Welcome to the Boomer Briefing Podcast, where we help you solve a critical business issue in 20 minutes or less. On this special release of the podcast, host L. Gary Boomer, Founder, Visionary, and Strategist of Boomer Consulting, and Eric McMillen, CEO, Chief Security Architect, and Founder of The McMillen Group, discuss the critical role of patch management in the accounting profession. They cover the history and growing necessity of security patches, the challenges of managing vulnerability windows, and the rise of zero-day exploits. The conversation also addresses the difficulties firms face during busy seasons and the risks of neglecting patching. Stay tuned as they emphasize the importance of layered security, strong leadership, and the benefits of automating patch management to enhance security and efficiency.
Takeaways:
- Patch management is crucial for maintaining the security and stability of computer systems.
- Shortening vulnerability windows and the rise of zero-day exploits have increased the urgency of patching.
- Firms face challenges in patching during busy seasons, but the consequences of neglecting patching can be severe.
- Layered security, including patch management, is essential for protecting against malware and other threats.
Gary on Social Media: X: @lgboomer, LinkedIn: lgboomer. Eric McMillen on Social Media: X: @ericmcmillen, LinkedIn: ericmcmillen. Look out for new episodes every Tuesday, covering The Boomer Advantage 5 Pillars of a Successful Firm: leadership, process, technology, talent, and growth. For more information about Boomer Consulting, visit boomer.com
Welcome to the Boomer Briefing Podcast, where we help you solve a critical business issue in 20 minutes or less. On this special release of the podcast, host L. Gary Boomer, Founder, Visionary, and Strategist of Boomer Consulting, and Eric McMillen, CEO, Chief Security Architect, and Founder of The McMillen Group, discuss the impact of AI on privacy and security. They explore the benefits of AI, including threat simulation and enhanced security measures, while also addressing its darker side, such as the use of AI for phishing, malware, and deepfakes. Stay tuned as they highlight the importance of staying informed, embracing AI tools, and implementing proper governance in this rapidly evolving landscape.
Takeaways:
- AI is rapidly developing and accelerating, with significant implications for privacy and security.
- Generative AI has positive applications, such as threat simulation, enhanced security measures, and time-saving capabilities.
- The malicious use of AI poses risks, including the generation of phishing templates, voice prints, and malware.
- Deepfakes and AI exploitation can lead to sexploitation, blackmail, and misinformation.
- Staying informed, embracing AI tools, and implementing proper governance are crucial for navigating the evolving AI landscape.
Gary on Social Media: X: @lgboomer, LinkedIn: lgboomer. Eric McMillen on Social Media: X: @ericmcmillen, LinkedIn: ericmcmillen. Look out for new episodes every Tuesday, covering The Boomer Advantage 5 Pillars of a Successful Firm: leadership, process, technology, talent, and growth. For more information about Boomer Consulting, visit boomer.com
Welcome to the Boomer Briefing Podcast, where we help you solve a critical business issue in 20 minutes or less. On this special release of the podcast, host L. Gary Boomer, Founder, Visionary, and Strategist of Boomer Consulting, is joined by Eric McMillen, CEO, Chief Security Architect, and Founder of The McMillen Group. Together, they explore the future of passwords, passkeys, and password managers, and delve into the critical importance of enhancing security through education and awareness in privacy and security. Stay tuned as they share practical tips and strategies for both individuals and businesses to stay secure in an increasingly digital world.
Takeaways:
- Passwords should be longer and more complex to enhance security.
- Multi-factor authentication is an effective way to protect accounts.
- Passkeys, using public key cryptography, can enhance authentication.
- Password managers provide a secure way to store and generate complex passwords.
- Security awareness education is crucial to address human vulnerabilities.
Gary on Social Media: X: @lgboomer, LinkedIn: lgboomer. Eric McMillen on Social Media: X: @ericmcmillen, LinkedIn: ericmcmillen. Look out for new episodes every Tuesday, covering The Boomer Advantage 5 Pillars of a Successful Firm: leadership, process, technology, talent, and growth. For more information about Boomer Consulting, visit boomer.com
On this episode of Navigating Forward: the Cybersecurity series, Mike Halstead and Vidhya Sriram from Launch Consulting chat with Rami Zreikat, Chief Security Architect of xTerraLink, and Trinh Ngo, Director of IT Regulatory & Controls Assurance at an insurance company. They discuss best practices for measuring cyber risks and why it's important for organizations to understand their vulnerabilities and the potential impacts of a cyber attack. They also touch on why people are both an org's best defense and its weakest link — highlighting that ongoing education and awareness programs are a key component of risk management. Recognizing that there will always be residual risk and that what's acceptable now may not be acceptable in the future, they also emphasize that risk assessment is a journey and not just something that's one and done. To learn more about how to develop your organization's Future State of Cybersecurity, go to launchconsulting.com/cyber.
Follow Rami at https://www.linkedin.com/in/rami-j-z-1338a84/
Follow Trinh at https://www.linkedin.com/in/trinh-ngo-mba/
Follow Mike at https://www.linkedin.com/in/mike-halstead-77bb6018/
Follow Vidhya at https://www.linkedin.com/in/vidhyasriram/
We hear a lot about Big Data. But what does it actually mean? Is it, quite simply, lots of data? Or is there more to it than that? Spoiler alert: there is. A lot more. In this episode, we're taking a look at the age of insight, and how Big Data has evolved from a technical concept to a way of extracting enormous value from the fumes of data meant for other purposes. We'll be meeting some of the people who have been taking raw data and adding context and insight to open up a world of value and possibility. We'll also be asking whether Big Data can get too big, and at what point it simply becomes too much to economically handle. We'll also be looking at whether there's a line to be drawn between collecting insights and invasive mining of our lives for their data value.
In this episode, we'll be meeting with Professor Vedran Podobnik, lecturer at the University of Zagreb and Global Lead for Data, Analytics & AI at Hewlett Packard Enterprise. Vedran has been in the field of data, analytics, and AI for over 15 years, and understands how the field (and the definition of Big Data) has evolved and grown over the years. He also understands better than anyone the unique challenges that a 'bigger, faster, better, more valuable' approach to our data can bring.
Heather Savory probably understands Big Data in practice better than anyone. In an incredibly varied career, she was the deputy national statistician for Britain's Office for National Statistics. She's also worked on Big Data for the United Nations, and currently sits as the Non-Executive Director for the UK Parliament Information Authority. In short, she knows a lot about Big Data, and has spent much of her career transforming big public bodies to take advantage of it and embrace the age of insight. As the spearhead of the drive to open up data in British politics, she has seen first hand the incredible results which can be achieved when disparate and siloed datasets are combined, layered, and opened up to the outside world. She also understands first hand the challenges involved in convincing people to open up their data to scrutiny, and the challenges that can present organisations.
But is data alone enough? Well, no. Insights require human expertise to analyse, verify and act on them. That's where Dr Louise Blair comes in. She's the senior analyst and Head of Vaccines and Variants at Airfinity, a data analytics and insights company specialising in healthcare. Airfinity compares data from drug trials, medical reports, news articles and disease heatmaps around the world to offer advice and insight which helps Governments, the pharmaceutical industry and health services plan for the future and expect the unexpected. Taking data from sources as diverse as livestock markets, they are able to offer advice in a way that's never been possible before - by using human intuition to compare vast siloed datasets from different sources.
Combining datasets can also be invaluable when it comes to predicting future threats in other spheres. George Webster is Chief Security Architect at HSBC (you may remember him from our last episode, on Ransomware). George has a background in using AI and insight to drive human efficiencies when it comes to cyber security, thinning out the field of false positives and helping identify genuine threats. He understands that a reliance on data alone isn't enough, and that even in the digital sphere, big data and the insights we can gain from it are best utilised to help, rather than replace, human expertise.
The long show notes for this episode can be found here: https://community.hpe.com/t5/hpe-blog-uk-ireland-middle-east/big-data-more-than-just-a-number/ba-p/7184566#.ZBA-7HbP2Ul
One of the ongoing topics that we cover here on Security Breach is ransomware attacks. The risk of continually discussing a topic is that it can become like white noise – always present, but in the background and potentially easier to dismiss. Well, if that's the case, recent findings from the Dragos 2022 Cybersecurity Year in Review report should help to re-orient your perspective. The report indicates that ransomware attacks against industrial organizations increased 87 percent last year, and over 70 percent of all ransomware attacks were directed towards manufacturers. And Dragos is forecasting that 2023 will see more new ransomware groups materialize. Joining us to discuss some of the new concerns (Ransom House) and solutions surrounding ransomware attacks is Wil Klusovsky, Avertium's Chief Security Architect. Avertium is a leading provider of cybersecurity strategy, response and compliance solutions.
We're also excited to announce that Security Breach is being sponsored by Rockwell Automation. For more information on their cybersecurity solutions, you can go to rockwellautomation.com
To catch up on past episodes, you can go to Manufacturing.net, IEN.com or MBTmag.com. You can also check Security Breach out wherever you get your podcasts. If you have a cybersecurity story or topic that you'd like to have us explore on Security Breach, you can reach me at jeff@ien.com. To download our latest report on industrial cybersecurity, The Industrial Sector's New Battlefield, click here.
The OffSec Podcast returns this week with special guest Kai (Shad0wbits), the founder and Chief Security Architect at Black Cipher Security. Host TJ Null begins by asking Kai about what piqued his interest in the Infosec field and what resources he used to get himself started. He shares what made him decide to start his own pentesting firm and gives advice for those looking to start their own business. He then describes his definition of red teaming, his favorite environment to access, and the worst thing he's done in a test. Lastly, Kai explains why it's important for people in the infosec community to share their knowledge with others as well as community projects he's been working on. Enjoy the episode!
In this episode of What That Means, Camille gets into the latest trends in security with Ron Perez, Fellow and Chief Security Architect at Intel. They talk about how AI is being used for security, how security is being developed for AI, how to develop resiliency against cyber attacks, confidential computing, insider threats, quantum computing and post-quantum cryptography, supply chain security, and how companies can start implementing AI and machine learning. To find more episodes of Cyber Security Inside, video interviews, and blogs on cybersecurity topics, visit our website at https://cybersecurityinside.com. The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.
Nachshon Pincu hosts Yossi Sassi, Co-Founder & Chief Security Architect @10ROOT, one of the world's top cyber experts, a "white hat" hacker, an expert in managing cyber crises and incident response, and in addition a gifted musician with an international career. A conversation about attackers, penetration tests, and how you can manage two demanding careers simultaneously: Get inside the head of a cyber attacker and try to understand the thinking mechanism. What is the difference between penetration testing and a red team? What is the importance of getting to know the client's systems beforehand to provide a correct and fast response during a cyber crisis (attack)? Are there golden rules for handling a cyber incident? Also, some small talk about music and managing two intense careers at once.
The explosion of 5G has resulted in organisations having more efficient signalling for Internet-of-Things (IoT) devices, faster connectivity speeds, and greater network performance. However, the use of 5G has also opened the door to new potential threats and vulnerabilities such as DDoS attacks on 5G service interfaces and cyberattacks on the IoT ecosystem, which have led to zero-day exploits and software tampering. So, as 5G grows in use, what can organisations do to protect themselves against such attacks? In this EM360 podcast, Content Producer Matt Harris talks to https://www.linkedin.com/in/sunil-ravi-065b971/ (Sunil Ravi, Chief Security Architect at Versa Networks) to discuss:
- The new threats that organisations are exposed to due to 5G, such as zero-day exploits, DDoS attacks and lateral movement in 5G networks.
- Why the telecommunications industry does not take security seriously when it comes to 5G networks, and how this mindset can change.
- How organisations can strike a balance between security and optimal networking performance.
In this episode of Cyber Security Inside: What That Means, Camille continues to dive into the idea of confidential computing and trusted execution environments with Ron Perez, Intel Fellow, Chief Security Architect, CTO Office. The conversation covers:
- What confidential computing and trusted execution environments are.
- Why we need them, and what data needs to be inside them.
- How confidential computing works in something like the cloud.
- Balancing security with usage and effectiveness using confidential computing.
...and more. Don't miss it!
The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.
Here are some key takeaways:
- Security is a very broad term. It can mean making sure there are no vulnerabilities in products, and also tapping into new capabilities and features for customers. The latter is where Ron focuses, because he wants to make sure technology is not limiting people but is allowing them to do things they wouldn't or couldn't do before.
- An example of this is cloud computing. It makes things more efficient and easier to share, but it also comes with security vulnerabilities. So new security needs to be developed to assure the safety of the work in these environments.
- A perfect security situation is essentially encasing your computer in cement and not using it. But that's not very useful. People want to do more, share more, and connect more in industry today, which creates a huge challenge. This is why security architects and technologists exist, and why they have so much job security.
- Although ransomware is incredibly important to address and focus on right now, it is also the case that we are constantly connecting our networks and striving for computing on a global scale. This might magnify any threat or vulnerability because of the connections.
- The idea of "break once, run everywhere" is going to become a real problem with how interconnected our systems are becoming. This is why security assurance is so important, and why we need to move back to focusing on it as an industry.
- We have moved past the point of being able to use paper (except maybe for something like voting) because of the speed and connectivity of everything. That's why we have things like zero trust, down to the smallest pieces of software and hardware.
- Zero trust and confidential computing are complementary. Confidential computing is about protecting data in use, by doing the computing in a hardware-based trusted execution environment.
- Why is it difficult to protect data while it's in use? It's being accessed by several different things: memory, processors, another compute engine, the software you're using to do something to the data... There may be copies of it as the software is optimizing, and there is a lot happening to it at once.
- A trusted execution environment is focused on confidentiality. It is also about protecting the data and code and detecting whether either has been modified in any way. At a minimum, it must do these two things.
- A technology like Intel Software Guard Extensions (SGX) separates the code and data inside the trusted environment from what is outside, and creates a strong separation between the two.
- SGX also protects the memory that the code and data are in during processing and use, and encrypts it. Other technologies are also trying to support multiple environments at different levels of capability.
- In the past, computer security has been based on a hierarchy: you needed to trust your data, the software, the OS, the hardware, and more. You have to secure everything under your data as well. With confidential computing, you only need to trust your data and the environment.
- Being able to trust only those two things is really powerful when you think on a global, interconnected scale. When your code is running across the globe, confidential computing helps you assure that it is protected.
- Because the cloud has grown so much in how much it's being used, there is some worry about who has access to data in it, and the possibility that someone could access it. We're relying a lot on the ethics of the people running the security. It is about the capability to access it more than anything.
- Confidential computing now allows those providers to say that they absolutely cannot see a customer's data. You are just paying for their resources and their bandwidth. It is not based on their own ethical code; they physically cannot see it.
Some interesting quotes from today's episode:
“Security is very broad. It applies to so many things. And in fact, just saying security is not enough, because everybody will have a different image in their head of what that means.” - Ron Perez
“But as a security technologist, you realize that yeah, sharing is not necessarily a good thing. That's where bad things happen. So we need new technologies to provide assurances, security assurances - confidence, basically - that you still have the same safety in terms of the security of your workloads in that environment that you can't control.” - Ron Perez
“We're really trying to do computing on a global scale. We have a number of cloud service providers and telco providers, etc. All these networks and all these systems are going to be linked together… That massive scale is the part I'm worried about, because now any little vulnerability can be magnified because, most likely, we're using these same technologies everywhere else. So the break once, run everywhere problem is going to be huge.” - Ron Perez
“Voting, for example, is probably an area where we should look at still having paper. Other than that, the speed of everything we're doing today really won't allow us to go back to those days. Even those systems that had back then. So what is a server, and can you put it in a silo?” - Ron Perez
“The past 40, 50, 60 years now, we've been figuring out how to secure data when it's being stored, at rest, and when it's in transit, over the network. That's been the whole purpose of computing security and the research and all the developments we've had. But we've missed this whole in-use part.” - Ron Perez
“We're talking about when homomorphic encryption first reemerged as a real possibility on the scene in 2009, they were thousands of orders of magnitude worse in performance. We've got that down now to just a few orders of magnitude, but even that obviously is not practical for most workloads. So we still have this need for what we can do short of that until we get to that nirvana.” - Ron Perez
“Confidential computing now allows us to say, okay, you can take the thing that you care about that you want to protect, and the hardware which implements these trusted execution environments, and that's all you have to trust. You don't have to trust any of the operating system, the hypervisor, the other applications, the other middleware on the platform, the other firmware on the platform. All you have to do is trust those two things.” - Ron Perez
Every organization needs a strong security program. One recent study estimated that a hacker attack occurs somewhere every 37 seconds. Since security programs are only as effective as a team's willingness to follow their rules and protocols, it's increasingly necessary to have not just a widely accessible gold standard of security, but also a practical plan for rolling it out and getting others on board with following it. "Security Awareness For Dummies" gives you the blueprint for implementing this sort of holistic and hyper-secure program in your organization. Written by one of the world's most influential security professionals—and an Information Systems Security Association Hall of Famer—this pragmatic and easy-to-follow book provides a framework for creating new and highly effective awareness programs from scratch, as well as steps to take to improve on existing ones. It also covers how to measure and evaluate the success of your program and highlight its value to management. To pre-order "Security Awareness For Dummies," visit https://www.amazon.com/Security-Awareness-Dummies-Computer-Tech/dp/1119720923
Control System Cyber Security Association International: (CS)²AI
Today, Derek Harp is happy to welcome Paul Forney, the Chief Security Architect for Schneider Electric, as his guest for another episode in the (CS)²AI podcast series on security leaders. Paul is a true pioneer in the industry of securing industrial control systems. Paul traveled the world while growing up because his dad was a cryptographer working for Military Intelligence. His dad was serious about his job, and although he could not talk to Paul about what he did at work, he explained all the basics of encryption and taught him how to protect documents and information. In his first year of college, Paul joined a band. The band got a record deal, so Paul left home and college and traveled the world as a rock and roll bass player. He always wanted to learn about technology, however, so after finally returning to college, he graduated as an electrical engineer in 1990 and went into industrial control systems. Paul still plays music in a small band for fun and to raise money for various children's causes.
Security is a journey that is always changing! The threat landscape and the way we think about security are constantly evolving. In this episode of the (CS)²AI Podcast, Paul shares some valuable nuggets of information about the best approach to take and the right processes to design and produce resilient, high-quality security systems. He explains how to get involved with industry standards bodies, talks about how experts from across the world should take a leaf out of the World Health Organization's book and collaborate to solve industry problems a whole lot faster, and offers his ideas for future careers. He also tells his story, talks about various elements in his professional journey, and discusses his way of bringing balance into his life. If you are interested in making a career in the field of cybersecurity, this is a conversation you won't want to miss! Stay tuned for more!
Show highlights:
- Paul plays bass in a group called The Jazz Execs. They are a consortium of musicians who raise money for children's causes. (4:42)
- In 1969, Paul started college as an electrical engineer. (8:06)
- Paul went straight into industrial control systems after graduating from the University of South Florida, in Tampa, with a degree in Electrical Engineering. He eventually moved into designing security for internet portals and communications systems. (9:34)
- Paul finds that many aspects of control systems are similar to orchestras. (10:16)
- Some of the patents that Paul came up with are for technology to look for events happening on offshore oil platforms. That kind of work still excites him! (13:49)
- He was always involved with communications in the early part of his career. (15:25)
- It was 9/11 that brought Paul into the world of cybersecurity. (17:30)
- As a security architect, Paul always has to look at the bigger picture to see how data moves around a system, in order to design resilient ways to protect those systems. (22:05)
- You need to have processes, procedures, and technology to design and produce a quality security product. (24:59)
- Paul has always sought to learn from those who think outside of the box in the control system world, like his late friend and mentor, Michael Assante. (29:14)
- Young people can gain a lot of value from mentorship and getting involved with today's standards bodies. (32:19)
- New technologies, like blockchain, have great value and potential for future careers. (46:27)
Mentioned in this episode: Join CS2AI, the largest organization for cybersecurity professionals. Membership has its benefits! We keep you up to date on the latest cybersecurity news and education. https://cs2ai.captivate.fm/cs2ai
Our Sponsors: We'd like to thank our sponsors for their faithful support of this podcast. Without their support we...
This week, we welcome Allie Mellen, Industry Analyst at Forrester Research, to discuss Digging Into XDR! In the second segment, Vincent Berk, CTO and Chief Security Architect at Riverbed, talks about Securing the Invisible: Holes in Your Visibility Fabric & Where Hackers Hide! Finally, in the Enterprise Security News for this week: At least a dozen cybersecurity companies announced raises totaling more than $900m - just in the past week!, Permira proposes to take Mimecast private for $5.8bn, The leader of a Swiss tech company is accused of selling access to text message data for surveillance, A former Ubiquiti developer was behind the big breach announced earlier this year - he unsuccessfully tried to extort his employer, SentinelOne tries to bring mobile security back?, Google and Trail of Bits team up to release a tool that scans for vulnerable Python packages, CISA has assembled a panel that will begin making cybersecurity recommendations. Make sure to stick around for This week's spicy take - Cloudflare recommends ditching your firewall, and This week's squirrel story - a new streaming service from an unexpected source! All that and more, on this episode of Enterprise Security Weekly!
Segment Resources:
https://visibility.riverbed.com/
https://www.riverbed.com/solutions/security.html
https://www.riverbed.com/products/npm/netprofiler-advanced-security-module.html
Visit https://securityweekly.com/riverbed to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw253
This Thursday on The Route to Networking podcast, Senior IP Network Consultant on the USA team, Harry Stephenson, spoke to Vincent Berk, the Chief Technology Officer and Chief Security Architect at Riverbed Technology. Vincent talks about his time at university, his PhD, and whether he found it useful in getting to where he is today. He also discusses some of the concerns he's finding in the industry currently, some of the challenges he faces daily in his current role, and some great advice for anybody looking to pursue a career in the Networking industry. Learn more from Vincent: https://www.linkedin.com/in/vincent-berk-a12314b/
The Internet of Things (IoT) refers to the physical devices around the world collecting and sharing data via the internet. For example, things like cell phones, a lightbulb that's turned on via a cell phone app, or even a Nest thermostat in your home. What was once isolated is now exponentially bigger and better connected. This has also greatly increased the attack surface, which correlates with ransomware becoming a $6 trillion industry. This week's Reimagining Cyber podcast episode, “IoT, not just alphabet soup,” with guest Kate Scarcella, Chief Security Architect with CyberRes, takes a deep dive into IoT, the ramifications of the field's exponential growth, why securing it is critical, and how OT is different.
As agencies look to improve network performance and security, one approach that often gets overlooked involves converging the tools and data belonging to agency NOCs and SOCs — network operations centers and security operations centers. Years of entrenched operating practices, budgeting and acquisition authorities, and cultural dispositions have tended to drive network and security operations teams down separate, albeit closely related, technology lanes. That has often led agency NOCs and SOCs to acquire similar data analytic tools and generate similar data but for different purposes. Agencies would be better served — by being able to improve both network performance and security — if they converged those resources, say two industry chief technology officers. Sponsored by Riverbed. Guests: Marlin McFate, CTO, Public Sector and Vincent Berk, CTO and Chief Security Architect, Riverbed Host: Wyatt Kash, SVP, Content Strategy, Scoop News Group Look for more coverage of “IT Modernization Government” on www.fedscoop.com/listen
Aaron Rinehart is expanding the possibilities of chaos engineering to cybersecurity. He began pioneering security in chaos engineering when he released ChaoSlingr during his tenure as Chief Security Architect at UnitedHealth Group (UHG). Rinehart is the O'Reilly Author on Security Chaos Engineering and has recently founded a chaos engineering startup called Verica with Casey Rosenthal from Netflix. Aaron joins us to explain what the heck security chaos engineering is. We explore the origin story of chaos engineering and security chaos engineering and how a listener starts with this new technique. We hope you enjoy this conversation with...Aaron Rinehart.
Welcome to Software Security Gurus with Matias Madou. In episode 19, he chats to Bankim Tejani, Chief Security Architect and Distinguished Engineer at the Charles Schwab Corporation. They discuss his experience with big data breaches, as well as how secure coding can speed up remediation, and drive quality, performance, and scalability. Want to nominate a guru? Get in touch! www.softwaresecuritygurus.com. --- Send in a voice message: https://anchor.fm/softwaresecuritygurus/message
In the second episode of our series, Enabling Better Health Care & Senior Care Outcomes with Technology, Nathan Gibson, Chief Security Architect and Director of Enterprise Security Architecture at Allstate, and Rebecca Herold, CEO of The Privacy Professor and Privacy Security Brainiacs, help explore the role and value of whole organization information security and privacy plans in the health care and senior living industries.
Chief Security Architect and Cyber Security Researcher Rich Wickersham joins Hosts George Rettas and Andrew Bonillo to talk about how Nation State Groups and Organized Crime Organizations are using social media platforms like LinkedIn to target users of the system for nefarious purposes. Wickersham explains how targeting occurs on social media platforms and how users can better protect themselves from adversaries who wish to exploit vulnerabilities in their profiles, as well as their professional lives. He goes into detail on how bad guys can use TUA AI models to mine unauthenticated users of LinkedIn to gather information and data that can later be used to blackmail them or attack the businesses they work for. Wickersham also gives his opinion on the recent announcement by LinkedIn that they have purged their system of approximately 21 million accounts, as well as his opinion of the traditional social media attract, retain, monetize (ARM) model.
Lacework Chief Security Architect Dan Hubbard joins the podcast to discuss his new research on container security, the challenges of securing cloud deployments, and why technological advancements have widened attack surfaces.
Join Devin Williams, CNSG's VP of Partner Strategy & Enablement as he discusses key industry trends with Paul Caiazzo, TruShield's co-founder, CEO, and Chief Security Architect. Paul is responsible for developing corporate strategy and leading the product and service development efforts of the company. He has more than 20 years of experience solving complex cyber security challenges within the Financial industry, including financial industry regulators within the Federal government. In the ten years since founding, Paul has led TruShield to become one of the fastest growing companies in the cyber security industry, with hundreds of employees and real-time security operations centers around the globe. He is focused on helping clients understand cyber risks within their own firms as well as within their investment portfolios, and developing practical risk mitigation strategies. In addition to his position at TruShield, he currently serves as Cyber Security Advisor to the Science and Technology Policy Center for Development. Key discussion points: · Compliance and Security, HIPAA being top-of-mind · The need to share sensitive data internally and externally, as a function of business · More secure and accessible health records while maintaining HIPAA compliance · Delivering on expectations for modern services; Online Portals for Prescriptions, Records and Bill-Pay, BYOD, WiFi, etc · Effectively leveraging cloud technology for cost, scalability and productivity improvements Key takeaways: Become dangerous through the enablement that CNSG is providing and get new opportunities by leveraging our respective supplier teams. Want to jump on an opportunity right now? Talk to Devin. email: devin.williams@cnsg.com
Ryan Kazanciyan is the Chief Security Architect at Tanium, and in his spare time worked as Technical Consultant for Mr. Robot alongside writer and producer Kor Adana. Why is Mr. Robot so unique in the quality of its on-screen hacks? How does one make a hack both real AND entertaining a technical and non-technical audience? Is there a lot of pressure knowing that Reddit will screenshot every frame and analyze it? All this and, how afraid should we be of our compromised computers?
Theo Van Wyk, Scalar Decision's Chief Security Architect, says 87% of Canadian Companies Suffered A Cyber Security Breach Last Year.
Jason Brvenik of NSS Labs brings more than 20 years of experience in systems design, integration, and security for both commercial and open markets. He was most recently a Principal Engineer in the Office of the Chief Security Architect at Cisco. Jason joins Michael and Matt to discuss the dogma of the industry! Full Show Notes: https://wiki.securityweekly.com/SSWEpisode55 Visit http://securityweekly.com/category/ssw for all the latest episodes!
Not to toot our own horn, but this is a great episode, because we tackle security. With the boom of ICOs sprouting up nowadays, the tools around doing them have matured a bit, so that it's easy for people outside of the space to use them; you're seeing a proliferation of them because they're much more approachable. We chat with Mushegh Hakhinian, Chief Security Architect at Synchronoss, who is an interpreter for security talk – which means he helps enterprises avoid security mistakes and translates security information into actionable advice for the technical teams. Let's get into it!
Security Current podcast - for IT security, networking, risk, compliance and privacy professionals
As you’ll hear in part two of the conversation between David Cass, Global CISO IBM Cloud and SaaS, and Chris Roberts, Acalvio Chief Security Architect, threat detection technology is allowing enterprises to identify intruders quickly. In this sponsored podcast you’ll hear how this burgeoning field of cybersecurity is helping enterprises protect their perimeters and internal infrastructure while shortening the time to discovery.
It’s becoming an old adage: “it isn’t a matter of if an attacker will infiltrate your network but when.” With that being the case, and with research showing that attackers often reside on an enterprise’s network for many months doing reconnaissance and exfiltrating data before being identified, what can enterprises do? The use of autonomous threat deception technologies to identify an intruder once inside the network is being adopted by enterprises seeking preventive and proactive technologies. As you’ll hear in this conversation with David Cass, Global CISO IBM Cloud and SaaS, and Chris Roberts, Acalvio Chief Security Architect, there has been a significant evolution in threat detection technology to allow enterprises to identify intruders quickly. In this sponsored podcast you’ll hear how a new dynamic and smart approach to traditional honeypots is helping enterprises by allowing them to immediately detect lateral movement, shortening the time to discovery.
Lawrence Pingree and I were having a discussion in the press room at RSA Conference 2016. We talked about his work with Gartner, analyzing deception as part of cybersecurity. His voice was so passionate, I just had to turn on the recorder. I haven't heard many people talking about this subject, but it's intriguing to think about... more than honeypots, true deception. Have a listen. About Lawrence Pingree Lawrence Pingree has been an active member of the Information Security industry for many years. He has consulted for large financial institutions, corporations and government entities on technologies ranging from firewalls, intrusion detection, networks, system penetration, risk management, compliance, eDiscovery and Forensics. He has served as a Chief Security Architect at both Peoplesoft and Netscreen. He is currently an active member of the Information Systems Security Association (ISSA) of Silicon Valley as well as the Open Web Application Security Project (OWASP) and is a published author of two books. Lawrence is a founding board member of the Digital Forensics Association, where he is serving as Vice President. In his spare time he enjoys trading money on the foreign currency market, hiking, nature and performance cars.
In this episode, I interview Rahul Kashyap, Chief Security Architect and Head of Security Research at Bromium, a company that focuses on stopping cyber-attacks where users are most vulnerable—the endpoint—through virtualization isolation. One of Silicon Valley’s 40 Under 40, Rahul has built a career around developing cyber defense technologies that focus on exploit prevention. At Bromium, Rahul manages R&D and product security, while simultaneously conducting robust industry outreach, speaking at leading security conferences including BlackHat, BlueHat, Hack-In-The-Box, RSA, DerbyCon, BSides, ISSA International, OWASP, InfoSec UK and others. Sponsored By: CIO Security Scoreboard – Go to VisualCIO.com to learn more about how to communicate the status of your IT Security program visually and in minutes. Time Stamped Show Notes: 02:00 – Rahul joins the show 02:41 – Talking about the 40 Under 40 03:30 – The importance of being “unstoppable”—no one believes in you at the front-end—you need to be relentless in your confidence and determination 04:47 – The genesis of being “unstoppable” 06:05 – The importance of taking on big challenges versus small challenges—Rahul’s Gandhi example 06:43 – We are a function of the problems we choose 07:25 – Even when you don’t hit the target when you take on a “big challenge”, when you fall, you’ll fall somewhere along the path, and that’s a great place to be 07:55 – The problems Bromium tackles 08:34 – Attackers have found a soft-spot—the end users—and all it takes is one bad click 09:12 – Attackers have nothing to lose, and end-users will continue to make mistakes 09:44 – No one can build the perfect security engine—it’s impossible 10:15 – The key is not worrying about users making mistakes, or attackers attacking—the key is isolating the attack at the end-point and confining it there 13:25 – Bromium focuses primarily on desktops, laptops, and tablets 14:00 – Micro-virtualization is at the executable side 14:46 – Rahul defines Bromium Labs 16:09 – Defensive security versus offensive security 16:52 – Every security company should invest in offensive security because it most accurately resembles how hackers think 18:23 – Offensive security gives you the Why 18:44 – Defensive security gives you the How 20:04 – Anti-Virus is approximately 5% effective 20:30 – It has lost its efficacy because the technology—in principle—hasn’t evolved 22:45 – Bromium Labs’ first focus is to keep your network from getting infected in the first place 25:35 – Does Bromium need to be run in isolation or can it be bundled into the software stack at the end-point? 26:49 – The security architecture behind managing disparate end-points 28:02 – Bromium’s pre-deployment analysis tool is under development but will launch soon 28:28 – Bromium’s partnership with Microsoft for Windows 10 30:33 – The frequency of patching has become SUCH a burden for small business, which is why Bromium developed a unique position towards patching 32:15 – Patching is often human error related 33:48 – It’s a new way of doing security—isolation versus prevention 34:16 – Sandboxing, Hardware enforced isolation, micro virtualization 35:18 – Most of your browsers already have a sandbox 36:55 – Companies are tired of investing in so many security products…the industry is too fragmented—Bromium is looking to change that 38:08 – It’s vital to understand the architectural limitations of each technology 38:55 – Rahul’s favorite new technology?—Hive, which is exploring the intersection between big data and security 40:48 – Rahul shares his thoughts on machine learning and A.I. 42:33 – Rahul has taken up kayaking to manage stress and stay focused…and Call of Duty on X-Box One 4 Key Points: We are a function of the problems we choose—an important concept to live by. The true soft-spot in today’s cyber-security market is the end-user—end-users always have, and always will, make mistakes that result in compromised systems and networks. It is impossible to engineer a perfect security system—the threats change too rapidly—instead of trying to focus on prevention, let’s focus on technologies that accept attacks as the inevitability they are…technologies that let an attack happen, but isolate it immediately at the end-point. The cyber-security business (like most businesses) can be extremely taxing—find an outlet for healthy stress management. Key Resources: Rahul Kashyap – Today’s guest—Chief Security Architect and Head of Security Research at Bromium Sandboxing – Default security mechanism that operates through isolation of threats, now available on most browsers Bromium Labs – Dedicated to advancing the “state of the art” of information security by performing advanced research into current and future security threats. The Hive – An incubator that uses deep learning (a new discipline in AI) and neural network models to automate the learning of data representations and features. Micro Virtualization – A proprietary technology that abstracts applications and sub-processes from hardware and runs them in isolated environments. Credits: Show Notes provided by Mallard Creatives
Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Nir-Valtman-Moshe-Ferber-From-zero-to-secure-in-1-minute-UPDATED.pdf From 0 To Secure In 1 Minute — Securing IAAS Nir Valtman CISO – Retail, NCR Moshe Ferber Co-chairman of the board, Cloud Security Alliance Israel Recent hacks to IaaS platforms revealed that we need to master the attack vectors used: the automation and API attack vector, insecure instances, and management dashboards with wide capabilities. Those attack vectors are not unique to Cloud Computing, but they are magnified due to the cloud characteristics. The fact is that the IaaS instance lifecycle is accelerating; nowadays we can find servers that are installed, launched, process data and terminate - all within a range of minutes. This new accelerated lifecycle makes traditional security processes such as periodic patches, vulnerability scanning, hardening, and forensics impossible. In this accelerated lifecycle, there are no maintenance windows for patches or ability to mitigate vulnerabilities, so the security infrastructure must adapt to new methods. In this new thinking, we require automation of instance security configuration, hardening, monitoring, and termination. Because there are no maintenance windows, servers must be patched before they boot up, security configuration and hardening procedures should be integrated with server installation, and vulnerability scanning and mitigation processes should be automatic. In the presentation, we plan to announce the full version of a new open source tool called "Cloudefigo" and explain how it enables an accelerated security lifecycle. We demonstrate how to launch pre-configured, already patched instances into an encrypted storage environment automatically, while evaluating their security and mitigating them automatically if a vulnerability is found. In the live demo, we leverage Amazon Web Services EC2 Cloud-Init scripts and object storage for provisioning automated security configuration and integrating encryption, including secure encryption key repositories for secure server communication. The result of those techniques is cloud servers that are resilient, automatically configured, with a reduced attack surface. Nir is employed at NCR Corporation as the CISO of NCR Retail. Before the acquisition of Retalix by NCR, he was Chief Security Officer of R&D at the company. As part of his previous positions in the last decade, he worked as Chief Security Architect, Senior Technology Consultant, Application Security Consultant, Systems Infrastructure Security Consultant, and a Technological Trainer. While in these positions, Nir was not only consulting, but also performing hands-on activities in various fields, i.e. hardening, penetration testing, and development for personal/internal applications. In addition, Nir is a public speaker (spoke at BlackHat, DEF CON, OWASP, InfoSec etc.) and open source contributor. Among his contributions, he released an open source anti-defacement tool called AntiDef, and wrote a publication about QRbot, an iPhone QR botnet POC he developed. His latest open source tool is Cloudefigo, which is planned to be presented at the conference. Nir has a BSc in Computer Science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. Moshe Ferber is an information security entrepreneur and one of the cornerstones of the information security industry in Israel, with over 20 years of experience in various industry-leading positions, such as Security Manager for Ness Technologies and founder of a leading MSSP services provider. Currently Mr. Ferber focuses on promoting innovation in the Israeli startup scene as an investor, lecturer and evangelist for various cloud security topics. Mr. Ferber is a popular industry speaker who promotes cloud security best practices and is an official lecturer for the Cloud Security Alliance.
Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-David-Mortman-Docker-UPDATED.pdf Docker, Docker, Give Me The News, I Got A Bad Case Of Securing You David Mortman Chief Security Architect & Distinguished Engineer, Dell Software Docker is all the rage these days. Everyone is talking about it and investing in it, from startups to enterprises and everything in between. But is it secure? What are the costs and benefits of using it? Is this just a huge risk or a huge opportunity? There's a whole lot of ranting and raving going on, but not nearly enough rational discourse. I'll cover the risks and rewards of using Docker and similar technologies such as AppC, as well as discuss the larger implications of using orchestration systems like Mesos or Kubernetes. This talk will cover the deep technical issues to be concerned about as well as the pragmatic realities of the real world. David Mortman is the Chief Security Architect and Distinguished Engineer at Dell Software and is a Contributing Analyst at Securosis. Before Dell, he ran operations and security for C3. He was formerly the Chief Information Security Officer for Siebel Systems, Inc. Previously, Mr. Mortman was Manager of IT Security at Network Associates. Mr. Mortman has also been a regular panelist and speaker at RSA, Blackhat, DEF CON and BruCon. Mr. Mortman sits on a variety of advisory boards including Qualys, Lookout and Risk I/O. He holds a BS in Chemistry from the University of Chicago. David writes for Securosis, Emergent Chaos and the New School blogs.
Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Valtman/DEFCON-22-Nir-Valtman-Bug-Bounty-Programs-Evolution.pdf Extra Materials are available here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Valtman/DEFCON-22-Nir-Valtman-Extras-Bug-Bounty-Programs-Evolution.zip Bug Bounty Programs Evolution Nir Valtman ENTERPRISE SECURITY ARCHITECT Bug bounty programs have been hyped in the past 3 years, but this concept was actually widely implemented in the past. Nowadays, we can see big companies spending a lot of money on these programs, while understanding that this is the right way to secure software. However, there are lots of black spots in these programs which most of you are not aware of, such as dealing with black hat hackers, the ability to control the testers, etc. Henceforth, this presentation explains the current behaviors around these programs and predicts what we should see in the future. Nir is employed by NCR Corporation as Enterprise Security Architect of NCR Retail, and also works as co-founder and CTO in his start-up company, Crowdome. Before the acquisition of Retalix by NCR, Nir was the Chief Security Officer of R&D in the company. As part of his previous positions in the last decade, he has worked as Chief Security Architect, Senior Technology Consultant, Application Security Consultant, Systems Infrastructure Security Consultant and a Technological Trainer. While in these positions, Nir was not only consulting, but also performing hands-on activities in various fields, i.e. hardening, penetration testing, and development for personal/internal applications. In addition, Nir released an open source anti-defacement tool called AntiDef and has written a publication about QRbot, an iPhone QR botnet POC he developed. Nir has a BSc in computer science, but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Valtman/DEFCON-22-Nir-Valtman-A-Journey-To-Protect-POS-UPDATED.pdf A Journey to Protect Points-of-sale Nir Valtman ENTERPRISE SECURITY ARCHITECT, NCR RETAIL Many point-of-sale breaches occurred in the past year and many organizations are still vulnerable against the simplest exploits. In this presentation, I explain how points-of-sale get compromised from both the retailer’s and the software vendor’s perspective. One of the most common threats is memory scraping, which is a difficult issue to solve. Hence, I would like to share with you a demonstration of how it works and what can be done in order to minimize this threat. During this presentation, I will explain the long journey that took me to understand how to mitigate it, while walking through the concepts (not exposing vendor names) that don’t work and those that can work. Nir is employed at NCR Corporation as Enterprise Security Architect of NCR Retail, and also works as co-founder and CTO in his start-up company, Crowdome. Before the acquisition of Retalix by NCR, he was Chief Security Officer of R&D in the company. As part of his previous positions in the last decade, he worked as Chief Security Architect, Senior Technology Consultant, Application Security Consultant, Systems Infrastructure Security Consultant and a Technological Trainer. During these positions, Nir was not only consulting, but also performing hands-on activities in various fields, i.e. hardening, penetration testing and development for personal/internal applications. In addition, Nir released an open source anti-defacement tool called AntiDef and wrote a publication about QRbot, an iPhone QR botnet POC he developed. Nir has a BSc in computer science, but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Mortman/DEFCON-22-Fail-Panel-Defcon-Comedy-Jam-VII.pdf DEF CON Comedy Jam Part VII, Is This The One With The Whales? David Mortman @MORTMAN Rich Mogull @RMOGULL Chris Hoff @BEAKER Dave Maynor @ERRATADAVE Larry Pesce @HAXORTHEMATRIX James Arlen @MYRCURIAL Rob Graham @ERRATAROB Alex Rothman Shostack @ARS_INFOSECTICA Weeeeeeeeee're baaaaaack. Bring out your FAIL. It's the most talked about panel at DEF CON! A standing room only event with a wait list at the door. Nothing is sacred, not the industry, not the audience, not even each other. Last year we raised over $2000 for the EFF and over $5000 over the last 5 years; let's see how much we can raise this year.... David Mortman is the Chief Security Architect and Distinguished Engineer at Dell Enstratius and is a Contributing Analyst at Securosis. Before enStratus, he ran operations and security for C3. He was formerly the Chief Information Security Officer for Siebel Systems, Inc. Previously, Mr. Mortman was Manager of IT Security at Network Associates. Mr. Mortman has also been a regular panelist and speaker at RSA, Blackhat, DEF CON and BruCon. Mr. Mortman sits on a variety of advisory boards including Qualys, Lookout and Virtuosi. He holds a BS in Chemistry from the University of Chicago. David writes for Securosis, Emergent Chaos and the New School blogs. James Arlen, CISA, is a senior consultant at Leviathan Security Group providing security consulting services to the utility, healthcare and financial verticals. He has been involved with implementing a practical level of information security in Fortune 500, TSE 100, and major public-sector corporations for over 20 years. James is also a contributing analyst with Securosis, faculty at IANS and a contributor to the Liquidmatrix Security Digest. Best described as: "Infosec geek, hacker, social activist, author, speaker, and parent." His areas of interest include organizational change, social engineering, blinky lights and shiny things. Larry is a Senior Security Analyst with InGuardians performing penetration testing, wireless assessments, and hardware hacking. He also diverts a significant portion of his attention to co-hosting the Paul's Security Weekly podcast and likes to tinker with all things electronic and wireless, much to the disappointment of his family, friends, warranties, and his second Leatherman Multi-tool. Larry is an Extra Class Amateur Radio operator (KB1TNF) and enjoys developing hardware and real-world challenges for the Mid-Atlantic Collegiate Cyber Defense Challenge.
Can you keep business safe from hackers? Many companies now feel besieged by constant attacks and few can claim not to have been targeted. In the first of a new series of the award-winning The Bottom Line, Evan Davis and guests discuss the anatomy of a cyber attack - where the threats are coming from and how best to respond. And they'll ask - should businesses be more honest about the security breaches they've faced? Guests: Richard Knowlton, Group Corporate Security Director, Vodafone; Rashmi Knowles, Chief Security Architect, RSA; Seth Berman, Executive MD, Stroz Friedberg. Producer: Sally Abrahams.
Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
Software companies inevitably produce insecure code. In 2006 alone, CERT recognized over 8,000 published vulnerabilities in applications. Attackers were previously occupied by the weaker operating systems and have moved on to easier targets: applications. What makes this situation worse is the weaponization of these exploits and the business drivers behind them. Some organizations struggle to deal with this trend to try to protect their products and customers. Other organizations have nothing in place, and need to create measures as soon as possible. This talk will raise several issues that global enterprise organizations currently face with application security and how to overcome them in a cost-effective manner. Some of the issues that will be discussed are software development lifecycle integration, global policy and compliance issues, necessary developer awareness and automated tools, and accurate metrics collection and tracking to measure the progress. Attendees will be introduced to best practices which have worked for McAfee and other large scale global enterprises, and be shown which practices to avoid. If you're only going to invest in a single activity to start, this talk will help you figure out what it should be, and how to measure its success. David Coffey is the manager of product security at McAfee. At McAfee, David is responsible for assessing the current state of security of the products, development process, and architecture. David is also responsible for leading a geographically distributed team to provide guidance and education to McAfee employees on security measures, process, integration as well as industry best practices. David has been a professional in the technology field for over a decade, giving him strong computer fundamentals, and is proficient in both NIX and Windows environments. Prior to joining McAfee, David spent several years working as either an employee or a consultant in financial institutions around the New York area. David later concentrated on architecting, developing and securing multi-tiered, high traffic, dynamic websites, with the largest one doing 92 million hits per day. David served as the sole Application Security Engineer in the 4th largest cable company in the US, performing duties ranging from code audits to architecting IDS deployments to assisting in the securing of network architectures. Most recently, David had the role of Principal Consultant at a security consulting company, managing the security process integration and adoption for a large financial institution which handles a little over 1 quadrillion dollars a year. John Viega is Vice President and Chief Security Architect at McAfee, Inc. In this role he is responsible for McAfee Avert Labs' engineering efforts, including the anti-virus engine. In addition, Viega is also in charge of product security strategy, leading security audits of code, and helping to shape the technical directions for the product lines at McAfee. Viega is a well known security expert and cryptographer and has co-authored several books, including Building Secure Software, Secure Programming Cookbook, Network Security with OpenSSL and The 19 Deadly Sins of Software Security. Prior to joining McAfee, Viega was founder and chief technology officer at Secure Software.
Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
Lockheed Martin realizes that its newly hired college graduates are an investment in Lockheed Martin's future. As a result, the company looks out for its new college hires. Dr. Cherry will talk about several programs dedicated to enhancing the work experience of newly hired and vested college graduates. For instance, one program focuses on new technical graduates right out of college. Another program focuses on new graduates already thinking about a management track. A third program focuses on college graduates who have been around 3-5 years and are serious about focusing on a leadership role. Finally, Dr. Hamilton and Dr. Cherry will dish out relevant insights they gained as they forged ahead in their careers in the corporate world. About the speaker: Dr. Cherry is the Chief Security Architect for a large Intelligence Community program, focused on bringing together disconnected security functionality into a cohesive security infrastructure. Dr. Cherry