Showing episodes and shows of Rafal Los

Shows

Future of Threat Intelligence
ExtraHop's Rafal Los on Avoiding Strategic Advisement Mistakes (2024-09-06, 31 min)
In our latest episode of the Future of Threat Intelligence podcast, David chats with Rafal Los, Head of Services Strategy & GTM at ExtraHop and the creative force behind the Down the Security Rabbithole podcast. Rafal discusses his journey from curiosity-driven exploration to a professional career in cybersecurity and the lessons he's learned along the way.
Rafal shares his extensive experience in cybersecurity, offering insights on transitioning from technical roles to strategic leadership positions. He also talks about common misconceptions in strategic advisement, the importance of understanding the business context, and actionable advice for aspiring lea...

Zapiski z zielonego zeszytu
Prayer – Righteous Lord, into Your hands I commit my fate today (2023-05-01, 2 min)
Righteous Lord, into Your hands I commit my fate today. To Your justice I entrust my life. To Your mercy I give myself. And I no longer want to look at the world with my own eyes. I do not want to judge what I see from my own limited point of view. I do not want to rely on my own judgments and my own knowledge. I do not want to believe what my thoughts suggest to me. Because, beloved Father, I want to be wise only with Your wisdom. Because I want to see my neighbors as You see us. Because I want to love as Your Son, Jesus Christ, loved us. Most Holy Father, fill me with Yourself so...

The Cyber Ranch Podcast
Cybersecurity Centers of Excellence w/ Rafal Los (2022-01-19, 40 min)
Allan is joined by Rafal Los, industry innovator, strategist, and personality. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Additionally, Rafal is a founder and host of the Down the Security Rabbithole Podcast - an industry podcast delivering a weekly take on cybersecurity since 2011.
Join Allan and Rafal as they discuss cyber security centers of excellence, metrics, marketing and acceptance in this conversation between two friends.
Key Takeaways:
01:56 Bio
04:27 Goals for Cybersecurity Center of Excellence (CoE)
06:44 How do you birth a...

Remedios Caseros Para su Salud
Blood sugar spike (hyperglycemia): symptoms, causes, treatment. How to regulate blood glucose levels (2021-11-02, 11 min)
https://mejores-suplementos.es/subida-de-azucar-hiperglucemia/
...carbohydrate metabolism, resulting mainly from an inadequate diet and the associated overweight or obesity. A blood sugar concentration that is too high, especially when it occurs with increasing frequency, is a dangerous phenomenon. It gives rise to a series of diseases, with diabetes at the head of the list. Severe hyperglycemia can endanger our life and health. However, an elevated sugar level is a condition that in many cases can be reversed, even in the case of diagnosed diabetes. How to lower...

Remedios Caseros Para su Salud
How to lose weight after the holidays, that is, how to deal with the effects of the annual indulgences (2021-09-22, 10 min)
How to lose weight after Christmas? This is a question we often ask ourselves when the Christmas festivities come to an end. The question is all the more important because in our tradition the holidays are mainly a time of family celebration and sometimes, we must admit, of eating. The many delicacies prepared, the long hours sitting at the table and the encouragement to eat from our mothers and grandmothers definitely do not favor moderation.
What should be done so that, after a few days of letting go, we do not gain a few kilos of wei...

Remedios Caseros Para su Salud
Hondrowell – eliminates joint and spine pain, restores mobility (2021-09-22, 11 min)
Hondrowell is a multi-component joint preparation for external use. It performs two tasks at once: it relieves pain and stimulates the rebuilding of damaged tissue. It is therefore not only a short-term measure that relieves pain for a few hours, but also a long-term remedy for troublesome joint injuries. By stimulating collagen synthesis, Hondrowell contributes to the strengthening and regeneration of joint structures to help us regain good mobility. Without a doubt, a great advantage of the preparation is its uni...

Remedios Caseros Para su Salud
How to lose weight at 40 (2021-09-21, 11 min)
You can lose weight at any age. Above all, we must not give up and think it is impossible, even though the matter is perhaps a little harder than for a twenty-year-old. Anyway, what does 40 mean these days? Fortunately, this is no longer the time when a 40-year-old woman was considered a matron. Today's forty-year-olds are young, attractive, perhaps more so than a teenager, full of strength and energy. How to lose weight after 40? You have to approach it as you would solving any other problem. Here are some tips...

Remedios Caseros Para su Salud
GingeBlack – intense weight loss, body regeneration, perfect mood… The power of many benefits in a single supplement (2021-09-20, 11 min)
If you want to slim your figure, improve your health and lift your mood at the same time, try GingeBlack. The supplement has been equipped with ingredients that show strong metabolism-accelerating effects.
They make the body work more efficiently: it gets rid of toxins dynamically, digests incoming food without interruption and stops storing fat, and sheds previously accumulated excess weight two to three times faster. The benefits of GingeBlack will be appreciated not only by people who want to lose weight quickl...

Remedios Caseros Para su Salud
Slimming cocktails – 2021 ranking of the most effective shakes to help lose weight quickly (2021-09-20, 14 min)
Slimming shakes have been a hit in recent months and are a strong competitor to traditional slimming pills. They speed up the rate of fat burning while giving us plenty of energy to stay in top form all day long. Most ready-made slimming shakes, thanks to their content of fiber, protein and other valuable nutrients, can even replace a meal, since they handle hunger brilliantly. Slimming shakes are also a good alternative for people who don't li...

Remedios Caseros Para su Salud
Face serum: ranking of the best cosmetics for intensive skin renewal and revitalization (2021-09-20, 11 min)
Face serum is a cosmetic increasingly in demand among both young and older women. For owners of mature skin, face serums are a way to rejuvenate and deeply nourish the skin, and for women in their thirties or forties, a way to halt the aging process and remove small imperfections. Face serums have an important advantage: due to their high concentration of active ingredients, they have a rapid and intensive effect in improving the structure and condition of the skin.
P...

Shared Security Podcast
Election Security and the Packet Capture Controversy with Special Guest Rafal Los (2021-09-06, 35 min)
This week Rafal Los, host of the Down the Security Rabbithole Podcast, joins us to talk about election fraud claims vs facts, the recent packet capture controversy, tribalism, and the challenges with election security. Note: this is not a political discussion but we believe that election security is important to discuss, no matter what your […] The post Election Security and the Packet Capture Controversy with Special Guest Rafal Los appeared first on Shared Security Podcast.

Shared Security
Election Security and the Packet Capture Controversy with Special Guest Rafal Los (2021-09-06, 35 min)
This week Rafal Los, host of the Down the Security Rabbithole Podcast, joins us to talk about election fraud claims vs facts, the recent packet capture controversy, tribalism, and the challenges with election security. Note: this is not a political discussion but we believe that election security is important to discuss, no matter what your political views are. This is one episode you don't want to miss!
Show notes: https://sharedsecurity.net/2021/09/06/election-security-and-the-packet-capture-controversy-with-special-guest-rafal-los/

Security and Compliance Weekly (video)
Vulnerability Management is Still a Mess - Part 1 - Rafal Los - SCW #67 (2021-03-30, 34 min)
The SCW hosts discuss Rafal Los' recent blog post "Vulnerability Management is Still a Mess" (https://blogwh1t3rabbit.medium.com/vulnerability-management-is-still-a-mess-27519ffcecc0). In the first segment, we will learn all about Rafal's cybersecurity background and why vulnerability management has not evolved in line with the technology.
Visit https://www.securityweekly.com/scw for all the latest episodes!
Show Notes: https://securityweekly.com/scw67

Guilty Leisure
Episode 4: "Będziemy bohaterami" (We Can Be Heroes) by Robert Rodriguez, "Przekorny los" by Akcent, Ievan Polkka and the sugar tax (2021-02-14, 39 min)
In the fourth episode, Maciek and Rafał consider how Robert Rodriguez manages to combine family cinema with a fascination for exploitation cinema, and admit to listening to Zenek not only at wedding parties. They also appreciate the song Ievan Polkka for its value beyond the meme, and take on the sugar tax.

Shared Security Podcast
How to Break Into a Cybersecurity Career – Part 2 with Rafal Los (2021-01-11, 23 min)
Rafal Los, industry veteran and host of the "Down the Security Rabbithole Podcast", joins Tom Eston for part two in our series on how to break into a cybersecurity career. If you're a college student or thinking about getting into cybersecurity, this is one episode you don't want to miss! ** Links mentioned on the […] The post How to Break Into a Cybersecurity Career – Part 2 with Rafal Los appeared first on Shared Security Podcast.

Shared Security
How to Break Into a Cybersecurity Career - Part 2 Rafal Los (2021-01-11, 23 min)
Rafal Los, industry veteran and host of the Down the Security Rabbithole Podcast, joins Tom Eston for part two in our series on how to break into a cybersecurity career. If you're a college student or thinking about getting into cybersecurity, this is one episode you don't want to miss!
Show notes: https://sharedsecurity.net/2021/01/11/how-to-break-into-a-cybersecurity-career-part-2-with-rafal-los/

Down the Security Rabbithole
DtSR Episode 253 - Defending the Small-to-Medium Enterprise (2017-07-18, 52 min)
On this podcast James and I welcome Shon Gerber as we talk through a pair of current events and the topic of the day.
- Blue Cross Blue Shield of Alabama sends out USB sticks
  - Security elitists up in arms
  - We've taught people to be suspicious - don't click, don't open docs, and don't use USB. So how do we get our clients' content?
  - To my fellow security professionals: it's reckless to continue to stand with a firm "no" while offering no alternatives
  - So what do we suggest? More important, what threat model vector ar...

Down the Security Rabbithole
DtSR Episode 252 - DFIR with Lesley Carhart (2017-07-11, 51 min)
In this smasher of an episode James and I are joined by Lesley Carhart live from Enfuse Conference in Las Vegas to talk about DFIR (Digital Forensics and Incident Response) as a broad field. There is SO much to talk about here, you'll want to listen twice. Make sure that if you missed Enfuse this past year, you don't miss 2018. It's a great conference where you get to meet and talk with folks like Lesley and many others in this field.

Down the Security Rabbithole
DtSR Episode 251 - General Data Protection Regulation (GDPR) (2017-06-27, 50 min)
This week on Down the Security Rabbithole Episode 251 (wow, can you believe we've published 251 full episodes?!) James and I host a roundtable of privacy and data protection experts and talk about the looming EU regulation known affectionately as GDPR. The General Data Protection Regulation (GDPR for short) impacts all companies that either do business with EU citizens, or operate in the EU. Basically, everyone. It's a huge deal and there really isn't a "wait and see" option. Listen in, and if you have feedback provide it!
Does anyone really read these sho...

Down the Security Rabbithole
DtSR Episode 250 - Deconstructing the Internet of Things (2017-06-20, 56 min)
Fresh off of his closing keynote at Enfuse Conference 2017 in Las Vegas, Dr. Timothy Chou joins us to talk about the difference between the Internet of People and the Internet of Things.
Even though many people talk about the IoT, we still fail to understand the gravity and enormity of the problem we face and how information security professionals are so far behind the 8-ball here. Dr. Chou spent some time with us to dispense wisdom interlaced with humor to make it stick.
Guest: Dr Timothy Chou is a technologist, a lecturer, a...

Down the Security Rabbithole
DtSR Episode 249 - Finding a Way (2017-06-13, 51 min)
This week, James and I try out a new format for the show. We hope you enjoy the blend of news commentary and an interview.
News
- More car vulnerabilities - this time in a Subaru
  - No stunt hacking involved
  - A repeat vulnerability means there's potentially a bigger SDLC issue
  - Responsibly disclosed, fixed ... if a tree falls...
  - Link: http://www.bankinfosecurity.com/exclusive-vulnerabilities-could-unlock-brand-new-subarus-a-9970
- The 5th Amendment and your phone passcode
  - This issue is sticky
  - Passcodes, fingerprints, etc - all need consistent law
  - We need a lawyer
  - Link: http://thehackernews.com/2017/06/unlock-iphone-passcode.html
Guest
Kevin...

Down the Security Rabbithole
DtSR Episode 248 - Nick Hyatt On Ransomware (2017-06-06, 51 min)
This podcast episode was recorded live to tape from Enfuse Conference 2017 in Las Vegas. If you didn't get a chance to get out this year to one of the premier DFIR (Digital Forensics and Incident Response) conferences, you missed a heck of an event. James and I want to thank Guidance Software for the invitation, for having us out, and for access to some truly amazing guests for this series of recordings.
For #248 sit back and listen to Nick Hyatt talk with James and Raf about ransomware - fresh from his Enfuse Conference talk to yo...

Down the Security Rabbithole
DtSR Episode 247 - Internet of Things Forensics (2017-05-30, 45 min)
Live once again from Enfuse Conference 2017 in Las Vegas, James and I interview Amber Schroader, the President and CEO of Paraben. This interview happened because you all voted and asked for it... ok, and because she's a fantastic person to interview. Be prepared for a little humor and a lot of knowledge.
Special thanks again to Enfuse and the Guidance Software team for having us out and getting us access to some downright amazing guests!

Down the Security Rabbithole
DtSR FeatureCast - Enfuse Conf 2017 - Theresa Payton (2017-05-26, 18 min)
As James and I continue to publish our Enfuse Conference 2017 series of episodes, we are this week joined by Theresa Payton. Theresa is the former CIO of the George W. Bush White House Administration, and is now on the show Hunted, where she runs a team of cyber trackers.
Guest: Theresa Payton ( @TrackerPayton ) - Theresa Payton is one of the nation's leading experts in cybersecurity and IT strategy. As CEO of Fortalice Solutions, an industry-leading security consulting company, and co-founder of Dark Cubed, a cybersecurity product company, Theresa is a proven leader and influencer who wo...

Down the Security Rabbithole
DtSR FeatureCast - Enfuse Conf 2017 - DFIR Students (2017-05-25, 30 min)
Continuing our series recorded live at Enfuse Conference 2017 in Las Vegas, this episode features two USC students who are part of a large contingent here to learn and make connections. Tatiana and Ayman join us to talk about how they got here and what they are planning for their future, along with some general thoughts on DFIR and our industry!
Guests:
Tatiana Santos ( @tatitasantita )
Ayman Siraj ( @aymansiraj )

Down the Security Rabbithole
DtSR FeatureCast - Enfuse Conf 2017 - Keynote Patrick Dennis (2017-05-24, 23 min)
Today, CEO Patrick Dennis joins the Down the Security Rabbithole Podcast right after his keynote to talk about the conference, what's going on at Guidance, and the state of defense. This is a FeatureCast, so we get right to the point in an easy-to-listen format.
Thanks for listening!

Down the Security Rabbithole
DtSR FeatureCast - Enfuse Conf 2017 - Preamble (2017-05-23, 18 min)
We kick off a week of on-the-scene podcasts live'ish from Enfuse Conference 2017, hosted by Guidance Software in Las Vegas, Nevada, with Lori Chavez, VP of Corporate Marketing. She is the brains responsible for the amazing conference, including speakers, content and everything else. Lori gives YOU an insider preview of Enfuse 2017, and tells us a little about what we can expect and some history of the conference - and we can't wait to give you MORE! Stay tuned in all week as we bring you more fantastic content from Enfuse Conference 2017. And as always, use the ha...

Down the Security Rabbithole
DtSR Episode 246 - Finding and Responding to Badness (2017-05-23, 46 min)
This week we are live from Enfuse Conference 2017 in Las Vegas, Nevada. Special thanks to Guidance Software for having us out and getting us access to a whole host of fantastic speakers. On this episode Greg Hoglund and Ryan Butterworth of Outlier Security join us to talk about the DFIR space with all its problems, including a shortage of qualified labor and sub-optimal tools. This fantastic discussion wanders all over the DFIR space, including the "data problem" and tools, tools, tools.
That tool that Greg mentions, which is free, is right here: http://un...

Down the Security Rabbithole
DtSR Episode 245 - NewsCast for March 16th 2017 (2017-05-16, 49 min)
- Microsoft warns ransomware cyber-attack is a wakeup call
  - As of recording, it is reported that 200,000 computers were infected.
  - Patch for flaw was released in March, 2017
  - Microsoft has since released a patch for older systems
  - Lots to discuss on this - including Microsoft's letter to the NSA
  - Link: http://www.bbc.com/news/technology-39915440
  - Link: https://www.infosecurity-magazine.com/news/microsoft-xp-patch-wannacry/
  - Link: http://www.bbc.com/news/uk-39921479
- United flight attendant accidentally leaked door codes online
  - Flight attendant somehow posted the codes online
  - Insider threat?
  - Multiple layers of security needed and additional controls here
  - Link: https://www...

Down the Security Rabbithole
DtSR Episode 244 - A Government CISOs Perspective (2017-05-10, 45 min)
This week, live and in person from Denver, Colorado and the RMISC Conference, I interview Stephen E. Coury, the CISO of the County and City of Denver. The conversation leads off with Stephen's journey through cloud computing and weaves through some of the challenges municipalities and city governments are facing. It's a fantastic conversation that is readily applied to both public and private organizations - you need to check this out. Thanks Stephen for coming out and talking to us!
Guest: Stephen E. Coury - CISO of the County and City of...

Down the Security Rabbithole
DtSR Episode 243 - NewsCast for May 2nd 2017 (2017-05-02, 48 min)
- Chrome to mark more HTTP pages 'Not Secure'
  - In October, 2017, all HTTP sites will be marked 'Not Secure' while in incognito mode.
  - Incognito mode allows surfing the internet without saving your browsing history.
  - Enterprise: Have you seen any negative feedback from the previous changes to show not secure?
  - Does this change your priority for moving to always HTTPS for all sites?
  - Link: https://threatpost.com/chrome-to-mark-more-http-pages-not-secure/125255/
- 2017 Verizon DBIR Highlights: Analyzing the Latest Breach Data in 10 Years of Incident Trends
  - Oh, the headlines. Slow the roll, folks.
  - Stop the password hate and turn the mirror around
  - Le...

Down the Security Rabbithole
DtSR Episode 242 - Management and Leadership (2017-04-26, 49 min)
This week the team gets together to talk Management and Leadership in the security industry and in general. Our very own Michael Santarcangelo joins us as our featured guest to dispense knowledge on leadership by the truckload. So grab a cup of coffee, something to take notes with, and listen in.

Down the Security Rabbithole
DtSR Episode 241 - NewsCast for April 18th 2017 (2017-04-18, 46 min)
NewsCast for Tuesday April 18th, 2017
- Dallas Tornado Sirens Hijacked
  - Tornado sirens in Dallas all simultaneously went off
  - Suspected hijacking of the emergency system, lots of speculation of how this happened
  - Now believed to be a radio hijack
  - Link: http://content.govdelivery.com/bulletins/gd/TXDALLAS-1936de1
- Two Inmates in Ohio Jail Hacked it From the Inside
  - Talk about an "insider threat"!
  - These were made from spare parts, hidden in ceiling, concealed well
  - Unauthorized access to network (no NAC?) made infiltration possible
  - Link: https://qz.com/958503/two-ohio-inmates-hacked-their-prison-from-the-inside-using-makeshift-computers-built-from-spare-parts/
- SWIFT Launche...

Down the Security Rabbithole
DtSR Episode 240 - The Truth About Machine Learning (2017-04-11, 53 min)
This week the Down the Security Rabbithole podcast hosts Sven Krasser of CrowdStrike.
Sven is an actual machine learning data science expert (as opposed to an "expert") who has been dabbling in machine learning, artificial intelligence and other forms of advanced computational science for a long while before it was popular in security. This week James and Raf sit him down for 45 or so minutes to discuss the real facts and separate them from the fiction of what machine learning really is and the promise that it may hold for the enterprise security world. As always, j...

Down the Security Rabbithole
DtSR Episode 239 - NewsCast for April 4th 2017 (2017-04-06, 59 min)
- Pew Center Survey Finds Americans Lack Understanding of Cybersecurity Measures
  - Most 'typical' users simply don't understand security because it's "magic" to them
  - Basics must be understood by average Jane - attackers count on you not knowing
  - How do you take knowledge and push to enterprise, while keeping up with consumers?
  - Link: http://www.pewinternet.org/2017/03/22/what-the-public-knows-about-cybersecurity/
- Suspect Charged in USD 100m Whaling Scheme
  - $100 Million dollars - from just two companies
  - How would your executives (and those supporting staff) fare against this attack?
  - More importantly, how does your "awareness" program deal with this?
  - Link: https://ww...

Down the Security Rabbithole
DtSR Episode 238 - March 2017 Update with Shawn Tuma (2017-03-28, 59 min)
This week, on the Down the Security Rabbithole Podcast, Michael and I are back with perennial favorite Shawn Tuma. Shawn, our legal eagle friend from Dallas, breaks down the latest issues that affect Cyber Security and the Law - with that business perspective you've come to expect from our podcast. As always, we love hearing from you and if you have questions don't hesitate to hit us up on Twitter using hashtag #DtSR, or you can always hit up Michael (@catalyst), myself (@Wh1t3Rabbit) or Shawn (@ShawnETuma) directly!
Thanks for listening and spread the w...

Down the Security Rabbithole
DtSR Episode 237 - NewsCast for March 21st 2017 (2017-03-21, 49 min)
- The Cost of Cybercrime - Let's Take a Different Perspective
  - Cybercrime is reported as a $450B drag on the economy; the absolute number sounds big
  - The question to ask: "How big is the global economy?"
  - Turns out that this is only 0.57% of the global economy, in 2014 (nominal)
  - By way of contrast - how many minutes are in a day? What is 0.57% of your day?
  - What it means - we're doing a good job. Fraud is low.
  - Cybercrime might be on the rise, but for now, it's at low relative percentages
  - Does it mean we don't matter? No...

Down the Security Rabbithole
DtSR Episode 236 - Enterprise Architecture 2017 (2017-03-14, 44 min)
Check out episode 236 with Marie-Michelle Strah, who is a repeat offender here on the podcast, with her first appearance back in 2014 on Episode 122 ( http://podcast.wh1t3rabbit.net/dtsr-episode-122-enterprise-architectures-role-in-security ). This episode is a revisitation of Enterprise Architecture and its importance to security, with a perspective on the enterprise tech stack, business segmentation and microservices in a modern distributed enterprise. Marie-Michelle's experience and extensive insight into the topic should give you something to think about as you go back to your day job in security.
Guest: Marie-Michelle Strah ( @CyberSlate ) - Marie-Michelle Strah, PhD i...

Down the Security Rabbithole
DtSR Episode 235 - NewsCast for March 7th 2017 (2017-03-08, 48 min)
- A Note on the Passing of a Legend
  - Howard Schmidt passed away this week
  - Long, distinguished career as one of the CISOs who "got it"
  - He will be missed in government and private industry - he was on our show too (December 2015): http://podcast.wh1t3rabbit.net/dtsr-episode-166-cyber-security-from-board-room-to-white-house
- Are SysAdmins Violating the CFAA?
  - This is, by all accounts, an insane criminal defense... or is it?
  - Can what sounds like a stretch, logically, be used maliciously by employers?
  - The law is about intent - does this invalidate his claim?
  - Link: https://nakedsecurity.sophos.com/2017/02/27/it-admin-was-authorized-to-trash-employers-network-he-says/
- Y...

Down the Security Rabbithole
DtSR Episode 234 - Straight Talk on National Security (2017-03-01, 52 min)
This week, the interview is extra special because we have a guest I've personally been following for a long while, and I finally got a chance to virtually sit down and talk through his considerable areas of expertise. I'm pleased to say we had a chance to sit down virtually with Professor Tom Nichols and talk international affairs, foreign policy and all the important things getting lost in the off-color political arguments lately. These are important issues to cyber security professionals that impact our daily lives - but rarely get discussed by someone with actual, credentialed expertise.

Down the Security Rabbithole
DtSR Episode 233 - Reflecting on RSA Conference 2017 (2017-02-21, 46 min)
This week, fresh on the close of RSA Conference 2017, James, Michael and I discuss the happenings of the conference, lessons, and features along with some inside anecdotes you won't get from anywhere else. Of course, we add our own unique blend of snark and humor - but that's what gets you listening and coming back for more. We'd like to say a big thank you to everyone who voted for us in the RSA Social Security (Security Bloggers) Awards.
We didn't win, but we feel good about the audience we've acquired and will keep working hard to spre...

Down the Security Rabbithole
DtSR Episode 232 - Security, Fraud, Digital Payments (2017-02-15, 58 min)
This week, while the security world congregates at RSA Conference 2017, we present to you Neira Jones, discussing digital payments, fraud and the world of security as it applies to this domain. In a fascinating discussion, we cover many of the topics security executives and leaders are talking about right now - but as you have come to expect, this is less about 'security' and more about protecting what matters. We want to thank Neira for taking the time out of her busy schedule to join us on the show, and encourage discussion on the topics we covered...

Down the Security Rabbithole
DtSR Episode 231 - NewsCast for February 7th 2017 (2017-02-08, 42 min)
- It is that time of year for W-2 Scams
  - There have been multiple reports of companies releasing W-2s through email scams.
  - Link: http://cbs4indy.com/2017/01/31/scammer-gets-copy-of-w-2-form-for-every-scottys-brewhouse-employee-after-data-breach/
- Cops use pacemaker data to charge homeowner with arson, insurance fraud
  - Becoming a common occurrence with IoT devices.
  - If you are creating these devices, are you considering:
    - Storage of the data
    - Privacy policy
    - Education around how data is stored and could be used
  - From an enterprise perspective:
    - How many of these devices are inside your organization
    - How do any of these tools factor into your ow...

Down the Security Rabbithole
DtSR Episode 230 - The IoT You Got for Christmas (2017-01-31, 1h 00)
On this Down the Security Rabbithole podcast we're joined by Stephen A. Ridley & Jamison Utter (yes, again with this guy) for a discussion on the finer points of Internet of Things (IoT) security ... or the complete lack thereof.
If you own gadgets that are 'connected' or you are ever around them (hint: you're surrounded by things that pull IP addresses right now), then you need to listen to this podcast. Some great discussion in what was the very first podcast we recorded in 2017.
Guests:
Stephen A. Ridley aka "@S7ephen"
Jamison Utter aka "@j...

Down the Security Rabbithole
DtSR Episode 229 - NewsCast for January 24th 2017 (2017-01-25, 45 min)
Hi friends! We're honored to be finalists for the Security Blogger Awards 2017 "Best Security Podcast", so if you listen, go vote for "Wh1t3Rabbit" (as we're labeled). Link: https://devops.com/2017-social-security-blogger-awards-open-voting/
- Digital transformation forces businesses to rethink cybersecurity
  - A change where operations are being held accountable for security
  - James has commented on this before. In order to get better security, it needs to be embedded in the teams within the organization, not just the security team.
  - Link: http://www.cio.com/article/3157478/security/digital-transformation-forces-businesses-to-rethink-cybersecurity.html
- Mobile is sti...

Down the Security Rabbithole
DtSR Episode 228 - Another Look at Endpoint Security (2017-01-18, 51 min)
This week, Paul Hershberger joins us to talk about taking a fresh look at endpoint security for the new year. Paul has some insights into balancing risk/usability and how some of the things you've heard about endpoint may simply be ... wrong. Join James and I as we let Paul endow us with his wisdom and experience... take some notes, this one's going to be good.
Guest: Paul Hershberger - @pjhersh13 - Director IT Global Security Risk and Compliance at The Mosaic Company.

Down the Security Rabbithole
DtSR Episode 227 - NewsCast for January 10th 2017 (2017-01-12, 47 min)
- St. Jude, MedSec and the FDA
  - FDA, St. Jude go through disclosure/fix cycle
  - No mention of MedSec - interesting for discussion; did they have an impact?
  - St. Jude does a fairly great job of notification, updating
  - "Benefits outweigh the risks"... that's a big statement
  - http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
  - http://www.businesswire.com/news/home/20170109005921/en/St.-Jude-Medical-Announces-Cybersecurity-Updates
  - http://www.medsec.com/entries/stj-lawsuit-response.html
  - http://podcast.developsec.com/ep-56-security-contacts
- New York financial regulator to delay cyber security rules
  - Originally supposed to go into effect Jan 1..
  - New Date is...

The Application Security Podcast
Rafal Los, James Jardine, and Michael Santarcangelo -- #DtSR and What Makes a Good Security Consultant? (2017-01-12, 37 min)
Greetings all! We have a treat for you in this episode. The crew from the Down the Security Rabbit Hole Podcast joins Robert and me. This includes Rafal Los (@wh1t3rabbit), James Jardine (@jardinesoftware), and Michael Santarcangelo (@catalyst). This is a unique conversation for me because the AppSec PodCast was born from my first interview with #DtSR. I was featured on DtSR Episode 204 in July 2016 after a friend suggested me to Raf on Twitter. (Thanks, Nigel!) The DtSR episode was entitled "On Changing Culture." I had listened to these guys on and off for years and now had the c...

Down the Security Rabbithole
DtSR Episode 226 - Targeted Threats Facts From Fiction (2017-01-03, 57 min)
Welcome to the first Down the Security Rabbithole Podcast episode of 2017! We would like to kick off this year, and the run to episode 250, with an episode that dissects the facts from the fiction on the topic of "Advanced Threats". With all the talk in the news about the Russians "hacking the US election" (yes, that's absolutely silly to call it that) and talk of retaliation, it's important to have a frank discussion on the merits of the concept of advanced threats. Sit back, grab a coffee and listen.
I know you'll want to listen t...

Down the Security Rabbithole
DtSR Episode 225 - NewsCast for December 20th 2016 (2016-12-20, 44 min)
Merry Christmas, Happy New Year everyone!
May your holidays be filled with joy, love and family. From Michael, James and myself we wish you the very best and a healthy, prosperous and fulfilling 2017. We will be back in 2017 with another great DtSR Episode... but before we go - here's one last NewsCast for 2016.
- Yahoo - setting records again - biggest hack ever
  - It happened again: Yahoo says 1 billion user accounts stolen in what could be biggest hack ever
  - 1 billion accounts.. But 1 billion users? Probably not
  - It was 2013… does it e...

Down the Security Rabbithole
DtSR Episode 224 - Pointing the Finger of Responsibility (2016-12-13, 1h 07)
On this episode of Down the Security Rabbithole we tackle the question head on. Whose responsibility is security? Is it the end user who should be responsible for patching the devices they own? Is it the vendor who sells the wares? Is it the manufacturer who sells things with security issues? What if it was everyone's problem? How do we police, legislate and ultimately assign blame? Should we be assigning blame, and more importantly what gives with this fascination for blaming the victim? Lots of questions are asked and we start to tackle some of...

Down the Security Rabbithole
DtSR Episode 223 - NewsCast for December 6th 2016 (2016-12-06, 48 min)
- Federal Government Disproves the Myth of Cyber Talent Shortage
  - If the government can find and hire them - they exist
  - What does that mean for the rest of us hiring?
  - https://cio.gov/how-to-snag-talent-to-fill-critical-cybersecurity-positions-at-your-agency/
- 5 Mistakes to Avoid to Hire Qualified Application Security Talent
  - Not understanding current needs
  - Ignoring existing resources
  - Not sharing the workload
  - Not defining the role
  - Overly broad job requirements
  - General Idea: We say we need security talent, but we don't step back to really understand what we actually need given our current status and resources
  - https://www.jardinesoftware.com/5-mistakes-to-avoid-to-hire-qualified-application-security-talent/
- Obama Cy...

Down the Security Rabbithole
DtSR Episode 222 - Zero Trust Security Model (2016-11-30, 54 min)
This week, after a long wait, we have John Kindervag on the show! John talks us through the concept of "Zero Trust Security" and where and how it's implemented. It's a concept everyone should be familiar with by now - but I bet you aren't! Join us, and as always provide feedback to the team using the hashtag #DtSR on Twitter, and you can always ping John directly at @Kindervag as well.

Down the Security Rabbithole
DtSR Episode 221 - NewsCast for Nov 22 2016
- DHS Releases Strategic Principles for Securing the Internet of Things
  - https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf
  - These seem to be the same principles that we have been saying for all software (web, mobile, etc.)
  - NIST also has a more generic publication 800-160
  - What is the implication for the enterprise?
  - Do we prioritize anything differently as a result?
  - What about the "need" for IoT legislation?
  - Is the marketplace "broken?"
  - If "we've told people before" but "they didn't listen," does that actually mean they are wrong?
This is an ar...2016-11-2245 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 220 - Blaming the Breach VictimThis week, Patrick Dennis - the CEO of Guidance Software - joins us to talk about the Enterprise Security world's fascination with blaming the breach victim. We talk through some of the key issues and look for a way off the hamster wheel. As always, #DtSR on Twitter to join in our conversation.2016-11-1544 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 219 - NewsCast for Nov 8th 2016It is election day.. Have you voted?   Beware, IPhone Users: Fake retail apps are surging before the holidays The issue of brand protection and knock-off websites, apps and such is real Spilling over into digital world, from physical What is your company doing to protect yourself and your customers? http://www.nytimes.com/2016/11/07/technology/more-iphone-fake-retail-apps-before-holidays.html?_r=0   Moving Beyond EMET EMET is going away … in a while Most of the features are now built into Windows 10 This is a great thing (built in vs bolted on security) https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/   Tes...2016-11-0847 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 218 - The Business of SecurityThis week on DtSR Chad Boeckmann - President of Secure Digital Solutions - joins us to talk about the business of security. While the "bad guys" are running their criminal enterprise, security teams have struggled to be business-relevant. This discussion starts to dive into how to align security and business goals, answering the "how much is enough?" question and so much more. Thanks to Chad for joining us. We encourage you to ask questions and leave comments here in the comments section or on Twitter at #DtSR. 
You can talk to Chad directly at @cboeckm on...2016-11-0151 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 217 - NewsCast for October 25th 2016The Massive DDoS That Hit Dyn.Org Massive DDoS disrupts a ton of popular websites (Netflix, Twitter, etc) IoT used to amplify attack What does this mean for corporate users, home users, and vendors? https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/ Verizon Reviewing Terms of Yahoo Deal As Revenue Slides Is this really the result of the breach or did someone just get cold feet? We’re speculating, but we’ve heard this type of talk before To be honest, Yahoo! saw a rise in earnings over what was projected http://www.wsj.com/articles/verizon-revenue-falls-below-views-1476966420 Passwords - We’re Stil...2016-10-2547 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 216 - Why Software Insecurity is Still a ThingThis week, #DtSR takes a trip down Software Security lane or as some call it "How are we still writing code with bugs that we found relatively concrete fixes for in the late 90's?" (I may have been watching too many John Oliver episodes...)   Jeff Williams ( @Planetlevel ) and Tyler Shields ( @txs ) join me to talk this topic over from where we've been, to what we're doing now, to what the solution to this mess will be one day in the future. It's an interesting conversation that should stir up some emotion if you've been in A...2016-10-1946 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 215 - NewsCast for October 11th 2016‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly Is this indicative of the broader population? (Someone check the sample size?) What does this tell us about enterprise vs. consumer security thinking? Is security to blame? 
  Our insulin pumps could be hacked, warns Johnson & Johnson http://www.welivesecurity.com/2016/10/06/insulin-pumps-hacked-warns-johnson-johnson/ Big hat-tip to Jay Radcliffe ( @jradcliffe02 ) for what appears to be a very well-orchestrated and sane disclosure What is the added cost of proper authentication and secure communication? Let's use this as a t...2016-10-1158 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 214 - Financial Impact of BreachesGrab a cup of coffee, jack in your earphones and listen up. DtSR Episode 214 is addressing the issue of breaches, and their material financial impact to an organization. The premise is simple - when you have a breach, are you going to see massive stock price drop, client exodus and so on? We sit down with legal expert and DtSR regular Shawn Tuma and researcher Jon Nichols to talk this through with James, Michael and yours truly.   Check this episode out. It may sting a bit, but once you come to gr...2016-10-0450 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 213 - NewsCast for September 27th 2016Quick update and invitation from Michael: starting to explore rolling out services and improving the Straight Talk Framework. If you’re up to discuss with me - I’ll offer a brief overview and then a “setup for Straight Talk”  review to explore how to get you started. It’s a real offer because I know we’ll both learn. And then I’ll get a better sense of where to focus and how to help more people in our industry. Note on yahoo: we’ll talk to Shawn later   How are Healthcare Data Breach Victim...2016-09-2751 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 212 - Insider Threat PrimerIn this episode, we talk with Mike Tierney, who is the brand-new CEO at Veriato. In our conversation we talk through a primer on insider threat, and use the great example of hosting a dinner party. 
Mike has loads of nuggets of wisdom from his experience and we're certain that if you're a seasoned insider threat professional, or just thinking about the topic and wondering if you can do anything to protect your company - this show will be a good primer for furthering your discussion and learning. Listen in, comment and share with your...2016-09-2051 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 211 - NewsCast for Sept 13th 2016Chrome to label more sites as insecure in 2017 Link: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html Focus on sites that transmit passwords or credit card info over HTTP A USB Device is all it takes to steal credentials from locked PCs Link: http://www.pcworld.com/article/3117793/security/a-usb-device-is-all-it-takes-to-steal-credentials-from-locked-pcs.html This is actually pretty interesting, but a little trickier than it sounds Still - it's quite fascinating that a USB attack works cross-platform, based on network activity and default USB behaviors DHS chief: 'Very difficult' for hackers to skew vote Link: http://thehill.com/policy/natio...2016-09-1548 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 210 - Data Protection PrimerIn this episode James and I invite Vlad Klasnja from Optiv's Office of the CISO, and Hudson Harris, Chief Privacy Officer at HarrisLOGIC, to talk about data protection. From defining the concept to providing some insight into how we can actually protect confidential information - we talk through a lot of complex issues in this segment. Join us!   
Guests Hudson Harris - Chief Privacy Officer at HarrisLOGIC Vlad Klasnja - Data Protection and Privacy Manager at Optiv 2016-09-0751 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 209 - NewsCast for August 29th 2016NewsCast for Tuesday August 30th, 2016   Clinic Won’t pay breach protection for victims http://www.zdnet.com/article/clinic-wont-pay-breach-protection-for-victims-ceo-says-it-would-be-death-of-company/ Are companies required to pay for credit protection?  It is common, but is it required? Can a class action suit succeed to force it? Will that matter if they just declare bankruptcy? If not.. What is the purpose to filing the suit? California Bill would add security standards to data breach law https://bol.bna.com/california-bill-would-add-security-standards-to-data-breach-law/ But what is reasonable… it can’t just be what a reasonable company would implement. Bill Text - h...2016-08-3059 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 208 - Beyond the Ransomware EconomyThis week Michael and I chat with Jamison Utter of Infoblox on one of the more interesting topics at hand - the economy of ransomware. We talk through the sudden popularity of the attack vector, the way the underground "criminal enterprise" has scaled and grown and the future of being a bad guy. If you have occasion to talk to your organization's leadership on the ransomware epidemic, you need to listen to this podcast first.2016-08-2341 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 207 - NewsCast for August 16th 2016Quick note from Michael about the Straight Talk Framework & Program -- > Get your free copy at https://securitycatalyst.com/straight-talk-framework/ Launched a new program last week… boy, did I learn a lot. Mostly, it’s my failure to explain. 
I’m going to chronicle some of the lessons over the next few days and share them If you’ve already downloaded the questions - I’d love to chat with you about your experience… If you find yourself in a situation like this, let’s chat. 25 minutes on the phone and we’ll both benefit Until Monday, August 22nd, chance to ge...2016-08-1847 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 206 - Vulnerabilities, Disclosure, Ethics, Research and SecurityIn this episode we chat with Steve Christey Coley currently the Principal Information Security Engineer over at MITRE Corp. In this episode we talk through our industry's obsession with vulnerabilities, dive headlong into the thorny issue of security research, talk through the various issues with disclosure and even delve into some ethics issues. This episode is content-packed with some content that you will likely want to talk to us about. So here's how to find us: Steve on Twitter: @SushiDude Hashtag for the show: #DtSR   Steve's Bio (from LinkedIn...2016-08-101h 01Down the Security RabbitholeDown the Security RabbitholeDtSR Episode 205 - NewsCast for August 2nd 2016Quick note from Michael about the Straight Talk Framework -- > I’ve separated the framework from the programs; the framework is free and available for download from my website. More on the way! 
To support both the framework and the programs, I’ve just finished a video that introduces the 5 questions; I have an optional workbook available and make a special offer at the end of the video I’m about to launch an online offering… stay tuned for details   $2.7 Million HIPAA Penalty For Two Smaller Breaches http://www.healthcareinfosecurity.com/27-million-hipaa-penalty-for-two-smaller-breaches-a-9270?rf=2016-07-18-eh&mk...2016-08-0642 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 204 - On Changing CultureThis week, Chris Romeo joins Michael, James and I to talk about changing the security posture of an organization by changing culture. This episode talks through tough issues like incentives, measurements and success factors. This episode with Chris is of particular interest for leaders and those who are working hard to change companies at their core, for the long term.   Chris Romeo's bio: Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at C...2016-07-2644 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 203 - NewsCast for July 19th 2016Ransomware that's 100% pure JavaScript? Sort of... Slightly misleading article Generally a Windows-based attack (go where the users are) https://nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/ Researchers have come up with a 'cure' for ransomware Based on some interesting things like file-type changes, similarity measurements and entropy Interesting but not perfect ... do we even think perfect is reachable? 
Average of 10 files before an identification was made http://www.scmagazineuk.com/florida-researchers-claim-to-discover-cure-for-the-common-ransomware/article/509147/ The government has officially issued a 'fact sheet' on randomware Yes, it's a reportable breach Lots of interesting misconceptions (or half-truths) in this guidance...2016-07-1952 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 202 - Outsourced but BetterThis week on the Down the Security Rabbithole podcast, Brandon Dunlap is back for his second show. Following up on Episode 158 where we discussed outsourced security, this time around we talk through the next iteration of what "Managed Security" and outsourcing means to security. You're not going to want to miss this episode! As always, hit up our hashtag on Twitter at #DtSR and you can find Brandon on Twitter as well at @bsdunlap if you want to talk to him directly.2016-07-1245 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 200 - Privacy, Security, Risk and Law Collide** Our 200th numbered episode! **   A note from Raf:  Thanks to everyone who has been listening to us, tweeting us, and sharing the links to our podcast. We are absolutely floored with the support and listenership we've received. The average show now gets just under 2,500 downloads when released in the first week, and that number goes up every week. So from the bottom of my heart, I humbly thank you and hope you'll continue to listen, share, and comment. This week's episode is titled "Privacy, Security, Risk and Law Collide" as we hos...2016-06-281h 10Down the Security RabbitholeDown the Security RabbitholeDtSR Episode 199 - NewsCast for June 21st 2016In this episode..   
The "Nuclear Bomb" analogy isn't working, stop using it" http://thebulletin.org/flawed-analogy-between-nuclear-and-cyber-deterrence9179 This is important with respect to how security people talk to real-life issues Here is another example: http://insight.kellogg.northwestern.edu/article/is-reading-someones-emails-like-entering-their-home/   iOS apps will require secure https connections by 2017 http://www.cnet.com/news/ios-apps-will-require-secure-https-connections-by-2017/ We have seen this push on the web before Michael wrote about this topic back in March 2015 (https://www.developsec.com/2015/03/17/is-http-being-left-behind-for-https/) Saw the government push this for all public facing websites (https://https.cio.gov/) ...2016-06-2151 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 198 - What Legal Counsel Wishes CISOs KnewOn this episode of the Down the Security Rabbithole podcast, Dawn-Marie Hutchinson, currently an Executive Director within the Optiv Office of the CISO joins us and we talk about the things that she's learned over her career working with legal counsel, CISOs and solving problems. A fantastic episode with lessons learned, and executive leadership crammed into less than an hour. Give it a listen!   Find Rie on Twitter at @CISO_Advantage   UPDATE: Thanks to Sean Jackson (@74rku5) who has hand-transcribed the show. I haven't read this, personally, so if there if he...2016-06-1448 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 197 - NewsCast for June 7th 2016In this episode...     Are people "going offline" as a result of increasing dangers of the Internet? This article makes the case for yes: http://www.techspot.com/news/64839-increasing-number-internet-dangers-driving-millions-americans-offline.html But ... "millions"? We collectively call BS As the world moves more to mobile and digital, who thinks they have 'control' of their own data anyway?   
"Sandjacking" allows attackers to install evil iOS apps IF that attacker is physically holding your device AND your device is unlocked AND it takes a while because you have to backup, and restore a ph...2016-06-0748 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 196 - Jason WittyOn this episode of the Down the Security Rabbithole podcast, I get the pleasure of sitting down with one of my all-time favorite Chief Security Executives, Mr. Jason Witty. He's had a long career of successful security leadership, and in this podcast he sits down with us to talk about risk, threats and words we often confuse. You're not going to want to miss this episode.2016-05-3143 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 195 - NewsCast for May 24th 2016This week the gang's all here to talk about some news happenings. Michael, James and I talk through some of the stories we've been tracking. Have something you've been reading and want to talk about? Hit us on Twitter with hashtag #DtSR and suggest a topic/story for the next NewsCast!   Tennessee Amends Breach Notification Statute http://www.natlawreview.com/article/tennessee-amends-breach-notification-statute Removes the exception for encrypted data. Will this raise the costs to companies?   Encrypted or not, will credit monitoring be the norm? More lawsuits (even if the data is encrypted) Do...2016-05-2454 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 194 - Update on Cyberlaw w Shawn TumaIn this episode...   Michael and I welcome back Shawn Tuma, our resident Cyber Law Expert from the great state of Texas. We discuss some of the recent cases (unlocking an iPhone!) and some of the tough issues facing the court systems today. Shawn provides insights into the use of the finger (not joking) and some amusing and frustrating aspects of cyber law as the courts continue to evolve. 
Join us!2016-05-1746 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 193 - NewsCast for May 10th, 2016In this episode..   ImageTragick - major flaw in open source image processing toolkit ImageTragick is CVE-2016-3714 Logo & Website: https://imagetragick.com Has a logo, so it must be yuge Is this really that big of a deal? How many are impacted potentially? https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html Remote code execution, with minor caveats - likely darn near everywhere Detroit company loses $495k to wire fraud Source was a faked email to make a wire transfer Why didn’t someone verify this?! http://www.detroitnews.com/story/news/local/oakland-county/2016/05/03/troy-investment-company-hacked/83879240/ Wil...2016-05-1157 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 192 - Healthcare and Critical Infrastructure SecurityIn this episode... Join our guest Larry Whiteside, Michael and I as we record live from InfoSec World 2016 in sunny Orlando, Florida! We talk through the life of a CISO, and the challenges of being in the Healthcare and Critical Infrastructure spaces and the similarities and differences. Larry has had a very diverse and successful career leading some of the most challenging organizations, so we dig into some of the things he's faced, how he's addressed some of those bigger leadership-level challenges, and just the mess that healthcare and critical infrastructure are in right now.  ...2016-05-0445 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 191 - NewsCast for April 26th 2016In this episode... 
Only about a third of companies know how many vendors access their systems nearly every company is at risk for a third party breach it's almost impossible to vet every third party developing a strategy and being consistent, scaling is key http://www.csoonline.com/article/3055012/techology-business/only-a-third-of-companies-know-how-many-vendors-access-their-systems.html No firewall, second-hand $10 routers are to blame for Bengladesh bank heist we talked about this initially in episode 185 (Link: DtSR Episode 185 - NewsCast for March 15th 2016) it's almost unfathomable that this happened SWIFT attacked, now the suspected malware is identified Jim M...2016-04-2635 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 190 - Interview with Lance JamesIn this episode, James, Michael and I are live from InfoSec World 2016 and we get the pleasure of interviewing Lance James fresh off the keynote stage. In this intimate, fast-paced and bold interview we talk through some of the challenges InfoSec is facing today, and where Lance believes we should be going.   If you haven't been to InfoSec World, we highly recommend going next year. The content team continues to provide a solid mix of technical, managerial and transitioning information security speakers. Make sure you have this one on your calendar for next year, and be...2016-04-2044 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 189 - NewsCast for April 12th 2016In this episode...   Pros examine mossack-fonseca breach: Wordpress plugin, Drupal likely suspects Plug-ins seem to be a universal weakness Many companies have this type of 3rd party security issue The broader enterprise implications - how do you find these sites? http://www.scmagazine.com/pros-examine-mossack-fonseca-breach-wordpress-plugin-drupal-likely-suspects/article/488697/ WordPress pushes free https encryption for all hosted sites What's the problem we're trying to solve? 2 separate issues, trust vs. 
authentication - know which you're solving http://www.securityweek.com/wordpresscom-pushes-free-https-all-hosted-sites If you can't break crypto, break the client Bishop-Fox researcher finds webkit bug in...2016-04-1250 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 188 - Security Talent TruthsIntro song: "Josh Gabriel - Deep Down"; Intro/Outro v/o courtesy of @ToddHaverkos2016-04-0548 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 187 - NewsCast for March 29th, 2016In this episode... BadLock bug (which now has a website, a graphic, and more hype than Bieber) is out there Is the bug really worth all this hype? Is this anything more than a PR stunt, and a big marketing opportunity? Everyone has an opinion, but one thing is for certain, this bug is making big waves http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/ Your wireless mouse is probably a security risk... seriously. RF-based mice typically don't use encryption or mutual authentication Some do (all of my Microsoft & Logitech mice tell me they mutually authenticate & encrypt... I think) How far u...2016-03-2940 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 186 - Becoming a CISOIn this episode   I posed some questions to Joey, an InfoSec professional who had recently moved into a CISO role in a midwest retail company: Let's talk a little bit about the background you had before walking into your first day as a CISO... How long have you been in your role, and what do you think "so far"? What do you think were the biggest lessons you've learned in your time as a new CISO? What do you make of all the talk about CISO burn-out rates, and the average tenure of a C...2016-03-2242 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 185 - NewsCast for March 15th 2016In this episode...   
The FTC is getting into providing guidance on password changes Well OK, this isn't really guidance, it's just a blog But - does this mean that the FTC is getting into technical guidance? https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes   Dwolla hit by CFPB and fined $100,000 Who is the CFPB (Consumer Finance Protection Bureau)? This opening sentence is crucial: "The Consumer Financial Protection Bureau (Bureau) has reviewed certain acts and practices of Dwolla, Inc. (Respondent, as defined below) and has identified the following law violations: deceptive ac...2016-03-2142 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 184 - A CISO Post-RSA WrapUpIn this episode, we wind down from RSA Conference 2016 and talk with Jonathan and Michael, both security executives and leaders at their respective companies whom were both out at RSA Conf and share with us some of their insights, lessons learned, and discuss some of the more interesting topics.   Join James and I for an informative, insightful, and slightly unnerving conversation about the state of our industry. If you missed RSA Conference (or even if you were out there but wish you weren't) this is one you're going to want to listen to at least o...2016-03-1642 minDown the Security RabbitholeDown the Security RabbitholeDtSR Episode 183 - NewsCast for March 1st 2016This is RSA Conference week, so while Rafal is out in San Francisco trying to make it through another one, James and Michael break down the news events that you may have missed.   300,000 Homes affected by security alarm bug http://www.forbes.com/sites/thomasbrewster/2016/02/17/simplisafe-alarm-attacks/#3202d4e679a3 According to Spokesperson, Alarm still alerts users' smart device when the alarm is armed or disarmed. Device is an alerting mechanism, not a lock Technically, we’d consider this… wait for it… a ‘detective’ control. Appears to only intercept when pin is entered into the device.. 
do... 2011-03-01 | 40 min

Down the Security Rabbithole
DtSR Episode 182 - Apple Versus the FBI
In this episode...
- Michael and I moderate what turns out to be an expert-filled panel discussion on the real issues of the Apple vs FBI debate
- Shawn Tuma, our favorite cyber attorney, provides expert insights into the statutes, laws and applicable legislation in this case
- Dave Kennedy, Von Welch and Gary bring their technical expertise and background to discuss the issues from a technology and policy perspective
- We think this is one of those landmark podcast episodes you'll want to listen to a few times. Lots of interesting content here, and we encourage you to share!
2016-02-23 | 55 min

Down the Security Rabbithole
DtSR Episode 181 - NewsCast for Feb 16 2016
In this episode...
- Class action lawsuit against SuperValu dismissed
- No damage (use of stolen information), so there's no case?
- As time passes, the risk of use of stolen data, according to the judge, decreases
- The precedent appears to be that in order to sue, you have to prove damage (imagine that?)
- http://legalnewsline.com/stories/510661014-data-breach-class-action-against-grocery-chain-dismissed
- Neiman Marcus - breached again (with another lesson this time)
- http://www.bankinfosecurity.com/neiman-marcus-reports-new-breach-a-8843
- So is it official, not having MFA is weak authentication?
- Is someone accessing accounts through the web interface with stolen passwords a "breach"?
- Encry...
2016-02-16 | 48 min

Down the Security Rabbithole
DtSR Episode 180 - From the CISO Perspective
In this episode...
- Andrew discusses a few of the key challenges making it difficult for the healthcare sector right now
- Robb, Andrew and Raf discuss the importance of identity in the corporate environment
- Robb and Andrew give some of their wisdom on the successes and failures of CISOs (and the broader security industry)
- We discuss the technical vs executive CISO approach (which is better?)
- Robb and Andrew provide some unfiltered advice for CISOs and those who want to become them
Guests
- Robb Reck ( @RobbReck ) - Chief Information Security Officer at Ping Identity, contributor to ISSA Denver wi...
2016-02-09 | 42 min

Down the Security Rabbithole
DtSR Episode 143 - NewsCast for May 18th, 2015
In this episode...
- Netflix launched FIDO (not that one, or that one, no, the other one)
- Focused on automating incident response practices
- FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
- If you don't use it, at least they provide a structured framework for response and IR workflow
- http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html
- IT chief leaves sensitive data in car - spoiler: it gets stolen
- Something smells like a fish market in the July heat on this story
- Maybe it's time to check in on...
2015-05-18 | 47 min

Down the Security Rabbithole
DtSR Episode 134 - Fundamental Security
In this episode...
- Michael C and the team talk about "going back to basics" and the need for security fundamentals
- Michael C talks a little about why we (security professionals) fail at fixing problems at scale
- We dive into the need for automation, and Michael C talks about why creating more work for security professionals is a bad thing
- Michael C and the crew talk through why many of our metrics fail, highlighting the need to get away from the typical dashboard approach of "bigger numbers is better"
- We discuss the balance between false positives and false negatives...
2015-03-16 | 48 min

Software Process and Measurement Cast
SPaMCAST 162 - Rafal Los, Security Strategy and KPIs
Welcome to the Software Process and Measurement Cast 162! The SPaMCAST 162 features my interview with Rafal Los discussing security and key process indicators for measuring security.
Rafal Los, Enterprise and Cloud Security Strategist for Hewlett-Packard Software, combines over a decade of deep technical expertise in information security and risk management with a critical business perspective. From technical research to building and implementing enterprise application security programs, Rafal has a proven track record with organizations of diverse sizes and verticals. He is a sought-after speaker at both public and private information security and quality conferences, and has presented at events produced by...
2011-11-27 | 41 min

Down the Security Rabbithole
Down the Rabbithole - Episode 2 - "Can You Be Hacked Out of Business?"
Synopsis
This edition of the podcast doesn't hold back. We ask "Can someone be hacked out of business?" and, as usual, we don't really like the answers we come up with. While Martin, Rob and I have been in most every aspect of security for just over a combined 3 decades, we end up with a conclusion that I don't think any of us are comfortable with ...at least not one that we were willing to say out loud, until now. So is it possible? Is DigiNotar being "hacked out of business" as Dark Reading suggests all FUD? Listen and f...
2011-09-29 | 35 min

Down the Security Rabbithole Podcast (DtSR)
Down the Rabbithole - Episode 2 - "Can You Be Hacked Out of Business?"
Synopsis
This edition of the podcast doesn't hold back. We ask "Can someone be hacked out of business?" and, as usual, we don't really like the answers we come up with. While Martin, Rob and I have been in most every aspect of security for just over a combined 3 decades, we end up with a conclusion that I don't think any of us are comfortable with ...at least not one that we were willing to say out loud, until now. So is it possible? Is DigiNotar being "hack...
2011-09-29 | 35 min

Down the Security Rabbithole
The #SecBiz Podcast - Talking "Cloud Security" with Phil Cox
Phil Cox joins Rafal (aka Wh1t3 Rabbit) and Martin McKeay and a gallery of others discussing the issues with the very nebulous term "Cloud Security", what it means, and how we as vendors can realistically help the consumers of cloud get a handle on what the heck this all means. Fascinating conversation ensues.
2011-09-14 | 51 min
