POPULARITY
The latest iteration of the National Institutes of Standards and Technology's (NIST) Cybersecurity Framework (CSF) helps organizations strengthen their security posture and align their cybersecurity efforts with enterprise-wide risk management. NIST's Steven Quinn, the project lead for the Cybersecurity Framework, provides a comprehensive overview of the key updates and transformative features in the 2.0 version. At the center of the new framework is the introduction of the "govern" function, which empowers executives and risk management professionals to seamlessly integrate cybersecurity risk into their existing enterprise-level decision-making processes. By bridging the gap between technical security controls and business objectives, the framework enables organizations to make more informed, strategic investments in their cybersecurity programs. Additionally, the framework has been enhanced to address emerging technologies, such as quantum computing and artificial intelligence, ensuring an organization is prepared to navigate the evolving threat landscape.
⬥GUEST⬥Jake Braun, Acting Principal Deputy National Cyber Director, The White House | On LinkedIn: https://www.linkedin.com/in/jake-braun-77372539/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin⬥EPISODE NOTES⬥Cybersecurity is often framed as a battle between attackers and defenders, but what happens when hackers take on a different role—one of informing policy, protecting critical infrastructure, and even saving lives? That's the focus of the latest Redefining Cybersecurity podcast episode, where host Sean Martin speaks with Jake Braun, former Acting Principal Deputy National Cyber Director at the White House and current Executive Director of the Cyber Policy Initiative at the University of Chicago.Braun discusses The Hackers' Almanack, a project developed in partnership with DEF CON and the Franklin Project to document key cybersecurity findings that policymakers, industry leaders, and technologists should be aware of. This initiative captures some of the most pressing security challenges emerging from DEF CON's research community and translates them into actionable insights that could drive meaningful policy change.DEF CON, The Hackers' Almanack, and the Franklin ProjectDEF CON, one of the world's largest hacker conferences, brings together tens of thousands of security researchers each year. While the event is known for its groundbreaking technical discoveries, Braun explains that too often, these findings fail to make their way into the hands of policymakers who need them most. That's why The Hackers' Almanack was created—to serve as a bridge between the security research community and decision-makers who shape regulations and national security strategies.This effort is an extension of the Franklin Project, named after Benjamin Franklin, who embodied the intersection of science and civics. The initiative includes not only The Hackers' Almanack but also a volunteer-driven cybersecurity support network for under-resourced water utilities, a critical infrastructure sector under increasing attack.Ransomware: Hackers Filling the Gaps Where Governments Have StruggledOne of the most striking sections of The Hackers' Almanack examines the state of ransomware. Despite significant government efforts to disrupt ransomware groups, attacks remain as damaging as ever. Braun highlights the work of security researcher Vangelis Stykas, who successfully infiltrated ransomware gangs—not to attack them, but to gather intelligence and warn potential victims before they were hit.While governments have long opposed private-sector hacking in retaliation against cybercriminals, Braun raises an important question: Should independent security researchers be allowed to operate in this space if they can help prevent attacks? This isn't just about hacktivism—it's about whether traditional methods of law enforcement and national security are enough to combat the ransomware crisis.AI Security: No Standards, No Rules, Just ChaosArtificial intelligence is dominating conversations in cybersecurity, but according to Braun, the industry still hasn't figured out how to secure AI effectively. DEF CON's AI Village, which has been studying AI security for years, made a bold statement: AI red teaming, as it exists today, lacks clear definitions and standards. Companies are selling AI security assessments with no universally accepted benchmarks, leaving buyers to wonder what they're really getting.Braun argues that industry leaders, academia, and government must quickly come together to define what AI security actually means. Are we testing AI applications? The algorithms? The data sets? Without clarity, AI red teaming risks becoming little more than a marketing term, rather than a meaningful security practice.Biohacking: The Blurry Line Between Innovation and BioterrorismPerhaps the most controversial section of The Hackers' Almanack explores biohacking and its potential risks. Researchers at the Four Thieves Vinegar Collective demonstrated how AI and 3D printing could allow individuals to manufacture vaccines and medical devices at home—at a fraction of the cost of commercial options. While this raises exciting possibilities for healthcare accessibility, it also raises serious regulatory and ethical concerns.Current laws classify unauthorized vaccine production as bioterrorism, but Braun questions whether that definition should evolve. If underserved communities have no access to life-saving treatments, should they be allowed to manufacture their own? And if so, how can regulators ensure safety without stifling innovation?A Call to ActionThe Hackers' Almanack isn't just a technical report—it's a call for governments, industry leaders, and the security community to rethink how we approach cybersecurity, technology policy, and even healthcare. Braun and his team at the Franklin Project are actively recruiting volunteers, particularly those with cybersecurity expertise, to help protect vulnerable infrastructure like water utilities.For policymakers, the message is clear: Pay attention to what the hacker community is discovering. These findings aren't theoretical—they impact national security, public safety, and technological advancement in ways that require immediate action.Want to learn more? Listen to the full episode and explore The Hackers' Almanack to see how cybersecurity research is shaping the future.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥The DEF CON 32 Hackers' Almanack: https://thehackersalmanack.com/defcon32-hackers-almanackDEF CON Franklin Project: https://defconfranklin.com/ | On LinkedIn: https://www.linkedin.com/company/def-con-franklin/DEF CON: https://defcon.org/Cyber Policy Initiative: https://harris.uchicago.edu/research-impact/initiatives-partnerships/cyber-policy-initiative⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity:
⬥GUEST⬥Jake Braun, Acting Principal Deputy National Cyber Director, The White House | On LinkedIn: https://www.linkedin.com/in/jake-braun-77372539/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin⬥EPISODE NOTES⬥Cybersecurity is often framed as a battle between attackers and defenders, but what happens when hackers take on a different role—one of informing policy, protecting critical infrastructure, and even saving lives? That's the focus of the latest Redefining Cybersecurity podcast episode, where host Sean Martin speaks with Jake Braun, former Acting Principal Deputy National Cyber Director at the White House and current Executive Director of the Cyber Policy Initiative at the University of Chicago.Braun discusses The Hackers' Almanack, a project developed in partnership with DEF CON and the Franklin Project to document key cybersecurity findings that policymakers, industry leaders, and technologists should be aware of. This initiative captures some of the most pressing security challenges emerging from DEF CON's research community and translates them into actionable insights that could drive meaningful policy change.DEF CON, The Hackers' Almanack, and the Franklin ProjectDEF CON, one of the world's largest hacker conferences, brings together tens of thousands of security researchers each year. While the event is known for its groundbreaking technical discoveries, Braun explains that too often, these findings fail to make their way into the hands of policymakers who need them most. That's why The Hackers' Almanack was created—to serve as a bridge between the security research community and decision-makers who shape regulations and national security strategies.This effort is an extension of the Franklin Project, named after Benjamin Franklin, who embodied the intersection of science and civics. The initiative includes not only The Hackers' Almanack but also a volunteer-driven cybersecurity support network for under-resourced water utilities, a critical infrastructure sector under increasing attack.Ransomware: Hackers Filling the Gaps Where Governments Have StruggledOne of the most striking sections of The Hackers' Almanack examines the state of ransomware. Despite significant government efforts to disrupt ransomware groups, attacks remain as damaging as ever. Braun highlights the work of security researcher Vangelis Stykas, who successfully infiltrated ransomware gangs—not to attack them, but to gather intelligence and warn potential victims before they were hit.While governments have long opposed private-sector hacking in retaliation against cybercriminals, Braun raises an important question: Should independent security researchers be allowed to operate in this space if they can help prevent attacks? This isn't just about hacktivism—it's about whether traditional methods of law enforcement and national security are enough to combat the ransomware crisis.AI Security: No Standards, No Rules, Just ChaosArtificial intelligence is dominating conversations in cybersecurity, but according to Braun, the industry still hasn't figured out how to secure AI effectively. DEF CON's AI Village, which has been studying AI security for years, made a bold statement: AI red teaming, as it exists today, lacks clear definitions and standards. Companies are selling AI security assessments with no universally accepted benchmarks, leaving buyers to wonder what they're really getting.Braun argues that industry leaders, academia, and government must quickly come together to define what AI security actually means. Are we testing AI applications? The algorithms? The data sets? Without clarity, AI red teaming risks becoming little more than a marketing term, rather than a meaningful security practice.Biohacking: The Blurry Line Between Innovation and BioterrorismPerhaps the most controversial section of The Hackers' Almanack explores biohacking and its potential risks. Researchers at the Four Thieves Vinegar Collective demonstrated how AI and 3D printing could allow individuals to manufacture vaccines and medical devices at home—at a fraction of the cost of commercial options. While this raises exciting possibilities for healthcare accessibility, it also raises serious regulatory and ethical concerns.Current laws classify unauthorized vaccine production as bioterrorism, but Braun questions whether that definition should evolve. If underserved communities have no access to life-saving treatments, should they be allowed to manufacture their own? And if so, how can regulators ensure safety without stifling innovation?A Call to ActionThe Hackers' Almanack isn't just a technical report—it's a call for governments, industry leaders, and the security community to rethink how we approach cybersecurity, technology policy, and even healthcare. Braun and his team at the Franklin Project are actively recruiting volunteers, particularly those with cybersecurity expertise, to help protect vulnerable infrastructure like water utilities.For policymakers, the message is clear: Pay attention to what the hacker community is discovering. These findings aren't theoretical—they impact national security, public safety, and technological advancement in ways that require immediate action.Want to learn more? Listen to the full episode and explore The Hackers' Almanack to see how cybersecurity research is shaping the future.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥The DEF CON 32 Hackers' Almanack: https://thehackersalmanack.com/defcon32-hackers-almanackDEF CON Franklin Project: https://defconfranklin.com/ | On LinkedIn: https://www.linkedin.com/company/def-con-franklin/DEF CON: https://defcon.org/Cyber Policy Initiative: https://harris.uchicago.edu/research-impact/initiatives-partnerships/cyber-policy-initiative⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity:
⬥GUESTS⬥Sandy Dunn, Consultant Artificial Intelligence & Cybersecurity, Adjunct Professor Institute for Pervasive Security Boise State University | On Linkedin: https://www.linkedin.com/in/sandydunnciso/Rock Lambros, CEO and founder of RockCyber | On LinkedIn | https://www.linkedin.com/in/rocklambros/Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martinView This Show's Sponsors⬥EPISODE NOTES⬥The rise of large language models (LLMs) has reshaped industries, bringing both opportunities and risks. The latest OWASP Top 10 for LLMs aims to help organizations understand and mitigate these risks. In a recent episode of Redefining Cybersecurity, host Sean Martin sat down with Sandy Dunn and Rock Lambros to discuss the latest updates to this essential security framework.The OWASP Top 10 for LLMs: What It Is and Why It MattersOWASP has long been a trusted source for security best practices, and its LLM-specific Top 10 is designed to guide organizations in identifying and addressing key vulnerabilities in AI-driven applications. This initiative has rapidly gained traction, becoming a reference point for AI security governance, testing, and implementation. Organizations developing or integrating AI solutions are now evaluating their security posture against this list, ensuring safer deployment of LLM technologies.Key Updates for 2025The 2025 iteration of the OWASP Top 10 for LLMs introduces refinements and new focus areas based on industry feedback. Some categories have been consolidated for clarity, while new risks have been added to reflect emerging threats.• System Prompt Leakage (New) – Attackers may manipulate LLMs to extract system prompts, potentially revealing sensitive operational instructions and security mechanisms.• Vector and Embedding Risks (New) – Security concerns around vector databases and embeddings, which can lead to unauthorized data exposure or manipulation.Other notable changes include reordering certain risks based on real-world impact. Prompt Injection remains the top concern, while Sensitive Information Disclosure and Supply Chain Vulnerabilities have been elevated in priority.The Challenge of AI SecurityUnlike traditional software vulnerabilities, LLMs introduce non-deterministic behavior, making security testing more complex. Jailbreaking attacks—where adversaries bypass system safeguards through manipulative prompts—remain a persistent issue. Prompt injection attacks, where unauthorized instructions are inserted to manipulate output, are also difficult to fully eliminate.As Dunn explains, “There's no absolute fix. It's an architecture issue. Until we fundamentally redesign how we build LLMs, there will always be risk.”Beyond Compliance: A Holistic Approach to AI SecurityBoth Dunn and Lambros emphasize that organizations need to integrate AI security into their overall IT and cybersecurity strategy, rather than treating it as a separate issue. AI governance, supply chain integrity, and operational resilience must all be considered.Lambros highlights the importance of risk management over rigid compliance: “Organizations have to balance innovation with security. You don't have to lock everything down, but you need to understand where your vulnerabilities are and how they impact your business.”Real-World Impact and AdoptionThe OWASP Top 10 for LLMs has already been widely adopted, with companies incorporating it into their security frameworks. It has been translated into multiple languages and is serving as a global benchmark for AI security best practices.Additionally, initiatives like HackerPrompt 2.0 are helping security professionals stress-test AI models in real-world scenarios. OWASP is also facilitating industry collaboration through working groups on AI governance, threat intelligence, and agentic AI security.How to Get InvolvedFor those interested in contributing, OWASP provides open-access resources and welcomes participants to its AI security initiatives. Anyone can join the discussion, whether as an observer or an active contributor.As AI becomes more ingrained in business and society, frameworks like the OWASP Top 10 for LLMs are essential for guiding responsible innovation. To learn more, listen to the full episode and explore OWASP's latest AI security resources.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥OWASP GenAI: https://genai.owasp.org/Link to the 2025 version of the Top 10 for LLM Applications: https://genai.owasp.org/llm-top-10/Getting Involved: https://genai.owasp.org/contribute/OWASP LLM & Gen AI Security Summit at RSAC 2025: https://genai.owasp.org/event/rsa-conference-2025/AI Threat Mind Map: https://github.com/subzer0girl2/AI-Threat-Mind-MapGuide for Preparing and Responding to Deepfake Events: https://genai.owasp.org/resource/guide-for-preparing-and-responding-to-deepfake-events/AI Security Solution Cheat Sheet Q1-2025:https://genai.owasp.org/resource/ai-security-solution-cheat-sheet-q1-2025/HackAPrompt 2.0: https://www.hackaprompt.com/⬥ADDITIONAL INFORMATION⬥✨ To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcastRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist on YouTube:
⬥GUESTS⬥Sandy Dunn, Consultant Artificial Intelligence & Cybersecurity, Adjunct Professor Institute for Pervasive Security Boise State University | On Linkedin: https://www.linkedin.com/in/sandydunnciso/Rock Lambros, CEO and founder of RockCyber | On LinkedIn | https://www.linkedin.com/in/rocklambros/Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martinView This Show's Sponsors⬥EPISODE NOTES⬥The rise of large language models (LLMs) has reshaped industries, bringing both opportunities and risks. The latest OWASP Top 10 for LLMs aims to help organizations understand and mitigate these risks. In a recent episode of Redefining Cybersecurity, host Sean Martin sat down with Sandy Dunn and Rock Lambros to discuss the latest updates to this essential security framework.The OWASP Top 10 for LLMs: What It Is and Why It MattersOWASP has long been a trusted source for security best practices, and its LLM-specific Top 10 is designed to guide organizations in identifying and addressing key vulnerabilities in AI-driven applications. This initiative has rapidly gained traction, becoming a reference point for AI security governance, testing, and implementation. Organizations developing or integrating AI solutions are now evaluating their security posture against this list, ensuring safer deployment of LLM technologies.Key Updates for 2025The 2025 iteration of the OWASP Top 10 for LLMs introduces refinements and new focus areas based on industry feedback. Some categories have been consolidated for clarity, while new risks have been added to reflect emerging threats.• System Prompt Leakage (New) – Attackers may manipulate LLMs to extract system prompts, potentially revealing sensitive operational instructions and security mechanisms.• Vector and Embedding Risks (New) – Security concerns around vector databases and embeddings, which can lead to unauthorized data exposure or manipulation.Other notable changes include reordering certain risks based on real-world impact. Prompt Injection remains the top concern, while Sensitive Information Disclosure and Supply Chain Vulnerabilities have been elevated in priority.The Challenge of AI SecurityUnlike traditional software vulnerabilities, LLMs introduce non-deterministic behavior, making security testing more complex. Jailbreaking attacks—where adversaries bypass system safeguards through manipulative prompts—remain a persistent issue. Prompt injection attacks, where unauthorized instructions are inserted to manipulate output, are also difficult to fully eliminate.As Dunn explains, “There's no absolute fix. It's an architecture issue. Until we fundamentally redesign how we build LLMs, there will always be risk.”Beyond Compliance: A Holistic Approach to AI SecurityBoth Dunn and Lambros emphasize that organizations need to integrate AI security into their overall IT and cybersecurity strategy, rather than treating it as a separate issue. AI governance, supply chain integrity, and operational resilience must all be considered.Lambros highlights the importance of risk management over rigid compliance: “Organizations have to balance innovation with security. You don't have to lock everything down, but you need to understand where your vulnerabilities are and how they impact your business.”Real-World Impact and AdoptionThe OWASP Top 10 for LLMs has already been widely adopted, with companies incorporating it into their security frameworks. It has been translated into multiple languages and is serving as a global benchmark for AI security best practices.Additionally, initiatives like HackerPrompt 2.0 are helping security professionals stress-test AI models in real-world scenarios. OWASP is also facilitating industry collaboration through working groups on AI governance, threat intelligence, and agentic AI security.How to Get InvolvedFor those interested in contributing, OWASP provides open-access resources and welcomes participants to its AI security initiatives. Anyone can join the discussion, whether as an observer or an active contributor.As AI becomes more ingrained in business and society, frameworks like the OWASP Top 10 for LLMs are essential for guiding responsible innovation. To learn more, listen to the full episode and explore OWASP's latest AI security resources.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥OWASP GenAI: https://genai.owasp.org/Link to the 2025 version of the Top 10 for LLM Applications: https://genai.owasp.org/llm-top-10/Getting Involved: https://genai.owasp.org/contribute/OWASP LLM & Gen AI Security Summit at RSAC 2025: https://genai.owasp.org/event/rsa-conference-2025/AI Threat Mind Map: https://github.com/subzer0girl2/AI-Threat-Mind-MapGuide for Preparing and Responding to Deepfake Events: https://genai.owasp.org/resource/guide-for-preparing-and-responding-to-deepfake-events/AI Security Solution Cheat Sheet Q1-2025:https://genai.owasp.org/resource/ai-security-solution-cheat-sheet-q1-2025/HackAPrompt 2.0: https://www.hackaprompt.com/⬥ADDITIONAL INFORMATION⬥✨ To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcastRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist on YouTube:
¡APRENDE SecTY Podcast! EP4.48 ¿Cuál es el mejor marco de referencia para tu negocio? Cuando quieres poner en orden la ciberseguridad en tu negocio a veces necesitas una base de controles que te guíen, pero ¿cuál es el mejor marco de referencia para tu negocio? Pues te lo cuento en este episodio presentado por Aeronet. Te explico los pasos que necesitas para hacer tu análisis de impacto de tu negocio Este episodio es presentado por AeroNet. Empresa de tecnología 100% puertorriqueña, líder en soluciones de conectividad para negocios y residencias en Puerto Rico. Go Faster, Go Save. AeroNet Wireless - Reliable High Speed Internet (aeronetpr.com) ¡Escucha el video sobre este tema en el canal de YOUTUBE de Aprende SecTY y suscríbete! https://www.youtube.com/@aprendesecty/?sub_confirmation=1 Recuerda: Síguenos en Facebook, Instagram, X y LinkedIN como: @SecTYCS Envíame tus preguntas o recomendaciones a: aprende@sectycs.com Video recomendado: ¿Qué Cambió en el Cybersecurity Framework del NIST?:https://youtu.be/dpvZTUzgDIA #ciberseguridad #SecurityAwareness #InformtaionTechnology #ITSecurity #Empoderamiento #Confianza #NIST #COBIT #ISACA #CIS #PCI #ISO27001 #marcosdereferencia #cybersecurityframework
Our latest in a series of interviews discussing cybersecurity career paths, today we talk to Jayson Grace his path into cybersecurity and his experience building red teams at national labs and purple teams at Meta. We also talk about his community impact, giving talks and building open source tools. Jayson just left Meta for an AI safety startup named Dreadnode, which we'll discuss as well. Segment Resources: CyberSecEval 3: Advancing the Evaluation of Cybersecurity Risks and Capabilities in Large Language Models The [TTPForge] (https://github.com/facebookincubator/TTPForge) is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs). ForgeArmory provides TTPs that can be used with the TTPForge Wired, by Lily Hay Newman: Facebook's ‘Red Team X' Hunts Bugs Beyond the Social Network's Walls MOSE (Master Of SErvers) is a post exploitation tool for configuration management servers. BSides SF 2024 - Beyond Quick Cash: Rethinking Bug Bounties for Greater Impact BSides LV 2023 - [GF - Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention - https://www.youtube.com/watch?v=-MT0tNi2vvc This week in the enterprise security news, we've got: Torq, Tamnoon, and Defect Dojo raise funding Checkmarx acquires ZAP Commvault acquires Clumio Would you believe San Francisco is NOT the most funded metro area for cybersecurity? Auto-doxxing Smart glasses are now possible Meta gets fined $100M for storing plaintext passwords AI coding assistants might not be living up to expectations Worst Practices Dumpster fires and truth bombs All that and more, on this episode of Enterprise Security Weekly! The way we use browsers has changed, so has the way we need to secure them. Using a secure enterprise browser to execute content away from the endpoint, inside a secure cloud browser is a dramatically more effective and cost-effective approach to protect users and secure access. This segment is sponsored by Menlo Security. Visit https://securityweekly.com/menloisw to learn more about them! Sevco is a cloud-native vulnerability and exposure management platform built atop asset intelligence to enable rapid risk prioritization, mitigation, validation, and metrics. Segment Resources: Customer Testimonials: https://www.sevcosecurity.com/testimonials/ Product Videos: https://www.sevcosecurity.com/sevcoshorts/ This segment is sponsored by Sevco Security. Visit https://securityweekly.com/sevcoisw to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-378
Our latest in a series of interviews discussing cybersecurity career paths, today we talk to Jayson Grace his path into cybersecurity and his experience building red teams at national labs and purple teams at Meta. We also talk about his community impact, giving talks and building open source tools. Jayson just left Meta for an AI safety startup named Dreadnode, which we'll discuss as well. Segment Resources: CyberSecEval 3: Advancing the Evaluation of Cybersecurity Risks and Capabilities in Large Language Models The [TTPForge] (https://github.com/facebookincubator/TTPForge) is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs). ForgeArmory provides TTPs that can be used with the TTPForge Wired, by Lily Hay Newman: Facebook's ‘Red Team X' Hunts Bugs Beyond the Social Network's Walls MOSE (Master Of SErvers) is a post exploitation tool for configuration management servers. BSides SF 2024 - Beyond Quick Cash: Rethinking Bug Bounties for Greater Impact BSides LV 2023 - [GF - Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention - https://www.youtube.com/watch?v=-MT0tNi2vvc This week in the enterprise security news, we've got: Torq, Tamnoon, and Defect Dojo raise funding Checkmarx acquires ZAP Commvault acquires Clumio Would you believe San Francisco is NOT the most funded metro area for cybersecurity? Auto-doxxing Smart glasses are now possible Meta gets fined $100M for storing plaintext passwords AI coding assistants might not be living up to expectations Worst Practices Dumpster fires and truth bombs All that and more, on this episode of Enterprise Security Weekly! The way we use browsers has changed, so has the way we need to secure them. Using a secure enterprise browser to execute content away from the endpoint, inside a secure cloud browser is a dramatically more effective and cost-effective approach to protect users and secure access. This segment is sponsored by Menlo Security. Visit https://securityweekly.com/menloisw to learn more about them! Sevco is a cloud-native vulnerability and exposure management platform built atop asset intelligence to enable rapid risk prioritization, mitigation, validation, and metrics. Segment Resources: Customer Testimonials: https://www.sevcosecurity.com/testimonials/ Product Videos: https://www.sevcosecurity.com/sevcoshorts/ This segment is sponsored by Sevco Security. Visit https://securityweekly.com/sevcoisw to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-378
Our latest in a series of interviews discussing cybersecurity career paths, today we talk to Jayson Grace his path into cybersecurity and his experience building red teams at national labs and purple teams at Meta. We also talk about his community impact, giving talks and building open source tools. Jayson just left Meta for an AI safety startup named Dreadnode, which we'll discuss as well. Segment Resources: CyberSecEval 3: Advancing the Evaluation of Cybersecurity Risks and Capabilities in Large Language Models The [TTPForge] (https://github.com/facebookincubator/TTPForge) is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs). ForgeArmory provides TTPs that can be used with the TTPForge Wired, by Lily Hay Newman: Facebook's ‘Red Team X' Hunts Bugs Beyond the Social Network's Walls MOSE (Master Of SErvers) is a post exploitation tool for configuration management servers. BSides SF 2024 - Beyond Quick Cash: Rethinking Bug Bounties for Greater Impact BSides LV 2023 - [GF - Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention - https://www.youtube.com/watch?v=-MT0tNi2vvc Show Notes: https://securityweekly.com/esw-378
Our latest in a series of interviews discussing cybersecurity career paths, today we talk to Jayson Grace his path into cybersecurity and his experience building red teams at national labs and purple teams at Meta. We also talk about his community impact, giving talks and building open source tools. Jayson just left Meta for an AI safety startup named Dreadnode, which we'll discuss as well. Segment Resources: CyberSecEval 3: Advancing the Evaluation of Cybersecurity Risks and Capabilities in Large Language Models The [TTPForge] (https://github.com/facebookincubator/TTPForge) is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs). ForgeArmory provides TTPs that can be used with the TTPForge Wired, by Lily Hay Newman: Facebook's ‘Red Team X' Hunts Bugs Beyond the Social Network's Walls MOSE (Master Of SErvers) is a post exploitation tool for configuration management servers. BSides SF 2024 - Beyond Quick Cash: Rethinking Bug Bounties for Greater Impact BSides LV 2023 - [GF - Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention - https://www.youtube.com/watch?v=-MT0tNi2vvc Show Notes: https://securityweekly.com/esw-378
The future of cybersecurity is changing as threats evolve. NIST's Cybersecurity Center of Excellence works with partners in the public and private sectors to address securing IT systems and critical infrastructure. Cherilyn Pascoe, director of NCCoE, at Billington Cyber Summit in Washington, D.C., discussed the center's collaboration with industry and government agencies, NIST's Cybersecurity Framework 2.0 and migrating to post-quantum cryptography standards to protect against quantum computer threats.
Join Sean Martin and TAPE3 as they dive into key insights from Black Hat 2024, highlighting the crucial need to embed cybersecurity into core business practices to drive growth and resilience. Discover how leveraging AI, modular frameworks, and human expertise can transform cybersecurity from a defensive function into a strategic enabler of business success.________This fictional story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn.Sincerely, Sean Martin and TAPE3________Sean Martin is the host of the Redefining CyberSecurity Podcast, part of the ITSPmagazine Podcast Network—which he co-founded with his good friend Marco Ciappelli—where you may just find some of these topics being discussed. Visit Sean on his personal website.TAPE3 is the Artificial Intelligence for ITSPmagazine, created to function as a guide, writing assistant, researcher, and brainstorming partner to those who adventure at and beyond the Intersection Of Technology, Cybersecurity, And Society. Visit TAPE3 on ITSPmagazine.Follow our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas
Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society. Justin Smulison interviews Daniel Eliot of NIST about NIST, its new publications on cybersecurity, including two Quick Start Guides, the Cybersecurity Framework 2.0, and more, Daniel's history with cybersecurity for small businesses and his career-long passion for helping small businesses protect themselves against cybercrime. Listen in for the latest information on NIST and cybersecurity guidelines for your organization. Key Takeaways: [:01] About RIMS. [:14] RISKWORLD 2025 will take place in Chicago, Illinois from May 4th through May 7th. The call for submissions is now open through August 27th. A link to the submission form is in this episode's show notes. [:30] About this episode. We will be joined by Daniel Eliot from the National Institute of Standards and Technology, or NIST. [:52] First, let's talk about RIMS Virtual Workshops. The full calendar of virtual workshops is at RIMS.org/VirtualWorkshops. August 15th starts the three-part series, Leveraging Data and Analytics for Continuous Risk Management. Other dates for the Fall and Winter are available on the Virtual Workshops full calendar at RIMS.org/VirtualWorkshops. [1:14] Let's talk about prep courses for the RIMS-CRMP. On September 10th and 11th, the RIMS-CRMP Exam Prep will be held with NAIT. There is another RIMS-CRMP Exam Prep on September 12th and 13th. [1:29] The next RIMS-CRMP-FED Exam Prep course will be hosted along with George Mason University on December 3rd through 5th, 2024. Links to these courses can be found on the Certification Page of RIMS.org and in this episode's show notes. [1:44] We've got the DFW RIMS 2024 Fall Conference and Spa Event happening on September 19th in Irving, Texas. Learn more about that event in Episode 299, which features an interview with the Texas State Office of Risk Management. [2:02] Also on September 19th is the RIMS Chicago Chapter's Chicagoland Risk Forum 2024. Register at ChicagolandRiskForum.org. [2:12] Registration opened for the RIMS Canada Conference 2024 which will be held from October 6th through the 9th in Vancouver. Visit RIMSCanadaConference.ca to register. [2:25] Registration is also open for the RIMS Western Regional, which will be held from September 29th through October 1st at the Sun River Resort in Oregon. Register at RIMSWesternRegional.com. [2:38] We want you to join us in Boston on November 18th and 19th for the RIMS ERM Conference 2024. The agenda is live. The keynote will be announced soon. We want to see you there! A link is in this episode's show notes. [2:53] The nominations are now open for the RIMS ERM Award of Distinction 2024. Nominations are due August 30th. A link to the nomination form is in this episode's show notes. [3:07] If you or someone you know manages an ERM program that delivers the goods, we want to hear about it. A link is in this episode's show notes. All RIMS regional conference information can be found on the Events page at RIMS.org. [3:24] On with the show! In October, we will celebrate National Cybersecurity Awareness Month. You should observe it all year round, of course. My guest today has a lot of great insight into risk frameworks. He is Daniel Eliot, the Lead for Small Business Engagement in the Applied Cybersecurity Division of The National Institute of Standards and Technology (NIST). [3:48] NIST is part of the U.S. Department of Commerce. Today, we will discuss some of the publicly available risk management frameworks and how they've evolved through the years and the new frameworks that address AI, as well. [4:05] You may remember Daniel from his appearance on an episode in April 2020, when he was with the National Cybersecurity Alliance. He is back to provide some new tips for the global risk management community. [4:18] Daniel Eliot, welcome back to RIMScast! [4:42] Justin and Daniel comment on some things that have changed since April 2020. Daniel was at the National Cybersecurity Alliance (NCA). [5:50] Now Daniel is the Lead for Small Business Engagement in the Applied Cybersecurity Division of The NIST. He shares his journey from NCA to NIST via the National Cybersecurity Center of Excellence, a NIST facility operated by Mitre. [6:52] Daniel is happy to be back supporting the small business community. [7:04] Daniel had worked in a small tech startup for almost seven years. He helped them scale the business and manage the development of their product. Next, Daniel joined the University of Delaware's Small Business Development Center, helping tech businesses start and scale. [8:16] Daniel applied for an SBA grant to help small businesses with cybersecurity. This was in 2014. The Cybersecurity Framework was published in 2014. Daniel applied the Cybersecurity Framework to small businesses. That started Daniel's career in small business cybersecurity. [9:32] There's a new NIST Risk Management Framework (RMF) Small Enterprise Quick Start Guide. Daniel's role at NIST is to coordinate across NIST, government, and the private sector, to create opportunities for the small business community to engage with NIST expertise. [10:19] The RMF Small Enterprise Quick Start Guide is a product of that coordination across NIST, government, and the private sector community. In February, NIST produced the Cybersecurity Framework 2.0 Small Business Quick Start Guide. [10:44] NIST decided to do a Quick Start Guide for a risk management framework for small to medium enterprises. The Risk Management Framework is a process. It's a holistic and repeatable seven-step process for managing security and privacy risks. [11:23] The NIST RMF Quick Start Guide provides an overview of the seven steps of the process, the foundational tasks for each step, tips for getting started with each step, a sample planning table, key terminology and definitions, questions to consider, and related resources. [11:53] It's RIMS plug time! Webinars! All RIMS Webinar registration pages are available at RIMS/org/Webinars. On August 27th, Riskonnect returns to discuss How To Successfully Deploy AI in Risk Management. [12:12] On September 5th, Merrill Herzog makes their RIMS Webinars debut with the Role of Insurance in Building Resilience Against an Active Assailant Attack. On September 19th, Origami Risk returns to deliver Leveraging Integrated Risk Management For Strategic Advantage. [12:28] Justin jumped ahead a bit. On September 12th, HUB International returns to deliver the third part of their Ready for Tomorrow series, Pivot and Swerve: Staying Agile During Shifting Market Dynamics. [12:44] Justin is delighted to be joined by the moderator for that session, the Chief Marketing Officer for Canada at HUB International, Linda Regner Dykeman. Justin welcomes Linda to RIMScast! [13:13] The webinar will be at 1:00 p.m. Eastern Time on September 12th. Linda says they will be discussing current market trends and challenges. The industry has been able to produce some very strong profits over the last few years. [13:29] The market needed correction after many years of unprofitability driven by weather events in the property line where rates seemed to be unsustainable. Casualty also had its issues, particularly with Directors and Officers Liability. [13:47] As a result of the profitability the industry was able to achieve over the last few years, most carriers have become more competitive in growing their books of business. This competition is not being seen in all lines, segments, or geographies. [14:04] Some catastrophe-prone zones such as BC and Alberta have not seen the same level of competition across the board. As the market transitions from a hard market to a competitive environment, there is some unusual and inconsistent behavior. [14:21] Carriers in Canada are being more flexible with their appetite. London is looking to grow significantly over the next couple of years with goals of hitting $100 billion by 2025. Add to that NGAs who are seeing their market share change as local carriers become more competitive. [14:39] As we transition out of what was considered to be a hard market, we see a lot of inconsistency in this market. [14:48] Add to this the supply chain issues, which are not what they once were, the economy is flat with spending, once normalized for an increase in population, it reflects that of a market in a recession. [15:02] We, as brokers are finding competitive solutions to protect our clients. We have to pivot and swerve to discover the right opportunities. [15:13] We had a significant rain event in Toronto, followed by one of the worst wildfires Jasper has ever seen, seemingly a once-in-a-hundred-year event; weather catastrophes are more severe and more frequent. [15:27] How is this going to change the availability of capacity and pricing? Time will tell, as insurers try to figure out if their pricing models included the right loadings for these events. [15:49] Being informed by what is happening in the market; the trends, the opportunities, what's available, and partnering with the right broker, will help a risk manager make an informed decision, appropriate for their business. [16:11] The panelists have decades of experience and expertise across North America. They work with clients, markets, and other experts and bring a much broader perspective and experience to this session. [16:26] Steve Pottle is the risk manager on the panel. He's been omnipresent in RIMS Canada for years. He's a former RIMS VP and is currently the Director for Risk and Safety Services at Thompson Rivers University. Justin says he's one of the best and Linda agrees. [16:57] Linda will moderate. She'll ask the panelists questions HUB International has received from its clients, based on what they are seeing happening in the environment around them. She would also like the audience to pose some questions. Audience participation is encouraged. [17:21] Justin thanks Linda Regner Dykeman of HUB International, and will see her again on September 12th, 2024 for the third installment of HUB's Ready for Tomorrow series, Pivot and Swerve: Staying Agile During Shifting Market Dynamics. [17:37] Let's return to today's interview with Daniel Eliot from NIST. [17:53] Daniel states that the Risk Management Framework is a repeatable seven-step process for managing security and privacy risks. It starts with preparation, categorizing, and understanding the information that your organization processes, stores, and transmits. [18:20] Then you select controls, and implement those controls to protect the security and privacy of the systems. Then you assess, authorize, and monitor the controls. Are the selected controls producing the desired results? Are there changes to the organization that require new controls? [18:45] You follow the seven steps of the framework in order and repeat them in a cycle. Keep going through it. Every organization regularly changes. Technologies change. People change. That's why the framework has to be repeatable and flexible. [19:05] NIST published this Risk Management Framework Smal Enterprise Quick Start Guide as a tool to raise awareness within the Small and Medium Enterprise (SME) Community about what the Risk Management Framework is and how to get started with it. [19:26] This Quick Start Guide is not intended to guide you on your journey from start to finish for a comprehensive risk management implementation. It is a starting point. [19:41] The Guide has an overview of the steps of the Risk Management Framework, some foundational tasks for each of the RMF steps, some tips for getting started, some sample planning tables, and graphics to help people understand concepts that might be new to them. [20:02] NIST spent a lot of time defining key terminology, extracting terms out of the Risk Management Framework, and highlighting them in this Quick Start Guide. There are phrases and terms in the Risk Management Framework that some people new to it might not understand. [20:24] For example, “authorization boundary.” The Guide highlights and illustrates what these terms mean in the Risk Management Framework and adds questions for organizations to consider and use internally for discussion. The answers may be different for every organization. [21:12] This Guide is a derivative tool from the existing publication that went out for public comment. The Quick Start Guide did not go out for public comment but NIST has circulated Quick Start Guides to some small businesses they know to make sure it's hitting the right note. [21:56] Daniel monitors commentary and looks at how the Guide is received out in the world once it's published. In every Quick Start Guide, there is an opportunity for people to contact NIST if they have questions or if there is an error. NIST is always open to feedback. [23:03] In small businesses, Daniel finds the owner or operator is the Chief Risk Officer, the Janitor, the CISO, and the Chief Marketing Officer. Anyone can use the Risk Management Framework. It's a process. [23:25] Federal agencies, contractors to the federal government, and other sources that use or operate a federal information system typically use the suite of NIST Risk Management Standards and Guidelines to develop and implement a risk-based approach. [23:48] A lot of the audience for this Small Enterprise Quick Start Guide might be small universities, small municipalities, or small federal agencies implementing this Risk Management Framework. [24:27] We have time for one more break! The Spencer Educational Foundation's goal is to help build a talent pipeline of risk management and insurance professionals. That is achieved, in part, by a collaboration with risk management and insurance educators across the U.S. and Canada. [24:45] Whether you want to apply for a grant, participate in the Risk Manager on Campus program, or just learn more about Spencer, visit SpencerEd.org. [24:55] On September 12th, 2024, we look forward to seeing you at the Spencer Funding Their Future Gala at The Cipriani 42nd Street in New York City. Our recent guest from Episode 293, Lilian Vanvieldt-Gray, will be our honoree. [25:11] Lilian is the Executive Vice President and Chief Diversity, Equity, and Inclusion Officer at Alliant Insurance Services and she will be honored for her valuable contributions to supporting the future of risk management and insurance. [25:28] That was a great episode, so after you finish this one, please go back and listen to Episode 293. [25:34] Let's conclude our interview with Daniel Eliot of NIST. [26:10] Daniel introduces the U.S. AI Safety Institute, housed within NIST. It's tasked with advancing the science, practice, and adoption of AI safety across the spectrum of risks, including those to national security, public safety, and individual rights. [26:39] The efforts of the U.S. AI Safety Institute initially focused on the priorities assigned to NIST under President Biden's Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. [26:51] On July 26th, 2024, they released resources for a variety of aspects of AI technology. Two are new to the public. The first is an initial public draft of a guidance document intended to help software developers mitigate the risks of generative AI and dual-use foundation models. [27:19] The other is a testing platform intended to help AI system users and developers measure how certain types of attacks can degrade the performance of an AI system. These are two opportunities for the public to provide comments on these publications and tools. [27:49] There is a link to the call for comments in this episode's show notes. [28:03] At NIST, foundational publications go out for public comment. NIST wants to hear from U.S. citizens and people all over the world to get their perspectives on NIST's approach to what they're addressing. This is a community effort. Comment periods are important. [28:37] From Daniel's perspective of small business, he seeks the comments of small businesses on these publications. Authors need to hear from organizations, large and small. [28:53] These two new publications are open for public comment. [28:59] three releases are final publications. One is The AI Risk Management Framework Generative AI Profile, which helps organizations identify unique risks posed by generative AI. It includes actions for generative AI risk management. [29:34] A second publication is the Secure Software Development Practices for Generative AI and Dual Use Foundation Models. It addresses concerns about Generative AI systems being compromised with malicious training data that would adversely affect system performance. [30:16] The third publication is A Plan for Global Engagement on AI Standards. It's intended to drive worldwide development and implementation of AI-related consensus standards. Standards require global input from businesses, governments, non-profits, and academia. [30:57] These three final publications have been informed by public comment periods. They're ready to hit the ground running and people can put them into action. [31:15] Daniel is part of the Applied Cybersecurity Division of NIST. The U.S. AI Safety Institute is a different part of NIST. [31:44] Every once in a while, public comments receive spammy messages. [32:23] Daniel says all cybersecurity and privacy risk management comes back to governance and having policies and procedures in place, knowing your contractual and legal responsibilities. Organizations need policies that guide behavior for the appropriate use of AI in their business. [32:59] Individuals in companies have pasted confidential company information into publicly available AI systems. That creates a vulnerability. Have a policy around the use of these tools. [33:31] Criminals have used AI to upgrade phishing scams, reduce grammatical errors, and craft more convincing appeals. [35:00] NIST is raising awareness of different ways of identifying phishing attacks besides looking for grammatical errors, such as looking at the links and the calls to action and other factors that show it is a phishing scam. AI is contributing to their increasing sophistication. [35:43] Daniel shares his tip for new risk professionals. Familiarize yourselves with the suite of resources that NIST has available for cybersecurity and privacy risk management. They have a broad variety of risk management frameworks and resources, like the Quick Start Guide. [36:42] There are online courses, extensive FAQs with answers, and archived talks from SMEs. Take advantage of these resources. Also, let NIST know what other resources might be helpful to you. The core of NIST guidance for any framework is good governance. [37:21] Understand your mission and requirements. Create and maintain policies for good behavior. Understand your supply chain dependencies and vulnerabilities. Good governance sets your organization up for success when implementing and monitoring risk-mitigating controls. [37:56] NIST offers consistent, clear, concise, and actionable resources to small businesses. Since 2018, they have maintained a website, NIST Small Business Cybersecurity Corner, with over 70 resources on the site, all tailored to small businesses. The Quick Start Guides are there. [38:32] The resources include short videos, tip sheets, case studies, and guidance organized by both topic and industry. All the resources are free and produced by federal agencies, such as NIST, FBI, CISA, as well as nonprofit organizations. It's a one-stop shop for this information. [39:04] The resources are regularly updated and expanded to keep the content fresh and relevant. The resource library has the Cybersecurity Basics Section, with eight basic steps businesses can inexpensively implement to reduce cybersecurity risks. [39:28] The Cybersecurity Framework Page highlights the CSF and small business resources related to the CSF. There is topical guidance on Multi-Factor Authentication, Ransomware, Phishing, Government Contracting Requirements, and Choosing a Vendor or Service Provider. [39:53] All the resources are available at NIST.gov/ITL/SmallBusinessCyber. The link is in this episode's show notes. The resources are there for you to use in your organization. [40:30] Justin says, “It has been such a pleasure to reconnect with you here on RIMScast! I always love it when you post on LinkedIn! I think you're great! You're keeping me informed. Happy National Cybersecurity Awareness Month to you!” [40:55] With developments in tech and AI, cybersecurity has taken a back seat, but Justin says it will come back pretty hard. Justin feels it will be sooner than four-and-a-half years for Daniel to return to RIMScast. [41:23] Whatever new technology comes out, cybercriminals are looking at it to see how they can exploit it. There will always be a cybersecurity component to it. [42:05] Daniel Eliot, thank you so much for rejoining us here on RIMScast! [42:10] Special thanks again to Daniel Eliot of NIST for rejoining us here on RIMScast. Lots of links are in this episode's show notes to aid small enterprise owners and risk professionals. [42:25] These resources are publicly available and complimentary, so by all means, use them and leverage them to ensure your organization's cyber resilience. I've got lots of links in this episode's show notes for more cybersecurity coverage from RIMS, as well. [42:44] It's RIMS plug time! The RIMS App is available to RIMS members exclusively. Go to the App Store and download the RIMS App with all sorts of RIMS resources and coverage. It's different from the RIMS Events App. Everyone loves the RIMS App! [43:18] You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes. RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [44:02] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [44:20] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [44:36] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org. [44:58] Thank you for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe! Mentioned in this Episode: DFW RIMS 2024 Fall Conference and Spa Event | Sept 19‒20 Chicagoland Risk Forum 2024 — Presented by RIMS Chicago Chapter — Sept. 19, 2024 RIMS Western Regional — Sept 29‒Oct 1, Oregon | Registration is open! RIMS Canada Conference 2024 — Oct. 6‒9 | Registration is open! Spencer Educational Foundation — Funding Their Future Gala 2024 | Sept. 12, 2024 RIMS ERM Conference 2024 will be in Boston, MA Nov. 18‒19 | Register Now RIMS ERM Award of Distinction — Nominations Open Through Aug. 30, 2024! RISKWORLD 2025 will be in Chicago! May 4‒7 Education Content Submissions for RISKWORLD 2025 NIST Risk Management Framework Small Enterprise Quick Start GuideCybersecurity Framework 2.0 Small Business Quick Start Guide NIST Small Business Cybersecurity Corner U.S. Artificial Intelligence Safety Institute New Guidance and Tools to mitigate AI Risks Managing Misuse Risk for Dual-Use Foundation Models Testing How AI System Models Respond to Attacks Users can send feedback to: dioptra@nist.gov RIMS DEI Council RIMS-Certified Risk Management Professional (RIMS-CRMP) RIMS Strategic & Enterprise Risk Center NEW FOR MEMBERS! RIMS Mobile App RIMS Webinars: How to Successfully Deploy AI in Risk Management | Sponsored by Riskonnect | Aug. 27, 2024 Role of Insurance in Building Resilience Against an Active Assailant Attack | Sponsored by Merrill Herzog | Sept. 5, 2024 HUB Ready for Tomorrow Series: Pivot and Swerve — Staying Agile During Shifting Market Dynamics | Sept. 12, 2024 Leveraging Integrated Risk Management For Strategic Advantage | Sponsored by Origami Risk | Sept. 19, 2024 RIMS.org/Webinars Upcoming Virtual Workshops: Leveraging Data and Analytics for Continuous Risk Management (Part I) 2024 — Aug 15 See the full calendar of RIMS Virtual Workshops RIMS-CRMP Prep Workshops Related RIMScast Episodes: “Daniel Eliot's 2020 RIMScast Debut: Cybersecurity Tips for Small Businesses” “300th Episode Spectacular with RIMS CEO Gary LaBranche” “Mid-Year Risk Update with Morgan O'Rourke and Hilary Tuttle” “Emerging Cyber Trends with Davis Hake” “Cybersecurity Awareness Month with Pamela Hans of Anderson Kill” Sponsored RIMScast Episodes: “Weathering Today's Property Claims Management Challenges” | Sponsored by AXA XL (New!) “Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company (New!) “Partnering Against Cyberrisk” | Sponsored by AXA XL (New!) “Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh “Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos “Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL “Elevating RMIS — The Archer Way” | Sponsored by Archer “Alliant's P&C Outlook For 2024” | Sponsored by Alliant “Why Subrogation is the New Arbitration” | Sponsored by Fleet Response “Cyclone Season: Proactive Preparation for Loss Minimization” | Sponsored by Prudent Insurance Brokers Ltd. “Subrogation and the Competitive Advantage” | Sponsored by Fleet Response “Cyberrisk Outlook 2023” | Sponsored by Alliant “Chemical Industry: How To Succeed Amid Emerging Risks and a Challenging Market” | Sponsored by TÜV SÜD “Insuring the Future of the Environment” | Sponsored by AXA XL “Insights into the Gig Economy and its Contractors” | Sponsored by Zurich “The Importance of Disaster Planning Relationships” | Sponsored by ServiceMaster RIMS Publications, Content, and Links: RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community! RIMS Virtual Workshops On-Demand Webinars RIMS-Certified Risk Management Professional (RIMS-CRMP) RIMS-CRMP Stories — New interviews featuring RIMS Risk Management Honor Roll Inductee Mrunal Pandit! RIMS Events, Education, and Services: RIMS Risk Maturity Model® RIMS Events App Apple | Google Play Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information. Want to Learn More? Keep up with the podcast on RIMS.org and listen on Spotify and Apple Podcasts. Have a question or suggestion? Email: Content@rims.org. Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn. About our guests: Daniel Eliot, Lead for Small Business Engagement Small Business Cybersecurity CornerApplied Cybersecurity DivisionNational Institute of Standards and Technology U.S. Department of Commerce Linda Regner Dykeman, HUB International, Chief Marketing Officer for Canada Tweetables (Edited For Social Media Use): I'm happy to be back at NIST, supporting the small business community. — Daniel Eliot The industry has been able to produce some very strong profits over the last few years, after many years of unprofitability driven by weather events in the property line. — Linda Regner Dykeman Follow the seven steps of the framework in order and repeat them in a cycle. Keep going through it. Every organization regularly changes. Technologies change. People change. That's why it has to be repeatable and flexible. — Daniel Eliot There are phrases and terms associated with the Risk Management Framework that some people who are new to this might not understand. — Daniel Eliot When talking about small businesses, the owner or operator is the Chief Risk Officer, the Janitor, the CISO, and the Chief Marketing Officer. — Daniel Eliot An AI system is only as good as the information that's put into it. — Daniel Eliot
Join Sean Martin and TAPE3 as they dive into key insights from Black Hat 2024, highlighting the crucial need to embed cybersecurity into core business practices to drive growth and resilience. Discover how leveraging AI, modular frameworks, and human expertise can transform cybersecurity from a defensive function into a strategic enabler of business success.________This fictional story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn.Sincerely, Sean Martin and TAPE3________Sean Martin is the host of the Redefining CyberSecurity Podcast, part of the ITSPmagazine Podcast Network—which he co-founded with his good friend Marco Ciappelli—where you may just find some of these topics being discussed. Visit Sean on his personal website.TAPE3 is the Artificial Intelligence for ITSPmagazine, created to function as a guide, writing assistant, researcher, and brainstorming partner to those who adventure at and beyond the Intersection Of Technology, Cybersecurity, And Society. Visit TAPE3 on ITSPmagazine.Follow our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas
Our new episode of the Wolf Theiss Soundshot Podcast is the sixth one in our "Digital Law" series.In this episode, Roland Marko and Lisa Bernsteiner discuss the EU's new cybersecurity framework and examine the latest legal acts designed to enhance protection against the increasing number and sophistication of cyberattacks across EU countries. This includes the NIS2 Directive, which establishes a stricter framework with comprehensive compliance and reporting obligations for a much broader range of companies, including those within the supply chain.Our experts also discuss the Critical Entities Resilience (CER) Directive, aimed at ensuring the maintenance of vital societal functions and economic activities, the Digital Operational Resilience Act (DORA), which focuses on managing ICT risks in the financial services sector, the Cyber Resilience Act and other EU acts containing cybersecurity provisions, such as the Machinery Regulation, the Data Act and the AI Act.Tune in to learn more about the EU's approach to tackling cyber threats, how it may impact your organisation, and how to start preparing for these new comprehensive compliance requirements. Listen to the new podcast episode on our website, Spotify, Apple Podcasts, Google Podcasts or Amazon Music under “Wolf Theiss Soundshot”.If you have any questions, please do not hesitate to contact us at soundshot@wolftheiss.com.
NIST's new Cybersecurity Framework published earlier this year gives organizations a new set of harmonized cybersecurity guidelines and best practices. It's the first major update in 10 years and broadens its scope beyond critical infrastructure entities. Cherilyn Pascoe, director of NIST's Cybersecurity Center of Excellence, had a large role in developing the new framework. She said the plan emphasizes the importance of cybersecurity in an evolving technological environment and discusses how others can tailor it to their organizations across missions. Pascoe also highlights a growing focus in broader cybersecurity priorities around post-quantum cryptography and AI, and explains how NIST's Center of Excellence is developing additional guidance for the community.
Lots of people pay attention to the Cybersecurity Framework from the National Institute of Standards and Technology. NIST came out with a major update recently. The first such update since 2018. For an analysis of what's changed, Federal Drive Host Tom Temin spoke with attorney Lance Taubin, senior associate on the Cyber and Data Team at Alston and Bird. Learn more about your ad choices. Visit megaphone.fm/adchoices
Lots of people pay attention to the Cybersecurity Framework from the National Institute of Standards and Technology. NIST came out with a major update recently. The first such update since 2018. For an analysis of what's changed, Federal Drive Host Tom Temin spoke with attorney Lance Taubin, senior associate on the Cyber and Data Team at Alston and Bird. Learn more about your ad choices. Visit podcastchoices.com/adchoicesSee Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
Bob Metzger, shareholder at Rogers Joseph O'Donnell, joins Off the Shelf this week and provides his incisive analysis and insights regarding the federal government's cybersecurity framework.Metzger outlines the complex, ever-changing threat environment facing government and industry. From near peer adversaries to independent criminal elements, he frames the threat against the government's ongoing program and regulatory cyber initiatives.Metzger analyzes the government's underlying cyber strategy currently being implemented through procurement regulation, and he gives his take on the FAR's cybersecurity regulations/clauses and the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program.Metzger also shares his thoughts regarding the impact of the cyber regulatory framework's impact on small businesses and the government's long term access to commercial innovation, and whether the government should move to a more “performance-based approach” to cybersecurity versus the current more prescriptive model outlined in a host of proposed rules. Learn more about your ad choices. Visit podcastchoices.com/adchoicesSee Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
Bob Metzger, shareholder at Rogers Joseph O'Donnell, joins Off the Shelf this week and provides his incisive analysis and insights regarding the federal government's cybersecurity framework. Metzger outlines the complex, ever-changing threat environment facing government and industry. From near peer adversaries to independent criminal elements, he frames the threat against the government's ongoing program and regulatory cyber initiatives. Metzger analyzes the government's underlying cyber strategy currently being implemented through procurement regulation, and he gives his take on the FAR's cybersecurity regulations/clauses and the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program. Metzger also shares his thoughts regarding the impact of the cyber regulatory framework's impact on small businesses and the government's long term access to commercial innovation, and whether the government should move to a more “performance-based approach” to cybersecurity versus the current more prescriptive model outlined in a host of proposed rules.
Guest: Nitin Raina, Global CISO, Thoughtworks [@thoughtworks]On LinkedIn | https://www.linkedin.com/in/nnraina/____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinView This Show's Sponsors___________________________Episode NotesIn this episode of the Redefining Cybersecurity Podcast, host Sean Martin connects with Nitin Raina, the global Chief Information Security Officer (CISO) for ThoughtWorks. The discussion centers around Nitin's innovative approaches to transforming and elevating cybersecurity, drawing from his rich experience and strategic mindset. Nitin shares his journey in cybersecurity, emphasizing the evolution of the security program under his leadership. He discusses the significance of adapting a business-centric approach to cybersecurity, breaking away from conventional, technology-focused strategies. This includes the development and successful implementation of a business security maturity model designed to align with the organization's diverse, global operations.A notable aspect of Nitin's strategy is the emphasis on leadership activation and the importance of governance in driving cybersecurity initiatives. By fostering a culture of security ownership across all levels of leadership and the broader organization, Nitin underscores the transformational shift in how cybersecurity is perceived and managed within ThoughtWorks. He highlights the collaborative efforts with different departments, such as IT operations and legal compliance, to ensure a cohesive approach to protecting the organization's 'crown jewels.' Through anecdotes and examples, Nitin illustrates the impact of these strategies on enhancing security awareness, decision-making, and operational effectiveness across the company.The conversation also touches on the technical side, discussing the role of developers within the cybersecurity landscape and the utilization of contemporary technologies and frameworks to bolster the security posture. The episode concludes with insights into the future of cybersecurity, advocating for a more integrated and business-aligned approach. Nitin's reflections on the journey and achievements of his company's cybersecurity initiatives provide valuable lessons for organizations aiming to redefine their security strategies in a rapidly evolving digital world.Key Questions AddressedHow did Nitin Raina's leadership and strategies transform the cybersecurity posture at his company?What role does leadership activation play in redefining cybersecurity across an organization?How can cybersecurity be aligned with business strategies to foster growth and innovation?___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
Guest: Nitin Raina, Global CISO, Thoughtworks [@thoughtworks]On LinkedIn | https://www.linkedin.com/in/nnraina/____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinView This Show's Sponsors___________________________Episode NotesIn this episode of the Redefining Cybersecurity Podcast, host Sean Martin connects with Nitin Raina, the global Chief Information Security Officer (CISO) for ThoughtWorks. The discussion centers around Nitin's innovative approaches to transforming and elevating cybersecurity, drawing from his rich experience and strategic mindset. Nitin shares his journey in cybersecurity, emphasizing the evolution of the security program under his leadership. He discusses the significance of adapting a business-centric approach to cybersecurity, breaking away from conventional, technology-focused strategies. This includes the development and successful implementation of a business security maturity model designed to align with the organization's diverse, global operations.A notable aspect of Nitin's strategy is the emphasis on leadership activation and the importance of governance in driving cybersecurity initiatives. By fostering a culture of security ownership across all levels of leadership and the broader organization, Nitin underscores the transformational shift in how cybersecurity is perceived and managed within ThoughtWorks. He highlights the collaborative efforts with different departments, such as IT operations and legal compliance, to ensure a cohesive approach to protecting the organization's 'crown jewels.' Through anecdotes and examples, Nitin illustrates the impact of these strategies on enhancing security awareness, decision-making, and operational effectiveness across the company.The conversation also touches on the technical side, discussing the role of developers within the cybersecurity landscape and the utilization of contemporary technologies and frameworks to bolster the security posture. The episode concludes with insights into the future of cybersecurity, advocating for a more integrated and business-aligned approach. Nitin's reflections on the journey and achievements of his company's cybersecurity initiatives provide valuable lessons for organizations aiming to redefine their security strategies in a rapidly evolving digital world.Key Questions AddressedHow did Nitin Raina's leadership and strategies transform the cybersecurity posture at his company?What role does leadership activation play in redefining cybersecurity across an organization?How can cybersecurity be aligned with business strategies to foster growth and innovation?___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
¡APRENDE SecTY Podcast! EP4.11: Lo nuevo sobre el Cybersecurity Framework 2.0 del NIST Ya sabes cual es lo nuevo del Cybersecurity Framework del NIST, pues yo te resalto hoy mi parte favorita. Escucha los detalles en este episodio presentado por Aeronet. Este episodio es presentado por AeroNet. Empresa de tecnología 100% puertorriqueña, líder en soluciones de conectividad para negocios y residencias en Puerto Rico. Go Faster, Go Save. AeroNet Wireless - Reliable High Speed Internet (aeronetpr.com) Marco de Referencia de Ciberseguridad del NIST 2.0: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf Te invito a que te registres al nuevo taller del 2024: Evita ser victima de un fraude cibernético. è 18 de abril 2024 è 7:00PM è Por Zoom Regístrate aquí: https://bit.ly/EvitaSerVictimaDeUnFraude Si deseas orientación o evaluación sobre ciberseguridad para tu negocio o capacitar a tus empleados sobre seguridad de información en tu negocio, entra a nuestra página en https://wwwaprendesecty.com o escríbeme a aprende@sectycs.com para poder ayudarte porque ofrecemos capacitación de seguridad a grupos de usuarios para pequeños negocios. Si quieres ver el video completo de las diferencias mas importantes entre las versiones de CSF 1.0 & 2.0 del NIST, SUSCRIBETE en nuestro canal de YouTube Aprende SecTY: https://www.youtube.com/channel/UC1E9yilgLf5HZMQVDf_ViRw Recuerda: Síguenos en Facebook, Instagram, X y LinkedIN como: @SecTYCS Envíame tus preguntas o recomendaciones a: itsec@sectycs.com Deja tu reseña en iTunes/Apple Podcast y compártelo con personas que necesiten mejorar la seguridad en su negocio y en su vida. Puedes escucharnos también por medio de: iTunes/Apple Podcast, Spotify, Google Podcast, Amazon Music y iHeartRadio.
Podcast: Control Loop: The OT Cybersecurity Podcast (LS 34 · TOP 3% what is this?)Episode: Addressing maritime cyber threats.Pub date: 2024-03-06NIST releases Cybersecurity Framework 2.0. Biden administration issues executive order on maritime cybersecurity. Suspected Chinese threat actor continues to exploit Ivanti vulnerabilities. ThyssenKrupp sustains ransomware attack. Guests Liz Martin, Global Advisory Solution Architect at Dragos, and Blake Benson, Senior Director at ABS Group, talk through the latest Maritime Executive Order. . The Learning Lab is taking a break and will return soon. Stay tuned.Control Loop News Brief.NIST releases Cybersecurity Framework 2.0.NIST Releases Version 2.0 of Landmark Cybersecurity Framework (NIST)Biden administration issues executive order on maritime cybersecurity.On-the-Record Press Call on the Biden-Harris Administration Initiative to Bolster the Cybersecurity of U.S. Ports (The White House)Biden to sign executive order on US port cybersecurity targeting Chinese-manufactured shipping cranes (CNBC)Suspected Chinese threat actor continues to exploit Ivanti vulnerabilities.Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts (Mandiant)ThyssenKrupp sustains ransomware attack.German Steelmaker Thyssenkrupp Confirms Ransomware Attack (SecurityWeek)Control Loop Interview.Guests Liz Martin, Global Advisory Solution Architect at Dragos, and Blake Benson, Senior Director at ABS Group, talk through the latest Maritime Executive Order. For more information, review the Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States and White House's FACT SHEET: Biden-Harris Administration Announces Initiative to Bolster Cybersecurity of U.S. Ports. Control Loop Learning Lab.The Learning Lab is on break and will return in the near future. Stay tuned. Control Loop Audience Survey.Please take a moment to fill out our super quick survey. Thanks!Control Loop OT Cybersecurity Briefing.A companion monthly newsletter is available through free subscription and on N2K Networks website.The podcast and artwork embedded on this page are from N2K Networks, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Podcast: Control Loop: The OT Cybersecurity Podcast (LS 35 · TOP 3% what is this?)Episode: Addressing maritime cyber threats.Pub date: 2024-03-06NIST releases Cybersecurity Framework 2.0. Biden administration issues executive order on maritime cybersecurity. Suspected Chinese threat actor continues to exploit Ivanti vulnerabilities. ThyssenKrupp sustains ransomware attack. Guests Liz Martin, Global Advisory Solution Architect at Dragos, and Blake Benson, Senior Director at ABS Group, talk through the latest Maritime Executive Order. The Learning Lab is taking a break and will return soon. Stay tuned.Control Loop News Brief.NIST releases Cybersecurity Framework 2.0.NIST Releases Version 2.0 of Landmark Cybersecurity Framework (NIST)Biden administration issues executive order on maritime cybersecurity.On-the-Record Press Call on the Biden-Harris Administration Initiative to Bolster the Cybersecurity of U.S. Ports (The White House)Biden to sign executive order on US port cybersecurity targeting Chinese-manufactured shipping cranes (CNBC)Suspected Chinese threat actor continues to exploit Ivanti vulnerabilities.Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts (Mandiant)ThyssenKrupp sustains ransomware attack.German Steelmaker Thyssenkrupp Confirms Ransomware Attack (SecurityWeek)Control Loop Interview.Guests Liz Martin, Global Advisory Solution Architect at Dragos, and Blake Benson, Senior Director at ABS Group, talk through the latest Maritime Executive Order. For more information, review the Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States and White House's FACT SHEET: Biden-Harris Administration Announces Initiative to Bolster Cybersecurity of U.S. Ports. Control Loop Learning Lab.The Learning Lab is on break and will return in the near future. Stay tuned. Control Loop Audience Survey.Please take a moment to fill out our super quick survey. Thanks!Control Loop OT Cybersecurity Briefing.A companion monthly newsletter is available through free subscription and on N2K Networks website.The podcast and artwork embedded on this page are from N2K Networks, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
The United States is in the process of rolling out a sweeping regulation for personal data transfers. But the rulemaking is getting limited attention because it targets transfers to our rivals in the new Cold War – China, Russia, and their allies. Adam Hickey, whose old office is drafting the rules, explains the history of the initiative, which stems from endless Committee on Foreign Investment in the United States efforts to impose such controls on a company-by-company basis. Now, with an executive order as the foundation, the Department of Justice has published an advance notice of proposed rulemaking that promises what could be years of slow-motion regulation. Faced with a similar issue—the national security risk posed by connected vehicles, particularly those sourced in China—the Commerce Department issues a laconic notice whose telegraphic style contrasts sharply with the highly detailed Justice draft. I take a stab at the riskiest of ventures—predicting the results in two Supreme Court cases about social media regulations adopted by Florida and Texas. Four hours of strong appellate advocacy and a highly engaged Court make predictions risky, but here goes. I divide the Court into two camps—the Justices (Thomas, Alito, probably Gorsuch) who think that the censorship we should worry about comes from powerful speech-monopolizing platforms and the Justices (Kavanagh, the Chief) who see the cases through a lens that values corporate free speech. Many of the remainder (Kagan, Sotomayor, Jackson) see social media content moderation as understandable and justified, but they're uneasy about the power of large platforms and reluctant to grant a sweeping immunity to those companies. To my mind, this foretells a decision striking down the laws insofar as they restrict content moderation. But that decision won't resolve all the issues raised by the two laws, and industry's effort to overturn them entirely on the current record is also likely to fail. There are too many provisions in those laws that some of the justices considered reasonable for Netchoice to win a sweeping victory. So I look for an opinion that rejects the “private censorship” framing but expressly leaves open or even approves other, narrower measures disciplining platform power, leaving the lower courts to deal with them on remand. Kurt Sanger and I dig into the Securities Exchange Commission's amended complaint against Tim Brown and SolarWinds, alleging material misrepresentation with respect to company cybersecurity. The amended complaint tries to bolster the case against the company and its CISO, but at the end of the day it's less than fully persuasive. SolarWinds didn't have the best security, and it was slow to recognize how much harm its compromised software was causing its customers. But the SEC's case for disclosure feels like 20-20 hindsight. Unfortunately, CISOs are likely to spend the next five years trying to guess which intrusions will look bad in hindsight. I cover the National Institute of Standards and Technology's (NIST) release of version 2.0 of the Cybersecurity Framework, particularly its new governance and supply chain features. Adam reviews the latest update on section 702 of FISA, which likely means the program will stumble into 2025, thanks to a certification expected in April. We agree that Silicon Valley is likely to seize on the opportunity to engage in virtue-signaling litigation over the final certification. Kurt explains the remarkable power of adtech data for intelligence purposes, and Senator Ron Wyden's (D-OR) effort to make sure such data is denied to U.S. agencies but not to the rest of the world. He also pulls Adam and me into the debate over whether we need a federal backup for cyber insurance. Bruce Schneier thinks we do, but none of us is persuaded. Finally, Adam and I consider the divide between CISA and GOP election officials. We agree that it has its roots in CISA's imprudently allowing election security mission creep, from the cybersecurity of voting machines to trying to combat “malinformation,” otherwise known as true facts that the administration found inconvenient. We wish CISA well in the vital job of protecting voting machines and processes, as long as it manages in this cycle to stick to its cyber knitting. Download 494th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets
The United States is in the process of rolling out a sweeping regulation for personal data transfers. But the rulemaking is getting limited attention because it targets transfers to our rivals in the new Cold War – China, Russia, and their allies. Adam Hickey, whose old office is drafting the rules, explains the history of the initiative, which stems from endless Committee on Foreign Investment in the United States efforts to impose such controls on a company-by-company basis. Now, with an executive order as the foundation, the Department of Justice has published an advance notice of proposed rulemaking that promises what could be years of slow-motion regulation. Faced with a similar issue—the national security risk posed by connected vehicles, particularly those sourced in China—the Commerce Department issues a laconic notice whose telegraphic style contrasts sharply with the highly detailed Justice draft. I take a stab at the riskiest of ventures—predicting the results in two Supreme Court cases about social media regulations adopted by Florida and Texas. Four hours of strong appellate advocacy and a highly engaged Court make predictions risky, but here goes. I divide the Court into two camps—the Justices (Thomas, Alito, probably Gorsuch) who think that the censorship we should worry about comes from powerful speech-monopolizing platforms and the Justices (Kavanagh, the Chief) who see the cases through a lens that values corporate free speech. Many of the remainder (Kagan, Sotomayor, Jackson) see social media content moderation as understandable and justified, but they're uneasy about the power of large platforms and reluctant to grant a sweeping immunity to those companies. To my mind, this foretells a decision striking down the laws insofar as they restrict content moderation. But that decision won't resolve all the issues raised by the two laws, and industry's effort to overturn them entirely on the current record is also likely to fail. There are too many provisions in those laws that some of the justices considered reasonable for Netchoice to win a sweeping victory. So I look for an opinion that rejects the “private censorship” framing but expressly leaves open or even approves other, narrower measures disciplining platform power, leaving the lower courts to deal with them on remand. Kurt Sanger and I dig into the Securities Exchange Commission's amended complaint against Tim Brown and SolarWinds, alleging material misrepresentation with respect to company cybersecurity. The amended complaint tries to bolster the case against the company and its CISO, but at the end of the day it's less than fully persuasive. SolarWinds didn't have the best security, and it was slow to recognize how much harm its compromised software was causing its customers. But the SEC's case for disclosure feels like 20-20 hindsight. Unfortunately, CISOs are likely to spend the next five years trying to guess which intrusions will look bad in hindsight. I cover the National Institute of Standards and Technology's (NIST) release of version 2.0 of the Cybersecurity Framework, particularly its new governance and supply chain features. Adam reviews the latest update on section 702 of FISA, which likely means the program will stumble into 2025, thanks to a certification expected in April. We agree that Silicon Valley is likely to seize on the opportunity to engage in virtue-signaling litigation over the final certification. Kurt explains the remarkable power of adtech data for intelligence purposes, and Senator Ron Wyden's (D-OR) effort to make sure such data is denied to U.S. agencies but not to the rest of the world. He also pulls Adam and me into the debate over whether we need a federal backup for cyber insurance. Bruce Schneier thinks we do, but none of us is persuaded. Finally, Adam and I consider the divide between CISA and GOP election officials. We agree that it has its roots in CISA's imprudently allowing election security mission creep, from the cybersecurity of voting machines to trying to combat “malinformation,” otherwise known as true facts that the administration found inconvenient. We wish CISA well in the vital job of protecting voting machines and processes, as long as it manages in this cycle to stick to its cyber knitting. Download 494th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets
NIST releases Cybersecurity Framework 2.0. Biden administration issues executive order on maritime cybersecurity. Suspected Chinese threat actor continues to exploit Ivanti vulnerabilities. ThyssenKrupp sustains ransomware attack. Guests Liz Martin, Global Advisory Solution Architect at Dragos, and Blake Benson, Senior Director at ABS Group, talk through the latest Maritime Executive Order. The Learning Lab is taking a break and will return soon. Stay tuned. Control Loop News Brief. NIST releases Cybersecurity Framework 2.0. NIST Releases Version 2.0 of Landmark Cybersecurity Framework (NIST) Biden administration issues executive order on maritime cybersecurity. On-the-Record Press Call on the Biden-Harris Administration Initiative to Bolster the Cybersecurity of U.S. Ports (The White House) Biden to sign executive order on US port cybersecurity targeting Chinese-manufactured shipping cranes (CNBC) Suspected Chinese threat actor continues to exploit Ivanti vulnerabilities. Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts (Mandiant) ThyssenKrupp sustains ransomware attack. German Steelmaker Thyssenkrupp Confirms Ransomware Attack (SecurityWeek) Control Loop Interview. Guests Liz Martin, Global Advisory Solution Architect at Dragos, and Blake Benson, Senior Director at ABS Group, talk through the latest Maritime Executive Order. For more information, review the Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States and White House's FACT SHEET: Biden-Harris Administration Announces Initiative to Bolster Cybersecurity of U.S. Ports. Control Loop Learning Lab. The Learning Lab is on break and will return in the near future. Stay tuned. Control Loop Audience Survey. Please take a moment to fill out our super quick survey. Thanks! Control Loop OT Cybersecurity Briefing. A companion monthly newsletter is available through free subscription and on N2K Networks website.
On today's episode of the Business of Tech, key updates include the unveiling of Cybersecurity Framework 2.0 by the National Institute for Standards and Technology, addressing supply chain risks and introducing the govern function. Lockbit's resurgence and exploits targeting unpatched ConnectWise Screen Connect flaws are discussed. Additionally, KKR is set to acquire VMware's end-user computing business for $4 billion. The episode also delves into the Biden robocall incident and the implications of deepfake technology.Four things to know today00:00 Cybersecurity Framework 2.0 Unveiled: NIST Addresses Supply Chain Risks, Introduces Govern Function03:29 Lockbit's Comeback and Unpatched ConnectWise ScreenConnect Flaws Exploited by Hackers04:45 KKR Set to Acquire VMware's End User Computing Business for $4 Billion07:37 From Deepfake to Deep Trouble: The Biden Robocall Incident Unfolds Supported by: https://coreview.com/msp/ Looking for a link from the stories? The entire script of the show, with links to articles, are posted in each story on https://www.businessof.tech/ Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/ Support the show on Patreon: https://patreon.com/mspradio/ Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com Follow us on:LinkedIn: https://www.linkedin.com/company/28908079/YouTube: https://youtube.com/mspradio/Facebook: https://www.facebook.com/mspradionews/Instagram: https://www.instagram.com/mspradio/TikTok: https://www.tiktok.com/@businessoftech
The National Institute of Standards and Technology is out with a major update to its landmark Cybersecurity Framework. But the key changes in “CSF 2.0” aren't major shifts in cybersecurity best practices. Instead, officials point out that the new document reflects the broad use of the framework across different industries and technologies, as well as the deepening push to regulate cybersecurity in many sectors. NIST released the CSF 2.0 today, culminating a two-year effort to update a framework that was first published in 2014. Learn more about your ad choices. Visit megaphone.fm/adchoices
The National Institute of Standards and Technology is out with a major update to its landmark Cybersecurity Framework.But the key changes in “CSF 2.0” aren't major shifts in cybersecurity best practices. Instead, officials point out that the new document reflects the broad use of the framework across different industries and technologies, as well as the deepening push to regulate cybersecurity in many sectors.NIST released the CSF 2.0 today, culminating a two-year effort to update a framework that was first published in 2014. Learn more about your ad choices. Visit podcastchoices.com/adchoicesSee Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
NIST's Cybersecurity Framework gets an upgrade. ONCD makes a case against memory-related software bugs. A recent cyberattack targets Canada's Royal Canadian Mounted Police. US dethrones Russia as top target in cyber breaches. Caveat podcast cohost Ben Yelin discusses remedies in the generative AI copyright cases.And, Reggaeton Be Gone, a creative way to deal with your neighbors' music choices. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Ben Yelin, cohost of Caveat podcast and Program Director, Public Policy & External Affairs at University of Maryland Center for Health and Homeland Security, thinking about remedies in the generative AI copyright cases. You can find the Lawfare article Ben references here. Selected Reading NIST Releases Version 2.0 of Landmark Cybersecurity Framework (NIST) After decades of memory-related software bugs, White House calls on industry to act (The Record) Canada's RCMP, Global Affairs Hit by Cyberattacks (SecurityWeek) A cyber attack hit the Royal Canadian Mounted Police (Security Affairs) UK email mistake put ‘lives at risk' for Afghans who had worked with British military (The Record) Russia and Belarus targeted by at least 14 nation-state hacker groups, researchers say (The Record) Number of data breaches falls globally, triples in the US (TechSpot) Steel giant ThyssenKrupp confirms cyberattack on automotive division (Bleeping Computer) The Change Healthcare cyberattack is still impacting pharmacies. It's a bigger deal than you think (Fast Company) US Pharmacy Outage Triggered by 'Blackcat' Ransomware at UnitedHealth Unit, Sources Say (US News and World Report) Getting Ahead of Cybersecurity Materiality Mayhem (Security Boulevard) Raspberry Pi maker builds device to hack neighbor's Bluetooth speakers that were streaming annoying music (TechSpot) Reggaeton Be Gone (Hackster.io) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
CyberIntel - Talking Cybersecurity and Compliance (Presented by VikingCloud)
In this episode of CyberIntel, Brian Odian explores this recently released ransomware profile, which claims it can help organizations mitigate ransomware threats. If you have any questions you want answered on CyberIntel, email us at cyberintel@vikingcloud.com and our experts will be in touch - we may even make it the subject of a future episode! CyberIntel provides a deep dive into the world of cybersecurity and compliance. Hosted by Brian Odian, VikingCloud's Director of Managed Compliance Services APAC, amongst other cybersecurity and compliance expert advisors, we explore the nuances of various compliance standards and the latest in cybersecurity news, trends and threats. New episodes every two weeks! CyberIntel is presented by VikingCloud. VikingCloud is leading the Predict-to-Prevent cybersecurity and compliance company, offering businesses a single, integrated solution to make informed, predictive, and cost-effective risk mitigation decisions - faster. VikingCloud is the one-stop partner trusted by 4+ million customers every day to provide the predictive intelligence and competitive edge they need to stay one step ahead of cybersecurity and compliance disruption to their business.
Alex Canizares, partner at Perkins Coie, joins Off the Shelf for a discussion of the evolving cybersecurity framework and what it means for government contractors. Cybersecurity has become a foundational performance requirement for government contractors. In a wide-ranging discussion Canizares first addresses the cybersecurity basics starting with what is controlled unclassified information and moving on to discuss the basics of NIST 800-171, the standard FAR based safeguarding clause, and the DFARS clauses. He also provides some historical context, discussing the role of Executive Order 14028 (May 2021) and the White House National Cybersecurity Strategy (March 2023). Canizares highlights the government's keen focus on cybersecurity compliance, pointing to the Department of Justice's (DOJ's) Civil Cyber-Frand Initiative. DOJ's Civil Cyber-Fraud Initiative brings the Civil False Claims Act (FCA) front and center as an enforcement tool for cybersecurity compliance in government contracts. Finally Canizares outlines the risks to government contractors and shares best practices for mitigating those risks, and provides his thoughts and analysis of two new proposed FAR rules addressing cybersecurity and reporting: The cyber incident and information sharing Standardizing cybersecurity requirements for unclassified federal information.
Alex Canizares, partner at Perkins Coie, joins Off the Shelf for a discussion of the evolving cybersecurity framework and what it means for government contractors.Cybersecurity has become a foundational performance requirement for government contractors. In a wide-ranging discussion Canizares first addresses the cybersecurity basics starting with what is controlled unclassified information and moving on to discuss the basics of NIST 800-171, the standard FAR based safeguarding clause, and the DFARS clauses.He also provides some historical context, discussing the role of Executive Order 14028 (May 2021) and the White House National Cybersecurity Strategy (March 2023). Canizares highlights the government's keen focus on cybersecurity compliance, pointing to the Department of Justice's (DOJ's) Civil Cyber-Frand Initiative. DOJ's Civil Cyber-Fraud Initiative brings the Civil False Claims Act (FCA) front and center as an enforcement tool for cybersecurity compliance in government contracts. Finally Canizares outlines the risks to government contractors and shares best practices for mitigating those risks, and provides his thoughts and analysis of two new proposed FAR rules addressing cybersecurity and reporting: The cyber incident and information sharing Standardizing cybersecurity requirements for unclassified federal information. Learn more about your ad choices. Visit podcastchoices.com/adchoicesSee Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
In this episode of the TechTank Podcast, co-Host Nicol Turner Lee discusses what is new in the more recently updated Cybersecurity Framework 2.0. Joining the podcast to discuss those changes is Cherilyn Pascoe, Director of the National Cybersecurity Center of Excellence, National Institute of Standards and Technology (NIST), who also shares resources and tools that all organizations of any size and sector can access. Hosted on Acast. See acast.com/privacy for more information.
The cybersecurity team at the National Institute of Standards and Technology (NIST), is about to finalize a new version of a signature document: The Cybersecurity Framework. Next week it holds a workshop to get one last round of input on the new framework draft. For more, Federal Drive Host Tom Temin spoke with Kevin Stine, the Chief of NIST's Applied Cybersecurity Division. Learn more about your ad choices. Visit podcastchoices.com/adchoicesSee Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
The cybersecurity team at the National Institute of Standards and Technology (NIST), is about to finalize a new version of a signature document: The Cybersecurity Framework. Next week it holds a workshop to get one last round of input on the new framework draft. For more, Federal Drive Host Tom Temin spoke with Kevin Stine, the Chief of NIST's Applied Cybersecurity Division. Learn more about your ad choices. Visit megaphone.fm/adchoices
Summary: In this month's Digital Health Roundup, Medtech Insight's Marion Webb highlights VR, AI and other high tech trends in rehabilitation and gait training. Hannah Daniel discusses cybersecurity updates such as the new NIST published draft for an updated version of the Cybersecurity Framework, a recent report by Health-ISAC, and an interview with MedCrypt's Naomi Schwartz about the upcoming FDA cybersecurity regulations for premarket approvals. Medtech Insight articles addressing topics discussed in this episode: GaitBetter On Mission To Bring VR, AI-Based Solution To Gait Training; Will Physical Therapists Pay For It? ReWalk Robotics' Planned Acquisition Of Anti-Gravity Maker AlterG For $19M Paves Way To Profitability NIST Cybersecurity Framework 2.0 Expands Guidance's Scope, Introduces ‘Govern' Function Vulnerabilities Up 59%: The State Of Healthcare Cybersecurity In 2023 Cybersecurity Expert Says eSTAR Requirement Will Push FDA, Industry In Positive Direction
Two things to know today00:00 NIST Releases Draft Update to Cybersecurity Framework, Adding a 'Govern' Pillar03:41 SaaS Companies Face Growth Challenges as Net Retention Rate SlipsAdvertiser: https://www.cynomi.com/how-to-add-vciso-services/https://partnerhero.com/businessoftech/Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/Support the show on Patreon: https://patreon.com/mspradio/Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.comFollow us on:Facebook: https://www.facebook.com/mspradionews/Twitter: https://twitter.com/mspradionews/Instagram: https://www.instagram.com/mspradio/LinkedIn: https://www.linkedin.com/company/28908079/
Guests: Cat Self, Principal Adversary Emulation Engineer, MITRE [@MITREcorp]On Linkedin | https://www.linkedin.com/in/coolestcatiknow/On Twitter | https://twitter.com/coolestcatiknowKate Esprit, Senior Cyber Threat Intelligence Analyst at MITRE [@MITREcorp]On Linkedin | https://www.linkedin.com/in/kate-e-2b262695/____________________________Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast and Audio Signals PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________This Episode's SponsorsIsland.io | https://itspm.ag/island-io-6b5ffd____________________________Episode NotesIn this new Chats on the Road to Black Hat USA 2023 on the ITSPmagazine Podcast Network, hosts Sean and Marco are joined by Cat and Kate from MITRE to discuss the world of adversary emulation and its importance in improving cybersecurity. The conversation covers MITRE's role as an industry thought leader and their focus on making the cyber world a safer place. They explain how MITRE ATT&CK, a framework based on observations from blue and red engagements, led to the development of ATT&CK evaluations, which aim to raise the standard of the industry and provide transparency. The hosts and guests emphasize the need for transparency in adversary emulation and how MITRE releases their methodology, results, and code to make the practice more accessible.The group also discusses the challenges faced in aligning emulation plans with the diverse and unique solutions deployed by different vendors and the importance of maintaining the integrity of what the adversaries would actually do. The conversation also touches on the differences between adversary emulation and simulation. While emulation replicates the actions and techniques of specific adversaries, simulation allows for more flexibility and blends different components of multiple adversaries.The hosts and guests also explore the power and responsibility that comes with conducting adversary emulation, drawing parallels to superheroes like Batman and Spider-Man.About the session — Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK EvaluationsBatman once said, "you either die a hero or live long enough to see yourself become the villain." What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by "becoming the villain." We study some of the world's most advanced threat actors, develop a scenario, build malware and tools, then execute the operations against major EDR vendors. And the best part? Not only do we get the business justification of becoming a villain to advance defenders, but our code is also open-sourced.Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.First, our cyber threat intelligence team (CTI) demonstrates how to evaluate reports with the sufficient technical data needed to emulate the adversary's usage of particular techniques. We will build a scenario, create CTI diagrams based on our analysis, address gaps in data, and create alternative attack methods for the red team.Next, the red team enters the scene to collaborate with the CTI team. They begin building malware, tools, and infrastructure. Translating approved open-source CTI reporting into code, we will walk through process injection, persistence, hands-on-keyboard discovery, and lateral movement for the emulation. Finally, it is time to launch the attack and see how our defenders respond, discern where to search for clues, and help them uncover our plot.To coincide with this presentation, our code, research, and emulation plans will be publicly released. We hope this empowers the community to use our "become the villain" methodology to improve defenses. Helping defenders discern where to look for our footprints is how we justify our villainous acts.Subscribe to our podcast, share it with your network, and join us in pondering the questions this conversation raises. Be part of the ongoing dialogue around this pressing issue, and we invite you to stay tuned for further discussions in the future.Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa____________________________ResourcesBecoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations: https://www.blackhat.com/us-23/briefings/schedule/index.html#becoming-a-dark-knight-adversary-emulation-demonstration-for-attck-evaluations-33209Post: https://medium.com/mitre-engenuity/managed-services-evaluations-round-2-2023-attribution-and-speed-and-efficiency-oh-my-59aa207641faPodcast: https://itspmagazine.simplecast.com/episodes/mitre-att-ck-a-conversation-at-the-edge-with-katie-nickels-fred-wilmot-and-ryan-kovarFor more Black Hat USA 2023 Event information, coverage, and podcast and video episodes, visit: https://www.itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegasAre you interested in telling your story in connection with our Black Hat coverage? Book a briefing here:
In this throwback episode of The Power Producers Podcast, David Carothers and co-host Kyle Houck interview Angel Rojas, CEO of DataCorps Technology Solutions, Inc. Angel discusses what cybersecurity is all about and the five best practices that every business should implement. Episode Highlights: Angel shares his background. (2:10) Angel shares what he sees in the current marketplace. (9:58) Angel mentions what is a ransomware attack. (10:45) Angel explains the five best practices that every business should implement. (13:56) Angel shares a story about a client that got hit by a ransomware event. (17:46) Angel mentions the five-step process of the Cybersecurity Framework. (20:51) Angel shares how to think differently about how you do things. (34:42) Angel shares his experience working with the FBI and the Secret Service. (37:54) Angel explains why there should be more collaboration within their industry. (48:14) Tweetable Quotes: “The most important thing I do is to help you see around the corners by making sure you're focused on what you do and focused on serving your clients. I focus on helping you see what's around the corners with your technology and also see where I can add value like. Adding value by being on the podcast and helping you share some of the cyber perspectives on insurance.” - Angel Rojas “Let's take all the sins that we committed last year and let's just accept the fact that we committed them. Then let's just start cleaning up all the mess that's left behind.” - Angel Rojas “Sometimes you have to dig through the network and find those answers. At the end of the day, the very first thing you need to do is perform that risk assessment and decide that you've got a problem. If you don't know that you don't have the problem, you have the problem. That's just non-negotiable.” - Angel Rojas Resources Mentioned: Angel Rojas LinkedIn DataCorps Technology Solutions, Inc. David Carothers Kyle Houck Florida Risk Partners The Extra 2 Minutes
In this throwback episode of The Power Producers Podcast, David Carothers and co-host Kyle Houck interview Angel Rojas, CEO of DataCorps Technology Solutions, Inc. Angel discusses what cybersecurity is all about and the five best practices that every business should implement. Episode Highlights: Angel shares his background. (2:10) Angel shares what he sees in the current marketplace. (9:58) Angel mentions what is a ransomware attack. (10:45) Angel explains the five best practices that every business should implement. (13:56) Angel shares a story about a client that got hit by a ransomware event. (17:46) Angel mentions the five-step process of the Cybersecurity Framework. (20:51) Angel shares how to think differently about how you do things. (34:42) Angel shares his experience working with the FBI and the Secret Service. (37:54) Angel explains why there should be more collaboration within their industry. (48:14) Tweetable Quotes: “The most important thing I do is to help you see around the corners by making sure you're focused on what you do and focused on serving your clients. I focus on helping you see what's around the corners with your technology and also see where I can add value like. Adding value by being on the podcast and helping you share some of the cyber perspectives on insurance.” - Angel Rojas “Let's take all the sins that we committed last year and let's just accept the fact that we committed them. Then let's just start cleaning up all the mess that's left behind.” - Angel Rojas “Sometimes you have to dig through the network and find those answers. At the end of the day, the very first thing you need to do is perform that risk assessment and decide that you've got a problem. If you don't know that you don't have the problem, you have the problem. That's just non-negotiable.” - Angel Rojas Resources Mentioned: Angel Rojas LinkedIn DataCorps Technology Solutions, Inc. David Carothers Kyle Houck Florida Risk Partners The Extra 2 Minutes
How to start your privacy career? A talk with Akarsh Singh and Punit Bhatia in the FIT4PRIVACY Podcast E081 S4 Is a privacy career for you? How would you start without any experience? Watch this podcast dedicated on discussing what a successful privacy career journey looks like and how to grow in this path, with Akarsh Singh and Punit Bhatia. KEY CONVERSATION POINTS 00:02:25 GDPR 00:04:01 Who is a privacy career for and who is it not for? 00:06:52 How would you recommend someone to start their career in privacy 00:09:22 About certification CIPP-E, CIPM, CIPT, and more 00:12:20 How do you join the industry without any experience 00:18:53 Starting salary 00:29:24 About Tsaaro ABOUT THE GUEST Akarsh Singh is the CEO and Co-founder of Tsaaro, a privacy and cybersecurity consulting firm, and Tsaaro Academy, a unique privacy certification training platform. Akarsh is an expert in privacy and helps multinationals and startups with their emerging privacy and cybersecurity challenges. He possesses the right mix of Information Technology and analytical skills. He holds a Bachelor's Degree in Manufacturing Engineering from the National Institute of Advanced Manufacturing Technology in Ranchi (Formerly NIFFT) and began his career at KPMG, where he helped several IT/ITes organizations strategize, reinvent, rethink, build, and operationalize their Cybersecurity Framework and Privacy Programs. He has proven experience in Consulting, Stakeholder Management, and Project Delivery roles. He is a Fellow in Information Privacy (FIP) by IAPP - the highest certification in the field of Privacy. He also possesses certifications in CIPT - Certified Information Privacy Technologist, CIPP/e - Certified Information Privacy Professional, CIPM - Certified Information Privacy Manager, and ISO 27001 Lead Auditor. Akarsh also hosts data privacy and cybersecurity podcasts on his channel Privacy Cast, where privacy experts from around the globe join to share their knowledge and help the audience understand data privacy technology, its evolution, and the change it brings to society. ABOUT THE HOST Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organizational culture with high privacy awareness and compliance as a business priority. Selectively, Punit is open to mentoring and coaching privacy professionals. Punit is the author of books “Be Ready for GDPR” which was rated as the best GDPR Book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 30 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured among the top GDPR and privacy podcasts. As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one's values to have joy in life. He has developed the philosophy named ‘ABC for joy of life' which passionately shares. Punit is based out of Belgium, the heart of Europe. RESOURCES Websites http://www.fit4privacy.com, http://www.punitbhatia.com Podcast https://www.fit4privacy.com/podcast Blog https://www.fit4privacy.com/blog YouTube http://youtube.com/fit4privacy --- Send in a voice message: https://anchor.fm/fit4privacy/message
Social engineering with generative AI. Mylobot and BHProxies. PureCrypter is deployed against government organizations and staged through Discord. Dish Network reports disruption. Third-party app and software as a service risk. Further assessments of the cyber phase of Russia's war so far, with warnings to stay alert. Are tough times coming in gangland? Comments on NIST's revisions to its Cybersecurity Framework are due this Friday. AJ Nash from ZeroFox on Mis/Dis/and Malinformation. Rick Howard digs into Zero Trust. And get this—AI is writing science fiction! For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/38 Selected reading. Social engineering with generative AI. (CyberWire) Who's Behind the Botnet-Based Service BHProxies? (KrebsOnSecurity) Mylobot: Investigating a proxy botnet (Bitsight) PureCrypter targets government entities through Discord (Menlo Security) PureCrypter malware hits govt orgs with ransomware, info-stealers (BleepingComputer) Uncovering the Risks & Realities of Third-Party Connected Apps: 2023 SaaS-to-SaaS Access Report (Adaptive Shield) Ukraine war anniversary likely to bring ‘disruptive' cyberattacks on West, agencies warn (Global News) How the Ukraine War Has Changed Russia's Cyberstrategy (Foreign Policy) A year of wiper attacks in Ukraine (WeLiveSecurity) Russia's yearlong cyber focus on Ukraine (Axios) A year after Russia's invasion, cyberdefenses have improved around the world (Washington Post) One year on, how is the war playing out in cyberspace? (WeLiveSecurity) The Russia-Ukraine cyber war: one year later (IT World Canada) Russia launched large-scale operations in cyberspace alongside war (euronews) WSJ News Exclusive | Hackers Extort Less Money, Are Laid Off as New Tactics Thwart More Ransomware Attacks (Wall Street Journal) AI-generated fiction is flooding literary magazines — but not fooling anyone (The Verge)
In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In early stages of growing a security function, a CISO needs to be technically-focused, but as a security department matures, the CISO must be organizationally-focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort it requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff. Michael Krausz LinkedIn Profile https://www.linkedin.com/in/michael-krausz-b55862/ Michael Krausz Website: https://i-s-c.co.at/ Full Transcript https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv
Nikki - What do you see as emerging trends around cybersecurity guidance and frameworks? With the newer NIST 800-53r5 and the SSDF, there is a TON of literature coming out from NIST. What's next? Chris - I wanted to dig into SSDF a bit. Can you tell us a bit about being involved in that? How it came about after the Cyber EO and your experience writing it? Chris - We know OMB is now requiring Federal agencies to start to self-attest to secure software development practices, specifically SSDF practices. How does it feel to have your work be cited in something this far reaching?Chris - What do you think organizations neglect most when it comes to secure software development, do you think the OMB memo will have a rising tide impact on the ecosystem like other frameworks such as CSF outside of Government?Nikki - What are some of the most fun parts of your job? You've written so much incredible content for not just the cybersecurity industry, but so many SMB's and non-for-profits can use the NIST guidance as a place to build their cybersecurity programs. Nikki - What is one of the biggest challenges in writing something like the SSDF or the Cybersecurity Framework? I would imagine there are so many considerations that go into deciding on everything from format to the type of language you use. Chris - What are your thoughts around the attention as of late on software supply chain security, SBOM's and topics in that domain? Do you think we need more guidance and publications on this front?Nikki - Before taking us to our last question, I wanted to ask you about your blog! It's called Scarfone Cybersecurity and I know you're just getting this going. Can you talk a little bit about why you wanted to start this blog? What are you interested in writing about? Nikki - What does Cyber Resiliency mean to you?