Info Risk Today Podcast

3,490 episodes — Page 7 of 70

Passwords Are Unfit - So Why Do We Still Have Them?

Passwords are supported everywhere. But, says Andrew Shikiar, executive director of the FIDO Alliance, "they have been proven time and time again to simply be unfit for today's networked economy." In this episode of "Cybersecurity Unplugged," Shikiar discusses how to move beyond passwords.

Oct 3, 2022

Cyberwar: Assessing the Geopolitical Playing Field

The United States is arguably involved in a cyberwar against Russia and China - and appears to be losing. In this episode of "Cybersecurity Unplugged," Tom Kellerman of Contrast Security and Richard Bird of Traceable.ai discuss what the U.S. government and companies need to do to win this cyberwar.

Sep 29, 2022

Examining What Went Wrong for Optus

The latest edition of the ISMG Security Report discusses what went wrong for Optus in the wake of one of Australia's biggest data breach incidents, the state of code security today and the growing trend of private equity firms pursuing take-private deals.

Sep 29, 2022

It's 2022. Do You Know Where Your Old Hard Drives Are?

The latest edition of the ISMG Security Report discusses financial giant Morgan Stanley's failure to invest in proper hard drive destruction oversight, the future of ransomware and the gangs that have attacked organizations in recent years, and the methods required to secure new payments systems.

Sep 22, 2022

The Ransomware Files, Episode 11: The Adult Boutique

Dain Drake was CEO of a steel fabrication factory. In June 2019, Drake found himself standing outside a closed adult boutique in Houston at 10:00 a.m. on a Sunday. He called the owner and pleaded for him to come. He needed something inside, which might just save his business - from ransomware.

Sep 16, 2022

Analyzing Twitter's Security Nightmare

The latest edition of the ISMG Security Report discusses the appearance at a Senate hearing this week by the former head of security for Twitter; the top-performing web application and API protection vendors, according to Gartner's Magic Quadrant 2022; and threat trends to watch for in 2023.

Sep 15, 2022

Behind Agency Doors: Where Is Security Progress Being Made?

In this episode of "Cybersecurity Unplugged," U.S. Air Force Chief Software Officer Nicolas M. Chaillan, a former DHS and DOD adviser, shares his opinions about the government's handling of DevSecOps and cybersecurity, where progress is being made and where more work needs to be done.

Sep 12, 2022

Vulnerabilities Identified in Baxter Infusion Pump Devices

Vulnerabilities in certain medication infusion pump products from manufacturer Baxter could compromise a hospital's biomedical network. The flaws highlight the risks involving the acquisition and disposal of medical technology, says researcher Deral Heiland of Rapid7.

Sep 9, 2022

Protecting Industrial Security When Uptime Is Essential

In this episode of "Cybersecurity Unplugged," Mark Cristiano of Rockwell Automation discusses Rockwell's cybersecurity journey, the particular challenges of deploying cybersecurity in an OT environment, and the minimum and proper industrial protections that organizations need to have in place.

Sep 9, 2022

EvilProxy Bypasses MFA by Capturing Session Cookies

The latest ISMG Security Report discusses a new phishing-as-a-service toolkit designed to bypass multifactor authentication, the decision by Lloyd's of London to exclude nation-state attacks from cyber insurance policies, and challenges at Okta after it acquired customer identity giant Auth0.

Sep 9, 2022

Cybersecurity & Threat Modeling: Automated vs. Manual

Cybersecurity threat modeling: automated tools or manual methods? It's not an either-or situation, say Stephen de Vries, CEO and co-founder of IriusRisk, and Adam Shostack, president of Shostack and Associates. Each approach brings unique business value, and they discuss the merits of both methods.

Sep 7, 2022

Overcoming Zero Trust Obstacles in Healthcare

The sheer number of connected devices in healthcare environments is one of the top challenges healthcare entities face in adopting a zero trust approach to cybersecurity, says Zachary Martin, senior adviser at law firm Venable. He discusses the obstacles to achieving zero trust in healthcare.

Sep 2, 2022

Banning Ransoms: The Evolving State of Ransomware Response

The latest edition of the ISMG Security Report explores the possible unintended consequences of banning ransom payments, the challenges of opening a cyber intel firm during wartime, and the need for more clarity in the regulation of cryptocurrency firms.

Sep 1, 2022

Reducing Risks by Optimizing Your Cybersecurity Workflow

CISOs have enough tools to identify security weaknesses, says Yoran Sirkis, but they need a way to make the information those tools gather more accessible and to streamline the remediation process. The CEO of Seemplicity discusses how its platform can help security leaders manage remediations.

Aug 31, 2022

Addressing Security Risks of Mounting Legacy Health Data

In many healthcare entities, the amount of data that is being generated and retained continues to grow - and that mounting trove of legacy data is often never disposed of, expanding the surface for cyberattacks and other compromises, says Matthew Bernstein of consulting firm Bernstein Data.

Aug 26, 2022

Are Ransomware-as-a-Service Groups in Decline?

The latest edition of the ISMG Security Report discusses how ransomware-as-a-service groups are shifting their business models, how investigators battling cybercrime have been hindered by GDPR, and how employees consider workplace "choice" a key factor for job satisfaction.

Aug 25, 2022

Paul Martini of iboss on the Mainstream Market Embracing SSE

Implementation of security service edge technology has progressed over the past six months from early adopters to mainstream organizations, with requests for proposals around SSE projects now carrying tight deadlines rather than no deadline at all, says iboss co-founder and CEO Paul Martini.

Aug 22, 2022

The Complexity of Managing Medical Device Security Risk

The extremely diverse architectures and systems within the tens of thousands of very specialized types of medical devices used in clinical settings add to the complexity healthcare organizations and manufacturers face in managing cybersecurity risk for these products, says Phil Englert of H-ISAC.

Aug 19, 2022

Obsidian's Hasan Imam on Spotting SaaS App Vulnerabilities

Obsidian Security has in recent months invested in giving enterprises more visibility into how their SaaS applications are talking to other SaaS applications so that supply chain compromise can be more easily detected and thwarted, according to CEO Hasan Imam.

Aug 19, 2022

Kudelski Flexes Cryptography Muscle in Web3, Blockchain Area

Kudelski Security has made a big investment into the blockchain and Web3 security spaces, leveraging a team of 25 to help translate the company's expertise around cryptography and application security into the nascent market, according to CEO Andrew Howard.

Aug 19, 2022

How Are Ransomware Groups' Shakedown Tactics Evolving?

The latest edition of the ISMG Security Report discusses how ransomware groups continue to refine their shakedown tactics and monetization models, highlights from this year's Black Hat conference and why helping those below the "InfoSec poverty line" matters to businesses.

Aug 18, 2022

CrowdStrike's Michael Sentonas on Identity, Cloud and XDR

Identity, observability, log management and cloud security have been CrowdStrike's biggest areas of investment during 2022, says CTO Michael Sentonas. The company protects against the abuse of identities through a stand-alone capability embedded on the Falcon sensor.

Aug 17, 2022

Infoblox's Jesper Andersen on How to Identify Threats Sooner

Infoblox has invested in shifting left in the cybersecurity kill chain with on-premises, cloud and hybrid versions of its BloxOne Threat Defense tools, which help security practitioners find and identify threats earlier and mitigate risks, says President and CEO Jesper Andersen.

Aug 17, 2022

COVID-19's Impact on Cybersecurity Marketing

Marketers rely on events to create brand awareness and generate demand, and physical events are coming back after the COVID-19 pandemic, says Gily Netzer of Perimeter 81. But "not everybody is traveling," she says, so hybrid events - and SaaS-driven corporate networks - are the future for companies.

Aug 17, 2022

Sumedh Thakar on Fusing Vulnerability and Patch Management

Companies continue to struggle with prioritizing which vulnerabilities present the greatest risk to the business and need to be remediated first since vulnerability scoring is too often based on a static set of what could happen if an issue is exploited, says Qualys President and CEO Sumedh Thakar.

Aug 16, 2022

Why XDR Beats SIEM at Spotting Threats in Noisy Environments

SIEM can play a key role in aggregating log data for compliance or auditing purposes, but when it comes to identifying threat activity in an IT environment, nothing beats XDR, which excels at using advanced techniques to pinpoint threats in high volumes of data, says Secureworks' Ryan Alban.

Aug 16, 2022

Why Being Prepared Is the Key to Preventing Cyberattacks

Hybrid war includes cyberattacks, critical infrastructure attacks and efforts to get information. Victoria Beckman, director of Microsoft's Digital Crimes Unit in the Americas, says Ukraine used a national cybersecurity strategy to withstand such attacks from Russia and so can other countries.

Aug 15, 2022

Cyber Operations Keep Affecting Civilians as War Continues

The ISMG Security Report discusses how cyberattacks and operations tied to the Russia-Ukraine war have been affecting civilians since the start of Russia's invasion, whether a practicing cardiologist living in Venezuela is also a ransomware mastermind and effective bot management tooling strategies.

Aug 11, 2022

Secrets in the Code: Open-Source API Security Risks

In this episode of "Cybersecurity Unplugged," Apiiro's Moshe Zioni, vice president of security research, discusses the company's "Secrets Insights 2022" report on the real-world risks of hardcoded secrets across the software supply chain and how to mitigate the potential damage they can cause.

Aug 11, 2022

Medical Device SBOMs: Attention to Details Matter

It's not enough for medical device makers to provide a software bill of materials - there also needs to be close attention paid to how vulnerabilities in components are communicated and managed, says medical device security expert Ken Hoyme.

Aug 9, 2022

Russia-Ukraine War: Over 300 Cyber Operations Seen So Far

The ongoing Russia-Ukraine war has featured cyber operations being used to target Ukraine as well as Russia. But CyberPeace Institute, which tracks cyberattacks tied to the conflict, has so far seen 27 different countries being affected by more than 300 attacks, and many have affected civilians.

Aug 9, 2022

Hunting the Bad Guys Behind Golden SAML Attacks

In this episode of "Cybersecurity Unplugged," Yonatan Khanashvili describes in detail how Golden Security Assertion Markup Language attacks occur and how SOC platforms with much greater capacity to cross-correlate data than legacy SIEMs can help defenders detect and hunt for them.

Aug 8, 2022

Okta's Marc Rogers on Why Beating Ransomware Is a Team Sport

Increased collaboration between the public and private sectors hasn't slowed the increased frequency and ease of ransomware intrusions, but efforts to change the financial incentives of ransomware are having "a pretty good effect," says Marc Rogers, vice president of cybersecurity strategy at Okta.

Aug 5, 2022

Arctic Wolf's Dan Schiappa on Cloud Security in a Recession

The impending recession should accelerate cloud adoption as firms look to reduce infrastructure costs, but these moves will introduce a new set of security challenges. Arctic Wolf Chief Product Officer Dan Schiappa predicts many companies will start building security into their applications sooner.

Aug 5, 2022

Reducing Risk by Breaking Down Supply Chain Siloes

Supply chain risk must be part of an enterprisewide risk management program framework, says information security manager Matt Marciniak of financial service firm Quantile. Reducing risk requires an agile approach to supplier management, he says.

Aug 4, 2022

Ransomware: What We Know and What We Don't Know

This edition of the ISMG Security Report analyzes the latest ransomware trends from the European Union Agency for Cybersecurity, findings from the first-ever Cyber Safety Review Board on the Log4j incident, and how security and privacy leaders are harmonizing new U.S. privacy laws.

Aug 4, 2022

The Cryptocurrency Bloodbath and the Future of Crypto

Commodity markets have created a cryptocurrency bloodbath that may not be over, but Richard Bird of SecZetta says economic patterns in history show that crypto "is not invalidated as a mean of commerce and exchange." He discusses the blockchain and the possible future uses of crypto.

Aug 2, 2022

The Growing Cost of Data Breaches, Especially in Healthcare

Data breaches in the healthcare sector cost about $10.1 million - more than double the average cost of breaches across other industries - once again ranking the sector as having the most expensive data breaches, says Limor Kessem, principal consultant of cyber crisis management at IBM Security.

Jul 28, 2022

Analysis: How Uber Covered Up a Breach and Avoided Charges

The ISMG Security Report analyzes a settlement with the U.S. Justice Department, in which Uber accepts responsibility for a data breach cover-up to avoid criminal charges. It also discusses why early-stage startups are conserving cash and recent initiatives from the U.S. Federal Trade Commission.

Jul 28, 2022

Whatever Happened to Russia's Cyber War Against Ukraine?

The latest edition of the ISMG Security Report asks: Whatever happened to Russia's cyberwar against Ukraine? It also looks at the curious case of a cardiologist who's been accused of moonlighting as a developer of such notorious strains of ransomware as Thanos and Jigsaw.

Jul 22, 2022

Separating the Quantum Computing Hype From the Reality

Future quantum computers will decrypt encrypted data, so businesses feel pressure to find quantum-resistant security solutions for data transmission. Wells Fargo Bank's Peter Bordow discusses the state of quantum computing, approaches to quantum security, and privacy-enhancing technologies.

Jul 19, 2022

Assessing the Privacy, Security Risks of Digital Health IT

A new assessment framework aims to help patients, healthcare providers and others examine the various privacy, security and other risks of digital health technologies, says Tim Andrews of the nonprofit Organization for the Review of Care and Health Applications, which co-developed the framework.

Jul 18, 2022

Crime Watch: Why Are Ransomware Attacks Intensifying?

The latest edition of the ISMG Security Report analyzes why the number of ransomware attacks and the amounts being paid in ransoms are both on the rise. It also discusses today's cyberthreat landscape and whether organizations should rely on user training to improve security.

Jul 14, 2022

The Nature of Application Code

Rui Ribeiro, the founder and CEO of Jscrambler, a company that monitors and obfuscates JavaScript code, discusses the proliferation of web applications that use third-party code, the liability risks that often exist, and how Jscrambler's products can increase the security of all application code.

Jul 14, 2022

Big Health Data: Top Privacy, Security Considerations

Many healthcare sector entities are undertaking projects involving the collection, analysis and sharing of large volumes of health data. But along with those efforts come critical privacy and security concerns, says attorney Iliana Peters of Polsinelli.

Jul 13, 2022

The Ransomware Files, Episode 9: Dr. Ransomware, Part 1

Moises Zagala is a 55-year-old cardiologist living in Ciudad Bolivar, Venezuela. He has a bald head and an earnest smile. In one photo, he wears a doctor's white overcoat and has a stethoscope around his neck. But U.S. prosecutors allege Zagala led a double life and claim he's also a cybercriminal.

Jul 13, 2022

A New CISO Playbook

Chaim Mazal discusses the issues affecting CISOs, including how increased market share leads to increased problems and how having uniform, automated controls can provide security and enforce compliance.

Jul 12, 2022

How Double-Extortion Attacks Vary By Victims' Sector

Ransomware attackers executing double-extortion schemes very carefully choose which data to steal and leak based on victims' economic sector, says Erick Galinkin, artificial intelligence researcher at security firm Rapid7. He discusses the latest ransomware data theft trends.

Jul 11, 2022

Leveraging Interindustry Data to Discover Mule Accounts

How can you leverage artificial intelligence and make sense of data from different industries to determine whether a customer is creditworthy or whether an account is a mule account? Guy Sheppard, general manager of financial services at Aboitiz Data Innovation, discusses a case study.

Jul 8, 2022

How to Respond to the New 'Fraud Universe'

The latest edition of the ISMG Security Report discusses how financial service organizations should respond to the new "fraud universe." It also shares how CISOs can incorporate social media into their threat intelligence programs and describes the skills required by today's security leaders.

Jul 7, 2022