Caveat
Oct 30, 2020
The Malware Mash!
3 min


CISO-Security Vendor Relationship Podcast
Mike Johnson and David Spark
We're 90% Confident We've Lost All Confidence
All links and images for this episode can be found on CISO Series (https://cisoseries.com/were-90-confident-weve-lost-all-confidence/).

I don't think we're doing enough to protect ourselves against cyberattacks, and I'm also pretty sure we're clueless as to what our third-party vendors are doing.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest is Stephen Boyer (@swboyer), co-founder and CTO, BitSight.

Thanks to our sponsor, BitSight. BitSight is the most widely used Security Ratings service, with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach.

On this week's episode

There's got to be a better way to handle this
How confident are your employees in your cybersecurity efforts? And how does employee confidence affect corporate security? Tip of the hat to Tor Swanson of Premier IT for posting this survey from Nulab. The survey found that employees felt that their company's ability to secure digital data was a major to moderate problem. That percentage jumped up dramatically for companies with fewer than 100 employees. In addition, employees don't feel they're being heard with their cybersecurity concerns. For companies with fewer than 50 employees, 44 percent felt their employers were slightly or not at all responsive. Perception is a huge part of successful cybersecurity. If you were to let these perceptions continue, how would it affect your overall security program?

Question for the board
Ross Young, CISO, Caterpillar Financial Services, asked, "What are the cyber metrics that should be reported to the board each month or quarter? Is this standardized (for example, does the financial industry say we want these five metrics), and where would you go to see how you benchmark against the industry?" I'll skip to one important metric we've mentioned on this show multiple times, and that's "dwell time," or the time between an incident happening, discovering it, and then remediating it. How do you go about finding benchmarks, and what other metrics tell a good story to the board so they can better wrap their heads around the security program's effectiveness?

What's Worse?!
Third-party issues? We've got 'em.

Please, Enough. No, More.
The topic is third-party risk management. What have we heard enough about third-party risk management, and what would we like to hear a lot more about?

Close your eyes and visualize the perfect engagement
We're all getting bombarded with virtual events. Interested to know what virtual events you have attended that you've really enjoyed. Also, what virtual events are the most engaging, where you find yourself NOT multitasking while watching? Plus, what does a virtual event need to offer for you to take time out of your day to attend?
35 min
Brakeing Down Security Podcast
Bryan Brake, Amanda Berlin, Brian Boettcher
2020-043-Software_Defined_Radio-Sebastien_dudek-RF-attacks- IoT and car RF attacks
Sébastien Dudek - @FlUxIuS @penthertz

Why are we here today?
Software Defined Radio (sdr-radio.com)
What kind of hardware or software do you need?
Why would a security professional want to know how to use SDR tools and attacks?
What other kinds of attacks can be launched? (I mean, other than replay-type attacks)
Door systems (badge systems)
NFC?
Contactless credit card attacks
Smart building/home control systems
Bluetooth attacks
Point of Sale systems
Cellular radio 3G/4G/5G
Industrial control systems
Home appliances
Medical telemetry systems
Drones!
LoRa - Wikipedia
DASH7 - Wikipedia - custom TCP stack for LoRa
Vehicle-to-grid - Wikipedia (V2G)
Automatic Wireless Protocol Reverse Engineering | USENIX
Hunting mobile devices endpoints - the RF and the Hard way | Synacktiv - Sébastien Dudek
How Can Drones Be Hacked? The updated list of vulnerable drones & attack tools | by Sander Walters | Medium
Carrier Aggregation explained (3gpp.org)
Mobile phone jammer - Wikipedia
World's top hackers meet at the first 5G Cyber Security Hackathon - Security Boulevard
Supply chain attacks - systems tend to use wireless chipsets or protocols
LTE-torpedo-NDSS19.pdf (uiowa.edu) - privacy attacks on 4G/5G networks using side-channel information
How does someone make a Faraday cage on the cheap? (mentioned in one of your class agendas)
Lots of IoT devices use your typical home wifi connection; can't you just sniff packets to get what you need?
Replay attacks on car fobs: Jam and Replay Attacks on Vehicular Keyless Entry Systems (s34s0n.github.io)
Attacks on Tesla wireless entry: Tesla's keyless entry vulnerable to spoofing attack, researchers find - The Verge
Garage door opener attacks: How to Hack a Garage Door in Under 10 Seconds and What You Can Do About It - ITS Tactical
Kid's toy opens garage doors: This Hacked Kids' Toy Opens Garage Doors in Seconds | WIRED
What are the current limitations to testing wireless and RF-related systems?
What about custom wireless implementations? Cellular? Zigbee?
I'm a wireless manufacturer of some kind of device. I'm freaked out now, hearing you talk about how easy it is to attack wireless systems. What are some things I could do to ensure that the types of attacks we discussed here cannot affect me? A wireless defense system? https://www.researchgate.net/publication/321491751_Security_Mechanisms_to_Defend_against_New_Attacks_on_Software-Defined_Radio
List of SDR software: The BIG List of RTL-SDR Supported Software (rtl-sdr.com)
32 min
Defense in Depth
Allan Alford and David Spark
Data Protection and Visibility
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-protection-and-visibility/).

Where is your data? Who's accessing it? You may know if you have an identity and access management solution, but what happens when that data leaves your control? What do you do then?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Elliot Lewis (@elliotdlewis), CEO, Keyavi Data.

Thanks to this week's podcast sponsor, Keyavi Data. Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner's control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this episode of Defense in Depth, you'll learn:

* In general, all of security is based on detecting threats and stopping threats. When those two fail, and they do, what's your recourse to protect your data?
* What if, when your data leaves your control either accidentally or through a malicious breach, you were still able to see your data wherever it went, and your data could communicate its status back to you, allowing you to control access to it?
* There are so many scenarios in which data leaves you that it's impossible to protect against all of them.
* Asset inventory is the first step in the CIS 20. Just trying to get an asset inventory of equipment is difficult. An inventory of data is near impossible, especially when you may be pumping out a terabyte of data a day.
* The ideal situation is to protect data proactively, as it's being created.
* The ultimate goal is to have visibility of your data in perpetuity, for the life of the data, so you can decide when to destroy it even when it's no longer within the confines of your greater network and ecosystem.
* Governing your network, your applications, the rules, and the data is half the battle.
* Data visibility also allows you to make informed decisions as a business and can provide the answers your legal team will need in case there's a breach.
* You want the data protection and visibility schema to be platform and ecosystem independent. If data is taken out of the ecosystem, then the protection and visibility is moot.
* A good precursor to this is digital rights management, or DRM. They have figured out how to keep data from being copied and manipulated, and they can place controls on it. The limiting factor, though, is that it's platform dependent.
33 min
Cyber Work
Infosec
Privileged access management and work-from-home tips
Today we're talking cloud security and work-from-home. If you've ever checked your work email on your personal phone (I know you have, because we've all done it!) or touched up some time-sensitive spreadsheets on the same iPad your kids use to play Animal Crossing, Terence Jackson, Chief Information Security & Privacy Officer of Thycotic, is going to tell you how to tighten up your security protocols to ensure that work-from-home doesn't become breach-from-home!

Enter code "cyberwork" to get 30 days of free training with Infosec Skills: https://www.infosecinstitute.com/skills/
View transcripts and additional episodes: https://www.infosecinstitute.com/podcast

With more than 17 years of public and private sector IT and security experience, Terence Jackson is responsible for protecting the company's information assets. In his role, he currently leads a corporate-wide information risk management program. He identifies, evaluates and reports on information security practices, controls and risks in order to comply with regulatory requirements and to align with the risk posture of the enterprise. Prior to joining Thycotic, Terence was the Director of Cybersecurity and Professional Services for TSI, a Virginia-based Inc. 5000 company. He has also worked as a Senior Security Consultant for Clango, Inc., a top Identity and Access Management (IAM) consultancy. He was featured in, and was also a contributor to, the book "Tribe of Hackers."

About Infosec
Infosec believes knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and privacy training to stay cyber-safe at work and home. It's our mission to equip all organizations and individuals with the know-how and confidence to outsmart cybercrime. Learn more at infosecinstitute.com.
50 min
The Social-Engineer Podcast
Social-Engineer, LLC
Ep. 135 - Fear of video and snakes with Lisa Forte
In this episode, Chris Hadnagy and Maxie Reynolds are joined by social engineering and insider threats expert Lisa Forte. Learn how Lisa went from fighting terrorists and real-life sea pirates to being an expert on cybercrime and social engineering. Discover how scammers are taking advantage of global uncertainty and understand how to protect yourself from attack.

00:00 – Introduction to Lisa Forte
02:38 – Lisa's path to a career in social engineering
05:27 – The psychology that terrorists use to recruit teenagers
07:52 – Lisa's experience with fighting cyber crime
08:43 – Why Lisa named her cyber security company "Red Goat"
10:23 – The world pandemic made hospitals and their supply chains vulnerable to attack
14:38 – Keep secure by realizing the value of the information you possess
15:41 – How Cyber Volunteers 19 is helping to save lives by making hospitals secure (twitter)
21:25 – Ego suspension is a required skill for a good social engineer
25:47 – Find someone who gives you honest feedback
27:28 – How Chris deals with harsh criticism
30:27 – New documentary: "hacker:HUNTER Ha(ck)cine" (Part 1) (Part 2)
34:44 – Lisa's Vlog: "Rebooting"
35:44 – Lisa's and Chris's experience with exposure therapy
40:00 – How scammers take advantage of global uncertainty
42:37 – Law enforcement has a big disadvantage when fighting cyber crime
45:42 – Lisa's contact info: LinkedIn, Website, Rebooting vlog with Chris, Twitter
46:56 – Lisa's book recommendation: Prisoners Of Geography
50:20 – Outro

Social-Engineer.com
Social-Engineer.org
The Human Hacking Conference
The Innocent Lives Foundation
Human Hacking Book
Phishing As A Service®

Trainings:
* Practical Open Source Intelligence For Everyday Social Engineers - 11-12 November 2020 - VIRTUAL
* Advanced Practical Social Engineering Training - 17-20 November, 2020 - VIRTUAL
53 min