PLAY PODCASTS
Security Weekly Podcast Network (Video)

Security Weekly Podcast Network (Video)

4,876 episodes — Page 20 of 98

Threat Intelligence & Threat Hunting - Chris Cochran - ESW Vault

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on September 22, 2021. Chris will discuss the relevance of intelligence and threat hunting today and how they work together. He will also talk about his EASY framework for creating impactful intelligence and its relation to hunting! Show Notes: https://securityweekly.com/vault-esw-8

Feb 22, 202422 min

Illuminating Cybersecurity Wisdom: Insights from a Thought Leader - Wendy Nather - PSW Vault

Join us in this illuminating podcast episode as we sit down with Wendy Nather, a distinguished thought leader and cybersecurity strategist, who has left an indelible mark on the ever-evolving landscape of digital security. Wendy's journey in cybersecurity is a narrative woven with expertise, innovation, and a deep understanding of the intersection between technology and risk. With a career that spans strategic roles in both the public and private sectors, Wendy has become a trusted voice in the industry, offering insights that resonate with cybersecurity professionals and enthusiasts alike. As the Head of Advisory CISOs at Cisco, Wendy Nather brings a unique perspective to our conversation. Explore with us as she shares her experiences navigating the complex cybersecurity challenges faced by organizations today. Wendy's strategic vision has helped shape cybersecurity policies, risk management frameworks, and resilient strategies for a myriad of enterprises. Dive into Wendy's wealth of knowledge as she discusses the dynamic nature of cyber threats, the importance of proactive cybersecurity measures, and the evolving role of technology in safeguarding our digital future. Her commitment to demystifying complex security concepts and fostering a culture of resilience makes this podcast episode a must-listen for anyone passionate about cybersecurity. Beyond her corporate role, Wendy is a prolific writer, speaker, and educator, contributing to the collective cybersecurity knowledge base. Join us as we explore her insights on emerging trends, best practices, and the human element in cybersecurity—a facet often overlooked but crucial in building robust defense strategies. Don't miss this opportunity to gain valuable perspectives from one of the industry's leading minds. Tune in to our podcast and discover the wisdom and foresight that Wendy Nather brings to the world of cybersecurity. Show Notes: https://securityweekly.com/vault-psw-8

Feb 21, 20241h 5m

Back to School: Networking 101 - SWN Vault

Check out this interview from the SWN Vault, hand picked by main host Doug White! This segment was originally published on October 4, 2018. This week, Russ takes the reigns in the absence of Dr. Doug to talk about Networking 101! We are going to go back to school to examine how networking and the internet actually work. Russ looks at MAC addresses, IP Addressing (Private/Public), DHCP, routing, and DNS. Show Notes: https://securityweekly.com/vault-swn-11

Feb 20, 202426 min

Redefining Threat Modeling - Security Team Goes on Vacation - Jeevan Singh - ASW Vault

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models. Segment Resources: - Original blog: https://segment.com/blog/redefining-threat-modeling/ - Open Sourced slides: https://github.com/segmentio/threat-modeling-training Show Notes: https://securityweekly.com/vault-asw-8

Feb 20, 202438 min

The New BISO Role – A Career Path to CISO? - BSW Vault

Check out this interview from the BSW Vault, hand picked by main host Matt Alderman! This segment was originally published on February 22, 2022. The Business Information Security Officer, or BISO, is relatively new and somewhat controversial role. Does this role act as the CISO's non-technical liaison to the business units or as the CISO's deputy to oversee strategy implementation at a granular level? Is this new role a necessary career path for future CISOs or an entry point into security? The BSW hosts debate! Show Notes: https://securityweekly.com/vault-bsw-8

Feb 19, 202423 min

Batman, Microsoft, War Driving, OpenAI, DevDrive, The Dead, Aaran Leyland, and More - SWN #363

Batman, Microsoft, War Driving, OpenAI, DevDrive, Scams, The Dead, Aaran Leyland, and more are on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-363

Feb 16, 202434 min

Pretending to be Batman, self-destructing USB drives, and controlling your dreams - ESW #350

This is almost a special episode on crazy new products. For the first half of the show, we discuss startup funding, market forces, acquisitions - stuff we usually discuss. Then we get into all the crazy new AI and non-AI products being announced and coming out. Have some disposable cash to pre-order crazy gadgets? This is the episode for you! Show Notes: https://securityweekly.com/esw-350

Feb 16, 20241h 8m

Material: cybersecurity word of the year, thanks to the SEC - Amer Deeba - ESW #350

In this segment, featuring guest Amer Deeba, we'll explore how the SEC's new breach reporting rules will affect companies. We've got a ton of questions: What behavior has to change? What additional preparation needs to take place? How does this rule affect data security? How does it affect crisis communications? And most importantly, when is an incident "material"? Show Notes: https://securityweekly.com/esw-350

Feb 15, 202445 min

Navigating the Cybersecurity Frontier: Insights from a Seasoned Professional - Toby Miller - PSW #817

Welcome to a riveting episode of Hacker Heroes, where we sit down with Toby Miller, a distinguished figure in the realm of cybersecurity. Toby brings a wealth of experience and a passion for fortifying digital landscapes against ever-evolving threats. Armed with a profound understanding of cybersecurity intricacies, Toby has spent years honing his skills in the field. As a seasoned professional, he has not only weathered the storms of the digital frontier but has emerged as a beacon of knowledge and resilience in the face of cyber challenges. Join us as we delve into Toby's journey, from the early days of his career to his current role as a cybersecurity expert. Gain valuable insights into the dynamic nature of cyber threats, the evolving tactics employed by malicious actors, and the strategies Toby employs to stay one step ahead in the ever-changing cybersecurity landscape. Toby's expertise extends across a spectrum of cybersecurity domains, including risk management, threat intelligence, and incident response. Discover the mindset that propels him forward in the pursuit of securing digital infrastructures and safeguarding sensitive information. In this podcast episode, Toby Miller shares anecdotes from the front lines of cybersecurity, offering our listeners a firsthand account of the challenges faced by professionals in the industry. Whether you're a cybersecurity enthusiast, a fellow professional, or someone navigating the digital landscape, Toby's insights are sure to enlighten and inspire. Show Notes: https://securityweekly.com/psw-817

Feb 15, 20241h 0m

Panel: Physical Security and Social Engineering - PSW #817

In this segment, we discuss topics related to physical security and social engineering. We also touch on the challenges and strategies for implementing effective security measures. The discussion highlights the importance of understanding the relationship between physical security and social engineering. The panel emphasizes the need for a comprehensive approach to security, acknowledging that social engineering and physical security often go hand in hand. We stress the significance of testing physical security measures and conducting threat assessments to ensure robust protection against potential threats. The conversation touches on the concept of usability versus security, acknowledging that security measures should provide a balance between effective protection and practical usability. We explore the vulnerabilities of certain security technologies, such as biometrics, and underscore the need for continuous evaluation and adaptation of security measures to mitigate emerging threats. Show Notes: https://securityweekly.com/psw-817

Feb 14, 20241h 3m

Proactive Compliance, Improving Cybersecurity Culture, and Hiring The Right Skills - BSW #338

In the leadership and communications section, SEC's Enforcement Head: It's Time for 'Proactive Compliance', Improving cybersecurity culture: A priority in the year of the CISO, Breaking Down Barriers: 6 Simple Measures to Overcome Communication Barriers, and more! Show Notes: https://securityweekly.com/bsw-338

Feb 13, 202434 min

LLMs & Security Tools, Shim Vuln, AI Threat Models, Configuration as Code with Pkl - ASW #273

LLMs improve fuzzing coverage, the Shim vuln threatens Linux secure boot, considering AI application threat models, a new language for a configuration file format, and more! Show Notes: https://securityweekly.com/asw-273

Feb 13, 202438 min

Creating Code Security Through Better Visibility - Christien Rioux - ASW #273

We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well" should even be. Segment Resources: https://www.lacework.com/blog/introducing-a-new-approach-to-code-security/ Show Notes: https://securityweekly.com/asw-273

Feb 13, 202445 min

Angry mobs, Azure, Avanti, Rhysida, Warzone, Flipper Zero, Josh Marpet, and More - SWN #362

Angry mobs, Azure, Avanti, Rhysida, Warzone, Flipper Zero, Bitlocker, Josh Marpet, and more are on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-362

Feb 13, 202427 min

Fake IDs threaten ID verification services, PANW hits $100B valuation, and other news - ESW #349

This week, we discussed how a quick (minutes) and cheap ($15 a pop) fake ID service creates VERY convincing IDs that are possibly good enough to fool ID verification services, HR, and a load of other scenarios where it's common to share images of an ID. Kudos to 404Media's work there. In the security market, we discuss who might be the first cybersecurity unicorn to go public in 2024, Oasis Security and Tenchi's funding rounds, Protect AI's acquisition of Laiyer AI and their FOSS project, LLM Guard. We discussed the seemingly inevitable M&A activity as unfunded security startups NEED to find a sale. Ross Haleliuk had an interesting LinkedIn post that goes deeper on this topic. Finally, we discussed Tyler's observation that Palo Alto Networks did the seemingly impossible - increased their valuation from $19B to over $100B in 5 years, despite having to weather a pandemic and market downturn along the way! Ryan pointed out that PANW joined the S&P 500 somewhere along the way - a watershed moment for them. We discussed Bluesky and how it's likely too little too late when it comes to building back the community we lost when much of the InfoSec community left Twitter. We also discussed a cybersecurity training scammer, Daniel Miessler's new Fabric tool, AnyDesk getting hacked, The Real Shim Shady vuln, new (voluntary) cybersecurity goals for healthcare, and the lack of toothbrush-enabled DDoS attacks! Full show notes here: https://www.scmagazine.com/podcast-episode/3061-enterprise-security-weekly-349 Show Notes: https://securityweekly.com/esw-349

Feb 9, 202453 min

RoboJoe, SHIM, Fortinet, FaceOff, Simswap, sudo in Windows, Aaran Leyland, and More - SWN #361

RoboJoe, SHIM, Fortinet, FaceOff, Simswap, sudo in Windows, Aaran Leyland, and More on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-361

Feb 9, 202435 min

Shim Shady and Algorithm Lovers - PSW #816

In the Security News: - Shim Shady, Up Shims Creek, whatever you want to call it, there's a vulnerability affecting pretty much all Linux distributions (and other operating systems as well), when your toothbrush attacks the Internet, or some claim, glibc has some vulnerabilities, not all got a CVE, and one is for the algorithm lovers, Google shows some love for Rust, beating Bitlocker in 43 seconds, DEF CON was canceled, then uncancelled, and I'm not even joking this time, and the Government is here to "unhack" your router, Show Notes: https://securityweekly.com/psw-816

Feb 9, 20241h 57m

Zero-Trust is Meaningless if Your Cryptography is Flakey - Vincent Berk - ESW #349

Legacy systems are riddled with outdated and unreliable cryptographic standards. So much so that recent proprietary research found 61 percent of the traffic was unencrypted, and up to 80% of encrypted network traffic has some defeatable flaw in its encryption No longer can enterprises take their cryptography for granted, rarely evaluated or checked. Knowing when, where and what type of cryptography is used throughout the enterprise and by which applications is critical to your overall security policy, zero-trust approach, and risk management strategy. After all, zero-trust is meaningless if your cryptography isn't working. Segment Resources: https://www.businesswire.com/news/home/20231030166159/en/Proprietary-Research-from-Quantum-Xchange-Shows-the-Dreadful-State-of-Enterprise-Cryptography https://www.forbes.com/sites/forbestechcouncil/people/vincentberk/?sh=3d88055852c1 This segment is sponsored by Quantum Xchange. Visit https://securityweekly.com/quantumxchange to learn more about them! Show Notes: https://securityweekly.com/esw-349

Feb 8, 202446 min

You Can't Defend What You Can't Define - Sergey Bratus - PSW #816

As a computer-smitten middle-schooler in the former Soviet Union in the 1970s, to his current and prominent role in the cybersecurity research community, Bratus aims to render the increasingly prevalent and perilous software, hardware, and networks in our lives much safer to use. His fascination with computer security started for real in the 1990s as a mathematics graduate student when a computer he was programming and responsible for at Northeastern University in Boston was taken over by a hacker. That experience set him on his life's mission to learn as much as he can about the vulnerabilities of software and hardware with the goal of learning how to best minimize or eliminate those vulnerabilities. Noting his embrace of the hacker community for its deep and innovative expertise in this context, Bratus's portfolio at DARPA could help reduce or entirely remove even some of the most stealthy and unexpected vulnerabilities that reside in software and its logical, computational, and mathematical foundations. Segment Resources: • Overall Portfolio: https://www.darpa.mil/staff/dr-sergey-bratus • Safe Documents: https://www.darpa.mil/news-events/2023-06-14 • Enhanced SBOM for Optimized Software Sustainment: https://sam.gov/opp/d0af3e325a594a8191b94e3f80b6bdcd/view • V-SPELLS program: https://www.theregister.com/2023/08/18/darpalegacybinary_patching/ • Digital Corpora Project: https://www.jpl.nasa.gov/news/jpl-creates-worlds-largest-pdf-archive-to-aid-malware-research • SocialCyber: https://www.technologyreview.com/2022/07/14/1055894/us-military-sofware-linux-kernel-open-source/ • Weird Machines: https://www.darpa.mil/program/hardening-development-toolchains-against-emergent-execution-engines • Safe Docs: https://www.darpa.mil/news-events/2023-06-14 • Exploit programming: https://www.usenix.org/publications/login/december-2011-volume-36-number-6/exploit-programming-buffer-ove Show Notes: https://securityweekly.com/psw-816

Feb 8, 20241h 4m

Sorting Out Glibc Vulns, Apple's Security Research Device, BoringSSL, Old C Vulns - ASW #272

Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Show Notes: https://securityweekly.com/asw-272

Feb 6, 202436 min

Teens Gone Wild, Nintendo, Anydesk, RUST, Google, Deepfakes, Jason Wood, and more - SWN #360

Teens Gone Wild, Nintendo, Anydesk, RUST, Google, Deepfakes, Jason Wood, and more are on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-360

Feb 6, 202434 min

Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272

We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org. Segment Resources: https://owasp.org/www-project-product-security-capabilities-framework/ https://github.com/OWASP/pscf https://prods.ec/ https://owaspsamm.org https://iso25000.com/index.php/en/iso-25000-standards/iso-25010 https://www.scmagazine.com/podcast-episode/application-security-weekly-242 Show Notes: https://securityweekly.com/asw-272

Feb 6, 202437 min

Pick Your Battles To Avoid Overconsolidation - Jess Burn, Jeff Pollard - BSW #337

Large security vendors and hyperscalers, including Microsoft, continue to expand their cybersecurity product and service portfolios. Microsoft's extensive enterprise reach, massive partner network, and enormous influence in the C-suite puts pressure on CIOs and CISOs to consolidate on it as much as possible for cybersecurity. This report helps security leaders understand Microsoft's cybersecurity portfolio, the tactics it uses, and how to manage peer and executive pressure to single-source security technology. Show Notes: https://securityweekly.com/bsw-337

Feb 6, 202429 min

Security Money - The Index Comes Roaring Back - BSW #337

It's time to review the money of security, including public companies, IPOs, funding rounds and acquisitions from the previous quarter. We also update you on the Security Weekly 25 index. The index came roaring back last quarter. Here are the stocks currently in the index: SCWX Secureworks Corp PANW Palo Alto Networks Inc CHKP Check Point Software Technologies Ltd. SPLK Splunk Inc GEN Gen Digital Inc FTNT Fortinet Inc AKAM Akamai Technologies, Inc. FFIV F5 Inc ZS Zscaler Inc OSPN Onespan Inc LDOS Leidos Holdings Inc QLYS Qualys Inc VRNT Verint Systems Inc. CYBR Cyberark Software Ltd TENB Tenable Holdings Inc DARK Darktrace PLC S SentinelOne Inc NET Cloudflare Inc CRWD Crowdstrike Holdings Inc NTCT NetScout Systems, Inc. VRNS Varonis Systems Inc RPD Rapid7 Inc FSLY Fastly Inc RDWR Radware Ltd ATEN A10 Networks Inc Show Notes: https://securityweekly.com/bsw-337

Feb 5, 202428 min

E-Coli, Mercedes, Cloudflare, Ivanti, VT, GIGO, AI, Congress, Aaran Leyland and more - SWN #359

E-Coli, Mercedes, Cloudflare, Ivanti, Volt Typhoon, GIGO, AI, Congress, Aaran Leyland, and more are on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-359

Feb 2, 202433 min

The Internet of Shit, AI Funding, Market Struggles, The Cyber Why, and when to Quit - ESW #348

In this week's Enterprise Security News, Adrian, Tyler, and Katie discuss: 1. Tons of funding! 2. A notable acquisition! 3. The line is blurring between services and product firms 4. Apparently IronNet isn't dead? 5. The toxicity of Hero culture in tech 6. Knowing when to quit 7. AI-powered fraud is hitting close to home 8. Quantum snake oil is getting worse 9. Prompt injection 10. Are you being hacked by your washing machine? All that and more, on this episode of Enterprise Security Weekly. Show Notes: https://securityweekly.com/esw-348

Feb 2, 202459 min

The Elephant in the Pipeline: Securing the Wild, Untamed Software Supply Chain - Pete Morgan - ESW #348

We've seen general users targeted with phishing, financial employees targeted for BEC scams, and engineers targeted for access to infrastructure. The truly scary attacks, however, are the indirect ones that are automated. The threats that come in via software updates, or trusted connections with third parties. The software supply chain is both absolutely essential, and fragile. A single developer pulling a tiny library out of NPM can cause chaos. A popular open source project changing hands could instantly give access to millions of systems. Every day, a new app store or component repository pops up and becomes critical to maintaining infrastructure. In this interview, we'll chat with Pete Morgan about how these risks can be managed and mitigated. Segment Resources: https://blog.phylum.io/q3-2023-evolution-of-software-supply-chain-security-report/ https://blog.phylum.io/software-supply-chain-security-research-report-q2-2023/ https://blog.phylum.io/q1-2023-evolution-of-software-supply-chain-security/ Show Notes: https://securityweekly.com/esw-348

Feb 1, 202446 min

Identifying Bad By Defining Good - Danny Jenkins - PSW #815

Danny Jenkins, CEO & Co-Founder of ThreatLocker, a cybersecurity firm providing Zero Trust endpoint security, is a leading cybersecurity expert with over two decades of experience building and securing corporate networks, including roles on red and blue teams. He is dedicated to educating industry professionals about the latest cyber threats and frequently speaks on the topics of ransomware and Zero Trust. This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them! Show Notes: https://securityweekly.com/psw-815

Feb 1, 202454 min

CVE, CVSS, EPSS Falls Short - PSW #815

When an RCE really isn't, your kernel is vulnerable, calling all Windows 3.11 experts, back to Ebay, Turkish websites and credentials, 10 public exploits for the same vulnerability, hacking Bitcoin ATMs, another vulnerability disclosure timeline gone wrong, Flipper Zero tips and how you should not use it to change traffic lights, Windows 11 S mode, and you're dead (but like in the movie Hackers dead), and more! Show Notes: https://securityweekly.com/psw-815

Feb 1, 20242h 2m

Vulns & Secure Design, MiraclePtr Success, Abandoned Projects & Maven, Old "AI Chip" - ASW #271

Vulns in Jenkins code and Cisco devices that make us think about secure designs, MiraclePtr pulls off a relatively quick miracle, code lasts while domains expire, an "Artificial Intelligence chip" from the 90s, and more! Show Notes: https://securityweekly.com/asw-271

Jan 30, 202440 min

Google, WhiteSnake, Outlook, NSA, Juniper, Jason Wood, and More - SWN #358

This week in the Security Weekly News: the NSA admits to secretly buying your internet browsing data, malicious Google ads target Chinese users, Juniper releases update for Junos OS flaws, Outlook could be leaking your NTLM passwords, WhiteSnake malware on Windows, Jason Wood discusses new guidance on the Microsoft "Midnight Blizzard" attack, and more! Show Notes: https://securityweekly.com/swn-358

Jan 30, 202427 min

Getting Your First Conference Presentation - Sarah Harvey - ASW #271

We return to the practice of presentations, this time with a perspective from a conference organizer. And we have tons of questions! What makes a topic stand out? How can an old, boring topic be given new life? How do you prepare as a first-time presenter? What can conferences do to foster better presentations and new voices? Segment resources: https://bsidessf.org https://infosec.exchange/@worldwise001/111280163638514582 https://www.youtube.com/watch?v=1lVIeh5f4Rg Show Notes: https://securityweekly.com/asw-271

Jan 30, 202438 min

Year of the CISO as CISOs Struggle for C-Suite Status and Expectations Skyrocket - BSW #336

In the leadership and communications section, A tougher balancing act in 2024, the year of the CISO, CISOs Struggle for C-Suite Status Even as Expectations Skyrocket, Want to Be a Better Leader? Stop Thinking About Work After Hours, and more! Show Notes: https://securityweekly.com/bsw-336

Jan 30, 202427 min

Cyber Readiness: Train As You Fight - William Hutchison - BSW #336

How do you prepare for a cyber incident? You train as you fight, but in what environment? William "Hutch" Hutchinson, CEO and co-founder of SimSpace, joins BSW to share cyber best practices and why testing in your operational environment not a good idea. Learn what it takes to be Cyber Ready. Show Notes: https://securityweekly.com/bsw-336

Jan 29, 202427 min

Veolia, FeverWarn, SystemK, Fortra, GitLab, Ring, Trickbot, Aaran Leyland, and More - SWN #357

Visa RB Cash AP Formula 1 Team, Veolia, FeverWarn, SystemK, Fortra, GitLab, Ring, Trickbot, Aaran Leyland, and More News on the Security Weekly News. Show Notes: https://securityweekly.com/swn-357

Jan 26, 202432 min

Secret Double Octopus, Furbies, and Too Much Data! - ESW #347

Oleria, Vicarius, and Secret Double Octopus raise funding (NOTE: Secret Double Octopus is a real company that chose Secret Double Octopus as their name, I'm making none of this up). Rumors about Zscaler's next 9-digit acquisition, 2 new security vendors and demystifying public cybersecurity companies. Chrome gets AI features, security teams have TOO much data, and a new threat intel database from Wiz. Is bootstrapping a cybersecurity startup a realistic option? Finally, remember Furbies? NSA's furby docs just dropped, and they are HILARIOUS. Thanks to Jason Koebler from 404Media for that. Show Notes: https://securityweekly.com/esw-347

Jan 26, 202457 min

2024: The Year Cross-Platform Endpoint Management Finally Gets Good? - Zach Wasserman - ESW #347

We interview the co-founder and CTO of Fleet to understand why good, cross platform MDM/EMM has been such a challenge for so many years. Want good Windows device management? You're probably going to compromise on MacOS management. Ditto for Windows if you prioritize your Macs. Want good Linux device management? It doesn't exist. Hopefully, Fleet can change all that in 2024, as they aim to complete their support for all major platforms, using the open source OSQuery project as their base. Segment Resources: Zach's GitHub Zach's Conf42 DevSecOps Presentation on Securing the endpoint with open source software GopherCon 2022: Collect First, Ask Questions Later Glitches in the Matrix, or Taming Agent Chaos Show Notes: https://securityweekly.com/esw-347

Jan 25, 202442 min

MS Breach, printers, Android hacking - PSW #814

In the Security News: Don't expose your supercomputer, auth bypass and command injection FTW, just patch it, using OSQuery against you, massive credential stuffing, backdoors in Harmony, looking at Android, so basically I am licensing my printer, hacking Tesla, injecting keystrokes over Bluetooth, and remembering the work of David L. Mills. Show Notes: https://securityweekly.com/psw-814

Jan 25, 20242h 12m

What Smart CISOs and Mature Orgs Get That Others Don't About Cyber Compliance - Matt Coose - PSW #814

Matt Coose is the founder and CEO of cybersecurity compliance firm Qmulos, previously the director of Federal Network Security for the National Cyber Security Division of the (DHS). CISOs carry the ultimate burden and weight of compliance and reporting and are often the last buck. Says Coose, best-of-breed is better described as best-to-bleed-the-budget: it's a bottom-up, tech-first, reactive approach for acquiring technology as opposed to managing risk. Coose shares his top considerations below for how CISOs can navigate the crowded market of cybersecurity tools when cost is highly scrutinized, but regulations keep growing. Platforms are what every vendor dreams of being called, but no platform does it all, says Coose. Coose shares what smart CISOs and mature organizations understand, that others don't: • There's no "buying their way out of security issues or into a better risk posture." They understand the need to evolve to a top-down, risk-driven, inherently business-aligned, dynamically adaptable, and evidence-based security management strategy. • That looking at technology choices through the lens of risk controls (and the related data provided by technology that implements those controls) enables credible and transparent strategic tech portfolio management decisions that are immune to vendor preferences or the latest market(ing) fads. • The need for meaningful security and risk measurement and the difference between leading and lagging indicators. • The original intent of security and regulatory compliance as a model for proactive and consistent risk management (leading indicator), not just a historical reporting and audit function (lagging indicator). • That managing risk, compliance, and security as distinct and separate functions is not only wasteful and inefficient, but denies the enterprise the ability to cross-leverage significant people, process, and technology investments Show Notes: https://securityweekly.com/psw-814

Jan 25, 20241h 2m

RoboJoe, Apple, VMWARE, AI, Confluence, Scarcruft, Microsoft, Jason Wood, and More - SWN #356

RoboJoe, Apple, VMWARE, AI Vision, Confluence, Scarcruft, Microsoft, Jason Wood, and more on this Edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-356

Jan 23, 202430 min

Security in Wrenches, Vulns in Atlassian and GitLab, 2023's Top Web Hacking Tricks - ASW #270

Vulns throw a wrench in a wrench, more vulns drench Atlassian, vulns send GitLab back to the design bench, voting for the top web hacking techniques of 2023, and more! Show Notes: https://securityweekly.com/asw-270

Jan 23, 202434 min

Dealing with the Burden of Bad Bots - Sandy Carielli - ASW #270

Where apps provide something of value, bots are sure to follow. Modern threat models need to include scenarios for bad bots that not only target user credentials, but that will also hoard inventory and increase fraud. Sandy shares her recent research as we talk about bots, API security, and what developers can do to deal with these. Segment resources https://www.forrester.com/blogs/avoid-a-bot-waterloo/ https://www.forrester.com/blogs/are-your-bot-management-tools-up-to-date-to-handle-the-holiday-season/ https://www.theguardian.com/technology/2023/sep/05/swedish-criminal-gangs-using-fake-spotify-streams-to-launder-money Show Notes: https://securityweekly.com/asw-270

Jan 23, 202434 min

Say Easy, Do Hard, Hiring a CISO, Part 2 - BSW #335

Inspired by my co-host, Jason Albuquerque, we get our hands dirty and discuss the challenges of hiring a CISO. How will the new SEC regulations impact the role for both organizations and individuals? In part 2, we get our hands dirty by addressing CISO hiring from the individual CISO. What should you look for in a CISO role? What questions should you be asking during the interview process? What are the non-negotiable items that must be part of the offer? Show Notes: https://securityweekly.com/bsw-335

Jan 22, 202429 min

Google, Pax, LeftOverlocals, Mint Sandstorm, DJI, Colossus, Aaran Leyland, and More - SWN #355

Google, Pax, LeftOverlocals, Mint Sandstorm, DJI, Colossus, JelloRain, Aaran Leyland, and More News on the Security Weekly News. Show Notes: https://securityweekly.com/swn-355

Jan 19, 202434 min

Dogs, AI, and Gyrogears (it's a slow security news week) - ESW #346

On this segment, we talk a lot about AI, new technologies, and the future from a personal and consumer standpoint. Not a lot of enterprise-relevant stuff in the news today, but consumer products and AI will have a HUGE long-term impact, so that's how we're justifying today's topical focus ;) Show Notes: https://securityweekly.com/esw-346

Jan 19, 202456 min

Creating Trust in Biometric Authentication for Identity Verification - Sabrina Gross - ESW #346

The general public has varied opinions of biometric authentication, and an increasingly reluctant relationship with it, as more and more facial recognition is forced upon us (especially those of us that travel frequently). Facial recognition doesn't work for everyone, so what other options do we have? In this interview, we'll explore accessibility in identity verification and the viability of voice-based authentication. How big an issue are AI-powered voice imposters? How will companies like Veridas combat these threats? We'll ask all these questions and more in this ESW interview. Show Notes: https://securityweekly.com/esw-346

Jan 18, 202448 min

Bigpanzi, PixieFAIL, Dark Xmas - PSW #813

In the Security News: Bricked Xmas, If you can hack a wrench, PixieFail and disclosure woes, exposing Bigpanzi (more Android supply chain issues, 20 years of OpenWRT, Jamming, traffic lights, and batteries don't work that well in the extreme cold. All that and more on this episode of Paul's Security Weekly! Show Notes: https://securityweekly.com/psw-813

Jan 18, 20241h 50m

K-12 Cybersecurity - Brian Stephens - PSW #813

With a recent increase in government attention on K–12 cybersecurity, there is a pressing need to shed light on the challenges school districts face in implementing necessary security measures. Why? Budgeting constraints pose significant obstacles in meeting recommended cybersecurity standards. Brian Stephens of Funds For Learning will discuss: The financial constraints K–12 schools face and the critical role of funding from federal and state governments in addressing cybersecurity concerns. Efforts by Funds For Learning to petition the FCC to expand E-rate funding to support next-generation firewalls and other cybersecurity services. By expanding the technologies and solutions eligible for E-rate funding, schools can obtain the necessary resources to protect against the growing threat of third-party data breaches. Here are links to the most current blog posts about Cybersecurity Notice of Proposed Rulemaking https://www.fundsforlearning.com/news/2023/11/dont-miss-your-chance-to-impact-e-rate-cybersecurity/, Wi-Fi hotspots https://www.fundsforlearning.com/news/2023/11/wi-fi-hotspots-proposed-for-e-rate-program/ and school bus Wi-Fi https://www.k12dive.com/news/fcc-approves-school-bus-wifi-e-rate/697337/. Funds For Learning also facilitated an informational webinar on the Cyberserucrity Notice for Proposed Rulemaking https://fundsforlearning.app.box.com/s/5gp9qr938qtgs0ug92nkgfvrjvtil4sf. Funds For Learning also conducts an annual survey for E-rate applicants to provide their feedback on the E-rate program. The responses are shared with the FCC through the Funds For Learnings annual E-rate Trends Report. https://www.fundsforlearning.com/e-rate-data/trendsreport/. Lastly, here is an article from Brian about cybersecurity and why it should be funded through E-rate https://www.eschoolnews.com/it-leadership/2023/09/29/will-cybersecurity-receive-e-rate-funding/ Show Notes: https://securityweekly.com/psw-813

Jan 18, 20241h 1m

Atari 400, Gitlab, Sonicwall, Juniper, Stats, Ivanti, Sharepoint, Jason Wood and More - SWN #354

Atari 400, Gitlab, Sonicwall, Juniper, Ransomware stats, Ivanti, Sharepoint, Jason Wood, and more are on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-354

Jan 16, 202431 min

Communicating Technical Topics Without Being Boring - Eve Maler - ASW #269

It's time to start thinking about CFPs and presentations for 2024! Eve shares advice on delivering technical topics so that an audience can understand the points you want to make. Then we show how developing these presentation skills for conferences helps with presentations within orgs and why these are useful skills to build for your career. Show Notes: https://securityweekly.com/asw-269

Jan 16, 202435 min