DrZeroTrust

How does a CEO of a unicorn company view cybersecurity? How does the board of such a company look at the risks of cyber threats? Does insurance make sense for those leaders? What about the big acquisition in recent days, does that affect the overall market? Those questions and more on this episode!

Rick Moy and I discuss ZT and the cloud. How developers can and should look at security (it's not how you think). Dealing with ethereal assets, 5G and a whole bunch of other great issues in this episode!

Should executives ever be exempt from security standards and practices, the answer rhymes with bell no. MGM got his with ransomware via a third party and some social engineering, but they spend hundreds of millions on security. So what should we learn from that? CISA wants to offer free scans for utilities, is that a good or bad thing? Congress wants to legislate around deepfakes for elections, how will that work? And a major university was found to be fudging their self certification for compliance, whoops! Those and more on this one!

What is Surf's new RBI extension? How does this fit with Zero Trust strategically? Why is RBI now a "thing" in security? Is this just for enterprises or all businesses? How hard is it to configure this thing? What about third parties and developers, does this help them be more secure? Those questions and more on this one!

Cyberpsychology and the hacker mindset, what should we think? Malwarebytes and their funding and layoffs, what does that indicate about the market? AI and LLM's aren't people, stop treating them like they are from MIT. Compliance does not equal security, say what? Phishing as a service get smarter according to Microsoft. The FBI "brought down" a massive botnet, they'll never come back right? And a very suspect claim from a vendor on their "response time". All that and more on this one!

Thoughts on the recent RNC candidate debate where cybersecurity never came up, super. China is using Linkedin to recruit spies, how can you know when you are targeted? Trustwave published new research on BEC hacks, what do we get from that research? Two guys are arrested for laundering money via crypto, is that a treasonous act? MAC's get some new malware, hurray! Ransomware group deletes a providers entire customer base's data, whoops! Those and more on this one!

How to defend from a "Zero Day" attack that is "not in any anti-virus" engine. Proxy wars from AT&T. Interesting data from Flashpoint on the underground market. Is CISA really enforcing effective controls if they rely on training? Irish police department have a data breach that might lead to terrorist targeting, yikes! And rethinking the terminology and understanding around cyberwar! Those points and more on this episode!

Insider threats are a real thing, do you have the tools to detect malicious intent before it becomes a threat? How do we know if behavior equals threat? More data on ransomware and the insurance market. Companies selling insurance are considering "ratings" for premiums. Halcyon identifies "new" threat groups, or is the same one with a new fancy name? The new cyber workforce plan, good or bad? Those questions and more on this episode.

Does the Veterans Affairs Administration really do all it can for Veterans? I have a tale to tell about this one folks. Sophos released a report on the current state of ransomware for education, it's not encouraging. Ivanti has a bug that should be patched for mobile security customers. The FBI used a FISA database improperly, interesting. Cofense has some new data on phishing as a threat, guess what it's still a thing. And some thoughts on the 4 day rule from the SEC for disclosure of breach activity.

SECOPs teams have faith in the their tools, but question if they will "miss" something? What? Administration releases plan for IoT security and labeling, how will it work? Top10 predictions for 2023 and security. That Zero Trust thing is still in there I hope. The upcoming election and the explosion of AI are already going bonkers, what is next? Those questions and more insights on this episode!

An AI girlfriend talked a kid into trying to kill the Queen of England with a crossbow, yeah. Fortinet vulnerability, how bad is it and are we patching fast enough? What is the number one avenue of exploit for cloud? Hint, it rhymes with bumans. Japan's largest port is under ransomware attack, uh oh. What CEO's really think about their security teams from the World Economic Forum, and more on this episode!

An event in NYC with BeyondIdentity made me sad for the state of the market, why? What happened with the Supreme Court and the 1st amendment via cyberstalking, huh? "Never before seen hacking tactics" from Chinese APT says Crowdstrike, you sure about that? A church brings "AI" to preach, did they just impact religion? Those points, some hard hitting questions and more on this episode!

Is it possible to take a different approach to threat detection and do better? Why are endpoint security solutions missing the threats that we buy them to detect? Is a counter-terrorism method applicable to threat hunting? How does malware evade allow listing in some instances? What gaps in coverage are we seeing from methodologies for threat intelligence? Those questions and more on this episode!

Samsung is dealing with an insider threat that tried to copy their entire chip manufacturing plant, wow! CISA issued a "binding" directive for ZT, but how binding is it really? The top 10 from the Verizon DBIR, what does that tell us about the space? Another Presidential candidate uses a deepfake to target their adversaries, should we worry? A mother deals with a deepfake voice attack where her daughter is "kidnapped", does this bode well for our collective future if criminals are vectoring in on this type of attack? 99% of organizations expect an identity related compromise this year, jeez (#killthepassword already). Those points and more on this one!

NSA released a guide on securing remote access, cool so what should we learn from it? ILTA has produced a study about law firms and their cybersecurity practices. Are they prepared for the threats they face? Deepfakes are showing up on TikTok with stories from dead kids asking for followers (seriously). Lumu published a blog on how MSSP's can adapt to better server their customers. What should we know about that? Forbes published an article about the "most cybersecure companies" in the USA, that's a great idea right? Those points and more on this episode!

Youtube flagged my content for PII violations, but what did I do to get put in the penalty box? CISO's plan on investing more for cybersecurity over the next few years, new research from Nuspire indicates the growing spending trend. Mitiga has found some configuration issues with Gdrive and Gsuite, what should businesses know to defend themselves? Armorblox says brand impersonation is increasing, how much of a threat is this type of attack? Gigabyte hardware and firmware has been found to be shipped with embedded back doors, uh oh. The IDSA has produced some new research on the status of iam and strategy, what can we learn from that? And G2 has unbiased reviews on security tooling and solutions, what can you learn from visiting that site. Those points and more on this episode!

Ever wanted to learn the difference between a Lama and an Alapaca, we talk about that here. Weird but interesting. Crowdsec discusses their approach to changing the way we handle malicious IP's and domains. Their approach to Zero Trust as part of a global network is innovative. We chat about how open source solutions can help businesses of all sizes better defend themselves. Some discussion on collective threat intelligence, and conversations about sharing information to dynamically defend the network.

Should we be concerned that our leaders (and former leaders) are posting deepfakes onto social media? What can we learn from the Uber case and the final decision by the lawmakers? What did the general counsel do in that case, what about the CEO? How should we plan for a ransomware attack? Can we learn from the lessons that a CISO has been through and be better prepared (hint: yes). When is the best time to learn when to fight, before the event or during? And was I wrong about my thoughts on executive punishment for breaches, probably...

Are K-12 organizations and universities prepared for the onslaught of cyber threats? How long does it take me to find a vulnerable school district, it ain't long? An appeals court has upheld Merck's claim in the the NotPetya case. What does that mean for cyber insurance, and why does this make me so happy? Iran is moving quickly into the realm of influence operations, are they mirroring the Russian operations and how will this affect the upcoming election cycle? ChatGPT had a breach issue, how much of a threat or problem is this? Should we have expected anything less? Phishing is getting worse, statistically speaking, but how is this possible with all of the training we get? Is there a technical alternative that works? Those questions and more on this episode!

How hard is it to use "ai" to clone your own voice? I did it and you can hear the sample on this podcast. What should we learn about the recent Pentagon leaker? Was it a technical failure, insider threat, of failure of leadership? What does MIT say about privacy for ChatGPT and "ai" and are there violations taking place? Are MAC's a viable target for ransomware, seems like that is a reality now. Those questions, points, and a line up of some of my schedule at RSA if you happen to be around!

Can ChatGPT make me a less crappy programmer? That isn't hard to be honest, but there are implications to consider. Can you use AI (I really hate using that term but you can't beat the market I guess) to be an artist? Does that impact other talented people's future earning potential? How hard is it to use StableDiffusion to create bogus images? How bad was FTX's cybersecurity? Hint: It rhymes with pepto-bismol. What else should we know about cyber insurance and who do insurers actually "take care of?" What about the leaks from the DoD? How does this keep happening? Those points and more on this episode!

How many vulnerable systems out there are connected to the internet with a ten year old vulnerability, with RCE, and have no authentication? Surely the answer is 0? Operation Cookie Monster took down a dark marketplace, so what? Should there be a victory lap? KnowBe4 published some research on state and local security and BEC statistics, what should we learn from that document? Fake ransomware attacks are taking place, what the hell is that? Crowdstrike and others are publishing on threat groups, but the nomenclature is all over the place. How do we know what attackers are doing what if we can't align on the naming conventions? More insights on the Silicon Valley Bank fiasco (the executives did some "questionable" things). What does that mean for the cybersecurity market at large? Those questions and more on this episode.

Did the Pope wear a puffy jacket? So what? How might applied deepfakes be used to manipulate the collective narrative? What about our political system? Cofense published their annual report on the state of email security. What can we learn from that? Cymulate also published their analysis of more than 1 million security assessments. What's in there for us to learn? Lloyds CEO said they might take a hit on their cyber insurance offering due to their policies around the "war clause. Ok, what's the big deal? Ivanti published a report on government cyber security status. Surely all is well if the government is involved (and this is a global analysis, not just the US y'all.) Those points and more on this episode!

Not Blockchain...Or, kinda...But not really?  Anyway listen to smarter folks than me (lots of those) talk about how we can innovate around the use of distributed ledgers as part of a security strategy.  And how is this approach being accepted internationally, especially in Australia?  Cool new methods of enabling security with the folks from Tide (not the soap, the security guys).  Some solid conversation on this one y'all!

Did I spread misinformation about the SVB fiasco? Uh oh.  Did Ring get hit with ransomware, and are they secure?  What weird ports do Ring cameras use?  Rubrik has some issues going on, but did they handle it well?  Is it smart to market your organization or brand as Zero Trust?  Oh crap I am in trouble.  SpaceX may have been hit via a third party, ouch.  Why does third party risk continue to lead to compromise?  A recent report states that you can make up to 250k as a developer for the dark web.  Might be time for a career change.  Those points and more on this episode!

30% of dark web operators are women, according to TrendMicro.  That means more women are operating in the criminal side of cyber than on the defender side, wow.  The TSA is pushing new requirements for airports and airlines, but how secure are they and the FAA?  Layoffs are showing up in cyber, even though companies are doubling or even tripling their profits in the only market that has negative unemployment.  Why?  What does that tell us about those companies and their strategic execution?  Some tips on what to do if you are a business user of Lastpass.  And more on this episode!

US SOCOM had emails exposed to the internet for weeks thanks to a cloud misconfiguration.  Surely it's not still messed up?  Is the US Treasury as secure as it should be in regards to cyber?  What about using ChatGPT to send emails to students when a mass casualty event occurs?  Good or bad idea?  Does the Supreme Court understand the technology they are enforcing and drafting laws about?  What about section 230 and the big tech providers?  50% of CISO's say they are burnt out and it's only February, how can we help one another?  Those questions, my dog goes bonkers, and more on this episode!

Should we worry about the spy balloon?  Why not?  Gartner published some "research" on Zero Trust and how they don't see the strategy as a silver bullet.  Awesome.  Let's analyze that game changing paper.  Venturebeat also published a report on how to get wins from your Zero Trust endeavors this year, what should we pay attention to there?  Why wasn't cyber a topic during the State of the Union?  PWC published a good report on the executive sponsorship for security in large organizations, what can we learn there?  Those topics and more on this episode!

Can we have a national and international strategy that addresses ransomware?  How would that work?  Is it better to address the "how" of those attacks or the "why"?  What should we do to remove the incentive for these attacks?  Would a US first approach make us a bigger target?  What about kinetic attacks on those hacker groups?  Those questions and more on this super episode!

What happens when marketing attacks and goes "bold" without really understanding their position?  Is it smart to also not pay attention to your social profiles (lol)?  Why is the DoD Red Teaming their ZT providers?  Should you do the same as part of your strategy?  Why not?  Organizations aren't taking cyber warfare seriously according to Armis research, but why?  Is that wise?  Blackberry says malware is basically published at a rate of about one new sample per minute, wow!  And Akamai has published some research on the Windows CryptoAPI, what does that mean?  Those points and more on this episode!

What the h*ll is quantum really?  Why should we care?  Does cracking an algorithm with quantum change the balance of power globally?  Is quantum potentially a WMD?  How can this technology be used by our government and others?  What about the banking system and quantum applications and risks?  Those questions and more on this very nerdy episode!

Checkpoint released a report on the wrap up from 2022, what can we learn from that analysis?  It's a super cool report by the way, ping me for the link!  How secure or insecure are the education systems in the US?  Can I find some glaring issues?  China wants to "work with" the UN on addressing disinformation, ok.  Lol, sure.  What do they mean?  A major shipping system is hit with ransomware, uh oh!  Orange published some research on the criminal mindset and motivations for ransomware operators.  Wow that is very interesting, but what should we take away from that research?  Norton got problems y'all, what can we learn from the problems they face?  Those points and more on this episode!

Is TikTok really a threat to national security?  Why should we be concerned about this app?  Should your kids be on this thing?  What are the implications for national security and those folks who have clearances?  Where does this all go in the next year?  What about social media and the justice system?  Are you still able to get a fair trial in today's news cycle focused world?  How does that affect our future?  Those questions and more on this one with an expert who served in the FBI!

Welcome to 2023 y'all.  Let's get into the new year by looking at some news you need to know.  A major FAA system went down and caused an outage for all of Florida.  How secure is the FAA, and what about other airport safety systems?  Surely, no misconfigurations there.  Right?  Links to study guides for OSCP cert via Reddit, pretty cool huh?  A hospital was hit with ransomware then the bad guys gave the key away for free.  What does that reveal about the business model for those threat actors?  The best example of how "useful" GDPR is, via a hack.  Lol.  Those points and more on this one!

Okta has an issue with their source code and a Github breach.  Does that matter, and if so why?  Is the FDA asking for more funding a real issue, and are they secure enough to be mandating legislation?  1password published an interesting analysis on the state of access for 2022, what can we learn from that?  What about this ChatGPT thing, how can it be useful and is it a threat?  And the most egregious example of combining marketing, social media, TikTok, and a lie that have influenced millions is discussed.  Those points and more on this episode!

Why are certs hurting the industry?  Are they really?  How much does it cost to get an entry certification?  Why so much?  Is the process for certifications fair for everyone?  Should companies have a fellowship track for non-manager technologists?  How do we get past this problem?  Is HR in the way of fixing the cyber security hiring crisis?  How hard is it to fix the problem with management and onboarding?  Could a CISO get their own job based on the HR filtering system?  Those questions and more on this episode.

Do buyers always configure vendor security solutions correctly?  Is there a magic button to push and then your organization is secure?  Do vendors have no risks or avenues of compromise?  How bad is the MSQL database security that is out there right now (think millions).  The DoD released it's strategy for Zero Trust, what should we take away from that?  Amazon is offering a security data lake recently, is that a good thing?  The White House and Starlink were hit by a threat group via a DDoS attack, so what?  And another attack on an island nation that is now working off of paper to run the government, super.  Those points and more on this episode.

A former Forrester analyst and a former Gartner analyst talk about the market and a variety of topics.  Is it a good idea for layoffs to be taking place right now in cyber as the economy takes a dive?  How will that affect our collective security?  What should you know about analyst reports like the Wave or the Magic Quadrant?  Does security product bloat actually hurt operational capabilities?  Should automation be everywhere?  How does strategy start, and where?  Why do customers still run towards point solutions, rather than broader strategic offerings?  What about the new book "The Art of Selling Cybersecurity"?  Those questions and more on this one.

Zscaler has come up with their own certification for Zero Trust.  Is that a good thing?  What else is up with Medibank and how bad is the security for the Australian government that is pushing the formation of these new "hack back" teams?  Is that even a thing?  China is using universities to plunder research and intellectual innovations from America, so what?  Why isn't that more of a problem?  Don't we have a means to address this insider threat activity?  Navigation systems for pilots were affected recently, did you hear about that on the news?  Why not?  How much financial impact can one tweet have on a major company?  It's a lot y'all.  Those questions and more on this episode.

A noted Russian "leader" openly admits to tampering with elections, does that close the book on whether or not that has happened?  An article on the Hill says that "ignorance" is the issue for legislators regarding cyber.  Is it "ignorance" or willful ignoring of the problem?  With the midterm elections going on surely I can't find potentially insecure and misconfigured election related systems?  Right?  And surely the company that has been tasked with securing those election networks isn't at risk, right?  The CIO of the US DoD will release their Zero Trust strategy in the coming weeks, what should we take away from that?  And a great article from Andy Ellis on some of the realities of being a CISO in today's business world.  Those points and more on this episode.

Banks have paid out a massive multi-billion dollar plus to ransomware operations, but where does all that money go?  Is crypto entirely to blame?  Dropbox had a compromise issue, but luckily it's never happened before?  Right?  And it's good that it wasn't related to any companies intellectual property.  Oh wait.  And then let's talk about Chegg.  They get the award for continued cyber negligence I think.  But the FTC is now suing them, even though this is the fourth breach in a few years.  Good thing they moved fast.  Why does this keep happening and how are such major companies getting away with ignoring basic best practices?  Those questions and more on this episode.

A major insurance provider for an millions of people is dealing with a compromise, surely they have buttoned up the easy stuff?  Right?  Wanna bet.  Can I find a misconfigured SSH server that pipes me directly into an adversary nations internal networks?  Maybe.  More problems with TikTok as it gets reported in Forbes that the company was working to access American citizens personal location data "without their knowledge".  Uh oh.  How about the new mandates from TSA for the rail companies?  Do those requirements really have teeth and will they help things?  How many standards for compliance and the legal requirements to do business via digital connections are there?  Guess.  FastCompany got hit via the use of really bad passwords, that must have been a really hard problem to solve.  Right?  Those questions and more on this episode.

How long does it take to find possible vulnerable assets online, about 21 minutes.  Yeah.  Is the OPM data breach "settlement" even worth it?  Surely I can't find admin usernames and passwords with 1234 on the internet, right?  Certainly not for a state or local system, right?  Is data security up to par after a breach?  Why aren't states and local governments willing to work through the paperwork to get a cyber security grant?  That's nuts!  Is the job market getting any better for staffing?  Do trends indicate that?  A free resource for ZT planning, really?  Well, some of it's free but the resources are great.  Do vendors sell "snake oil" or is more a factor of the market at large and are investors and VC's affecting the ability to execute?  Those questions and more on this episode!

Dell has setup a Zero Trust Center of Excellence, that's pretty cool.  Real investment into strategic technology alignment sounds like a good idea to me.  Disinformation around the hurricane Ian fiasco.  How can we defend democracy when folks buy into this stuff?  Are you using Reddit to gain insight into your customer experience, you should be.  How secure is the organization that is forcing me to renew my business and cyber insurance policy, wanna guess?  And what about the Uber CISO issue?  Does that scenario really affect us all?  Those questions and more on this episode.

How many VPN's are out there that might have a configuration issue?  Are there any major companies that might be piping threats into their networks (the answer is probably).  Has Uber fixed the low hanging fruit from it's recent issue?  More ICS and SCADA vulnerable systems aren't out there, right?  Research from ZScaler on the use and adoption of the VPN is interesting, has the tide shifted with this old technology?  Are users really the weakest link, or has the security industry misled that group?  Those questions and more on this one!

Why are security leaders going "scorched earth" when they leave employers?  How can an organization better be prepared to deliver on their promises?  Does ethics apply in technology (it sure should)?  What's the right and wrong way to go about blowing the whistle when the need is there?  Does money paid out call into question the motives for speaking out?  Is it better to go out with a bang or just fade away?  Some hard hitting questions on this one!

What a wake up call this week when working with SMB's on their cyber security strategy and the reality of the space.  Do SMB's use outsourced security, and is that smart?  Does that hurt their overall awareness?  Why aren't things getting patched the way they should even when we have been notified by CISA and others of "critical vulnerabilities"?  Does the upcoming legislation around semi-conductors and silicon pointed at China have any impact on our national security and cyber future?  Those questions and a few more on this one.

Is the news media collaborating to manipulate our collective consciousness?  How would that happen?  Is local news "more true" than national news?  What about OPSEC for the war in Ukraine?  Could an organization cause a kinetic attack based on pictures that came from soldiers sharing via social media?  How does politics play into the space around cyber and disinformation?  Some hard hitting questions in this one to ponder.

How can you secure no code or low code applications?  Is devsecops a real thing?  Does anyone actually do this?  How should organizations look at the risks from these types of "factory made" apps?  Why is the 8200 unit such a big thing in the Israeli cyber scene?  What types of pricing make sense for security applications that you might not own?  How should the market approach the future of application security in an all cloud world?  Those questions and more on this one.