Podcasts about cert division

16 podcasts · 83 episodes · 32m average duration · 1 new episode per month · latest episode May 12, 2025


Latest podcast episodes about cert division

Software Engineering Institute (SEI) Podcast Series
The Best and Brightest: 6 Years of Supporting the President's Cup Cybersecurity Competition
May 12, 2025 · 21:40

A strong cyber defense is vital to public- and private-sector activities in the United States. In 2019, in response to an executive order to strengthen America's cybersecurity workforce, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) partnered with the SEI to develop and run the President's Cup Cybersecurity Competition, a national cyber competition that identifies and rewards the best cybersecurity talent in the federal workforce. In six years, more than 8,000 people have taken part in the President's Cup. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Jarrett Booz, technical lead for the President's Cup, and John DiRicco, a training specialist in the SEI's CERT Division, sit down with Matthew Butkovic, the CERT technical director of cyber risk and resilience, to reflect on six years of hosting the cup, including challenges, lessons learned, the path forward, and publicly available resources.

All Quiet on the Second Front
88. Greg Touhill, Director of the SEI's CERT Division at Carnegie Mellon University
Mar 18, 2025 · 30:24

Episode 88. On this episode of All Quiet, host Tyler Sweatt chats with cybersecurity expert Greg Touhill, director of the CERT Division at Carnegie Mellon's Software Engineering Institute. With a rich background as the U.S. government's first Chief Information Security Officer (CISO) and a seasoned executive in the U.S. Air Force and Department of Homeland Security, Greg discusses the trajectory of cybersecurity from its foundational days to its current critical role in national security and private-sector strategy. Explore how AI and cybersecurity intersect and the essential steps today's leaders must take to safeguard our digital future.

What's Happening on the Second Front:
• Greg's journey from the U.S. Air Force to leading national cybersecurity initiatives.
• The impact of AI on cybersecurity: what does the future hold?
• Cybersecurity in the corporate world: how is it shaping business strategies at the highest levels?
• Emerging challenges: what are the next big threats, and how are we preparing to tackle them?

Connect with Greg: LinkedIn: Gregory Touhill
Connect with Tyler: LinkedIn: Tyler Sweatt

SEI resources discussed:
• SEI website: https://www.sei.cmu.edu/
• AI/AI Security: Artificial Intelligence Security Incident Response Team (AISIRT)
• Risk and Resilience: Enterprise Risk and Resilience Management
• SEI GitHub: Software Engineering Institute · GitHub

Software Engineering Institute (SEI) Podcast Series
3 Key Elements for Designing Secure Systems
Oct 2, 2024 · 36:28

To make secure software by design a reality, engineers must intentionally build security throughout the software development lifecycle. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Timothy A. Chick, technical manager of the Applied Systems Group in the SEI's CERT Division, discusses building, designing, and operating secure systems.

Software Engineering Institute (SEI) Podcast Series
Best Practices and Lessons Learned in Standing Up an AISIRT
Sep 9, 2024 · 38:29

In the wake of widespread adoption of artificial intelligence (AI) in critical infrastructure, education, government, and national security entities, adversaries are working to disrupt these systems and attack AI-enabled assets. With nearly four decades in vulnerability management, the Carnegie Mellon University Software Engineering Institute (SEI) recognized a need to create an entity that would identify and research AI vulnerabilities and develop mitigation strategies for them, to protect national assets against traditional cybersecurity attacks, adversarial machine learning, and joint cyber-AI attacks. In this SEI podcast, Lauren McIlvenny, director of threat analysis in the SEI's CERT Division, discusses best practices and lessons learned in standing up an AI Security Incident Response Team (AISIRT).

Software Engineering Institute (SEI) Podcast Series
Automated Repair of Static Analysis Alerts
May 31, 2024 · 27:05

Developers know that static analysis helps make code more secure. However, static analysis tools often produce a large number of false positives, hindering their usefulness. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Svoboda, a software security engineer in the SEI's CERT Division, discusses Redemption, a new open source tool from the SEI that automatically repairs common errors flagged by static analysis alerts in C/C++ code, making code safer and static analysis less overwhelming.

Software Engineering Institute (SEI) Podcast Series
The Importance of Diversity in Cybersecurity: Carol Ware
Mar 21, 2024 · 26:37

In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Ware, a senior cybersecurity engineer in the SEI's CERT Division, discusses her career path, the value of mentorship, and the importance of diversity in cybersecurity.

Software Engineering Institute (SEI) Podcast Series
Insider Risk Management in the Post-Pandemic Workplace
Sep 8, 2023 · 47:34

In the wake of the COVID pandemic, the workforce decentralized and shifted toward remote and hybrid environments. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Dan Costa, technical manager of enterprise threat and vulnerability management, and Randy Trzeciak, deputy director of Cyber Risk and Resilience, both with the SEI's CERT Division, discuss how remote work in the post-pandemic world is changing expectations about employee behavior monitoring and insider risk detection.

Software Engineering Institute (SEI) Podcast Series
Zero Trust Architecture: Best Practices Observed in Industry
Jul 26, 2023 · 27:53

Zero trust architecture has the potential to improve an enterprise's security posture. There is still considerable uncertainty about the zero trust transformation process, however, as well as how zero trust architecture will ultimately appear in practice. Recent executive orders have accelerated the timeline for zero trust adoption in the federal sector, and many private-sector organizations are following suit. Researchers in the CERT Division at the Carnegie Mellon University Software Engineering Institute (SEI) hosted Zero Trust Industry Days to enable industry stakeholders to share information about implementing zero trust. In this SEI podcast, CERT researchers Matthew Nicolai and Nathaniel Richmond discuss five zero trust best practices identified during the two-day event, explain their significance, and provide commentary and analysis on ways to empower your organization's zero trust transformation. 

Software Engineering Institute (SEI) Podcast Series
Automating Infrastructure as Code with Ansible and Molecule
Jul 10, 2023 · 39:38

In Ansible, roles allow system administrators to automate the loading of certain variables, tasks, files, templates, and handlers based on a known file structure. Grouping content by roles allows for easy sharing and reuse. When developing roles, users must deal with various concerns, including what operating system(s) and version(s) will be supported and whether a single node or a cluster of machines is needed. In this podcast from the Carnegie Mellon University Software Engineering Institute, Matthew Heckathorn, an integration engineer with the SEI's CERT Division, offers guidance for systems engineers, system administrators, and others on developing Ansible roles and automating infrastructure as code.

Software Engineering Institute (SEI) Podcast Series
A Penetration Testing Findings Repository
Jun 13, 2023 · 25:47

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Marisa Midler and Samantha Chaves, penetration testers with the SEI's CERT Division, talk with Suzanne Miller about a penetration-testing findings repository that they helped to build. The repository is a source of information on Active Directory, phishing, mobile and wireless technology, systems and services, and web application weaknesses that could be discovered during a penetration test. It is intended to help assessors provide reports to organizations using standardized language and standardized names for findings, and to save assessors time on report generation by making descriptions, standard remediations, and other resources available for their use. The repository is available at https://github.com/cisagov/pen-testing-findings

Software Engineering Institute (SEI) Podcast Series
Understanding Vulnerabilities in the Rust Programming Language
Jun 8, 2023 · 36:45

While the memory safety and security features of the Rust programming language can be effective in many situations, Rust's compiler is very particular about what constitutes good software design practice. Whenever design assumptions disagree with real-world data, there is the possibility of security vulnerabilities, and of malicious software that takes advantage of them. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Svoboda and Garret Wassermann, researchers with the SEI's CERT Division, explore tools for understanding vulnerabilities in Rust whether or not the original source code is available. These tools are important for understanding malicious software, where source code is often unavailable; the two also comment on possible directions in which tools and automated code analysis can improve.

Software Engineering Institute (SEI) Podcast Series
Rust Vulnerability Analysis and Maturity Challenges
Jun 6, 2023 · 90:01

While the memory safety and security features of the Rust programming language can be effective in many situations, Rust's compiler is very particular about what constitutes good software design practice. Whenever design assumptions disagree with real-world data, there is the possibility of security vulnerabilities, and of malicious software that takes advantage of them. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Svoboda and Garret Wassermann, researchers with the SEI's CERT Division, explore tools for understanding vulnerabilities in Rust whether or not the original source code is available. These tools are important for understanding malicious software, where source code is often unavailable; the two also comment on possible directions in which tools and automated code analysis can improve.

Software Engineering Institute (SEI) Podcast Series
Secure by Design, Secure by Default
May 10, 2023 · 54:05

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Gregory J. Touhill, director of the SEI CERT Division, talks with Suzanne Miller about secure by design, secure by default, a longstanding tenet of the work of the SEI and CERT in particular. The SEI has been at the forefront of secure software development, promoting an approach where security weaknesses are addressed, prevented, or eliminated earlier in the software development lifecycle, which not only helps to ensure secure systems but also saves time and money. Touhill also discusses the CERT strategy in support of SEI sponsors in the U.S. Department of Defense (DoD), the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA), and his vision for the future of cybersecurity and the role of the CERT Division.

Software Engineering Institute (SEI) Podcast Series
Key Steps to Integrate Secure by Design into Acquisition and Development
May 2, 2023 · 48:50

Secure by design means performing more security and assurance activities earlier in the product and system lifecycles. A secure-by-design mindset addresses the security of systems during the requirements, design, and development phases of lifecycles rather than waiting until the system is ready for implementation. The need for a secure-by-design mindset is exacerbated by the amount of interconnectedness of today's systems and the increasing amount of automation that characterizes system development. These trends have led to increased levels of risk and made implementation of security controls during test and patching systems after deployment increasingly unsustainable. In this podcast from the Carnegie Mellon University Software Engineering Institute, Robert Schiela, technical manager of the Secure Coding group, and Carol Woody, a principal researcher in the SEI's CERT Division, talk with Suzanne Miller about the importance of integrating the practices and mindset of secure by design into the acquisition and development of software-reliant systems. 

Software Engineering Institute (SEI) Podcast Series

Rust is growing in popularity. Its unique security model promises memory safety and concurrency safety, while providing the performance of C/C++. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Svoboda and Joe Sible, both engineers in the SEI's CERT Division, talk with principal researcher Suzanne Miller about the Rust programming language and its security-related features. Svoboda and Sible discuss Rust's compile-time safety guarantees, the kinds of vulnerabilities that Rust fixes and those that it does not, situations in which users would not want to use Rust, and where interested users can go to get more information about the Rust programming language. 
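The two June 2023 episodes on Rust vulnerability analysis and this episode on Rust's security features make the same point: the compiler's guarantees end where design assumptions meet untrusted data, and where `unsafe` begins. The following is an added example written for this page; it is not code from the SEI, the CERT Division, or the podcast. It shows a borrow-checker rejection (kept as a comment so the file compiles), then three bugs that compile cleanly in Rust: an integer-wrap length check that an attacker can bypass, a bounds-check panic that is memory safe but still a denial of service, and an FFI-style `unsafe` wrapper whose correctness depends entirely on the caller. The packet bytes and function names are constructed for illustration.

```rust
// Added example, not code from the SEI podcast or any CERT Division tool.
// It shows what Rust's compiler guarantees at compile time and three classes
// of vulnerability that compile cleanly in safe or unsafe Rust.
// All inputs below are constructed for illustration.

use std::convert::TryInto;
use std::panic;

/// What Rust fixes: the borrow checker rejects aliasing mutation and
/// use-after-free at compile time. Uncomment the `push` to see error E0502.
pub fn borrow_checker_demo() -> usize {
    let v = vec![1u8, 2, 3];
    let first = &v[0]; // shared borrow of `v` lives until its last use below
    // v.push(4);      // error[E0502]: cannot borrow `v` as mutable
    *first as usize + v.len()
}

/// What Rust does not fix (1): unchecked arithmetic on attacker-controlled sizes.
/// In a release build `+` wraps silently; `wrapping_add` makes the behaviour
/// identical in debug builds so the bug reproduces deterministically.
pub fn length_check_vulnerable(header_len: u32, declared_len: u32, buffer_len: u32) -> bool {
    // declared_len near u32::MAX wraps the sum to a small number and the check passes
    header_len.wrapping_add(declared_len) <= buffer_len
}

/// Hardened form: overflow is an invalid length, not a passing check.
pub fn length_check_fixed(header_len: u32, declared_len: u32, buffer_len: u32) -> bool {
    match header_len.checked_add(declared_len) {
        Some(total) => total <= buffer_len,
        None => false,
    }
}

/// What Rust does not fix (2): memory safety is preserved by panicking,
/// but a panic on untrusted input is still a denial of service.
pub fn read_u32_panicking(data: &[u8], offset: usize) -> u32 {
    // an out-of-range offset panics here instead of reading out of bounds
    let bytes: [u8; 4] = data[offset..offset + 4].try_into().unwrap();
    u32::from_le_bytes(bytes)
}

/// Hardened form: a bounds failure becomes a value the caller can handle.
pub fn read_u32_checked(data: &[u8], offset: usize) -> Option<u32> {
    let end = offset.checked_add(4)?;
    let bytes: [u8; 4] = data.get(offset..end)?.try_into().ok()?;
    Some(u32::from_le_bytes(bytes))
}

/// What Rust does not fix (3): inside `unsafe` the programmer, not the
/// compiler, upholds the invariants. This FFI-style wrapper trusts `len`;
/// a wrong `len` from the caller is undefined behaviour the compiler cannot flag.
///
/// # Safety
/// `ptr` must point to at least `len` readable bytes that outlive the call.
pub unsafe fn sum_raw(ptr: *const u8, len: usize) -> u32 {
    let bytes = std::slice::from_raw_parts(ptr, len);
    bytes.iter().map(|&b| b as u32).sum()
}

/// Runs the panicking parser under `catch_unwind` so the demo can report
/// the crash instead of taking the process down.
pub fn parser_crashes(data: &[u8], offset: usize) -> bool {
    panic::catch_unwind(|| read_u32_panicking(data, offset)).is_err()
}

fn main() {
    let packet: Vec<u8> = vec![0x10, 0x00, 0x00, 0x00, 0xde, 0xad]; // constructed input
    println!("borrow demo: {}", borrow_checker_demo());
    println!(
        "wrapping length check passes: {}, checked length check passes: {}",
        length_check_vulnerable(16, u32::MAX - 8, 1024),
        length_check_fixed(16, u32::MAX - 8, 1024)
    );
    println!("parser crashes on offset 100: {}", parser_crashes(&packet, 100));
    println!("checked read at offset 100: {:?}", read_u32_checked(&packet, 100));
    let total = unsafe { sum_raw(packet.as_ptr(), packet.len()) }; // correct len: sound
    println!("sum over raw pointer: {total}");
}
```

The wrapping check is the bug to look for when auditing compiled Rust without source: `cargo build --release` drops the overflow checks that make debug builds panic, so a binary can accept a length that the developer's tests never exercised. `cargo clippy` and a `#![deny(clippy::arithmetic_side_effects)]` lint make the unchecked arithmetic visible at build time; nothing in the toolchain will flag the `unsafe` wrapper's trust in `len`.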

Software Engineering Institute (SEI) Podcast Series
Improving Interoperability in Coordinated Vulnerability Disclosure with Vultron
Feb 24, 2023 · 51:16

Coordinated vulnerability disclosure (CVD) begins when at least one individual becomes aware of a vulnerability, but it can't proceed without the cooperation of many. Software supply chains, software libraries, and component vulnerabilities have evolved in complexity and have become as much a part of the CVD process as vulnerabilities in vendors' proprietary code. Many CVD cases now require coordination across multiple vendors. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Allen Householder, a senior vulnerability and incident researcher in the SEI's CERT Division, talks with principal researcher Suzanne Miller about Vultron, a protocol for multi-party coordinated vulnerability disclosure (MPCVD).

Software Engineering Institute (SEI) Podcast Series
Asking the Right Questions to Coordinate Security in the Supply Chain
Feb 7, 2023 · 31:11

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Dr. Carol Woody, a principal researcher in the SEI's CERT Division, talks with Suzanne Miller about the SEI's newly released Acquisition Security Framework, which helps programs coordinate the management of engineering and supply-chain risks across system components including hardware, network interfaces, software interfaces, and mission capabilities.

Software Engineering Institute (SEI) Podcast Series
Managing Developer Velocity and System Security with DevSecOps
Dec 7, 2022 · 35:33

In aiming for correctness and security of product, as well as for development speed, software development teams often face tension in their objectives. During a recent customer engagement that involved the development of a continuous-integration (CI) pipeline, developers wanted to develop features and deploy to production, deferring non-critical bugs as technical debt, whereas cyber engineers wanted compliant software by having the pipeline fail on any security requirement that was not met. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Alejandro Gomez, a researcher in the SEI's CERT Division who worked on the customer project, talked with principal researcher Suzanne Miller about how the team explored—and eventually resolved—the two competing forces of developer velocity and cybersecurity enforcement by implementing DevSecOps practices.

Software Engineering Institute (SEI) Podcast Series
A Method for Assessing Cloud Adoption Risks
Nov 17, 2022 · 21:47

The shift to a cloud environment provides significant benefits. Cloud resources can be scaled quickly, updated frequently, and widely accessed without geographic limitations. Realizing these benefits, however, requires organizations to manage associated organizational and technical risks. In this podcast from the Carnegie Mellon University Software Engineering Institute, Chris Alberts, principal cybersecurity analyst in the SEI's CERT Division, discusses with principal researcher Suzanne Miller a prototype set of cloud adoption risk factors and describes a method that managers can employ to assess their cloud initiatives against these risk factors.

Tech Talks
Factoring humans in information risk management with Jim Tiller and Sharon Mudd
Nov 4, 2022 · 49:54

On this edition of Security Bytes, Jim talks to Sharon Mudd, a senior cybersecurity operations researcher with the CERT Division at the Software Engineering Institute. In a world where technology is at the center of evaluating cyber risks, the human factor arguably contributes greatly, but how are we measuring and improving it?

Software Engineering Institute (SEI) Podcast Series
ML-Driven Decision Making in Realistic Cyber Exercises
Oct 13, 2022 · 48:58

In this podcast from the Carnegie Mellon University Software Engineering Institute, Thomas Podnar and Dustin Updyke, both senior cybersecurity engineers with the SEI's CERT Division, discuss their work to apply machine learning to increase the realism of non-player characters (NPCs) in cyber training exercises.

The Daily Scoop Podcast
Who's running point for federal cybersecurity; Finding the funds for zero trust initiatives
Aug 16, 2022 · 23:52

On today's episode of The Daily Scoop Podcast, Brig. Gen. Gregory Touhill (USAF, ret.), director of the CERT Division at the Software Engineering Institute and former federal chief information security officer, discusses the coordinated government response to cyber attacks. Gordon Bitko, senior vice president at Information Technology Industry Council and former FBI chief information officer, discusses the funding challenges for zero trust initiatives across government. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.

Software Engineering Institute (SEI) Podcast Series

To ensure trust, artificial intelligence systems need to be built with fairness, accountability, and transparency at each step of the development cycle. In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Smith, a senior research scientist in human-machine interaction, and Dustin Updyke, a senior cybersecurity engineer in the SEI's CERT Division, discuss the construction of trustworthy AI systems and factors influencing human trust of AI systems.

Software Engineering Institute (SEI) Podcast Series

In this podcast from the Carnegie Mellon University Software Engineering Institute, Shannon Gallagher, a data scientist with the SEI's CERT Division, and Dominic Ross, multimedia team lead for the SEI, discuss deepfakes, their exponential growth in recent years, their increasing technical sophistication, and the problems they pose for individuals and organizations. Gallagher and Ross also discuss the SEI's recent research in assessing the technology underlying the creation and detection of deepfakes and understanding current and future threat levels.

Flyover Future Presents: Innovators
New Flight Plans: Cyber Risk and Resilience with Matthew Butkovic
Jul 15, 2022 · 38:26

How do you build cyber resilience? How serious is the threat of cyber warfare? What's new in cybersecurity training? These are things all business owners – large or small – need to know to keep their data safe. We recently asked about these issues and more with Matthew Butkovic, technical director – cyber risk and resilience at the CERT Division of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh.

Software Engineering Institute (SEI) Podcast Series
The 4 Phases of the Zero Trust Journey
Jul 5, 2022 · 34:28

Over the past several years, zero trust architecture has emerged as an important topic within the field of cybersecurity. Heightened federal requirements and pandemic-related challenges have accelerated the timeline for zero trust adoption within the federal sector. Private-sector organizations are also looking to adopt zero trust to bring their technical infrastructure and processes in line with cybersecurity best practices. Real-world preparation for zero trust, however, has not caught up with existing cybersecurity frameworks and literature. NIST standards have defined the desired outcomes for zero trust transformation, but the implementation process is still relatively undefined. As the nation's first federally funded research and development center with a clear emphasis on cybersecurity, the Carnegie Mellon University Software Engineering Institute (SEI) is uniquely positioned to bridge the gap between NIST standards and real-world implementation. In this podcast, Tim Morrow and Matthew Nicolai, researchers with the SEI's CERT Division, outline four steps that organizations can take to implement and maintain zero trust architecture.

The Daily Scoop Podcast
Leveraging cloud capabilities at DOJ; How managed service providers might impact CMMC
Jun 7, 2022 · 18:38

On today's episode of The Daily Scoop Podcast, the Department of Energy is ready to use a supercomputer to tackle 24 initial science and engineering problems. The Department of Defense will investigate a shared service model for security for contractors. Brig. Gen. Gregory Touhill (USAF, ret.), director of the CERT Division at the Software Engineering Institute at Carnegie Mellon University and former federal chief information security officer, discusses how this will impact the Cybersecurity Maturity Model Certification (CMMC). Dwayne Spriggs, service delivery director at the Department of Justice, tells Scoop News Group's Wyatt Kash how cloud capabilities provide DOJ with flexibility and responsiveness. This interview is part of FedScoop's "Cloud-Driven Innovation in Federal Government" video campaign.

Interviews: Tech and Business
How to Manage Cybersecurity in 2022
Jun 6, 2022 · 37:57

Our reliance on digital infrastructure and the Internet makes everyone vulnerable to cybersecurity attacks. Given the importance of cybersecurity, everyone from CEOs to board members and employees must understand the nature of this threat. Although cybersecurity involves technology, managing the problem relies on people and the willingness of individuals to change their behavior.

To learn how to manage a cybersecurity program, we spoke with Gregory Touhill, director of the world-renowned CERT Division of the Carnegie Mellon University Software Engineering Institute (SEI). Proactive cybersecurity strategy should be an important element of any digital transformation effort.

The conversation includes these topics:
• On the state of cybersecurity in 2022
• On security weakness arising from the intersection of administrative and operational systems
• On the challenges of enterprise security
• On the importance of prioritizing enterprise cybersecurity
• On managing ransomware attacks
• On creating a culture of cybersecurity
• On the future of managing cybersecurity

Subscribe to the CXOTalk newsletter: https://www.cxotalk.com/subscribe
Read the full transcript: https://www.cxotalk.com/episode/state-cybersecurity-2022

At the SEI CERT Division, Greg Touhill leads a diverse group of researchers, software engineers, security analysts, and digital intelligence specialists working together to research security vulnerabilities in software products, contribute to long-term changes in networked systems, and develop cutting-edge information and training to improve the practice of cybersecurity.

Touhill was appointed by former President Barack Obama to be the first chief information security officer (CISO) of the United States government. Previously, he served in the Department of Homeland Security (DHS) as deputy assistant secretary in the Office of Cybersecurity and Communications. Before joining the Software Engineering Institute, he was president of Appgate Federal, a provider of cybersecurity products and services to civilian government and defense agencies.

Touhill is a 30-year veteran of the U.S. Air Force, where he was an operational commander at the squadron, group, and wing levels. He served as a senior leader of military cybersecurity and information technology programs, culminating as the chief information officer of the United States Transportation Command, one of the nation's 10 combatant commands. A combat veteran, he is the recipient of numerous awards and decorations including the Bronze Star medal and the Air Force Science and Engineering Award. He retired from the Air Force with the rank of brigadier general.

He is an adjunct faculty member of the CMU Heinz College of Information Systems and Public Policy and the Deakin University (Australia) Centre for Cybersecurity Research and Innovation. A member of many organizational boards and committees and recipient of many awards, Touhill was recognized by Security Magazine as one of its Most Influential People in Security and by Federal Computer Week in the Federal 100. He is the co-author of the books Cybersecurity for Executives: A Practical Guide and Commercialization of Innovative Technologies.

Public Sector Future
Cybersecurity – Protecting a global research university
May 26, 2022 · 26:23

In this episode, host Olivia Neal speaks to Mary Ann Blair, the Chief Information Security Officer of Carnegie Mellon University. Blair and her team, the Information Security Office, protect the global research university from cyber threats to the confidentiality, integrity and availability of information and systems. Hear her challenges, priorities, and lessons learned since starting her role in 2004.

Olivia Neal [host] | LinkedIn | Twitter

• Microsoft Public Sector Center of Expertise
• Cybersecurity at Carnegie Mellon University
• CyLab at Carnegie Mellon University
• The CERT Division at Carnegie Mellon University
• Carnegie Mellon University Information Security Office
• Cybersecurity Center Development at Carnegie Mellon University
• REN-ISAC (Research Education Networking Information Sharing & Analysis Center)
• Microsoft Cybersecurity Scholarship Program
• Learn about Microsoft's new security certifications
• Learn more about Microsoft Security
• Discover and follow other Microsoft podcasts at aka.ms/microsoft/podcasts

OODAcast
Episode 96: First Federal CISO Greg Touhill on Advanced Cybersecurity by Design
Apr 22, 2022 · 38:37

Greg Touhill is one of the nation's premier cybersecurity, information technology and risk management leaders. As an Air Force officer he led technology efforts in some of our nation's most demanding organizations, including combatant commands during time of war. He is an accomplished speaker, author and business executive, and also served as our nation's first Chief Information Security Officer (CISO). Touhill is currently the director of the Carnegie Mellon University Software Engineering Institute's CERT Division. In this capacity he leads one of the most highly regarded organizations in the cybersecurity community. The CERT is a diverse group of researchers, software engineers, security analysts and digital intelligence specialists who work together to research vulnerabilities, contribute to long-term changes and develop cutting-edge information and training to improve the practice of cybersecurity.

In this OODAcast we examine Greg's approach to leadership and then get into:
• Operational views of the cyber threat that can help drive collective action in mitigating risks
• Ways security leaders can continue to learn and grow
• The CERT's role in improving the practice of cybersecurity
• Lessons learned in communicating security topics with non-technical audiences (including a fantastic discussion of lessons from SciFi)

Resilient Cyber
S2E23: Greg Touhill - Security/Boardroom Leadership & Zero Trust
Mar 30, 2022 · 38:31

- We know you served as the first federal U.S. CISO. Can you tell us a bit about that experience?
- In addition to your military and public-sector background, you've held various industry roles as well. What are some of the major differences between the two environments you've experienced?
- We know you've held various board advisor and even director roles. Do you feel that cyber is increasingly becoming a boardroom concern?
- You're very passionate about Zero Trust. What are your thoughts on the federal push to adopt Zero Trust in an environment as big and complex as the federal and DoD space?
- You've served at the highest levels of cybersecurity leadership for several years. Any advice for aspiring security leaders?
- What do you think the CISO of the future looks like in terms of skillsets and competencies?
- Can you tell us a bit about what you're up to these days with the CERT Division at SEI?

Software Engineering Institute (SEI) Podcast Series
Incorporating Supply-Chain Risk and DevSecOps into a Cybersecurity Strategy

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Mar 22, 2022 31:46


Organizations are turning to DevSecOps to produce code faster and at lower cost, but the reality is that much of the code is actually coming from the software supply chain through code libraries, open source, and third-party components where reuse is rampant. The downside is that this reused code contains defects unknown to the new user, which, in turn, propagate vulnerabilities into new systems. This is troubling news in an operational climate already rife with cybersecurity risk. Organizations must develop a cybersecurity engineering strategy for systems that addresses the integration of DevSecOps with the software supply chain. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Carol Woody, a principal researcher in the SEI's CERT Division, talks with Suzanne Miller about supply-chain issues and the planning needed to integrate software from the supply chain into operational environments. The discussion includes building a cybersecurity engineering strategy for DevSecOps that addresses those supply-chain challenges.

The Daily Scoop Podcast
Zero trust at OPM; Less complexity for cybersecurity solutions; FY22 defense budget takeaways

The Daily Scoop Podcast

Play Episode Listen Later Mar 16, 2022 31:55


On today's episode of The Daily Scoop Podcast, Priority Area Leads for each of the three pillars of the Biden-Harris President's Management Agenda Vision are announced. The Cybersecurity and Infrastructure Security Agency will revise the Zero Trust Maturity Model it is creating in coordination with the Continuous Diagnostics and Mitigation Program. Brig. Gen. Gregory Touhill (USAF, ret.), director of the CERT Division at Carnegie Mellon University's Software Engineering Institute and former federal chief information security officer, discusses how a zero trust model can help lead to less complexity for cybersecurity solutions. The FY2022 defense budget is in place now and it's setting a marker for 2023. Roman Schweizer, managing director of the Washington Research Group for Cowen, breaks down the biggest increases in the FY22 budget and what to watch for in the FY23 defense budget. At ITModTalks, Office of Personnel Management Chief Information Officer Guy Cavallo joins FedScoop's Dave Nyczepir to discuss how OPM is using the Technology Modernization Fund to transform the agency's zero trust posture. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.

Software Engineering Institute (SEI) Podcast Series
Building on Ghidra: Tools for Automating Reverse Engineering and Malware Analysis

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Feb 8, 2022 23:24


In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Jeffrey Gennari, a senior malware reverse engineer, and Garret Wassermann, a vulnerability analyst, both with the SEI's CERT Division, discuss Kaiju, a set of tools they developed for malware analysis and reverse engineering. Kaiju helps analysts take better advantage of Ghidra, the National Security Agency's reverse-engineering tool.

The Daily Scoop Podcast
Filing cybersecurity job vacancies; learning from OMB's first-ever draft learning agenda

The Daily Scoop Podcast

Play Episode Listen Later Jan 6, 2022 21:04


On today's episode of The Daily Scoop Podcast, the Army's Combat Capabilities Development Command has its first permanent chief technology officer. Comments are open now for the draft of the first-ever learning agenda from the Office of Management and Budget. Chris Mihm, adjunct professor of public administration at the Maxwell School at Syracuse University and former managing director for strategic issues at the Government Accountability Office, explains what's important about the learning agenda and the process of taking in comments on it. The Department of Homeland Security says it will bring in hundreds of cyber professionals through its new Cybersecurity Talent Management System, but DHS and other agencies have thousands of cyber openings. Brig. Gen. Gregory Touhill (USAF, ret.), director of the CERT Division at the Software Engineering Institute and former federal chief information security officer, explains the two challenges he sees the government facing while filling these cyber vacancies. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.

Government Matters
China & climate change, Climate national security threat, Cybersecurity directive – November 9, 2021

Government Matters

Play Episode Listen Later Nov 10, 2021 22:43


Impact of climate change on US defense interests: Erin Sikorsky, director of the Center for Climate and Security, discusses how China is taking advantage of climate change and how the U.S. can work with allies and partners to respond.

Confronting security risks from climate change: Rolf Mowatt-Larssen, senior fellow at the Belfer Center and former director of Intelligence and Counterintelligence at the Department of Energy, describes actions the intelligence community should take to confront and mitigate national security threats from climate change.

Responding to the growing cyber threat landscape: Brig. Gen. Gregory Touhill, director of the CERT Division at the Software Engineering Institute, discusses changes in the cyber threat landscape and a new directive from CISA for federal agencies to address security vulnerabilities.

Software Engineering Institute (SEI) Podcast Series
Applying Scientific Methods in Cybersecurity

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Aug 24, 2021 39:49


In this SEI Podcast, Dr. Leigh Metcalf and Dr. Jonathan Spring, both researchers with the Carnegie Mellon University Software Engineering Institute's CERT Division, discuss the application of scientific methods to cybersecurity. Drawing on their recently published book, Using Science in Cybersecurity, Metcalf and Spring describe a common-sense approach and practical tools for applying scientific rigor to the field of cybersecurity.

Government Matters
JCDC cyber initiative, DIU Space Portfolio, Reforming political appointment system – August 12, 2021

Government Matters

Play Episode Listen Later Aug 13, 2021 23:11


Implementing cyber defense action at federal agencies: Brig. Gen. Gregory Touhill, director of the CERT Division at the Software Engineering Institute, discusses how the new Joint Cyber Defense Collaborative will allow the government and private sector to proactively address cyber threats.

The importance of the Space Portfolio to DIU operations: Steve Butow, director of the Space Portfolio at the Defense Innovation Unit, discusses space as a service and deployment of commercial technology into military services to improve readiness.

Streamlining and reforming the political appointment system: Max Stier, president and chief executive officer of the Partnership for Public Service, discusses shortcomings in the system for nominating and confirming major positions in government.

Software Engineering Institute (SEI) Podcast Series
Zero Trust Adoption: Benefits, Applications, and Resources

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Aug 13, 2021 30:25


Zero trust adoption is a security initiative that an enterprise must understand, interpret, and implement. Enterprise security initiatives are never simple, and their goal to improve cybersecurity posture requires the alignment of multiple stakeholders, systems, acquisitions, and exponentially changing technology. This alignment is always a complex undertaking and requires cybersecurity strategy and engineering to succeed. In this SEI Podcast, Geoff Sanders, a senior network defense analyst in the CERT Division at Carnegie Mellon University's Software Engineering Institute, discusses zero trust adoption and its benefits, applications, and available resources.

Software Engineering Institute (SEI) Podcast Series
Benefits and Challenges of Model-Based Systems Engineering

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Jul 23, 2021 33:10


Nataliya (Natasha) Shevchenko and Mary Popeck, both senior researchers in the CERT Division at Carnegie Mellon University's Software Engineering Institute, discuss the use of model-based systems engineering (MBSE), which, in contrast to document-centric engineering, puts models at the center of system design. MBSE is used to support the requirements, design, analysis, verification, and validation associated with the development of complex systems.

To The Point - Cybersecurity
He Who Defends Everything, Equally Defends Nothing -- Greg Touhill --- Part One

To The Point - Cybersecurity

Play Episode Listen Later Jul 13, 2021 26:41


This week Greg Touhill, director of the CERT Division, joins the podcast to share insights on CERT's history as the birthplace of cyber and its culture of innovation at the center of the cyber universe. He also dives into the importance of developing a Software Bill of Materials (SBOM), what happens when national leaders shine a light on cyber, why talent with breadth and depth is critical to helping move the federal government cyber needle, and the building blocks for standing up the federal government's first CISO office. To learn more about CERT visit CERT.org. For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e141

Government Matters
IT security at the VA, Climate & national security, Government ransomware attacks – June 10, 2021

Government Matters

Play Episode Listen Later Jun 11, 2021 26:55


Understanding IT security policies at the VA: Gary Stevens, executive director for information security policy and strategy at the Department of Veterans Affairs, discusses the cybersecurity executive order and the tools and methods his department uses to get in front of cyber threats.

The impacts of the climate crisis on national security: Jim Mitre, former principal director at the Office of the Secretary of Defense and now chief strategy officer at Govini, discusses his team's analysis of the effects of climate change on national security and recent defense investments in this space.

Investigating ransomware attacks across federal agencies: Brig. Gen. Gregory Touhill, former federal chief information security officer and now director of the CERT Division at the Software Engineering Institute, discusses the federal government's strong protections against ransomware and the concept of banning ransomware payments.

Software Engineering Institute (SEI) Podcast Series
My Story in Computing with Marisa Midler

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Jun 11, 2021 27:11


In this SEI Podcast, the latest in the My Story in Computing series, Marisa Midler, a cybersecurity engineer in the SEI's CERT Division, discusses her career path. After growing up on a farm in Pennsylvania, Midler graduated from college with a degree in communications and English writing and then traveled to Seattle and worked a variety of jobs, including as a bouncer at a Seattle nightclub. Midler returned to Pittsburgh to obtain a second bachelor's degree in information science, followed by a master's degree in information security policy and management from Carnegie Mellon University. Throughout it all Midler has been guided by her mantra: never settle.

Federal Drive with Tom Temin
A former federal cybersecurity chief is now helping from an academic standpoint

Federal Drive with Tom Temin

Play Episode Listen Later May 7, 2021 21:01


The Software Engineering Institute, operated by Carnegie Mellon University as a federally funded research and development center, has a new director at its CERT Division. The Division's new director, Greg Touhill, a retired Air Force brigadier general and former federal chief information security officer, joined the Federal Drive to discuss his new role.

Software Engineering Institute (SEI) Podcast Series
7 Steps to Engineer Security into Ongoing and Future Container Adoption Efforts

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Feb 23, 2021 20:23


If organizations take more steps to address security-related activities now, they will be less likely to encounter security incidents in the future. When it comes to application containers, security is achieved through adopting a series of best practices and guidelines. In this SEI Podcast, Tom Scanlon and Richard Laughlin, researchers with the SEI's CERT Division, discuss seven steps that developers can take to engineer security into ongoing and future container adoption efforts.

Software Engineering Institute (SEI) Podcast Series
Ransomware: Evolution, Rise, and Response

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Feb 16, 2021 32:50


In this SEI Podcast, Marisa Midler and Tim Shimeall, network defense analysts within the SEI's CERT Division, discuss the growing problem of ransomware, including the rise of ransomware-as-a-service threats. Ransom payments in Quarter 3 of 2019 were on average $42,000, and in Quarter 1 of 2020 that average increased by $70,000 to $112,000. The volume of attacks also increased by 25 percent in Quarter 4 of 2019 and by another 25 percent in Quarter 1 of 2020. The sophistication of the attacks has increased alongside their severity. Midler and Shimeall discuss steps and strategies that organizations can adopt to minimize their exposure to the risks and threats associated with ransomware.

Software Engineering Institute (SEI) Podcast Series
VINCE: A Software Vulnerability Coordination Platform

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Jan 21, 2021 38:14


Software vulnerability coordination at the CERT Coordination Center (CERT/CC) has traditionally relied on a hub-and-spoke model, with reports submitted to analysts at the CERT/CC, who would then contact the affected vendors. To scale communications and increase the level of collaboration between vulnerability reporters, coordinators, and software vendors, the CERT/CC team has created a web-based platform for software vulnerability reporting and coordination called the Vulnerability Information and Coordination Environment (VINCE). In this SEI Podcast, Emily Sarneso, the architect of VINCE, and Art Manion, technical manager of the Vulnerability Analysis Team in the SEI’s CERT Division, discuss the rollout of VINCE, how to use it, and future work in vulnerability coordination.

Software Engineering Institute (SEI) Podcast Series
Work From Home: Threats, Vulnerabilities, and Strategies for Protecting Your Network


Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Jan 6, 2021 46:17


The COVID-19 pandemic has forced significant changes in enterprise work practices, including an increased use of telecommunications technologies required by the new work-from-home policies that most organizations have instituted in response. In this podcast, Phil Groce, a senior network defense analyst in the CERT Division of the Carnegie Mellon University Software Engineering Institute, discusses the security implications of this dramatic increase in the number of people in organizations who are working from home, examines the threats and vulnerabilities associated with the increase in remote work, and offers practical solutions to individuals and enterprises for operating securely in this new environment.

Software Engineering Institute (SEI) Podcast Series
Situational Awareness for Cybersecurity: Beyond the Network

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Sep 30, 2020 25:35


Situational awareness makes it possible to get relevant information from across an organization, to integrate that information, and to disseminate it to help leaders make more informed decisions. In this SEI Podcast, Angela Horneman and Timothy Morrow, researchers in the SEI's CERT Division, discuss the importance of looking beyond the network to acquire situational awareness for cybersecurity.

Software Engineering Institute (SEI) Webcast Series
Risk Management for the Enterprise–How Do You Get Executives to Care About Your Risks?

Software Engineering Institute (SEI) Webcast Series

Play Episode Listen Later Aug 20, 2020 61:50


Risk managers must often sift through the cacophony of demands for resources and advocacy to identify a diverse set of risks to include in their organization’s risk register. Managers of cyber risk face this problem when trying to prioritize risks within the scope of their function, only to then turn to executives and justify the need for resources. OCTAVE FORTE, a new and upcoming Enterprise Risk Management (ERM) process model developed by Carnegie Mellon’s CERT Division of the SEI, provides a scalable and standardized process that assists managers with the policy guidelines and tools necessary for identifying risks and justifying the resources needed for the organization’s proper response to them. Attendees at the OCTAVE FORTE webcast learn more about the new OCTAVE FORTE process and about a report, Advancing Risk Management Capability Using the OCTAVE FORTE Process, due this Fall. More specifically, webcast attendees can expect to learn about the fundamental steps of the process and how they might apply them in their own organization.

Software Engineering Institute (SEI) Podcast Series
The Future of Cyber: Educating the Cybersecurity Workforce

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Aug 10, 2020 28:10


The culture of computers and information technology changes quickly. The Future of Cyber Podcast series explores the future of cyber and whether we can use the innovations of the past to address the problems of the future. In our latest episode, Bobbie Stempfley, director of the SEI’s CERT Division, interviews Dr. Diana Burley, executive director and chair of the Institute for Information Infrastructure Protection, or I3P, and vice provost for research at American University. Their discussion focused on educating the cybersecurity workforce in a way that closes the gap between what students are taught in school and the skills they’ll need to use in the workplace.

Software Engineering Institute (SEI) Podcast Series
The Future of Cyber: Secure Coding

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Jun 15, 2020 41:16


For more than 30 years, the cybersecurity community has worked to increase the effectiveness of our cybersecurity and resilience efforts. Today we face an explosion of devices, the pervasiveness of software, the threat of adversarial capability, and the dependence of national capabilities on the cyber domain. These challenges demand that we think about how to achieve the future we need, which is the subject of a new series of podcasts, The Future of Cyber. In this episode, Bobbie Stempfley, director of the CERT Division of the SEI, explores the future of secure coding with Steve Lipner, the executive director of SAFECode and former director of software security at Microsoft, where he created Microsoft’s Security Development Lifecycle.   

OODAcast
Episode 21: Bobbie Stempfley of Carnegie Mellon University Software Engineering Institute

OODAcast

Play Episode Listen Later Jun 12, 2020 29:14


The leadership team at OODA have had the pleasure of working with and learning from Bobbie Stempfley since her leadership of the Department of Defense Computer Emergency Response Team (DoD CERT) after she established it in the late 1990s. This OODAcast captures insights from Bobbie that can inform the actions of corporate and government leaders alike. She has had a broad influence on the cybersecurity community, including rising to a senior executive position in the DoD and later helping DHS as it established itself as a new Department. She also led cybersecurity activities at MITRE. Through it all she has been a mentor to thousands and a thought leader known for anticipating and mitigating risks. Now as director of the Carnegie Mellon University Software Engineering Institute's CERT Division (since 2017) she leads a highly respected team of researchers examining some of the nation's biggest challenges in cybersecurity, including insider threats, the security of Artificial Intelligence, and ways to measure the impact of cybersecurity solutions. Topics we discuss with Bobbie include:
- Her foundational story
- Views on the current situation, including actions we should take to reduce cyber risks right now
- The situation regarding the security of artificial intelligence solutions
- Advice for cybersecurity professionals seeking to stay current
- Research we should be aware of at CMU
- Advice for the youth of today

Related Resources:
- SEI CERT
- Bobbie Stempfley on LinkedIn
- An Executive’s Guide to Cognitive Bias in Decision Making: How we think is critically important.
- A Decision-Maker’s Guide to Artificial Intelligence: A plain English overview with the insights you need to drive corporate decisions.
- The Executive’s Guide to Quantum Computing: What business decision-makers need to know now about quantum superiority.
- The Executive’s Guide to the Revolution in Biology: An overview of key thrusts of the transformation underway in biology, offering seven topics business leaders should consider when updating business strategy to optimize opportunity because of these changes.
- OODA COVID-19 Sense-making: A dynamic resource for OODA Network members looking for Coronavirus/COVID-19 information to drive their decision-making process. We’ll update it with new links as we encounter them. This is not meant to be a comprehensive list, but rather a compilation of the most useful resources.
- The 2020 OODA Cybersecurity Watch List: The list can serve multiple stakeholders. Investors can find firms that have demonstrated good product-market fit and are good candidates for follow-on funding. CISOs can find companies that have demonstrated real disruptive technology potential and at least enough traction to prove they are worth considering.
- OODAcast on YouTube: OODA's YouTube Channel

Software Engineering Institute (SEI) Podcast Series
The Future of Cyber: Cybercrime

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later May 7, 2020 35:03


The culture of computers and information technology evolves quickly. In this environment, how can we build a culture of security through regulations and best practices when technology can move so much faster than legislative bodies? The Future of Cyber Podcast Series explores whether we can use the innovations of the past to address the problems of the future. In this SEI Podcast, David Hickton, founding director of the University of Pittsburgh Institute for Cyber Law, Policy, and Security, sits down with Bobbie Stempfley, director of the SEI’s CERT Division, to talk about the future of cybercrime.

Software Engineering Institute (SEI) Podcast Series
My Story in Computing: Madison Quinn Oliver

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Apr 13, 2020 23:09


Those who work in computing today bring a wide array of backgrounds and experiences to the profession. In this podcast learn how Madison Quinn Oliver, who wanted to work at Carnegie Mellon University since childhood, relied on a strong work ethic and lifelong pursuit of education to become an associate vulnerability engineer on the Vulnerability Coordination Team within the SEI’s CERT Division. This is the second installment in our My Story in Computing podcast series.

Software Engineering Institute (SEI) Podcast Series
The Future of Cyber: Security and Privacy

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Feb 26, 2020 24:57


Computers and information technology are getting more and more integrated into our daily lives, so they need to be easy to use. But recent, historically large data breaches have demonstrated the need to make systems more secure and to protect information about individuals. How will the security-privacy-usability triangle successfully accommodate the challenges that the future will bring? In this podcast, Dr. Lorrie Faith Cranor, director of CyLab, sits down with Bobbie Stempfley, director of the SEI’s CERT Division, to talk about the future of cyber in security and privacy.

Software Engineering Institute (SEI) Podcast Series
The Future of Cyber: Security and Resilience

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Feb 14, 2020 33:19


For more than 30 years, the cybersecurity community has worked to increase the effectiveness of our cybersecurity and resilience efforts. Today we face an explosion of devices, the pervasiveness of software, the threat of adversarial capability, and the dependence of national capabilities on the cyber domain. These challenges demand that we think about how to achieve the future we need. In this podcast, the first in a series exploring The Future of Cyber, Bobbie Stempfley, director of the CERT Division of the SEI, and Dr. Michael McQuade, vice-president for research at Carnegie Mellon University, explore past and present technologies that have helped to secure our digital infrastructure and how past advancements will help us secure future architectures.

Software Engineering Institute (SEI) Podcast Series
Women in Software and Cybersecurity: Dr. Carol Woody

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Jan 29, 2020 25:07


Dr. Carol Woody discusses the career path that led to her current role as technical manager for the Cybersecurity Engineering (CSE) team in the SEI’s CERT Division.

Software Engineering Institute (SEI) Webcast Series
Cyber Hygiene: Why the Fundamentals Matter

Software Engineering Institute (SEI) Webcast Series

Play Episode Listen Later Oct 16, 2019 62:13


In this webcast, part of National Cybersecurity Awareness Month, our experts provide an overview of the concept of cyber hygiene, which bears an analogy to the concept of hygiene in the medical profession. Like the practice of washing hands to prevent infections, cyber hygiene addresses simple sets of actions that users can take to help reduce cybersecurity risks. Matt Butkovic, Randy Trzeciak, and Matt Trevors discuss what some of those practices are, such as implementing password security protocols, and how to determine which other practices an organization should implement. Finally, they discuss the special case of phishing—a form of attack that can bypass technical safeguards and exploit people’s weaknesses—and how changes in behavior, understanding, and technology might address this issue.

What attendees will learn:
• Key findings from the CERT Division of the SEI, and the CERT-RMM team, in identifying commonalities among cyber practices and aligning them to CERT-RMM practices
• The CERT Division’s 11 cyber hygiene areas, comprising 41 CERT-RMM practices that are paramount to every organization’s success
• What organizations can do to change behavior, understanding, and technology to implement good cyber hygiene

Software Engineering Institute (SEI) Podcast Series
Defending Your Organization Against Business Email Compromise

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later May 30, 2019 44:24


Operation Wire Wire, a coordinated law enforcement effort by the U.S. Department of Justice, U.S. Department of Homeland Security, U.S. Department of the Treasury, and the U.S. Postal Inspection Service, was conducted over a six-month period and resulted in 74 arrests in the United States and overseas, including 29 in Nigeria and 3 in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers. In this podcast, Anne Connell, a researcher in the SEI’s CERT Division, discusses recent business email compromise (BEC) attacks, including the one at the center of Operation Wire Wire and another attack involving a Texas energy company. Connell also offers guidance on how individuals and organizations can protect themselves from these sophisticated new modes of attack.

Software Engineering Institute (SEI) Podcast Series
My Story in Computing with Dr. Eliezer Kanal

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later May 21, 2019 30:28


Those who work in computing today bring a wide array of backgrounds and experiences to the profession. In this podcast, the first in a series, Dr. Eliezer Kanal—a former premed student, computational neuroscientist, health-care technical manager, financial quantitative analyst, freelance web developer, and IT consultant—discusses his background and education, all of which led to his current work leading a team of data scientists in the SEI’s CERT Division.

Cybersecurity and Technology - Audio
Supply Chain Security and Software

Cybersecurity and Technology - Audio

Play Episode Listen Later Apr 24, 2019 108:32


Please join us for a public event on initiatives for securing the software supply chain on Wednesday, April 24, 2019 from 1:00-3:00 pm at the CSIS headquarters. Within the U.S. government, there is increasing awareness of and movement on the need for a coordinated strategy to prevent, identify, and respond to threats stemming from the software supply chain throughout the acquisition process. At this event, we will discuss some of the various initiatives, including the Department of Defense’s Deliver Uncompromised, along with work at Carnegie Mellon, BSA | The Software Alliance, and the Department of Commerce, designed to minimize the risk of compromised software infiltrating critical systems.

12:45 pm - Registration
1:00 pm - Opening Speech: William Stephens, Director, Counterintelligence, Defense Security Service, Department of Defense
1:15 pm - Moderated Discussion:
- Allan Friedman, Director of Cybersecurity Initiatives, National Telecommunications Information Administration
- Bob Metzger, Co-Author, MITRE "Deliver Uncompromised"; Head of DC Office, Rogers Joseph O’Donnell, P.C.
- Tommy Ross, Senior Director, Privacy, BSA | The Software Alliance
- Roberta Stempfley, Director, CERT Division, Carnegie Mellon University Software Engineering Institute
- Derek Weeks, Vice President, Sonatype Inc.
Moderated by James A. Lewis, SVP and Director, CSIS Technology Policy Program
2:45 pm - Audience Q&A
3:00 pm - End

This event is made possible through general support to CSIS.

Software Engineering Institute (SEI) Podcast Series
Women in Software and Cybersecurity: Bobbie Stempfley

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Mar 1, 2019 17:09


In this SEI Podcast interview, Roberta (Bobbie) Stempfley discusses her career and journey to becoming the director of the SEI’s CERT Division. This podcast is one of the inaugural interviews in our Women in Software and Cybersecurity podcast series.

Software Engineering Institute (SEI) Podcast Series
Applying Best Practices in Network Traffic Analysis

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Feb 27, 2019 22:12


In today's operational climate, threats and attacks against network infrastructures have become far too common. Researchers in the SEI’s CERT Division work with organizations and large enterprises, many of whom analyze their network traffic data for ongoing status, attacks, or potential attacks. Through this work we have observed both challenges and best practices as these network traffic analysts analyze incoming contacts to the network, including packet traces or flows. In this SEI Podcast, Tim Shimeall and Timur Snoke, both researchers in the SEI’s CERT Division, highlight some best practices (and applications of these practices) that they have observed in network traffic analysis.

Software Engineering Institute (SEI) Podcast Series
10 Types of Application Security Testing Tools and How to Use Them

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Feb 25, 2019 20:11


Bugs and weaknesses in software are common: 84 percent of system breaches exploit vulnerabilities at the application layer. The prevalence of software-related problems is a key motivation for using application security testing tools. With a growing number of application security testing tools available, it can be confusing for leaders, developers, and engineers to know which tools address which issues. In this podcast, Thomas Scanlon, a researcher in the SEI’s CERT Division, discusses the different types of application security testing tools and provides guidance on how and when to use each tool.

Software Engineering Institute (SEI) Podcast Series
Using Test Suites for Static Analysis Alert Classifiers

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Feb 18, 2019 30:11


Static analysis tools used to identify potential vulnerabilities in source code produce a large number of alerts with high false-positive rates that engineers must painstakingly examine to find legitimate flaws. Researchers in the SEI’s CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool to help analysts be more efficient and effective at auditing static analysis alerts. In this podcast, CERT researchers Lori Flynn and Zach Kurtz discuss ongoing research using test suites as a source of labeled training data to create classifiers for static analysis alerts.

Software Engineering Institute (SEI) Podcast Series
Deep Learning in Depth: Adversarial Machine Learning

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Nov 27, 2018 12:47


Ritwik Gupta of the SEI’s Emerging Technology Center and Carson Sestili, formerly of the SEI’s CERT Division and now with Google, discuss adversarial machine learning.

Software Engineering Institute (SEI) Podcast Series
Deep Learning in Depth: The Importance of Diverse Perspectives

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Nov 7, 2018 9:03


Ritwik Gupta of the SEI’s Emerging Technology Center and Carson Sestili, formerly of the SEI’s CERT Division and now with Google, discuss the importance of diverse perspectives in deep learning. “If you feel like I am an OK programmer, but I am a good deep thinker and a good mathematician, that is actually one of the corners of what it takes to be a successful data scientist. Again, in regard to our previous conversation, you cannot get away with only knowing math. But if you do know math, you are going to be useful to people in a way that other people will not be. Anyway, there is hope.”

Software Engineering Institute (SEI) Podcast Series
A Technical Strategy for Cybersecurity

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Nov 4, 2018 14:51


Roberta “Bobbie” Stempfley, who was appointed director of the SEI’s CERT Division in June 2017, discusses a technical strategy for cybersecurity. “There is never enough time, money, power, resources—whatever it is—and we make design tradeoffs. Adversaries are looking at what opportunities that creates. They are looking at failures in implementation.”

Software Engineering Institute (SEI) Podcast Series
Best Practices for Security in Cloud Computing

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Oct 26, 2018 19:20


Don Faatz and Tim Morrow, researchers with the SEI’s CERT Division, outline best practices that organizations should use to address the vulnerabilities and risks in moving applications and data to cloud services.

Software Engineering Institute (SEI) Podcast Series
How to Be a Network Traffic Analyst

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Sep 14, 2018 21:10


Tim Shimeall and Timur Snoke, researchers in the SEI’s CERT Division, examine the role of the network traffic analyst in capturing and evaluating ever-increasing volumes of network data. “Part of it is the ability to use a wide variety of tools to answer questions about what is happening on the network and to figure out ways to go past inference and supposition and to get facts that can actually provide support for the hypothesis that you’re coming up with.”

Software Engineering Institute (SEI) Podcast Series
The Evolving Role of the Chief Risk Officer

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later May 24, 2018 28:22


In today's global business environment, risk management must be aligned to business strategy. As companies continue to shift their business models, strategies change and risk management becomes even more important. A company must find the right balance between risk resiliency and risk agility. The chief risk officer (CRO) role is an important catalyst to make that happen, so that a company's long-term strategic objectives may be realized. The CRO Certificate Program is developed and delivered by Carnegie Mellon University’s Heinz College of Information Systems and Public Policy and the CERT Division of the Software Engineering Institute (SEI). In this podcast, Summer Fowler and Ari Lightman discuss the evolving role of the chief risk officer and the Chief Risk Officer Program. Listen on Apple Podcasts.

EastWest Podcast
Cybersecurity Poverty Line

EastWest Podcast

Play Episode Listen Later May 12, 2018 9:56


Guest: Roberta Stempfley

The EastWest Institute's cyberspace program chief Bruce McConnell speaks with Roberta Stempfley, Director of the CERT Division at Carnegie Mellon University, on how to develop cyber-secure software as many aspects of everyday life increasingly depend on IT products and services. The two also delve into the concept of the "cybersecurity poverty line." Stempfley previously served as acting assistant secretary and deputy assistant secretary, Office of Cyber Security and Communications, at the Department of Homeland Security. She also worked in the Department of Defense as CIO of the Defense Information Systems Agency and as chief of the DoD Computer Emergency Response Team, which she established.

Software Engineering Institute (SEI) Podcast Series

DevOps breaks down software development silos to encourage free communication and constant collaboration. Agile, an iterative approach to development, emphasizes frequent deliveries of software. In this podcast, Eileen Wrubel, technical lead for the SEI’s Agile-in-Government program, and Hasan Yasar, technical manager of the Secure Lifecycle Solutions Group in the SEI’s CERT Division, discuss how Agile and DevOps can be deployed together to meet organizational needs. Listen on Apple Podcasts.

Software Engineering Institute (SEI) Podcast Series
The CERT Software Assurance Framework

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Aug 31, 2017 19:08


Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions also increase. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. The costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. Field experiences of technical staff at the SEI indicate that few programs currently implement effective cybersecurity practices early in the acquisition lifecycle. Recent Department of Defense directives are beginning to shift programs’ priorities regarding cybersecurity. As a result, researchers from the CERT Division of the SEI have started cataloging the cybersecurity practices needed to acquire, engineer, and field software-reliant systems that are acceptably secure. In this podcast, Carol Woody and Christopher Alberts introduce the prototype Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain. The SAF can be used to assess an acquisition program’s current cybersecurity practices and chart a course for improvement, ultimately reducing the cybersecurity risk of deployed software-reliant systems. Listen on Apple Podcasts.

Software Engineering Institute (SEI) Podcast Series
The SEI Fellow Series: Nancy Mead

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Aug 10, 2016 28:37


The position of SEI Fellow is awarded to people who have made an outstanding contribution to the work of the SEI and from whom the SEI leadership may expect valuable advice for continued success in the institute's mission. Nancy Mead, a principal researcher in the SEI’s CERT Division, was named an SEI Fellow in 2013. This podcast is the first in a series highlighting interviews with SEI Fellows. Listen on Apple Podcasts.

Software Engineering Institute (SEI) Webcast Series
CERT® Alignment with Cyber COI Challenges and Gaps

Software Engineering Institute (SEI) Webcast Series

Play Episode Listen Later Dec 16, 2015 29:59


Greg Shannon discusses the CERT Division's current work associated with cyber community of interest (COI).

The SupplyChainBrain Podcast
The Plague of Cybercrime: Is There Any Hope

The SupplyChainBrain Podcast

Play Episode Listen Later Sep 18, 2015 28:23


This is a ''watershed year'' for cybercrime, according to a new survey on the topic. Yet many companies are falling short in their efforts to battle it. The state of corporate cybercrime protection is mixed at best. Government agencies and boards of directors are taking an increased role in the adoption of good preventive practices, according to a new survey by PwC, CSO, the U.S. Secret Service, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University. On the other hand, many companies still aren't fully aware of the threat presented by hackers, terrorists and foreign governments. Shockingly, one in five of the surveyed executives said they aren't worried about the risk that cybercrime poses to their supply chains. Even some of the more forward-thinking organizations haven't progressed very far on the maturity curve. On this episode, we discuss the implications of the survey with PwC partner Quentin Orr. He outlines the various kinds of cyber threats, addresses the critical issue of third-party risks, and reports on the level and types of corporate investment in people, process and systems. Finally, he answers the key question: Given the sophistication and persistence of cyber-criminals today, is there any hope?

Software Engineering Institute (SEI) Podcast Series
Capturing the Expertise of Cybersecurity Incident Handlers

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Aug 27, 2015 26:01


In this podcast, Dr. Richard Young, a professor with Carnegie Mellon’s Tepper School of Business, teams with Sam Perl, a member of the CERT Division’s Enterprise Threat and Vulnerability Management team, to discuss their research on how expert cybersecurity incident handlers think, learn, and act when faced with an incident. The research study focuses on critical cognitive factors that such experts use to make decisions when faced with a complex incident, including how to deal with critical information that is missing. Study results may be used to enhance the knowledge and skills of less experienced responders. Listen on Apple Podcasts.

Software Engineering Institute (SEI) Podcast Series
Designing Security Into Software-Reliant Systems

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Jun 25, 2015 11:41


Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions are also increasing. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. However, the costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. It is more cost effective to address software security risks as early in the lifecycle as possible. As a result, researchers from the CERT Division of the Software Engineering Institute (SEI) have started investigating early lifecycle security risk analysis (i.e., during requirements, architecture, and design). In this podcast, CERT researcher Christopher Alberts introduces the Security Engineering Risk Analysis (SERA) Framework, a systematic approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle. The framework integrates system and software engineering with operational security by requiring engineers to analyze operational security risks as software-reliant systems are acquired and developed. Initial research activities have focused on specifying security requirements for these systems. Listen on Apple Podcasts.

Software Engineering Institute (SEI) Webcast Series
Lessons in External Dependency and Supply Chain Risk Management

Software Engineering Institute (SEI) Webcast Series

Play Episode Listen Later Jan 5, 2015 87:53


In this webinar, John Haller and Matthew Butkovic of the CERT Division of the Software Engineering Institute will discuss real-world incidents, including recent industrial control system attacks and incidents affecting Department of Defense capabilities, and the lessons that organizations should take away. The session will focus on the lifecycle of supply chain relationships and introduce concepts to help organizations manage them more effectively. Managing the risks of depending on external entities and supply chains to support critical services has increasingly become an area of concern for both the federal government and private critical infrastructure organizations. External dependencies may consist of business partners that your organization relies on, cloud services such as data processing, or storage facilities. Or these dependencies may take the form of reliance on public infrastructure such as transportation or the electrical grid. The webinar speakers, John and Matthew, will discuss the HAVEX malware attacks on industrial control system vendors, which were reported to the security community in June 2014. For supply chain risk management, a key lesson from the HAVEX case is the importance of having a process to identify and prioritize external dependencies. The speakers will also explore and discuss methods for addressing this problem in a realistic, reliable way. Also covered in the webinar are the lessons for third-party risk management that organizations should take away from recent attacks on DoD-affiliated transportation contractors. The speakers will explain how to correctly scope and build security programs around key, organizationally critical services. The speakers will discuss how your organization can learn from these incidents, including best practices around forming relationships with external entities and managing the relationship over time to support your organization's incident management and situational awareness processes. 
The webinar closes with a recap of key supply chain risk management capabilities and an update on CERT research into the state of these capabilities across U.S. critical infrastructure sectors.

Software Engineering Institute (SEI) Podcast Series
Characterizing and Prioritizing Malicious Code

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later May 29, 2014 27:08


Every day, major anti-virus companies and research organizations are inundated with new malware samples. Although estimates vary, approximately 150,000 new malware strains are released each day. Not enough manpower exists to manually address the volume of new malware samples that arrive daily in analysts' queues. Malware analysts need an approach that allows them to sort samples in a fundamental way so they can assign priority to the most malicious binary files. In this podcast, Jose Morales, a malicious software researcher with the CERT Division, discusses an approach for prioritizing malware samples, helping analysts to identify the most destructive malware to examine first, based on the binary file's execution behavior and its potential impact.

Related Training: Malware Analysis Apprenticeship

Listen on Apple Podcasts.

Software Engineering Institute (SEI) Podcast Series
Using the Cyber Resilience Review to Help Critical Infrastructures Better Manage Operational Resilience

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Nov 26, 2013 27:46


The U.S. Department of Homeland Security (DHS) conducts a no-cost, voluntary Cyber Resilience Review (CRR) to evaluate and enhance cybersecurity capacities and capabilities within all 18 Critical Infrastructure and Key Resources (CIKR) Sectors, as well as State, Local, Tribal, and Territorial (SLTT) governments. The goal of the CRR is to develop an understanding of an organization’s operational resilience and ability to manage cyber risk to its critical services and assets during normal operations and during times of operational stress and crises. In this podcast, Kevin Dillon, Branch Chief for Stakeholder Risk Assessment and Mitigation with DHS, and Matthew Butkovic, the CERT Division’s Technical Portfolio Manager for Infrastructure Resilience, discuss the DHS Cyber Resilience Review and how it is helping critical infrastructure owners and operators improve their operational resilience and security. Listen on Apple Podcasts.