This week we're joined by Rapid7 founder and new IANS Faculty member Chad Loder to discuss the changing vulnerability scanning and management landscape and the need for more holistic, better integrated security awareness programs. Chad and I also touch on the goings on at last week's Black Hat and DEF CON events and talk about ways CISOs can improve their stature -- and their value prop -- within their organizations.
IANS Faculty Mark Clancy hops on the broadcast this week for a no-nonsense analysis of this week's global Petya-like ransomware attack. Mark brings his decades of experience as a security consultant, enterprise defender and threat intelligence expert to this discussion of the evolution of cyber-weapons, the limitations of real-time incident response and the tough choices teams make to balance protections and productivity.
It's a dangerous world out there, and guys like Jon Condra are here to help us make sense of it. The Director of East Asian Research and Analysis at risk and threat intelligence firm Flashpoint, Jon joins me this week to talk about the recent Flashpoint Business Risk Intelligence Decision Report he authored and share his insights on emerging threats from Russia, China, North Korea and a host of other international bad actors.
After a busy week in infosec, we needed help sorting the wheat from the chaff. Enter IANS' most prolific and acerbic faculty member, Dave Shackleford, to deliver the smackdown of truth on proposed updates to the ubiquitous NIST Framework, the present and future states of ransomware in the age of WannaCry, and the real value of President Trump's new cybersecurity executive order.
The WannaCry ransomware attack garnered global attention, but what should organizations be doing today to defend themselves against these types of attacks in the future? What’s the likelihood of a copycat attack in the near future? Was this simply a test for future, larger attacks?
IANS Faculty Dave Kennedy, president and CEO of TrustedSec and frequent guest on major news networks such as CNN and Fox, stops by the IANS studio to review the latest details surrounding the WannaCry attack and offer tips for thwarting future attacks, from disabling SMBv1 to implementing application whitelisting.
Special guest David Dewey, head of research at Pindrop Security, drops by to talk about Pindrop's comprehensive report on the frightening state of call-center fraud. We discuss how phone fraudsters, aided by VoIP and other call-manipulation technologies, are costing large enterprises millions in account takeovers, fraudulent purchases and returns, bogus money transfers and the occasional mayhem just for the lulz.
If it's springtime in New England, it must be time for faculty member Kevin Beaver to join us on the podcast to examine the Verizon Data Breach Investigations Report, better known as the DBIR. This week we dive into the 10th annual report and talk about what the findings say about our seeming inability to eradicate even basic security shortcomings like lousy passwords, porous web apps and our insatiable penchant for clicking on stuff. Any stuff.
Kevin and I also spend a few minutes talking about the Trump administration's efforts to improve security in federal government agencies and departments. And Kevin tells us why his passion for racing souped-up Mazda Miatas maybe isn't so crazy after all.
The IANS Podcast hits the road this week, meeting up with cloud expert and presentation powerhouse George Gerchow at our Washington DC Forum for a wide-ranging discussion of all things enterprise cloud security. George shares insights into the white-hot Cloud Access Security Broker (CASB) market, and dishes on behind-the-curtain action at the Big 3 cloud providers.
George also dives into SecDevOps, and talks about the need for coding savvy for infosec leaders in the new "security as code" world. He also shares how his other life pursuit as an accomplished musician informs his work as an information security thought leader.
This week, IANS Faculty Raffy Marty stops by to dish on the buzz -- and the hype -- surrounding machine learning and artificial intelligence in security. The VP of all things analytics at Sophos also talks improvements in visualization, trends in endpoint protection, and the need for better asset inventories and data classification in today's enterprises.
Well-known IT security and services expert Lawrence Walsh joins me this week to share his deep insights for vetting and working with managed security services providers (MSSPs) in a variety of settings. Larry and I also share a wide-ranging discussion of infosec industry trends, hits and misses from the recent RSA Conference, and the impact of the Trump administration on the tech sector.
This week I'm joined by IANS faculty member and Incite Learning founder Dr. David C. Kolb to talk about his popular series of organizational engagement and leadership skills courses now in their second year at the IANS Information Security Forums. David shares his thoughts on new sessions for 2017 targeting negotiation skills and the ability to thrive in the chaos that defines most infosec environments.
We also get in some Super Bowl talk and discuss how David's years as an outdoorsman and Outward Bound program leader have informed his work helping corporate executives hone their soft skills.
This week, Securosis founder and CEO Rich Mogull joins us to elaborate on his popular new blog series "Tidal Forces: The Trends Tearing Apart Security as We Know It." The thought-provoking articles, which will form the basis of Mogull's RSA talk next month, focus on fundamental changes in the nature of endpoints and the grand transformation toward cloud-based, as-a-service IT delivery. These changes, Mogull posits, are inflection points that will roil the multibillion dollar IT security market and require a significant rethinking of infosec by both vendors and practitioners.
The always-entertaining Joff Thyer of Black Hills Information Security shares his insights on threat hunting in the enterprise and gives advice on how information security leaders and teams can get maximum benefit from penetration tests -- from preparation and documentation to teaching moments and after-action items. We also take on more Yahoo! follies, the ongoing drama that is vendor vulnerability reporting, and the OTHER Russian hack -- the Methbot criminal enterprise stealing millions in video advertising revenues.
IANS faculty infosec experts Marcus Ranum, Dave Kennedy and Aaron Turner join me for a special edition of the IANS Information Security Podcast to discuss the recent DHS-FBI report attributing election-season hacking to Russian state-sponsored actors. We talk about the quality of the government's evidence in the matter and examine ways private-sector security professionals might be able to leverage the report's indicators of compromise to bolster their network defenses... or not.
Well-known security researcher and IoT expert Chris Poulin joins me this week to discuss the real issues around securing connected devices and embedded systems. Chris also talks about the challenges of increasingly connected automobiles and shares his optimistic view of Internet of Things as a beneficial platform for innovation.
Prolific IANS faculty member Aaron Turner brings his broad infosec expertise and sharp commentary to the 'cast this week on subjects ranging from the scourge of ransomware to the death of Microsoft's EMET. Aaron also addresses the sorry state of PIM/PAM in the enterprise, our failings in mobile device management and gives us a sneak peek at his Internet of Criminal Things talk at next year's RSA Conference.
Faculty member Kevin Johnson brightens the podcast studio this week for a rollicking conversation about incident response, penetration testing, and the value of business acumen for security leaders. A dedicated Star Wars fanatic, Kevin also talks about his charity work, including an upcoming 5K for the Arthritis Foundation that he'll "run" in full Darth Vader gear.
If you want to help Kevin and his team raise a few bucks for a great cause, go here.
IANS Senior Faculty Dave Shackleford joins the 'cast this week to talk about global DDoS threats, password policy problems, privileged credential management and the rising popularity of defensive threat-hunting efforts. Dave also shares his plans for presenting advanced web app pen testing techniques at IANS' first-ever London symposium next month.
The inimitable Hacking Dave himself, IANS Faculty member Dave Kennedy, joins us this week to talk about the recent password follies, ethical issues around vulnerability disclosures, and his advice for effective penetration testing and purple teaming. Dave also shares insights into the hyper-positive culture and vibe of DerbyCon and talks about witnessing the big win last June of his hometown Cleveland Cavaliers.
On the show this week, IANS faculty member Ken Van Wyk talks NSA vs. Shadow Brokers and shares his approach to crafting effective incident response exercises. Ken also tells us how he helps organizations tackle the elusive art of threat modeling in the enterprise. Also joining us this week, social media expert Ginger Stevenson on IANS efforts to engage clients and faculty on Twitter and LinkedIn.
Security journalist, analyst and pundit Paul Roberts joins the IANS Podcast this week to talk about the state of security in all things connected and embedded. The editor of The Security Ledger also gives us a preview of the agenda for the 3rd Annual Security of Things Forum next month.
This week, we venture north of the border to talk current events and pressing issues with faculty member and Akamai Global Security Advocate Dave Lewis. Dave riffs on getting back to infosec basics, along with IoT, industrial controls, medical devices, the infosec media and the need for soft skills in security leadership. And it wouldn't be a security podcast without some mention of Pokemon Go, which Dave brands as no better or worse than most mobile apps. Gotta catch 'em all!
IBM's Chris Poulin joins us this week to talk security for all things connected -- from cars to buildings to medical devices and more. Our esteemed IANS faculty member also riffs on secure coding, security leadership and what local politics has taught him about getting the right messages across in infosec.
Psychology expert and IANS Faculty member Katrina Rodzon joins me this week for an entertaining and informative look at advanced user-behavior modification and how organizations can use it to create a more effective security culture. Rodzon shares examples of successful, real-world enterprise programs and tells us why simple security awareness efforts are no longer enough to keep us safe.
IANS faculty member and Securosis CTO Adrian Lane joins me this week to talk about incentivizing security in the application development lifecycle and leveraging improvements in the security ecosystem growing up around Big Data initiatives. Lane also discusses security advantages in the cloud for those bold enough to fully embrace it and he tells me how being a gentleman farmer affects his thinking about infosec... or not.
This week, we're joined by infosec legend and firewall pioneer Marcus Ranum for a wide-ranging discussion of big ideas in network security, infosec program leadership, art, life and much more. Marcus gives us the inside dope on his Network Security: Reloaded talk and ponders which mistakes we're making today might haunt us in the future.
Securosis president and founder Mike Rothman joins me this week for a rollicking conversation about the enterprise cloud imperative and how automation and a strong SecDevOps culture are vital to cloud transformation. Mike also talks about the state of security program leadership a decade after he authored The Pragmatic CSO and we take a few shots at vendors and infosec industry hype. As one does.
Mentioned in the 'cast: Dennis Fisher's Ransomware Is Dope blog post: https://www.onthewire.io/ransomware-is-dope/
This week, IANS Chief Research Officer Stan Dolberg joins me to talk about the study of organizational engagement and its role in enterprise information security. Stan shares IANS data on security leadership performance and tells me how his passion for crafting fine studio furniture informs his approach to technology research.
This week I'm joined by old friend and tech journalism colleague Dennis Fisher to talk about phone fraud and "card not present" scams and examine cutting edge tools to defend against these growing threats to the enterprise. We also talk security in the IoT space and take a no-holds-barred look at the state of infosec coverage in today's technology trade press.
Check out Dennis Fisher's infosec coverage at www.onthewire.io
As always just back from some exotic location, well-known IANS faculty member Jayson Street this week regales us with stories of intrigue from the world of physical security penetration testing and tells us how every enterprise should approach security from the front door to the loading dock. Jayson also talks about the sorry state of security awareness training in most organizations and offers some simple tips to keep businesses safe from e-mail fraudsters.
IANS Faculty Debra J. Farber joins me to talk all things data privacy and discuss how international regulations may affect U.S. businesses in the near term. She is the Sr. Director of Global Public Policy at Visa (overseeing security, privacy, and cybercrime issues). Farber also shares details about Women in Security and Privacy (WISP), a San Francisco-based effort that she co-founded to attract more women into careers in information security and privacy.
Visit WISP at www.wisporg.com
Security testing and incident-response expert Kevin Beaver, author of Hacking for Dummies, joins us to examine the 2016 Verizon Data Breach Investigations Report. We discuss the report's methods and conclusions and talk about real takeaways for enterprise security leaders and teams.
In the IANS Podcast studio this week we welcome fierce cloud advocate George Gerchow who talks about the must-haves every enterprise needs before making the emotional transition to cloud. George also explains the benefits of managing security controls in the cloud and tells us why Cloud Access Security Brokers (CASBs) are smoking hot right now. And he gives us some special insight into the infamous Mossack Fonseca Panama Papers as only an infosec expert with Panamanian roots really can.
IANS faculty David Etue joins us to discuss the "30-year opportunity" represented by DevOps for organizations that manage it correctly. We also discuss encryption, improvements in provider-driven cloud controls, and the importance of getting quick wins across LOBs for security team leadership efforts.
On this week's show, IANS Faculty Mike Saurbaugh stops by to chat about cooperative red team/blue team strategies, ways to address the infosec skills gap by nurturing current security team members, and how he keeps a stiff upper lip while compiling the IANS Vulnerability and Breach Update every quarter.
In this week's episode, I'm joined by IANS Lead Faculty Dave Shackleford for a wide-ranging discussion of the infosec topics and trends on the minds of IANS clients. We cover the hot news of the week, explore top areas of concern in cloud security, and dive into growing areas of interest including SDN and advanced SIEM initiatives. Dave and I also square off on the security community's penchant for smugness and snark. What could go wrong?
This week, I sit down with noted mainframe security expert and seasoned IT auditor Philip Young a.k.a. Soldier of Fortran for an eye-opening look into the art and science of securing legacy systems. Mr. Young shares some harsh truths and tears down some persistent misconceptions about mainframe security. We also discuss the failings of modern compliance audits and ways to improve them.
This week, the inimitable Jack Daniel, one of information security's most respected and recognizable thought leaders, sits down with us for a wide-ranging conversation on securing networks, hardening applications, organizing BSides events, fighting the crypto wars and staying sane in this crazy business. He also shares his tips for leveraging social media and gives us a glimpse into the mind of infosec's most compelling fictional character: @InfosecNoir's Jimmy Black, Cyber Private Eye.
Bluebox Security co-founder and IANS faculty member Adam Ely joins us this week to talk about trends in appdev security and the need for stricter oversight in regulatory compliance efforts. Ely also discusses how CISOs can raise their innovation game and shares tips on how he overcame his own introverted nature to become a strong voice in enterprise security.
Episode 3 of the IANS Podcast features our wrap-up of RSA 2016 with news and views straight from the conference floor. We listen in on big .gov announcements from Defense Secretary Ashton Carter and Rep. Michael McCaul (R-Texas). And we talk to IANS faculty members Dave Shackleford and Joshua Corman about the big news of the week including the DROWN vulnerability, the Hack the Pentagon initiative, and the push to make infosec pros better business leaders.
In Episode 2 of our IANS Podcast, faculty member Kevin Johnson talks Locky ransomware, Apple v. FBI, the nasty glibc bug, and tells us how to make penetration tests and security awareness training more meaningful. He also tells us about some of the charity work he's involved with to make infosec -- and the world -- a better place.
Check out the pen test prep video Kevin mentions here.
And for more info on the wacky and wonderful 501st Legion, check out their website at 501st.com
In the premiere episode of our IANS Podcast, faculty member Raffy Marty joins us to chat about the state of visualization and actionable intelligence in security analytics as well as the difficulties surrounding SIEM implementations. The Pixlcloud founder also talks about Kaspersky Lab’s recent Security Analyst Summit in Tenerife, Spain and his amazement at the hacking skills of 10-year-old SAS presenter Reuben Paul.