you caught our last interview, we continued to explore the distinctions between research and testing; and rest assured, we’ll continue.
8/18/2016 • 47 minutes, 54 seconds
DtSR Episode 206 - Vulnerabilities, Disclosure, Ethics, Research and Security
In this episode we chat with Steve Christey Coley, currently the Principal Information Security Engineer over at MITRE Corp. In this episode we talk through our industry's obsession with vulnerabilities, dive headlong into the thorny issue of security research, talk through the various issues with disclosure and even delve into some ethics issues. This episode is packed with content that you will likely want to talk to us about. So here's how to find us:
Steve on Twitter: @SushiDude
Hashtag for the show: #DtSR
Steve's Bio (from LinkedIn - https://www.linkedin.com/in/steve-christey-coley-66aa1826): Editor / Technical Lead for the Common Vulnerabilities and Exposures (CVE) project; Technical Lead for the Common Weakness Enumeration (CWE); co-author of the "Responsible Vulnerability Disclosure Process" IETF draft with Chris Wysopal in 2002; participant in Common Vulnerability Scoring System (CVSS) and NIST's Static Analysis Tool Exposition (SATE). My primary interests include secure software development and testing, understanding the strengths and limitations of automated code analysis tools, the theoretical underpinnings of vulnerabilities, making software security accessible to the general public, vulnerability information management including post-disclosure analysis, and vulnerability research. Specialties: Vulnerability research, vulnerability management, software security.
8/10/2016 • 1 hour, 1 minute, 21 seconds
DtSR Episode 205 - NewsCast for August 2nd 2016
Quick note from Michael about the Straight Talk Framework --> I’ve separated the framework from the programs; the framework is free and available for download from my website. More on the way!
To support both the framework and the programs, I’ve just finished a video that introduces the 5 questions; I have an optional workbook available and make a special offer at the end of the video
I’m about to launch an online offering… stay tuned for details
$2.7 Million HIPAA Penalty For Two Smaller Breaches
http://www.healthcareinfosecurity.com/27-million-hipaa-penalty-for-two-smaller-breaches-a-9270
Interesting the info about the use of Google and lack of contract. How many other health companies are using Google or Microsoft to store some data? Do they have the contracts in place?
Is the GOP seriously considering endorsing vigilante hacking?!
The wording here is dangerous, and could encourage vigilante justice
So much could go wrong here, so much collateral damage
You’ll likely hear a re-start of the hack back debate
http://www.inforisktoday.com/blogs/gop-platform-suggests-hack-back-suitable-cyber-defense-p-2186
What if we just called it “forward looking research in a kinetic state?”
NIST declares the age of SMS based 2-factor authentication over
https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/
Recommendation: use an app (like Google Authenticator), an RSA token or something similar rather than SMS
How will this affect all of the financial institutions that have SMS based 2-factor? Even Google supports SMS and app based.
8/6/2016 • 42 minutes, 46 seconds
DtSR Episode 204 - On Changing Culture
This week, Chris Romeo joins Michael, James and I to talk about changing the security posture of an organization by changing culture. This episode talks through tough issues like incentives, measurements and success factors. This episode with Chris is of particular interest for leaders and those who are working hard to change companies at their core, for the long term.
Chris Romeo's bio: Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Secure Development Life Cycle program, empowering engineers to "build security in" to all products at Cisco. He led the creation of Cisco’s internal, end-to-end application security awareness program launched in 2012. Chris has twenty years of experience in security, holding positions in application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications, and is a frequent conference speaker at RSA and AppSec.
7/26/2016 • 44 minutes, 8 seconds
DtSR Episode 203 - NewsCast for July 19th 2016
Ransomware that's 100% pure JavaScript? Sort of...
Slightly misleading article
Generally a Windows-based attack (go where the users are)
https://nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/
Researchers have come up with a 'cure' for ransomware
Based on some interesting things like file-type changes, similarity measurements and entropy
Interesting but not perfect ... do we even think perfect is reachable?
Average of 10 files before an identification was made
http://www.scmagazineuk.com/florida-researchers-claim-to-discover-cure-for-the-common-ransomware/article/509147/
The government has officially issued a 'fact sheet' on ransomware
Yes, it's a reportable breach
Lots of interesting misconceptions (or half-truths) in this guidance
Good for them for asking us to 'do better' but it's not enough
Go read for yourself! http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
Pokemon Go! - a neat idea with big issues potentially
First there are the privacy and security implications
Then there is the app that wants every permission known to man
Physical security and well-being issues?
http://abcnews.go.com/Business/hit-app-pokemon-raises-security-concerns-google-account/story?id=40524454
FDIC hacked but covered it up, didn't report
Perfect example of "the cobbler's children have no shoes"
The FDIC is consistently terrible, and does little to close the gaps
Obviously, it was China
http://thehill.com/policy/cybersecurity/287561-chinese-government-likely-hacked-fdic-report
The Fiat/Chrysler bug bounty program
They will only pay you $1,500
Lots of uproar about how the pay-out isn't enough but there is so much more here
Lots to unpack, including issues with complexity on the enterprise side
https://www.wired.com/2016/07/chrysler-launches-detroits-first-bug-bounty-hackers/
7/19/2016 • 52 minutes, 5 seconds
DtSR Episode 202 - Outsourced but Better
This week on the Down the Security Rabbithole podcast, Brandon Dunlap is back for his second show. Following up on Episode 158 where we discussed outsourced security, this time around we talk through the next iteration of what "Managed Security" and outsourcing means to security. You're not going to want to miss this episode! As always, hit up our hashtag on Twitter at #DtSR and you can find Brandon on Twitter as well at @bsdunlap if you want to talk to him directly.
7/12/2016 • 45 minutes, 52 seconds
DtSR Episode 200 - Privacy, Security, Risk and Law Collide
** Our 200th numbered episode! **
A note from Raf: Thanks to everyone who has been listening to us, tweeting us, and sharing the links to our podcast. We are absolutely floored with the support and listenership we've received. The average show now gets just under 2,500 downloads when released in the first week, and that number goes up every week. So from the bottom of my heart, I humbly thank you and hope you'll continue to listen, share, and comment.
This week's episode is titled "Privacy, Security, Risk and Law Collide" as we host Dr. Chris Pierson and our recurring legal eagle from the great state of Texas, Shawn Tuma. If you don't have Shawn added on Twitter, you should go follow him right now. In this week's episode we discuss the increasingly overlapping world of what was once "IT security" which has now started coming together with privacy, risk and law. Chris is uniquely poised to talk on the subject, as you will hear his credentials speak for themselves. You'll want to get comfortable, pay attention, and give this episode a careful listen as we take you down the security rabbithole for the 200th time.
Guest: Dr. Chris Pierson, CSO and General Counsel, Viewpost
Dr. Chris Pierson is the EVP, Chief Security Officer & General Counsel for Viewpost. Dr. Pierson serves on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee and is a Distinguished Fellow of the Ponemon Institute. Previously, Chris was the first Chief Privacy Officer, SVP for the Royal Bank of Scotland’s U.S. banking operations leading its privacy and data protection program. Chris was also a corporate attorney for Lewis and Roca where he established its Cybersecurity Practice representing companies on security and data breach matters. Chris is a graduate of Boston College (B.A., M.A.) and The University of Iowa (Ph.D., J.D.) and gives keynotes/speaks at national events and is frequently quoted on cybersecurity.
6/28/2016 • 1 hour, 10 minutes, 11 seconds
DtSR Episode 199 - NewsCast for June 21st 2016
In this episode...
The "Nuclear Bomb" analogy isn't working, stop using it
http://thebulletin.org/flawed-analogy-between-nuclear-and-cyber-deterrence9179
This is important with respect to how security people talk to real-life issues
Here is another example: http://insight.kellogg.northwestern.edu/article/is-reading-someones-emails-like-entering-their-home/
iOS apps will require secure https connections by 2017
http://www.cnet.com/news/ios-apps-will-require-secure-https-connections-by-2017/
We have seen this push on the web before
Michael wrote about this topic back in March 2015 (https://www.developsec.com/2015/03/17/is-http-being-left-behind-for-https/)
Saw the government push this for all public facing websites (https://https.cio.gov/)
Inside Sierra: How Apple Watch “auto unlock” will let you jump straight into macOS
http://appleinsider.com/articles/16/06/16/inside-sierra-how-apple-watch-auto-unlock-will-let-you-jump-straight-into-macos
Interesting idea here... Thoughts?
FICO to Offer 'Enterprise Security Scores'
http://www.fico.com/en/fraud-security/cyber-security
http://www.fico.com/en/products/fico-enterprise-security-scoring
Is this something you’d do? Do you trust it? Breakthrough we’ve been waiting for? Or mysterious approach that ultimately creates complexity, but little benefit?
Why don't banks care more about credit card security?
This suggests that if banks really cared, we’d go all chip and pin, not just chip and sign
Ranty time: morons
http://thehill.com/blogs/congress-blog/economy-budget/282778-why-dont-banks-care-more-about-credit-car
6/21/2016 • 51 minutes, 35 seconds
DtSR Episode 198 - What Legal Counsel Wishes CISOs Knew
On this episode of the Down the Security Rabbithole podcast, Dawn-Marie Hutchinson, currently an Executive Director within the Optiv Office of the CISO, joins us and we talk about the things that she's learned over her career working with legal counsel, CISOs and solving problems. A fantastic episode with lessons learned, and executive leadership crammed into less than an hour. Give it a listen!
Find Rie on Twitter at @CISO_Advantage
UPDATE: Thanks to Sean Jackson (@74rku5) who has hand-transcribed the show. I haven't read this, personally, so if he slipped any humor in I can't be held accountable! http://pastebin.com/JMk0rpFQ
6/14/2016 • 48 minutes, 32 seconds
DtSR Episode 197 - NewsCast for June 7th 2016
In this episode...
Are people "going offline" as a result of increasing dangers of the Internet?
This article makes the case for yes: http://www.techspot.com/news/64839-increasing-number-internet-dangers-driving-millions-americans-offline.html
But ... "millions"? We collectively call BS
As the world moves more to mobile and digital, who thinks they have 'control' of their own data anyway?
"Sandjacking" allows attackers to install evil iOS apps
IF that attacker is physically holding your device AND your device is unlocked AND it takes a while because you have to backup, and restore a phone ... one app at a time
SO this isn't something you do to infiltrate someone's phone while they walk away for a few minutes to the restroom
Cool trick bro, but where on the spectrum of critical things does this fall?
The technique is called "Su-A-Cyder" ... awful name, lose points
http://www.securityweek.com/sandjacking-attack-allows-hackers-install-evil-ios-apps
Dropbox takes heat for a breach, that wasn't their breach
So what happens when you get blamed for a breach that you don't have anything to do with?
http://krebsonsecurity.com/2016/06/dropbox-smeared-in-week-of-megabreaches/
What would YOUR company do if you were Dropbox?
Lenovo's asking people to uninstall its bloatware "Accelerator" app ...because it's a massive security breach waiting to happen
Of all the bloatware vendors install, I'm willing to bet this isn't unique
[Michael] Hey, at least they're admitting defeat here, right?
http://www.zdnet.com/article/lenovo-begs-users-to-uninstall-accelerator-app-in-the-name-of-security/
[Raf] Does no one sense the delicious irony of a Chinese PC maker riddled with security issues in their product?
6/7/2016 • 48 minutes, 16 seconds
DtSR Episode 196 - Jason Witty
On this episode of the Down the Security Rabbithole podcast, I get the pleasure of sitting down with one of my all-time favorite Chief Security Executives, Mr. Jason Witty. He's had a long career of successful security leadership, and in this podcast he sits down with us to talk about risk, threats and words we often confuse. You're not going to want to miss this episode.
5/31/2016 • 43 minutes, 54 seconds
DtSR Episode 195 - NewsCast for May 24th 2016
This week the gang's all here to talk about some news happenings. Michael, James and I talk through some of the stories we've been tracking. Have something you've been reading and want to talk about? Hit us on Twitter with hashtag #DtSR and suggest a topic/story for the next NewsCast!
Tennessee Amends Breach Notification Statute
http://www.natlawreview.com/article/tennessee-amends-breach-notification-statute
Removes the exception for encrypted data. Will this raise the costs to companies?
Encrypted or not, will credit monitoring be the norm?
More lawsuits (even if the data is encrypted)
Do we run the risk of notification overload? What do people do with these notifications anyway?
FFIEC’s New Mobile Security Guidance: An Assessment
http://www.bankinfosecurity.com/ffiecs-new-mobile-security-guidance-assessment-a-9104
Interesting how they discuss some of the risks (SMS, mobile enabled website) but also talk about ways to mitigate the risk.
Software “glitch” kills Formula 1 car mid-race
Does not take a rocket surgeon to figure out the real-world applications here
Sure this time it was a 'glitch' but could just as well have been a security bug, exploited by an attacker?
Many vehicles are now ‘smart’ and phone home, make decisions and drive for you
http://news.filehippo.com/2016/05/software-glitch-kills-formula-1-car-mid-race/
LinkedIn plays down 117 million user breach of data sale
http://www.theregister.co.uk/2016/05/19/linkedin_breach/
From 2012 breach... coming back to us
Does this show how a breach can linger on?
Alternate theory: attacker has been usi
5/24/2016 • 54 minutes, 48 seconds
DtSR Episode 194 - Update on Cyberlaw w Shawn Tuma
In this episode... Michael and I welcome back Shawn Tuma, our resident Cyber Law Expert from the great state of Texas. We discuss some of the recent cases (unlocking an iPhone!) and some of the tough issues facing the court systems today. Shawn provides insights into the use of the finger (not joking) and some amusing and frustrating aspects of cyber law as the courts continue to evolve. Join us!
5/17/2016 • 46 minutes, 29 seconds
DtSR Episode 193 - NewsCast for May 10th, 2016
In this episode...
ImageTragick - major flaw in open source image processing toolkit
ImageTragick is CVE-2016-3714
Logo & Website: https://imagetragick.com
Has a logo, so it must be yuge
Is this really that big of a deal? How many are impacted potentially?
https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html
Remote code execution, with minor caveats - likely darn near everywhere
Detroit company loses $495k to wire fraud
Source was a faked email to make a wire transfer
Why didn’t someone verify this?!
http://www.detroitnews.com/story/news/local/oakland-county/2016/05/03/troy-investment-company-hacked/83879240/
Will insurance pay out? Is the policy change too little too late? How can other companies learn from this?
The Ransomware Epidemic (Optiv blog)
Is there an epidemic at play here? Why the switch to ransoming people’s data? Is this a viable business model for cyber criminals?
https://www.optiv.com/blog/ransomware-part-1-is-this-an-epidemic
Undetectable flaw in Qualcomm-powered Android phones is a huge deal
Input sanitization flaw (again?!)
At risk are 34% of users running Android 4.3 and earlier
Text messages and call histories accessible in plain text
An "undetectable" software flaw in Qualcomm Snapdragon-powered Android smartphones could lay bare users' text messages and call histories to hackers
http://www.computing.co.uk/ctg/news/2457217/undetectable-qualcomm-code-vulnerability-lays-bare-android-users-text-messages-and-call-histori
White Hat hacker sent to the clink for going too far
Found (accidentally?) a SQL Injection flaw then used a tool to pull data out
Obviously went too far
5/10/2016 • 57 minutes, 27 seconds
DtSR Episode 192 - Healthcare and Critical Infrastructure Security
In this episode... Join our guest Larry Whiteside, Michael and I as we record live from InfoSec World 2016 in sunny Orlando, Florida! We talk through the life of a CISO, and the challenges of being in the Healthcare and Critical Infrastructure spaces and the similarities and differences. Larry has had a very diverse and successful career leading some of the most challenging organizations, so we dig into some of the things he's faced, how he's addressed some of those bigger leadership-level challenges, and just the mess that healthcare and critical infrastructure are in right now. Don't miss this episode!
Guest
Larry Whiteside Jr. ( @LarryWhiteside ) - Larry is the VP of Healthcare and Critical Infrastructure at Optiv, and he's tasked with creating innovative solutions to some of the industry's most challenging problems. More info here: https://www.optiv.com/about-us/press-releases/optiv-security-increases-focus-on-holistic-cyber-security-solutions-for-healthcare-and-critical-infrastructure-industries
Note: I'm blessed with being able to work with Larry on a daily basis at Optiv. I highly encourage you to listen to this podcast and share with your friends and colleagues in the healthcare and critical infrastructure space.
5/4/2016 • 45 minutes, 7 seconds
DtSR Episode 191 - NewsCast for April 26th 2016
In this episode...
Only about a third of companies know how many vendors access their systems
Nearly every company is at risk for a third party breach
It's almost impossible to vet every third party
Developing a strategy and being consistent, scaling is key
http://www.csoonline.com/article/3055012/techology-business/only-a-third-of-companies-know-how-many-vendors-access-their-systems.html
No firewall, second-hand $10 routers are to blame for Bangladesh bank heist
We talked about this initially in episode 185 (Link: DtSR Episode 185 - NewsCast for March 15th 2016)
It's almost unfathomable that this happened
SWIFT attacked, now the suspected malware is identified
Jim McKelvey's Launchcode is helping unconventional tech talent
Internal mentorships could be the key
Who out there is doing this? Talk back to us using hashtag #DtSR on Twitter
The Simpsons' math secret is the key to better security ...?
http://www.csoonline.com/article/3054566/leadership-management/the-simpsons-math-secret-is-the-key-to-better-security.html
4/26/2016 • 35 minutes, 36 seconds
DtSR Episode 190 - Interview with Lance James
In this episode, James, Michael and I are live from InfoSec World 2016 and we get the pleasure of interviewing Lance James fresh off the keynote stage. In this intimate, fast-paced and bold interview we talk through some of the challenges InfoSec is facing today, and where Lance believes we should be going. If you haven't been to InfoSec World, we highly recommend going next year. The content team continues to provide a solid mix of technical, managerial and transitioning information security speakers. Make sure you have this one on your calendar for next year, and bring the family!
4/20/2016 • 44 minutes, 42 seconds
DtSR Episode 189 - NewsCast for April 12th 2016
In this episode...
Pros examine Mossack Fonseca breach: WordPress plugin, Drupal likely suspects
Plug-ins seem to be a universal weakness
Many companies have this type of 3rd party security issue
The broader enterprise implications - how do you find these sites?
http://www.scmagazine.com/pros-examine-mossack-fonseca-breach-wordpress-plugin-drupal-likely-suspects/article/488697/
WordPress pushes free HTTPS encryption for all hosted sites
What's the problem we're trying to solve?
2 separate issues, trust vs. authentication - know which you're solving
http://www.securityweek.com/wordpresscom-pushes-free-https-all-hosted-sites
If you can't break crypto, break the client
Bishop Fox researcher finds WebKit bug in iMessage
JavaScript in iMessage, sure, why not
Same-Origin-Policy (SOP) not enforced since it's a desktop app
http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/
Executives - "We're not responsible for cyber security"
Raf: This is squarely the fault of security professionals failing to make the security discussion a part of the enterprise vernacular
Michael & James: What does this mean, and what do we do now? If anything.
http://www.cnbc.com/2016/04/01/many-executives-say-theyre-not-responsible-for-cybersecurity-survey.html
4/12/2016 • 50 minutes, 27 seconds
DtSR Episode 188 - Security Talent Truths
Intro song: "Josh Gabriel - Deep Down"; Intro/Outro v/o courtesy of @ToddHaverkos
4/5/2016 • 48 minutes, 36 seconds
DtSR Episode 187 - NewsCast for March 29th, 2016
In this episode...
BadLock bug (which now has a website, a graphic, and more hype than Bieber) is out there
- Is the bug really worth all this hype?
- Is this anything more than a PR stunt, and a big marketing opportunity?
- Everyone has an opinion, but one thing is for certain, this bug is making big waves
- http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/
Your wireless mouse is probably a security risk... seriously.
- RF-based mice typically don't use encryption or mutual authentication
- Some do (all of my Microsoft & Logitech mice tell me they mutually authenticate & encrypt... I think)
- How far up, or down, your risk register is this one; and how much should it matter to enterprise?
- http://www.thefiscaltimes.com/2016/03/23/Your-Wireless-Mouse-May-Be-Exposing-You-Cyber-Hackers
Your Node.js package manager could be an entry point for worms?
- Now that everything has functionality over our endpoints...
- Dependencies seem to be (at least partially) to blame here (who's surprised?)
- http://news.softpedia.com/news/node-js-package-manager-vulnerable-to-malicious-worm-packages-502216.shtml
Ransomware is getting nastier (and more effective)
- Remember it's just a business model, so they actually are pretty good at unlocking, support, etc. once you pay up
- What happens when a hospital system gets locked/encrypted -- real lives are at stake here!
- Enterprise advice? Backup, test, and take it all offline regularly so you can recover
- This is only going to get worse. Much, much worse.
- http://www.itsecurityplanet.com/experts-corner/hospital-hit-with-ransomware-contagion-declares-internal-emergency
- http://www.healthitoutcomes.com/doc/backup-recovery-system-control-ransomware-attack-0001
- http://www.healthcareitnews.com/news/ransomware-wreak-havoc-2016-icit-study-says
3/29/2016 • 40 minutes, 5 seconds
DtSR Episode 186 - Becoming a CISO
In this episode I posed some questions to Joey, an InfoSec professional who had recently moved into a CISO role in a midwest retail company:
- Let's talk a little bit about the background you had before walking into your first day as a CISO...
- How long have you been in your role, and what do you think "so far"?
- What do you think were the biggest lessons you've learned in your time as a new CISO?
- What do you make of all the talk about CISO burn-out rates, and the average tenure of a CISO being less than 2 years?
- What do you see as the role of the CISO in today's business climate?
- How do you work with other IT leadership, and executive leadership to make your mark and do your job?
- From your experience, what do you think someone who is taking a new CISO role, or thinking about doing so, should know?
3/22/2016 • 42 minutes, 26 seconds
DtSR Episode 185 - NewsCast for March 15th 2016
In this episode...
The FTC is getting into providing guidance on password changes
- Well OK, this isn't really guidance, it's just a blog
- But - does this mean that the FTC is getting into technical guidance?
- https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
Dwolla hit by CFPB and fined $100,000
- Who is the CFPB (Consumer Finance Protection Bureau)?
- This opening sentence is crucial: "The Consumer Financial Protection Bureau (Bureau) has reviewed certain acts and practices of Dwolla, Inc. (Respondent, as defined below) and has identified the following law violations: deceptive acts and practices relating to false representations regarding Respondent’s data-security practices in violation of Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010 (CFPA), 12 U.S.C. §§ 5531(a), 5536(a)(1)"
- http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf
- http://blog.dwolla.com/we-are-never-done/
FTC To Study Credit Card Industry Data Security Auditing
- The FTC is asking for specific information from a specific number of companies (9 of them in total)
- Studying "how companies and their assessors interact" - is that code for something?
- Interesting to see what the FTC will do with this?
- https://www.ftc.gov/news-events/press-releases/2016/03/ftc-study-credit-card-industry-data-security-auditing
Bangladesh bank hackers steal ~$100M
- There is definitely more to this story
- Lots of finger-pointing, failed/unknown processes in SWIFT clearinghouse
- Was this account compromise? System compromise? An insider threat? All of the above?
- http://www.bankinfosecurity.com/bangladesh-bank-hackers-steal-100-million-a-8958
3/21/2016 • 42 minutes, 27 seconds
DtSR Episode 184 - A CISO Post-RSA WrapUp
In this episode, we wind down from RSA Conference 2016 and talk with Jonathan and Michael, both security executives and leaders at their respective companies, who were both out at RSA Conf and share with us some of their insights, lessons learned, and discuss some of the more interesting topics. Join James and me for an informative, insightful, and slightly unnerving conversation about the state of our industry. If you missed RSA Conference (or even if you were out there but wish you weren't) this is one you're going to want to listen to at least once.
3/16/2016 • 42 minutes, 1 second
DtSR Episode 183 - NewsCast for March 1st 2016
This is RSA Conference week, so while Rafal is out in San Francisco trying to make it through another one, James and Michael break down the news events that you may have missed.
300,000 Homes affected by security alarm bug
- http://www.forbes.com/sites/thomasbrewster/2016/02/17/simplisafe-alarm-attacks/#3202d4e679a3
- According to spokesperson, alarm still alerts users' smart device when the alarm is armed or disarmed.
- Device is an alerting mechanism, not a lock
- Technically, we’d consider this… wait for it… a ‘detective’ control.
- Appears to only intercept when PIN is entered into the device... does this affect if user arms/disarms via their device?
82 Percent of company boards are concerned about security
- http://betanews.com/2016/02/29/82-percent-of-company-boards-are-concerned-about-cyber-security/
- Suggests that since CISOs don’t report to the CEO/Board, the companies aren’t serious. Ridiculous.
- This is myopic… Boards care. Executives care.
- In security - are you perceived as a leader? Or a technical resource?
- This is an opportunity.
See something suspicious online, Homeland Security wants to know about it
- http://m.nextgov.com/cybersecurity/2016/02/homeland-security-wants-see-something-say-something-campaign-internet/126008/
- We think this is rather unintelligent. That said, it’s the sign of the only part of an ‘awareness’ program that counts: people are comfortable reporting something that seems amiss
- What’s amiss? And that’s what’s missing. We pretend it works at airports and in big cities. Does it? And what, exactly, are people reporting. And why?
- What’s the experience?
Antivirus update breaks Internet browsing due to glitch
- http://www.theregister.co.uk/2016/02/29/eset_antivirus_false_positive/
- Apparently, update blocks getting to many internet sites due to flagging JavaScript as virus
- We have seen this many times before.
3/1/2016 • 40 minutes, 45 seconds
DtSR Episode 182 - Apple Versus the FBI
In this episode...
- Michael and I moderate what turns out to be an expert-filled panel discussion on the real issues of the Apple vs FBI debate
- Shawn Tuma, our favorite cyber attorney, provides expert insights into the statutes, laws and applicable legislation in this case
- Dave Kennedy, Von Welch and Gary bring their technical expertise and background to discuss the issues from a technology and policy perspective
We think this is one of those landmark podcast episodes you'll want to listen to a few times. Lots of interesting content here, and we encourage you to share! Don't forget, #DtSR on Twitter!
2/23/2016 • 55 minutes, 1 second
DtSR Episode 181 - NewsCast for Feb 16 2016
In this episode
Class action lawsuit against SuperValu dismissed
- No damage (use of stolen information) so there's no case?
- As time passes, risk of use of stolen data, according to judge, decreases
- The precedent appears to be that in order to sue, you have to prove damage (imagine that?)
- http://legalnewsline.com/stories/510661014-data-breach-class-action-against-grocery-chain-dismissed
Neiman Marcus - breached again (with another lesson this time)
- http://www.bankinfosecurity.com/neiman-marcus-reports-new-breach-a-8843
- So is it official, not having MFA is weak authentication?
- Is someone accessing accounts through the web interface with stolen passwords a “breach”?
- Encryption would have done nothing to save any of this information as it was accessed through the interface.
- Did they have account lockout? What's the rest of the story here?
Hacker steals and releases information on 30,000 FBI and DHS employees
- The biggest weakness is always the human who wants to be helpful
- What does this mean for the enterprise, when gov falls victim?
- http://dailycaller.com/2016/02/10/having-trouble-hacking-government-agencies-just-call-their-help-desks/
Hacked toy company tries a different tactic
- VTech gets hacked, changes TOS
- New TOS is "we'll be hacked, too bad so sad" is what it amounts to
- Is this realistic? Should this be the new standard?
- http://motherboard.vice.com/read/hacked-toy-company-vtech-tos-now-says-its-not-liable-for-hacks
2/16/2016 • 48 minutes, 42 seconds
DtSR Episode 180 - From the CISO Perspective
In this episode...
- Andrew discusses a few of the key challenges making it difficult for the healthcare sector right now
- Robb, Andrew and Raf discuss the importance of identity in the corporate environment
- Robb and Andrew give some of their wisdom for the successes and failures of CISOs (and the broader security industry)
- We discuss the technical vs executive CISO approach (which is better?)
- Robb and Andrew provide some unfiltered advice for CISOs and those who want to become them
Guests
Robb Reck ( @RobbReck ) - Chief Information Security Officer at Ping Identity, contributor to ISSA Denver with a long history as a successful security executive and leader.
Andrew Labbo - Drew is the CISO at Denver Health and Hospital Authority and is the owner and principal of RMHG, which offers HIPAA consulting and HIPAA advisory services. Drew has over 15 years’ experience with information security and technology and over 10 years’ experience as a Privacy and Data Security Officer. He is an expert on HIPAA Privacy and Security Rule regulations as well as HITECH and Omnibus regulatory updates. Drew’s recommendations are guided by his education in health administration and experience and leadership integrating privacy and security controls with health information technology infrastructure and applications, as well as treatment, payment, operations, and human subjects research workflows and processes.
2/9/2016 • 42 minutes, 44 seconds
DtSR Episode 179 - NewsCast for Feb 2nd 2016
In this episode
Employees may face penalties if they misinterpret security policies?
- Human behavior still seen as the biggest weakness
- Employers are growing less tolerant of misbehaving employees
- If you "invite a data breach" you could be held liable
- http://www.welivesecurity.com/2016/01/14/employees-face-penalties-misinterpreting-security-policies/
New lawsuit filed blaming Twitter for ISIS attack
- Should social media filter content from terror groups like ISIS?
- Can social media companies be held liable, why or why not?
- http://blogs.wsj.com/digits/2016/01/14/lawsuit-blames-twitter-for-isis-terrorist-attack/
SCADA/ICS make incident response more complicated
- Typical IR activities are complicated by the nature of ICS systems
- Differences are there, but strategy still possible
- What is the path forward?
- http://www.darkreading.com/perimeter/how-incident-response-fails-in-industrial-control-system-networks/d/d-id/1324094
Only in NYC: Dept of Consumer Affairs warns parents of baby monitor hacks
- These issues seem to come down to default passwords
- What can the general population do about this?
- How can we eliminate this behavior in consumer products?
- http://www.nbcnews.com/tech/security/hack-alert-nyc-regulators-warn-parents-secure-their-baby-monitors-n505391
2/2/2016 • 53 minutes, 23 seconds
DtSR Episode 178 - What Will Get Us There
In this episode
- What got us here - so where are we?
- Where do we go, and how? (addressing stunt hacking)
- We discuss how we can influence outcomes, without hand waving and endangering lives
- What about truly understanding risk, versus ‘security stuff’?
- Michael breaks out the “risk catnip”
- Raf asks Haroon - “What are the 2-3 things security does right now, that we should just quit?”
- We discuss some of the breakers that are turning into builders, and implications
- With the rate of bad vastly outpacing the rate of good - what’s the solution?
Guest
Haroon Meer ( @haroonmeer ) - Haroon is an internationally acclaimed long-time industry insider and is working hard to change the "how we've always done it" dynamics. His talk "What got us here, won't get us there" is now world famous. He works over at Thinkst and does some pretty amazing things you should check out.
1/26/2016 • 56 minutes, 18 seconds
DtSR Episode 177 - NewsCast for January 19th, 2016
In this episode
FTC imposes a $250,000 fine for "false advertising" of encryption
- Interesting case, where there really was 'false advertising'
- Would this even have been a 'security issue'?
- https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled
NY wants to ban encrypted smart phone sales
- Another clear case of legislators being clueless?
- What about all the existing technology, and kit you can buy across state lines?
- http://www.zdnet.com/article/apple-iphone-ban-new-york-looks-to-outlaw-sale-of-encrypted-smartphones/
Las Vegas casino is suing cybersecurity firm over "woefully inadequate" work
- Are there ethical implications here of a competitor defining negligence?
- Burden of proof is on casino to prove "woefully inadequate" - but against what standard?
- Does this ultimately raise quality, price or both for IR services?
- http://thehackernews.com/2016/01/casino-hacker.html
The FDA issues draft guidance of security guidelines
- If everyone is doing it, why not the FDA?
- As James points out, why does every industry need their own unique (exactly the same issues as everyone else) guidelines?
- Interesting mention of "full lifecycle" and disclosure of vulnerabilities
- Of course it's all non-enforceable
- http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
OpenSSH bug found, fixed
- OpenSSH bug creates a "malicious server" scenario
- User has to successfully authenticate first, then server can read/steal memory
- Can be used to compromise SSH private key from host
- Great pivot method if you've compromised an SSH server w/this bug, to compromise the users of the server
- http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-just-fixed-in-widely-used-openssh/
1/19/2016 • 52 minutes, 17 seconds
DtSR Episode 176 - 2015 InfoSec Legal Review
We open up our 2016 year interviewing Shawn Tuma on the show. Shawn is our legal eagle, and a regular contributor to the podcast. This episode ran a little bit long (OK a lot long) but I think you'll enjoy the show...
In this episode...
Most important cybersecurity-related legal developments of 2015
Tectonic Shift that occurred with “standing” in consumer data breach claims
- Discussion of law prior to Neiman Marcus case, and post Neiman Marcus
- Does this now apply to all consumer data breach cases?
- Immediate impact? Companies now liable?
- Lesson is in seeing the trend and how incrementalism works
Regulatory Trends
- FTC & SEC gave hints in 2014, post-emergence of Target details
- Wyndham challenged authority – came to fruition in August 2015
- SEC not far behind – significant case in September 2015
- Aggressiveness of FTC is substantial – FTC v. LabMD … all over LimeWire
Officer & Director Liability
- 2014 – SEC Comm. fired the warning shot … pointed the finger
- Shareholder derivative litigation
- Individual liability of IT / Compliance / Privacy “officers”
Major 2016 Legal Trends
- Regulatory enforcement … which, by the way, is why NIST is becoming default
- Shareholder Derivative – much more likely than consumer class actions at this time
- Lessons from both of these: when you need to persuade the “money folks” that they need to act, mention D&O Liability (especially Caremark) and Regulatory focus on individuals … now they're in the cross-hairs
- Realization that cybersecurity is more of a legal issue than anything else (IT or business) b/c it is the legal requirements and consequences that ultimately drive everything
1/13/2016 • 1 hour, 16 minutes, 49 seconds
DtSR Episode 175 - NewsCast for January 5th 2016
In this episode...
Juniper has a backdoor problem
- 2 separate issues, auth bypass & VPN weakness
- backdoor discovered in Juniper devices
- lots of speculation on who put it there, but it was meant to be disguised as ‘debug code’
- enterprise implications - same as before (what's the bigger picture?)
- https://isc.sans.edu/forums/diary/Infocon+Yellow+Juniper+Backdoor+CVE20157755+and+CVE20157756/20521/
Iranians broke into New York dam in 2013 and “had a look around”
- no direct damage done
- US has largest number of ICS connected to Internet
- critical infrastructure is vulnerable, being probed
- this is not a ‘government problem’ - every company has some ICS on their network
- http://www.theregister.co.uk/2015/12/21/iranian_hackers_target_new_york_dam/
Facebook announced it’s dumping Adobe Flash
- is this a bigger deal than it sounds like
- HTML5 has its own vulnerabilities and issues though… right?
- *only* for videos, games still in Flash
- Facebook will work with Adobe (really?) to improve security of Flash
- http://www.scmagazine.com/facebook-ditches-flash-videos-to-boost-security/article/461040/
191 Million US voter records found ‘unprotected’ by a researcher
- guy from Texas found the data on an unprotected database
- “Vickery told Databreaches.net he was able to poke around the public-internet-facing database because it is poorly configured: no authentication or password is required to query all 300-plus gigabytes stored within.” ← What the hell?
- legality and ethics … again … but that aside is this REALLY an issue?
- same person who discovered Hello Kitty leak.. interesting.
1/5/2016 • 52 minutes, 46 seconds
DtSR Episode 174 - Health Check on Healthcare InfoSec
In this episode...
- We discuss what in the world is going on in the healthcare space, and why they’re such a target for attackers
- Dustin discusses why the explosion in digitalization in health care is both amazing and terrifying
- We discuss future-proofing “smart” healthcare
- I stumble on “the fundamentals”
- Dustin discusses the security of “data analytics” in the healthcare space
- I ask how we can make health care professionals better security people, without making them security people
- I ask Dustin what the healthcare industry should be doing, going forward into 2016
Guest
"Dustin" is a progressive CISO at a Fortune 250 Healthcare organization
12/28/2015 • 36 minutes, 8 seconds
DtSR Episode 173 - NewsCast for December 14th 2015
In this episode...
Vizio is getting sued, over data their TVs collect?
- James provided security tips on the local news station and one of those tips was around the privacy details of your gadgets
- Companies need to be considering what they are doing with their data
- At what point does data go from an asset to a liability?
- Do companies understand the difference?
- http://www.consumerreports.org/lcd-led-oled-tvs/vizio-sued-for-smart-tv-data-sharing
Wyndham settles (caves to) the FTC
- Agrees to legally be bound to do things they should already be doing .. ?
- 20 years of audits
- Interesting ending to the long saga, assuming the courts approve
- https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment
The US Federal Bureau of Investigation (FBI) admits to using 0day vulnerabilities
- Why is anyone surprised?
- Goes to a question of trust, and that's it.
- Are these being found anyway through programs like bug bounties?
- http://searchsecurity.techtarget.com/news/4500260464/FBI-admits-to-using-zero-day-exploits-not-disclosing-them
Google introduces DLP into Google Apps
- So far it's just for their Unlimited customers
- Are we reaching a tipping point where security becomes a feature and not a stand-alone discipline?
- Definitely a game-changer
- Basic patterns and detection built-in FREE
- http://techcrunch.com/2015/12/09/new-google-apps-feature-helps-businesses-keep-sensitive-information-out-of-emails/
Black boxes on ships can be hacked
- Could be worse, someone could be claiming to make the boat float sideways?
- Is this a big deal, probably; is it a bigger deal than other things wrong?
- Who is exploiting this, and how do the good guys fix the problem?
- http://arstechnica.com/information-technology/2015/12/hacked-at-sea-researchers-find-ships-data-recorders-vulnerable-to-attack/
12/14/2015 • 52 minutes, 38 seconds
DtSR Episode 172 - The Truth on Cyber Insurance
Thanks for joining us! This is a very important episode with true experts on the topic of cyber insurance. I was lucky enough to get an attorney and a VP of an insurance firm who specialize in the topic, and their depth of knowledge and candor may shock you. The net is that cyber insurance is a positive for our industry.
In this episode...
- Eran says that if you don’t do good security, the courts will frown down upon that
- Keith tells us why insurance covers security, but it does not cover negligence
- We start back on the discussion on the importance of knowing your critical assets
- Keith discusses why the insurance market is essentially a mirror of your program
- Eran talks about how his team dissects and investigates breaches to improve understanding
- Keith and Eran discuss how the process of buying cyber insurance can actually lead to improved security
Guests
Eran Kahana ( https://www.linkedin.com/in/erankahana ) - Attorney, Maslon, LLP with extensive data security experience and an expert in the cyber insurance marketplace.
L. Keith Burkhardt ( https://www.linkedin.com/in/keith-burkhardt-587b3772 ) - VP, Kraus-Anderson Insurance where he works towards innovative products and services for the industry and has been addressing the cyber insurance market for about two years.
12/7/2015 • 45 minutes, 19 seconds
DtSR Episode 171 - When the FTC Attacks
In this episode I interview Mike Daugherty - author of The Devil Inside the Beltway [Amazon.com link] live from the Security Advisor Alliance first-ever Summit in Dallas, TX. Mike was kind enough to sit down with me (twice, thanks to a tech failure) and tell his absolutely surreal story of what happened to him and his company at the hands of what can only be described as an insane situation.
If you own a business, or manage a business, or work in enterprise -- you need to hear Mike's story. If it wasn't documented and video recorded, you'd never believe it's true.
Truth be told, I've been a supporter of the FTC as an advocate for the victims of breaches - the person whose information is stolen. After hearing Mike's story... I have had my mind completely changed.
In this episode
- We start a constructive discussion addressing the problem of the ‘talent shortage’
- The panel discusses the general lack of understanding of the big picture challenge from both sides: business and security
- The panel discusses basic security issues in an expanding ecosystem of Internet connected things
- The panel discusses some real potential solutions to our talent issue
Guests
Bryce Austin ( @BryceA )
Holly Miller ( @OPSEC_Girl )
Jeff Man ( @MrJeffMan )
Mike Kearn ( @MichaelKearn )
11/23/2015 • 43 minutes, 46 seconds
DtSR Episode 169 - NewsCast for November 16th 2015
In this episode...
Is this seriously the FBI suggestion to companies hit with ransomware?
- http://thehackernews.com/2015/10/fbi-ransomware-malware.html
- Sets an awful precedent ... or does it?
- What other options are there?
- Would you take this advice?
Microsoft is opening a data center in the UK ...why?
- http://thehill.com/policy/cybersecurity/259656-microsoft-opens-uk-only-data-center-following-eu-ruling
- Have the US spying revelations finally hit home?
- What about EU Safe Harbor?
- What do you think, if you're a multi-national Internet company?
Is healthcare really that far behind enterprise security?
- http://www.cnbc.com/2015/11/11/us-health-care-way-behind-on-data-security-says-forrester.html
- Forrester calling out the healthcare sector for being far behind on security
- Is there more pressure, less attention, or more legacy? (or all?)
- How do you fix this situation?
Disheartening (but predictable) state of human weakness
- http://www.scmagazineuk.com/many-uk-workers-willing-to-sell-their-companys-ip-study/article/452428/
- Are your employees willing to sell your company's intellectual property?
- What can you do about it?
YikYak not so anonymous, can reveal user data to cops
- http://bigstory.ap.org/article/8535dd899f554fb3b5dd1c9498d610b5/yik-yak-social-media-service-can-reveal-user-data-police
- Is there any anonymous social media, really?
In this episode
- Rob & Liam discuss the practical applications of threat intelligence for today's enterprise
- We discuss what enterprise threat intelligence really is (and also what it isn't)
- We discuss the place of feeds, tools, processes and people in the mechanics of the program
- We discuss the need to conduct a program-based intelligence approach for the enterprise
Guests
Liam Randall ( @hectaman ) - With a career spanning 20 years, Liam Randall has worked at every level of the information systems pipeline - from building and operating large networks, developing and maintaining large 100M+ e-commerce solutions, to designing and implementing global network security monitoring sensor grids. A frequent speaker and trainer at security conferences, Liam has trained over 1000 students on advanced incident response with a focus on leveraging the open source Bro Platform. https://www.linkedin.com/in/hectaman
Robert M. Lee ( @RobertMLee ) - Robert M. Lee is the founder and CEO at Dragos Security LLC where he helped design and build CyberLens - a cyber situational awareness software tool for critical infrastructure networks. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure. For his research and focus areas, Robert was named one of Passcode’s Influencers and awarded EnergySec's 2015 Cyber Security Professional of the Year. https://www.linkedin.com/in/robert-m-lee-b2096532
11/9/2015 • 49 minutes, 12 seconds
DtSR Episode 167 - NewsCast for Nov 2nd 2015
In this episode...
Turn any old car into a "smart car" for $200 with this new miracle device
- "BACKED BY FROGVENTURES, VOYOMOTIVE IS TACKLING THE BURGEONING CONNECTED-CAR SPACE"
- Could be a fantastic idea
- Could be an awful idea
- Has anyone considered the security ramifications?
- What about privacy?
- http://www.fastcodesign.com/3052012/this-device-will-turn-your-clunker-into-a-smart-car-for-200?utm_source#4
OMB preps cyber sprint follow-up
- Michael's take on "gap focus": http://www.csoonline.com/article/2992553/security-leadership/stop-focusing-on-gaps-to-gain-influence-as-a-security-leader.html
- Hoping for 75% authentication for 2FA - not exactly great
- Lots of challenges here, but is this the right thing to do?
TalkTalk breached, 3 teenagers arrested, CEO goes tone deaf
- CEO says they "were not legally required to encrypt client information"
- Teenagers arrested in breach
- The poster child for having a breach preparedness plan, before the cameras start rolling and media starts calling
- https://hacked.com/british-police-arrest-15-year-old-telecom-hack-ransom-demanded-bitcoin/
- http://www.theregister.co.uk/2015/02/27/talktalk_admits_massive_data_breach/
Lots of talk on security - but is anyone talking to each other?
- http://www.eenews.net/stories/1060026736
- http://cjonline.com/news/2015-10-25/bbb-small-business-cybersecurity-hackers-are-not-just-trick-or-treaters
11/2/2015 • 42 minutes, 3 seconds
DtSR Episode 166 - Cyber Security From Board Room to White House
In this episode...
- Raf sits down with Howard Schmidt to talk about Cyber Security from the public to private sectors and everything in between.
- Howard & Raf talk through challenges of cyber security in the board room
- Howard gives us some of the challenges that government faces, from his experience
Don't miss this episode!
Guest
Howard A. Schmidt ( @HowardAS ) - Former Supervisory Special Agent, Director of Computer Crime and Information Warfare, AF OSI. Former CSO Microsoft Corp. Former Chairman of White House Critical Infrastructure Protection Board. VP, CISO eBay Inc. Special Agent, US Army CID (Reserves). Law Enforcement Officer Chandler Police Department, AZ
10/26/2015 • 24 minutes, 9 seconds
DtSR Episode 165 - NewsCast for October 19th, 2015
In this episode...
Standard & Poor's Adding Cybersecurity to Ratings
  The headline
  In a report issued this week, the rating agency says it could issue a downgrade before a cyberattack if a bank looked ill-prepared, or following a breach that causes significant damage to a bank's reputation or which leads to substantial monetary losses or legal damages.
  Behind the curve? Stop.
  Michael wrote about it this week - stop calling it gaps…
  16 questions… good start?
    How long has it typically taken to detect a cyberattack?
    What containment procedures are in place if the bank is breached?
    How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?
    What's the internal phishing success rate?
    What kind of expertise about cyberattacks exists on the board of directors?
    How much does the bank spend on cybersecurity, what resources does it devote, and what is the total tech budget this year versus last?
  Including security in the ratings - and we’re crying?
  Claim this leads to more insurance… how about that…
  http://www.bankinfosecurity.com/sps-cybersecurity-warning-late-to-game-a-8556

Crisis Services Top Insurers’ Cyber Claims Payouts; Average Claim at $674K
  This is interesting, and it’s a good data point, too -- in contrast to the “costs” we hear about in briefings all the time.
  Saw other stories that suggested the insurance is going to get jacked… of course it is.
  More insurance, more insight, more claims, more data… this is all good
  http://www.insurancejournal.com/news/national/2015/10/05/383785.htm

New California law requires warrants for online data
  Same warrant requirements as files in your filing cabinet
  Doesn’t change Federal law, under which no warrant is required.
  Worth remembering: feds can compel your biometric, but not your password
  Do you encrypt? Policies? Practices?
10/19/2015 • 36 minutes, 24 seconds
DtSR Episode 164 - 3rd Party and Supply Chain Risks
In this episode...
Raf asks why we are talking about global supply chain and 3rd party risk again
Josh discusses what little things we are not thinking about today, that we should
Josh discusses what happens as companies move critical data to the cloud
We discuss regional IT in a global data world
Raf opens up the “tiny company 3rd party” can of worms
We discuss the cyber crime survey and CISO board reporting results; link: http://www.csoonline.com/article/2978020/security-leadership/do-boards-of-directors-actually-care-about-cybersecurity.html
What about supply-chain issues with electronic components, software?

Guest:
Josh Douglas - CTO for Raytheon Cyber Products – has nearly two decades of experience in helping global enterprises and government agencies secure their most prized business/mission assets. During his past 9 years at Raytheon, he has overseen Raytheon’s Cyber Security Intelligence Operations, Malware Concepts, Security Infrastructure Operations and Research Technologies tasked to produce effective forward-looking cyber software solutions to contain and control advanced threats. These solutions are used to help commercial and government entities protect their enterprises and the global cyber supply chain from ever-changing advanced persistent threats and malware. Prior to joining Raytheon, Joshua had a successful track record in network security operations and engineering management positions, securing enterprise environments while promoting contextual response. Prior employers include Enterasys Networks, Kronos, Genuity, MIT Lincoln Laboratory and other prominent enterprises. Joshua earned a Bachelor of Science Degree in Computer Science from Appalachian State University and currently holds a number of technical computer and network security certifications.
LinkedIn: https://www.linkedin.com/in/jdouglas
10/12/2015 • 31 minutes, 3 seconds
DtSR Episode 163 - NewsCast for October 5th, 2015
In this episode...
Patreon got hacked, but it's OK
  This is a lesson in how to do security in a reasonable manner
  Great response, good security
  https://www.patreon.com/posts/important-notice-3457485

The double-edged blade of the DMCA could have helped VW cheat emissions
  Reverse-engineering illegal
  Definitions of 'researcher' and further 'independent researcher' are interestingly defined - lots of room for discussion
  http://www.itworld.com/article/2986856/enterprise-software/how-the-dmca-may-have-let-carmakers-cheat-clean-air-standards.html

CFOs are getting involved in security whether they want to or not
  Good to-do checklist for CFOs
  http://ww2.cfo.com/accounting-tax/2015/09/deals-demand-prior-cfo-involvement-data-security/

Lawsuits preventing disclosure of vulnerabilities in the news
  We're "chilling security research" again
  Good points made, on top of bad points and half-truths
  Stems from the FireEye vs ERNW fight
  http://ww2.cfo.com/accounting-tax/2015/09/deals-demand-prior-cfo-involvement-data-security/

Verizon reports on the state of network transformation
  Security still an issue, and top priority
  Human talent is still a problem
  Lots of leadership opportunities here
  http://www.enterprisenetworkingplanet.com/netsysm/verizon-reports-on-the-state-of-digital-network-transformation.html
10/5/2015 • 50 minutes, 22 seconds
DtSR Episode 162 - OSINT and Privacy in a Digital World
In this episode...
Kirby tells us what OSINT is
We discuss how much we are giving away on digital channels
We discuss if there is such a thing as anonymity anymore
Location sharing in apps — the bad, the ugly, the scary
Kirby and Michael discuss “checking up on your executives”
Raf talks about “logo pages” — why do these still exist?!
Kirby gives us some thoughts on OPSEC
Kirby leaves us with a dose of reality about privacy in today’s world

Guest
Kirby Plessas ( @kirbstr ) - Kirby is the CEO of Plessas Experts Network, Inc. She did some things before this too, but we can't tell you about them or we'd have to black-bag you and send you to Gitmo. You can get her LinkedIn bio here: https://www.linkedin.com/in/kirbyp
9/28/2015 • 33 minutes, 4 seconds
DtSR Episode 161 - NewsCast for Sept 21st, 2015
On this episode of the NewsCast
Intel forms new Automotive Security Research Board (ASRB) to focus on security of their automotive platform
  http://newsroom.intel.com/community/intel_newsroom/blog/2015/09/13/intel-commits-to-mitigating-automotive-cybersecurity-risks
  Good security as a competitive advantage?
  Interesting development in the effort to secure cars as a technology platform

Appeals court forces the issue of 'fair use' in DMCA case
  http://www.engadget.com/2015/09/14/appeals-court-copyright-holders-must-consider-fair-use-before/
  Interesting development in the case against Universal Music Group's malicious prosecution and nonsense take-down orders

Bitpay sues their insurance company after giving away $1.8M
  http://www.coindesk.com/bitpay-sues-insurer-after-losing-1-8-million-in-phishing-attack/
  Interesting argument in court - indirect loss
  Company exec got phished for credentials
  Execs fall for "transfer large quantity of money" scam
  Follow this case!

China making demands of US tech companies
  http://www.engadget.com/2015/09/17/china-us-tech-companies-security-policies/
  This has happened before...
  US companies found ways around this once
  Essentially it appears as though China is asking for 'backdoors' and secret access to source code, etc. in order to do business in China
  Talk about anti-competitive!

The Kardashian train wreck exposes fans' information due to web flaw
  http://techcrunch.com/2015/09/16/kardashian-website-security-issue-exposes-names-emails-of-over-half-a-million-subscribers-payment-info-safe/#.gofm76:EZbS
  Some 'developer' wanted to see how the site worked, poked around, found an interesting flaw and raised it with the owners
  ~500,000 subscribers' info exposed
9/21/2015 • 43 minutes, 35 seconds
DtSR Episode 160 - Leadership from a Navy SEAL
In this episode...
Brandon, Michael and I discuss the challenges of leadership and how leadership is more than just telling people what to do. Brandon gives us some of his back-stories and anecdotes to illustrate his points on leadership along the way.
I promise you'll love this episode, and I highly encourage you to go donate what you're able to, to Red Circle Foundation (http://redcirclefoundation.org).

Guest
Brandon Webb ( @BrandonTWebb ) - Brandon is a former Navy SEAL, bestselling author and CEO of Force12 Media. He founded Red Circle Foundation as a way to give back to the families of the Special Ops community in a meaningful way.

Links
Red Circle Foundation - http://redcirclefoundation.org/
SOFREP - http://sofrep.com
Brandon's website - http://brandontylerwebb.com/
9/14/2015 • 36 minutes, 8 seconds
DtSR Episode 159 - NewsCast for Sept 7th 2015
In this episode
Court strikes down Wyndham's challenge to FTC power
  We have covered this before
  Wyndham argued due process and lack of case law - asked for dismissal
  Court said no dismissal, FTC has standing
  FTC is arguing that Wyndham made promises it did not keep
  Should be interesting to watch this go to court (or likely not)
  http://www.csoonline.com/article/2975915/data-breach/wyndham-vs-ftc-corporate-security-pros-need-to-lawyer-up-about-data-breach-protection-experts-say.html

Ashley Madison hauled into court by class-action suit
  Lots of thorny issues here, must separate out moral from legal
  Shines light on the continued bias for breach prevention
  Interesting Streisand effect here
  http://www.csoonline.com/article/2975755/data-breach/ashley-madison-hauled-to-court-in-class-action-suits-over-data-breach.html

Verizon launches Hum OBD port vehicle monitor and communication tool
  In light of the stunt-hacking against Chrysler/Jeep, is Verizon tone deaf?
  ...or are they simply that confident in their security?
  There is no mention, by the way, of security of the device on the web site
  http://www.macnn.com/articles/15/08/26/service.not.reliant.on.verizons.network.uses.any.ios.or.android.phone.130118/

The move to EMV cards (chip & sign) in America is changing how fraud happens
  EMV cards cost a fortune to implement
  Solving a problem the finance industry did not have
  http://www.bankinfosecurity.com/interviews/emv-shift-preparing-for-fraud-migration-i-2850#
9/7/2015 • 44 minutes, 12 seconds
DtSR MicroCast 08 - Conference Engagement
In this MicroCast, live from HTCIA Conference 2015 in Orlando, FL, Michael and I quickly set the stage for a conversation on conference speaker/attendee engagement.
[Raf] One of my biggest pet peeves as a speaker is getting a room-full of people who watch (and listen) me speak, wait for me to finish, and leave when I'm done.
[Michael] As an attendee, you need to know what you "do" and what you're looking for from the conference.
--> Here's the link to the article Michael mentions: http://paulsohn.org/how-to-connect-with-anyone-you-just-met-with-5-questions/
We welcome the discussion on this topic, #DtSR on Twitter!
9/1/2015 • 8 minutes, 43 seconds
DtSR Episode 158 - Managing Security with Outsourced IT
In this episode...
We discuss what life is like as the CISO when you have all the responsibility for security, but no administrative access (or hands on keyboard)
Brandon tells his story about how his IT organization went from in-house, to out-house, and how they got where they are
Brandon tells us the process and strategy he uses to get a handle on his security
We discuss why visibility is one of the most important things to outsourced IT (and security)
Brandon tells a story of an incident where things went very sideways
We discuss the balance between outsourcer scalability and customer deviations
Brandon tells us why sometimes it takes 3 months to scan your environment for a vulnerability ( your head will explode )
…and so much more

Guest
Brandon Dunlap ( @bsdunlap ) - Brandon is the global Chief Information Security Officer for an employee-owned, global leader in building critical infrastructure in energy, water, telecommunications and government services currently operating in more than 100 countries through consulting, engineering, construction, operations and program management.
8/31/2015 • 45 minutes, 17 seconds
DtSR Episode 157 - NewsCast for Aug 24th, 2015
In this episode...
Just when you thought America's neutered "chip & sign" was safe
  http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/
  Admittedly we put these stories in here just to get Michael all fired up

Ashley Madison's data and source code and CEO's email spool now released and public
  http://www.theregister.co.uk/2015/08/20/ashley_madison_email_dump/
  http://www.csoonline.com/article/2973575/business-continuity/ashley-madison-self-assessments-highlight-security-fears-and-failures.html
  So much to talk about that's just wrong with this story...

Uber is hiring people for security
  http://www.ibtimes.com/uber-boost-security-staff-after-data-privacy-concerns-2055903
  Does more headcount equal better security?
  Where will these people come from given the shortage of talent?

That gadget you attached to your OBD2 port on your car to "save on car insurance" may be used to kill you
  Seriously
  The dangers of all these wireless & connected devices is scary
  Risk assessment anyone?
  http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
  Someone get Flo on the phone...

Windows 2003, which is now expired, still has 609,000 public servers on the Internet
  Translates into roughly 175M websites (Netcraft)
  Why are these out there?
  Is there really a risk or is this hype?
  http://www.zdnet.com/article/windows-server-2003-servers-insecure-unpatched/

ATC systems go down as they were ... being updated!
  Common problem of ancient systems going down due to upgrade
  ATC has ZERO patch window
  ...also close to ZERO ability to test patches/updates in "lab" environment
  Complex, ancient systems fail when they're upgraded, sometimes catastrophically
  http://thehill.com/policy/cybersecurity/251310-software-limits-exposed-in-air-traffic-outage
8/24/2015 • 49 minutes, 19 seconds
DtSR Episode 156 - Leadership Defined Measured and Discussed
In this episode...
We discuss the ever-growing need for strong leadership in security
I ask whether experience and longevity in a position naturally brings leadership qualities
We talk through how leadership interplays with other competencies
Michael asks whether the security leader has a place at the executive table (the "big kids table")
Michael asks if the MBA has value in security leadership
We discuss the model my team uses for leadership and how we build them
Michael and Heath discuss various competency models for leadership
We discuss measuring, KPIs and relative distance
We discuss how leaders can make better decisions
Heath leaves us with an Alex Hutton quote
8/17/2015 • 43 minutes, 14 seconds
DtSR Episode 155 - NewsCast for Aug 10th, 2015
In this episode...
The Belgian government's internal phishing test has "gone off the rails" a bit
  Used a legitimate entity to test against
  Panic and hilarity ensued, but mostly panic
  http://www.networkworld.com/article/2951514/security/belgian-government-phishing-test-goes-offtrack.html

British ICO makes a 180,000 pound fine
  Disconnect between policy and reality
  Was anything lost?
  2 big failures lead to a fine
  https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/08/ico-fines-nationwide-money-lender-the-money-shop-180-000/

McAfee and Black Hat attendee surveys wildly different
  Answers you get depend on who and how you ask
  Interesting answer though...
  Lesson: The more experience you have, the less confidence?
  http://www.slate.com/blogs/future_tense/2015/07/21/two_surveys_of_cybersecurity_professionals_show_starkly_different_attitudes.html
In this episode
Raf asks - Why haven’t we solved the same old software security bugs?
James asks how a security team gets out of the way and still gets better security
We discuss threat modeling, and channel a bit of John Steven
Jeff talks about the OWASP ESAPI and standard security libraries and controls
Jeff talks about “libraries with known vulnerabilities” and the role of open source components
Raf brings up the ugly side of enterprise outsourcing - code development by committee
We discuss static, dynamic and run-time security tools
Raf asks Jeff what the RIGHT approach to creating a software program looks like

Guest
Jeff Williams ( @PlanetLevel ) - Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. In 2002, Jeff co-founded and became CEO of Aspect Security, a successful and innovative consulting company focused on application security. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
8/3/2015 • 49 minutes, 58 seconds
DtSR Episode 153 - NewsCast for July 27th, 2015
In this episode...
"Hackers remotely kill a Jeep!"
  Lots to talk about
  Basics of segmentation weren't followed, aren't followed
  Discussion on software 'fitness' and liability
  http://www.cato.org/blog/hackers-remotely-kill-jeep

Firefox blocks Flash and Facebook calls for its death
  Should it concern you that Firefox can change your config without your permission or an update?
  How helpful is this? Does the message/pop-up actually DO anything to stop users from clicking YES?
  http://money.cnn.com/2015/07/14/technology/flash-firefox-facebook/index.html

Ashley Madison (the cheating website) breached!
  Check their privacy policy - is it consistent with actions?
  Did this event delay or possibly end the company's aspirations of going public?
  The morality of AM's business model shouldn't be an issue here - but it keeps coming up
  http://www.csmonitor.com/World/Passcode/2015/0722/Ashley-Madison-breach-a-painful-reminder-of-online-data-s-permanence

British Gas bows to criticism over blocking password managers
  http://www.scmagazineuk.com/british-gas-bows-to-criticism-over-blocking-password-managers/article/426463/

US Court says "pocket dialed" calls are NOT private
  http://www.itworld.com/article/2951715/security/us-court-says-pocketdialed-calls-are-not-private.html
7/27/2015 • 49 minutes, 53 seconds
DtSR Episode 152 - The Great InfoSec Talent Shortage
In this episode
Talent shortage - is it real, and how bad is it?
We discuss: what does negative unemployment actually mean?
Michael asks: security is still relatively new, so how do we determine what “qualified” means?
What skills are necessary to be a good security professional?
Hiring - we discuss how we get better at screening potentially qualified employees
We discuss how we can vet out real experience, versus resume skills
Mark and Michael discuss specialization, automation, and optimizing our workforce
Mark shares his thoughts on growing and retaining top talent

Guest
Mark Orlando ( @MarkAOrlando ) - As the Director of Cyber Operations, Mark is responsible for Foreground’s Federal practice as well as the Virtual Security Operations Center (V-SOC) managed service. He leads a national team of analysts, engineers, incident responders, and managers who secure some of the most high profile networks in the Federal, financial, commercial, and power and utilities industries. As the senior operations subject matter expert, he is also responsible for security services strategy and advises on strategic Foreground initiatives such as threat intelligence analysis and custom analytics development. Mark is also a key advisor to the company’s award-winning educational unit, Foreground University. Prior to joining Foreground Security, Mark advanced through the technical ranks as a Security Analyst and Technical Lead in a variety of operations environments. In his 13+ years of experience, he has built and led security operations teams at the White House, the Department of Energy, the Pentagon, and numerous commercial organizations. He has also managed the operations division of a major Managed Security Service Provider supporting hundreds of private and public sector clients. Mark enjoys teaching and learning from others. He has presented on security operations and assessment at the Institute for Applied Network Security Forum and RSA Conference. Mark has earned the CISSP, PMP, CEH, ITIL, and multiple SANS GIAC certifications and holds a B.S. in Advanced Information Technology from George Mason University. Mark served in the US Marine Corps where he was a Marine Artillery NCO.
Foreground Security (http://foregroundsecurity.com/)
7/20/2015 • 41 minutes, 19 seconds
DtSR FeatureCast - HTCIA International Conference 2015 Preview
In this episode...
Peter Morin joins us to talk through the upcoming HTCIA International 2015 Conference in sunny Orlando, Florida.
We talk through a preview of talks, events, and some interesting reasons you should be going to HTCIA Int'l
Check out the incredible lineup of keynotes, speakers and talks - http://www.htciaconference.org/
Come see the #DtSR crew live and in person as we record and broadcast from the conference
7/15/2015 • 22 minutes, 26 seconds
DtSR Episode 151 - NewsCast for July 13th, 2015
In this episode...
Appears as though Windows 10 WiFi Sense could have some issues with WiFi -- more on this as it develops
  Why is the default opt-in, and why in the world do I have to change my SSID to opt out?!
  Is it really a good idea to use an SSID to describe security constraints on your network? (Hint: NO)
  http://www.computing.co.uk/ctg/news/2415787/windows-10-wi-fi-sense-security-warning-over-automatically-shared-passwords

"Washington Post will encrypt the news"
  Ridiculous click-bait headline
  Is this a good idea? Should everything be HTTPS?
  What about ads, are we defeating ourselves?
  https://hacked.com/washington-post-encrypt-news/

OPM hackers stole records on 21.5 million people
  That's all government employees, past, present, and under-cover (possibly)
  1.1 million biometrics (fingerprints) -- quick! go reset your fingerprints... oh wait
  Bad --> worse --> catastrophic --> now what?
  http://www.computerworld.com/article/2946031/cybercrime-hacking/opm-hackers-stole-data-on-215m-people-including-11m-fingerprints.html

Katherine Archuleta, Director of OPM, resigns
  Shock. Awe. Not.
  Did everyone else see this one coming?
  Does this change anything? Does her departure make anything better or is she the sacrificial lamb, the way Washington operates?
  http://www.nytimes.com/2015/07/11/us/katherine-archuleta-director-of-office-of-personnel-management-resigns.html
7/13/2015 • 46 minutes, 12 seconds
DtSR Episode 150 - A CEOs Perspective
In this episode
We take a little peek inside the mind of a CEO, from the security perspective
We discuss the state of information security in the last decade
Dan shares his wisdom on how the role of a security professional and security leadership has changed over the course of his career
We discuss the talent shortage - and get an in-depth look at solving some of this problem
Dan shares with us his views on balancing people, processes and technology resources to achieve meaningful security
We talk strategy, and Dan and the guys talk through why it's so vital
We get Dan's "closing remark" (something you won't want to miss)

Guest
Dan Burns, CEO Optiv, Inc. - Dan Burns brings more than 23 years of business, technology and security industry experience to his role as chief executive officer. In this role he is responsible for the development and implementation of high-level strategies and direction of the company’s growth. Being able to provide clear insight into navigating the complex information security landscape is a priority for Burns. His philosophy is to focus on building long-term relationships with clients, working with them to simplify their lives and becoming a trusted information security partner rather than a reseller or outside consultant.
From 2002 when he co-founded Accuvant, until 2012 when he assumed his position as the company’s first CEO, Burns served as senior vice president of Accuvant’s sales organization. In that role, he was responsible for strategic planning, sales growth and problem resolution. Burns co-developed and helped to successfully execute on Accuvant’s initial vision – to build a company with the breadth, depth and capabilities to address the information security needs of organizations worldwide. He launched the sales force and grew it to a national powerhouse organization within a 10-year period, conducting business with nearly half of the Fortune 500, and driving $740M in revenue in 2014.
Prior to his achievements with Accuvant, Burns was the regional vice president of sales for the western region of OneSecure. He played an integral role in transitioning the organization from a managed security services (MSS) provider to a product company, delivering to the marketplace the first intrusion prevention system (IPS) and generating $40M in product sales in the first year.
Previously, as the western region vice president for Exault, an integrator, consulting organization and reseller, Burns secured some of the largest enterprise clients in the Rocky Mountain region and helped grow revenues to nearly $150M in two years. He also held positions at Access Graphics, Arrowpoint, and Netrex where he supported some of the largest telecommunication companies in building their information security programs, implementing technology and taking advantage of Netrex’s world-class MSS.
Burns earned a bachelor’s degree in economics from San Jose State University.
7/6/2015 • 50 minutes, 12 seconds
DtSR Episode 149 - NewsCast for June 29th 2015
In this episode
With me gone, James and Michael run feral!

It's June, so here are the top 3 security priorities for CISOs for 2015 (yes, in June)
  http://www.information-age.com/technology/security/123459699/top-3-security-priorities-cios-2015
  Boils down to: patch faster, improve credentials, code better
  Is this the right list? It mentioned side-stepping cloud and mobility. What if migrating to the cloud offers the opportunity to not worry about patching or code, and improve your credentials?
  Someone pointed out to me that this matches the OPM hack; perhaps this is just content driven from that? Does that make it more or less valid?
  Let us know… #DTSR

Cybersecurity tops advisors' compliance worries: poll
  http://www.thinkadvisor.com/2015/06/24/cybersecurity-tops-advisors-compliance-worries-pol
  More people concerned. This directly undercuts the notion that people don’t care. They do care. They care about their money. The advisors entrusted with their money care. People care. The question for us: what are we doing? How are we helping?

Why it's worth divorcing information security from IT
  http://www.forbes.com/sites/frontline/2015/06/22/why-its-worth-divorcing-information-security-from-it/
  No. No it’s not. We don’t need more silos, we need fewer. This feels a bit like “we’re not getting what we want… so the answer is reorg.”

Keeping your kids safe (online) this summer -- with our very own TV star, James!
  http://www.news4jax.com/news/summer-online-safety-for-kids/33747246
  James, tell us about the experience - and how you don’t have nearly the control you think you’ll have
  What did you do to prep?
  What was your one big take away?
  Now that you did the interview, any new thoughts?
  Folks… what do you do? #DTSR - congratulate James on a great interview, then share your ideas (and yes, this is an enterprise play -- you can AND SHOULD share this with your employees)
6/29/2015 • 50 minutes, 50 seconds
DtSR Episode 148 - Focus on the CISO
In this episode...
What is the Security Advisor Alliance?
We discuss some of the issues facing CISOs today
Clayton gives us his perspective on how to solve some of those issues
Clayton tells us about the mission of the SAA
If you're a CISO, are you signed up for the SAA Summit? Shoot Clayton an email

Guest
Clayton Pummill ( @cp48isme ) - https://www.linkedin.com/pub/clayton-pummill/10/32a/44a - Clayton is the executive director of the Security Advisor Alliance. He also has a storied background, so I encourage you to give it a check!
6/22/2015 • 32 minutes, 19 seconds
DtSR Episode 147 - NewsCast for June 15th, 2015
In this episode...
Facebook has released PGP-encryption-enabled email communications
  The anti-privacy platform will now encrypt emails to you if you give them your PGP public key
  Does no one see the insane irony here?
  http://www.theregister.co.uk/2015/06/01/facebook_pgp_support/

White House issues mandate for HTTPS (by default) for all federal websites
  "By the end of 2016"
  Is this a good thing? A bad thing? Or does it even matter?
  http://www.huffingtonpost.com/2015/06/08/https-federal-websites_n_7539164.html

Attackers are using medical devices to pivot into health care networks
  The Internet of Medical Things is insecure
  There are challenges here, but the risks of moving faster aren't negligible
  Lots to be thought about here
  http://www.csoonline.com/article/2931474/data-breach/attackers-targeting-medical-devices-to-bypass-hospital-security.html

Kaspersky gets popped, cue the typical verbiage
  "Three previously unknown techniques"
  "..highly sophisticated attack used up to three zero-day exploits.."
  http://www.bbc.com/news/technology-33083050

PwC healthcare spending study is disturbing
  Predicts a 6.5% dip
  Security is one factor in increasing cost
  http://hitconsultant.net/2015/06/10/pwc-healthcare-spending-growth-rate-to-dip/
  http://www.csoonline.com/article/2934929/security-leadership/why-the-dip-in-healthcare-spending-is-actually-a-risky-opportunity-for-security-leaders.html
6/15/2015 • 56 minutes, 3 seconds
DtSR Episode 146 - State of Enterprise Incident Response
In this episode...
- Defenders are set up to fail? How and why
- How do we fill forensics and IR positions?
- What skills and qualifications do forensics/IR staff need to have?
- How can enterprises get better at IR from where they are today?
- How do we solve some of the problems plaguing the security industry?

Guest
Andrew Case ( @attrc ) - Andrew Case is a senior incident response handler and malware analyst. He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis. He is a core developer on the Volatility memory analysis framework and co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory".

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/8/2015 • 46 minutes, 21 seconds
DtSR Episode 145 - NewsCast for June 1st, 2015
Apologies to anyone who is having issues downloading this episode!

In this episode...
- The ACLU encourages the government to get into bug bounties
  - Read the original letter: https://www.aclu.org/sites/default/files/field_document/aclu_-_iptf_recommendations_submitted.pdf
  - Points 1 & 2 are sane
  - Point 3 makes a hard left into crazy-town
  - http://thehill.com/policy/technology/243265-aclu-says-government-should-offer-rewards-for-finding-security-flaws-on-its
- The massive taxpayer data fraud (not really a breach) is believed to be the work of Russia, says the IRS
  - Does it really matter?
  - Was this a breach or an abuse of functionality?
  - Would your company have caught this?
  - http://www.cnn.com/2015/05/27/politics/irs-cyber-breach-russia/index.html
- CareFirst says their recent breach affects only about 1.1M people
  - Healthcare is clearly in the "bad guys" target zone
  - Quick to point out what the attackers did not get access to
  - Of course it was a sophisticated cyberattack
  - http://abcnews.go.com/Technology/wireStory/carefirst-data-breach-affects-11m-people-31187250
- CNA Financial business unit refusing to pay out claim to Cottage Health System
  - Claims hospital "failed to continuously implement procedures and risk controls identified"
  - CNA unit alleges many failures -- but is this fair?
  - http://www.businessinsurance.com/article/20150515/NEWS06/150519893

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
6/1/2015 • 49 minutes, 15 seconds
DtSR Episode 144 - Insights from the ISC2 2015 Survey
In this episode...
- David Shearer, Executive Director for ISC2, joins us to talk about the results of the ISC2 2015 Information Security Workforce Study
- We ask David to highlight some of the results
- We discuss how malware and application security were identified as top threats 3 years in a row -- and what's to be done about this
- We discuss the major discrepancy between priorities from this survey and recent CIO surveys
- We discuss the importance of communication skills (identified in the survey) while leadership and business management are far down the scale
- We discuss with David how, under his leadership, ISC2 can build a much tighter alignment to business -- not just more security certifications

Guest
David Shearer - David Shearer has more than 27 years of business experience, including as chief operating officer for (ISC)², associate chief information officer for International Technology Services at the U.S. Department of Agriculture, deputy chief information officer at the U.S. Department of the Interior, and the executive for architecture, engineering and technical services at the U.S. Patent and Trademark Office. Shearer has been responsible for managing and providing services via international IT infrastructures, and he has implemented large-scale SAP Enterprise Resource Planning (ERP) projects. Shearer holds a B.S. from Park College, an M.S. from Syracuse University, management and technical certificates from the U.S. National Defense University, and he is a U.S. federal executive presidential rank award recipient. As (ISC)² Executive Director, Shearer is responsible for the overall direction and management of the organization.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/25/2015 • 42 minutes, 4 seconds
DtSR Episode 143 - NewsCast for May 18th, 2015
In this episode...
- Netflix launched FIDO (not that one, or that one, no the other one)
  - Focused on automating incident response practices
  - FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
  - If you don't use it, at least they provide a structured framework for response and IR workflow
  - http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html
- IT Chief leaves sensitive data in car - spoiler: it gets stolen
  - Something smells like a fish market in the July heat on this story
  - Maybe it's time to check in on YOUR off-site handling procedures?
  - http://www.thestarpress.com/story/news/local/2015/05/10/chief-left-hard-drives-car/27083031/
- Crowdstrike discovers, names "Venom"
  - Massive security vulnerability within the floppy disk emulator in virtual machine hypervisors
  - Even if you disable floppy disk emulation, a separate bug lets you enable it
  - This has a graphic and everything!
  - http://www.csoonline.com/article/2921589/application-security/significant-virtual-machine-vulnerability-has-been-hiding-in-floppy-disk-code-for-11-years.html
- United Airlines launches bug bounty
  - Does this have anything to do with the now infamous (alleged) airplane hacker?
  - Seems like some contradictory statements in the description (see below on United's response to our inquiry)
  - http://www.united.com/web/en-US/content/contact/bugbounty.aspx

Note back from United Bug Bounty Team (posted with permission):

"Rafal: Thank you for the question. We want researchers to be able to notify of potential issues they find while still protecting customers who are not participating in the program. If a researcher launched a brute force attack and locked the accounts of 10,000 customers through already existing security measures this would negatively affect our customers and the program. If any researchers believe they may have found a brute force condition, they can feel free to submit it to us without testing. We will check on our end and if we confirm a bug exists we will gladly reward them for their effort. Does that make sense?
Best,
United Bug Bounty Team"

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/18/2015 • 47 minutes, 51 seconds
DtSR Episode 142 - Basics and Fundamentals, That Win
In this episode...
- A quick walk-through of Rob’s talk (“Hacker ghost stories”), and why it’s completely relevant today
- Simple things that work:
  - blocking Java (externally)
  - effectively blocking “uncategorized” sites in your forwarding proxies
  - (not) resolving external DNS internally
  - (not) default routing to the Internet from inside
  - canaries in the coal mine, or evil canaries

Guests
James Robinson ( @0xJames ) - https://www.linkedin.com/in/0xjames - Currently the Director, Threat and Risk Management at Accuvant-Fishnet Security and part of the Office of the CISO. He has a long and storied career of success as an enterprise defender across various industries.
Rob Fuller ( @mubix ) - Rob is an experienced InfoSec industry insider, with many interesting achievements and accomplishments. He's easily findable, as are his many public doings.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/11/2015 • 26 minutes, 36 seconds
DtSR Episode 141 - NewsCast for May 4th, 2015
In this episode...
- A joint Ponemon Institute & IBM Security study shows that, surprise surprise, developers are "neglecting security"
  - The study only looked at mobile apps and app developers
  - Less than half (of their study) test the mobile apps they build
  - About 33% never test their apps
  - http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
- Illinois Bill SB1833 expands the definition of PII to include almost everything
  - Requires notification in the event of a breach of... online browsing history, online search history, or purchasing history
  - Is this absurd, or just protecting our privacy?
  - http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
- The DOJ has jumped in and issued some sound fundamental breach guidance!
  - 4 sections: what to do before, during and after a breach, plus what NOT to do after a breach
  - Fantastic fundamentals... great idea
  - The push to fundamentals is critical!
  - http://www.alstonprivacy.com/doj-issues-data-breach-guidance/
  - http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf
- Mozilla is phasing out non-secure HTTP
  - HTTPS-only is the way forward, so Mozilla (champions of liberty and all that) are leading the way
  - https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
- First foreign hacker is convicted in the US
  - Canadian kid who hacked and stole trade secrets and other sensitive info from video game companies
  - He pled guilty in September 2014, maximum of 5yr prison sentence
  - http://blogs.orrick.com/trade-secrets-watch/2015/04/30/first-foreign-hacker-is-convicted-in-the-united-states-of-hacking-crimes-involving-theft-of-trade-secrets-from-american-companies/

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
5/4/2015 • 46 minutes, 24 seconds
DtSR Episode 140 - Ethics of Hacking Live from AtlSecCon 2015
In this episode...
- What about public safety, where do we draw the line on open research?
- Self-regulation? Disclosure? What are our options…
- What makes a researcher? We discuss
- “Chilling security research”
- A quick dive into bug bounty programs; do they help?
- Ethics vs. moral compass …we discuss
- Hacker movies, and what they’re doing for our profession

Guests
Keren Elezari ( @K3r3n3 ) - brings years of experience in the international cyber security industry to the stage. Since 2000, Keren has worked with leading Israeli security firms, government organizations, Global Big 4 and Fortune 500 companies. Keren holds a CISSP security certification, a BA in History and Philosophy of Science and is currently a senior research fellow with the prestigious Security & Technology workshop at Tel Aviv University. In 2012, Keren held the position of Security Teaching Fellow with Singularity University, a private think tank, founded by Dr. Ray Kurzweil and sponsored by Google & NASA amongst others. Since 2013, Keren covers emerging security technologies and trends as a security industry analyst with GIGAOM research, a leading independent media hub. In 2014, Keren became the first Israeli woman to be invited to speak at the prestigious international annual TED conference. Keren’s TED talk has been viewed by 1.2 million people, translated to more than 20 languages and selected for TED’s list of ‘Most Powerful Ideas in 2014’ and for Inc.com’s list of ‘Top TED Talks of 2014’.
Kellman Meghu ( @kellman ) - heads up a team of Security Architects for CheckPoint Software Technologies Inc., the worldwide leader in securing the Internet. His background includes almost 20 years of experience deploying application protection and network-based security. Since 1996 Mr. Meghu has been involved with consultation on various network security strategies to protect ISPs in Southern Ontario as well as security audits and security infrastructure deployments for various Commercial and Governmental entities across Canada and the Central United States. Kellman has delivered security talks in private corporate focused events, at school internet safety classes for students and teachers, as well as public events such as SecureWorld Seattle, The Check Point Experience, Bsides St. Johns, Bsides San Francisco, Bsides Iowa, Bsides Detroit, Secure360, Trilateral Conference, and the Sector lunch keynote for 2014. Kellman has contributed to live TV interviews in the Toronto area with CP24, CityNews, and CHCH TV, as well as radio station interviews and news articles across Canada and the US.
Mark Nunnikhoven ( @marknca ) - focuses on helping organizations as they move from the data centre to hybrid environments to working fully in the cloud. Bringing over 15 years of practical experience to the table, he is regularly sought after to speak on cloud computing, usable security systems, and modernizing security practices.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
4/27/2015 • 38 minutes, 40 seconds
DtSR Episode 139 - NewsCast for April 20th, 2015
In this episode...
- Friend and security researcher Chris Roberts steps into it... A poorly-conceived tweet, followed by mass hysteria
  - Most everyone talking about this is missing the point entirely
  - Of course, the EFF jumps in to keep from "chilling research" (roll eyes)
  - http://www.usatoday.com/story/tech/2015/04/19/chris-roberts-one-world-labs-united-rsa-computer-security-tweets/26036397/
  - The EFF take: https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
- Corporate threat intelligence teams opting to go anonymous?
  - New company, making intelligence sharing work, anonymously?
  - Many questions on whether anonymity is workable in the intelligence space
  - https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
- Target settles with Mastercard for $19M USD
  - Mastercard trying to settle this out, as alternative payout option for victims (this time the issuers, not card holders)
  - http://www.theregister.co.uk/2015/04/16/target_settles_with_mastercard_for_us19_million/
- The looming security threat no one is talking about
  - We're talking about it!
  - Windows 2003 is going out of service... after 12 yrs?
  - Final deadline is July 14th
  - Panic? Compensating security controls?
  - http://www.healthcaredive.com/news/himss15-the-looming-it-security-threat-that-no-one-is-talking-about/386754/
- HTTP "ping of death" coming to a Windows IIS web-server near you
  - Patch now... people are actively exploiting this flaw to knock over web servers
  - Quick turn-around from "patch released" to "patch reverse-engineered to attack IIS servers"
  - http://www.theregister.co.uk/2015/04/16/http_sys_exploit_wild_ms15_034/
- JPMC algorithm knows you're an insider threat, before you do
  - Fascinating, applies to the financial world
  - Uses behavioral indicators
  - http://www.bloomberg.com/news/articles/2015-04-08/jpmorgan-algorithm-knows-you-re-a-rogue-employee-before-you-do

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
4/20/2015 • 39 minutes, 48 seconds
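A practical follow-up to the HTTP.sys (MS15-034) story in this episode: the public probes for that bug sent an HTTP Range header with an upper bound of 18446744073709551615 (2^64 - 1), and the denial-of-service variant used a non-zero start with the same end. The script below is an added example, not part of the show notes or of any vendor's tooling. It parses Range headers, flags bounds that cannot correspond to a real file, and runs that check over a constructed sample of request records in an assumed "method path status range" format (stock IIS W3C logs do not record the Range header, so in practice you would capture it at a reverse proxy or WAF, or add it as a custom log field). The 2^62 threshold is an assumption chosen for illustration, and the 416-vs-400 response reading follows the public check of the time, where an unpatched server answered the probe with 416.

```python
"""Heuristic detector for MS15-034-style HTTP Range probes.

Added example, not from the DtSR show notes. Sample records below are
constructed; the log format (method path status range, "-" if no Range
header) is an assumption for the example.
"""
import re

UINT64_MAX = 2**64 - 1
# Assumed threshold: no legitimate static resource has a byte offset this large.
SUSPICIOUS_BOUND = 2**62

RANGE_RE = re.compile(r"^bytes=(.+)$", re.IGNORECASE)


def parse_ranges(value):
    """Parse a Range header value into a list of (start, end) tuples.

    Suffix ranges (bytes=-500) become (None, 500); open-ended ranges
    (bytes=500-) become (500, None). Returns None if the header is malformed.
    """
    m = RANGE_RE.match(value.strip())
    if not m:
        return None
    out = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if "-" not in spec:
            return None
        start_s, end_s = spec.split("-", 1)
        if not start_s and not end_s:
            return None
        if (start_s and not start_s.isdigit()) or (end_s and not end_s.isdigit()):
            return None
        start = int(start_s) if start_s else None
        end = int(end_s) if end_s else None
        out.append((start, end))
    return out


def is_suspicious_range(value):
    """True when any bound is implausibly large or the range length would
    overflow an unsigned 64-bit counter (the MS15-034 trigger shape)."""
    ranges = parse_ranges(value)
    if ranges is None:
        return False  # malformed header; rejected by the parser, not the bug shape
    for start, end in ranges:
        for bound in (start, end):
            if bound is not None and bound > SUSPICIOUS_BOUND:
                return True
        if start is not None and end is not None and end >= start:
            if end - start + 1 > UINT64_MAX:
                return True
    return False


def scan_log(lines):
    """Return (line_no, path, status, range_header, verdict) for flagged records.

    Verdict reading follows the public probe: 416 to an oversized range was
    taken as 'unpatched', 400 as 'patched', anything else as 'unknown'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(maxsplit=3)
        if len(parts) < 4 or parts[3] == "-":
            continue
        method, path, status, rng = parts
        if is_suspicious_range(rng):
            verdict = {"416": "unpatched?", "400": "patched?"}.get(status, "unknown")
            hits.append((n, path, status, rng, verdict))
    return hits


# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
GET /index.html 200 -
GET /video.mp4 206 bytes=0-1048575
GET /index.html 416 bytes=0-18446744073709551615
GET /welcome.png 400 bytes=18-18446744073709551615
GET /doc.pdf 206 bytes=-500,1000-1999
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print("line %d: %s status=%s range=%s (%s)" % hit)
```

Treat a hit as a reason to confirm the host's patch level, not as proof of compromise: the header is cheap to send and scanners sprayed it broadly once the patch was reverse-engineered.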
DtSR Episode 138 - Useful Knowledge on Intelligence
In this episode...
- Where do you even start with “threat intelligence”?
- Ryan talks about context, and why it’s *the* most important thing when it comes to threat intel
- How does a SME make use of a “luxury item” like threat intelligence?
- Michael asks what are 1-2 things you can do *immediately* as an SME?
- What are the basics, beyond the basics of security? Where do you make your first investment?
- Getting your own house in order is harder than it sounds, so what then?
- Michael drops some #RiskCatnip
- Michael breaks down the “feedback loop” and his basic questions to ask/answer
- Down the rabbit hole of shiny boxes, standards, and productized threat intelligence
- The overlap of data on commercial threat intelligence providers

Guest
Ryan Trost - Ryan is the CIO of ThreatQuotient and knowledgeable on matters of intelligence with his extensive background and history in the community.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
4/13/2015 • 48 minutes, 50 seconds
DtSR Episode 137 - NewsCast for April 6th, 2015
In this episode...
- TrueCrypt security audit results are good news, right? Why are some of the most depended-upon
  - http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/
- At Aetna, CyberSecurity is a matter of business risk
  - Jim Routh talks about how he runs a security program
  - Security is a matter of business risk; if not, you're doing it wrong
  - http://blogs.wsj.com/cio/2015/03/30/cybersecurity-at-aetna-is-a-matter-of-business-risk/
- Why aren't you vulnerability scanning more often?
  - Wrong question.
  - Simple answer -- because scanning doesn't matter if you can't fix the issues you find
  - Example of how security misses the point
  - http://www.csoonline.com/article/2901472/vulnerabilities/why-aren-t-you-vulnerability-scanning-more-often.html
- SecurityScorecard - a new startup that is exposing 3rd party risks to you -- or is it?
  - Interesting business model
  - How legitimate is this, and what are the risks?
  - http://www.businessinsider.com/securityscorecard-raises-125-million-led-by-sequoia-2015-3
- Does removing Windows administrator permission really mitigate 97% of vulnerabilities?!
  - Is this real? If so -- why isn't everyone doing it?
  - Local administrator privileges are starting to fade, but why so slowly?
  - http://blog.norsecorp.com/2015/04/02/removing-admin-privileges-mitigates-97-of-critical-microsoft-vulnerabilities/

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
4/6/2015 • 46 minutes, 19 seconds
DtSR Episode 136 - Crypto and Privacy with Jon Callas
In this episode...
- Jon Callas gives a little of his background and his current role
- We talk through why cryptography is so hard, and so broken today
- Jon overviews compatibility, audit and making cryptography useful
- Jon brings up open source, security, and why "open is more secure" is bunk
- We talk through "barn builders" vs. "barn kickers" and why security isn't improving
- We talk through how to do privacy, active vs. passive surveillance
- We talk through anonymous VPN providers, anonymization services, and how they're legally bound
- Jon talks about appropriate threat modeling and knowing what we're protecting
- We talk through patching -- how to do patching for Joe Average User
- Bonus -- Mobile is as secure (or more) than what we're used to on the desktop

Guest
Jon Callas ( @JonCallas ) - Jon Callas is an American computer security expert, software engineer, user experience designer, and technologist who is the co-founder and CTO of the global encrypted communications service Silent Circle. He has held major positions at Digital Equipment Corporation, Apple, PGP, and Entrust, and is considered “one of the most respected and well-known names in the mobile security industry.” Callas is credited with creating several Internet Engineering Task Force (IETF) standards, including OpenPGP, DKIM, and ZRTP, which he wrote. Prior to his work at Entrust, he was Chief Technical Officer and co-founder of PGP Corporation and the former Chief Technical Officer of Entrust.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/30/2015 • 49 minutes, 48 seconds
DtSR Episode 135 - NewsCast for March 23rd, 2015
Remember folks, as you listen reach out to us on Twitter and hit the hashtag #DtSR to continue the conversation, and speak your mind! Let's hear what your take is on the stories we discuss... maybe you have a unique angle we've not considered?

In this episode--
- Target settled class-action lawsuit over its data breach - for $10M USD
  - Who wins? Lawyers, clearly the lawyers
  - Burden of proof on the victims to show they've suffered a loss to get up to $10,000.00.
  - If you can't prove loss, you can still try to get part of what's left over of the settlement
  - http://www.usatoday.com/story/money/2015/03/19/target-breach-settlement-details/25012949/
- Federal judge dismisses suit against Paytime -- "simply no compensable injury yet"
  - Leaves door open for future suits if someone were to suffer a compensable injury
  - "Once a hacker does misuse a person's information for personal gain...there is a clear injury and one that can be fully compensated with money damages." -- Judge John E. Jones III
  - Watch this case, read the story for yourself
  - http://www.securityinfowatch.com/news/11883806/federal-judge-dismisses-lawsuits-over-paytime-inc-data-breach
- Sacred Heart Health System victim-by-proxy of a data breach
  - Happened at a 3rd party
  - So why is only Sacred Heart in the news?
  - ~40 individuals' SSN and patient information
  - "deceptive technique" known as phishing
  - http://pensacolatoday.com/2015/03/sacred-heart-informs-patients-of-billing-information-disclosure/
- Premera Blue Cross "warned about security flaws before breach"
  - Lots to talk about here -- starting with is 3 weeks enough time?
  - OPM audit finds issues, is this a systemic failure or exemplary of an enterprise doing its best in a difficult security climate?
  - Before you judge, measure up your own security posture against this article
  - http://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/
- Advantage Dental notifies patients of breach
  - 3 days from initial breach to discovery
  - Amazingly fast detection, but was it adversary or malware?
  - Is this a feel-good, or something else?
  - https://secure.advantagedental.com/index.asp?din=598
- NYC Auxiliary Officer charged with hacking NYPD & FBI systems
  - Insider threat poster child
  - Smart enough to do some interesting things
  - Yet, one of the dumbest criminals we've seen in a long time
  - http://www.fbi.gov/newyork/press-releases/2015/new-york-city-police-department-auxiliary-officer-charged-with-hacking-into-nypd-computer-and-fbi-database

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/23/2015 • 51 minutes, 39 seconds
DtSR Episode 134 - Fundamental Security
In this episode...
- Michael C and the team talk about "going back to basics" and the need for security fundamentals
- Michael C talks a little about why we (security professionals) fail at fixing problems at scale
- We dive into the need for automation, and Michael C talks about why creating more work for security professionals is a bad thing
- Michael C and the crew talk through why many of our metrics fail, highlighting the need to get away from the typical dashboard approach of "bigger numbers is better"
- We discuss the balance between false positives and false negatives -- a super critical topic
- Rafal brings up the role security professionals play in software security, and why we can't be expected to drive the daily tasks
- We talk through centralized vs. de-centralized security, and how to understand which works better, and where
- Michael C gives us his 3 key take-aways for listeners (don't miss these!)
- We talk through "assume breach", and what it means for security

Guest
Michael Coates ( @_mwc ) - Currently, Michael is the Trust and Security Officer at Twitter where he leads the information security team and drives overall security efforts across the organization to a common goal and objective. Michael is a staple of the OWASP community, now serving on its board and having contributed countless hours and lines of code to the effort.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/16/2015 • 48 minutes, 3 seconds
DtSR Episode 133 - NewsCast for March 9th, 2015
In this episode--
- Law firm hit and crippled by ransomware, decides it's not paying the ransom.
  - They aren't quite sure what got encrypted
  - But they have backups..... and data was likely not exfiltrated
  - http://news.softpedia.com/news/Ransomware-Hits-Law-Firm-Encrypts-Workstation-and-Server-474788.shtml
- Major law firms form ISAC to fight off adversaries, share intelligence
  - Catching up to the threat they're facing
  - Law firms are major targets, given the data they have ("secrets!")
  - Downside: exclusive to a handful of major firms
  - http://thehill.com/policy/cybersecurity/234722-law-firms-to-share-info-about-cyber-threats
- Big kerfuffle about Anthem's refusal of a 3rd party audit
  - They were under no legal obligation...
  - Who out there would submit to a 3rd party audit/test?
  - Sounds like public shaming, big headline, little story
  - http://www.healthcareinfosecurity.com/anthem-refuses-full-security-audit-a-7980
- Apple Pay being attacked, sort of
  - When technology becomes 'good enough', attackers attack processes and people
  - Lesson -- nothing is "unhackable" even if the tech is great
  - http://www.theguardian.com/technology/2015/mar/02/apple-pay-mobile-payment-system-scammers
- [Slightly-old-but-relevant] Victor Valley College suspends entire IT staff to investigate a vague breach in protocol
  - Very little actually said in disclosure
  - "We don't have any reason to believe we've been hacked by outside hackers"
  - Entire computer system was taken down for nearly 3 hours
  - Emphasizing "no private student or employee information has been compromised"
  - Stay tuned... weird
  - http://www.vvdailypress.com/article/20150130/NEWS/150139991

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/9/2015 • 36 minutes, 45 seconds
DtSR Episode 132 - Good Guys, Bad Guys, and Reality
In this episode...
- We learn the origins of "RSnake" as told by Rob himself
- Rob gives us a peek into the dark side, from his contacts and experiences
- We discuss the black-hat economy as it's verticalized, specialized, and matured
- Rob discusses the balancing act of the good vs. bad and why the situation is as bad as it needs to be
- We discuss some of the things businesses and defenders really need to worry about
- Rob gives us his view of the inevitability of security from SMB to enterprise -- and why things are so good, or bad, or just right
- We discuss the different ways security is being understood, implemented and matured and why it's futile to chase absolutes
- Michael and Rob dive into the labor shortage in security - real, perceived, or misunderstood?
- Rob gives us his outlook on where things are going over the next decade or so

Guest
Robert "RSnake" Hansen ( @RSnake ) - Strategic. Web security expert. Visionary. Robert brings more than 20 years of web application and browser security experience, innovation, and vision to the WhiteHat Security team. Under Robert’s leadership, WhiteHat Labs successfully launched Aviator, the most secure browser available, for Mac and Windows, quickly racking up more than 170,000 downloads in less than six months. When asked about WhiteHat Labs’ mission, Hansen said, “Labs will strive to provide prototypes that go beyond customer expectations, to delight the user.” Before WhiteHat, Robert was the CEO of SecTheory and Falling Rock Networks. Robert has co-authored several books including XSS Exploits and Website Security for Dummies. Robert is also the author of Detecting Malice. He is a member of WASC, APWG, IACSP, ISSA, and has contributed to several OWASP projects, including originating the XSS Cheat Sheet. When he is not breaking the web to make it stronger, Robert enjoys watching Formula One racing.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
3/2/2015 • 58 minutes, 19 seconds
DtSR Episode 131 - NewsCast for February 23rd, 2015
In this episode--
- Would you be OK with your credit card company tracking you, to decrease fraud rates? Visa wants to track your smartphone.
  - http://triblive.com/business/headlines/7774328-74/visa-card-fraud
- Your stolen healthcare data is increasingly being sold on the black market
  - http://www.ihealthbeat.org/articles/2015/2/19/security-experts-health-data-increasingly-being-sold-on-black-market
- Lenovo has shipped software that performs a man-in-the-middle (MITM) attack against all SSL connections on some of its consumer laptops. This is really, really, really bad, but Lenovo doesn't seem to get it.
  - http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
  - http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
- The web browser is totally broken, and a haven for malware. Long live the web browser?
  - http://securityintelligence.com/broken-web-browsers-malwares-new-address/

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
2/23/2015 • 42 minutes, 27 seconds
DtSR Episode 130 - Where Law and Cyber Collide
In this episode
- Travelers Insurance files suit against a web development company for failing to provide adequate security, resulting in a breach of one of its customers
  - http://www.law360.com/articles/614158/travelers-blames-web-designer-in-bank-website-data-breach
  - We discuss whether security standards are now "implied"?
  - Does Travelers have any standing to sue? (Shawn thinks not)
- FTC goes after LabMD for a data breach
  - http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
  - Is the FTC over-reaching?
  - We discuss this statement from the FTC website: "[LabMD failed to] ..reasonably protect the security of consumers’ personal data, including medical information"
- Social media company TopFace pays a ransom to hackers
  - http://www.forbes.com/sites/davelewis/2015/01/31/topface-facepalms-as-it-surrenders-to-data-breach-hacker-blackmail/
  - Face + Palm.
  - We lament why this absolutely terrible decision may have far-reaching repercussions

Guest
Shawn Tuma ( @ShawnETuma ) - In addition to being a perennial favorite on this show, Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, a Christian, a family man, an author and speaker - and an all-around awesome guy.

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
2/16/2015 • 49 minutes, 21 seconds
DtSR Episode 129 - NewsCast for February 9th, 2015
Topics covered
- Massive breach at American health insurer Anthem - from the "haven't we done this once before?" department, as Queen - Another One Bites the Dust plays in the background
  - https://gigaom.com/2015/02/05/oops-another-big-data-breach-this-time-at-anthem/
  - http://money.cnn.com/2015/02/05/investing/anthem-hack-stocks/index.html?sr=twmoney020615anthemwallst0600story
  - (Obligatory OMG China! hype link) http://krebsonsecurity.com/2015/02/china-to-blame-in-anthem-hack/
- Hackers target brokers, financial advisors -- SEC "does something"
  - http://thehill.com/policy/cybersecurity/231649-hackers-targeting-brokerages-and-financial-advisers
- SEC weighs cybersecurity disclosure rules (why SEC?)
  - http://thehill.com/policy/cybersecurity/229431-sec-weighs-cybersecurity-disclosure-rules
- A promising new technology which detects hacks in - milliseconds? - but what's the use-case?
  - http://www.bloomberg.com/news/articles/2015-02-03/new-technology-detects-hacks-in-milliseconds
- Google launches vulnerability research grants program - because bug bounties just aren't enough
  - http://www.scmagazine.com/google-launches-vulnerability-research-grants-program/article/395694/
- Sony Pictures Entertainment (the company that was so thoroughly hacked) CEO Amy Pascal is out! But is this proof of anything, for security? Ask Michael...
  - http://www.csoonline.com/article/2880600/security-leadership/the-conversation-security-leaders-need-to-have-about-amy-pascal-s-departure.html

Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
2/9/2015 • 51 minutes, 24 seconds
DtSR MicroCast 07 - Taking Security Seriously
This is the 7th installment (call it a rebirth) of the MicroCast. Short and to the point, Michael and James talk about the phrase breached companies use - "We take your security seriously..." Join the conversation at #DtSR on Twitter!
2/8/2015 • 5 minutes, 57 seconds
DtSR Episode 128 - When Breach, Buy the Dip
Fans - If you haven't booked your ticket for InfoSec World 2015 in sunny Orlando, FL, check this out. Register using our code CLD15/RABBIT for 15% off. If you want a chance to go for FREE, listen to Episode 127!
In this episode...
John gives us a little lesson on markets, and why they move up/down - commentary for the information security professional
John discusses what #BTFD means
John uses the Target example to show why security professionals, marketers, and much of the media got it completely wrong
John educates us on insurance, compliance and liability
My head explodes...
Guest
John Foster ( @dearestleader ) - Mr. Foster has 19 years of technology experience but left technical infosec in 2003 to pursue a career in Compliance and Ethics. He now focuses on bribery & corruption, environmental issues, and other interesting topics, but infosec keeps appearing in compliance and finance. He is an investor with experience in stocks, foreign exchange, options, and futures, which allows him to see past the data breach hype. He is a Certified Treasury Professional, Six Sigma Black Belt, and holds certificates in ISO 9001, 14001, 20000, 22301, 27001, & 28000 from PECB. He is a partner at Bianco Foster Group, LLC, which provides training and education services in ISO standards, and an investor in several early stage startups.
Links
Short portfolio http://dearestleader.me/2015/01/portfolio-update/
S&P no material impact http://dearestleader.me/2015/01/standard-poors-says-breaches-have-no-material-impact/
Home Depot earnings call analysis http://dearestleader.me/2014/12/home-depot-earnings-indicate-there-is-no-fear/
Target sales up 40% over last year http://dearestleader.me/2014/11/target-continues-to-conquer-all/
Initial Target analysis http://dearestleader.me/2014/03/target-data-breach-not-a-disaster/
2/2/2015 • 1 hour, 31 seconds
DtSR Episode 127 - NewsCast for January 26th, 2015
** There is a special gift for our listeners in this episode, from our friends at InfoSec World 2015! Listen to find out how you can go for free. We have a promo code! CLD15/RABBIT – 15% off for "Down the Rabbit Hole" listeners
Topics Covered
Google picks up really big rocks, but lives in a glass house. As Google drops zero-days on Apple and Microsoft, it responds with a lame excuse as to why it isn't patching a vulnerability that puts north of 60% of all Android users at risk.
http://m.v3.co.uk/v3-uk/news/2389839/google-puts-60-percent-of-android-users-at-risk-with-webview-security-changes
http://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability
http://www.eweek.com/security/google-project-zero-continues-its-microsoft-zero-day-assault.html
http://www.zdnet.com/article/googles-project-zero-reveals-three-apple-os-x-zero-day-vulnerabilities/
Marriott reverses its decision to block guests' personal WiFi devices at their properties
http://threatpost.com/marriott-agrees-to-stop-blocking-guest-wifi-devices/110441
LabMD's request to have the Federal Trade Commission's enforcement action against it dismissed is denied. While this doesn't necessarily mean anything serious, yet, it's definitely one to watch.
http://healthitsecurity.com/2015/01/23/ftc-healthcare-data-breach-case-v-labmd-continues/
Heartland Payment Systems - yes, the company that was the poster child for nearly going out of business because of a horrible breach - is continuing to reinvent itself around security, this time making headlines with an offer of a data breach warranty. Strings, as you may suspect, attached.
http://www.cspnet.com/industry-news-analysis/technology/articles/heartland-offering-data-breach-warranty
http://www.businesswire.com/news/home/20150112005260/en/Heartland-Offer-Comprehensive-Merchant-Breach-Warranty
Watch this podcast page later this week for that freebie Michael told you about!
1/26/2015 • 38 minutes, 45 seconds
DtSR Episode 126 - The Defense Always Loses
In this episode...
The blog post that started it all - http://blog.norsecorp.com/2014/11/10/the-new-reality-in-security-offense-always-wins-and-defense-always-loses/
Vince tells us what he means by "Offense always wins, defense always loses"
We disagree over this snip from his blog post: "To "win" in cyber security, defense must be right 100% of the time, while offense only has to be right once. We must wake up to the reality that defense is an impossible task; no matter what actions we take, we will lose."
We discuss how we get away from being Eeyore defeatists
Vince gives us the security strategies he is advocating, knowing that defense is better equipped and better funded
We briefly mention high-value assets, why they're even more critical today than ever before, and why we still stink at it
We challenge Vince to give us some tangible steps to managing risk better, to get away from winning/losing
We discuss how we compress delivery timelines for security competencies (average time to deliver a technical control is months, plus budget cycle - maybe years)
We close with lessons learned from Vince's rich experience that he'd like to share with the listeners, to change the nature of the win/lose conversation
Guest
Vince Crisler - Vince has done some very interesting things in his background, including serving as a Communications Officer with the US Air Force, working at the White House as Presidential Communications Officer, backing security start-ups, and chairing a Washington DC OSINT group. He's definitely one of the people you should get to know.
1/19/2015 • 49 minutes, 32 seconds
DtSR Episode 125 - NewsCast for January 12th, 2015
Welcome to a new year of the Down the Security Rabbithole Podcast! We are kicking off this year with a guest on this morning's program: Phil Beyer joined us to talk about the last few weeks, which have been a wild, wild ride in the security industry! Thanks for your support so far, and we promise a fantastic 2015 to come.
Topics Covered
Sony. Sony. Sony. It's all anyone can talk about! They got hacked. They released a movie. They apparently aren't in dire straits. Fascinating.
http://www.cbc.ca/m/news/world/sony-pictures-ceo-michael-lynton-says-hackers-burned-down-the-house-1.2894997
http://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack
http://www.washingtonpost.com/world/national-security/fbi-director-offers-new-evidence-to-back-claim-north-korea-hacked-sony/2015/01/07/ce667980-969a-11e4-8005-1924ede3e54a_story.html
Meanwhile, an iron plant in Germany was attacked (via cyber), causing some very serious, and real, damage
http://blogs.wsj.com/cio/2014/12/18/cyberattack-on-german-iron-plant-causes-widespread-damage-report/
Microsoft abruptly cut off Patch Tuesday public notifications, unless you're paying extra
http://www.computerworld.com/article/2866996/microsoft-abruptly-dumps-public-patch-tuesday-alerts.html
On January 11th, 2015 a 90-day window expired and Google's new Project Zero disclosed to the world a Windows 8.1 privilege elevation flaw. Microsoft had not yet patched it. The war of words is on.
https://code.google.com/p/google-security-research/issues/detail?id=123
http://www.pcworld.com/article/2867533/google-reveals-windows-81-flaw-mere-days-before-patch-tuesday-fix-irking-microsoft.html
1/13/2015 • 34 minutes, 19 seconds
DtSR Episode 124 - PCI DSS and Security (Yes, Really)
Hi everyone! Welcome to the very first episode of the Down the Security Rabbithole Podcast for 2015! On this opening episode, Jeff Man joins us to talk truth to power on PCI-DSS and shatters myths for us.
In this episode
Jeff tackles some common misunderstandings about PCI
The crew discusses PCI – what's right about it and what's wrong about it
Jeff tells us why he believes if you're secure you're compliant, but if you're compliant you're probably not secure
The $64M question - Isn't EMV, P2PE, and tokenization going to spell the end of PCI?
Jeff tells us what to look forward to with PCI DSS v3.0
Guest
Jeff Man ( @MrJeffMan ) - Mr. Man has 13 years of DoD experience (10 at NSA as a Cryptanalyst/Information Security Analyst), 18 years of commercial consulting – pen testing, vulnerability assessments, security architecture reviews – and 10 years as a QSA doing PCI (and yet he's never conducted a PCI audit and never been a CISSP). As a QSA he's been involved with most of the major companies that experienced breaches in the mid-2000s (Walmart, TJX, Heartland), so he can speak with some credibility about recent breaches in the past year or so.
1/5/2015 • 57 minutes, 26 seconds
DtSR FeatureCast - 2014 Year in Review
Hey everyone! We're almost done with 2014 and another new year is right around the corner. We thought this was the perfect time to sit back, relax a little and reflect on the year that was... and boy was it ever! Jack Daniel & Allison Miller join Michael, James and I on the podcast to talk it all out, share a few chuckles and try to make sense of it all! Thanks for listening everyone, it's been an epic year and we look forward to more awesome things in 2015!
12/29/2014 • 52 minutes, 40 seconds
DtSR FeatureCast - US vs. Salinas ft. Shawn Tuma
In this episode
Attorney and CFAA expert Shawn Tuma joins us to talk about the US vs. Salinas case, where Mr. Salinas was threatened with 440 years in jail and has now pleaded down to a misdemeanor. Prosecutorial discretion, or attorneys-gone-wild?
Link: http://www.wired.com/2014/11/from-440-years-to-misdemeanor/
12/22/2014 • 29 minutes, 3 seconds
DtSR Episode 123 - NewsCast for December 15th, 2014
Topics covered
The unfolding case of the Sony Pictures Entertainment breach
http://blog.wh1t3rabbit.net/2014/12/when-press-aids-enemy.html
http://www.thedailybeast.com/articles/2014/12/12/shocking-new-reveals-from-sony-hack-j-law-pitt-clooney-and-comparing-fincher-to-hitler.html
http://www.csoonline.com/article/2857455/business-continuity/fbi-says-theres-nothing-linking-north-korea-to-sony-hack.html
http://www.csoonline.com/article/2854672/business-continuity/the-breach-at-sony-pictures-is-no-longer-just-an-it-issue.html
The phishing scam that succeeded at hitting a big chunk of Wall Street - it probably would have fooled you too. Here's what we've learned
http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/
Iranian hackers hit Las Vegas behemoth with a sophisticated attack... wait, it was Visual Basic based?!
http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/
Judge refuses to dismiss case against Target, brought by the banks, who are the ones who take the brunt of the losses
http://arstechnica.com/tech-policy/2014/12/judge-rules-that-banks-can-sue-target-for-2013-credit-card-hack/
12/15/2014 • 43 minutes, 16 seconds
DtSR Episode 122 - Enterprise Architecture's Role in Security
In this episode
Michelle explains to us what Enterprise Architecture is, and what it isn't
Michelle gives her take on how security and enterprise architecture support each other
We discuss the role of standards, standards, standards - and why you can't have security without them
We talk about GRC
We talk through roles & responsibilities definition between security, architecture, and the rest of IT
"Application Portfolio Rationalization" -- the most impossible project. Ever.
Michelle schools us on data, high-value assets, meta-data and the really hard topics for security
Michelle gives us a series of examples of "HOW" we can find high-value assets, and start security there
Michelle addresses the phrase "business alignment", since it's pivotal to enterprise architecture
Guest
Michelle-Marie Strah ( @CyberSlate ) - Director, Enterprise Architecture at NBCUniversal – recently joined the newly formed Strategy and Architecture team at NBCUniversal, designed to drive enterprise architecture, solutions architecture and innovation management across all companies in the NBCUniversal global portfolio. Previously she was at Microsoft Corporation worldwide headquarters, where she was responsible for leading emerging markets cloud deployments, go-to-market and compete strategies in Latin America for public, private and hybrid cloud offers (both Azure and partner hosted clouds). As part of her role on the Applied Incubation Team she worked closely with partners, CIOs and government officials as well as internal CTO, legal, and chief security officer teams in the region to ensure privacy and security standards for government and private sector cloud adoption in Latin America. As an enterprise architect, Michelle specializes in governance, risk, compliance, information security and enterprise information management and has decades of experience in highly regulated industries, government, defense and healthcare.
Additional Links
IBM Security Framework: http://www.redbooks.ibm.com/abstracts/sg248100.html?Open
OSA: http://www.opensecurityarchitecture.org
TOGAF: The Open Group Architecture Framework: http://www.opengroup.org/togaf/
12/8/2014 • 51 minutes, 13 seconds
DtSR Episode 121 - NewsCast for December 1st, 2014
Topics covered
Sony Pictures is having a very, very bad couple of days - and it could keep getting worse.
http://www.theverge.com/2014/11/24/7277451/sony-pictures-paralyzed-by-massive-security-compromise
http://www.csoonline.com/article/2852982/data-breach/sales-contracts-and-other-data-published-by-sonys-attackers.html
A newly discovered (but old) comment bug in Wordpress affects ~86% of sites. The story isn't what you think it is
http://www.consumeraffairs.com/news/newly-discovered-comment-security-bug-affects-86-of-wordpress-blogs-112414.html
The Australian government is blaming a data breach from February on... "awareness"? Michael disagrees (and he's right).
http://www.esecurityplanet.com/network-security/australian-government-data-breach-linked-to-poor-security-training.html
The public release of the research on Regin malware has it pegged as the most advanced thing since the computer - so what?
http://money.cnn.com/2014/11/23/technology/security/regin-malware-symantec/index.html?hpt=hp_t2
https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/
Symantec whitepaper: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf
The Justice Department is using a 225 year old law to tackle the modern problem of encrypted cell phones, through the manufacturer.
http://blogs.wsj.com/digits/2014/11/25/case-suggests-how-government-may-get-around-phone-encryption/
The court system... works? 440 year jail threat down to a misdemeanor in no time flat
http://www.wired.com/2014/11/from-440-years-to-misdemeanor/
Updates:
Target doesn't feel like all the banks' losses are their problem, here's why - http://arstechnica.com/tech-policy/2014/11/target-to-judge-banks-losses-in-our-card-breach-arent-our-problem/
In spite of the massive breach, Home Depot's financial outlook is bright - http://www.forbes.com/sites/maggiemcgrath/2014/11/18/home-depot-outlook-bright-despite-data-breach/
12/1/2014 • 44 minutes, 9 seconds
DtSR Episode 120 - Hacking the Human (again)
In this episode
We revisit the 'human' side of hacking
Chris tells us all about the Defcon CTF his team has hosted
We discuss the role human nature plays in social engineering, or "Why the bad guys always win"
Chris gives us his tips for making it harder for social engineers
Michael and Chris talk metrics and measuring "getting better"
Guest
Chris Hadnagy ( @HumanHacker ) - Chris Hadnagy (author of Social-Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Element of Security) is a speaker, teacher, pentester, and recognized expert in the field of social engineering and security. Chris Hadnagy is the President and CEO of Social-Engineer, Inc. He has spent the last 16 years in security and technology, specializing in understanding the ways in which malicious attackers are able to exploit human weaknesses to obtain access to information and resources through manipulation and deceit. Chris is a graduate of Dr. Paul Ekman's courses in Microexpressions, having passed the certification requirements with an "Expert Level" grade. He also has significant experience in training and educating students in non-verbal communications. He holds certifications as an Offensive Security Certified Professional (OSCP) and an Offensive Security Wireless Professional (OSWP). Finally, Chris has launched a line of professional social engineering training and penetration testing services at Social-Engineer.Com. His goal is to assist companies in remaining secure by educating them on the methods used by malicious attackers. He accomplishes this by analyzing, studying, dissecting, then performing the very same attacks used during some of the most recent incidents (i.e. Sony, HB Gary, Lockheed Martin, Target, etc.). In this way, Chris is able to help companies understand their vulnerabilities, mitigate issues, and maintain appropriate levels of education and security. Chris has developed one of the web's most successful security podcasts, The Social-Engineer.Org Podcast, and the equally-popular SEORG Newsletter. Over the years, both have become a staple in most serious security practices and are used by Fortune 500 companies around the world to educate their staff. You can find Chris's articles in local, national, and international publications and journals, including Pentest Mag, EthicalHacker.net, and local and national Business Journals.
Links:
Social Engineer Org - Your one-stop place for podcast, newsletter, and all things social engineering from Chris's team - http://www.social-engineer.org/
SECTF Report - http://www.social-engineer.org/ctf/social-engineer-inc-releases-annual-report-def-con-22-social-engineering-capture-flag-sectf-contest/
Social Engineer, Chris's company - http://www.social-engineer.com/
11/24/2014 • 46 minutes, 42 seconds
DtR Episode 119 - NewsCast for November 17th, 2014
Note: The hashtag for the show on Twitter has changed, please connect with us using #DtSR going forward. Thanks!
Topics covered
Update: Home Depot breach (Hint: apparently it was a 3rd party entry point)
Story: http://www.computerworld.com/article/2844491/home-depot-attackers-broke-in-using-a-vendors-stolen-credentials.html
Apparently as a reaction, all execs are being switched to iDevices (blame Windows? and why only execs?) - http://www.imore.com/home-depot-switches-execs-iphones-macbooks-it-blames-windows-massive-breach
Also, they lost ~53 Million email addresses too - http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
American Express is pushing tokenization to their payment ecosystem; this is big news but leaves a lot more questions and concerns than answers (for example - what about chip & pin (sign)?)
Story: http://threatpost.com/american-express-brings-tokenization-to-payment-cards/109137
Check out the standard itself: http://www.emvco.com/download_agreement.aspx?id=945
Flaw found (in a lab) in the VISA EMV protocol, but is it realistic to do this kind of "immense fraud" outside the lab, in real life?
Story: http://www.cio.com/article/2842994/flaw-in-visa-cards-could-ring-up-a-very-large-fraud.html
The FTC further exercises its (Constitutional?) powers to take down fake "support call scammers", and is on track to some public fanfare
Story: https://nakedsecurity.sophos.com/2014/10/26/ftc-takes-down-fake-support-scammers-upbeat-about-getting-consumers-money-back-poll/
Connecticut Supreme Court paves the way for class-action suit in HIPAA breach/violation. Big question - is this good for anyone other than the lawyers? Will it just add to the rising cost of healthcare, or is this doing some good?
Story: http://www
In this episode
Adam and Dmitri discuss what is (and what isn't) threat intelligence
We discuss strategic, tactical and operational security intelligence
Who is using threat intelligence, and how?
Adam talks about the success factors, key points, and trends
Michael asks how an organization can know whether they're READY for a threat intelligence program
Adam explains the term "finished intelligence"
Adam describes tactical intelligence, while Dmitri gives his take on strategic intelligence
We discuss the merits of education and awareness - first
How important is attribution, really?
3 critical things an enterprise *must be doing* before jumping into threat intelligence as a program
Guests
Adam Meyers ( @adamcyber ) - Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. Within this role it is Adam's responsibility to oversee all of CrowdStrike's intelligence gathering and cyber-adversarial monitoring activities. Adam's Global Intelligence Team supports both the Product and Services divisions at CrowdStrike, and Adam manages these endeavors and expectations. Prior to joining CrowdStrike, Adam was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International. He served as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. He also provided both technical expertise at the tactical level and strategic guidance on overall security program objectives. During his tenure at SRA International, Adam also served as the Product Manager for SRA's dynamic malware analysis platform Cyberlock.
Dmitri Alperovitch ( @dmitricyber ) - Dmitri Alperovitch is the Co-Founder and CTO of CrowdStrike Inc., leading its Intelligence, Technology and CrowdStrike Labs teams. A renowned computer security researcher, he is a thought-leader on cybersecurity policies and state tradecraft. Prior to founding CrowdStrike, Dmitri was a Vice President of Threat Research at McAfee, where he led the company's global Internet threat intelligence analysis and investigations. In 2010 and 2011, Alperovitch led the global team that investigated and brought to light the Operation Aurora, Night Dragon and Shady RAT groundbreaking cyberespionage intrusions, and gave those incidents their names. In 2013, Alperovitch received the prestigious recognition of being selected as one of MIT Technology Review's "Young Innovators under 35" (TR35), an award previously won by such technology luminaries as Larry Page and Sergey Brin, Mark Zuckerberg and Jonathan Ive. Alperovitch was named Foreign Policy Magazine's Leading Global Thinker for 2013, an award shared with Secretary of State John Kerry, Elon Musk and Jeff Bezos. He was the recipient of the prestigious Federal 100 Award for his contributions to federal information security in 2011 and was recognized in 2013 as one of Washingtonian's Tech Titans for his accomplishments in the field of cybersecurity. With more than a decade of experience in the field of information security, Alperovitch is an inventor of eighteen patented technologies and has conducted extensive research on reputation systems, spam detection, web s
11/10/2014 • 52 minutes, 49 seconds
DtR FeatureCast - Norse Corp DDoS - Nov 7 2014
In this episode
Jeff explains a little bit about who Norse is, and why they were potentially targeted with a DDoS
We discuss what a DDoS is, how it becomes effective, and what methods/tools attackers use (in this case SNMP v2 reflection)
We talk about threat intelligence (reputational intelligence) and how companies and intelligence platforms can leverage this data to decrease risks actively
Guest
Jeff Harrell ( @jeffharrell ) - Jeff Harrell is the Vice President of Product Marketing at Norse, the leader in live attack intelligence. Jeff has over 15 years of experience in the IT Security industry leading product management and product marketing teams to build and market security solutions from end users to large enterprises. Jeff's areas of expertise include cloud technology, threat intelligence, compliance, vulnerability management, configuration auditing, and encryption. Prior to Norse, Jeff worked for security and technology companies including nCircle, Qualys, McAfee, PGP, and eMusic.
Additional Links
The attack map Jeff talked about: http://map.ipviking.com
Blog post from Norse on the DDoS: http://blog.norsecorp.com/category/featured/2014/11/06/video-norse-live-attack-map-hammered-by-1-5-gbps-ddos-attack/
11/7/2014 • 25 minutes, 24 seconds
DtR Episode 117 - NewsCast for November 3, 2014
Topics covered
Banks urging shoppers not to avoid breached retailers - Companies that get breached impact card holders minimally, at least as far as we can tell, right?
http://www.kcentv.com/story/26887771/local-bank-leaders-no-need-to-avoid-hacked-retailers-during-holidays
Federal officials (FBI, US SS) are making a big push to be your source for cyber-security help - Interesting that this comes up at a time when everyone is fighting back against government meddling/surveillance
http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/
The FCC flexes its muscle in a pair of fines totalling a paltry $10m for egregious security violations - Of course, the people who have had their privacy and security violated see none of this big-telco pocket-change...
http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/24/with-a-10-million-fine-the-fcc-is-leaping-into-data-security-for-the-first-time/
Congress doesn't grant FBI the ability to prevent mobile encryption... undoubtedly ushering us into "a very dark place" - for once, Congress did something useful by doing what it's famous for: nothing
http://www.theregister.co.uk/2014/10/22/fbi_apple_grapple_congress_kills_cupertino_crypto_kibosh/
Insurance companies fighting to get data breach coverage removed from general liability policies - isn't this obvious? I think this is one of the last shoes to drop before things move forward, finally
http://www.businessinsurance.com/article/20141026/NEWS07/141029850
11/3/2014 • 44 minutes, 18 seconds
DtR Episode 116 - Lines in the Sand on Security Research
In this episode
Chris attempts to explain the consternation with 'security research' right now
Kevin gives his perspective and why he doesn't quite understand why people don't see they're "breakin' the law"
Shawn discusses what parts of the CFAA he would like to see reformed
James drops the question - "What is a security researcher?" ...and rants a little
Kevin talks about why the security industry needs to self-regulate, with an example
Chris and Kevin debate intent, and "stepping over the line"
Chris brings up the issue of bug intake at a large company
Spirited discussion about intent, regulation, actions and separating emotion from facts
Guests
Chris John Riley - ( @ChrisJohnRiley ) - Chris John Riley is a senior penetration tester and part-time security researcher working in the Austrian financial sector. With over 15 years of experience in various aspects of Information Technology, Chris now focuses full time on Information Security with an eye for the often overlooked edge-case scenario. Chris is one of the founding members of the PTES (Penetration Testing Execution Standard), regular conference attendee, avid blogger/podcaster (blog.c22.cc / eurotrashsecurity.eu), as well as being a frequent contributor to the open-source Metasploit project and generally getting in trouble in some way or another. When not working to break one technology or another, Chris enjoys long walks in the woods, candle light dinners and talking far too much on the Eurotrash Security podcast.
Shawn Tuma - ( @ShawnETuma ) - Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, Christian, family man, author & speaker - and an all-around awesome guy.
Kevin Johnson - ( @SecureIdeas ) - Kevin is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for the SANS Institute and a faculty member at IANS. He is also a contributing blogger at TheMobilityHub.
10/27/2014 • 54 minutes, 19 seconds
DtR Episode 115 - NewsCast for October 20th, 2014
Topics covered
The FBI paid a visit to the "researcher" who revealed (and tinkered with) the hacked Yahoo! servers - we discuss the various aspects of this case, which we've been going round and round on lately
http://www.wired.com/2014/10/shellshockresearcher/
US Cyber Security Czar Michael Daniel wants our passwords gone, replaced by... "selfies"; We wish we were making this one up or the link was to an Onion article, but sometimes the jokes write themselves in a sad, sad way
http://www.theregister.co.uk/2014/10/15/forget_passwords_lets_use_selfies_says_obamas_cyber_tsar/
Pres. Obama has issued an executive order that all government payment cards now must be "chip & pin"; once again underscoring that "just do something" may be worse than actually doing nothing -- we'd love to hear your thoughts
http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions
Notable data breaches discussed:
K-Mart - http://www.theregister.co.uk/2014/10/12/kmart_cyber_attach/
Dairy Queen - http://www.theregister.co.uk/2014/10/10/dairy_queen_restaurants_hacked/
POODLE, the latest OMG SSL vulnerability; is it really that big a deal that there is a public vulnerability in a protocol that should have become extinct at the turn of the century? (Hint: Sadly, yes)
http://www.theregister.co.uk/2014/10/10/dairy_queen_restaurants_hacked/
10/20/2014 • 38 minutes, 21 seconds
DtR Episode 114 - Threat and Vulnerability Management
In this episode
Ron gives us a brief history of Tenable and TVM for the enterprise
Ron answers "How do you make network security obtainable and defendable?"
We discuss TVM as a fundamental principle underlying many other security program items
Ron tells us what the modern definition of "policy" is
We discuss some hurdles and challenges of TVM programs in an enterprise
We note that security scanning can always break stuff - so how do you get around that?
Ron tells us why TVM is so much more than scanning
Michael asks "Why are so many companies stuck in a Prince song (1999)?"
We attempt to tackle compliance, risk, and managing to a goal
Ron answers the question "Are we getting any better?"
Guest
Ron Gula ( @RonGula ) - CEO and CTO at Tenable. Ron co-founded Tenable Network Security, Inc. in 2002 and serves as its Chief Executive Officer and Chief Technology Officer. Mr. Gula served as the President of Tenable Network Security, Inc. He served as the Chief Technology Officer of Network Security Wizards, which was acquired by Enterasys Networks. Mr. Gula served as Vice President of IDS Products and worked with many top financial, government, security service provider and commercial companies to help deploy and monitor large IDS installations. Mr. Gula served as Director of Risk Mitigation for US Internetworking and was responsible for intrusion detection and vulnerability detection for one of the first application service providers. Mr. Gula worked at BBN and GTE Internetworking, where he conducted security assessments as a consultant, helped to develop one of the first commercial network honeypots and helped develop security policies for large carrier-class networks. Mr. Gula began his career in information security while working at the National Security Agency conducting penetration tests of government networks and performing advanced vulnerability research. He was the original author of the Dragon IDS. Mr. Gula has a BS from Clarkson University and a MSEE from University of Southern Illinois.
10/13/2014 • 45 minutes, 23 seconds
DtR Episode 113 - NewsCast for October 6th, 2014
Topics covered
The petition on WhiteHouse.gov titled "Unlock public access to research on software safety through DMCA and CFAA reform" and ... well, we talk about it with an attorney and some necessary skepticism
https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD
My take: http://blog.wh1t3rabbit.net/2014/10/to-reform-and-institutionalize-research.html
A Marriott property in Nashville (Gaylord Opryland) will pay $600,000 in an FCC settlement for jamming/blocking guests' personal WiFi hotspots
http://www.fcc.gov/document/marriott-pay-600k-resolve-wifi-blocking-investigation
A Pakistani man has been indicted in Virginia for selling "StealthGenie", an app designed specifically as spyware
http://www.justice.gov/opa/pr/pakistani-man-indicted-selling-stealthgenie-spyware-app
The code for the BadUSB attack was published and released at DerbyCon - we discuss implications
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
Cedars-Sinai Medical Center's loss of data is much worse than they thought, but it's actually worse than that - a teachable moment here
http://www.latimes.com/business/la-fi-cedars-data-breach-20141002-story.html
10/6/2014 • 47 minutes, 31 seconds
DtR FeatureCast - CFAA, Shellshock and Security Research - October 2nd 2014
Thank you to Shawn Tuma - an attorney specializing in CFAA and a good friend of our show - for stopping by and lending his expertise on this episode. If you enjoy Shawn's insights, consider following him on Twitter ( @ShawnETuma ) or just saying hello!
In this episode
We discuss the CFAA in regards to Robert Graham's brilliantly written blog post on the topic - http://blog.erratasec.com/2014/09/do-shellshock-scans-violate-cfaa.html
Shawn gives some key insights on the CFAA, including historical context
Michael asks some tough questions on the discretion and applicability of CFAA prosecution
James goes on a rant about "security researchers" (it's a gem)
I'm pretty sure Shawn goes on the record saying security researchers should be credentialed ... or was that me?
We get some advice from Shawn on where this topic goes next, and how to avoid being a target of prosecution
Guest
Shawn Tuma ( @ShawnETuma ) - Shawn is an attorney with expertise in computer fraud, social media law, data security, intellectual property, privacy, and litigation. He's a Texan, Christian, family man, author & speaker - and an all-around awesome guy.
10/2/2014 • 39 minutes, 57 seconds
DtR Episode 112 - DREAMR Framework
In this episode
DREAMR: What is it, and why is it so important to Enterprise Security today?
Examples of aligning business and security requirements and winning hearts & minds
How does a security organization get around "see, I told you so!" security?
An example of how to make the framework work for you
We discuss the importance of listening, then listening, then listening some more
Jessica and Ben explain "accommodating" the business
Jessica and Ben give us "one critical piece of advice"
Guests
Jessica Hebenstreit ( @secitup ) - Jessica Hebenstreit has been a member of the Information Security community for over a decade. Having worked on both the technical and business sides of various enterprises, Hebenstreit has a unique perspective that allows for more understanding when balancing competing interests. She is a successful and results-oriented Information Security expert with hands-on information security experience in security monitoring, incident response, risk assessment, analysis, and architecture and solution design. She holds the following certifications: CISSP, GIAC-GSEC, CRISC and SFCP. In March 2012, she earned her Masters of Science in IT (MSIT) specializing in Information Assurance and Security. She is currently the Manager of Security Informatics - Threat Analysis and Response at Mayo Clinic. She is building a smart response architecture for incident response from the ground up.
Ben Meader ( @blmeader ) - Ben Meader is a Senior Security professional with a unique blend of technical acumen and business know-how. Meader's security thought leadership has been battle tested at multi-national firms over the past 13 years, ranging from network security and operational security to performing detailed risk assessments and implementing a firm-wide privacy program. He remains up to date in both security and business, having received his M.B.A. from DePaul University, and holds a current CISSP. He is also active in the entrepreneurial community and is Co-Founder of a mobile application company on the side. His education and range of experiences in working with firms both large and small have given him a unique perspective on the role of security within different business cultures and how competing philosophies can collide.
9/29/2014 • 41 minutes, 44 seconds
DtR Episode 111 - NewsCast for September 22nd, 2014
Topics covered
Hacker flees US for non-extradition country - why?
http://blog.erratasec.com/2014/09/hacker-weev-has-left-united-states.html
http://www.newrepublic.com/article/117477/andrew-weev-auernheimers-tro-llc-could-send-him-back-prison
Class-action lawsuit against Onity lock company ("easily hackable hotel lock") rejected by judge
https://www.techdirt.com/articles/20140903/14134528408/onity-wins-hotels-that-bought-their-easily-hacked-door-lock-cant-sue-according-to-court.shtml
http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller
http://www.forbes.com/sites/andygreenberg/2012/12/06/lock-firm-onity-starts-to-shell-out-for-security-fixes-to-hotels-hackable-locks/
Home Depot - the dirt starts to fly
http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/
https://privacyassociation.org/news/a/following-breach-report-shows-home-depot-has-105-million-in-coverage/
https://privacyassociation.org/news/a/2013-05-01-supreme-court-wiretap-ruling-upholds-stringent-standing-to-sue/
9/22/2014 • 47 minutes, 23 seconds
DtR Episode 110 - Red Dragon Rising
In this episode
Separating the hype from the reality of the Chinese hacking threat
The escalation of economic tensions between the US & China over hacking
What is the advice for the enterprise regarding state-sponsored attacks?
The challenge with the uni-directional intelligence flow between government and enterprise
The challenge with nation-state hacking of critical infrastructure
The worst-case scenario (quietly happening?)
Directly addressing the various APT reports (specifically APT1)
Does a cyber attack warrant a kinetic response?
Attribution is hard. Is it more than black magic, and is anyone doing it right?
The great disconnect between the keyboard jockey and real-life consequences
Guest
Bill Hagestad II ( @RedDragon1949 ) - Internationally recognized cyber-intelligence & counter-intelligence professional. Technical, cultural, historical and linguistic analysis of foreign nation-state cyber warfare capabilities, intents & methodologies. Listed by Forbes Magazine as one of "20 Cyber Policy Experts To Follow On Twitter". Bill can be found on LinkedIn at www.linkedin.com/in/reddragon1949
9/15/2014 • 39 minutes, 39 seconds
DtR Episode 109 - NewsCast for September 8th, 2014
Topics covered
Apple has been making news, issuing guidance, and refuting a hack - all around iCloud
http://www.padgadget.com/2014/09/03/apple-warns-developers-not-to-store-health-data-in-icloud/
http://www.padgadget.com/2014/09/03/apple-says-celebrity-photo-leak-was-not-due-to-icloud-breach/
http://www.cio-today.com/article/index.php?story_id=94027
HealthCare.gov was hacked, but no worries: it was only a test server and no "data was taken/viewed". Does this sound like something you've faced in the enterprise ... hmmmm? If only there was someone warning them about the insecurity of that site! h/t to Dave Kennedy for standing up and taking political heat.
http://www.nationalreview.com/article/387182/healthcaregov-hack-reminiscent-earlier-vermont-exchange-attack-jillian-kay-melchior
http://www.computerworld.com/article/2603929/healthcare-gov-hacked-if-only-someone-had-warned-it-was-hackable-oh-wait.html
Home Depot apparently has suffered a massive breach, much like Target. Interesting? Or ho-hum? (Did you Buy The Dip? h/t @DearestLeader )
http://seekingalpha.com/article/2478055-home-depot-potential-data-breach-may-have-presented-a-good-opportunity-to-buy-the-stock
http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/
http://www.csoonline.com/article/2601082/security-leadership/are-you-prepared-to-handle-the-rising-tide-of-ransomware.html
Norway's Oil & Gas industry is now the target of hackers seeking to get intelligence on production, exploration - and that all-important state-sponsored competitive edge.
http://www.thelocal.no/20140827/norwegian-oil-companies-hacked
Google is deprecating (in a big way) the use of SHA-1 in certificates, way ahead of the set schedule. Is this "Google the game-changer" or "Google the bully"? You decide - tweet us at #DtR
http://www.csoonline.com/article/2602108/security-leadership/do-you-agree-with-googles-tactics-to-speed-adoption-of-sha-2-certificates.html
9/8/2014 • 49 minutes, 57 seconds
DtR Episode 108 - Security in State Government
In this episode
We discuss the largest challenges in the state government sector
Brian discusses balancing the need for openness versus security/secrecy
Phil talks about the challenge of balancing policy with agency needs in state government
Michael asks how state-level security justifies and prioritizes security requirements
Raf asks how policy is created that can be both effective and broad
The group talks about metrics, policy implementation, and showing value in protecting citizens
The guys answer "What's the best piece of advice you've gotten in your career?"
Guests
Philip Beyer ( @pjbeyer ) - Philip is a security professional with more than 12 years of progressive experience. Currently leading information security for an organization as a function of business goals and risk profile. Consummate generalist with a background in multi-client consulting and specialization in risk management, incident handling, security operations, software assurance (OpenSAMM, BSIMM), and technical compliance testing (ISO 27002, PCI-DSS, HIPAA). Confident leader, problem solver, relationship builder, technical communicator, public speaker, presenter, and security evangelist. Fast-paced learner with a strong work ethic and self-starter attitude.
Brian Engle ( @brianaengle ) - Currently the Chief Information Security Officer & Texas Cybersecurity Coordinator, Brian is a results-oriented executive and leader with over 20 years of progressive experience in Information Technology and Information Security across the government, healthcare, manufacturing, financial services, technology, telecommunications and retail verticals. His specialties include risk management, project management, and cost-effective delivery of appropriate security solutions within organizational risk tolerances. Consummate generalist with a background in effective incident management, security and network operations, vulnerability and threat management, as well as technical compliance evaluation and gap analysis.
9/1/2014 • 41 minutes, 4 seconds
DtR Episode 107 - NewsCast for August 25, 2014
Topics covered
Community Health Systems and UPS Stores breached - an analysis and contrast of the two breaches, the data, and the common message
http://regmedia.co.uk/2014/08/18/community_health_systems_8k.pdf
http://blogs.wsj.com/cio/2014/08/20/the-morning-download-community-health-systems-breach-stirs-up-heartbleed-fears/
http://time.com/3151681/ups-hack/
The case of the premature declaration of BYOD's death, via an over-hyped court case?
http://www.cio.com/article/2466010/byod/court-ruling-could-bring-down-byod.html
"Shadow clouds" (cloud services consumed by enterprises, not approved by security) are on the rise. No one on the show is shocked, and you aren't either.
http://www.computerworld.com/s/article/9250606/Shadow_cloud_services_pose_a_growing_risk_to_enterprises
Facebook gives away $50,000 for the "Internet Defense Prize", joining Microsoft in trying to make being defensive-minded (and actually solving some security problems, rather than continuing to point them out) sexy
http://threatpost.com/new-facebook-internet-defense-prize-pays-out-50000-award
8/25/2014 • 45 minutes, 32 seconds
DtR Episode 106 - My Compliance is Better Than Your Security
In this episode
Jason tells us why he isn't hating on compliance
Jason talks about how security people are often the source of the issues
Jason gives us his perspective on compliance-driven security
Jason correlates compliance to quality assurance in security
We talk about security's unbroken streak of failing at the basics
We lament poor metrics, why we suck at them, and what comes next
We discuss how you can tell whether an investment in security "is working"
We discuss the need for repetitive and consistent security
Jason gives us the three things he wants to leave you with
Guest
Jason Oliver ( @jasonmoliver ) - Jason M Oliver, CISSP, CRISC is the Chief and CEO of Tikras Technology Solutions Corp, a Native American Owned Small Business, President at Arrow Ventures, a seasoned security industry veteran, leader, and lifelong pursuer of knowledge. His unique approach to solving security issues involves individualized plans tailored to meet each specific customer's needs. His high level of unwavering integrity has been met by the highest regard from both customers and peers.
8/18/2014 • 41 minutes, 31 seconds
DtR Episode 105 - NewsCast for August 11, 2014
Topics covered
Survey shows CISOs still struggle for respect (from business peers)
http://www.cio.com/article/2460165/security/cisos-still-struggle-for-respect-from-peers.html
Hold Security uncovers 1.2 billion password heist on Russian hacker sites (but something smells funny) - draw your own conclusions folks ... I'd love to hear 'em
http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever
http://www.youarenotpayingattention.com/2014/08/08/the-lie-behind-1-2-billion-stolen-passwords/
https://identity.holdsecurity.com/Submit/
http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
Yet another Android core software blunder, called "Fake ID", essentially gives "highly privileged malware" a free ride.
http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-users-to-highly-privileged-malware/
HP study says 70% of "Internet-of-Things" (IoT) devices are vulnerable. There's a shock, we're carrying around legacy baggage? Perish the thought.
http://h30499.www3.hp.com/t5/Fortify-Application-Security/HP-Study-Reveals-70-Percent-of-Internet-of-Things-Devices/ba-p/6556284
Civilian sector is better than the military at a cyber-war exercise. *rollseyes*
http://www.navytimes.com/article/20140804/NEWS04/308040019/In-supersecret-cyberwar-game-civilian-sector-techies-pummel-active-duty-cyberwarriors?sf29369064=1
Target booking $148M due to data breach
http://fortune.com/2014/08/05/target-data-breach-profit/
http://investors.target.com/phoenix.zhtml?c=65828&p=irol-sec
PF Chang's does an astonishingly good job at being transparent about their breach(es)
http://www.bankinfosecurity.com/pf-changs-breach-33-locations-hit-a-7153/op-1
8/11/2014 • 45 minutes
DtR Episode 104 - JW Goerlich - Security Leaders Series
In this episode
Who is J.W. Goerlich (redux from an earlier episode) - how did he get to where he is now?
How does the security executive deal with the "moving finish line"?
JW discusses how "security" people can break down barriers between "us" and "them"
We discuss why we still fail at the basics, and what all this means ...
JWG tries to talk about his favorite controls framework
We discuss what difference it makes where the CISO reports in the enterprise
What will the CISO be, or need to do, in ~3-5 years?
We discuss hiring into InfoSec - from outside, or within ... and why?
JW gives us the one thing you need to remember
Guest
J.W. Goerlich ( @jwgoerlich ) - Results-driven IT management executive with a track record of building high performance teams and providing flawless execution. Leverages background in systems engineering, software development, and information security expertise to consistently lower operating costs and raise service levels. Designs solutions that support long-term strategic planning and create immediate impact throughout the product lifecycle in process and efficiency gains.
8/4/2014 • 34 minutes, 42 seconds
DtR Episode 103 - NewsCast for July 28th, 2014
Topics covered
Certificate pinning is back in the spotlight with the Gmail iOS app having some difficulties, but there is a bigger issue here. We discuss.
http://securityaffairs.co/wordpress/26577/hacking/gmail-app-flaw-mitm.html
Nearly 3 years later, the NASDAQ hack is attributed to FSB/Russian "state sponsored" hackers, via two "zero-day" malware samples. Highlighting the need for attribution, common language, and other issues in security.
http://www.infosecurity-magazine.com/view/39397/nasdaq-hackers-used-two-zero-days-but-motives-a-mystery/
Cyber insurance - is this a forcing function to improve overall security, or yet another carpet to sweep security problems under?
http://www.reuters.com/article/2014/07/14/us-insurance-cybersecurity-idUSKBN0FJ0B820140714
A judge has just ruled that your "Gmail account" has the same legal protections (or lack thereof) as a hard drive you own. Dangerous precedent, or nothing new?
http://nakedsecurity.sophos.com/2014/07/22/your-gmail-account-is-fair-game-for-cops-or-feds-says-us-judge/
also relevant - http://nakedsecurity.sophos.com/2013/08/14/google-says-gmail-users-cant-expect-privacy/
Not discussed, but interesting reads:
"Operation Emmental" is an assault against 2FA and online banking
http://secureidnews.com/news-item/operation-emmental-attacks-online-banking-and-2fa/
Looks like healthcare is next on the list of verticals targeted ... filed under things we all suspected, but will soon see
http://healthitsecurity.com/2014/07/24/how-healthcare-can-learn-from-retails-it-security-mistakes/ h/t to Eric Cowperthwaite
7/28/2014 • 39 minutes, 52 seconds
DtR Episode 102 - Security Leaders Series - Jim Tiller
In this episode
Jim Tiller - a few things you probably didn't know?
In the last 15 years, what has changed, and what hasn't?
Why isn't security moving forward?
"Complexity is the camouflage for bad guys" -Jim
Chasing the moving line of "security"
"Fixing the airplane as it flies"
How do enterprise security organizations push away from playing "prevent" permanently?
Fundamentals, fundamentals, fundamentals ... you're still failing
What things should CISOs be doing that they're NOT right now?
Where will security be, as a discipline, in 10 years?
Guest
Jim Tiller ( @Real_Security ) - Jim has been in the security industry since the very early 90's and has continued his mission of working with individuals, groups, organizations, and companies around the world to collaborate, develop, and implement business-aligned security strategies and technologies. Throughout his career he's worked with and in numerous organizations for the advancement of information security technologies, practices, and standards, and through these activities helped organizations achieve their goals. Find Jim on LinkedIn here.
7/21/2014 • 41 minutes, 52 seconds
DtR Episode 101 - NewsCast for July 14th, 2014
Topics covered
Florida Information Protection Act of 2014 is in the books, and it brings "sweeping changes" to the data breach disclosure process in Florida. Good thing or bad? You decide
http://www.scmagazine.com/fla-passes-sweeping-data-breach-notification-bill/article/357858/
http://www.flsenate.gov/Session/Bill/2014/1526/?Tab=RelatedBills
http://www.flsenate.gov/Session/Bill/2014/1524
The DoJ has nabbed a "prolific hacker" ... a Russian national. Russia calls it kidnapping. Tensions flare. Again.
http://mashable.com/2014/07/08/russian-man-hacking-retailers/
Chinese man charged with industrial espionage
http://arstechnica.com/tech-policy/2014/07/chinese-businessman-charged-with-hacking-boeing-and-lockheed/
US banks are calling for a "Cyber War Council" (so much wrong here, it's incredible ...)
http://www.businessweek.com/news/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council#p2
The ultra-ultra-legacy code problem and why we're not getting security any higher up the ladder any time soon
http://www.businessweek.com/articles/2014-06-25/the-talent-that-keeps-your-50-year-old-software-running-is-retiring-dot-now-what
Payroll processing company Paytime was hacked and breached. But in the midst of the rush to file lawsuits, at least one company is pledging to stand by Paytime in this rough time ... sanity prevails?
http://www.witf.org/news/2014/07/at-least-one-company-stands-by-paytime-after-data-breach.php
7/14/2014 • 45 minutes, 49 seconds
DtR Episode 100 - Security Wisdom from Dan Geer
In this episode
Who is Dan Geer (just in case you live in a cave and don't know)
Dan's definition of security - "The absence of unmitigatable surprise"
What exactly is the pinnacle goal of security engineering?
Responsibility, liability and when software fails as a result of security issues
In a liability lawsuit - "What did you know, when did you know it?"
The fraction of the population who could sign an "informed consent" is falling - so now what?
Why ICANN is actually making all of this so much worse
What do we do about "abandoned software"?
Fixing security bugs in software is a tricky business ... good, bad, worse
Are things getting better [in security]?
Dan talks about a "diversity re-compiler" and how we can make the exploit writer's job harder
(from Jason White) What "low hanging fruit" issues are we simply not addressing properly right now?
(from Jason White) If the Internet were being built from scratch today, what would you keep and throw away?
Guest
Dan Geer - Dan Geer is a computer security analyst and risk management specialist. He is recognized for raising awareness of critical computer and network security issues before the risks were widely understood, and for ground-breaking work on the economics of security. Geer is currently the chief information security officer for In-Q-Tel, a not-for-profit venture capital firm that invests in technology to support the Central Intelligence Agency. In 2003, Geer's 24-page report entitled "CyberInsecurity: The Cost of Monopoly" was released by the Computer and Communications Industry Association (CCIA). The paper argued that Microsoft's dominance of desktop computer operating systems is a threat to national security. Geer was fired (from consultancy @Stake) the day the report was made public. Geer has cited subsequent changes in the Vista operating system (notably a location-randomization feature) as evidence that Microsoft "accepted the paper."
-- http://en.wikipedia.org/wiki/Dan_Geer
7/7/2014 • 1 hour, 35 seconds
DtR Episode 99 - NewsCast for June 30th, 2014
Topics covered
Your server may have a flaw that exposes its baseboard management controller (BMC/IPMI) interface, admin passwords included, to the world - http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/
Airports are getting hacked, APT involved, state-sponsored attackers! - http://www.nextgov.com/cybersecurity/2014/06/nation-state-sponsored-attackers-hacked-two-airports-report-says/86812/
PayPal flaw renders 2-factor auth on mobile useless; disabled temporarily while they work on a fix - http://www.darkreading.com/mobile/paypal-two-factor-authentication-broken/d/d-id/1278840?
FTC vs. Wyndham: another shoe drops, the FTC takes a hit while Wyndham scores a win - http://www.mediapost.com/publications/article/228730/judge-authorizes-wyndham-to-appeal-data-security-r.html
Dilbert says it best - http://dilbert.com/strips/comic/2014-05-19/
6/30/2014 • 48 minutes, 19 seconds
DtR Episode 98 - Grr (Grr Rapid Response)
In this episode
What exactly is "GRR"?
What sorts of things can GRR do?
What is a hunt, and how does it scale across tens of thousands of machines?
How does GRR "hide" from malware?
How does GRR keep some of the great power it has from being abused?
Automating and integrating GRR with external sources and tools
Features, functions, capabilities and some magic from Greg
The future features, requests, and direction of GRR
Guest
Greg Castle - Greg has 10 years of experience working in computer security. In his current role as Senior Security Engineer at Google, he is a developer and user of the open-source GRR live-forensics system. He also has a strong interest and involvement in OS X security, having been responsible for the security of Google's OS X fleet for two years. His pre-Google job roles have included pentester, incident responder, and forensic analyst.
Links
Grr Rapid Response - https://code.google.com/p/grr/
6/23/2014 • 46 minutes, 21 seconds
DtR Episode 97 - NewsCast for June 16th, 2014
Note: I want to thank Will Gragido for stopping by this morning to talk over the news with us. Always great to have someone with a fresh perspective; I hope you enjoy the show.
Topics covered
Don't like Google Glass (or similar devices) on your network? Kick them off - http://mashable.com/2014/06/04/glassholes-wifi-jamming/
The FAA has issued an order for Boeing to "protect the planes from computer hackers" ... but what is really going on here? - http://www.usatoday.com/story/news/nation/2014/06/06/faa-boeing-737/10066247/
APT, APT, APT, APT ... evolved APT? - http://www.csoonline.com/article/2158775/security-leadership/why-you-need-to-embrace-the-evolution-of-apt.html
After getting breached, PF Chang's goes "old school"; sounds legit, right? - http://krebsonsecurity.com/2014/06/p-f-changs-confirms-credit-card-breach/
Why preparation is a good idea, even when it comes to "cyber" - http://www.csoonline.com/article/2360748/security-leadership/using-a-cyber-war-exercise-to-improve-your-security-program.html
Feedly gets DDoS'd, extorted, and we're mad as hell - http://www.forbes.com/sites/jaymcgregor/2014/06/12/feedly-goes-down-again-in-second-ddos-attack/
Target hires a (good) CISO, Brad Maiorino, so why are people getting all bent out of shape over where he reports in the organization? - http://blog.wh1t3rabbit.net/2014/06/getting-wrapped-around-ciso-reporting.html
6/16/2014 • 52 minutes, 2 seconds
DtR Episode 96 - A CIO Talks About CISOs
My apologies for some of the skips in this episode - we had some difficulty with the recording, and ultimately I hope it doesn't take away from Joe's wonderful message. Thanks for your patience.
In this episode
From CISO to CIO - making that leap
Does the CISO need to be technical? (answering that question, again)
What types of things does a CIO need to know?
Who should the CISO report to?
Any chance the CISO reporting structure shifts around?
A "Chief Data Officer"?
Are there too many "splintered" job titles in the security/risk role?
Responsibility, accountability, and where the buck stops
What are 3 things security does right, and what are 3 things that we do terribly?
How big should your security budget be? (trick question)
What KPIs should security be reporting to the CIO? (the hardest question ever)
What resources are there for CIOs?
Guest
Joe Riesberg ( @JoeRiesberg ) - Joe is currently the CIO of Drake University. Previous to his current role, he was the Senior Vice President, Global IT Security Services Director at Aviva plc. His LinkedIn profile can be found here: https://www.linkedin.com/pub/joe-riesberg/1/a81/931
6/9/2014 • 37 minutes, 7 seconds
DtR Episode 95 - NewsCast for June 2nd, 2014
Note: Today, Kim Halavakoski joined us on the show to provide perspective all the way from Finland! We appreciate his international addition to the show, and hope the listeners enjoy the added brainpower.
Topics covered:
- Facebook's next major update will turn your mobile device into an always-on listening tool for FaceBook. This is a good time to remind you that you are the product, not the customer - http://www.ibtimes.com/facebook-microphone-update-store-data-social-media-giant-confirms-new-feature-will-1588916
- In a blow to security professionals' ego everywhere, investors apparently aren't swayed by data breaches - http://www.businessweek.com/articles/2014-05-23/why-investors-just-dont-care-about-data-breaches
- The US's indictment of 5 Chinese nationals for 'state sponsored industrial espionage' is apparently backfiring (or at least it is in the media) - http://www.bloomberg.com/news/2014-05-27/china-said-to-push-banks-to-remove-ibm-servers-in-spy-dispute.html
- Now that there is a hack to enable WinXP SP3 computers to masquerade as Point-of-Sale terminals and receive updates ... should you even consider this? Hint: NO - http://blog.wh1t3rabbit.net/2014/05/hacking-registry-to-keep-windowsxp.html
- Target's Audit Committee is under fire for the data breach, but who's really, really at fault? An interesting perspective from Forrester - http://blogs.forrester.com/renee_murphy/14-05-29-dont_blame_targets_audit_committee_for_the_sins_of_technology_management
6/2/2014 • 47 minutes, 26 seconds
DtR Episode 94 - ICANN, Tor, and Internet Freedom
In this episode:
- Jeff explains the background of the relationship between the US government, ICANN and IANA
- What is the ITU and why is this $0 contract handoff to the ITU such a big deal?
- What impact did Edward Snowden's actions have on the issue?
- The potential issues with DNS, cross-border censorship and DNS
- The importance of Tor, Freenet and challenges of implementation
- Discussing the evolution of services like Tor through "nation-state firewalls"
- Changing the image of anonymous services
- Making Tor and similar services more user-friendly, and more prevalent
Guest:
Jeff Moss ( @TheDarkTangent ) - Jeff, also known as The Dark Tangent, is an American hacker, computer security expert and internet security expert who founded the Black Hat and DEF CON computer hacker conferences. His Wikipedia page can be found here.
5/26/2014 • 41 minutes, 37 seconds
DtR Episode 93 - NewsCast for May 19th, 2014
Announcements:
- I want to thank Circle City Con as a sponsor for the show! I have one more ticket to give away ... so watch the #DtR hashtag on Twitter!
- Thanks to special guest Philip Beyer for sitting in James' seat this morning...
Topics discussed:
- "US charges China with cyber-spying on American firms" (Hello, pot? this is the kettle...) - http://www.nbcnews.com/news/us-news/u-s-charges-china-cyber-spying-american-firms-n108706
- Should we be thinking about security beyond win/lose (aka "oh no, hackers are winning!") - http://www.csoonline.com/article/2156104/security-leadership/thinking-about-security-beyond-winning-and-losing.html
- Retail Industry Leaders Association (RILA) has launched their own ISAC-like entity called Retail Cyber Intelligence Sharing Center (R-CISC) - http://associationsnow.com/2014/05/retail-group-launches-sharing-tool-cyber-threats/
- A recent survey tells us that a whopping 43% of all identity theft in 2013 happened in healthcare ( W O W ) - http://www.studentdoctor.net/2014/04/the-rise-of-medical-identity-theft-in-healthcare/
- Self-driving cars, making life-and-death decisions (this should terrify you) - http://www.wired.com/2014/05/the-robot-car-of-tomorrow-might-just-be-programmed-to-hit-you/
5/19/2014 • 41 minutes, 51 seconds
DtR Episode 92 - Rapid Incident Response [Guests: Robin Jackson, Dan Moore]
In this episode:
- Dan gives us the reality of living in what is commonly termed "the post-breach" world
- Dan and Robin talk through the explosion in the numbers of malware samples
- We discuss the different approaches to malware, crimeware, and the cross-over between them
- Dan explains what "rapid incident response" really means and why it's essential
- Dan and Robin give us some excellent examples of incident preparedness fundamentals
- Dan gives us a lesson on implementing 'powerful tools' (and forgetting about them)
- We talk through "who's doing it well?" (and we don't get a very hopeful answer)
- Is it time to learn from our own and others' mistakes? (how?)
Guests:
Robin Jackson ( @rjacksix ) - Robin is an incident response and digital forensics specialist for HP Enterprise Security Services.
Dan Moore - Dan is an incident response and digital forensics specialist for HP Enterprise Security Services.
5/12/2014 • 31 minutes, 35 seconds
DtR Episode 91 - NewsCast for May 5th, 2014
Topics discussed:
- Microsoft has issued a patch for the massive MS IE flaw - for WindowsXP! - http://arstechnica.com/security/2014/05/microsofts-decision-to-patch-windows-xp-is-a-mistake/
- Is Open Source Software more or less secure than closed-source? (in a post-Heartbleed era) - http://www.telegraph.co.uk/technology/internet-security/10769996/Heartbleed-the-beginning-of-the-end-for-open-source.html
- Target's CEO has stepped down, but what's the real reason and is there now opportunity for change? - http://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/ and http://www.latimes.com/business/money/la-fi-mo-target-ceo-resigns-20140505,0,4479532.story
- Biometrics (specifically fingerprints) aren't as secure or unique as we'd like them to be, so ... passwords? - http://www.telegraph.co.uk/science/science-news/10775477/Why-your-fingerprints-may-not-be-unique.html
5/5/2014 • 40 minutes, 49 seconds
DtR Episode 90 - Things Your Auto Insurance Knows [Anonymous guest]
In this episode:
- We discuss some of the new techniques auto insurance companies are using to custom-tailor rates to drivers
- Our guest discusses some of the capabilities of the widgets available
- Our guest discusses the 'call home' functions, and potential mis-use
- We use 'big data' seriously
- We talk about 'big data' and security - for real
- Our guest gives us a realistic view about the type of data that's out there about your driving, habits, and tracking
Guest:
Our guest is an industry insider, who for obvious reasons chose not to identify himself. We respect the guest's position, and kindly ask that our listeners do as well.
4/28/2014 • 26 minutes, 25 seconds
DtR Episode 89 - NewsCast for April 21st, 2014
Topics discussed:
- The big story - "Heartbleed"
  http://www.csoonline.com/article/2142626/security-leadership/how-you-need-to-respond-to-heartbleed-and-how-you-can-explain-it-to-others.html
  http://www.csoonline.com/article/2146141/disaster-recovery/healthcare-gov-urges-password-resets-due-to-heartbleed.html
  http://xkcd.com/1354/
  http://rt.com/news/heartbleed-arrest-canada-security-016/
- The "hacker*" known as "Weev" is free ... on a technicality, and why this is bad, very very bad, for our industry
  http://techcrunch.com/2014/04/11/weev-is-free/
- "Ramshackle Glam" - how one blogger had to go to extraordinary lengths to get her site back, and what you can learn from it
  http://mashable.com/2014/04/02/ramshackle-glam-hacking/
- The FTC's lawsuit against Wyndham Hotels was allowed to proceed by a federal judge - and why this is a very dangerous precedent
  http://www.fiercegovernmentit.com/story/ftc-lawsuit-over-hotel-chain-data-breach-can-proceed/2014-04-14
- Data breach roundup
  - Michaels [yes, again] - http://www.business-standard.com/article/news-ani/leading-us-art-store-admits-2-6-mln-credit-cards-at-risk-of-hacking-114041800569_1.html
  - South Carolina data breach is getting costly (for tax payers) - http://www.therepublic.com/view/story/396a4be862cd485e9248cab7879a3a71/SC--Hacked-Tax-Returns
  - Hard drive maker LaCie was a victim ... for over a year - http://www.techtimes.com/articles/5672/20140416/lacie-latest-victim-data-theft-ironies-hard-drive-manufacturer-hacked.htm
  - [UK] Cosmetic surgery group hacked, blackmail ensues (yikes!) - http://www.dailymail.co.uk/news/article-2604805/Cosmetic-surgeons-targeted-hackers-personal-details-500-000-people-enquiries-clinic-stolen.html
  - Pittsburgh's UPMC hacked, sees 788 fraudulent tax returns as a result - http://www.witf.org/news/2014/04/27k-upmc-worker-hit-by-data-breach-788-by-fraud.php
In this episode:
- Advanced Threat Actors - more or less a threat right now than before? (how much is hype?)
- Advanced Persistent Threat - is it really THAT advanced? (a "what" or a "who"?)
- The distinction of what "APT" is ... and isn't
- Touching on Mandiant APT-1 ... hype from reality
- A quick discourse on corporate espionage!
- How we respond to APTs ... is this just really "incident response" for a boogeyman?
- The snake oil salesman behind "Automated APT defense"
- Threat Intelligence - necessary, but what's the proper use?
- Threat Intelligence requires collaboration, how do we do it?
- Is our security failing, or is our perception of what we want it to do wrong?
- Key take-aways for the enterprise professional
Guests:
Steve Santorelli ( @SteveSantorelli ) - Manager of outreach at Team Cymru
John Pirc ( @jopirc ) - CTO of NSS Labs
J. Oquendo ( @advancedthreat ) - veteran threat researcher
Robin Jackson ( @rjacksix ) - veteran threat researcher, forensics expert at HP Enterprise Security Services
4/14/2014 • 54 minutes, 27 seconds
DtR Episode 87 - NewsCast for April 7th, 2014
Topics covered:
- WindowsXP is officially, for real, definitely end of life - http://windows.microsoft.com/en-us/windows/end-support-help
- Google Nest pushes update - examining the bigger picture - http://www.theregister.co.uk/2014/04/04/nest_waves_goodbye_to_alarm_switchoff_feature/
- South Carolina's agencies are still not any better after the massive breaches - http://www.wbtw.com/story/25149085/still-no-consistent-computer-security-plan-at-sc-agencies
- News flash - we trust the government and Internet companies less as a result of leaks - http://www.computerworld.com/s/article/9247441/Snowden_leaks_erode_trust_in_Internet_companies_government
- The two banks which filed suit against TrustWave & Target have dropped their effort ... sanity apparently prevailed but there's a bigger issue here at stake - http://www.securityweek.com/banks-drop-suit-against-target-trustwave
4/8/2014 • 33 minutes, 2 seconds
DtR Episode 86 - From DDoS to Quantum Computing [Guest: Prof Alan Woodward]
In this episode:
- Rise of DDoS
  - Where did it come from
  - What's next
  - Why does it work
  - Spoofer project
  - 3-DOS attacks
- Quantum computing
  - What is it
  - How is it different than what we commonly use today
  - What problems does it solve
  - How practical is it
- The dark web
  - Where did it come from
  - Legitimate uses, turn into nefarious use-cases
  - Alternatives, adoption and options
Guest:
Prof. Alan Woodward ( @ProfWoodward ) - Alan is not only a subject matter expert in computing, computer security and the impact technology has on business but brings to his roles a very broad range of experience in business management, technical management and project management. Whilst he has particular expertise in covert communications, forensic computing and image/signal processing, Alan is primarily a particularly good communicator, be it with clients, staff or investors. He is known for his ability to communicate complex ideas in a simple, yet passionate manner. He not only publishes in the academic and trade journals but has articles in the national press and appears on TV and radio. Despite the length of his experience, his hands-on ability with emerging technologies contributes significantly to the respect he is repeatedly shown when he leads teams where technology is involved.
Alan has been involved in some of the most significant advances in computer technology and, although he continues to work in industry, he is actively involved with academia as a visiting Professor in the Department of Computing which is part of the Faculty of Engineering and Physical Sciences at the University of Surrey. His achievements have resulted in him rising to become a Fellow of various institutions including the British Computer Society, Institute of Physics and Royal Statistical Society.
Did you catch all that?
DtR is giving away a free ticket to Source Boston - if you're interested in being the lucky recipient, be the first to tweet @Wh1t3Rabbit with "I just won a ticket to @SOURCEConf Boston courtesy of the #DtR Podcast!"
3/31/2014 • 47 minutes, 3 seconds
DtR Episode 85 - NewsCast for March 24th, 2014
Topics covered:
- The FTC jumps into the breech (pun intended) and may try and levy fines against Target, and future breach victims - http://ww2.cfo.com/technology/2014/03/ftc-urges-data-breach-penalties/ and http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver
- Could the Barclays Bank breach of Feb 2014 have been test data? Richard Bishop thinks so - http://blog.trustiv.co.uk/2014/03/barclays-data-breach-%E2%80%93-could-it-be-test-data and http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
- US Commerce Dept not renewing ICANN contract, moving control to ITU - http://www.bloomberg.com/news/2014-03-15/u-s-to-relinquish-control-of-internet-address-system.html and http://www.businessweek.com/articles/2014-03-17/the-u-dot-s-dot-ends-control-of-icann-gives-up-backing-of-the-free-speech-internet
- With Microsoft officially, and finally, stopping support for WinXP (after 14yrs!), is there a "breach crisis" around the bend? - http://www.pcmag.com/article2/0,2817,2455206,00.asp
- Microsoft can read your Hotmail/webmail ... so can Google, Apple and Yahoo! Hype or crisis? - http://www.theverge.com/2014/3/21/5533814/google-yahoo-apple-all-share-microsofts-troubling-email-privacy-policy
- (bonus) "eGovernment" is something many governments globally and locally are moving ahead with - is this rainbows or rain clouds? I joined Discover Performance Weekly to briefly discuss - http://youtu.be/bAfP-jc0x6Q
3/24/2014 • 46 minutes, 12 seconds
DtR Episode 84 - Rise of the Security Machines [Guest: Alex Pinto]
In this episode:
- what is the promise of automation, and where did we go wrong (or right?)
- the problems with 'volume' (of logging) and the loss of expressiveness
- a dive into 'exploratory based monitoring'
- how does log-based data analysis scale?
- baselines, and why 'anomaly detection' has failed us
- does machine learning solve the 'hands on keyboard' (continuous tuning) problem with SIEM?
- does today's 'threat intelligence' provide value, and is it really useful?
- decrying the tools - and blaming the victims
- what is machine learning good at, and what won't it be great at?
- log everything!
Guest:
Alex Pinto ( @alexcpsec ) - Alex has almost 15 years dedicated to Information Security solutions architecture, strategic advisory and security monitoring. He has been a speaker at major conferences such as BlackHat USA, DefCon, BSides Las Vegas and BayThreat. He has been researching and exploring the applications of machine learning and predictive analytics into information security data sources, such as logs and threat intelligence feeds. He launched MLSec Project (https://www.mlsecproject.org) in 2013 to develop and provide practical implementations of machine learning algorithms to support the information security monitoring practice. The goal is to use algorithmic automation to fight the challenges that we currently face in trying to make sense of day-to-day usage of SIEM solutions.
3/17/2014 • 48 minutes, 56 seconds
DtR Episode 83 - NewsCast for March 10th, 2014
Topics covered:
- Target CIO resigns, new central CISO and CCO roles created; but what's really going on here? - http://www.darkreading.com/attacks-breaches/target-begins-security-and-compliance-ma/240166451 & http://pressroom.target.com/news/target-reports-third-quarter-2013-earnings
- City of Detroit employees' information (including SSNs, DoB, etc) is "at risk" because someone clicked something they shouldn't have - http://www.freep.com/article/20140303/NEWS01/303030085/Detroit-computer-security-breach
- ComiXology was [big time] hacked, but it's all good because the passwords were 'cryptographically secured' ... but where's the transparency? - http://www.theregister.co.uk/2014/03/07/comixologys_phantom_zone_breached_by_evil_haxxor/
- A North Dakota University System was hacked and now the data of 290k students, employees and faculty (yes, including SSNs) is at risk ... or is it? - http://www.greenfieldreporter.com/view/story/8f909740809e48e9a5669de333418134/US--University-System-Hacked
- NC State researchers have a genius new way to detect Android malware (hint: you look for C code) - http://www.computerworld.com/s/article/9246825/N.C._State_researchers_devise_tool_that_detects_Android_malware
- The AARP (yes, that AARP) has decided that now is the time to post a bulletin to their system to teach retired persons how to make good passwords - http://www.aarp.org/home-family/personal-technology/info-2014/create-password-avoid-hacks-kirchheimer.viewall.html
3/10/2014 • 34 minutes, 39 seconds
DtR Episode 82 - Likely Threats [Guests: Lisa Leet, Russell Thomas, Bob Blakley]
In this episode:
- Does it make sense, in a mathematical and practical sense, to look for 'probability of exploit'?
- How does 'game theory' apply here?
- How do intelligent adversaries figure into these mathematical models?
- Is probabilistic risk analysis compatible with a game theory approach?
- Discussing how adaptive adversaries figure into our mathematical models of predictability...
- How do we use any of this to figure out path priorities in the enterprise space?
- An interesting analogy to the credit scoring systems we all use today
- An interesting discussion of 'unknowns' and 'black swans'
- Fantastic *practical* advice for getting this data-science-backed analysis to work for YOUR organization
Guests:
Lisa Leet - Lisa is a wife of 17 years, a mother of 5 years to boy/girl twins, and an employee of 7 years on the Information Security team at a Minneapolis-based financial services firm. She is also an intern at Stamford Risk Analytics (Stamford, CT), pursuing studies at Stanford University, prepping for her CISSP Exam on July 15th, taking MOOCs, and reading at least twelve books concurrently including a 1600-pager on Python. In her free time she volunteers on the Board of Directors for SIRA (Society of Information Risk Analysts) and participates in awesome podcasts like DtR.
Russell Thomas ( @MrMeritology ) - Russell is a Security Data Scientist in financial services, and a PhD student in Computational Social Sciences. His focus is on the intersection of information security and business and economic decision making. He's "MrMeritology" on Twitter, and blogs at "Exploring Possibility Space" (http://exploringpossibilityspace.blogspot.com/).
Bob Blakley - Bob has been in the security industry for more than 35 years. He's led the OMG CORBAsecurity, SAML, and OATH standardization efforts, and currently chairs the NSTIC Identity Ecosystem Steering Group. He's in the drama department at a large multinational financial institution.
3/3/2014 • 43 minutes, 15 seconds
DtR Episode 81 - NewsCast for February 24th, 2014
Topics covered:
- Apple had a "Goto Fail" failure - yes, people at Apple Computer still use Goto statements in 2014 - http://www.computerworld.com/s/article/9246533/Apple_encryption_mistake_puts_many_desktop_applications_at_risk and Adam Langley's awesome blog - https://www.imperialviolet.org/2014/02/22/applebug.html
- Look out Terps, Univ of Maryland has lost the personal information of 309,000+ staff members, students and faculty, including social security numbers ... OUCH - http://www.washingtonpost.com/local/college-park-shady-grove-campuses-affected-by-university-of-maryland-security-breach/2014/02/19/ce438108-99bd-11e3-80ac-63a8ba7f7942_story.html
- ICS-CERT has a new report out that bemoans the Industrial Control sector's inability to detect and respond to incidents ... mainly due to inadequate logging - http://www.govinfosecurity.com/report-cyberthreat-detection-lacking-a-6516 and the report https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2013.pdf
- Websense has done a massive analysis of Dr. Watson (MS Windows crash) files and determined there is some new kind of APT, POS attack afoot - http://www.darkreading.com/attacks-breaches/microsoft-windows-crash-reports-reveal-n/240166207
- Many different outlets are reporting this in various ways, but consumer endpoints (at this point lots of Linksys home routers) are being infected with a new worm targeting a flaw, mainly because people choose to expose their management interfaces to the outside; why? - http://krebsonsecurity.com/2014/02/time-to-harden-your-hardware/
2/24/2014 • 26 minutes, 29 seconds
DtR Episode 80 - Lies, Damned Lies, and #InfoSec Statistics [Guests: Jay Jacobs, Bob Rudis]
In this episode:
- Jay and Bob talk about their new book
- A discussion on using data as 'supporting evidence' rather than gut feelings
- Do we have actuarial quality data to answer key security questions?
- A discussion on "asking the right question", and why it's THE single most important thing to do
- Bob attempts to ask security professionals to use data we already have, to be data-driven
- Jay tells us why he wouldn't consider "SQL Injection" a "HIGH" risk ranking - and why data challenges what you THINK you know
- Quick shout out to Allison Miller on finding the little needles in the big, big haystack
- We think about why security as an industry needs to start looking outside of itself to get its data - now
- Jay discusses how there is a definite skills shortage in working with large data sets, and doing analysis
- I ask whether there is a chicken and egg problem in large-scale data analysis
- Bob brings up the "kill chain" and whether we really need real-time data analysis for attacks
- Bob makes a pitch for having a "Cyber CDC" ... stop laughing
- Jay laments the absolute bonkers problems dealing with information sharing (when you don't have any to share)
- Jay urges you to "count and compare"
Guests:
Jay Jacobs ( @JayJacobs ) - www.linkedin.com/pub/jay-jacobs/3/896/4b0, Jay is currently a Principal at Verizon Business
Bob Rudis ( @hrbrmstr ) - www.linkedin.com/in/hrbrmstr, Director, Enterprise Security, IT Risk Management at Liberty Mutual Insurance & Co-author of Data-Driven Security
2/17/2014 • 58 minutes, 32 seconds
DtR Episode 79 - NewsCast for February 10th, 2014
Topics covered:
- In the wake of the Target & Nieman Marcus breaches - is chip+pin really a priority right now, and does it solve the real problem? - http://blogs.csoonline.com/security-leadership/2977/does-chip-and-pin-actually-solve-problem-find-out-asking-these-questions
- Speaking of Target ... it turns out that 3rd parties really are a problem and still a blind spot in many organizations' risk matrices, who knew - http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
- Apparently NBC News doesn't believe it's stretching the news at all, when it virtually makes up a story then gets called out by Robert Graham; hilarity ensues - http://news.cnet.com/8301-1009_3-57618533-83/sochi-hack-report-fraudulent-security-researcher-charges/
- Something bad, very, very bad just happened over at Barclays in the UK ... although the jury seems to still be out on what exactly is going on; you can bet we're going to keep an eye on this - http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
- In a "You can't make this stuff up, folks" moment, the FBI is asking for malware and they're willing to pay for it; and they'll send you all the info in a .docx file?! - http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/02/fbi-market-malware/78218/
- Is your next new vehicle going to be part of the mesh-network which keeps cars from crashing into each other? It will if the government has its way - complete with wildly-made-up-sounding statistics and ridiculous news story and all (somewhere, Flo from Progressive is mad they stole her schtick) - http://www.usatoday.com/story/money/cars/2014/02/03/nhtsa-vehicle-to-vehicle-communication/5184773/
2/10/2014 • 38 minutes, 19 seconds
DtR Episode 78 - Legal Professional Privilege [Guest: David Prince]
In this episode:
- David discusses what it's like working for a law firm (in the UK)
- A quick wade through the UK Data Protection Act (mostly Principle 7)
- "When lawyers get to interpret the laws"
- Law firms as targets for data breaches
- The new regulations in the UK, fines between 2%-5% of your REVENUE? Ouch.
- Defining "adequate measures" in regulations
- A brief chat on fines, regulations, and risk management
- I trail off on a Princess Bride quote, and get ranty on "risk"
- Dealing with personal devices, public WiFi to work and security
- James asks the inevitable question on training
- Good vs. "best" practice
- Your security as a competitive advantage. Really.
Guest:
David Prince ( @riskobscurity ) - A dedicated and well-respected Technical Information Security Professional with several years' experience and demonstrated success leading information security initiatives in a variety of organizations; initiatives which are in direct support of business objectives to maintain the confidentiality, integrity, and availability of organizational assets and improve business efficiency and effectiveness.
2/3/2014 • 41 minutes, 35 seconds
DtR Episode 77 - NewsCast for January 27th, 2014
Special thanks to Michael Santarcangelo ( @catalyst ) for stopping by the show and guest-hosting with James and me! We had fun, and I think you'll all enjoy Michael's perspective and humor.
Topics covered:
- Nieman Marcus breach - all new, same as before, or is it? - http://www.wired.com/threatlevel/2014/01/neiman-marcus-hack/
- Coca-Cola loses laptops ... sort of ... but no worries, no evidence of wrongdoing - http://www.ajc.com/news/business/coca-cola-tells-thousands-of-employees-of-security/nc2NB/
- Breach over at Microsoft, law enforcement documents "likely stolen", but what does that really mean? - http://www.pcworld.com/article/2091480/microsoft-says-law-enforcement-documents-likely-stolen-by-hackers.html
- The (San Jose) police want to use your home surveillance system cameras, I'm not kidding - http://news.cnet.com/8301-17852_3-57617809-71/police-want-to-use-your-home-security-cameras-for-surveillance/
1/27/2014 • 35 minutes, 51 seconds
DtR Episode 76 - Payment Industry Turmoil [Guests: Laura Claytor & Alfred Portengen]
In this episode:
- Did the Target/Neiman/? breach finally create a catalyst for change?
- The card system, payment processing infrastructure clearly wasn't designed with defensibility in mind ... who should be changing that?
- Are today's fraud rates finally getting high enough such that card processors, issuers, banks need to depart from the status quo?
- Are the days of "zero fraud liability" to the end consumer coming to an end?
- What about chip & pin? Is the risk less?
- What kinds of pains will the industry go through to make security on payment systems better?
- How is the commercial payments industry different from the consumer?
- Do end users of credit accounts ultimately care about breaches?
Guests:
Laura Claytor ( @the.hgic ) - Laura is a security specialist and veteran within a large US-based banking organization, and is based in the southwest United States
Alfred Portengen ( @alfredportengen ) - Alfred has a deep breadth of experience in architecture and security specialty within a multi-national banking organization; he is based in the Netherlands
1/20/2014 • 39 minutes, 42 seconds
DtR Episode 75 - NewsCast for January 13th, 2014
I can't believe it's 2014 already, and we're rolling through our 3rd calendar year! As we grow and you "regulars" mount, James and I want to thank you for listening, bookmarking, sharing and talking about the podcast. Your patronage has really made us smile, and you're the reason we do this.
Topics covered:
- Reuters: Retail community may be ready for a change in the payment card system and processes - http://uk.reuters.com/article/2014/01/13/uk-target-databreach-retailers-idUKBREA0B01A20140113
- More Snowden fallout: French/UAE Intel satellite deal may be scuttled because of US-made components - http://www.defensenews.com/article/20140105/DEFREG04/301050006
- Ransomware CryptoLocker's uglier, meaner cousin now available for $100 ... look out! - http://arstechnica.com/security/2014/01/researchers-warn-of-new-meaner-ransomware-with-unbreakable-crypto/
- Schneier: "The Internet of Things" is very vulnerable ... and there's no good way to patch it all - http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/
- Lawsuit filed in the "FaceBook reads my private messages" case - http://money.cnn.com/2014/01/03/technology/facebook-privacy-lawsuit/
1/13/2014 • 41 minutes, 59 seconds
DtR Episode 74 - Supply Chain [In]Security
In this episode
Chris Wysopal - who is that masked man?
Putting some reality to the state-sponsored backdoors (Huawei) and supply-chain compromise
The risks coming through the door with the products you buy
The case for setting up an independent testing lab for mitigating 'backdoor' accusations
Chris does an interesting assessment on software security practices in the enterprise
Chris discusses holding your vendor to the same standards you hold yourself
What does it mean that enterprises are doing a "good job" in SwSec
Chris goes there, open-source components as part of supply chain risk
James asks "How do smaller buyers leverage scale to hold their suppliers accountable?"
Why do we still see SQL Injection?! Are we ever going to get rid of it?
Guest
Chris Wysopal ( @Weldpond ) - Chris is the Founder, CTO and CISO of VeraCode, a company dedicated to software security as-a-service. Chris has a long and storied history in the security industry dating back to L0pht Heavy Industries. His bio and profile can be found on LinkedIn.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
1/6/2014 • 48 minutes, 21 seconds
DtR Episode 72 - Applied Threat Research and Defense
In this episode
Will gives us a lay of the land on the state of "state sponsored" and advanced threats
We discuss collective advances in malware
We discuss the persistence of 'old' malware, and code re-use
We discuss enterprise defense and strategy
Will gives us some wisdom from his experience in helping clients defend themselves
Guest
Will Gragido ( @wgragido ) - Will is currently a senior manager in the Threat Research Intelligence organization at RSA NetWitness. Will is an information security and risk management professional with over 18 years' professional industry experience; Mr. Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr. Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. You can get more information on Will on his LinkedIn page.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/23/2013 • 47 minutes, 19 seconds
DtR Episode 71 - The 2013 Year in Review
Hello! This is a special episode in that it's our year-end wrap-up. We bring together 3 of the industry's best to talk about the year that was, the things that were on your mind, and maybe give us a hint at what is to come...
Guests
Will Gragido ( @wgragido ) - Will is the Sr. Manager of Threat Research Intelligence for RSA NetWitness and a lightweight with the cold medicine.
John Pirc ( @jopirc ) - John is the Vice President of Research at NSS Labs, with very strong hair.
David Marcus ( @DaveMarcus ) - David is the Director and Chief Architect of the Federal Advanced Program Group at McAfee and a kettle bell monster!
Notably absent, but invited, were Dave Lewis ("fell asleep") and Dave Kennedy ("was on an airplane") ...apparently because I thought it would be fun to invite every Dave I know....... but seriously next time guys :)
James and I would like to wish all our listeners a very merry holiday season, and a happy, healthy and prosperous 2014.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/16/2013 • 1 hour, 28 minutes, 9 seconds
DtR Episode 70 - Embedded Systems Shenanigans
Folks, if you work with, design, or implement embedded systems this is one episode you don't want to miss. Fair warning, it's a little bit long at just over 50 minutes total. I hope you find the extra time worth the effort of listening, I know we sure did!
In this episode
The quirky things that Josh's organization gets to work on and deconstruct
The methodology of breaking foreign things
Android and why it's "horribly interesting" beyond just the OS everyone sees
Hacking Android at the very, very, very basic hardware interface(s)
Copy/Paste software development and its pitfalls
Embedded devices as pivot points for intrusion
The importance of embedded systems, and why no one is writing secure code (still)
Guest
Josh Thomas ( @m0nk_dot ) - Chief Breaking Officer for Atredis, Security researcher, mobile phone geek, mesh networking evangelist and general breaker of things electronic. Typical projects of interest span the hardware / software barrier and rarely have a UI. m0nk has spent the last year or two digging deep into Android and iOS internals, with a major focus on both the network stack implementation and the driver and below hardware interfaces. He uses IDA more frequently than Eclipse (and a soldering iron more than both). His life dreams are to ride a robot unicorn on a moonlit beach and make the world a better place, but mostly the unicorn thing...
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/9/2013 • 51 minutes, 4 seconds
DtR Episode 69 - NewsCast for December 2nd, 2013
Special thanks to Steve Ragan ( @SteveD3 ) for sitting in this morning and providing his perspective as a journalist.
Topics Covered
"Leaked" FBI memo to government agencies says "there's a hacking spree on government websites, and it's Anonymous!" (we have to chuckle, a little) - http://www.theregister.co.uk/2013/11/18/anon_us_gov_hack_warning/ , http://www.thewire.com/national/2013/11/fbi-anonymous-hackers-stole-over-100000-employees-information/71675/
Fokirtor is a very interesting new piece of malware that targeted Linux systems, but by slipping into SSH comms - http://www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/ ( and a related piece of malware - http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices )
The Healthcare.gov website is a case study in how not to release a web app, or complex system; and it's not even a partisan issue anymore - http://arstechnica.com/security/2013/11/healthcare-gov-targeted-by-more-than-a-dozen-hacking-attempts/
Ahead of the G20 meeting to be held there in 2014, the city of Brisbane, Australia performs a penetration test on their physical city infrastructure, finds major flaws. A plot from "The Italian Job"? - http://www.qao.qld.gov.au/files/file/Reports%20and%20publications/Reports%20to%20Parliament%202013-14/RTP5Trafficmanagementsystems.pdf
[Scary] Renesys says someone is hijacking the Internet ... but is it on purpose, or just mistakes? (Does it matter?) -
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
12/2/2013 • 34 minutes, 59 seconds
DtR Episode 68 - Buffer's Big Hack
I want to thank Carolyn Kopprasch and the @BufferApp team for getting back to me, and agreeing to not only join the podcast, but also field questions from "anyone" ...what a cool group of people!
In this episode
Carolyn gives us some of the insider's perspective on what really happened, when Buffer got hacked
Carolyn and I discuss triage methodology, and how Buffer's small team responded
In-depth conversation on the communications strategy and implemented plan to be totally transparent
We discuss that point where it's time to "shut it down" and the need to have the ability and information to make the decision Buffer's team did when they shut down the service temporarily
Carolyn talks about some of the non-typical ways that her team detects potential security issues
Carolyn dispenses some solid advice for anyone in a small shop that may be operating ultra-lean
Finally, Carolyn and I talk about software security and what role it (or the lack thereof) played in the Buffer incident
Guest
Carolyn Kopprasch ( @CaroKopp ) - Carolyn is currently Buffer's "Chief Happiness Officer". Her role is to make sure that Buffer's customers are, in fact, happy. Also she has a web presence right here: http://CaroKopp.com
Links!
Buffer's communications page: http://open.bufferapp.com/buffer-has-been-hacked-here-is-whats-going-on/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/22/2013 • 38 minutes, 19 seconds
DtR Episode 67 - NewsCast for November 18th, 2013
I'm back! Maybe a little sleep-deprived and a tad grumpier than usual, but back to talk news!
Topics Covered
Microsoft unveils the new Digital Crime Unit, and it is quite the statement - http://www.darkreading.com/attacks-breaches/microsoft-unveils-state-of-the-art-cyber/240163924 http://www.microsoft.com/en-us/news/presskits/dcu/
CME Group hacked, claims platform and trades unaffected ...let's hope so - http://www.businessweek.com/news/2013-11-15/cme-group-says-its-computers-were-hacked-no-trades-affected
Jeremy Hammond, Chicago's very own romanticized criminal - http://www.nbcnews.com/technology/hacker-tied-anonymous-gets-10-years-prison-cyberattacks-2D11603760
The FBI says there's a "hacking spree" on government websites by Anonymous hackers. You don't say ... - http://arstechnica.com/security/2013/11/fbi-warns-hacking-spree-on-government-agencies-is-a-widespread-problem/
There's an apparent zero-day in vBulletin, and it's serious enough that Def-Con's forums were taken down pro-actively ... - http://www.computerworld.com/s/article/9244109/Hackers_use_zero_day_vulnerability_to_breach_vBulletin_support_forum
If you use SnapChat to send questionable selfies hoping they'll just evaporate...you're in for a bad time - http://www.sidhtech.com/news/snapchat-android-hack-iphone/10024107/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/18/2013 • 29 minutes, 14 seconds
DtR Episode 66 - ISSA International 2013 - Cowperthwaite Weighs In
In this episode...
We revisit some of the topics Eric & I talked about nearly 2 years ago at ISSA International, Baltimore.
Eric discusses the paradigm shift that needs to happen in security
We talk about shifting resources (in the defensive) from "everything" to something more reasonable
Eric and I discuss how CISOs must re-allocate resources to survive in a post-breach reality
Guest
Eric Cowperthwaite ( @e_cowperthwaite ) - Vice President, Advanced Security and Strategy at CORE Security, a Boston-based security vendor. CORE is the leading provider of predictive security intelligence solutions for enterprises and government organizations. We help more than 1,400 customers worldwide preempt critical security threats throughout their IT environments, and communicate the risk the threats pose to the business. Our patented, proven, award-winning enterprise solutions are backed by more than 15 years of applied expertise from CoreLabs, the company's innovative security research center.
Eric was formerly the CSO of Providence Health & Services, a healthcare delivery organization with $12.5 billion in revenue, 32 hospitals and more than 65,000 employees, headquartered in Seattle, WA.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/11/2013 • 36 minutes, 32 seconds
DtR Episode 65 - NewsCast for November 4th, 2013
Hey all - Raf here and I wanted to thank James for flying solo as my wife and I celebrate the birth of Niccolai and Isabella our new twins! I'll be back in our next episode...
Topics Covered
The buzz over calling yourself a 'hacker' - http://www.theguardian.com/technology/2013/oct/24/hacker-computer-seized-us-open-source (Raf's note - I personally think the way this has been spun is largely to gain clicks/readers, it was very well analyzed here - http://theprez98.blogspot.com/2013/10/omg-call-yourself-hacker-lose-your-4th.html )
A follow-up on Dick Cheney's pacemaker paranoia - http://www.dotmed.com/news/story/22298
Big name limo service hacked, discloses info on big-name clients - http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
Look out, hackers may be targeting SAP users - http://www.computerworld.com/s/article/9243727/New_malware_variant_suggests_cybercriminals_targeting_SAP_users?taxonomyId=17
Java patching lagging, attackers exploiting, story at 11 - https://www.securityweek.com/java-attacks-jump-user-patching-lags-kaspersky-lab
It just got real. Real 2010, that is, as Yahoo unleashes bug bounty program - http://www.tripwire.com/state-of-security/top-security-stories/yahoo-unleashes-new-bug-bounty-program/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
11/6/2013 • 21 minutes, 44 seconds
DtR Episode 64 - A US Attorney's Perspective on Cybercrime
Special thank you to the US District Attorney's office for the Southern District of California for a fantastic interview and for letting us pick Sabrina's mind for the podcast...
In this episode...
Hackers, carders, and the disturbing trend of them pairing up with the traditional mafia
The challenge of VPSes in cyber-crime
Evangelizing the truths about cyber-crime to businesses, average person
An insight into the way that 'bad guys' specialize in the criminal underground
An insight into (bottom-up) investigative models available to law enforcement, as it pertains to hackers
Are cyber criminals fleeing or hacking from non-extradition countries?
The delicate dance of involving the government in a hacking or breach case
Seeking the white whale - an organization that hasn't been breached (yet)
3rd party data sharing and your privacy - do you have any left?
Guest
Sabrina Feve - Sabrina is an Assistant US Attorney (AUSA) for the Southern District of California, specializing in hacking and cybercrime cases.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/26/2013 • 49 minutes, 21 seconds
DtR FeatureCast - Rt Hon Baroness Neville-Jones on CyberSecurity
In this episode
We get a peek into the first member of English Royalty that we've ever had on the podcast
Baroness Neville-Jones discusses the difficulties in cybersecurity at the government level
We discuss the challenges of policy, compliance and implementing real-life security
The Baroness discusses her efforts to raise both the awareness and collective security of business
The Baroness discusses a bit about critical infrastructure protection
I ask the uncomfortable question in the wake of the Snowden disclosures - privacy vs. security...
Guest
Rt Hon Baroness Neville-Jones - Baroness Neville-Jones is a long-time political figure in the UK Parliament, House of Lords. She recently retired from public service and now focuses on the public-private partnership for cybersecurity in the UK. She has an amazing history and rather than try to summarize it here, I simply point you to her biography page at http://www.conservatives.com/People/Peers/Neville-Jones_Pauline.aspx
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/26/2013 • 28 minutes, 49 seconds
DtR Episode 63 - NewsCast for October 21st, 2013
Thanks to Josh Corman for joining us this morning ... always nice to have Josh's experience and brain power on the show.
Topics Covered
Gargantuan Oracle CPU (Critical Patch Update) including -51- Java security fixes! - http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Huawei calling for "independent cybersecurity assurance lab" framework, an interesting but difficult thing - http://www.informationweek.com/security/application-security/huawei-proposes-independent-cybersecurit/240162840
Dick Cheney, fearing an assassination attempt, had wireless pacemaker removed in 2007 - http://www.theguardian.com/world/2013/oct/19/dick-cheney-heart-assassination-fear
Chesapeake hospice suffers breach, but there's a lesson in the tragedy - http://www.hispanicbusiness.com/2013/10/19/hospice_of_chesapeake_shut_down_computer.htm
NPI research shows companies will overpay $10.1 billion for IT security solutions in 2013, worse in 2014 - http://www.prweb.com/releases/2013/10/prweb11239951.htm
Minor Verizon security bug, issues with coordinated disclosure, fix timelines, and the much bigger white elephant in the room - http://prvsec.com/verizon-wireless-message-detail-disclosure.html
Hat-tips this week go to...
Brian Katz ( @bmkatz ) because we borrowed your 'crapplications' example
Alex Hutton ( @AlexHutton ) - Josh borrowed your "Alex head asplode"
Wendy Nather ( @451Wendy ) because we mentioned your 'security poverty line' concept
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/21/2013 • 44 minutes, 20 seconds
DtR Episode 62 - A Peek Behind the Blue Curtain
In this episode...
James and I host legitimate Polynesian royalty (a princess....) really!
Katie gives us the skinny on Microsoft's 10 year progression to get to a bug bounty program
We discuss the merits of bug bounties and execution in a very large enterprise
Katie gives us as many details as she can about the recent $100,000 payout
Much... much ... more!
Guest
Katie Moussouris ( @k8em0 ) - Katie runs the Security Community Outreach and Strategy team for Microsoft as part of the Microsoft Security Response Center (MSRC) team to help drive crucial elements of our security community strategy effort. She is a Senior Security Strategist Lead, and let's not sell her short - she is royalty!
She created and drove the first ever Microsoft security bounty programs (www.microsoft.com/bountyprograms), which received 18 vulnerabilities and a new attack technique that will help Microsoft build stronger defenses that will protect the entire platform from this new class of attack.
She serves as lead subject matter expert in the US National Body for the ISO work item 29147 "Vulnerability Disclosure", scheduled for publication in 2013, and does countless other efforts associated with the ISO standards body and various other industry groups.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/14/2013 • 44 minutes, 9 seconds
DtR Episode 61 - NewsCast for October 7th, 2013
Big thanks to the soon-to-be-regular peanut gallery ... @JoeKnape and @BeauWoods for jumping in this morning and breaking it down with James and me.
As a personal message to those of you who listen and our community - please ...remember we all live in a giant glass house, and throwing rocks is a bad, bad idea. I've said it before and I'm looking right at the media for this one (ahem...) - unless you've been in a high-stress environment and have successfully thwarted every attack, please don't go trying to personally attack those out there who work hard at it every day. It just makes you look like an idiot. Nobody wins when we name and shame and attack people personally. Remember that when it's your turn to stand in the spotlight.
Topics Covered
Adobe got popped. Bad. ~2.9 million users' information, encrypted credit card details, source code. The only thing worse than this story is the kind of media trolls it brought out... - http://www.computerworld.com/s/article/9242963/Hackers_steal_data_on_2.9_million_Adobe_customers?taxonomyId=82&pageNumber=2 and this unfortunate mess from Richi Jennings https://plus.google.com/117220625678034723010/posts/EjP4JjKFd6w
13 Anonymous 'members' indicted for DDoS attacks - http://www.computerworld.com/s/article/9242969/US_indicts_13_Anonymous_members_for_DDoS_attacks
LA schools gave out "locked down" iPads. Students circumvented. Hilarity ensued. http://blogs.computerworld.com/mobile-security/22929/what-la-schools-forgot-boneheaded-ipad-hand-out
Senior Iranian Cyber official killed (assassinated?) - http://www.matthewaid.com/post/63207233044/the-mystery-surrounding-the-killing-of-a-senior-iranian
Proof that the first people to get paid should be the ones who hold the keys to your doors - http://nycfreshmarket.com/ (as long as the page stands, then check out the tweet I re-posted https://twitter.com/Wh1t3Rabbit/status/387076594407575552 )
So ... does anyone actually read these? If so, let me know on Twitter? Hashtag #DtR
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
10/7/2013 • 46 minutes, 1 second
DtR Episode 60 - Conversations from DerbyCon 3
In this episode...
Dave Kennedy wraps up DerbyCon 2013, and gives us the statistic you don't want to tell your management
Dave announces the top secret guest for DerbyCon 4
Chris & Gabe discuss risk modeling using REAL automated tools
Gabe introduces us to his concept of using a 'big data' approach to risk modeling
We discuss risks, network segmentation, and other things you're doing wrong
Guests
Dave Kennedy ( @Dave_Rel1k ) - Dave Kennedy is the founder of TrustedSec, and the brain behind DerbyCon.
Chris G ( @SecbitChris ) - Chris is one of the brains behind the SecuraBit podcast
Gabe B ( @gdbassett ) - Gabe is an industry expert
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/30/2013 • 43 minutes, 27 seconds
DtR Episode 58 - NewsCast for September 23rd, 2013
I want to thank Mr. Josh Corman ( @JoshCorman ) for guest-commentating today's episode, and lending his expertise and industry leadership point of view.
Topics Covered
UK's GCHQ has been using Prism (Courtesy of the NSA) to spy on you ... the revelation continues - http://www.telegraph.co.uk/news/uknews/law-and-order/10106507/GCHQ-has-been-accessing-intelligence-through-internet-firms.html
Wisconsin trucker vs. Koch Industries, just what is a "direct loss"? - http://www.kfdi.com/news/local/Wisconsin-man-pleads-guilty-in-cyber-attack-on-Koch-Industries-223365221.html
iPhone, fingerprint reader, #IsTouchIDHacked - http://www.forbes.com/sites/markrogowsky/2013/09/22/iphone-fingerprint-scanner-hacked-should-you-care/
Can the FTC (and other government entities) go after companies who fail to do reasonable security? (also, what does that mean?) - http://www.computerworld.com/s/article/9242531/FTC_lacks_data_breach_authority_says_accused_medical_lab?taxonomyId=17&pageNumber=2
The gang that popped Bit9 is at it again, IE 0-day in the wild - http://www.computerworld.com/s/article/9242570/Security_org_raises_Internet_threat_level_after_seeing_expanded_IE_attacks
More information on The Cavalry
The talk: "The Cavalry Isn't Coming: Starting the Revolution to FSCK it all!"
The video of the more mellow, smaller BSides "warm-up before DEF CON 21" is here: http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/1-2-2-the-cavalry-isnt-coming-starting-the-revolution-to-fsck-it-all-nicholas-j-percoco-and-joshua-corman
Twitter: @iamthecavalry
URL: http://iamthecavalry.org
email: info@iamthecavalry.org
google group: https://groups.google.com/d/forum/iamthecavalry
Josh Corman's Bio:
Joshua Corman is the Director of Security Intelligence for Akamai. Mr. Corman's cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges and toward emerging technologies and shifting incentives.
A staunch advocate for CISOs, Corman also serves as a Fellow with the Ponemon Institute, on the Faculty for IANS, co-founder of Rugged Software and was a 2009 Top Influencer of IT in NetworkWorld. Corman received his bachelor's degree in philosophy, graduating summa cum laude, from the University of New Hampshire.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/23/2013 • 41 minutes, 26 seconds
DtR FeatureCast - HP Protect 2013 - Episode 3
For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together to not only solve real-world problems but to also help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event - check out the HP Protect website.
I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a service provider, a practitioner, and 2 vendor-partners and talk real-world security...
Episode 3 - Vikas Bhatia (CEO of Kalki Consulting) and Anton Goncharov (Managing Principal of MetaNet, LLC) - In this discussion, we just barely scratched the surface on the challenges SMEs face with integrating security into business processes and developing security solutions on a shoestring. This discussion focuses entirely on processes and the need for business integration and insight - and is likely the starting point for many further conversations to come.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/18/2013 • 29 minutes, 51 seconds
DtR FeatureCast - HP Protect 2013 - Episode 2
For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together to not only solve real-world problems but to also help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event - check out the HP Protect website.
I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a service provider, a practitioner, and 2 vendor-partners and talk real-world security...
Episode 2 - Wasif Shakeel, Program Director Information Security, General Dynamics - Wasif and I discovered that we have entirely too much in common, and talked about the need for a sane, process and measurement approach to security and handling the "needle in a haystack" problem many Security Operations Centers are faced with.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/18/2013 • 23 minutes, 31 seconds
DtR FeatureCast - HP Protect 2013 - Episode 1
For those of you unfamiliar with the event, HP Protect is the premier event of the year for the HP Enterprise Security products and services organization, held to bring customer practitioners, industry experts, products/services managers and their support specialists together to not only solve real-world problems but to also help set the course for the next year. If you've not had a chance to attend the event and you're an HP customer, or you're interested in the event - check out the HP Protect website.
I was a guest at the conference this year and had an amazing opportunity to sit down in 3 separate sessions with a service provider, a practitioner, and 2 vendor-partners and talk real-world security...
Episode 1 - Ian Beckford, Senior Product Manager, TELUS Security Solutions - Ian and I had a lively discussion around the service-provider use of the analytics and network security devices (currently ArcSight and TippingPoint) to provide customers with security solutions which benefit them, while remaining cost effective.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/18/2013 • 20 minutes, 5 seconds
DtR Episode 58 - Of BSides and Bettering Infosec
In this episode...
Mike explains once and for all how the BSides namesake came to be
We talk about how the industry has evolved over the last 10+ years
Mike dispenses a little of his philosophy on how to better the industry
We talk burnout and why it exists, and possibly how to get through it
Guest
Mike Dahn ( @MikD ) - Mike Dahn is one of the original co-founders of the Security BSides conference many of you have attended, spoken at, or heard of. In addition to that, Michael Dahn is an information security and organizational design strategist responsible for the management of data strategies, project engagements, and cost modeling. With over 12 years of information security experience, Mr. Dahn has managed teams of 50 people and budgets of up to $30m annually for Fortune 500 companies. Today he focuses on leading mobile security strategies and industry relations.
He is an industry leader in regulatory compliance issues who previously worked for Visa, Pricewaterhouse Coopers, and Verizon Business, created PCI training for and trained over 10,000 assessors, merchants, and vendors globally. He contributes regularly to the continued development of the global PCI guidelines.
During his tenure Mr. Dahn has presented to a variety of financial and banking associations (FDIC and NCUA), including regulatory bodies such as the PCI Council, and information security groups on topics including mobile security, compliance, information security programs, auditing and network security, and computer hackers. He has been published in several news articles and TV spots on information security.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/16/2013 • 35 minutes, 46 seconds
DtR FeatureCast - HTCIA International 2013
Today I had the pleasure of sitting down with one old friend, and one new. As a speaker at the HTCIA International conference, and the CISO Summit - I had the opportunity to gain some valuable insight, meet lots of excellent leaders, and forge some new relationships. As a wonderful side-effect I had the pleasure of sitting down with Mike Murray of Mad Security, and Vince Skinner an attendee of the conference and security leader of his enterprise.
We talked about a range of topics from history of the information security industry, to our experiences and the current lack of direction and strategy in much of the enterprise space. We also discussed some topics that dated us quite a bit ...so don't judge!
Guests
Mike Murray ( @MMurray ) - Mike is the co-founder of Mad Security, an industry veteran and mentor, and an all-around fantastic friend.
Vince Skinner ( @SkinnerVince ) - Vince is the Information Security and Business Continuity Manager, AVP of D.A. Davidson & Co.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/13/2013 • 44 minutes, 9 seconds
DtR Episode 57 - NewsCast for September 9th, 2013
I want to thank our guests - Beau Woods and Joe Knape for joining us this morning. It was great to have these two well-versed commentators on the show ...vote with your downloads folks - if you want to make this a regular thing leave us a comment!
Topics Covered
RedHack 'hacks' Turkish police website, stops border traffic? - http://www.hurriyetdailynews.com/redhack-hacks-turkish-police-website-as-border-traffic-grounds-to-a-halt.aspx?pageID=238&nID=53904&NewsCatID=341
A few thoughts on the NSA/Crypto from Matthew Green's blog - http://blog.cryptographyengineering.com/2013/09/on-nsa.html
The FTC settles with TRENDnet (the webcam shouting obscenities at the 2yr old story) - http://www.bostonglobe.com/business/2013/09/04/ftc-settles-complaint-over-hacked-security-cameras/uYjAuRcb4uCz51Zt1HSGbP/story.html
Citi ordered to pay $10.86/record, more harm than good - http://www.infosecurity-magazine.com/view/34328/citi-ordered-to-pay-55k-to-connecticut-over-2011-data-breach
NY Times hacked (again) but this time it's DNS ...DNS is baaaaack - http://www.thestreet.com/story/12020336/1/new-york-times-website-hacked-in-likely-malicious-external-attack.html
"This is why we can't have nice websites" - http://www.reddit.com/r/PHP/comments/1l7baq/creating_a_user_from_the_web_problem/
Other Links
FTC FAQ (Thanks to Beau Woods) - http://business.ftc.gov/documents/bus35-advertising-faqs-guide-small-business
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
9/9/2013 • 42 minutes, 33 seconds
DtR Episode 56 - Understanding the [InfoSec] Elephant
Every once in a while this podcast has a guest who makes us truly feel blessed to be doing this - Rob Dubois is one of those people. If you don't know anything about Rob, go read his website, listen to this podcast and check out his book. He is a real American hero, a fantastic human being, and a true patriot. On behalf of James and me - I want to extend a hearty thank you for the time Rob spent, and the wisdom he's imparted.

In this episode...
Rob Dubois on being a 'badass'
the parable of the blind wise men and the elephant
be reachable and teachable (be a RAT)
the collision of boots, bits, and threats
the arrogance of security professionals is a weakness
fail early, fail often - learn from it
why plans are useless, and planning is essential
a George Carlin quote, and a "The Office" reference
a brutal lesson from PoW training

Guest
Rob Dubois ( @RobDubois ) - Rob is currently best-known for his book "Powerful Peace - A Navy SEAL's Lessons on Peace from a Lifetime at War". I can't possibly do Rob justice but to call him a true, powerful, "badass"... check him, his book, and his powerful message out for yourself on his blog SEAL of Peace.
9/4/2013 • 49 minutes, 56 seconds
DtR Episode 55 - NewsCast for August 26th, 2013
Since James is out this week with something called "work", I've pulled in two friends (affectionately known as "The Joshes") Josh Marpet and Josh C. Big thanks to these fine gentlemen for stepping in and co-chairing this Monday morning quarterback session... I hope you enjoy!

Topics Covered
Fraudsters target "wire payment switch" at banks to steal millions - http://www.scmagazine.com/fraudsters-target-wire-payment-switch-at-banks-to-steal-millions/article/307755/#
Insurer to Schnucks: We won't pay for lawsuits related to your breach - http://www.scmagazine.com/insurer-to-schnucks-we-wont-pay-for-lawsuits-related-to-your-breach/article/307960/#
NASDAQ has a "technical glitch" ... halts trading in the middle of the day - http://www.eweek.com/security/nasdaq-trading-halted-by-technical-issue/
Apple App Store infiltrated by researchers' Jekyll malware - http://www.nbcnews.com/technology/apple-app-store-infiltrated-researchers-jekyll-malware-6C10945771
Hacker takes over baby-monitoring IP cam, shouts obscenities... world put on alert - http://www.bbc.co.uk/news/technology-23693460

Other links
Link to the now-defunct'ish "CamWar" maintained by @Viss - http://atenlabs.com/camwar/
Josh Brashars' talk at BayThreat 2011 was called "Inagada Davida (Or, Scary **** on Cellular Modems)"
8/26/2013 • 31 minutes, 54 seconds
DtR Episode 54 - Evolution of InfoSec with The Godfather of IPS
In this episode...
Rob gives us a little history lesson
Rob keeps going on the history lesson, IDS, open vs. closed circuits
We discuss "defense in depth" from back-in-the-day
James re-introduces us to the "security onion"
Rob talks about "programming for super-high-speed" and scale
Constructing things to truly "build scalability in"...
Designing networks as a front-end vs. back-end architecture
Rob points out that network diagrams are always wrong

Guest
Robert Graham ( @ErrataRob ) - No, this is not Robert Graham the clothing designer, this is Robert Graham the guy who pioneered the IDS. In Robert's own words ... "I am a well-known security researcher (aka. "white-hat" hacker). I created the BlackICE personal firewall in 1998. I invented the first network intrusion prevention system (IPS) "BlackICE Guard" in 1999, which is now sold as "Proventia" by IBM."
8/19/2013 • 44 minutes, 56 seconds
DtR Episode 53 - NewsCast for August 12, 2013
Topics Covered
The trash bin that stalked me (seriously, only in London) - http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/ and a follow-up as we recorded today: http://www.bbc.co.uk/news/technology-23665490
No data breach in Indianapolis, after laptop stolen/recovered - http://www.theindychannel.com/news/call-6-investigators/state-no-data-breach-after-stolen-laptop-traced-to-indy-home
DDoS blackmail in Manchester (UK) FAIL - http://www.manchestereveningnews.co.uk/news/greater-manchester-news/two-held-over-attempted-blackmail-5680548
US national health push ("Obamacare") falling behind on security testing...who's surprised? - http://au.news.yahoo.com/technology/news/article/-/18390597/obamacare-months-behind-in-testing-it-data-security-government/
Weird password 'feature' in Chrome... - http://blog.elliottkember.com/chromes-insane-password-security-strategy
8/12/2013 • 25 minutes, 36 seconds
DtR Episode 52 - Advanced threats, remedial defenses, broken record
In this episode...
Dave reminisces a bit...
Dave discusses 'digitally signed malware' and what it means
We discuss whether it's true that 'all networks are compromised'
We discuss consumer-grade vs. corporate-grade threats, and why they're different
An interesting point by Dave about why enterprises aren't learning from their compromises
We discuss customized malware, with specific and targeted payloads for specific systems
Dave talks about whether 'combat the criminal, hire the criminal' is true

Guest
Dave Marcus ( @DaveMarcus ) - Dave is currently the Chief Architect, Advanced Research and Threat Intelligence, McAfee Federal Advanced Programs Group. He's been around the industry for a long time, and has influenced countless numbers of researchers. He is well known as a fantastic speaker, subject-matter expert and generally a badass, and I feel lucky enough to call him my friend.
8/5/2013 • 42 minutes, 34 seconds
DtR Episode 51 - NewsCast for July 29th, 2013
Ladies and gentlemen, we are over the 50 episode mark! If you've enjoyed the podcast, please go rate us in the iTunes store, or leave us a note here. Have you checked out past episodes?! There are some gems in there, I promise, and worth your time.

Topics Covered
Charlie Miller and Chris Valasek demonstrated (and will disclose code to) the hack which allows complete (tethered) remote control of a modern vehicle. You need to watch this video, and if you develop code for transport vehicles and aren't thinking about securing your code - it's time to adjust course before you actually kill someone - http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/ and this is how the UK 'muzzled' a researcher who did something similar - http://www.theregister.co.uk/2013/07/28/birmingham_uni_car_cracker_muzzled_by_lords/
Apple demonstrates how not to do breach disclosure, while Ibrahim Balic demonstrates how to jump into the spotlight (and put foot in mouth before thinking) by disclosing, video-recording, and telling the world of his 'ethical test' of Apple's forums - http://www.news.com.au/technology/ibrahim-balic-breaks-silence-on-hacking-apple-developer-site/story-e6frfro0-1226684484916 and http://gigaom.com/2013/07/22/researcher-comes-forward-to-claim-responsibility-for-intrusion-on-apple-developer-site/
After many years on the run, Russian super-hackers involved in the biggest breach of all time are caught - because they broke the first few rules of hiding - http://www.reuters.com/article/2013/07/26/us-usa-hackers-creditcards-arrests-idUSBRE96P02Z20130726
Exciting news for those of you who are sick of Android App Developers' over-reaching nature in the permissions arena: with the release of 4.3 there is a glimmer of hope in reining in those games that for some unknown reason require access to your contacts and 'premium services' and such - http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/
7/29/2013 • 28 minutes, 54 seconds
DtR Episode 50 - The Emergence of Geopolitics in InfoSec
Welcome down the rabbithole as we hit EPISODE 50! I'm thrilled that we've made it this far, and look forward to having you along for the ride into the future! At this point, I'd like to encourage you to listen to some of the fascinating guests we've had on this show, people I'm proud to have had a chat with, in the past archives... suggest guests, or just leave us a comment.
/Wh1t3Rabbit

In this episode...
We try and discuss 'defense in depth' on the geopolitical scale
@packetknife drops the truth about 'geopolitics experts' in InfoSec
Ali explains navigating the undocumented security requirements in emerging markets
We talk about whether all this stolen data from enterprise has actually made a difference
Ali discusses the 'western sense of intellectual property' (eye-opening!)
Deperimeterization - why #InfoSec must adapt this RIGHT NOW, but seems allergic to it
Ali drops 'lawfare' on us - and why #InfoSec must know its options
We discuss why people 'generally just don't get it' when it comes to moving to triage over 'secure'
Ali decides he wants to be Frank, or is that frank? :-)

Guest
Ali-Reza Anghaie ( @PacketKnife ) - Ali is a resident expert (or as much as one can be) on geopolitics from his unique background, experience and perspective. He's a well-known figure in the community and has deep insight into the things that most of us read in the media, and pretend to understand. He's the perfect guest for Episode 50!
7/22/2013 • 42 minutes, 26 seconds
DtR Episode 49 - NewsCast for July 15th, 2013
Topics Covered
9 Years After Shadowcrew, Feds Get Their Hands on Fugitive Cybercrook
http://www.wired.com/threatlevel/2013/07/bulgarian-shadowcrew-arrest
vBulletin Forums compromised (~15-~150k) to serve malware
http://news.softpedia.com/news/Around-150-000-vBulletin-Forums-Compromised-Abused-to-Serve-Malware-366442.shtml
America's EAS (Emergency Alert System) is open to compromise (still)
http://www.wired.com/threatlevel/2013/07/eas-holes/
Mobile malware up 614% y/y says Juniper, but mostly Android
http://www.computerworld.com/s/article/9240772/Mobile_malware_mainly_aimed_at_Android_devices_jumps_614_in_a_year
Blue Box Security finds "master key" issue with Android - but there's more to it
http://www.zdnet.com/android-oems-slow-to-roll-out-bluebox-security-patch-7000018012/
7/15/2013 • 28 minutes, 24 seconds
DtR Episode 48 - Securing HP Software
In this episode...
We get a little insight into the mind of Tomer, and how he thinks about security
We get an insight into what HP Software IT Management is doing to ensure security in the products they release
We discuss making security more than just a security line-item, and a business requirement
There are many "uncomfortable pauses" :)
We discuss Tomer's risk-focused approach to software quality
We ask "Is HP drinking its own champagne?"
Tomer gives us his feeling on DevOps

Guest
Tomer Gershoni - Tomer is the Information Security Officer responsible for product security for a select part of HP Software known as IT Management. Previous to that he was the CISO for HP Software-as-a-Service for over 3 years, based out of Yehud, Israel. Tomer has over 10 years' experience in Information Security and a background in software security. He is a very interesting individual, and his public profile can be found on LinkedIn here: http://il.linkedin.com/in/tomergershoni
7/8/2013 • 45 minutes, 29 seconds
DtR Episode 47 - NewsCast for July 1st, 2013
*Apologies for this very important episode getting out a bit late ladies and gents, I experienced a loss in the family so things were a little slow to re-start; we should be back on track for next week's episode.

Topics Covered
Political hacktivism is making a big splash in international news -
http://www.ilovechile.cl/2013/06/17/chile-democratic-partys-official-site-hacked/87737
http://www.kjrh.com/dpp/news/local_news/jenks/jenks-chamber-of-commerce-website-hacked-for-second-time-within-a-month
http://www.publicnewshub.com/zimbabwean-hackers-hailed-for-attacking-ancs-website/
http://www.bignewsnetwork.com/index.php/sid/215436810/scat/b8de8e630faf3631/ht/South-and-North-Korea-close-website-amid-hacking-alerts
http://www.business-standard.com/article/pti-stories/syria-s-online-troops-wage-counter-revolutionary-cyber-war-113060900065_1.html
http://www.ehackingnews.com/2013/06/turkish-ministry-of-interior-website.html
Google published their epic Transparency Report data
http://krebsonsecurity.com/2013/06/web-badness-knows-no-bounds/
http://www.google.com/transparencyreport/
European Union issues new data breach laws for telecommunications industry
http://www.infosecurity-magazine.com/view/33109/eu-announces-new-data-breach-rules-for-telecoms/
Critical vulnerabilities found in CROWD single sign-on product
http://www.computerworld.com/s/article/9240487/Critical_vulnerabilities_found_in_Atlassian_Crowd_enterprise_single_sign_on_tool
Facebook offers (pays!) $20,000 flaw for brilliant business-logic bug
http://www.eweek.com/security/facebook-patches-mobile-text-vulnerability-rewards-flaw-discoverer/
Microsoft launches a bug bounty program, for IE11 and more
http://www.microsoft.com/security/msrc/report/bountyprograms.aspx#
http://www.wired.com/threatlevel/2013/06/microsoft-bug-bounty-program/
Opera code signing certificate stolen and used to sign malware
http://www.eweek.com/security/opera-data-breach-exposes-l
7/2/2013 • 32 minutes, 11 seconds
DtR Episode 46 - Serious Problems with Industrial Control System
In this episode...
The gang discusses the issues with the rapid escalation of connectivity in modern-day industrial control systems
What specialized skills are needed to be a SCADA or ICS hacker
A nervous pause as vulnerabilities in ICS systems which could affect the adult beverage industry are touched upon
Discussion on how to deal with 25 year patch cycles
Why is it that embedded devices simply don't get patched like your other systems?
What are the real issues with ICS systems, and why they're not getting enough attention...yet

Guest
Mr. Billy Rios ( @XSSniper ) - In addition to being a long-time friend of mine, and one of the most knowledgeable and humble people in the hacking space, Billy is currently a Technical Director and the Director of Consulting for Cylance. Billy is an accomplished web application hacker, releasing an XSS tool which is currently his Twitter handle. While being a "big picture" guy, Billy also tackles some of the most complex large-scale ICS issues, and with his team works to identify and remediate threats to his clients.
6/24/2013 • 39 minutes, 40 seconds
DtR Episode 45 - NewsCast for June 17th, 2013
This week, James is flying solo on the microphone catching you up on all the latest news and BIG stories since I'm at HP Discover, Las Vegas and Suits and Spooks in La Jolla, CA. A busy week all the way around, some pretty earth-shattering news coming out!

Topics Covered
We couldn't be the only ones NOT covering the big NSA leak and revelations of spying and other surveillance. Somewhere in the hype, though, is the enterprise story of insider threat - http://www.guardian.co.uk/world/2013/jun/09/nsa-secret-surveillance-lawmakers-live
Google Glass is in the news, again, this time from an enterprise perspective. In light of the slight insider threat problem revealed lately, how will Google's glasses impact security, and society in general for good or evil? - http://www.computerworld.com/s/article/9240077/Google_Glass_could_get_a_look_at_the_enterprise
Apple made the news with iOS7 and the big "kill switch" feature, is this really a good idea that actually works or a desperate gimmick to demonstrate innovation? (especially in light of the lock screen bypass in iOS7 beta!) - http://www.cnn.com/2013/06/11/tech/mobile/iphone-ios7-kill-switch and http://www.forbes.com/sites/andygreenberg/2013/06/12/bug-in-ios-7-beta-lets-anyone-bypass-iphone-lockscreen-to-access-photos/
Google noticed a significant spike in phishing traffic to GMail around the Iranian "election" (and I use that in quotes on purpose), an interesting developing story - http://money.cnn.com/2013/06/14/technology/security/google-phishing-iran/index.html
Last but certainly not least, how about that 2+ year old Adobe Flash bug that's being exploited in Chrome to allow attackers (or just perverts) to spy on you using your webcam... creepy! - http://www.forbes.com/sites/andygreenberg/2013/06/14/two-year-old-flash-bug-still-allows-webcam-spying-on-chrome-users/
6/17/2013 • 20 minutes, 16 seconds
DtR Episode 44 - Unmasking Security Products
In this episode...
We discuss the true nature of many of the security product decisions CISOs have to make every day
Frank and Raf make very poorly thought-out sports analogies
There are uncomfortable lengths of silence (mostly edited out)
The crew discusses NSS Labs, and what they do to help the CISOs out there make smarter decisions
"Someone" asks about anti-virus...

[ More info on NSS Labs and the two guests today can be found here: https://www.nsslabs.com/analysts and https://www.nsslabs.com/ ]

Guests
Frank Artes ( @franklyfranc ) - Research Director Francisco Artes is a recognized information security executive who has helped form some of the motion picture & television industry’s best practices for securing intellectual property. Artes is also known for his work on cybercrime, hacking and forensic security issues with various federal, state and local government and law enforcement agencies such as the US Dept. of Homeland Security, the FBI, the Texas Rangers, US Marshals and several others. Mr. Artes most recently served as Vice President, Chief Architect / Content Protection for Trace3, and as Vice President, Security Worldwide for Deluxe Entertainment Services Group. Artes has presented on six of the seven continents, serves on several boards and is a Trusted Adviser for The Security Consortium.
John Pirc ( @jopirc ) - Research Vice President John Pirc is a noted security intelligence and cybercrime expert, an author and a renowned speaker, with more than 15 years of experience across all areas of security. The co-author of two books, “Blackhatonomics: An Inside Look at the Economics of Cybercrime” (published in December 2012), and “Cyber Crime and Espionage” (published in February 2011), Pirc has been named a security thought leader by the SANS Institute and speaks at top tier security conferences worldwide. Mr. Pirc’s extensive expertise in the security field includes roles in cybersecurity research and development for the Central Intelligence Agency, Chief Technology Officer at CSG LTD, Product Manager at Cisco, Product Line Executive for Security Products at IBM Internet Security Systems, Director of McAfee's Network Defense Business Unit and, most recently, Director of Security Intelligence at HP Enterprise Security Products, where he led the strategy for next generation security products. In addition to a bachelor's degree in Business Administration, Pirc holds the NSA-IAM and CEH certifications.
6/10/2013 • 47 minutes, 24 seconds
DtR Episode 43 - NewsCast for June 3rd, 2013
It's June already?! Where has the first half of 2013 gone? James and I break down the last 2 weeks of interesting InfoSec news in a short "Monday morning quarterback" style... enjoy!

Topics Covered
Evernote adds 2-step verification for their authentication, and follows suit with just about every other 'modern' app. Following on the heels of Twitter, LinkedIn, FaceBook, Apple and the one that started it all, Google - we're now getting multi-step authentication from Evernote. Free users not welcome ...yet? - http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/
Dropbox down for more than an hour, but it wasn't a security bug (we don't think), it's just that they had 'technical difficulty'. If you depend on Dropbox for your file synchronization services, you knew this happened - http://www.computerworld.com/s/article/9239648/Dropbox_goes_down_for_more_than_an_hour
NIST 500-299 "Cloud Computing Security Reference Architecture" document is released. There's a bit of irony here, as the document itself is a whopping 299 pages! - http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf
Drupal.org has been hacked, and it appears 2013 just isn't a good year for the folks over at Drupal. Apparently about 1 million accounts have been compromised/affected, and all accounts had their passwords reset - I apparently had a Drupal account I don't remember anymore and my password was reset too - http://techcrunch.com/2013/05/29/drupal-org-hacked-user-details-exposed-and-reset/
Google changed its disclosure policy for critical issues that are actively being exploited from the standard 60 days, to 7. A week. 7 days down from 60 ... this needs more reading and discussion - http://www.csoonline.com/article/734286/google-zero-day-disclosure-change-slammed-praised
Hackers are exploiting a Ruby on Rails vulnerability that was patched this past January, so zero-day no longer applies... the lesson here is to patch in a timely fashion! - http://www.computerworld.com/s/article/9239588/Hackers_exploit_Ruby_on_Rails_vulnerability_to_compromise_servers_create_botnet?taxonomyId=17
6/3/2013 • 27 minutes, 3 seconds
DtR Episode 42 - Threat Modeling
In this episode...
John discusses some of the foundational principles of Threat Modeling
We talk about why threat modeling is like your time in high school
We discuss why threat modeling is such an incredibly important tool to the enterprise
John gives us some nuggets of his experience with threat modeling enterprise applications

Guest
John Steven ( @m1splacedsoul ) - John Steven is the Internal CTO at Cigital with over a decade of hands-on experience in software security. John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John’s keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.
John is known for his in-depth work in software security, his expertise in the field of threat modeling, and his snarkcasm. If you don't follow John on Twitter or haven't attended one of the talks he's been known to give occasionally - I recommend you do so.
5/28/2013 • 47 minutes, 29 seconds
DtR Episode 41 - NewsCast for May 20th, 2013
Welcome to Monday, May 20th 2013 as James and I discuss the last 2 weeks' worth of Information Security news and relate it (attemptively) to your enterprise day-job. This week was a bit on the lighter side, with the quote of the year (as far as I'm concerned) winner going to the Washington State Administrative Office of the Courts for ...well, you'll just have to read the rest of the show notes and listen to the podcast.
Also ... we are now on the Zune store. So ...to the 2 new Zune listeners - HELLO!

Topics Covered
Researchers at Trend Micro uncover new cyberespionage campaign, call it SafeNet (in unrelated news SafeNet the security company had nothing to do with this...). Yet another cyberespionage campaign targeting users with the revolutionary new technique called "phishing", and using a vulnerability in Microsoft software patched in April 2012, originating from ... China! - http://www.computerworld.com/s/article/9239342/Researchers_uncover_SafeNet_a_new_global_cyberespionage_operation
Domain registrar Name.com hacked, customer information including potentially usernames, email addresses, encrypted passwords (just how encrypted are we talking here? ROT13? double-XOR?), and encrypted (same question as before) credit card information potentially stolen. Again, the vector of choice is this revolutionary new technique called ... phishing - http://www.pcworld.com/article/2038263/namecom-forces-customers-to-reset-passwords-following-security-breach.html
Godzilla hacked EC-Council (this needs no explanation) - http://www.esecurityplanet.com/hackers/ec-council-hacked.html
Four former LulzSec members (former?) sentenced for their roles in the 2011 attacks on companies such as Sony, Nintendo, News Corp, the CIA and many others. Sentences range from a 30-month prison term for "Kayla" to 200 hours of community service for T-Flow. Justice? Interested to hear what you think - http://www.computerworld.com/s/article/9239302/Four_former_LulzSec_members_sentenced_to_prison_in_the_UK
Washington State's court system has been compromised, exposing 160,000 social security numbers and a million drivers' license numbers - basically everything you'd ever need to steal someone's identity. Luckily officials have determined that only 94 of those were definitely obtained by the attacker (what?!). Also, ridiculous quote of the year honors go to the "officials" for this: ".. officials at first believed no confidential information was leaked even though a large amount of data was downloaded from the website, the Washington State Administrative Office of the Courts said." - http://tech2.in.com/news/general/up-to-160000-social-security-numbers-exposed-in-washington-state-court-hack/872700
5/20/2013 • 26 minutes, 49 seconds
DtR Episode 40 - Breakers, Builders, and the Enterprise
In this episode...
Kevin, James and I discuss why penetration testing reports are often so worthless
Kevin and I disagree. Then we agree, sort of.
We discuss the major differences between the 'builder' and 'breaker' mindset, and whether they're actually different people
Kevin gives some fantastic examples of how context and experience are critical in penetration testing
We provide guidance on how someone can 'break into' (no pun intended) penetration testing and be effective
Kevin gives an example of how someone can be a great penetration tester, but be of little value beyond that
We wrap by discussing how enterprises can gain value from penetration testing - and Kevin provides an interesting strategy

Guest
Kevin Johnson ( @SecureIdeas ) - Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for the SANS Institute and a faculty member at IANS. He is also a contributing blogger at TheMobilityHub. Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF, a web pen-testing environment; Laudanum, a collection of injectable web payloads; Yokoso, an infrastructure fingerprinting project; and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.
5/13/2013 • 45 minutes, 37 seconds
DtR Episode 39 - NewsCast for May 6th, 2013
It's another beautiful Monday (somewhere) and we've got the news of the last 2 weeks covered, and we're breaking it down for you. The news this week is, well, quite frankly kind of dark. Everything tells us we're in for a rough ride for the rest of the year, and it's only getting worse.
If I sound a little funny, it's because I'm talking through a massive sinus infection and it's making me talk funny and stuffy. Also the recording you hear is take 2 ... I had a major technology fail so we had to re-record, with less sadness.

Topics Covered
We are happy to report that Justin Bieber is in fact, not coming out of the closet and E! Online was only hacked by those wacky military hackers from the Syrian Electronic Army. Apparently they've been on quite the hacking spree of media outlets and even put a major - albeit brief - dent in the stock market! - http://www.nydailynews.com/entertainment/e-online-twitter-account-hacked-article-1.1335214
The US Department of Labor was hacked, in what appears to be a very targeted 'watering hole' attack aimed at Nuclear employees. The attackers, if the stories are true, burned an IE8 0-day on this one, and of course they are Chinese - http://www.eweek.com/security/zero-day-exploit-enabled-cyber-attack-on-us-labor-department/
Anonymous is threatening a massive attack against the White House (the political entity not the ...nevermind), Bank of America, Citibank and other targets on May 7th. Are these folks just becoming part of the 'background noise' of the Internet? Are security professionals just starting to become numb to the DDoS attacks? - http://pastebin.com/TyvAK20F
Chinese hackers have apparently ransacked QinetiQ, a defense contractor with ties to global cyber intelligence operations, spooks, and other interesting things. Bloomberg's write-up was not kind to these guys - http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
In the perfect illustration of the fact that insider threats are real, a systems manager returned to the company he was no longer employed at and wreaked havoc. Folks, there is no magic 1U box that will stop this sort of attack, be vigilant and have good auditing and processes! - http://www.computerworld.com/s/article/9238874/Systems_manager_arrested_for_hacking_former_employer_39_s_network
5/6/2013 • 29 minutes, 1 second
DtR Episode 38 - Enterprise Security in the Real World
In this episode... Live (live-to-tape) from 44Con, London, England.
It's amazing, listening to this episode recorded at 44Con last fall, how little the landscape of enterprise security has changed. I took some time during the busy conference to sit down with Ian Amit and Dennis Groves to discuss Ian's and my talks (which were perfectly aligned, and completely unplanned!) on the state of security in the enterprise. It's always interesting to get the perspective from 2 industry-well-known speakers and thinkers.
We discuss the topics of #SecBiz including the role of security in the enterprise, the challenges business security professionals face, metrics, and why we have some of the crazy change management failures in security. We laugh, we almost start to cry - but ultimately come to the realization that we need change. Ian and Dennis and I are working on driving that change!
Guests
Iftach Ian Amit ( @iiamit ) - Seasoned manager in the security and software industry with vast experience in a myriad of areas of software (from enterprise security, through retail oriented, to end user software and large back-end systems). Highly experienced in leading marketing opportunities, and translating technical innovation into marketable concepts that increase sales and exposure. Information Security expert with vast experience ranging from low level technical expertise and up to corporate security policy, regulatory compliance and strategy. BlackHat and DefCon speaker, with vast experience in public speaking and private customer focused seminars. Founding member of the PTES (Penetration Testing Execution Standard), IL-CERT, and the Tel-Aviv DefCon group (DC9723).
Dennis Groves - Dennis's work focuses on a multidisciplinary approach to risk management. He is particularly interested in risk, randomness, and uncertainty. He holds an MSc in Information Security from the University of Royal Holloway where his thesis received a distinction. He is currently a UK expert for the UK mirror of ISO subcommittee 27, IT Security Techniques, working group 4, Security Controls and Services at the British Standards Institute. He is most well known for co-founding OWASP.
4/29/2013 • 36 minutes, 51 seconds
DtR Episode 37 - NewsCast for April 22nd 2013
It's Monday April 22nd, 2013, and here are the topics from the last 2 weeks James ( @jardinesoftware ) and I ( @Wh1t3Rabbit ) will be talking about as we Monday-morning-quarterback the last 2 weeks in Information Security... Fair warning, we have way too many topics to fit into 20 minutes... so we went a little bit longer, but both feel it's well worth your time. Laugh, cry, and be informed.
Topics Covered
- Microsoft rolls out 2-factor authentication - James points out that Microsoft has rolled out authenticator-agnostic, robust 2-factor authentication... if only I could figure out how to use it? If you have any experiences with this, please share with us on Twitter, using the #DtR hashtag - http://nakedsecurity.sophos.com/2013/04/11/microsoft-look-like-being-next-with-2fa/
- Oracle dumps a 42-patch bundle - Oracle has dropped a massive patch bundle, many of these are remotely exploitable Java issues, and it's not a walk in the park for Enterprise Security folks. Also ... we chuckle a little bit about the absolutely mindless new 'shape-coded' warnings - http://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/
- US and China to work on cyber security? - In what James and I both thought was a botched April Fools' joke, it appears as though China & US have come together to decide who the real victim in this 'cyber hacking' problem is, and what they're going to do about it going forward. Are we absolutely sure this isn't a farce? - http://www.reuters.com/article/2013/04/13/us-china-us-cyber-idUSBRE93C05T20130413?irpc=932
- Hacking a plane with an Android app? - A hacker has demonstrated (at the HitB Conference) that it is possible to remotely control a plane, in the setting of a lab. James and I talk about what the implications of this are... more to come - http://www.theatlanticwire.com/technology/2013/04/no-german-hacker-probably-cant-hijack-airplane-software/64158/
- Louisville credit card processor HACKED - Another credit card processor hacked... and the notification comes from, you guessed it, a 3rd party - http://www.wave3.com/story/21911646/louisville-credit-card-processor-hacked-card-numbers-stolen
- Hacking ring targeting... video games? - A hacking ring was uncovered by Kaspersky that has, for a number of years, been targeting video games, their source code, and other components. To what end? We discuss - http://www.gamepolitics.com/2013/04/12/kaspersky-chinese-hacking-ring-has-hacked-multiple-mmo-game-servers
- US President Obama seeks a slight increase in technology spending - Does a 2% increase (which is actually a decrease) mean anything without context? Nope... - http://www.nextgov.com/cio-briefing/2013/04/tech-spending-projected-rise-fiscal-2014/62405/?oref=ng-HPtopstory
- FCC issues fines to 2 enterprise
4/22/2013 • 33 minutes, 17 seconds
DtR Episode 36 - Unmasking Cyber Intelligence with Jeffrey Carr
In this episode...
- A critical discussion on the available 'cyber intelligence' reports from various vendors
- How hard is attribution in cyber space, really?
- "Alternative analysis" - why isn't it being used enough in cyber intelligence reporting?
- Discussion on 'degrees of certainty' and its apparent lack of application to cyber intelligence
- Extensive discussion on avoiding confirmation bias, critically reviewing intelligence work, and peer reviewing processes
- Kinetic responses to cyber threats and other outrageous rhetoric
- Hacking back? But hacking whom?
Guest
Jeffrey Carr ( @JeffreyCarr ) - Jeffrey Carr is a cybersecurity analyst and expert. He lives in Seattle, Washington. He is founder and CEO of Taia Global Inc. He is also the founder and principal investigator of Project Grey Goose, an open source investigation into cyber conflicts including the Russian cyber attacks on Georgia, the Indian Eastern Railway website defacement and the Israeli-Palestinian war in 2008 to 2009. He is also a government contractor who is consulted on Russian and Chinese cyber warfare strategy and tactics. [ http://en.wikipedia.org/wiki/Jeffrey_Carr ]
4/15/2013 • 40 minutes, 46 seconds
DtR Episode 35 - NewsCast April 8th, 2013
In this second episode of our Monday morning InfoSec quarterbacking, James and I actually got through the news items we had lined up in just about 20 minutes. I count this as a win.
Topics Covered
- Choice Escrow & Land Title, LLC vs. BancorpSouth, Inc. | At issue is the Uniform Commercial Code (UCC) as it applies to commercial entities taking "commercially reasonable methods" to secure their transactions. This one is going to have a major ripple effect; keep an eye out for further developments - http://krebsonsecurity.com/2013/03/missouri-court-rules-against-440000-cyberheist-victim/
- "The biggest cyber attack ever" | Or really, a DDoS feud between a known spammer (CyberBunker) and a spam fighter (SpamHaus) which actually did impact Internet traffic in Europe, but was effectively a tempest in a teapot for most everyone else - http://www.cnn.com/2013/03/27/tech/massive-internet-attack/index.html?hpt=hp_t2
- Schnuck's gets hacked by "computer code", but it's OK now | Short version of this story: be careful how hard you play up the 'reputation' angle with your business ... turns out people may not care so much - http://www.stltoday.com/business/local/schnucks-says-credit-card-fraud-source-found-and-contained/article_605469bd-db5d-5a1b-94cf-100f4eabc58f.html
- Darkleech affects a huge number of Apache servers, silently installs iFrame-based malware selectively | People who name these things come up with some of the coolest names ... seriously! Interesting story. - http://www.h-online.com/security/news/item/Darkleech-infects-scores-of-Apache-servers-1834311.html
- Bitcoin wallet service InstaWallet hacked, shuts down "indefinitely" | Oh, another Bitcoin tragedy as the currency suffers yet another blow to its viability as hackers target a wallet service; value bounces. - http://venturebeat.com/2013/04/03/bitcoin-wallet-instawallet-hacked/
4/8/2013 • 22 minutes, 9 seconds
DtR Episode 34 - The Inside Scoop on Cyber Liability Insurance
First ... a milestone.
I want to take this time to formally welcome Mr. James Jardine, of SecureIdeas, as my permanent co-host to the podcast. James has experience podcasting as he already co-pilots the Professionally Evil Podcast, and he's witty, knowledgeable, and awesome to work with on the microphone. I ask that you all give James a warm welcome!
In this episode...
- Overview of what cyber liability insurance is and what it isn't
- We ask "Why would we need a security program, when you can just buy insurance?"
- How do [cyber] underwriters figure out how to insure you, and how much of a liability your organization and its practices are?
- The types of costs and coverages available in some of the different policies at the various carriers
- We pull on the 'reputation' thread ... again
- We try to divine the magic formula used to calculate a 'liability' or coverage requirement
- We try and figure out how an enterprise can drive down their cyber liability insurance premiums
- Christine touches on mobility, encryption, and some interesting tidbits for the modern enterprise
Guest
Christine Marciano ( @DataPrivacyRisk ) - Christine Marciano is President of Cyber Data Risk Managers, an Independent Insurance Agency specializing in Cyber Risk/Data Breach insurance, Directors & Officers insurance and (IP) Intellectual Property protection. Christine has over 17 years of experience working in various roles within the Insurance and Financial Services industry. Prior to establishing Cyber Data Risk Managers, Christine held positions at CIBC Oppenheimer, Axa Advisors and Allstate Insurance Company.
Links
Christine's Blog - http://databreachinsurancequote.com/blog/
Christine's 2013 Data Privacy, InfoSec & Cyber Insurance Trends report - http://databreachinsurancequote.com/wp-content/uploads/2013/02/2013-Data-Privacy-Information-Security-and-Cyber-Insurance-Trends-Report.pdf
Christine's free weekly newsletter signup page - http://databreachinsurancequote.com/subscribe-data-breach-weekly-newsletter/
4/1/2013 • 32 minutes, 5 seconds
DtR Episode 33 - NewsCast March 25th, 2013
Welcome to the Down the Rabbithole NewsCast!
Join me in welcoming James Jardine ( @JardineSoftware ) of Secure Ideas to the show as a permanent co-host! The NewsCast is a bi-weekly (2nd and 4th Monday of the month) release where we'll discuss the news and events of the past 2 weeks, and attempt to analyze, break down, and generally make sense of the madness of the Security industry and real world at large.
Also a big thanks to Todd Haverkos, the voice behind the hilarious intro you'll hear on this podcast, and all the others ...
Topics We Covered
- Apple's new 2-Factor Authentication went live
- Cisco made passwords weaker (whoops!) in their IOS
- The US Government struck out twice (SAM security issue, and a contractor "buys" warez)
- Celebrities get their credit info jacked
- S. Korea gets whacked with a nasty bug, wipes out 32,000 machines in one swoop
3/25/2013 • 40 minutes, 2 seconds
DtR Episode 32 - Big Data in Little InfoSec
In this episode...
- We discuss "big data", what the heck it really is, and whether it's something new, something old, or something marketing made up
- Marcus does interpretive dance, and makes up new words
- Alex (shockingly) disagrees with Marcus, and actually describes 'data science'
- We hear Marcus talk about "NBS - never before seen" detection and why it's so critical
- We collectively agree (it's OK to be shocked) that "big data" is not a product
- Marcus discusses why you should be defending against the sniper
- The guests disagree on whether we have too little data, or whether we just don't know how to make it work for us
- Alex puts on a tinfoil hat ...
Guests
Marcus Ranum ( @mjranum ) - Marcus J. Ranum is a world-renowned expert on security system design and implementation. He is a pioneer in security technology who was one of the early innovators in firewall, VPN, and intrusion detection systems. Since the late 1980s, Marcus designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer to founder and CEO of NFR. In SC Magazine's 20th Anniversary Edition, Marcus was named as one of the top industry pioneers over the last 20 years. Marcus is currently the CSO at Tenable.
Alex Hutton ( @alexhutton ) - Alex is the Director of Operations Risk & Governance for a very, very large financial, so he has to stay incognito. Frankly, it doesn't matter much whether he says where he works, the dude's one of the smartest people I know, and lives, breathes, and often excretes 'risk' knowledge.
3/18/2013 • 40 minutes, 50 seconds
DtR Episode 31 - Analyzing US vs. Cotterman (Cyber Law)
Synopsis
This timely podcast is right on the heels of the US vs. Cotterman decision from the 9th Circuit Court of Appeals. One of the watershed decisions on privacy and digital law, this is an extremely important case that touches on whether government agents can take and search your digital property while crossing the border with or without cause or suspicion. Michael and Shawn give their analysis, and we get some critical information for international business travelers, as well as those of us in the security community who regularly cross the US border with sensitive, potentially encrypted or password-protected information.
Link to the original 9th Circuit Court of Appeals decision: http://cdn.ca9.uscourts.gov/datastore/opinions/2013/03/08/09-10139.pdf
You're not going to want to miss this podcast.
Guests
Michael Schearer ( @theprez98 ) - Security consultant and penetration tester by day, law student and hacker by night, proud Navy veteran, writer, promoter of civility in political discourse, Philadelphia and Penn State sports fanatic, practicing philomath, and last but certainly not least, Dad and Husband. Michael maintains a fantastic blog at http://theprez98.blogspot.com.
Shawn E. Tuma ( @shawnetuma ) - Partner at the law firm BrittonTuma and an attorney with broad-based business, litigation, and intellectual property litigation experience combined with his unique expertise with cutting-edge legal issues such as computer fraud, data security, privacy, and social media law. Shawn is a member of the Information Security Committee of the Section of Science & Technology Law for the American Bar Association and the Privacy, Data Security, and e-Commerce Committee of the State Bar of Texas. Shawn maintains a great resource for analysis on legal decisions at http://www.shawnetuma.com.
3/10/2013 • 35 minutes, 4 seconds
DtR Episode 30 - It's Always a Business Decision [MISEC edition]
Synopsis
Security has an interesting view on "business decisions", and in this podcast episode recorded at GrrCon 2012 in Grand Rapids, MI I sit down with some of the talent behind MISEC and we discuss #SecBiz topics of interest including the ugly phrase "it's a business decision" and why we say that. We also dive into how decisions are made, and why security and business are still often at odds on goals and acceptable 'risks'... and why our recommendations and guidance still fall on seemingly deaf ears.
We sample some of the sage wisdom of J.W. Goerlich as he runs his IT and security organization, and how he asks his security employees to think business, and put themselves into the frame of reference of the business when making decisions.
Jen Fox brings up Miller's Law, and teaches us to ask "What is that true of?" when framing discussions in the business context with non-technologists. Jen makes us think about frames of reference. She tells us that we must assume that a statement someone makes is true ... from their frame of reference, and we simply must get inside their frame of reference to understand their thinking.
Steven Fox gives us a little bit of a glimpse into the government world where you can't always go sit down with the decision maker, and have to depend on your relationships, cooperation, and sometimes back-room politics to get things done.
I invite you to listen in; this is a timeless discussion that everyone should participate in.
Guests
J.W. Goerlich - @JWGoerlich - Information Systems and Information Security Manager. Regular InfoSec practitioner, occasional speaker and writer. INTJ. #MiSec, #BSidesDetroit, #CSA, #Owasp
Jen Fox - @J_Fox - Making security accessible to the end user. Independent consultant, biz analyst, tech-to-biz translator, and diplomat. CIPP/IT and locksport enthusiast.
Steven Fox - @Securelexicon - I am a Security Architect at the U.S. Dept of the Treasury & Penetration Tester passionate about security as a business value and differentiator.
3/8/2013 • 32 minutes, 58 seconds
DtR Episode 29 - Shawn Tuma - The Law and the Hacker
Synopsis
Shawn and I have been trying to get together to record an episode for what seems like forever. We first started talking about the CFAA (Computer Fraud and Abuse Act) when it was ruled that a person could not be charged as a 'hacker' under the CFAA by their employer when they accessed information improperly if the employer did not restrict that access appropriately. Shawn's expert insight here as an attorney dealing with the CFAA shines as we talk about hacking, vulnerability research, and other critical topics to the hacker culture, information security industry and security professionals.
You're not going to want to miss what Shawn has to say... I want to thank him for his time, and encourage anyone who needs the sort of advice Shawn has to give him a call, or send him a Tweet.
Guest
Shawn E. Tuma - Shawn E. Tuma is an experienced business, litigation, and intellectual property attorney at BrittonTuma who helps businesses and individuals assess, avoid, and resolve business and legal issues. Shawn has spent his career handling cases before state and federal courts alike and is well versed in both traditional and emerging areas of the law. In addition to his career-long business law and litigation practice, he has developed a niche practice as a thought-leader in emerging areas such as computer fraud, data breach, privacy, and social media law, with a strong command of the Computer Fraud and Abuse Act. Shawn enjoys handling highly complex commercial, technological, and intellectual property matters as much as he does those that are more traditional. Shawn can be found on Twitter as @shawnetuma.
2/5/2013 • 35 minutes, 24 seconds
DtR Episode 28 - Bill Burns - InfoSec in a Cloud of Constant Flux
Synopsis
I sat down with Bill at ISSA International in Anaheim, CA in the fall of 2012 to discuss what it's like, and what types of challenges he faces in the fast-paced, hybrid world of security at Netflix. We talked about some of the challenges his environment faces, and more generic issues that are endemic to the evolving security landscape. It's fascinating to hear Bill's take on what the big picture items are, and how security is really in a state of evolution right now. Join us, I think you'll love this episode.
Guest
Bill Burns - Director of IT Security and Networking, Netflix - Bill is a silicon valley titan; his name is associated with the likes of Infoblox, Riverbed and Netflix. Currently he's the Director of IT Security and Networking at Netflix managing security in a hybrid cloud, traditional IT world, and facing some of the most complicated challenges in today's tough security landscape.
1/29/2013 • 34 minutes, 28 seconds
DtR Episode 27 - Guest: Mikko Hypponen - Way beyond viruses
Synopsis
To kick off January on the Down the Rabbithole podcast I have Mikko Hypponen, the "malware adventurer" and Chief Research Officer from F-Secure Corp, and we're talking about the state of malware and 'viruses', digging into the modern threat landscape and maybe digging up a bit of nostalgia from the late 90's. This is a fascinating conversation so I invite you to break out your old boot sector and COM viruses and join us for some interesting discussion!
Guest
Mikko Hypponen - Chief Research Officer at F-Secure Corp., TED speaker, and self-professed "malware adventurer". He can be found on Twitter at @Mikko
1/7/2013 • 40 minutes, 58 seconds
DtR MicroCast 06 - Guests: Steven & Martin - Hacking in Quebec (Hackfest.ca)
Synopsis
This microcast episode was recorded live from hackfest.ca 2012, on location in Quebec. The conference is a phenomenal success for the challenges they face (primarily non-English speaking region, small market, etc) but they've managed to attract a ridiculous amount of people to this conference, awesome speakers, and have one of the best 'War games' scenarios I've ever seen... listen to these two guys talk about how they make this happen.
Guests
Steven McElrea (@Longferret) - contributing and supporting organizer, key cog in the hackfest.ca wheel!
"Martin" - he's responsible for a lot of the design and infrastructure behind the War Games that were conducted here.
12/21/2012 • 19 minutes, 55 seconds
DtR Episode 26 - Guest: Brad Arkin of Adobe - Software Security Under Pressure
Synopsis
This episode is special because it's been a long-time-in-the-making interview with Brad Arkin of Adobe. This is the organization that many of the hacker community like to hate, and pick on - without realizing the monumental task of securing the software that Brad's team is responsible for. Brad's official title at Adobe is Engineering Senior Director but in real life one of the responsibilities his team is tasked with is doing product security for products like Adobe Flash and Reader ... Brad's take on software security and how he got the bug problem under control at Adobe is worth a listen!
Guest
Brad Arkin - Engineering Senior Director at Adobe - Brad has a long history of being involved in the Information Security world, particularly software security, and has held many interesting roles from Cigital, to a technical director at @Stake, to working his way through Adobe since 2008. Brad can be found on LinkedIn, here: http://www.linkedin.com/pub/brad-arkin/1/2a8/4.
12/18/2012 • 39 minutes, 51 seconds
DtR MicroCast 05 - Guest: Eric Cowperthwaite - The Rise and Fall of Enterprise IT
Synopsis
LIVE from day 2 of the ISSA International conference 2012, in Anaheim, California I cornered Eric Cowperthwaite after a much-anticipated year-long wait... and we talked about his prediction that in the next 2 years many of the traditional IT employees will be employed as either business-IT resources in the enterprise, or IT-technical resources at an IT outsource or cloud provider... Eric's predictions tend to be right on the money so it'll be interesting if some of the things he advocates in this microcast come true! Only time will tell.
Guest
Eric Cowperthwaite - Eric is the Chief Security Officer at Providence Health & Services, and a strong advocate of pragmatic security. Eric has a long history from Army Recruiter, to outsource services delivery with EDS, to his many years of service to the ISSA and Providence Health & Services. In addition to being a good friend and colleague, Eric has a snarky sense of humor, and tends to be not afraid of speaking his mind ... and as it turns out his predictions become reality in the near future. Eric can be found on Twitter as @e_cowperthwaite, and on LinkedIn.
10/26/2012 • 21 minutes, 8 seconds
DtR Episode 25 - Guests: Jim Manico, David Litchfield - From Black Hat 2012 with SQLi
Synopsis
When I caught up with these two gentlemen in Amsterdam over the week of Black Hat 2012, I knew we wouldn't run out of things to talk about! We ended up chatting for quite some time, and I think you'll find this conversation interesting from hearing of David's recent work with Oracle, and Jim's perspective on "the fix"... I kept the conversation going and am probably at least partially responsible for how long this podcast ended up being. It's well worth the time, in my opinion, as we cover the following topics:
- Attacking Oracle (David's talk had to be shelved, but he talks about ways to attack Oracle via putting a string into a numeric query - by manipulating the meta-environment)
- Jim & David talk about how to do sane SQL Injection protection (bind everything!)
- David talks about some contrived ways of hacking Oracle databases, that are 'outside the business logic', and explains why validation is still important
- Jim brings up structural validation of inputs (useful white-listing)
- David brings up that his exploits from 2007 are STILL working in 2012 - terrifying
- "Parameterize it, or jeopardize it" - Jim's campaign to rid the world of SQL Injection
- David talks about unconventional database forensics that identify attacks via weblogs
- Vendors have upped their game to protect applications; developers are still writing bad code
- Jim Manico: "We are entering the golden age of hackers" ... does this mean better security?!
- David discusses how if MS had stopped development of NEW features, WinNT4 would be 'secure' by now... but innovation & features will continue to drive forward - security suffers
- Jim asks "does the [development] framework of the future consider security as a built-in?"
Guests
Jim Manico - One of the people who holds OWASP together, Jim is an enthusiastic espouser of the Web App Security word. You can find him providing training, practical advice, and code knowledge all over the place, particularly for the OWASP organization.
David Litchfield - David has been taking Oracle to task over their claims of database security for years, and continues to be a driving force behind penetration testing, database forensics, and all things Oracle security.
10/22/2012 • 50 minutes, 15 seconds
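The "parameterize it, or jeopardize it" point from Episode 25, shown as an added example (this is the editor's illustration, not code from the episode, from Jim Manico or David Litchfield, and not specific to Oracle): a lookup whose "numeric" parameter is spliced into the SQL text beside the same lookup with a bound parameter, plus the structural allow-list check Jim describes. It runs against a constructed in-memory SQLite table because SQLite ships with Python; the function names, the users table and the payloads are assumptions made for the illustration.

```python
# Added example: SQL injection via string splicing vs. bound parameters,
# plus structural (allow-list) validation. Not code from the podcast or its
# guests; the users table below is constructed sample data.
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def names_by_id_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """VULNERABLE on purpose: the caller's string becomes part of the SQL text,
    so a 'numeric' parameter can smuggle operators and clauses (the
    string-into-a-numeric-query problem discussed in the episode)."""
    sql = "SELECT name FROM users WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def roles_by_name_vulnerable(conn: sqlite3.Connection, raw_name: str) -> list:
    """VULNERABLE on purpose: hand-written quoting; a quote in the input breaks out."""
    sql = "SELECT role FROM users WHERE name = '" + raw_name + "'"
    return [row[0] for row in conn.execute(sql)]


def names_by_id_parameterized(conn: sqlite3.Connection, raw_id) -> list:
    """Bound parameter: the driver passes the value separately from the SQL
    text, so a payload like "1 OR 1=1" is compared as one (non-numeric) value
    and matches no row."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def roles_by_name_parameterized(conn: sqlite3.Connection, raw_name: str) -> list:
    """Bound parameter for a text column: quotes in the value are just data."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (raw_name,))]


# Structural validation (allow-list): an id is a positive integer of at most
# ten digits. Anything else is rejected before the database is touched.
ID_SHAPE = re.compile(r"[1-9][0-9]{0,9}")


def structurally_valid_id(raw_id: str) -> bool:
    return ID_SHAPE.fullmatch(raw_id) is not None


def names_by_id_defended(conn: sqlite3.Connection, raw_id: str):
    """Defence in depth: reject malformed input up front (None lets the caller
    log or alert on the attempt), then bind the typed value instead of
    splicing it."""
    if not structurally_valid_id(raw_id):
        return None
    return names_by_id_parameterized(conn, int(raw_id))


if __name__ == "__main__":
    db = build_db()
    print("spliced, id payload   :", names_by_id_vulnerable(db, "1 OR 1=1"))
    print("spliced, name payload :", roles_by_name_vulnerable(db, "x' OR '1'='1"))
    print("bound, id payload     :", names_by_id_parameterized(db, "1 OR 1=1"))
    print("bound, name payload   :", roles_by_name_parameterized(db, "x' OR '1'='1"))
    print("defended, id payload  :", names_by_id_defended(db, "1 OR 1=1"))
    print("defended, legit id    :", names_by_id_defended(db, "2"))
```

Running the file shows the spliced numeric query returning every row for the payload "1 OR 1=1" and the spliced name query returning every role for "x' OR '1'='1", while the bound versions treat the whole payload as a single value and match nothing; the structural check rejects the payload before any SQL runs. The placeholder syntax differs per driver (? here, %s or :name elsewhere), but the shape of the fix is the same wherever the driver supports binding.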
DtR Episode 24 - Guests: DarthNull & InfoJanitor - All the Things InfoSec
Synopsis
This week we went free-form with two of my favorite InfoSec insiders ... people you probably follow on Twitter but can't quite place. Here are some of the topics covered this week:
- The Apple UDID theft - what really happened, why, and what more is there to this story?
- Information vs. DISinformation... the battle for online trust
- Speaking of distrust - where do you go post-breach?
- InfoSec intelligence is a lot harder to do than just reading mailing lists and Twitter; there's a ton to this (scratching the surface)
- Change management's impact and possible salvation for IT and InfoSec
- Legacy systems and why they are the ball and chain, and why we can't nuke them
- The user ... how do we get past just hating on the user in InfoSec?
Guests
@DarthNull - David is a mobile hacker with Intrepidus Group, and active puzzle-solver extraordinaire
@InfoJanitor - He's a long-time InfoSec guy, working for a 'big company' ... and if he told you more than that, well ... you know.
10/4/2012 • 45 minutes, 28 seconds
DtR Episode 23 - Guest: Patrick C. Miller - Energy Sector, SmartGrid and Resiliency
Synopsis
Today's podcast discussion is with someone who has one of the toughest jobs in the security world... Patrick helps organizations that generate and deliver the power that runs our gadgets and critical systems that maintain life as we know it. The power grid is not only surprisingly vulnerable due to its age-old infrastructure, but also surprisingly resilient due to the complex nature of power distribution and generation... there's just a lot more to it than most people realize.
Patrick separates fact from fiction and goes into the pragmatic approach on national electric grid security - where we realize that it's really worse than we believed from a cyber security perspective, but better than we know because as you read this the electric grid is under constant attack, but it's still transmitting clean power.
I urge you to listen to this podcast, and then engage Patrick (@PatrickCMiller) or me in discussion...
Guest
Patrick C. Miller - President & CEO of EnergySec; Principal Investigator of National Electric Sector CyberSecurity Organization (NESCO)
Links:
NESCO - US Dept. of Energy (DoE) Office of Electricity Delivery & Energy Reliability - http://energy.gov/oe/services/cybersecurity/nesco
EnergySec - A 501(c)(3) not-for-profit organization formed to support organizations within the energy sector in securing their critical technology infrastructures - http://www.energysec.org/
9/24/2012 • 41 minutes, 37 seconds
DtR Episode 22 - Guests: Marc Blackmer, Matt Morgan - Security + App Lifecycle viewpoints
Synopsis
This episode is a mini-episode recorded live from the social media lounge at HP Discover Las Vegas 2012. It was an incredible show, where I caught up with Marc and Matt - two guys who are really from opposite sides of today's deploy vs. secure coin. Somehow we quickly dove into DevOps and picked up right where my conversation with the incomparable Gene Kim left off in episode 20. Ironically, we discussed how to deploy faster (sound familiar?) and still get security and quality into the scope of delivery... this isn't a product pitch but it's two HP guys talking about how products impact software quality, security and overall delivery speed.
Guests
Marc Blackmer - Senior Solutions Marketing Manager (HP Enterprise Security Products) - Marc is a seasoned veteran of the Information Security industry with experience going back to high technician days in 1998. Since 2006 Marc has held various technical and engineering roles at ArcSight and has come to learn the SIEM industry better than anyone I know. Marc is one of the rare people who 'gets' how products solve actual problems.
Matt Morgan - Vice President and General Manager, HP Software Cloud and Hybrid IT - Matthew Morgan is the vice president and general manager of product marketing for the HP Software Cloud and Hybrid IT software organization, a $2.5B software business delivering solutions used by 100,000s of users to successfully define, deliver, and manage business software in a cloud and mobile world. Matt has 20 years of experience in the Internet and IT business application industry. In his time at HP Software, he has held multiple executive roles including leading the commercialization of HP Application Lifecycle Management, launching HP's first mobile testing and monitoring solutions, and leading a shift to digital marketing operations.
Synopsis
In this episode we ask the big question of "Can security be a part of the 'build/deploy faster!' culture?" We discuss the need to separate out high/low risk code, understanding how to deploy dormant components of the applications, proper testing strategies and branching/merging in a world where faster isn't just an ask, it's a need to stay competitive.

A huge thank you to all my guests for their time and expert insight. The combined talent and experience of my 3 guests is something you should absolutely take a listen to, as these gentlemen really know what they're talking about - whether it's Information/Application Security, or DevOps ... this is a discussion that bridges both with expert precision.

Guests
Nick Galbreath - Nick's LinkedIn profile says he's been at 5 early to very early startups, all sold, IPO'd or huge - all dealing with massive scaling in load and large data sets. Facebook now owns a half-dozen of his patents on social graphs, and Google is using some of his code in Chrome! On top of that, he's written a book on cryptography too... when he's not out building start-ups, Nick's speaking/teaching or hacking away at code to find better, bigger exploits and fixes.

James Wickett - James is an innovative thought leader in the DevOps and Information Security communities, and has a passion for helping big companies work like start-ups to deliver products in the cloud. He got his start in technology when he ran a web startup company as a student, and James is currently employed as a Senior DevOps Engineer working on launching cloud-based products for the Embedded Software division of Mentor Graphics. James' bio is linked here.

Olivier Saudan - Olivier is a software security analyst with 10 years' experience in operations (including Information Security) and a significant development background. He keeps his identity and employer a mystery due to the nature of his work, and the need for discretion.

Links
Recent podcast on DevOps with Gene Kim (part 1 [Episode 10], part 2 [Episode 20])
Nick Galbreath's "Client9" - http://www.client9.com
James Wickett's blog - http://blog.wickett.me
8/29/2012 • 45 minutes, 1 second
DtR Episode 20 - Guest: Gene Kim - DevOps live from HP Discover Las Vegas
Synopsis
This episode was recorded in June '12, live from the show floor at HP Discover Las Vegas, 2012 and the talk of the town was once again DevOps. Gene and I have had 2 prior conversations on the topic, but we're once again tackling the impact of DevOps on the IT and security relationship and overall business value. We tip our hats to several people including Josh Corman (Rugged DevOps), David Mortman, James Wickett, Nick Galbreath and Mr. Daniel Blander for their prior contributions and supporting work on the topic. Gene talks about some of the mechanisms we have available to us to bridge that IT Security-to-developer-to-operations gap that's holding us back from true business value. Fun fact - studies have found that when you wake up a developer at 2am to solve an issue, problem resolution times plummet!

Enjoy the podcast, and go grab Gene's books when they're available... comments are welcome!

Guest
Gene Kim - Gene is finishing up the third and fourth books, "When IT Fails: The Novel" and "The DevOps Cookbook," [highly recommended reads for any IT professional who aspires to high performance] scheduled to be published in August 2012. Both are the culmination of over 13 years of researching both high-performing and low-performing IT organizations, as well as benchmarking over 1500 IT organizations to help inform what behaviors simultaneously advance business and information security objectives. LinkedIn profile, just in case you have never had the pleasure - http://realgenekim.me.

Links
Gene Kim's publisher website (mentioned in the podcast) - ITRevolution.com
8/6/2012 • 38 minutes, 30 seconds
DtR - Episode 19 - Bob Arno: The world's foremost legal pickpocket
Synopsis
This episode is special, not because it's more Info Security stuff, but because we take a far departure from the world of bits and bugs to the world of the pick-pocket and thief. Sitting down with Bob Arno is a real pleasure, as he has the storytelling ability and knowledge to educate and open your eyes to a world where nothing is as it seems and anyone can be separated from their valuables. Yes - this extends into the world of Information Security, and there are lessons to learn.

In this episode Bob and I talk about picking pockets, keeping yourself safe, and the world of criminal activity in the physical and digital world... Bob is also speaking at Hacker Halted, Miami 2012 so if you listen to this episode and are thinking about going ... there's a contest coming! Stay tuned... and you can win an exclusive, private dinner with Bob in Miami!

Guest
Bob Arno is widely known as the "World's foremost legal pick-pocket". He's performed on stage, on television and has provided advice to travelers on how to keep from being roused... Bob is a speaker, entertainer, author, and special lecturer to law enforcement agencies. He has been profiled or quoted on NPR, CNN, MSNBC, ABC's 20/20, The Travel Channel, The Learning Channel, Discovery, Court TV, in The New York Times, USA Today, Fortune, Kiplinger's, National Geographic Traveler, Law and Order, and others. He has lectured for the Police Departments of Chicago, San Diego, Houston, Las Vegas, Detroit, Honolulu, Anaheim, and many abroad; for the California Tourism Safety & Security Conference, the International Tourism Safety and Security Conference, and many others; for Kroll & Associates, RSA Security Conference and Expo, and more. He taught an accredited course at the Connecticut State Police Training Academy.

Links
Bob's main site: http://www.bobarno.com
Amazing YouTube video - Traveling Europe (Naples, Italy) and unmasking the pickpocket tactics: http://www.youtube.com/watch?v=mUHAQnyVveg
Travel advice from Bob Arno: http://www.justluxe.com/travel/luxury-vacations/feature-1702026.php
7/10/2012 • 36 minutes, 18 seconds
Down the Rabbithole - Episode 18 - Kellman Meghu: Chaos, Resiliency, and more
Synopsis
I caught up with my friend Kellman Meghu at BSides Detroit as the conference was coming to a close and we finally got to sit down and have a fun conversation about chaos, and what sorts of things enterprises can realistically do to increase security today. We both work for vendors so we talked about "shiny blinky boxes", when things fail, and the notion of resiliency. Fun conversation ensues ... with a random sprinkling of security buzzwords.

Kellman's famous quote from this episode is "I can hand you this tool, and that doesn't suddenly make you any more secure than if you hand me a hammer I suddenly become a carpenter." Wise words to live by folks, wise words indeed. Spend a few minutes with Kellman and me, and see why he's one of my favorite people to interview.

Guests
Kellman Meghu - Kellman Meghu is Head of Security Engineering (Canada and Central US) for Check Point Software Technologies Inc., the worldwide leader in securing the Internet. His background includes over 15 years of experience deploying application protection and network-based security. Since 1996 Mr. Meghu has been involved with consultation on various network security strategies to protect ISPs in Southern Ontario as well as security audits and security infrastructure deployments for various Commercial and Governmental entities across Canada and the Central United States. You can find him on Twitter and LinkedIn ... I highly recommend a conversation, he's a very smart guy.
7/2/2012 • 37 minutes, 30 seconds
Down the Rabbithole - Episode 17 - Adam Shostack on New School Security
Synopsis
Greetings fans, this episode promises to be a great one with the likes of Adam Shostack starting off talking about what the whole concept of "New School Security" is all about, and how it differs from the way we've all done it for the past 15+ years. Adam and I talked through some new interesting ideas for moving the information security community and discipline forward, and even commented on how we can start to overcome the security community's focus on 'secrecy' when things go wrong. How do security professionals understand what the desired outcomes should be, then start to move towards implementing pragmatic approaches to move closer to those desired outcomes - because in the end it's really about business and getting it done, not about 'security'.

You will be sorry if you miss this episode!

Guest
Adam Shostack - Adam Shostack is a principal program manager on the Usable Security team in Trustworthy Computing. As part of ongoing research into classifying and quantifying how Windows machines get compromised, he recently led the drive to change Autorun functionality on pre-Win7 machines; the update has so far improved the protection of nearly 400 million machines from attack via USB. Prior to Usable Security, he drove the SDL Threat Modeling Tool and the Elevation of Privilege threat modeling game as a member of the SDL core team. Before joining Microsoft, Adam was a leader of successful information security and privacy startups, and helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the widely acclaimed book, The New School of Information Security.

Links
Adam on Twitter: @AdamShostack
The New School Security blog: http://newschoolsecurity.com/
6/18/2012 • 36 minutes, 28 seconds
MicroCast 04 - Kevin Riggins & Kenneth Johnson - QA + Security Software Testing
Synopsis
Last winter, on a frigid afternoon I got a chance to sit down with 2 of my favorite Iowa locals, Kevin and Kenneth, to talk about the tenuous relationship between QA and Information Security. Earlier in the day I had given a workshop on software security testing (of the web variety) to a ViViT user group, and with that topic and their questions/concerns fresh in my mind I settled down for a 30 minute conversation with Kevin and Kenneth ... we essentially continued the conversation from Episode 3 (please give that a listen if you haven't yet to get a background).

Some of the questions we tackled included "Which team within the software development or security organization is best positioned to test the security of applications?", and "Can Information Security ever really thoroughly test an application without the full context?" ...and much more.

Give this episode a listen!

Guests
Kevin Riggins - @kriggins - Kevin is a veteran of the Information Security community with many years' experience in vast IT systems and a quality, development and systems background as well.

Kenneth Johnson - @patories - Kenneth has been in the Information Security field for the last six years, with five of those years working as an IT Analyst for Principal Financial Group. He graduated in 2007 with a BS degree in Information Systems Security from ITT Tech, and he is currently attending Iowa State to pursue a Ph.D. in Information Assurance, with a specialization in Digital Forensics, Incident Response and Malware Analysis.
6/14/2012 • 28 minutes, 49 seconds
Feature - Welcome to HP Discover Las Vegas 2012
Greetings friends! I am taking some time to do something a little out of the ordinary right now... I'm coming to you from beautiful Las Vegas, Nevada and HP Discover 2012 where the theme is "Make it matter."

Rather than doing yet another blog post on how beautiful the show floor is, and how amazing the content is going to be, I've recorded a little bit of audio, about 6:30 minutes or so, to give you a feel for what we're up to, what's going on, and why I'm downright giddy with excitement.
6/4/2012 • 7 minutes, 46 seconds
Down the Rabbithole - MicroCast 3 - Paul Elwell + Albert School - Measuring Security
Synopsis
This episode of Down the Rabbithole microcast (~15 minutes length) was recorded live at the Ohio Information Security Summit.

Albert and Paul were kind enough to sit down with me and discuss metrics and process - and essentially what demonstrating "good security" means to an enterprise. "Can we ever get there?" Where is there? Understanding the basics of security, measurement, and whether, if we really do a great job, Information Security can work itself out of a job ... those are some heavy topics for a mini-podcast. Enjoy!

Feedback is always welcome.

Guests
Paul Elwell - Security Specialist for a Fortune 500 company
Albert School - Application Security Specialist and Penetration Tester at a Fortune 500 company
5/29/2012 • 16 minutes, 9 seconds
Down the Rabbithole - Episode 16 - Spacerog and Shpantzer talk CyberPocalypse
Synopsis
In this episode, streamed live and recorded for your listening pleasure, I'm joined by @SpaceRog and @Shpantzer from Security BSides Delaware. What started out as an off-the-cuff discussion on the 'Cyber Apocalypse' quickly materialized into a much longer discussion which dove into various aspects of infrastructure security, critical protection and even the inability to separate the physical from the cyber worlds. Join us for a little bit of nostalgia, a little bit of knowledge and a lot of commentary from these two very smart staples of the security community.

This is one of those conversations which I barely edited... it was free-flowing, entertaining and insightful. I hope you enjoy it!

Guests
@Spacerog - Spacerog is one of the founders of L0pht, and founder of the HNN (Hacker News Network) way, way back in "the day"... He has a full profile here.

@Shpantzer - Shpantzer is a veteran of the security industry and describes himself as "Information security and risk management consultant. Strong project manager with interdisciplinary skillset to solve complex business and technical problems." He also writes for the "Shpantzer on Security" blog (which you should be following).
5/25/2012 • 38 minutes, 28 seconds
Down the Rabbithole - Episode 15 - Backstage at THOTCON 0x3
Synopsis
It's rare that I get to be a spectator at a podcast, but in this case I was listening to some of the conversations and talks being given at Chicago's very own THOTCON 0x3, and decided it would be valuable to you to get some of the conversation movers on the microphone. We started talking about the applicability of information security conferences to your "day job", got into a discussion on "hallway con" and then went down the rabbithole on some interesting tangential topics ... and of course the fresh rap from DualCore was awesome. I hope you enjoy the episode ...

Guests
Georgia Weidman - Georgia is an independent consultant, penetration tester and mobile device hacker.

Ken Swick - Ken is a security manager from the Financial Services vertical with many years' experience in defending corporate networks, and bringing business value to information security programs.

DualCore - DualCore ... what can I say - dropping raps like packets straight to your ears ... DualCore music is what you should hear.
5/8/2012 • 18 minutes, 45 seconds
Down the Rabbithole - Microcast - THOTCON 0x3_1
Synopsis
In this short microcast we rap about the THOTCON 0x3 experience, why we think the Chicago community has taken off so much, and what sorts of interesting things make THOTCON, and the local hacker con here in Chicago, so attractive to people from around the world. Yes, there is comedy involved...

Guests
Todd - Audio genius, InfoSec luminary, pen tester ... better known to his Twitter fans as @Phoobar

Ben - Ben is a Chicago suburban staple, first time on the microphone, otherwise known on Twitter as @Ben0xA
4/27/2012 • 16 minutes, 23 seconds
Down the Rabbithole - Episode 14 - Dave Frederickson on Cloud Reality
Synopsis
This episode I sit down with Dave Frederickson, who has a unique viewpoint on cloud computing from a Canadian point of view, as well as a VP of the HP Canada business. I pose some tough questions to Dave including "Is 'cloud' just marketing hype?" and other discussion topics and we have a good chat on the reality of cloud computing, who's adopting it and how it's changing and revolutionizing Information Technology at the pace of business. This is another great podcast in the cloud series, and you should not miss it!

Guest
Dave Frederickson - (Vice President & General Manager Enterprise Servers, Storage & Networking Business at HP Canada) - Dave Frederickson is the VP of the ESSN group and is located in HP Canada's HQ in Mississauga, Ontario. He is responsible for leading sales, pre-sales, channels, marketing and product management teams, achieving top and bottom line and market share objectives. His role also includes responsibility for Enterprise marketing for HP and linking HP services and software. He is a board member of Sharcnet and Schulich Corporate and Social Responsibility.
4/24/2012 • 40 minutes, 56 seconds
Down the Rabbithole - Episode 13 - Mark Radcliffe - The Ts and Cs of Cloud Computing
Synopsis
On this episode of Down the Rabbithole I get the distinct pleasure of sitting down with one of Silicon Valley's top attorneys to talk Cloud Computing T's and C's ...and let me tell you this was a wild ride. I learned a lot, including the fact that I know a famous legal court case about a tugboat captain and the use of radar ... and what all that CAPSLOCK PRINT ON SOFTWARE LICENSE AGREEMENTS means ...and so very much more. Join me, and learn a little bit more about the legal aspects of cloud, before you find out the hard way. This is a do not miss episode.

Guest
Mark Radcliffe [DLA Piper] - Mark F. Radcliffe concentrates in strategic intellectual property advice, private financing, corporate partnering, software licensing, Internet licensing and copyright and trademark.

Leading international legal publishers consistently rank Mr. Radcliffe among the top lawyers in his profession. The respected English publishers Chambers and Partners has repeatedly named him in Chambers USA: America's Leading Lawyers for Business, and has described him as "outstanding" and "a leader in open source-related matters." Legal 500 also recognizes him, commenting: "His expertise in providing strategic IP advice, with particular specialism in open-source matters, has won him plaudits. Indeed, one client describes him as 'probably the best lawyer in his field.'"

More on Mark on his profile page: http://www.dlapiper.com/mark_radcliffe/
4/2/2012 • 18 minutes, 47 seconds
Special - Cloud Legal Panel - Chicago Cloud Security Alliance Chapter Meeting March 7th, 2012
Summary
This 1 hour podcast was recorded live at the March 7th, Chicago Cloud Security Alliance chapter meeting, where we were fortunate enough to have a panel of attorneys discuss the issues with cloud security from a legal perspective. I hope you find the content stimulating, if not a little bit worrisome.

Apologies for some of the flaws in the audio, but this was an ad-hoc recording and I didn't have time to clean up the taps and paper shuffling that the super-sensitive microphone picked up.

This was the first recording using the mobile Zoom H4n, and I think you'll agree it's an amazing piece of tech.

This podcast is posted as-is, and hosting is provided courtesy of HP.
3/21/2012 • 1 hour, 17 seconds
Down the Rabbithole - Episode 12 - Chris Hadnagy - Hacking the Human (mind)
Synopsis
The guest on this podcast will blow your mind ... literally. He is none other than the "human hacker" himself, Christopher Hadnagy, who has written a book and now runs social-engineer.org. Chris is a long-time friend of mine and an invaluable resource in the psy-ops James Bond style social engineering world. Chris knows his stuff, and he's willing to teach you if you're willing to listen... so buckle down and get educated on social engineering background, tricks and even the 6 things your company must do to prevent being a victim of social engineering attacks. Oh ... and let's not forget, somewhere in this episode Chris makes you an offer you can't refuse, just for you Down the Rabbithole listeners, how cool is that? If you've ever thought about taking a class, or having your organization fortified against social engineering attacks but didn't think it was within your budget - listen to this podcast ...

Guest
Christopher Hadnagy - Chris, or as his friends on Twitter know him - @HumanHacker - is a fountain of knowledge on social engineering and the art and science behind corporate-level offense and defense using the human mind. Chris has written a book called Social Engineering: The Art of Human Hacking, and runs social-engineer.org, contributing to the community through teaching, speaking and writing as well as hosting a heck of a podcast on the fascinating topic of social engineering. Chris's organization offers SE penetration testing, education and is at the forefront of social engineering tactics for the defensive good.

Links
The official social engineering portal - Social-Engineer.org
Register for social engineering training & services through Chris's organization here
3/5/2012 • 39 minutes, 35 seconds
Down the Rabbithole - Episode 11 - Nathaniel Dean discusses software security red teams
Synopsis
I had the pleasure of sitting down with Nathaniel Dean, someone I had met through a mutual colleague's introduction, and hearing about a neat concept that takes the software security program to a new level. Interestingly enough, Nathaniel runs a red team but it's guaranteed to be unlike any red team you've probably ever worked with. The crazy thing? It's working. We talk through the mechanics, psychology, and business implications of what he's driving, and how he's rolling up his sleeves and getting it done which is probably more important than anything else.

Jack in and get a 25-minute dose of knowledge from someone I know you'll learn something from.

Guest
Nathaniel Dean - Business Information Security Officer at a major financial institution. Nathaniel has been managing and building programs in this space for a long time, and his experience shows.
3/1/2012 • 26 minutes, 4 seconds
Down the Rabbithole - Special - "Master the Cloud" Calgary (w/celebrity guest Adam Growe)
Synopsis
We were "live to tape" (as Adam says) from HP's Master the Cloud event in Calgary. As we wrap up the road tour in the frozen city of Calgary I had the pleasure of sitting down with a comedian and celebrity, a technical expert on virtualization from HP, and the manager of Intel's advanced server technologies team. This was a wild, off-the-rails discussion and you can really tell we were just having a good time and excited to wrap up the tour. Great topics of discussion...

Topics covered in this episode include...
- Hypervisors and their value to cloud computing, virtualization and hacking
- Why are hypervisors critical to cloud computing?
- Will Intel build a hypervisor into the silicon?
- How robust driver stacks keep hypervisors 'safe' on the software level...
- "Raising the bar" on security (analogies of a department store)
- Virtualization of compute resources & BYOD ...slightly off the rails
- Federation of identities, and applied to social media

Special Guests
Jake Smith (Advanced Server Technologies Manager at Intel Corp.) - Jake was a keynote speaker at HP's "Master the Cloud" tour across Canada speaking about Intel's vision for a more connected, more virtualized, and more secure Cloud Computing environment; including Intel's partnerships with HP and some of the advancements they have embarked on together. Jake can be found on LinkedIn here: http://www.linkedin.com/in/jakesmith42

Adam Growe (Celebrity host of Cash Cab Canada) - Adam is the host of Canada's "Cash Cab" show on the Discovery Channel. Additionally, Adam has his own quiz show ("The Adam Growe Quiz Show") and is a recognized celebrity, accomplished comedian and emcee, and has the uncanny gift to derail any boring IT conversation! Adam can be found on Facebook here: http://fb.com/AdamGrowe and on his own site: http://adamgrowe.com - on behalf of HP I wish to thank Adam for his presence and making us all chuckle.

Emrah Alpa (HP TippingPoint technical specialist) - Emrah, in addition to being an accomplished DJ, is the Northwest Canada regional HP TippingPoint technical expert.

Links
HP TippingPoint Secure Virtualization Framework (SVF) - http://h17007.www1.hp.com/us/en/solutions/security/svf/index.aspx
Federation (federated identity) - http://en.wikipedia.org/wiki/Federated_identity
2/11/2012 • 31 minutes, 25 seconds
Down the Rabbithole - Episode 10 - "The real Gene Kim" on DevOps, KPIs & high performance IT
Synopsis
World-renowned author, researcher, speaker and founder of legendary TripWire joins me semi-live from LASCON in Austin, Texas to talk about his current project(s) [The DevOps Cookbook, and When IT Fails: A Novel], and his book Visible Ops and how this can all be applied to security in today's tough business climate. Gene and I discuss what in the DNA of well-performing (or "agile") IT organizations, based on Gene's research and experience, enables them to not only perform better, but also serve the business faster. These high-performing organizations all have things in common, and you may be shocked to hear it's not heaps of money, or resources, or "powerful" CISOs. The experience was a pleasure and I guarantee you'll learn something from this podcast, and I highly encourage you to add Gene's books as a staple of your career-building library.

Guest
"The real" Gene Kim - I am working on my third and fourth books, "When IT Fails: The Novel" and "The DevOps Cookbook," scheduled to be published in June 2012. Both are the culmination of over 13 years of researching both high-performing and low-performing IT organizations, as well as benchmarking over 1500 IT organizations to help inform what behaviors simultaneously advance business and information security objectives. LinkedIn profile, just in case you have never had the pleasure - http://realgenekim.me.
2/6/2012 • 39 minutes, 58 seconds
Down the Rabbithole - Special - "Master the Cloud" Toronto
Synopsis
I sat down at the HP Master the Cloud (hp.com/go/cloud) event in Toronto, Canada to answer some Twitter-based questions, talk about the trade show, and listen to some of the fantastic things Victor and his team are working on right now in their incubator ... and it was a really great 20 minutes. We covered the questions below (posted directly from Twitter, special thanks to all who participated) and talked about technology, the evolution of security, and how organizations can take advantage of this shift as technology turns the corner in a new operating and delivery paradigm. Is cloud right for everyone? Probably not. Is cloud right in every situation? Probably not. This is exactly why you need to listen to Victor ... this is definitely a worthwhile way to spend 20 minutes of your time.

Questions from Twitter
- "What's your perspective on letting the entire Internet pen test your service in a sandboxed environment?" -- HackBlat (@HackBlat)
- Virtual processing is great, but how are we supposed to layer on data privacy? IoW - w/the "To the Cloud!" rush, why aren't there any (effective) integration patterns emerging? Lift & Drop is bad for data. -- awpiii (@awpiii)
- How does one establish bandwidth requirements when establishing a pipe to a cloud service? -- RonService (@RonService)
- Vendors routinely sell something not using themselves. What percentage of HP infrastructure is running in public cloud offering? -- brew_ninja (@brew_ninja)

Guest
Victor Garcia (CTO HP Canada) - Victor is the Chief Technology Officer for HP's Canada business, leading the business in technology & business strategy, incubation and commercialization of new technologies, strategic alliances, and systems integration as well as business management. Victor's LinkedIn profile is here.

Links
"The security poverty line" from Wendy Nather of the 451 Group (podcast with Alan Shimel) - https://gpodder.net/podcast/securityexe-powered-by-the-ciso-group-with-alan-shimel-1/security-below-the-poverty-line-with-wendy-nather-of-the-451-group
1/31/2012 • 21 minutes, 23 seconds
Down the Rabbithole - Special - "Master the Cloud" Montréal
Synopsis
This special episode of Down the Rabbithole is sponsored exclusively by HP Canada, and I wanted to thank them for hosting this fantastic event! In this episode I sat down with Charlie Bess and EG Nadhan to talk about Cloud Computing. Now, this isn't your standard cloud discussion ... no my friends, these are two of the top technologists HP has to offer from the labs and services organizations talking about the paradigm shifts in computing that "the cloud" offers. We talk through business adoption, getting over the "it's cheaper" mentality, security ... and even some of the things learned here at the event in Montreal. What a fantastic opportunity to pick the brains of some extremely smart people, and hear their responses to one of the most difficult and rewarding business shifts in technology in the last 10 years. You're not going to want to miss this.

Guests
EG Nadhan - Distinguished Technologist, HP Enterprise Services
Charlie Bess - Fellow, HP Labs
1/26/2012 • 22 minutes, 11 seconds
SecBiz Monthly Call - January - "Eating our own dogfood"
Synopsis
This month's call kicks off 2012 with a big question - "Do security professionals follow their own policies?" ... and as we talk through this issue we discover that there are other subtleties to this question. Does it make sense for Information Security to have separate accounts for general and administrative access? Does a security policy fail if it does not account for 'exceptions' to that policy - legitimate exceptions? What about an exception policy that allows information security professionals to navigate complex policy issues and receive 'allowances' to do their jobs without being limited by the general user policy? These are complex questions that we tackle, and offer some guidance for ... and in the end, things aren't as simple and black-and-white as we'd all like ... you'll just have to listen to hear the advice we dispense!
Guest
[Co-Host] Michelle Klinger of EMC Consulting joins me to co-moderate the first SecBiz 2012 monthly call. Michelle is currently a consultant with EMC.
1/26/2012 • 40 minutes, 21 seconds
Down the Rabbithole - Episode 09 - Jeff Reich Explains "Table Stakes" and Other InfoSec Genius
Synopsis
This episode with Jeff was awesome. Recorded at the OWASP LASCON security conference, I got a chance to sit down with Jeff in person and talk shop. I always learn something, but in this podcast Jeff dispensed his usual wisdom in buckets; I could barely write this stuff down fast enough. We covered the raising of the "information security table stakes", and what the last 15 years have meant to the information security profession in terms of evolution. We went into a discussion on how information security can avoid being a cost center and feeling the traditional expansion and contraction with workload and economic times, and I learned what the phrase "it was a business decision" really means. In case you need one more compelling reason, Jeff brought up yet another gem when he discussed how the business pushes the boulder off the cliff, then expects information security to change its trajectory mid-fall ... you're not going to want to miss this. I had a wonderful time catching up with Mr. Reich, and you'll enjoy this podcast, that's a promise.
Guest
Jeff Reich - (hint: it's pronounced "rich") - A solid history of developing and providing expertise and leadership on information security and all associated disciplines by integrating Managed Risk into the business in the energy, manufacturing, technology and financial services industries. Successfully created and implemented comprehensive Security and Risk Management Infrastructure for a large oil and gas company as well as four of the largest Internet and e-commerce providers in their respective industries. Holds a national reputation of excellence through results, publications and presentations of value. Known for ability to hire, train and inspire high performance teams that support and help drive the core business structures.
[LinkedIn: http://www.linkedin.com/in/jreich]
In addition to that, I've known Jeff for a very, very long time throughout his illustrious career, and have always been amazed by his ability to dispense one-liner wisdom, like this one on a recent blog post on "The compliance hamster wheel": "I have been saying for years that simply chasing compliance is like chasing your tail. You probably won't catch it and if you do, it will hurt."
1/16/2012 • 40 minutes, 28 seconds
Down the Rabbithole - Holiday 2011 Year End Wrap-Up Episode (Part 3)
Synopsis
This is the third and final part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012. No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012. I hope you enjoy the podcast series if you missed it live. In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion! If you're a fan of the dirty world of cyber-crime, botnets, and the seedy underbelly of polymorphic, crypto-virological (I think Will made that word up...) code, you need to hear this episode. A great opportunity to hear Will share his experience as we talk through some of the nasty threats, real dangers and critical problems with the way we deal with the continuing digital criminal enterprise. Enjoy the episode!
Guests
Will Gragido: In addition to being a great guy, and a personal friend of mine ... An information security and risk management professional with over 17 years' professional industry experience, Mr. Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr. Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. Will currently serves as the Senior product-line manager for HP Enterprise Security TippingPoint.
Scott Clark: Scott Clark brings more than 16 years of leadership experience to Vyatta as its Senior Director of Worldwide Channels. In this role, he is responsible for creating and managing Vyatta's emerging Worldwide channel, as well as evaluating future channel opportunities.
In addition to his role at Vyatta, Scott also serves as the Chapter President of the Cloud Security Alliance in Chicago.
1/9/2012 • 31 minutes, 3 seconds
Down the Rabbithole - Holiday 2011 Year End Wrap-Up Episode (Part 2)
Synopsis
This is the second part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012. No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012. I hope you enjoy the podcast series if you missed it live. In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion! I'm a particular fan of this segment because we tackle education ... and the ever-popular "how do we train or educate people to be good Info Security people" ... and also get into "hacker worship" and other thorny topics. Listen in, this one is especially fun.
Guests
Will Gragido: In addition to being a great guy, and a personal friend of mine ... An information security and risk management professional with over 17 years' professional industry experience, Mr. Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr. Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. Will currently serves as the Senior product-line manager for HP Enterprise Security TippingPoint.
Scott Clark: Scott Clark brings more than 16 years of leadership experience to Vyatta as its Senior Director of Worldwide Channels. In this role, he is responsible for creating and managing Vyatta's emerging Worldwide channel, as well as evaluating future channel opportunities. In addition to his role at Vyatta, Scott also serves as the Chapter President of the Cloud Security Alliance in Chicago.
12/28/2011 • 30 minutes, 42 seconds
Down the Rabbithole - Holiday 2011 Year End Wrap-Up Episode (Part 1)
Synopsis
This is the first part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012. No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012. I hope you enjoy the podcast series if you missed it live. In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion!
Guests
Will Gragido: In addition to being a great guy, and a personal friend of mine ... An information security and risk management professional with over 17 years' professional industry experience, Mr. Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr. Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry. Will currently serves as the Senior product-line manager for HP Enterprise Security TippingPoint.
Scott Clark: Scott Clark brings more than 16 years of leadership experience to Vyatta as its Senior Director of Worldwide Channels. In this role, he is responsible for creating and managing Vyatta's emerging Worldwide channel, as well as evaluating future channel opportunities. In addition to his role at Vyatta, Scott also serves as the Chapter President of the Cloud Security Alliance in Chicago.
12/26/2011 • 28 minutes, 35 seconds
Down the Rabbithole - Episode 08 - Kris Herrin: Surviving and Thriving with Data Breaches
Synopsis
On this edition of the podcast, Kris Herrin joins me from the ISSA International Conference to talk about his unenviable role as Chief Information Security Officer of Heartland Payment Systems during one of the most epic data breaches in history. For those of you who didn't live in a cave - Kris and his organization turned the ship around ... not only that - this incident was used to help the organization find religion in Information Security and sound risk management practices. Now as Heartland leads the payment industry in security - Kris talks about his ascension through the ranks to CTO, and how getting in front of the bull made all the difference. You do not want to miss this episode!
Guest
Kris Herrin: Mr. Herrin is a recognized technology and security executive with international leadership experience in large and small publicly traded companies. Leveraging an extensive history of security, audit, and governance, he brings high energy and a risk-based view to delivering secure and reliable technology solutions to business problems. Mr. Herrin's experience includes transforming traditional IT into a mature, ITIL-oriented service organization, building domestic and Asia-based organizations, and IT crisis management.
12/20/2011 • 35 minutes, 35 seconds
Down the Rabbithole - Episode 07 - David Elfering's "As the Security Lightbulb Turns"
Synopsis
My guest David Elfering (@icxc on Twitter) and I go all over the map covering various SecBiz related topics, and come up with a fantastic set of quotes including: "No matter how long you hold the light bulb up, the world will not revolve around InfoSec" and other gems. We talk through how to present to a business group or executive, the communication and written skills required and various other topics related to bridging the business - security gap. This is a great episode to listen to - we cover a lot of ground.
Guest
David Elfering (@icxc) - David is the Senior Director of Information Security over at Werner Enterprises out of Omaha, NE. David is a veteran of the IT industry providing leadership at corporate level, building and leading the security program and infrastructure for a two billion dollar, multi-national corporation. Experience at community, state and national levels with FBI Infragard, Nebraska Infrastructure Protection Council and the SANS Institute. Able to translate information security practices to business advantage. Experienced speaker, instructor and mentor. Member ISSA CISO Executive Forum. CRISC #1115272
12/6/2011 • 33 minutes, 56 seconds
Down the Rabbithole - Episode 06 - Jeff Moss Talks Internet Evolution
Synopsis
In this edition of the podcast, I sit down with Jeff Moss (@TheDarkTangent) to talk about all of the interesting evolutions currently going on in the Internet age. As one of the people who has watched the cyber punk culture evolve from the dark culture of hacking for curiosity, through the "dot com boom" and now into mainstream business, he has some interesting commentary on how we've evolved as a culture and a group. We also talk through some interesting hacker vs. government regulation topics, and IPv6 of course! Listen in, and hear all the really exciting things Jeff has to say.
Guest
Jeff Moss (@TheDarkTangent) - In addition to being the founder of the Black Hat and Defcon hacker conferences, Jeff has been a part of the Department of Homeland Security Advisory Council since 2009. Currently Jeff is the Chief Security Officer at ICANN, the Internet Corporation for Assigned Names and Numbers.
11/21/2011 • 32 minutes, 41 seconds
Down the Rabbithole - Feature MicroCast 02 - "The Erosion of Privacy"
Synopsis
This is perhaps the most important podcast I've recorded to date, and probably will record for some time. The guests on my show in this episode are not only privacy experts, but people who deal with digital privacy every day ... and are just as appalled as I am about the rapid erosion of privacy in the modern digital age. From 4Square to the automated toll collection system - you're being tracked when you tweet, drive, and buy discount paper towels at your local market ... and technology is facilitating the privacy you're willfully giving up. STOP the madness! This episode just scratches the surface on all the different methods we're giving away our reasonable expectation of privacy, and how corporations and governments are hastening its demise.
Guests
My guests on this podcast wished to remain anonymous (lower-case A) except for their Twitter handles. Join me in thanking them for their time, thought, and insight.
theprez98
grecs
infojanitor
Links
OnStar spying on drivers/passengers - http://www.autoblog.com/2011/09/21/gms-onstar-now-spying-on-your-car-for-profit-even-after-you-uns/
Divorce cases swayed by FaceBook, social media - http://www.knoxnews.com/news/2010/jul/25/in-the-age-of-facebook-divorce-battles-go/?print=1
11/14/2011 • 43 minutes, 6 seconds
Down the Rabbithole - Episode 05 - Bryan Stiekes Says InfoSecurity is Fundamentally Broken
Synopsis
This week I host Bryan Stiekes, a distinguished technologist with HP ... and not a security guy by trade. Bryan has been a part of IT for a very long and distinguished career, with a background in networking and architecture. Bryan's premise is that Information Security is at its core fundamentally broken ... and I can't say I disagree. We discuss the different aspects of what's been wrong with modern information security, and whether this is a good time to be in the 'business' of IT. This is a fascinating conversation for anyone who's feeling lost in IT Security ... and looking for some light at the end of the dark tunnel we've managed to wander into.
Guest
Bryan Stiekes - Distinguished Technologist, Hewlett Packard - Bryan Stiekes is an HP Distinguished Technologist with a focus on network strategy and cloud services architecture. Bryan brings deep experience in secure networking and in multi-tenant services architecture to this role. Recently he's been focusing on the emerging 'as-a-Service' ecosystem and how that ecosystem impacts enterprise network and security models ... and a Jedi Master.
11/7/2011 • 40 minutes, 22 seconds
Down the Rabbithole - MicroCast 01 - Security is Just Good IT
Synopsis
This is the first MicroCast, a new 15-minute format jam-packed with a series of great topics. This time around, Jack Nichelson joins me and tells us how Bruce Lee feels about IT Security (this is a great quote!), why really good IT Security is just really good IT, and whether we will all be replaced by "Cyber-Insurance" policies. Yikes ... this is definitely 15 minutes you'll be happy you listened to.
Guest:
Jack Nichelson - Jack is an information security officer at a very large industrial enterprise. Jack's background is not IT Security, but he is a veteran of technology, and a master story-teller. Jack can be found on Twitter as "@jack0lope".
10/31/2011 • 15 minutes, 35 seconds
Down the Rabbithole - Episode 4 - Effective Small Business Security
Synopsis
This is a special episode for anyone who's feeling like "Information Security" in their small business is impossible. My guests and I talk through how to make information security a proper entity that can both serve the business need, and be respected; more than just survival, it's about making security thrive in the small business. Michael pontificates on what makes the security community such a valuable resource to security managers in his position, and we go into what advice you could give a vendor selling into a small business ... what a fascinating discussion!
Guests
J.W. Goerlich - Network and Security Manager for a midwestern financial organization. Wolfgang has 15 years in IT, with an InfoSec focus for the past 5 years. He has a deep background in risk management and business continuity for SMB firms.
Michael Allen - Information Systems Security Officer for a Jamaican-based financial institution. Michael has over 8 years experience in IT, with a focus on Infosec during the last 4 years. He has a strong background in application development with a keen interest in penetration testing, software security assurance and network security.
Links
The "SecBiz" group on LinkedIn: http://www.linkedin.com/groups/SecBiz-4001160?gid=4001160&trk=hb_side_g
10/24/2011 • 43 minutes, 40 seconds
Down the Rabbithole - Episode 3 - "QA and Security, Can we make it work?"
Synopsis
Over the past year and a half or so, I've been pushing hard to change the paradigm around secure software - specifically the testing aspect of it - to incorporate a much heavier emphasis on quality assurance. That conversation spilled over into an OWASP conversation, which led Glenn, Rohit and I to sit down and record this conversation we had - as we appear to be of like mind. While it's not trivial to incorporate security testing into quality assurance, it's not impossible, and in fact, more practical than you may think. In this segment we discuss what security testing in a QA team looks like, how it's potentially split up, and whether we can really and truly make it work. Glenn provides his practical perspective as an implementer of this methodology, while Rohit and I provide an across-the-industry discussion and commentary. I think you'll find this podcast episode fascinating, especially if you're struggling with the QA/Security relationship.
Guests
Rohit Sethi - VP Product Development at SD Elements (http://www.sdelements.com)
Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, SecTor, Infosecurity New York and Toronto, TASK, the (ISC)2 Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.
Glenn Leifheit - Lead Information Security Consultant at FICO (http://www.fico.com)
Glenn Leifheit, CISSP, CSSLP is a Senior Security Architect at FICO. He has worked in developing, managing, architecting and securing large scale applications for over 15 years.
His day is spent rolling out an Enterprise secure software development lifecycle and managing PCI requirements as well as secure software reviews. Glenn is active in the Technology community as the Co-Chair of (ISC)2 Application Security Advisory Board, President of TechMasters Twin Cities, as an active member of IASA (International Association of Software Architects) and OWASP (Open Web Application Security Project) as well as a regional speaker evangelizing secure software. Glenn's blog is located at www.glennleifheit.com.
Links
No links for this podcast...
10/10/2011 • 30 minutes, 7 seconds
Down the Rabbithole - Episode 2 - "Can You Be Hacked Out of Business?"
Synopsis
This edition of the podcast doesn't hold back. We ask "Can someone be hacked out of business?" and as usual we don't really like the answers we come up with. While Martin, Rob and I have been in most every aspect of security for just over a combined 3 decades, we end up with a conclusion that I don't think any of us are comfortable with ... at least not that we were willing to say out loud, until now. So is it possible? Is DigiNotar being "hacked out of business" as Dark Reading suggests all FUD? Listen and find out where we go with this topic!
Guests
Rob Hale (UK) - An entrepreneur and industry commentator, Rob has over 12 years of experience working in the Security industry, with integrators, channel partners and vendors, providing advice and solutions for Enterprises & Government agencies to secure their networks, systems and data from internal and external threats.
Martin McKeay - Security Evangelist, Akamai
Rafal Los (aka the "Wh1t3 Rabbit") - HP Enterprise & Cloud Security Strategist
Links
The DarkReading story that started us thinking: http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231601790/diginotar-hacked-out-of-business.html
The company Rob brought up which actually was hacked out of business (Distribute IT) - http://risky.biz/distributeit
9/29/2011 • 35 minutes, 35 seconds
Down the Rabbithole - Episode 1 - "Everyone's getting hacked, is it time to panic?"
This is the inaugural podcast episode of Down the Rabbithole.
Our podcast focuses on security, but from a business perspective, and shines a light on the often misunderstood connection between Information Security and "business".
Today's guests were:
Chris Nickerson - Founder, Lares Consulting
Will Gragido - Lead Researcher, HP TippingPoint DV Labs
Martin McKeay - Security Evangelist, Akamai
The topic for today's podcast was the question: "Everyone's getting hacked, should I panic?" ... and we also mention the HP TippingPoint DVLabs 1st Half 2011 Cyber Threat Report.
Links:
Chris Nickerson mentions his "12-step blog post" > http://www.laresblog.com/2010/04/confessions-of-secaddict.html
Martin McKeay mentions Sony's "lawyer approach" > http://arstechnica.com/gaming/news/2011/09/mandatory-ps3-update-removes-right-to-join-in-a-class-action-lawsuit.ars
HP TippingPoint DV Labs 2011 Mid-Year Top Cyber Security Risks Report > http://www.hpenterprisesecurity.com/collateral/report/CyberSecurityRisksReport.pdf
9/16/2011 • 38 minutes, 30 seconds
The #SecBiz Podcast - Talking "Cloud Security" with Phil Cox
Phil Cox joins Rafal (aka Wh1t3 Rabbit) and Martin McKeay and a gallery of others discussing the issues with the very nebulous term "Cloud Security", what it means, and how we as vendors can realistically help the consumers of cloud get a handle on what the heck this all means.
Fascinating conversation ensues.