Have you ever fallen into the trap of the "invulnerable image"? In the second part of episode 164 of Kubicast's seventh season, we continue our conversation with Alexandre Sieira, founder of Tenchi Security, diving head-first into the technical challenges of practical, day-to-day security: the kind that involves CVEs, GitHub compromises and decisions that cost dearly. With real examples and sharp reflections, Sieira shows us why security is more than policy: it is architecture, process and culture in action.

Problems faced
- Container images built on a vulnerable base being treated as "secure".
- Lack of visibility into what is actually running in the pipeline.
- Risk from excessive dependencies and lack of control over the supply chain.
- Real compromise incidents in CI/CD tooling (such as GitHub Actions).
- Difficulty reconciling security with operational performance.

Solutions adopted
- Continuous vulnerability management focused on reducing the attack surface.
- Using an SBOM (Software Bill of Materials) as an ally for traceability.
- Segregating environments, with secure deployment across accounts and contexts.
- Architecture optimizations without giving up secure practices.
- Bringing product and security teams closer together from the start of the journey.

Throughout the episode it became clear that effective security does not depend on a perfect stack, but on conscious decisions. Living in the real world of DevSecOps means understanding that agility and security not only can coexist, they complement each other. Frequent releases, traceability and a culture of continuous improvement reduce risk and raise confidence in the operation. Among the good practices discussed, we stressed that less is more: minimizing dependencies, separating environments, applying principles such as Least Privilege and always thinking about blast radius are simple decisions with a large impact. Bringing the teams together from the architecture stage also helps create an environment of distributed security, rather than security centralized as a barrier.
Have you ever stopped to think about the real role of security in DevOps and Cloud Native environments? In episode 164 of Kubicast's seventh season we welcome Alexandre Sieira, founder of Tenchi Security, for a direct conversation about risk, maturity and the dilemmas that surround security in the cloud. With the background of someone who lives security on the battlefield, Sieira shared practical experiences and raised important questions about how prepared (or how unprepared) we really are.

Problems faced
- Lack of security maturity, especially in organizations that scale too fast.
- Third-party cyber risk, often ignored by technical teams.
- Conflicts between Dev, Ops and Sec teams, creating critical gaps in operations.
- Indiscriminate use of shared environments (such as the default namespace).

Solutions adopted
- Building segmented environments with compartmentalized access.
- Applying principles such as Zero Trust and Least Privilege from the infrastructure up.
- Deliberate use of Infrastructure as Code (IaC) to ensure traceability and governance.
- Strengthening communication between teams and redefining responsibilities.

Throughout the episode some important lessons became very clear: security is not the responsibility of a single team; it must be shared among Dev, Ops and Sec from the foundation of the infrastructure. The pursuit of agility cannot justify decisions that neglect structural risks. Invulnerability does not exist, but being prepared to deal with attacks is what separates resilient environments from true operational blind spots. Among the good practices discussed, the importance of avoiding the default namespace stood out: it often becomes ownerless ground with no governance. Thinking about blast radius when defining permissions is essential to limit the impact of any failure or intrusion. Smart centralization, where it makes sense, combined with deliberate delegation helps balance autonomy with control.
Finally, it was reinforced that security cannot be an impediment; it has to be a natural part of the team's culture, one that enables better and more sustainable deliveries. Presented by João Brito, your favorite host (@juniorjbn). Kubicast is a production of Getup, a company specializing in Kubernetes and open source projects for Kubernetes. Podcast episodes are available on the main digital audio platforms and on YouTube.com/@getupcloud.
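The two Kubicast summaries above keep returning to the same two checks: do not let workloads and bindings accumulate in the default namespace, and think about blast radius before granting permissions. The script below is an added example, not code from the episode, from Getup or from Tenchi Security. It audits Kubernetes RBAC bindings for exactly those two properties. The roles and bindings are constructed to look like parsed manifests, and the three checks and their severity labels are this example's own choices, not a Kubernetes standard.

```python
"""Flag Kubernetes RBAC bindings with a large blast radius.

Added example, not code from the Kubicast episode, Getup or Tenchi Security.
ROLES and BINDINGS are constructed to resemble parsed manifests (a subset of
the real RBAC schema); the checks and severity labels are assumptions.
"""
from __future__ import annotations

# Constructed roles: name -> kind and rules.
ROLES = {
    "cluster-admin": {"kind": "ClusterRole",
                      "rules": [{"verbs": ["*"], "resources": ["*"]}]},
    "secret-writer": {"kind": "ClusterRole",
                      "rules": [{"verbs": ["*"], "resources": ["secrets"]}]},
    "pod-reader":    {"kind": "Role",
                      "rules": [{"verbs": ["get", "list"], "resources": ["pods"]}]},
}

# Constructed bindings. subjects are (kind, name, namespace); the namespace is
# None for User/Group subjects, which are not namespaced.
BINDINGS = [
    {"kind": "ClusterRoleBinding", "name": "ci-admin", "namespace": None,
     "roleRef": "cluster-admin",
     "subjects": [("ServiceAccount", "ci", "default")]},
    {"kind": "RoleBinding", "name": "app-secrets", "namespace": "payments",
     "roleRef": "secret-writer",
     "subjects": [("ServiceAccount", "app", "payments")]},
    {"kind": "RoleBinding", "name": "dev-pods", "namespace": "default",
     "roleRef": "pod-reader",
     "subjects": [("User", "dev@example.com", None)]},
]


def wildcard_rules(role: dict) -> list[dict]:
    """Rules that grant every verb or every resource."""
    return [r for r in role["rules"]
            if "*" in r["verbs"] or "*" in r["resources"]]


def audit(roles: dict, bindings: list[dict]) -> list[tuple[str, str, str]]:
    """Return (severity, binding name, reason) findings, in binding order."""
    findings = []
    for b in bindings:
        role = roles[b["roleRef"]]
        if wildcard_rules(role):
            if b["kind"] == "ClusterRoleBinding":
                # Wildcards bound cluster-wide: one stolen token owns the cluster.
                findings.append(("CRITICAL", b["name"],
                                 f"cluster-wide wildcard grant via {b['roleRef']}"))
            else:
                # A RoleBinding confines even a ClusterRole's rules to its own
                # namespace, so the blast radius is one namespace, not the cluster.
                findings.append(("HIGH", b["name"],
                                 f"wildcard grant via {b['roleRef']} "
                                 f"scoped to namespace {b['namespace']}"))
        if b["namespace"] == "default":
            findings.append(("MEDIUM", b["name"],
                             "binding lives in the default namespace"))
        for kind, name, ns in b["subjects"]:
            if kind == "ServiceAccount" and ns == "default":
                findings.append(("MEDIUM", b["name"],
                                 f"ServiceAccount {name} lives in the default namespace"))
    return findings


if __name__ == "__main__":
    for sev, name, why in audit(ROLES, BINDINGS):
        print(f"{sev:8} {name:12} {why}")
```

To run this against a real cluster, replace the constructed dictionaries with the output of `kubectl get clusterrolebindings,rolebindings -A -o json` and the matching roles. For a single subject, `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name>` shows the effective permissions the binding chain resolves to, which is the quickest way to confirm a finding before you tighten it.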
We heard you missed us. We're back.

Windows
- Microsoft declares 2025 the "year of the Windows 11 PC refresh." As likely as "year of the Linux desktop"
- The theory: Windows 10 EOL, AI PCs, lingering security fears from CrowdStrike
- The issue: Windows 10 has 63 percent usage share right now. At this point in time, Windows 7 had only 25 percent usage share (and was in second place, not first)
- Intel joins in on this fever dream but we've stopped listening
- More interesting: AMD is kicking ass and taking names. And we thought the existing chips were good (they are). Related to this, PC makers are embracing AMD like never before. Check out HP's workstations (including laptops)
- Microsoft is blocking the 24H2 update on PCs with Auto HDR enabled
- New Canary and Beta builds ring in the New Year
- Not that it matters, but Windows 11 almost had Vista Ultimate Extras-like dynamic wallpapers
- Dell kills XPS and all its other PC brands because Dell is stupid and doesn't know what it had

Arm & PCs
- Qualcomm defeated Arm Holdings in licensing dispute court case. And, yes, it won big time, contrary to Arm's nonsense
- Qualcomm announces an even lower-end Snapdragon X chip for $600 PCs, so ASUS announces an $1100 laptop that uses it
- Snapdragon Dev Kit update
- Part 2 of Paul's history of Windows on Arm is up
- New Arm PCs announced, including desktops. Ahead of CES, Geekom jumped the gun and said it was coming out with a Snapdragon X-based NUC. Lenovo has a NUC/SFF
- NVIDIA and MediaTek confirm partnership on Arm chips for PCs

Microsoft 365
- First, GitHub Copilot, but now Microsoft 365 Copilot will allegedly stop using OpenAI exclusively
- Microsoft reveals (confirms) it will spend $80 billion on AI infrastructure in FY 2025 as it suckles up to Trump like the rest of the tech industry
- Microsoft and OpenAI allegedly tied AGI milestone to profits, not intelligence

Xbox & Gaming
- Microsoft discusses a console-like experience for Windows handheld gaming. Tied to that, a new generation of handheld gaming PCs is on the way
- Xbox Game Pass says Happy New Year with a full slate of Activision Blizzard titles. Just kidding
- NVIDIA announces new graphics cards for PCs
- No one wants this, but Xbox is coming to LG smart TVs
- Xbox Rewards shuffles the deck chairs, hopes no one notices it's worse now

Tips & Picks
- Tip of the week: Spend a little, upgrade to Windows 11
- App pick of the week: Microsoft PowerToys
- RunAs Radio this week: Least Privilege in 2025 with Bailey Bercik
- Brown liquor pick of the week: Kilbeggan Irish Whiskey

Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell
Download or subscribe to Windows Weekly at https://twit.tv/shows/windows-weekly
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
Check out Paul's blog at thurrott.com
The Windows Weekly theme music is courtesy of Carl Franklin.
Sponsors: uscloud.com zscaler.com/security
How is least privilege different in 2025? Richard talks to Bailey Bercik about the ongoing efforts to minimize the privileges of users, administrators, and applications in 2025. Bailey talks about the power of Entra Permissions Management to help you see which permissions are going unused on various accounts, so that you can tailor rights to individual accounts without things becoming unmanageable. Artificial intelligence is a forcing function for many permission issues: these new tools can create problems when given unnecessary rights, but the same tools can help you understand where permissions are being underutilized and help protect your systems!

Links
- Principle of Least Privilege
- Enable Permission Management
- Entra Permissions Management
- Microsoft Security Copilot
- Copilot in Microsoft Entra
- SEC545: GenAI and LLM Application Security
- How Attackers Use Apps to Attack
- Video

Recorded December 16, 2024
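The core of what the episode describes, comparing what an identity is granted with what it has actually exercised and shrinking the grant to the difference, fits in a short script. The one below is an added example; it is not Microsoft's code and not how Entra Permissions Management works internally. The identities, the action names (hypothetical provider/resource/operation strings where a trailing `*` is a wildcard) and the activity log are all constructed, and the 90-day lookback is an assumption.

```python
"""Right-size an identity's permissions from granted vs. observed use.

Added example, not Microsoft's code and not Entra Permissions Management's
actual algorithm. GRANTED, ACTIVITY and the action naming scheme are
constructed; the 90-day lookback is an assumption.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed grants: identity -> set of actions it may perform.
GRANTED = {
    "svc-billing": {
        "Storage/blobs/read",
        "Storage/blobs/write",
        "KeyVault/secrets/read",
        "Compute/virtualMachines/*",
    },
    "copilot-agent": {
        "Mail/messages/read",
        "Mail/messages/send",
        "Files/items/*",
    },
    "legacy-report": {"Sql/databases/read", "Sql/databases/write"},
}

# Constructed activity log: (when, identity, action actually performed).
NOW = datetime(2025, 1, 6)
ACTIVITY = [
    (NOW - timedelta(days=2),   "svc-billing",   "Storage/blobs/read"),
    (NOW - timedelta(days=5),   "svc-billing",   "KeyVault/secrets/read"),
    (NOW - timedelta(days=30),  "svc-billing",   "Compute/virtualMachines/start"),
    (NOW - timedelta(days=1),   "copilot-agent", "Mail/messages/read"),
    (NOW - timedelta(days=3),   "copilot-agent", "Files/items/read"),
    (NOW - timedelta(days=200), "legacy-report", "Sql/databases/read"),  # outside window
]


def used_actions(identity: str, activity: list, now: datetime,
                 lookback_days: int = 90) -> set[str]:
    """Actions the identity performed inside the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    return {act for when, who, act in activity if who == identity and when >= cutoff}


def right_size(granted: set[str], used: set[str]) -> tuple[set[str], set[str]]:
    """Split grants into (keep, drop).

    A grant with no matching use is dropped. A wildcard grant that was used is
    replaced by the exact actions observed under it, which is the 'tailor
    rights' step: the identity keeps what it demonstrably needs and nothing more.
    """
    keep, drop = set(), set()
    for perm in granted:
        hits = {a for a in used if fnmatchcase(a, perm)}
        if not hits:
            drop.add(perm)
        elif perm.endswith("/*"):
            keep |= hits
        else:
            keep.add(perm)
    return keep, drop


def review(granted_by_identity: dict, activity: list, now: datetime,
           lookback_days: int = 90) -> dict:
    """Per identity: {'keep', 'drop', 'dormant'}.

    An identity with no activity in the window is marked dormant and left
    untouched: a telemetry gap and a truly unused account look identical here,
    so it should be quarantined for a human decision, not silently stripped.
    """
    out = {}
    for ident, granted in granted_by_identity.items():
        used = used_actions(ident, activity, now, lookback_days)
        if not used:
            out[ident] = {"keep": set(granted), "drop": set(), "dormant": True}
            continue
        keep, drop = right_size(granted, used)
        out[ident] = {"keep": keep, "drop": drop, "dormant": False}
    return out


if __name__ == "__main__":
    for ident, r in review(GRANTED, ACTIVITY, NOW).items():
        flag = " (dormant, quarantine)" if r["dormant"] else ""
        print(f"{ident}{flag}: keep={sorted(r['keep'])} drop={sorted(r['drop'])}")
```

Two caveats matter when you move from the constructed log to real audit data. Usage only shows permissions that were exercised, not permissions that are needed on rare paths such as disaster recovery or a quarterly job, so the lookback has to cover those cycles or the removal has to be staged with an easy rollback. And the `copilot-agent` identity in the sample is the case the episode singles out: an AI tool handed broad wildcard grants it uses only a sliver of, which is precisely where the unused-permission view earns its keep.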
Unlock the secrets to a more secure digital environment as we dissect the potential impact of a TP-Link router ban in the U.S., spurred by security vulnerabilities and foreign influence concerns. How will this affect consumers, businesses, and ISPs reliant on these budget-friendly devices? Tune in to discover the broader implications of a shift towards U.S.-manufactured electronics and what it means for cybersecurity practices nationwide.

Explore the intricate balance of power and security through the principle of least privilege (POLP) and the need-to-know principle. We decode the strategies to implement POLP successfully, reducing attack surfaces while maintaining efficiency, and align these techniques with essential regulatory standards such as GDPR and HIPAA. Discover how the military's compartmentalization tactics can be mirrored in the corporate world to safeguard sensitive information.

Finally, we unravel the complexities of insider threats and privileged account management. From job rotations to mandatory vacations, learn how these strategies can help mitigate fraudulent activities and insider risks. We emphasize the crucial role of Privileged Account Management systems in enhancing security, despite their setup complexities and costs, providing invaluable tools for IT professionals seeking to bolster their cybersecurity measures. Don't miss this comprehensive guide designed to fortify your cybersecurity defenses.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join today!
In this Brand Story episode, Marco Ciappelli and Sean Martin sit down with Danny Jenkins, CEO and co-founder of ThreatLocker, to uncover the journey and approach of ThreatLocker in the cybersecurity realm. The episode sheds light on the company's mission, the challenges it faces, and the solutions it offers.

Danny Jenkins recounts the origin story of ThreatLocker, beginning with his early career in IT and his fortuitous stumble into cybersecurity. He explains how witnessing firsthand the devastating impact of ransomware led to the inception of ThreatLocker. His experience with ethical hacking and ransomware recovery highlighted a critical need for more effective IT security solutions, enabling Jenkins to spearhead the development of ThreatLocker with a central philosophy: deny by default.

ThreatLocker's primary goal is to help organizations implement a zero trust framework by making it as simple and automated as possible. Jenkins emphasizes that effective security requires blocking untrusted software and limiting what trusted software can do. He articulates the importance of learning the intricacies of each environment ThreatLocker protects, from small businesses to large enterprises like JetBlue. By examining each endpoint and understanding the specific software and dependencies, ThreatLocker aims to keep systems secure without disrupting daily operations.

One of the key aspects discussed is ThreatLocker's human element combined with technological innovation. Jenkins introduces the concept of their 'cyber hero' team, dedicated to providing 24/7 support. This team is crucial, especially when onboarding new clients or assisting those already affected by ransomware. This commitment to customer service underscores ThreatLocker's philosophy of not only providing solutions but ensuring they are successfully implemented and maintained.

Jenkins also touches upon broader industry challenges, specifically the common pitfall enterprises fall into by relying on endpoint detection and response (EDR) systems alone. He argues that such systems are often reactive, addressing symptoms rather than root causes. ThreatLocker's approach, focusing on proactive prevention and least privilege access, aims to mitigate vulnerabilities before they can be exploited.

Finally, Jenkins discusses the future vision for ThreatLocker, highlighting continued growth and innovation. The company's commitment to maintaining high support levels while expanding its product offerings is meant to keep it at the forefront of cybersecurity solutions. Events like Zero Trust World serve as educational opportunities for clients to deepen their understanding and enhance their security postures.

Overall, this episode provides an in-depth look at ThreatLocker's strategic approach to cybersecurity, emphasizing the importance of proactive prevention, customer service, and continuous improvement.

Learn more about ThreatLocker: https://itspm.ag/threatlocker-r974
Note: This story contains promotional content.
Guest: Danny Jenkins, CEO of ThreatLocker [@ThreatLocker]
On LinkedIn | https://www.linkedin.com/in/dannyjenkinscyber/

Resources
Zero Trust World Conference: https://itspm.ag/threat5mu1
Learn more and catch more stories from ThreatLocker: https://www.itspmagazine.com/directory/threatlocker
View all of our HITRUST Collaborate 2024 coverage: https://www.itspmagazine.com/hitrust-collaborate-2024-information-risk-management-and-compliance-event-coverage-frisco-texas
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story
In this episode of the InfosecTrain podcast, we explore the Principle of Least Privilege (PoLP)—a fundamental security concept that limits access rights for users, applications, and systems to only what is necessary to perform their tasks. Learn how this principle helps reduce the attack surface, prevent insider threats, and minimize the damage from potential breaches. Our experts will also share real-world use cases and practical tips for implementing PoLP in your organization.
I assume that most of you know about the principle of least privilege. If not, please read this short blog from Brian Kelley and make sure you understand how you should approach security. In the modern world, we also ought to adapt our systems for the zero trust model, which includes the least privilege principle. However, I wonder how many of your organizations really follow these security guidelines internally. Are you strict about adding limited access and removing it when people change jobs/roles? If you use Windows Auth (or Entra), are your admins doing that or just adding in new roles? Do you scope down database access roles in granular ways or just stick with 1-2 roles for the most common things people do? Read the rest of Least Privilege
What's the best way to navigate least privilege complexities in a multi-cloud environment? And how is the role of identity management evolving? We spoke to Jeff Moncrief from Sonrai Security on why identity is the new network in the cloud-driven world. We speak about the challenges of implementing least privilege in cloud environments, the misconceptions surrounding identity roles, and the critical importance of segmenting access across public clouds just as rigorously as we did on-premises. Guest Socials: Jeff's LinkedIn. Podcast Twitter - @CloudSecPod. If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security social channels: Cloud Security Podcast - YouTube, Cloud Security Newsletter, Cloud Security BootCamp. Questions asked: (00:00) Introduction (01:59) A bit about Jeff (03:01) How is identity different in the Cloud? (05:40) Misconceptions about least privilege in the cloud (08:50) Cloud Native solutions for Permission Attack Surface Management (15:36) Common themes when addressing privilege in Cloud (17:22) Starting point when dealing with identities (20:03) Frameworks when working through least privilege (23:21) Showing ROI on doing least privilege
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our sponsored guest, Sandy Bird, co-founder and CTO, Sonrai Security. In this episode: Why does scaling least privilege in the cloud remain challenging? Is throwing more people at the problem feasible? How are you managing it? What aspects haven't been considered? Thanks to our podcast sponsor, Sonrai Security A one-click solution that removes excessive permissions and unused services, quarantines unused identities, and restricts specific regions within the cloud. Later, maintain this level of security by automatically enforcing policies as new accounts, roles, permissions, and services are added to your environment. Start a free trial today! sonrai.co/ciso
In this episode, Jim and Jeff welcome back Sandy Bird, the CTO and Co-Founder of Sonrai Security, for a sequel to their first sponsor spotlight. Sandy returns to discuss the groundbreaking Cloud Permissions Firewall with Permissions on Demand. The trio dives into how this new solution revolutionizes the way organizations can clamp down on excessive cloud permissions, streamline operations, and secure their cloud environments with unprecedented speed and efficiency. The discussion illuminates the concept of "default deny," the exhilaration of zapping "zombie" identities, and the seamless integration with cloud native tools. Sandy also shares insights on how customers can measure success with Sonrai's solution and the significant security benefits provided. For a visual walkthrough of Sonrai's Cloud Permissions Firewall, visit http://sonrai.co/idac to see the demo in action and learn how you can try it out with a 14-day free trial. And if you're at RSA, AWS re:Inforce, or Gartner IAM, look for the Sonrai Security booth and experience the epiphany moment for yourself. Connect with Sandy on LinkedIn: https://www.linkedin.com/in/sandy-bird-835b5576 Learn more about Sonrai Security: https://sonrai.co/idac Introducing the Cloud Permissions Firewall (YouTube): https://www.youtube.com/watch?v=ffQbM6KGDbY Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter. 
Episode Keywords: Identity and Access Management (IAM), Cloud Security, AWS, Azure, GCP (Google Cloud Platform), Least Privilege, Identity Risk, Cloud Permissions Firewall, Infrastructure as Code, Security Operations (SecOps), Cloud Operations (CloudOps), Permissions Management, Excessive Privileges, Zombie Identities, Identity Governance, Access Analyzer, Sensitive Permissions, Role-Based Access Control (RBAC), Service Control Policies (SCP), Cloud Native Security
In this episode of Trust Issues, David welcomes back Shay Nahari, VP of CyberArk Red Team Services, to discuss the topic of secure browsing and session-based threats. They delve into the dangers of cookie theft, the expanding attack surface, and the importance of identity security. Shay explains how cookies sit post-authentication and how attackers can bypass the entire authentication process by stealing them. He also discusses how browsers have been designed for consumers, not for the enterprise, and how this creates a fundamental problem in the way we treat and design identities around the usage of browsers... until now. Shay introduces the CyberArk Secure Browser, which eliminates cookies from the disk completely and provides end-to-end control of the flow of identity. The conversation also touches on the expanding attack surface, new identities, and how organizations can protect themselves from session-based attacks. Shay emphasizes the importance of least privilege, monitoring, and an assume-breach mindset.
This podcast shares research that reveals how many of the most common cloud security risks—despite being tied to basic security guidelines such as the Principle of Least Privilege—are widely overlooked in organizations of all sizes, even in those with a high maturity level in terms of cloud security. We'll explain why that is and investigate approaches to reduce your risk.

Speakers:
Neil Carpenter, Principal Technical Evangelist, Orca Security
Bar Kaduri, Research Team Leader, Orca Security
Tatyana Sanchez, Content and Programming Coordinator, RSAC
Kacy Zurkus, Senior Content Strategist, RSAC
Ready to conquer the CISSP exam? Let's take a deep dive into the world of cybersecurity operations, breaking down complex concepts into easy-to-understand explanations. We'll explore how 'need to know access,' 'least privilege,' and 'separation of duties' are vital defenses in the cybersecurity landscape, offering insights from real-life scenarios like the pricey MGM hack and a critical flaw in Cisco routers. Get ready to challenge yourself with CISSP questions tied to domain seven, focusing on access granted based on job descriptions, least access required, separation of duties, two-person control, and the benefits of job rotation.

Looking to level up your security team's skills? Cross-training could be the golden ticket. We'll narrow down how cross-training embeds versatility into your team, enabling them to deal with a diverse set of roles and smoothly execute two-person control. We'll also touch on why earning a CISSP certification can be a game-changer for your career, and share the exhilaration of acing the exam. We'll also tackle 15 vital CISSP questions, offering comprehensive answers and explanations to enrich your understanding. Pop in those earbuds, and let's boost your cybersecurity prowess and CISSP exam readiness!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.
Do you really know who has access to your sensitive data? Let's unravel the veil of cybersecurity, highlighting a ransomware incident that cost Caesar's and MGM a staggering $15 million. Tune in as we explore CISSP domain 7.4 and the critical need-to-know principle that insists on access to sensitive data only for those who genuinely need it. We'll also touch on the invaluable resources available on CISSP Cyber Training that can aid in your exam preparation.

In this fascinating dialogue, we venture into the world of zero trust architecture, least privilege principles, and identity and access management. We reveal how these strategies can fortify your company's network. We'll also discuss GRC, an essential part of SAP that assists in managing user access and the division of duties. We walk you through the financial industry's use of instant approval for high-level transactions and the concept of just-in-time privileges. Ever wondered about the risks of granting too much privilege? We'll break it down for you. We'll also shed light on the role of a managed service provider during a security incident and the importance of using pre-set, securely stored credentials. Learn about situations where temporary privilege elevation becomes vital, such as software patch installation, data migration, and compliance auditing. And let's not forget about time-bound access, multi-factor authentication, and separation of duties. So, strap in and prepare to arm yourself with vital cybersecurity knowledge.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.
https://www.yourcyberpath.com/101/ In this short episode, we are back discussing the Security Design Principles, with the third principle, Economy of Mechanism. Jason and Kip explain the principle of Economy of Mechanism and how you want to apply it in your career as a cybersecurity professional without falling into the trap of overcomplicating things and, most importantly, staying within the limits of your budget. You should always keep things simple and practical and focus on providing value instead of following tedious, complex processes. Economy of Mechanism can be summed up as follows: "You don't want to build a $100,000 fence to protect a $1000 horse." Context is everything here: you need to understand what you are protecting and how your protections should be relevant to that.
What You'll Learn
● What is the Economy of Mechanism?
● What happens when you overcomplicate technical controls?
● What are some examples of Economy of Mechanism?
Relevant Websites For This Episode
● https://www.yourcyberpath.com/
● https://www.udemy.com/course/irresistible-cybersecurity/
● https://www.yourcyberpath.com/ask/
Other Relevant Episodes
● Episode 94 - Ten Security Design Principles (SDP)
● Episode 96 - SDP 1: Least Privilege
● Episode 98 - SDP 2: Psychological Acceptability
Diana Kelley, Chief Information Security Officer (CISO) at Protect AI joins host David Puner for a dive into the world of artificial intelligence (AI) and machine learning (ML), exploring the importance of privacy and security controls amid the AI Gold Rush. As the world seeks to capitalize on generative AI's potential, risks are escalating. From protecting data from nefarious actors to addressing privacy implications and cyber threats, Kelley highlights the need for responsible AI development and usage. The conversation explores the principle of least privilege (PoLP) in AI, the privacy implications of using AI and ML platforms and the need for proper protection and controls in the development and deployment of AI and ML systems.
https://www.yourcyberpath.com/96/ In this episode, we unpack the first of the Security Design Principles, Least Privilege. If you have never heard of it before, Least Privilege is the act of giving a person the most minimal amount of privilege for them to be able to do their job. Our hosts take the time in this short episode to discuss the ups and downs of Least Privilege and why it's not utilized as widely as it should be. Then they go over how Least Privilege should be implemented at home and at work and how much it affects your personal and professional Cyber Hygiene. In the end, Jason discusses how Least Privilege can affect Software Development and the importance of setting different accesses and permissions for different users to improve your security posture.
What You'll Learn
● What is a CR-MAP?
● What is Least Privilege?
● What are the costs of using Least Privilege?
● How does Least Privilege affect you as a user?
● How can software utilize Least Privilege?
Relevant Websites For This Episode
● https://www.akylade.com/
● https://www.yourcyberpath.com/podcasts/
Other Relevant Episodes
● Episode 80 - Risk Management Framework with Drew Church
● Episode 83 - Automating NIST Risk Management Framework with Rebecca Onuskanich
● Episode 94 - Ten Security Design Principles (SDP)
https://www.yourcyberpath.com/94/ To start off this episode, our hosts have a short chat about ChatGPT and how it can be useful for cybersecurity professionals and job hunters. They also highlight the difference between transitional and transformational tech. Then, they get into the episode topic, which is an introduction to a 10-part series on Security Design Principles that is going to come out in the following months. Kip mentions at the beginning that these design principles are not laws, but they are very important guardrails for the safety of any system, while Jason highlights that they are best practices that every organization should aim to implement to avoid future implications. Defense in depth is like layering your protections, and it has become extremely important to do since the deperimeterization of our networks, where we have devices all over the place and not just in separate perimeters. Security Design Principles are independent of technology. They are about strategies that can be applied to guide your work in many aspects. Then, our hosts go over some simple examples of the Security Design Principles like Fail-safe Defaults and Least Privilege. In the end, you must realize that when you plan for implementations ahead of time, it is always a huge time, money, and effort-saver for you and your organization.
What You'll Learn
● Is AI going to take over jobs?
● What certifications mention Security Design Principles?
● What is defense in depth?
● What is the principle of fail-safe defaults?
Relevant Websites For This Episode
● Saltzer and Schroeder's Design Principles
● www.YourCyberPath.com
You know how we tell you to limit the amount of privilege each admin gets, in order to limit the blast radius if their account is compromised? What if you could apply that concept to applications that use private data to accomplish their task? We blindly give everything we have on each person to just about any app that needs anything. But if you had an app that only needs first name and email address, why not just give it that? And if it asks for more than that, what if you had a way to give it masked data, since it doesn't really need it anyway? That's how I would describe Skyflow, a privacy-as-a-service company, after interviewing its Head of Marketing, Sean Falconer. Fascinating new approach to the problem of personal data sprawl.
With the recent takeover of the "Linus Tech Tips" YouTube channel, what can we learn? In this episode, Jay and Joao will discuss some of the ways you can prevent such an event from happening to you (and it's not just YouTube that's a target).
Application security is a critical aspect of all application design and architecture. Security best practices specify that nobody should be given universal access to any system or service. Instead, a given service, system, or person should be given only the access required to get the job done, and absolutely no more permissions than that. To give someone more access than they absolutely need is to open a potential security vulnerability. This security best practice is known as the Principle of Least Privilege.

This is Tech Tapas Tuesday, on Modern Digital Business.

Useful Links
Architecting for Scale, 2nd Edition, O'Reilly Media

About Lee
Lee Atchison is a software architect, author, public speaker, and recognized thought leader on cloud computing and application modernization. His most recent book, Architecting for Scale (O'Reilly Media), is an essential resource for technical teams looking to maintain high availability and manage risk in their cloud environments. Lee has been widely quoted in multiple technology publications, including InfoWorld, Diginomica, IT Brief, Programmable Web, CIO Review, and DZone, and has been a featured speaker at events across the globe. Take a look at Lee's many books, courses, and articles by going to leeatchison.com.

Looking to modernize your application organization? Check out Architecting for Scale. Currently in its second edition, this book, written by Lee Atchison and published by O'Reilly Media, will help you build high-scale, highly available web applications, or modernize your existing applications. Check it out! Available in paperback or on Kindle from Amazon.com or other retailers.

Don't Miss Out! Subscribe here to catch each new episode as it becomes available. Want more from Lee? Click here to sign up for our newsletter. You'll receive information about new episodes, new articles, new books and courses from Lee. Don't worry, we won't send you spam and you can unsubscribe at any time.
Least privilege is the philosophy which restricts access rights for users purely to the essentials. Providing employees with the minimal level of privilege needed to do their job has its downsides, but goes a long way to reduce the attack surface of tech firms across the world. In this episode of the EM360 Podcast, Editor Matt Harris speaks to Stephen Cobbe, CEO of Opal, to explore:
Least privilege and its importance
The shifting of business leader mindset
Access management and how it's evolved
In our rapidly changing digital world, agencies must evolve security strategies. A goal of Zero Trust is to create a security and network architecture that is dynamic, adaptable, and protected. The Executive Order on Cybersecurity has moved the term “Zero Trust” from a buzzword to a much-needed baseline for action planning around how we secure agency data and systems. Agencies must leverage Zero Trust principles to never trust, always verify, and only allow access when contextual parameters are met. Identity sits at the heart of Zero Trust. In a perimeter-less world, agencies must protect identities to stop adversaries from getting into our networks, moving laterally, escalating privileges, and ultimately accessing and manipulating our data. Leveraging ICAM and robust identity security strategies enables agencies to move from a network-based approach to a data-centric approach to defending systems. Join government security experts for a discussion to understand:
Why Privileged Access Management (PAM) is essential to major DoD initiatives like ICAM, Thunderdome, and Zero Trust
How ICAM supports the Executive Order
The Defense Department's outlook on data-centric security and defending agency systems
The path to secure modernization using Least Privilege
Today, thanks to cheap plug-and-play ransomware kits, anyone with a credit card can get into the cyber extortion action. No special training or skills required. So, what can we do? In the premiere episode of the Trust Issues™ podcast, David Puner talks about this and more with Andy Thompson, advisor & evangelist at CyberArk Labs.
Identity is the thing that ties everything together. Lose control of that, and on the one hand, you see IT help desks and security teams inundated by requests; on the other, you worry about getting hit by attacks from account takeovers. So what exactly is the balance? In Episode 8 of the Ask A CISO podcast, Gill Langston, Senior Product Manager, MSP at JumpCloud, talks about access control security automation and his take on why there are organizations on both sides of the spectrum of Identity and Access Management. If you are interested in learning more about how the top organizations enforce the Principle of Least Privilege, register for this live webinar happening next week: https://www.horangi.com/lp/horangi-jumpcloud-webinar-2022 -- Show Notes and Transcript -- https://www.horangi.com/blog/using-warden-iam-jumpcloud-bamboohr-for-smooth-onboarding The Ask A CISO podcast is a production of Horangi Cyber Security, Asia's leading cloud security provider. The show is hosted weekly by cofounder and CEO, Paul Hadjy. -- About Horangi Cybersecurity -- More information about the Ask A CISO podcast: https://www.horangi.com/resources/ask-a-ciso-podcast About Horangi Cyber Security: https://www.horangi.com --- About the Guest -- Gill Langston LinkedIn: https://www.linkedin.com/in/gilllangston/ -- Attributions -- Ending Music: I Dunno by Grapes http://ccmixter.org/files/grapes/16626 Creative Commons Attribution 3.0 Unported (CC BY 3.0) Free Download / Stream: https://bit.ly/i-dunno-grapes Music promoted by Audio Library https://youtu.be/sNAE8-mB5lQWe
In this episode I talk about Personnel Security, Separation of Duties, Least Privilege, Need to Know, Vendor, Consultant and Contractor Controls, Security Governance, Risk Management. If you like this episode do share it with your buddies and also feel free to reach out to me with your suggestions, comments and queries. https://linkedin.com/in/tanayshandilya --- Send in a voice message: https://anchor.fm/tanayshandilya/message Support this podcast: https://anchor.fm/tanayshandilya/support
This week, we're continuing our series looking at each of the pillars of the Well-Architected Framework. We talked about the operational excellence pillar in the last episode. We're going to talk about security this time, which is our favourite Well-Architected pillar. There are 10 questions for this pillar and a couple of different sections. The Well-Architected security pillar is aimed at checking how secure your organisation is. It goes into things like: How are you managing accounts? Is your Control Tower hooked up? Are you using GuardDuty? It promotes team awareness of security across the organisation. The types of things to engage with when looking at a workload are blast radius: if something goes down, how are we going to recover it? Or is there a case for failover? Or resiliency? It is broad, but there are things you can zoom in and focus on in that question. With the modern techniques, capabilities and improvements, you can be fine-grained and have more accounts. Single sign-on also helps manage that burden. And AWS Organizations, Control Tower and CloudTrail are mature capabilities that help you get a good initial posture. One thing about Well-Architected is that there is a nice flow to the questions and sections. The first question, 'how do you securely operate your workload?', straight away gets into identity and access management, your inventory of people and machines and how you manage that. Or how do you manage blast radius, permissions, and the process of adding and removing people, accounts, machine accounts and different resources. In a modern cloud environment, rule number one is that it is tightly managed and automated. Normally, it ties back into the enterprise or a broader policy, and it gets teams asking what the authorization controls for this component are. The Least Privilege principle comes to the fore, especially for serverless workloads.

As you ephemerally spin stuff up and down, you can be tempted to give star-star to everything and open up the world, meaning your blast radius is massive and you've got a big security hole. So you need to be aware of the Least Privilege principle and grant the minimal amount needed to be functional. You have got to automate that and build it as part of your automation. Otherwise it becomes an unmanageable burden in an ephemeral sort of workspace. The next is one of my favourites: detective controls, how you detect and control security events. I always love the way security people talk about 'left of attack': all the things that happen before the attack. There is the time when the attack happens, and that's panic stations. But there's usually a whole bunch of stuff before that, that you can act on. And that could be two years prior. So there's a whole mindset around detecting weird activity when people are probing your system, before the actual attack. That's the hunter side of cybersecurity, where people try to find breaches. It's about keeping abreast of the latest developments and responding to new emerging threat vectors, like Log4j. How do you respond to that new information to the left of your detection? Do you have the right logging, monitoring, alerting and alarming for rapidly detecting and remediating these events? The next one is data protection. There's stuff here about encryption, at rest and in transit. We have mentioned code as a liability. Your data can also be a liability that you need to manage appropriately. Organisations have a good data classification document, or something that describes data classification as it pertains to the industry or the organisation. I think the challenge you've got is getting engineering teams to understand it. Previously we've woven data classification into the threat model exercise, so the first section is what sort of data are we dealing with. The last section is 'incident response'.

It's fairly self-explanatory. How do you respond to and recover from incidents? You want to be well drilled, with as much automation as possible. Sounds straightforward. But it's complicated. It ties back to the operational excellence pillar. You're anticipating these events ahead of time. If you're anticipating them, you have associated runbooks or playbooks to facilitate squads in particular circumstances. So there's a lot around education as well, and making sure that everybody in the organisation understands what you do in the event of an incident. You don't want a junior developer noticing something and not feeling confident or capable to raise their hand and say something is not right here. You want a psychologically safe environment for everybody to raise an incident or query something that's not quite right. In the security pillar, there's a nice arc that starts with people and ends with people. It goes through all the technical stuff in the middle. But security is a 'people' responsibility. Serverless Craic from The Serverless Edge theserverlessedge.com @ServerlessEdge
In this episode of CISO Talks we talk all about least privilege. A lot of organizations don't really adhere fully to a least privilege model. We discuss how this reduces risk and we determine whether organizations are reducing their risk effectively. Guest in this episode: Reuven Aronashvili - Founder and CEO at CYE https://www.linkedin.com/in/reuven-aronashvili/ Also available on: IGTV: www.instagram.com/instalepide SoundCloud: bit.ly/2MYHwxR Spotify: spoti.fi/2N0XGXR iTunes: apple.co/2N0sO9P Follow us on Social Media: LinkedIn - bit.ly/2FWHKoM Twitter - bit.ly/2FWNO0C Instagram - bit.ly/2FWMxXj Facebook - bit.ly/2FXb2Ue
Tour your identity options when moving to the Zero Trust security model. Our last Essentials episode gave a high-level overview of the Zero Trust security model principles: identity, endpoints, applications, networks, infrastructure, and data. Join our host, Jeremy Chapman, as he unpacks the foundational layer of the model with identity. As the primary control plane for Zero Trust, it acts as the front door for people, service accounts, and devices as each requests access to resources. Identity is at the core of the Zero Trust concepts of never trust, always verify and grant the appropriate level of access through the principle of least privilege.

Verify Explicitly
Azure AD - easily implement additional protections to verify explicitly.
Multi-factor authentication (MFA) - requires an additional authentication factor. Replace passwords with Microsoft Authenticator, Windows Hello, or FIDO2 keys.
Activity reports in the Authentication methods - see who’s capable of MFA and passwordless authentication, how many recent registrations and by type.
Usage - see the distribution of MFA sign-ins and by method, as well as the number of password changes and resets.

Least Privilege access
Conditional Access in Azure AD - uses real-time intelligence at the time of sign-in to assess the risk level, then blocks or grants access.
Built-in Insights and Reporting - expose the impact of enabled policies pre- and post-enforcement.

► QUICK LINKS:
00:00 - Introduction
00:37 - Demo in Azure AD
01:47 - Azure AD Application Proxy
02:50 - How to set up multi-factor authentication
04:44 - Activity Reports for admins
05:21 - Least privileged access and conditional access
07:22 - Conditional Access Insights and Reporting
08:16 - Wrap up

► Link References:
For tips and demonstrations, check out our series at https://aka.ms/ZeroTrustMechanics
Learn more at https://aka.ms/zerotrust

► Unfamiliar with Microsoft Mechanics? We are Microsoft’s official video series for IT.
You can watch and share valuable content and demos of current and upcoming tech from the people who build it at #Microsoft. Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries?sub_confirmation=1 Join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog Watch or listen via podcast here: https://microsoftmechanics.libsyn.com/website ► Keep getting this insider knowledge, join us on social: Follow us on Twitter: https://twitter.com/MSFTMechanics Follow us on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/ Follow us on Facebook: https://facebook.com/microsoftmechanics/
In this episode Dennis talks about the Principle of Least Privilege and how it can be implemented (not only) on AWS. The official German-language podcast about Amazon Web Services (AWS), for the curious, cloud beginners and AWS experts, produced by Dennis Traub, Developer Advocate at AWS. For questions, suggestions and feedback, feel free to contact Dennis directly on Twitter (@dtraub) or by email at traubd@amazon.com.
Links on the topic:
- Wikipedia article on the topic - https://en.wikipedia.org/wiki/Principle_of_least_privilege
- Grant least privilege in the AWS IAM User Guide - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
- Articles on the topic in the AWS Security Blog - https://aws.amazon.com/blogs/security/tag/least-privilege/
For more info, tips and tricks about AWS and the cloud, follow Dennis on:
- Twitter - https://twitter.com/dtraub
- Twitch - https://www.twitch.tv/dennis_at_work
- YouTube - https://www.youtube.com/dennistraub
Description: In episode 4, Olav and Karim go through domain 6, Identity and Access Management, and domain 7, Privileged Access Management. Under domain 6 we explain why IAM has become so important and at the same time is one of the hardest cyber security domains, IAM best practice, 2FA and MFA, Least Privilege, SSO and Federation, Identity Governance and important
The appearance of safety and actual security often do not align as closely as we would like to think. As enterprise security products get "smarter", the access that they require to your most sensitive data grows. What are some of the risks associated with common classes of security products? Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw201
Zero Trust sounds impressive and futuristic, but it isn't really a new concept — and what does it actually mean? It is not that different from past trust models such as Trust But Verify and Least Privilege. So, here we are once again, stating the obvious: if we don't think differently about the problems we face, we're not going to be able to solve them. Security practitioners and managers are bombarded by marketing messages that require decoding and interpretation, and how to make a decision is, quite literally, more than a matter of trust. Do they listen to analysts, vendors, auditors, their peers, or their gut? Security professionals and their teams are expected to keep up with the changes as new industry reports come out and new technologies are brought to market. Still, they are often forced to continuously think differently about the problems they face in a confusing, distracting, and counterproductive way. This is simply not good for our industry or our businesses' security. In today's episode, we muse and question the status quo that has characterized our industry for the past 20 years. We go beyond this debate and beyond the Zero Trust concept to look at how organizations should evaluate not just their tech stack but also their teams, operations, and processes. We reflect on where trust fits in, how it plays a crucial role in a security program, and why it isn't binary in nature. Yes, you must think differently, but it's not a good idea to rely on others to think differently for you. Think for yourself and your organization — as you are the one that knows what matters the most for your business. Then, put your thinking cap on and enjoy this episode of Redefining Security. "You have this perfect plan, but then you hit the real world and no plan survives contact with the enemy." —Dr. Zulfikar Ramzan "Why do we keep doing this? We continue to chase technology. Why do we not think about the human? Why do we think about the process and procedures? Zero Trust would be great if we could actually know where the hell all the data was inside an environment." —Chris Roberts "We are our own worst enemy. We produce something that is beautiful in our head, but it doesn't work in practice." —Francesco Cipollone "We're always looking for the easy button as an industry and then blame vendors when they buy the easy button and it doesn't work." —Siân John Guest(s): Siân John | Zulfikar Ramzan | Chris Roberts | Francesco Cipollone This Episode's Sponsors: Nintex: https://itspm.ag/itspntweb To see and hear more podcasts and webcasts about Redefining CyberSecurity for your business, tune in to ITSPmagazine at: https://www.itspmagazine.com/redefining-cybersecurity Are you interested in advertising on ITSPmagazine?
In this episode we will discuss the overarching importance of securing privileged access throughout the organization as it relates to the overall security posture and compliance requirements. CyberArk's Principal Solutions Engineer Matt Tarr will explain the principle of least privilege, its regulatory and security aspects, and how least privilege can be enforced in a real-life implementation. He will also discuss concepts such as just-in-time privileged access, endpoint security, multi-factor authentication, password rotation and other important aspects of managing identity security and privileged access security as it relates to regulation including PCI DSS, GLBA and others. This segment is sponsored by CyberArk. Visit https://securityweekly.com/cyberark to learn more about them! Endpoint Privilege Manager Free Trial: https://www.cyberark.com/products/privileged-account-security-solution/endpoint-privilege-manager/endpoint-privilege-manager-free-trial/ Blueprint for PAM Implementation: https://www.cyberark.com/blueprint/ Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/scw39
Everything I am talking about is public knowledge and I do not speak for, or against, any company. Hope you enjoy. --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app Support this podcast: https://anchor.fm/james-sweet9/support
Least Privilege has become a pervasive term in cyber security these days. But what does Least Privilege actually mean? How has Zero Trust transformed into building trust and adaptive security that helps employees do their jobs efficiently and securely? Join Joseph Carson, Chief Security Scientist from Thycotic and author of “Least Privilege for Dummies,” along with Mike Gruen from Cybrary as they dive into the topic of Least Privilege and how it can transform an organization with more automation.
Welcome to the 13th episode of our Security Culture Campaign! On today's show Matt Konda discusses least privilege. Least Privilege is at first glance obvious and self-defining. It means only giving users the access they actually need to perform a particular task in a system. On its face, it seems like you would never give users more privileges than they need, so it should be something we do by default all the time. Examples where we apply least privilege include: Google Drive - who should be able to read, comment and edit on which drives and documents? AWS - what services does a given application need? Our custom code - what do the roles and privilege models look like? In practice, applying least privilege can be difficult for a couple of reasons. Learn more on the blog. Click here for the associated YouTube video. The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts. Click here to request a topic.
Access and entry security in a company begins at the entrance or factory gate. How do we control that the right people get access to the data or information they need at the right time? In conversation with Desirée Degutis from IBM, we clarify what the concepts Zero Trust and Least Privilege mean.
In this lively episode, fellow Irishman Joe Carson and I discuss a variety of inter-related cybersecurity topics around the overarching theme of Insider Threats. We covered a lot of ground in a short time. Check it out! ## Here's the episode timeline: 12:52 - Vendors talking risk. 17:44 - Business Risk 21:54 - Cyber Security Frameworks 24:46 - Insider Threats 33:50 - Cyber Insurance Fraud 35:54 - Data Classification & Shadow IT 48:15 - Q&A (Don't skip this!) ## About Joe: Joseph Carson has more than 25 years of experience in enterprise security, is an InfoSec award winner, and is the author of Privileged Account Management for Dummies and Cybersecurity for Dummies. He is a CISSP and an active member of the cyber community, speaking at conferences globally. He's a cybersecurity advisor to several governments, as well as critical infrastructure, financial, and maritime industries. ## Joe's Book, Least Privilege for Dummies ## Start a Privilege Manager Cloud Trial --- Send in a voice message: https://anchor.fm/cyberspeakslive/message
After the latest Microsoft Ignite conference, the enduring dilemma of how CISOs explain security matters to the C-Suite bubbled to the surface again. How technical do you get? Also, when the latest and greatest demos are given at one of the world's premier technology shows, it can be easy to get overwhelmed with fancy new tools. What's more important is to remember the basics: patching, least privilege, incident response, etc. Other articles discussed: Engineer fined for not disclosing a vulnerability responsibly Young Mirai botnet authors avoid jail time Is public shaming bad security a good idea? Tool of the week: cspparse - A tool to evaluate Content Security Policies Panelists: Cindy Ng, Kilian Englert, Matt Radolec, Mike Buckbee
Jon's roof doesn't collapse. Eric talks about a moon and snow caving. Then they actually talk about security stuff. Sorta. Thoughts on Chronicle, Alphabet's now named security company. Then, is there a solution for the AWS IAM permissions? And "Jackpotting" ATMs is the new thing in the US (Yay! WinXP!). Finally, Eric wants to know the first thing you bought on Amazon and Jon is looking to get stung. Links: Alphabet announces Chronicle: https://chronicle.security PolySwarm.io: https://polyswarm.io/ Using AWS X-Ray to achieve Least Privilege: https://medium.com/@glicht/using-aws-x-ray-to-achieve-least-privilege-permissions-93dfd6701318 Snyk.io: https://snyk.io/ Functional One - AWS Least Privilege: https://github.com/functionalone/aws-least-privilege Jackpotting: https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
Next up in the Critical Security Controls is number nine, Network Limits. Much like your users and computers, the network should be in a Least Privilege mode. Listen to hear the details and reasons behind this control. Be aware, be safe. ------------------------------------ Website - https://www.binaryblogger.com Twitter - https://www.twitter.com/binaryblogger iTunes - https://itunes.apple.com/us/podcast/security-in-five-podcast/id1247135894?mt=2 Podcast RSS - http://securityinfive.libsyn.com/rss YouTube - https://www.youtube.com/binaryblogger Email - contactme@binaryblogger.com Music in this episode: Greenhorn by Mystery Mammal is licensed under an Attribution-ShareAlike License.
Can Group Policy help protect your users' machines? Definitely! Richard chats with Jeremy Moskowitz about his ongoing work with group policy, including his cool tool, PolicyPak. Jeremy talks about applying least privilege principles via Group Policy, including a case of a patch from June 2016 that may have broken some of your group policies because the machine that has to apply them doesn't have sufficient privileges! Other important least privilege aspects discussed include better management of local admin accounts, control over who actually makes and changes group policy, and how to deal with users who want to install apps. Lots to learn!
Failing to properly isolate components in the same address space has resulted in a substantial amount of vulnerabilities. Enforcing the least privilege principle for memory accesses can selectively isolate software components to restrict attack surface and prevent unintended cross-component memory corruption. However, the boundaries and interactions between software components are hard to reason about and existing approaches have failed to stop attackers from exploiting vulnerabilities caused by poor isolation. We present the secure memory views (SMV) model: a practical and efficient model for secure and selective memory isolation in monolithic multithreaded applications. SMV is a third generation privilege separation technique that offers explicit access control of memory and allows concurrent threads within the same process to partially share or fully isolate their memory space in a controlled and parallel manner following application requirements. An evaluation of our prototype in the Linux kernel (TCB < 1,800 LOC) shows negligible runtime performance overhead in real-world applications including Cherokee web server (< 0.69%), Apache httpd web server (< 0.93%), and Mozilla Firefox web browser (< 1.89%) with at most 12 LOC changes. About the speaker: Terry Hsu is a PhD candidate at Purdue University studying memory systems and system security. His research is concerned with the development of operating systems. Particular topics of interest include memory model, memory safety, memory isolation, and operating system security
An individual should only be given the least amount of privilege necessary to do their job. Granting more access than is necessary can lead to unnecessary security violations. of the National Cybersecurity Institute explains.
Robert Verell and I chat about good security practices and the principle of least privilege. We discuss Robert's rule to never give anyone db_owner, other groups and Robert's home grown group to give instead of db_owner. Be sure to check out http://sqldatapartners.com/2015/08/19/principleofleastprivilege/ for the show notes.