A strong cyber defense is vital to public- and private-sector activities in the United States. In 2019, in response to an executive order to strengthen America's cybersecurity workforce, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) partnered with the SEI to develop and run the President's Cup Cybersecurity Competition, a national cyber competition that identifies and rewards the best cybersecurity talent in the federal workforce. In six years, more than 8,000 people have taken part in the President's Cup. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Jarrett Booz, technical lead for the President's Cup, and John DiRicco, a training specialist in the SEI's CERT Division, sit down with Matthew Butkovic, the CERT technical director of cyber risk and resilience, to reflect on six years of hosting the cup, including challenges, lessons learned, the path forward, and publicly available resources.
Episode 88. On this episode of All Quiet, host Tyler Sweatt chats with cybersecurity expert Greg Touhill, director of the CERT Division at Carnegie Mellon's Software Engineering Institute. With a rich background as the U.S. government's first Chief Information Security Officer (CISO) and a seasoned executive in the U.S. Air Force and Department of Homeland Security, Greg discusses the trajectory of cybersecurity from its foundational days to its current critical role in national security and private sector strategy. Explore how AI and cybersecurity intersect and the essential steps today's leaders must take to safeguard our digital future. What's Happening on the Second Front: Greg's journey from the U.S. Air Force to leading national cybersecurity initiatives. The impact of AI on cybersecurity—what does the future hold? Cybersecurity in the corporate world: How is it shaping business strategies at the highest levels? Emerging challenges: What are the next big threats, and how are we preparing to tackle them? Connect with Greg: LinkedIn: Gregory Touhill. Connect with Tyler: LinkedIn: Tyler Sweatt. SEI resources discussed: SEI website: https://www.sei.cmu.edu/; AI/AI Security: Artificial Intelligence Security Incident Response Team (AISIRT); Risk and Resilience: Enterprise Risk and Resilience Management; SEI GitHub: Software Engineering Institute · GitHub
To make secure software by design a reality, engineers must intentionally build security throughout the software development lifecycle. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Timothy A. Chick, technical manager of the Applied Systems Group in the SEI's CERT Division, discusses building, designing, and operating secure systems.
In the wake of widespread adoption of artificial intelligence (AI) in critical infrastructure, education, government, and national security entities, adversaries are working to disrupt these systems and attack AI-enabled assets. With nearly four decades in vulnerability management, the Carnegie Mellon University Software Engineering Institute (SEI) recognized a need to create an entity that would identify, research, and identify mitigation strategies for AI vulnerabilities to protect national assets against traditional cybersecurity, adversarial machine learning, and joint cyber-AI attacks. In this SEI podcast, Lauren McIlvenny, director of threat analysis in the SEI's CERT Division, discusses best practices and lessons learned in standing up an AI Security Incident Response Team (AISIRT).
Developers know that static analysis helps make code more secure. However, static analysis tools often produce a large number of false positives, hindering their usefulness. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Svoboda, a software security engineer in the SEI's CERT Division, discusses Redemption, a new open source tool from the SEI that automatically repairs common errors in C/C++ code generated from static analysis alerts, making code safer and static analysis less overwhelming.
In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Ware, a senior cybersecurity engineer in the SEI's CERT Division, discusses her career path, the value of mentorship, and the importance of diversity in cybersecurity.
In the wake of the COVID pandemic, the workforce decentralized and shifted toward remote and hybrid environments. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Dan Costa, technical manager of enterprise threat and vulnerability management, and Randy Trzeciak, deputy director of Cyber Risk and Resilience, both with the SEI's CERT Division, discuss how remote work in the post-pandemic world is changing expectations about employee behavior monitoring and insider risk detection.
Zero trust architecture has the potential to improve an enterprise's security posture. There is still considerable uncertainty about the zero trust transformation process, however, as well as how zero trust architecture will ultimately appear in practice. Recent executive orders have accelerated the timeline for zero trust adoption in the federal sector, and many private-sector organizations are following suit. Researchers in the CERT Division at the Carnegie Mellon University Software Engineering Institute (SEI) hosted Zero Trust Industry Days to enable industry stakeholders to share information about implementing zero trust. In this SEI podcast, CERT researchers Matthew Nicolai and Nathaniel Richmond discuss five zero trust best practices identified during the two-day event, explain their significance, and provide commentary and analysis on ways to empower your organization's zero trust transformation.
In Ansible, roles allow system administrators to automate the loading of certain variables, tasks, files, templates, and handlers based on a known file structure. Grouping content by roles allows for easy sharing and reuse. When developing roles, users must deal with various concerns, including what operating system(s) and version(s) will be supported and whether a single node or a cluster of machines is needed. In this podcast from the Carnegie Mellon University Software Engineering Institute, Matthew Heckathorn, an integration engineer with the SEI's CERT Division, offers guidance for systems engineers, system administrators, and others on developing Ansible roles and automating infrastructure as code.
In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI) Marisa Midler and Samantha Chaves, penetration testers with the SEI's CERT Division, talk with Suzanne Miller about a penetration-testing repository that they helped to build. The repository is a source of information for active directory, phishing, mobile technology, systems and services, web applications, and mobile- and wireless-technology weaknesses that could be discovered during a penetration test. The repository is intended to help assessors provide reports to organizations using standardized language and standardized names for findings, and to save assessors time on report generation by having descriptions, standard remediations, and other resources available in the repository for their use. The repository is available at https://github.com/cisagov/pen-testing-findings
While the memory safety and security features of the Rust programming language can be effective in many situations, Rust's compiler is very particular about what constitutes good software design practices. Whenever design assumptions disagree with real-world data and assumptions, there is the possibility of security vulnerabilities, and of malicious software that can take advantage of those vulnerabilities. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Svoboda and Garret Wassermann, researchers with the SEI's CERT Division, explore tools for understanding vulnerabilities in Rust whether the original source code is available or not. These tools are important for understanding malicious software, where source code is often unavailable. Svoboda and Wassermann also comment on possible directions in which tools and automated code analysis can improve.
In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Gregory J. Touhill, director of the SEI CERT Division, talks with Suzanne Miller about secure by design, secure by default, a longstanding tenet of the work of the SEI and CERT in particular. The SEI has been in the forefront of secure software development, promoting an approach where security weaknesses are addressed, prevented, or eliminated earlier in the software development lifecycle, which not only helps to ensure secure systems, but also saves time and money. Touhill also discusses the CERT strategy in support of SEI sponsors in the U.S. Department of Defense (DoD), the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) and his vision for the future of cybersecurity and the role of the CERT Division.
Secure by design means performing more security and assurance activities earlier in the product and system lifecycles. A secure-by-design mindset addresses the security of systems during the requirements, design, and development phases of lifecycles rather than waiting until the system is ready for implementation. The need for a secure-by-design mindset is exacerbated by the amount of interconnectedness of today's systems and the increasing amount of automation that characterizes system development. These trends have led to increased levels of risk and made implementation of security controls during test and patching systems after deployment increasingly unsustainable. In this podcast from the Carnegie Mellon University Software Engineering Institute, Robert Schiela, technical manager of the Secure Coding group, and Carol Woody, a principal researcher in the SEI's CERT Division, talk with Suzanne Miller about the importance of integrating the practices and mindset of secure by design into the acquisition and development of software-reliant systems.
Rust is growing in popularity. Its unique security model promises memory safety and concurrency safety, while providing the performance of C/C++. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Svoboda and Joe Sible, both engineers in the SEI's CERT Division, talk with principal researcher Suzanne Miller about the Rust programming language and its security-related features. Svoboda and Sible discuss Rust's compile-time safety guarantees, the kinds of vulnerabilities that Rust fixes and those that it does not, situations in which users would not want to use Rust, and where interested users can go to get more information about the Rust programming language.
Coordinated vulnerability disclosure (CVD) begins when at least one individual becomes aware of a vulnerability, but it can't proceed without the cooperation of many. Software supply chains, software libraries, and component vulnerabilities have evolved in complexity and have become as much a part of the CVD process as vulnerabilities in vendors' proprietary code. Many CVD cases now require coordination across multiple vendors. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Allen Householder, a senior vulnerability and incident researcher in the SEI's CERT Division, talks with principal researcher Suzanne Miller about Vultron, a protocol for multi-party coordinated vulnerability disclosure (MPCVD).
In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Dr. Carol Woody, a principal researcher in the SEI's CERT Division, talks with Suzanne Miller about the SEI's newly released Acquisition Security Framework, which helps programs coordinate the management of engineering and supply-chain risks across system components including hardware, network interfaces, software interfaces, and mission capabilities.
In aiming for correctness and security of product, as well as for development speed, software development teams often face tension in their objectives. During a recent customer engagement that involved the development of a continuous-integration (CI) pipeline, developers wanted to develop features and deploy to production, deferring non-critical bugs as technical debt, whereas cyber engineers wanted compliant software by having the pipeline fail on any security requirement that was not met. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Alejandro Gomez, a researcher in the SEI's CERT Division who worked on the customer project, talked with principal researcher Suzanne Miller about how the team explored—and eventually resolved—the two competing forces of developer velocity and cybersecurity enforcement by implementing DevSecOps practices.
The shift to a cloud environment provides significant benefits. Cloud resources can be scaled quickly, updated frequently, and widely accessed without geographic limitations. Realizing these benefits, however, requires organizations to manage associated organizational and technical risks. In this podcast from the Carnegie Mellon University Software Engineering Institute, Chris Alberts, principal cybersecurity analyst in the SEI's CERT Division, discusses with principal researcher Suzanne Miller a prototype set of cloud adoption risk factors and describes a method that managers can employ to assess their cloud initiatives against these risk factors.
On this edition of Security Bytes Jim talks to Sharon Mudd, a senior cybersecurity operations researcher with CERT Division at the Software Engineering Institute. In a world where technology is at the center of evaluating cyber risks, the human factor arguably contributes greatly, but how are we measuring and improving?
In this podcast from the Carnegie Mellon University Software Engineering Institute, Thomas Podnar and Dustin Updyke, both senior cybersecurity engineers with the SEI's CERT Division, discuss their work to apply machine learning to increase the realism of non-player characters (NPCs) in cyber training exercises.
On today's episode of The Daily Scoop Podcast, Brig. Gen. Gregory Touhill (USAF, ret.), director of the CERT Division at the Software Engineering Institute and former federal chief information security officer, discusses the coordinated government response to cyber attacks. Gordon Bitko, senior vice president at Information Technology Industry Council and former FBI chief information officer, discusses the funding challenges for zero trust initiatives across government. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
To ensure trust, artificial intelligence systems need to be built with fairness, accountability, and transparency at each step of the development cycle. In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Smith, a senior research scientist in human machine interaction, and Dustin Updyke, a senior cybersecurity engineer in the SEI's CERT Division, discuss the construction of trustworthy AI systems and factors influencing human trust of AI systems.
In this podcast from the Carnegie Mellon University Software Engineering Institute, Shannon Gallagher, a data scientist with SEI's CERT Division, and Dominic Ross, multimedia team lead for the SEI, discuss deepfakes, their exponential growth in recent years, their increasing technical sophistication, and the problems they pose for individuals and organizations. Gallagher and Ross also discuss the SEI's recent research in assessing the technology underlying the creation and detection of deepfakes and understanding current and future threat levels.
How do you build cyber resilience? How serious is the threat of cyber warfare? What's new in cybersecurity training? These are things all business owners – large or small – need to know to keep their data safe. We recently asked about these issues and more with Matthew Butkovic, technical director – cyber risk and resilience at the CERT Division of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh.
Over the past several years, zero trust architecture has emerged as an important topic within the field of cybersecurity. Heightened federal requirements and pandemic-related challenges have accelerated the timeline for zero trust adoption within the federal sector. Private sector organizations are also looking to adopt zero trust to bring their technical infrastructure and processes in line with cybersecurity best practices. Real-world preparation for zero trust, however, has not caught up with existing cybersecurity frameworks and literature. NIST standards have defined the desired outcomes for zero trust transformation, but the implementation process is still relatively undefined. As the nation's first federally funded research and development center with a clear emphasis on cybersecurity, the Carnegie Mellon University Software Engineering Institute (SEI) is uniquely positioned to bridge the gap between NIST standards and real-world implementation. In this podcast, Tim Morrow and Matthew Nicolai, researchers with the SEI's CERT Division, have outlined 4 steps that organizations can take to implement and maintain zero trust architecture.
On today's episode of The Daily Scoop Podcast, the Department of Energy is ready to use a supercomputer to tackle 24 initial science and engineering problems. The Department of Defense will investigate a shared service model for security for contractors. Brig. Gen. Gregory Touhill (USAF, ret.), director of the CERT Division at the Software Engineering Institute at Carnegie Mellon University and former federal chief information security officer, discusses how this will impact the Cybersecurity Maturity Model Certification (CMMC). Dwayne Spriggs, service delivery director at the Department of Justice, tells Scoop News Group's Wyatt Kash how cloud capabilities provide DOJ with flexibility and responsiveness. This interview is part of FedScoop's “Cloud-Driven Innovation in Federal Government” video campaign. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
Our reliance on digital infrastructure and the Internet makes everyone vulnerable to cybersecurity attacks. Given the importance of cybersecurity, everyone from CEOs to board members and employees must understand the nature of this threat. Although cybersecurity involves technology, managing the problem relies on people and the willingness of individuals to change their behavior. To learn how to manage a cybersecurity program, we spoke with Gregory Touhill, director of the world-renowned CERT Division of the Carnegie Mellon University Software Engineering Institute (SEI). Proactive cybersecurity strategy should be an important element of any digital transformation effort. The conversation includes these topics: -- On the state of cybersecurity in 2022 -- On security weakness arising from the intersection of administrative and operational systems -- On the challenges of enterprise security -- On the importance of prioritizing enterprise cybersecurity -- On managing ransomware attacks -- On creating a culture of cybersecurity -- On the future of managing cybersecurity. Subscribe to the CXOTalk newsletter: https://www.cxotalk.com/subscribe Read the full transcript: https://www.cxotalk.com/episode/state-cybersecurity-2022 At the SEI CERT Division, Greg Touhill leads a diverse group of researchers, software engineers, security analysts, and digital intelligence specialists working together to research security vulnerabilities in software products, contribute to long-term changes in networked systems, and develop cutting-edge information and training to improve the practice of cybersecurity. Touhill was appointed by former President Barack Obama to be the first chief information security officer (CISO) of the United States government. Previously, he served in the Department of Homeland Security (DHS) as deputy assistant secretary in the Office of Cybersecurity and Communications.
Before joining the Software Engineering Institute, he was president of Appgate Federal, a provider of cybersecurity products and services to civilian government and defense agencies. Touhill is a 30-year veteran of the U.S. Air Force where he was an operational commander at the squadron, group, and wing levels. He served as a senior leader of military cybersecurity and information technology programs, culminating as the chief information officer of the United States Transportation Command, one of the nation's 10 combatant commands. A combat veteran, he is the recipient of numerous awards and decorations including the Bronze Star medal and the Air Force Science and Engineering Award. He retired from the Air Force with the rank of brigadier general. He is an adjunct faculty member of the CMU Heinz College of Information Systems and Public Policy and the Deakin University (Australia) Centre for Cybersecurity Research and Innovation. A member of many organizational boards and committees and recipient of many awards, Touhill was recognized by Security Magazine as one of its Most Influential People in Security and by Federal Computer Week in the Federal 100. He is the co-author of the books Cybersecurity for Executives: A Practical Guide and Commercialization of Innovative Technologies.
In this episode, host Olivia Neal speaks to Mary Ann Blair, the Chief Information Security Officer of Carnegie Mellon University. Blair and her team, the Information Security Office, protect the global research university from cyber threats that attack the confidentiality, integrity and availability of information and systems. Hear her challenges, priorities, and lessons learned since starting her role in 2004. Resources: Microsoft Public Sector Center of Expertise; Cybersecurity at Carnegie Mellon University; CyLab at Carnegie Mellon University; The CERT Division at Carnegie Mellon University; Carnegie Mellon University Information Security Office; Cybersecurity Center Development at Carnegie Mellon University; REN-ISAC (Research Education Networking Information Sharing & Analysis Center); Microsoft Cybersecurity Scholarship Program; Microsoft's new security certifications; Microsoft Security. Discover and follow other Microsoft podcasts at aka.ms/microsoft/podcasts
Greg Touhill is one of the nation's premier cybersecurity, information technology and risk management leaders. As an Air Force officer he led technology efforts in some of our nation's most demanding organizations including combatant commands during time of war. He is an accomplished speaker and author and business executive and also served as our nation's first Chief Information Security Officer (CISO). Touhill is currently the director of the Carnegie Mellon University Software Engineering Institute's CERT Division. In this capacity he leads one of the most highly regarded organizations in the cybersecurity community. The CERT is a diverse group of researchers, software engineers, security analysts and digital intelligence specialists who work together to research vulnerabilities, contribute to long term changes and develop cutting-edge information and training to improve the practice of cybersecurity. In this OODAcast we examine Greg's approach to leadership and then get into: operational views of the cyber threat that can help drive collective action in mitigating risks; ways security leaders can continue to learn and grow; the CERT's role in improving security through cybersecurity; and lessons learned in communicating security topics with non-technical audiences (including a fantastic discussion of lessons from SciFi).
- We know you served as the First Federal U.S. CISO, can you tell us a bit about that experience? - In addition to your military and public sector background, you've held various industry roles as well, what are some of the major differences between the two environments you've experienced? - We know you've held various board advisor and even director roles. Do you feel that Cyber is increasingly becoming a boardroom concern? - You're very passionate about Zero Trust. What are your thoughts on the Federal push to adopt Zero Trust in an environment as big and complex as the Federal and DoD space? - You've served at the highest levels of Cybersecurity leadership for several years - any advice for aspiring security leaders? - What do you think the CISO of the future looks like in terms of skillsets and competencies? - Can you tell us a bit about what you're up to these days with the CERT Division at SEI?
Organizations are turning to DevSecOps to produce code faster and at lower cost, but the reality is that much of the code is actually coming from the software supply chain through code libraries, open source, and third-party components where reuse is rampant. The downside is that this reused code contains defects unknown to the new user, which, in turn, propagate vulnerabilities into new systems. This is troubling news in an operational climate already rife with cybersecurity risk. Organizations must develop a cybersecurity engineering strategy for systems that addresses the integration of DevSecOps with the software supply chain. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Carol Woody, a principal researcher in the SEI's CERT Division, talks with Suzanne Miller about supply-chain issues and the planning needed to integrate software from the supply chain into operational environments. The discussion includes building a cybersecurity engineering strategy for DevSecOps that addresses those supply-chain challenges.
On today's episode of The Daily Scoop Podcast, Priority Area Leads for each of the three pillars of the Biden-Harris President's Management Agenda Vision are announced. The Cybersecurity and Infrastructure Security Agency will revise its Zero Trust Maturity Model it's creating in intersection with the Continuing Diagnostics and Mitigation Program. Brig. Gen. Gregory Touhill (USAF, ret.), director of CERT Division at Carnegie Mellon University's Software Engineering Institute and former federal chief information security officer, discusses how a zero trust model can help lead to less complexity for cybersecurity solutions. The FY2022 defense budget is in place now and it's setting a marker for 2023. Roman Schweizer, managing director of the Washington Research Group for Cowen, breaks down the biggest increases in the FY22 budget and what to watch for in the FY23 defense budget. At ITModTalks, Office of Personnel Management Chief Information Officer Guy Cavallo joins FedScoop's Dave Nyczepir to discuss how OPM is using the Technology Modernization Fund to transform the agency's zero trust posture. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Jeffrey Gennari, a senior malware reverse engineer, and Garret Wassermann, a vulnerability analyst, both with the SEI's CERT Division, discuss Kaiju, a series of tools that they have developed that allows for malware analysis and reverse engineering. Kaiju helps analysts take better advantage of Ghidra, the National Security Agency's reverse-engineering tool.
On today's episode of The Daily Scoop Podcast, the Army's Combat Capabilities Development Command has its first permanent chief technology officer. Comments are open now for the draft of the first ever learning agenda from the Office of Management and Budget. Chris Mihm, adjunct professor of public administration at the Maxwell School at Syracuse University and former managing director for strategic issues at the Government Accountability Office, explains what's important about the learning agenda and the process of taking in comments on it. The Department of Homeland Security says it will bring in hundreds of cyber professionals through its new Cybersecurity Talent Management System, but DHS and other agencies have thousands of cyber openings. Brig. Gen. Gregory Touhill (USAF, ret.), director of the CERT Division at the Software Engineering Institute and former federal chief information security officer, explains the two challenges he sees the government facing while filling these cyber vacancies. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
Impact of climate change on US defense interests: Erin Sikorsky, director of the Center for Climate and Security, discusses how China is taking advantage of climate change and how the U.S. can work with allies and partners to respond. Confronting security risks from climate change: Rolf Mowatt-Larssen, senior fellow at the Belfer Center and former director of Intelligence and Counterintelligence at the Department of Energy, describes actions the intelligence community should take to confront and mitigate national security threats from climate change. Responding to the growing cyber threat landscape: Brig. Gen. Gregory Touhill, director at the CERT Division at the Software Engineering Institute, discusses changes in the cyber threat landscape and a new directive from CISA for federal agencies to address security vulnerabilities.
In this SEI Podcast, Dr. Leigh Metcalf and Dr. Jonathan Spring, both researchers with the Carnegie Mellon University Software Engineering Institute's CERT Division, discuss the application of scientific methods to cybersecurity. As described in their recently published book, Using Science in Cybersecurity, Metcalf and Spring describe a common-sense approach and practical tools for applying scientific rigor to the field of cybersecurity.
Implementing cyber defense action at federal agencies: Brig. Gen. Gregory Touhill, director of the CERT Division at the Software Engineering Institute, discusses how the new Joint Cyber Defense Collaborative will allow the government and private sector to proactively address cyber threats. The importance of the Space Portfolio to DIU operations: Steve Butow, director of the Space Portfolio at the Defense Innovation Unit, discusses space as a service and deployment of commercial technology into military services to improve readiness. Streamlining and reforming political appointment system: Max Stier, president and chief executive officer of the Partnership for Public Service, discusses shortcomings in the system for nominating and confirming major positions in government.
Zero trust adoption is a security initiative that an enterprise must understand, interpret, and implement. Enterprise security initiatives are never simple, and their goal to improve cybersecurity posture requires the alignment of multiple stakeholders, systems, acquisitions, and exponentially changing technology. This alignment is always a complex undertaking and requires cybersecurity strategy and engineering to succeed. In this SEI Podcast, Geoff Sanders, a senior network defense analyst in the CERT Division at Carnegie Mellon University's Software Engineering Institute, discusses zero trust adoption and its benefits, applications, and available resources.
Nataliya (Natasha) Shevchenko and Mary Popeck, both senior researchers in the CERT Division at Carnegie Mellon University's Software Engineering Institute, discuss the use of model-based systems engineering (MBSE), which, in contrast to document-centric engineering, puts models at the center of system design. MBSE is used to support the requirements, design, analysis, verification, and validation associated with the development of complex systems.
This week Greg Touhill, Director of CERT Division, joins the podcast to share insights on CERT's history as the birthplace of cyber and culture of innovation at the center of the cyber universe. He also dives into the importance of the development of a Software Bill of Materials (SBOM), what happens when national leaders shine a light on cyber, why talent with breadth and depth is critical to helping move the federal government cyber needle, and the building blocks for standing up the federal government's first CISO office. To learn more about CERT visit CERT.org. For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e141
Understanding IT security policies at the VA: Gary Stevens, executive director for information security policy and strategy at the Department of Veterans Affairs, discusses the cybersecurity executive order and tools and methods his department uses to get in front of cyber threats. The impacts of the climate crisis on national security: Jim Mitre, former principal director at the Office of the Secretary of Defense and now chief strategy officer at Govini, discusses his team's analysis of the effects of climate change on national security and recent defense investments in this space. Investigating ransomware attacks across federal agencies: Brig. Gen. Gregory Touhill, former federal chief information security officer and now director of the CERT Division at the Software Engineering Institute, discusses the federal government's strong protections against ransomware and the concept of banning ransomware payments.
In this SEI Podcast, the latest in the My Story in Computing series, Marisa Midler, a cybersecurity engineer in the SEI's CERT Division, discusses her career path. After growing up on a farm in Pennsylvania, Midler graduated from college with a degree in communications and English writing and then traveled to Seattle and worked a variety of jobs, including as a bouncer at a Seattle night club. Midler returned to Pittsburgh to obtain a second bachelor's degree in information science followed by a master's degree in information security policy and management from Carnegie Mellon University. Throughout it all Midler has been guided by her mantra: never settle.
The Software Engineering Institute, operated by Carnegie Mellon University as a federally funded research and development center, has a new name at its CERT Division. The Division's new director is Greg Touhill, a retired Air Force Brigadier General and former federal chief information security officer. He joined the Federal Drive to discuss his new role.
If organizations take more steps to address security-related activities now, they will be less likely to encounter security incidents in the future. When it comes to application containers, security is achieved through adopting a series of best practices and guidelines. In this SEI Podcast, Tom Scanlon and Richard Laughlin, researchers with the SEI's CERT Division, discuss seven steps that developers can take to engineer security into ongoing and future container adoption efforts.
In this SEI Podcast, Marisa Midler and Tim Shimeall, network defense analysts within the SEI's CERT Division, discuss the growing problem of ransomware, including the rise of ransomware-as-a-service threats. Ransom payments from Quarter 3 of 2019 were on average $42,000, and in Quarter 1 of 2020, that average increased by $70,000 to $112,000. The volume of attacks also increased by 25 percent in Quarter 4 of 2019 and by another 25 percent in Quarter 1 of 2020. The sophistication of the attacks has increased alongside their severity. Midler and Shimeall discuss steps and strategies that organizations can adopt to minimize their exposure to the risks and threats associated with ransomware.
Software vulnerability coordination at the CERT Coordination Center (CERT/CC) has traditionally relied on a hub-and-spoke model, with reports submitted to analysts at the CERT/CC who would then work with affected vendors. To scale communications and increase the level of collaboration between vulnerability reporters, coordinators, and software vendors, the CERT/CC team has created a web-based platform for software vulnerability reporting and coordination called the Vulnerability Information and Coordination Environment (VINCE). In this SEI Podcast, Emily Sarneso, the architect of VINCE, and Art Manion, technical manager of the Vulnerability Analysis Team in the SEI’s CERT Division, discuss the rollout of VINCE, how to use it, and future work in vulnerability coordination.
The COVID-19 pandemic has forced significant changes in enterprise work practices, including an increased use of telecommunications technologies required by the new work-from-home policies that most organizations have instituted in response. In this podcast, Phil Groce, a senior network defense analyst in the CERT Division of the Carnegie Mellon University Software Engineering Institute, discusses the security implications of this dramatic increase in the number of people in organizations who are working from home, examines the threats and vulnerabilities associated with the increase in remote work, and offers practical solutions to individuals and enterprises for operating securely in this new environment.
Situational awareness makes it possible to get relevant information from across an organization, to integrate that information, and to disseminate it to help leaders make more informed decisions. In this SEI Podcast, Angela Horneman and Timothy Morrow, researchers in the SEI's CERT Division, discuss the importance of looking beyond the network to acquire situational awareness for cybersecurity.
Risk managers must often sift through the cacophony of demands for resources and advocacy to identify a diverse set of risks to include in their organization’s risk register. These managers of cyber risk face this problem when trying to prioritize risks within the scope of their function, only to then turn to executives and justify the need for resources. OCTAVE FORTE, a new and upcoming Enterprise Risk Management (ERM) process model developed by Carnegie Mellon’s CERT Division of the SEI, provides a scalable and standardized process that assists managers with the policy guidelines and tools necessary for identifying risks and justifying the resources needed for the organization’s proper response to them. Attendees at the OCTAVE FORTE webcast learn more about the new OCTAVE FORTE process and learn about a report, Advancing Risk Management Capability Using the OCTAVE FORTE Process, due this fall. More specifically, the webcast attendees can expect to learn about the fundamental steps of the process and how they might apply them in their own organization.
The culture of computers and information technology changes quickly. The Future of Cyber Podcast series explores the future of cyber and whether we can use the innovations of the past to address the problems of the future. In our latest episode, Bobbie Stempfley, director of the SEI’s CERT Division, interviews Dr. Diana Burley, executive director and chair of the Institute for Information Infrastructure Protection, or I3P, and vice provost for research at American University. Their discussion focused on educating the cybersecurity workforce in a way that closes the gap between what students are taught in school and the skills they’ll need to use in the workplace.
For more than 30 years, the cybersecurity community has worked to increase the effectiveness of our cybersecurity and resilience efforts. Today we face an explosion of devices, the pervasiveness of software, the threat of adversarial capability, and the dependence of national capabilities on the cyber domain. These challenges demand that we think about how to achieve the future we need, which is the subject of a new series of podcasts, The Future of Cyber. In this episode, Bobbie Stempfley, director of the CERT Division of the SEI, explores the future of secure coding with Steve Lipner, the executive director of SAFECode and former director of software security at Microsoft, where he created Microsoft’s Security Development Lifecycle.
The leadership team at OODA has had the pleasure of working with and learning from Bobbie Stempfley since her leadership of the Department of Defense Computer Emergency Response Team (DoD CERT) after she established it in the late 1990s. This OODAcast captures insights from Bobbie that can inform the actions of corporate and government leaders alike. She has had a broad influence on the cybersecurity community, including rising to a senior executive position in the DoD and then later helping DHS as it established itself as a new Department. She also led cybersecurity activities at MITRE. Through it all she has been a mentor to thousands and a thought leader known for anticipating and mitigating risks. Now, as director of the Carnegie Mellon University Software Engineering Institute's CERT Division (since 2017), she leads a highly respected team of researchers examining some of the nation's biggest challenges in cybersecurity, including insider threats, the security of Artificial Intelligence, and ways to measure the impact of cybersecurity solutions. Topics we discuss with Bobbie include: her foundational story; views on the current situation, including actions we should take to reduce cyber risks right now; the situation regarding the security of artificial intelligence solutions; advice for cybersecurity professionals seeking to stay current; research we should be aware of at CMU; and advice for the youth of today. Related Resources: SEI CERT; Bobbie Stempfley on LinkedIn; An Executive’s Guide to Cognitive Bias in Decision Making: How we think is critically important.
A Decision-Maker’s Guide to Artificial Intelligence: A plain English overview with the insights you need to drive corporate decisions. The Executive’s Guide to Quantum Computing: What business decision-makers need to know now about quantum superiority. The Executive’s Guide to the Revolution in Biology: An overview of key thrusts of the transformation underway in biology and offers seven topics business leaders should consider when updating business strategy to optimize opportunity because of these changes. OODA COVID-19 Sense-making: A dynamic resource for OODA Network members looking for Coronavirus/COVID-19 information to drive their decision-making process. We’ll update it with new links as we encounter them. This is not meant to be a comprehensive list, but rather a compilation of the most useful resources. The 2020 OODA Cybersecurity Watch List: The list can serve multiple stakeholders. Investors can find firms that have demonstrated good product-market fit and are good candidates for follow-on funding. CISOs can find companies that have demonstrated real disruptive technology potential and at least enough traction to prove they are worth considering. OODAcast on YouTube: OODA's YouTube Channel.
The culture of computers and information technology evolves quickly. In this environment, how can we build a culture of security through regulations and best practices when technology can move so much faster than legislative bodies? The Future of Cyber Podcast Series explores whether we can use the innovations of the past to address the problems of the future. In this SEI Podcast, David Hickton, founding director of the University of Pittsburgh Institute for Cyber Law, Policy, and Security, sits down with Bobbie Stempfley, director of the SEI’s CERT Division, to talk about the future of cybercrime.
Those who work in computing today bring a wide array of backgrounds and experiences to the profession. In this podcast learn how Madison Quinn Oliver, who wanted to work at Carnegie Mellon University since childhood, relied on a strong work ethic and lifelong pursuit of education to become an associate vulnerability engineer on the Vulnerability Coordination Team within the SEI’s CERT Division. This is the second installment in our My Story in Computing podcast series.
Computers and information technology are getting more and more integrated into our daily lives, so they need to be easy to use. But recent, historically large data breaches have demonstrated the need to make systems more secure and to protect information about individuals. How will the security−privacy−usability triangle successfully accommodate the challenges that the future will bring? In this podcast, Dr. Lorrie Faith Cranor, director of CyLab, sits down with Bobbie Stempfley, director of the SEI’s CERT Division, to talk about the future of cyber in security and privacy.
For more than 30 years, the cybersecurity community has worked to increase the effectiveness of our cybersecurity and resilience efforts. Today we face an explosion of devices, the pervasiveness of software, the threat of adversarial capability, and the dependence of national capabilities on the cyber domain. These challenges demand that we think about how to achieve the future we need. In this podcast, the first in a series exploring The Future of Cyber, Bobbie Stempfley, director of the CERT Division of the SEI, and Dr. Michael McQuade, vice-president for research at Carnegie Mellon University, explore past and present technologies that have helped to secure our digital infrastructure and how past advancements will help us secure future architectures.
Dr. Carol Woody discusses the career path that led to her current role as technical manager for the Cybersecurity Engineering (CSE) team in the SEI’s CERT Division.
In this webcast, as a part of National Cybersecurity Awareness Month, our experts will provide an overview of the concept of cyber hygiene, which bears an analogy to the concept of hygiene in the medical profession. Like the practice of washing hands to prevent infections, cyber hygiene addresses simple sets of actions that users can take to help reduce cybersecurity risks. Matt Butkovic, Randy Trzeciak, and Matt Trevors will discuss what some of those practices are, such as implementing password security protocols and determining which other practices an organization should implement. Finally, they discuss the special case of phishing—which is a form of attack that can bypass technical safeguards and exploit people’s weaknesses—and how changes in behavior, understanding, and technology might address this issue.
What attendees will learn:
• Key findings from the CERT Division of the SEI, and the CERT-RMM team, in identifying commonalities among cyber practices and aligning them to CERT-RMM practices
• The CERT Division’s 11 cyber hygiene areas, comprising 41 CERT-RMM practices that are paramount to every organization’s success
• What organizations can do to change behavior, understanding, and technology to implement good cyber hygiene
Operation Wire Wire, a coordinated law enforcement effort by the U.S. Department of Justice, U.S. Department of Homeland Security, U.S. Department of the Treasury, and the U.S. Postal Inspection Service, was conducted over a six-month period and resulted in 74 arrests in the United States and overseas, including 29 in Nigeria and 3 in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers. In this podcast, Anne Connell, a researcher in the SEI’s CERT Division, discusses recent business email compromise (BEC) attacks, including the one at the center of Operation Wire Wire and another attack involving a Texas energy company. Connell also offers guidance on how individuals and organizations can protect themselves from these sophisticated new modes of attack.
Those who work in computing today bring a wide array of backgrounds and experiences to the profession. In this podcast, the first in a series, Dr. Eliezer Kanal—a former premed student, computational neuroscientist, health-care technical manager, financial quantitative analyst, freelance web developer, and IT consultant—discusses his background and education, all of which led to his current work leading a team of data scientists in the SEI’s CERT Division.
Please join us for a public event on initiatives for securing the software supply chain on Wednesday, April 24, 2019 from 1:00-3:00 pm at the CSIS headquarters. Within the U.S. government, there is increasing awareness of and movement on the need for a coordinated strategy to prevent, identify, and respond to threats stemming from the software supply chain throughout the acquisition process. At this event, we will discuss some of the various initiatives, including the Department of Defense’s Deliver Uncompromised, along with work at Carnegie Mellon, BSA | The Software Alliance, and the Department of Commerce, designed to minimize the risk of compromised software infiltrating critical systems.
12:45 pm - Registration
1:00 pm - Opening Speech: William Stephens, Director, Counterintelligence, Defense Security Service, Department of Defense
1:15 pm - Moderated Discussion: Allan Friedman, Director of Cybersecurity Initiatives, National Telecommunications Information Administration; Bob Metzger, Co-Author MITRE "Deliver Uncompromised"; Head of DC Office, Rogers Joseph O’Donnell, P.C.; Tommy Ross, Senior Director, Privacy, BSA | The Software Alliance; Roberta Stempfley, Director, CERT Division, Carnegie Mellon University Software Engineering Institute; Derek Weeks, Vice President, Sonatype Inc. Moderated by James A. Lewis, SVP and Director, CSIS Technology Policy Program
2:45 pm - Audience Q&A
3:00 pm - End
This event is made possible through general support to CSIS.
In this SEI Podcast interview, Roberta (Bobbie) Stempfley discusses her career and journey to becoming the director of the SEI’s CERT Division. This podcast is one of the inaugural interviews in our Women in Software and Cybersecurity podcast series.
In today's operational climate, threats and attacks against network infrastructures have become far too common. Researchers in the SEI’s CERT Division work with organizations and large enterprises, many of whom analyze their network traffic data for ongoing status, attacks, or potential attacks. Through this work we have observed both challenges and best practices as these network traffic analysts analyze incoming contacts to the network, including packet traces or flows. In this SEI Podcast, Tim Shimeall and Timur Snoke, both researchers in the SEI’s CERT Division, highlight some best practices (and application of these practices) that they have observed in network traffic analysis.
Bugs and weaknesses in software are common: 84 percent of system breaches exploit vulnerabilities at the application layer. The prevalence of software-related problems is a key motivation for using application security testing tools. With a growing number of application security testing tools available, it can be confusing for leaders, developers, and engineers to know which tools address which issues. In this podcast, Thomas Scanlon, a researcher in the SEI’s CERT Division, discusses the different types of application security testing tools and provides guidance on how and when to use each tool.
Static analysis tools used to identify potential vulnerabilities in source code produce a large number of alerts with high false-positive rates that engineers must painstakingly examine to find legitimate flaws. Researchers in the SEI’s CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool to help analysts be more efficient and effective at auditing static analysis alerts. In this podcast, CERT researchers Lori Flynn and Zach Kurtz discuss ongoing research using test suites as a source of labeled training data to create classifiers for static analysis alerts.
Ritwik Gupta of the SEI’s Emerging Technology Center and Carson Sestili, formerly of the SEI’s CERT Division and now with Google, discuss adversarial machine learning.
Ritwik Gupta of the SEI’s Emerging Technology Center and Carson Sestili, formerly of the SEI’s CERT Division and now with Google, discuss the importance of diverse perspectives in deep learning. “If you feel like I am an OK programmer, but I am a good deep thinker and a good mathematician, that is actually one of the corners of what it takes to be a successful data scientist. Again, in regard to our previous conversation, you cannot get away with only knowing math. But if you do know math, you are going to be useful to people in a way that other people will not be. Anyway, there is hope.”
Roberta “Bobbie” Stempfley, who was appointed director of the SEI’s CERT Division in June 2017, discusses a technical strategy for cybersecurity. “There is never enough time, money, power, resources—whatever it is—and we make design tradeoffs. Adversaries are looking at what opportunities that creates. They are looking at failures in implementation.”
Don Faatz and Tim Morrow, researchers with the SEI’s CERT Division, outline best practices that organizations should use to address the vulnerabilities and risks in moving applications and data to cloud services.
Tim Shimeall and Timur Snoke, researchers in the SEI’s CERT Division, examine the role of the network traffic analyst in capturing and evaluating ever-increasing volumes of network data. “Part of it is the ability to use a wide variety of tools to answer questions about what is happening on the network and to figure out ways to go past inference and supposition and to get facts that can actually provide support for the hypothesis that you’re coming up with.”
In today's global business environment, risk management must be aligned to business strategy. As companies continue to shift their business models, strategies change and risk management becomes even more important. A company must find the right balance between risk resiliency and risk agility. The chief risk officer (CRO) role is an important catalyst to make that happen, so a company's long-term strategic objectives may be realized. The CRO Certificate Program is developed and delivered by Carnegie Mellon University’s Heinz College of Information Systems and Public Policy, and the CERT Division of the Software Engineering Institute (SEI). In this podcast, Summer Fowler and Ari Lightman discuss the evolving role of the chief risk officer and a Chief Risk Officer Program.
Guest: Roberta Stempfley. The EastWest Institute's cyberspace program chief Bruce McConnell speaks with Roberta Stempfley, Director of the CERT Division at Carnegie Mellon University, on how to develop cyber secure software as many aspects of everyday life increasingly depend on IT products and services. The two also delve into the concept of a "cybersecurity poverty line." Stempfley previously served as acting assistant secretary and deputy assistant secretary, Office of Cyber Security and Communications, at the Department of Homeland Security. She also worked in the Department of Defense as CIO of the Defense Information Systems Agency and as chief of the DoD Computer Emergency Response Team, which she established.
DevOps breaks down software development silos to encourage free communication and constant collaboration. Agile, an iterative approach to development, emphasizes frequent deliveries of software. In this podcast, Eileen Wrubel, technical lead for the SEI’s Agile-in-Government program, and Hasan Yasar, technical manager of the Secure Lifecycle Solutions Group in the SEI’s CERT Division, discuss how Agile and DevOps can be deployed together to meet organizational needs.
Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions also increase. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. The costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. Field experiences of technical staff at the SEI indicate that few programs currently implement effective cybersecurity practices early in the acquisition lifecycle. Recent Department of Defense directives are beginning to shift programs’ priorities regarding cybersecurity. As a result, researchers from the CERT Division of the SEI have started cataloging the cybersecurity practices needed to acquire, engineer, and field software-reliant systems that are acceptably secure. In this podcast, Carol Woody and Christopher Alberts introduce the prototype Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain. The SAF can be used to assess an acquisition program’s current cybersecurity practices and chart a course for improvement, ultimately reducing the cybersecurity risk of deployed software-reliant systems.
The position of SEI Fellow is awarded to people who have made an outstanding contribution to the work of the SEI and from whom the SEI leadership may expect valuable advice for continued success in the institute's mission. Nancy Mead, a principal researcher in the SEI’s CERT Division, was named an SEI Fellow in 2013. This podcast is the first in a series highlighting interviews with SEI Fellows.
Greg Shannon discusses the CERT Division's current work associated with the cyber community of interest (COI).
This is a "watershed year" for cybercrime, according to a new survey on the topic. Yet many companies are falling short in their efforts to battle it. The state of corporate cybercrime protection is mixed at best. Government agencies and boards of directors are taking an increased role in the adoption of good preventive practices, according to a new survey by PwC, CSO, the U.S. Secret Service, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University. On the other hand, many companies still aren't fully aware of the threat presented by hackers, terrorists and foreign governments. Shockingly, one in five of the surveyed executives said they aren't worried about the risk that cybercrime poses to their supply chains. Even some of the more forward-thinking organizations haven't progressed very far on the maturity curve. On this episode, we discuss the implications of the survey with PwC partner Quentin Orr. He outlines the various kinds of cyber threats, addresses the critical issue of third-party risks, and reports on the level and types of corporate investment in people, process and systems. Finally, he answers the key question: Given the sophistication and persistence of cyber-criminals today, is there any hope?
In this podcast, Dr. Richard Young, a professor with Carnegie Mellon’s Tepper School of Business, teams with Sam Perl, a member of the CERT Division’s Enterprise Threat and Vulnerability Management team, to discuss their research on how expert cybersecurity incident handlers think, learn, and act when faced with an incident. The research study focuses on critical cognitive factors that such experts use to make decisions when faced with a complex incident, including how to deal with critical information that is missing. Study results may be used to enhance the knowledge and skills of less experienced responders.
Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions are also increasing. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. However, the costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. It is more cost effective to address software security risks as early in the lifecycle as possible. As a result, researchers from the CERT Division of the Software Engineering Institute (SEI) have started investigating early lifecycle security risk analysis (i.e., during requirements, architecture, and design). In this podcast, CERT researcher Christopher Alberts introduces the Security Engineering Risk Analysis (SERA) Framework, a systematic approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle. The framework integrates system and software engineering with operational security by requiring engineers to analyze operational security risks as software-reliant systems are acquired and developed. Initial research activities have focused on specifying security requirements for these systems.
In this webinar, John Haller and Matthew Butkovic of the CERT Division of the Software Engineering Institute will discuss real-world incidents, including recent industrial control system attacks and incidents affecting Department of Defense capabilities, and the lessons that organizations should take away. The session will focus on the lifecycle of supply chain relationships and introduce concepts to help organizations manage them more effectively. Managing the risks of depending on external entities and supply chains to support critical services has increasingly become an area of concern for both the federal government and private critical infrastructure organizations. External dependencies may consist of business partners that your organization relies on, cloud services such as data processing, or storage facilities. Or these dependencies may take the form of reliance on public infrastructure such as transportation or the electrical grid. The webinar speakers, John and Matthew, will discuss the HAVEX malware attacks on industrial control system vendors, which were reported to the security community in June 2014. For supply chain risk management, a key lesson from the HAVEX case is the importance of having a process to identify and prioritize external dependencies. The speakers will also explore and discuss methods for addressing this problem in a realistic, reliable way. Also covered in the webinar are the lessons for third-party risk management that organizations should take away from recent attacks on DoD-affiliated transportation contractors. The speakers will explain how to correctly scope and build security programs around key, organizationally critical services. The speakers will discuss how your organization can learn from these incidents, including best practices around forming relationships with external entities and managing the relationship over time to support your organization's incident management and situational awareness processes. 
The webinar closes with a recap of key supply chain risk management capabilities and an update to CERT research into the state of these capabilities across U.S. critical infrastructure sectors.
Every day, major anti-virus companies and research organizations are inundated with new malware samples. Although estimates vary, approximately 150,000 new malware strains are released each day. Not enough manpower exists to manually address the volume of new malware samples that arrive daily in analysts' queues. Malware analysts need an approach that allows them to sort samples in a fundamental way so they can assign priority to the most malicious binary files. In this podcast, Jose Morales, a malicious software researcher with the CERT Division, discusses an approach for prioritizing malware samples, helping analysts to identify the most destructive malware to examine first, based on the binary file's execution behavior and its potential impact. Related Training: Malware Analysis Apprenticeship.
The U.S. Department of Homeland Security (DHS) conducts a no-cost, voluntary Cyber Resilience Review (CRR) to evaluate and enhance cybersecurity capacities and capabilities within all 18 Critical Infrastructure and Key Resources (CIKR) Sectors, as well as State, Local, Tribal, and Territorial (SLTT) governments. The goal of the CRR is to develop an understanding of an organization’s operational resilience and ability to manage cyber risk to its critical services and assets during normal operations and during times of operational stress and crises. In this podcast, Kevin Dillon, Branch Chief for Stakeholder Risk Assessment and Mitigation with DHS, and Matthew Butkovic, the CERT Division’s Technical Portfolio Manager for Infrastructure Resilience, discuss the DHS Cyber Resilience Review and how it is helping critical infrastructure owners and operators improve their operational resilience and security.