The Real Cybersecurity Podcast decrypts the issues and business of technology security. But instead of just scaring you, these industry veterans provide real advice and analysis for organizations trying to make security real today. Hosted by Greg Young and Bill Malik.
Greg and Bill discuss how breach disclosure laws could play out while discussing the recent events around SUNBURST, water treatment as targets, and the critical CISO skill of just walking around and talking to people.
Bill reports that Mastodon lives on and how awful Twitter is, we talk about the SEC complaint re: the SolarWinds CISO, and Greg reports on his Digital Fight Club experience in Dallas (and how awesome it was).
Bill and Greg nominate their candidates for biggest fails in cybersecurity in 2023 - we focus on the ideas or technologies that were hyped and just didn't deliver.
Cybersecurity for elections is likely going to be hitting the news more often. Bill and Greg discuss the big picture issues of election security, why governments struggle with election security at all (spoiler: it isn't because technology isn't available), and a brief discussion of rural and small jurisdictions. Here's the link to the poll book systems graphic we discuss during the episode: https://www.cyber.gc.ca/en/guidance/security-considerations-electronic-poll-book-systems-itsm10101
An update of the state of AI cybersecurity (including the hype) and a roundup of noteworthy breaches in the news. Also our thoughts on Splunk.
This week Bill and Greg dig into posture management - not the chair - but the posture of assets, people, and identities and such. We discuss why infrastructure and operating system companies won't ever make best in breed security, and why infrastructure isn't self-defending.
Discussion on risk, GRC, and 3rd party risk with former Gartner analyst who is now with Black Kite.
Greg covers the new SEC rules for disclosing cybersecurity incidents, and our celebrity reporter Bill has a brush with greatness in the personage of Jonathan Frakes.
This week in Real Cybersecurity we celebrate the 365 day countdown to Skynet, the Guidelines for the National Cybersecurity Strategy, startup funding challenges, & recent hack news including Microsoft and Revolut.
A real treat for you today, as Bill brought in his friend Spaff for a great chat. One highlight was hearing about his newest book, Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us. Amazon link to his new book: https://a.co/d/3SCd1nG and https://en.wikipedia.org/wiki/Gene_Spafford
We discuss Bill's ugly luggage, how new entries to the cybersecurity job market are often exploited, lapsing CISSPs, what really happened around Y2K, the limitations of AI in risk management, and why declassifying in a cavalier manner is catastrophic.
Bill and Greg answer listener questions about AI. And we didn't use ChatGPT for our answers. I think.
Our roving reporter Bill gives his impressions of the RSA Conference 2023, his talk on maritime cybersecurity he delivered just an hour before our recording. Greg asserts that without public-private partnership cybersecurity is hobbled vs the bad guys: but only if they each stay in their lanes.
Bill and Greg discuss the security aspects of AI: the 'black box' of AI is vulnerable to being manipulated or polluted, or to having biases that aren't evident to subjects. Also, how a Bay Area bank collapse will impact cybersecurity, and Bill's visit to CERIAS' anniversary with Gene Spafford.
Bill updates us about the updates to the NIST CSF (Cyber Security Framework), and we talk about the state of ransomware.
Greg and Bill dig into the unique cybersecurity needs of FinTech, and manage to keep blockchain mentions down to a few. In the 2nd part, some brief discussion of the security impact of ChatGPT and AI. Bill has a great story about naming collisions.
Bill and Greg try and unravel where the Crypto-Queen has skedaddled to, how all airline IT and cybersecurity are not equal, and how downsizing hasn't made a dent in the cybersec skills gap and people shortage.
We cover a lot of recent cybersecurity news, including AI developments, Infragard and the cyberwar part of the Russia/Ukraine war, and why it is the new era of Public-Private Partnerships.
Greg and Bill discuss options when faced with recession cuts. Cutting shelfware, or moving to a platform, could be your best bet in getting rid of inefficiencies. Cuts in cybersec aren't a common thing, but even so, getting rid of inefficiencies and shelfware is a great way to improve security.
This week we talk about the issues in the wide-spread use of open source components, and what an attractive target that makes for the bad guys.
Bill educates us on satellite and control systems vulnerabilities, and we go philosophical on information theory. Sorry about the sound on one channel.
This episode we answer the question "what is the state of zero trust?", and discuss the Twitter drama, Bill's recent talk in Santa Clara on automotive cybersecurity, and what the fudge is 5.5G (spoiler - not a real thing).
Bill and Greg present their top 6 issues you'll likely come across in cybersecurity in 2023. 3 are business related, and 3 are techie.
Recent hacks of well known tech firms bring us some lessons learned. The biggest lesson is that creating a security debt often doesn't work out. Maybe a big part of our security staff shortage is we're producing the wrong kinds of security leaders, and good leaders won't go into bad security companies. In the second half we discuss the several roles of machine learning we see today in security.
Bill gives the OneDrive screwdriver a 1 star review as a backup hammer. We discuss how this shows that consumer and enterprise security tools are different, and being good for one does not mean naturally it is good as the other - it takes a conscious effort. This leads to how moving to new buying centers takes a conscious effort, and even more so when the buying center isn't adjacent. How small and midsize companies' cybersecurity is so unique.
Bill and Greg report on what Bill saw at AWS re:Invent, and what they've heard from Black Hat/DEFCON (spoiler - nothing earth shattering). The security nonsense continues in the cryptocurrency world. Greg talks about why Continuous Assessment is the most important trend.
ICS security course tales, hacking factories, the current state sponsored landscape.
The Real CyberSecurity podcast talks suspected state-sponsored eavesdropping using equipment providers, and famous incidents involving tampered devices in embassies. Privacy and cybersecurity seem to be diverging and that has to stop. And how awesome the cybersecurity vibe in the US Northeast is.
Bill and Greg discuss why even though blockchains have great inherent security, the businesses and applications that are using them for cryptocurrency are not. They then explore why we are planning now for Quantum Crypto, and what "Quantum Safe" means.
Bill gives a post event report on the RSA Conference.
Bill files his report from his trip to Halifax, how not all cybersec issues are technology, how outsourcing is best as a balanced approach, and how the most complex cybersecurity conversations are actually the business ones.
Bill discusses the great Microsoft report on the revealed details of the cyberwar aspects of Ukraine & Russia war, and The Countdown to Zero Day book about Stuxnet. And Greg discusses why security conferences need to change.
Greg and Bill review two pieces - Top reasons cybersec people leave their jobs by SecurityMagazine.com, and the Top 7 CyberSecurity Trends by Gartner as reported on by VentureBeat. Kudos to Peter Firstbrook for his comments that clarified the article and press release. Bill gives a really good description of the issues around Identity of Things. Greg opines we're about to enter the golden age of API richness in security, especially API-to-API.
Hacked traffic enunciator boards, the reports of the top passwords from a hack, how poor communications security is in the news for the Ukraine war, security education, and internet of things chat. And a tutorial on Mesh Cybersecurity.
Bill and Greg discuss the impact should Russia disconnect from the internet, Pi Day, Conti Ransomware group messages, and the dynamic of Ransomware - how does the war in Ukraine change ransomware now that state sponsored entities are busy?
Will Bill (not to be confused with Kill Bill, because we really like Bill) be going to prison for tax evasion? Maybe, if you believe the sketchy letter he got in the snail-mail from "The Federal Tax Authorities". Scammers continue to evolve. They haven't gone away because they are still making money. In this episode we discuss some recent scam trends, and a case from last week of the FBI seizing billions in Bitcoin from alleged money launderers.
We're in a strange place in the cycle of Data Privacy. We give it away, but seem most concerned about it. Greg and Bill pull on some threads including social media, encryption, VPNs, and how we got here. Happy Data Privacy Week!
I think the Union of Cybersecurity Workers Local 404 says we have to talk about Log4J, except we'll discuss some different aspects of it. Avoiding holiday scams and talking to your families about them. Some positive comments about Australian cybersecurity culture.
We dip into some history of hacking and spying where the technical security and physical security were both involved. The Thing, U2 and SR71 planes, ransomware as a service, bugged embassies, ... so much to discuss! Cybersecurity companies with poor physical security are not to be trusted. Why embedding security in silicon is and will continue to be bad.
This episode we roast the continuing awfulness of companies and politicians who accuse vulnerability researchers of hacking, Bill gives a history lesson on tarry substances used on crypto boards, and how the Morris Worm changed history.
National Cybersecurity Awareness Month (NCSAM) is October! In this special week 4 of 4 (the finish line!) of NCSAM episode we are speaking to consumers and individuals about social media security. A lot of security professionals have zero social media presence, but that's not the reality for most people. You can engage without undertaking high risk, while being respectful of the privacy and security of others in your posts and feeds. Listen in and join us!
National Cybersecurity Awareness Month (NCSAM) is October! In this special week 3 of 4 of NCSAM episode we are speaking to consumers and individuals about passwords - those security things we all love to hate. But still, we have to protect them. Greg and Bill talk about some ways to make them easier to manage, and how to choose them. We also say the word entropy a lot, because it makes us sound more serious.
National Cybersecurity Awareness Month (NCSAM) is October! In this special week 2 of 4 of NCSAM episode we are speaking to consumers and individuals about device security. All your phones, TVs, routers and such. Protect yourself, and not just this month.
National Cybersecurity Awareness Month (NCSAM) is October! In this special week 1 of 4 of NCSAM episode we are speaking to consumers and individuals about surfing (the web) safely.
Some reality about security startups, the fool's gold and FOMO-stress of fame in social media and conferences for cybersecurity, some career advice, Bill has some great advice about what makes a good organization and some criteria for buying companies, and Greg points out that the difference in cybersecurity companies who have stock market success vs those whose target is making the best cybersecurity matters when you are buying stock vs buying products.
Greg and Bill talk some cybersecurity history about the Orange Book, and how fundamentally the approach to what we put security into has changed. Big IT vendors have trouble with security because it isn't their core business.
Bill and Greg cover the history of app security testing, why it is neglected, web application firewalls, code scanners, and how the devsecops loop is still mostly aspirational. Some thoughts on Zero Trust, and ... The Zachman Framework! DEFCON is here, trade show giveaways, and the most memorable celebrity keynotes.
Greg and Bill discuss, if in charge for a day, what they would change in cybersecurity to break the cycle we are in. Greg has big issues about that meeting of CEOs concerning cybersecurity at the White House. Bill talks defect analysis. How challenging the CISO job is in government, and we salute you. AI and security clearances!
We start out with a few presentation tips, and do a status check on these unprecedented pajama-bottom wearing times. How the cybersecurity culture in companies will be different in 2022. Complexity in the new hybrid telework/in-person will be exploited. SASE as a good tool to accommodate new business processes. What the near term of Ransomware as a service is. The biggest impact on Ransomware would be interrupting payments. We talk about our big current topics - XDR, Zero Trust, Resilience, Supply Chain, and SASE.
Balancing security education with security technology. Real risk: livestock are a bigger threat than sharks, and what about self-driving cars. The role of federal governments in tamping down ransomware activity. Small and Midsize Organization security. The dark arts of the Common Criteria and Formal Methods. Bill drives the Trolley Car in the Trolley Car Problem.
Was in-person RSAC only a year ago? Selling passwords for candy bars, thinking back to RSA 2020, the good and bad of virtual events, and green M&Ms. Virtual cybersecurity events need to be a rethinking of the event format, not the worst of both worlds. And stop recording sessions months in advance. And Zoom backgrounds.