Fastest 5 Minutes, The Podcast Government Contractors Can't Do Without
This week's episode covers two proposed rules implementing Executive Order 14028, “Improving the Nation's Cybersecurity,” the Department of Labor's announcement of a change in the minimum wage rates for federal contractors, and the White House directive that federal agencies incorporate interim Social Cost of Greenhouse Gases estimates into the procurement function, and is hosted by Peter Eyre and Yuan Zhou. Crowell & Moring's "Fastest 5 Minutes" is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts lawyer or executive should be without.
The Cyber Safety Review Board was created by a Biden administration Executive Order entitled, “Improving the Nation's Cybersecurity.” The Board reviews major cyber events and makes concrete recommendations that can drive improvements within the private and public sectors. Lawfare Senior Editor Stephanie Pell sat down with Robert Silvers, Under Secretary for Strategy, Policy, and Plans at the Department of Homeland Security and Chair of the Cyber Safety Review Board, to discuss the Board's mission and work. They talked about the two reports that the Board has issued, one that it's currently working on, and a legislative proposal from DHS that seeks to codify the Board in the law and ensure that the Board receives the information it needs to continue to advance the overall security and resiliency of our digital ecosystem.
Support this show: http://supporter.acast.com/lawfare. Hosted on Acast. See acast.com/privacy for more information.
The Department of Homeland Security's U.S. Citizenship and Immigration Services will be leveraging machine learning to make decisions on trusted users and devices for a more real-time zero trust model. USCIS Chief Information Security Officer Shane Barney said at a recent FedScoop event that his agency is going to be developing a more fluid and adaptive cybersecurity model. At the Zero Trust Summit produced by CyberScoop, Barney joined a panel with CGI's Chris Lavergne moderated by Scoop News Group's Mike Farrell to discuss the evolution of zero trust architecture across government. Executive Order 14028 turns two years old this May. The Biden Administration EO on Improving the Nation's Cybersecurity has been a spark plug for federal agencies to develop formal zero trust architecture implementation plans and to prioritize the adoption of cloud technologies. Also at Zero Trust Summit, Centers for Medicare and Medicaid Services CISO Robert Wood explains how the EO helped shape his organization's cybersecurity strategy. The Daily Scoop Podcast is available every Tuesday and Thursday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
Joining the podcast this week is Eric Mill, Senior Advisor on Technology and Cybersecurity to the Federal CIO in the Office of Management and Budget (OMB). We discuss some of the latest and most impactful security initiatives, policies and technologies in U.S. Government today – and highlights from some that OMB is helping to drive. We cover topics spanning the Executive Order on Improving the Nation's Cybersecurity, the Technology Modernization Fund, Zero Trust and what it has come to mean today, FIDO and PIV, and so much more! Eric also shares an interesting essay that is worth a read, “Reflections on Trusting Trust” by Ken Thompson. Read it here: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf.
Eric Mill: A leader in technology policy and cybersecurity, with a long background in public service. Eric currently serves in the Biden-Harris administration in the Office of Management and Budget as the Senior Advisor on Technology and Cybersecurity to the Federal Chief Information Officer, Clare Martorana. Prior to that, Eric was the Lead Product Manager for the security of the Chrome web browser at Google. In 2019, Eric worked for Senator Amy Klobuchar through the TechCongress program, with a focus on election security, vulnerability disclosure, and management of the .gov internet domain. Before that, Eric served in the 18F team at the U.S. General Services Administration, where he led the federal government's adoption of strong encryption for its online services. While at GSA, Eric oversaw Login.gov, which lets millions of people sign into U.S. public services securely and privately. Prior to 18F, Eric was a part of the Sunlight Foundation, a civil society group dedicated to government transparency. At Sunlight, Eric created open data services that helped the public follow government activity, advised Congress on its open data strategy, and provided expert guidance to anti-corruption NGOs around the world.
For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e207
The ITAM Executive: A Podcast for IT Asset Management Professionals
Host: Philippe de Raet, VP of Business Development at Anglepoint (https://www.linkedin.com/in/pderaet/)
Speaker: Blake DeShaw, Security Manager at Anglepoint
As the world becomes more connected, digital security is paramount—not simply for maintaining positive customer relations but for global security and safety. This is one of the most important parts of a robust ITAM & Security strategy, if not the most important. However, the task has never been more monumental. Not only do your organization's tens of thousands of networked devices need to be tracked, but even employees' personal devices, such as their phones and personal computers, need to be taken into consideration. Protecting information from cyber-attacks is so crucial that extensive Executive Orders are in place to guide what companies are accountable for. Executive Order 14028: Improving the Nation's Cybersecurity, released in 2021, was a direct result of the SolarWinds incident. Based on this EO, Memorandum M-22-18: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices was also recently released. Listen in as Blake dives into what this means for your organization.
We discuss:
- 3 major security breach case studies
- The triggers you need to keep an eye on
- The importance of accurate data, inventories, and usage
- How to reduce and mitigate security exposures
If you're interested in learning more about Blake, connect with him on LinkedIn (https://www.linkedin.com/in/blake-w-deshaw-52513661/). Dig into more insights from ITAM executives by subscribing on Apple Podcasts, Spotify, or wherever you listen to podcasts. Listening on a desktop & can't see the links? Just search for The ITAM Executive in your favorite podcast player.
In this episode of The Stream Life Podcast, Bradley chats with Sean Ellis and Desi Gavis-Houghson about the problems facing federal agencies with observability and security data.
Links:
Cribl Stream for the Public Sector
Download the FREE REPORT: The State of Security Data Management
3 Common Misconceptions about Executive Order 14028: Improving the Nation's Cybersecurity
If you want to get every episode of the Stream Life podcast automatically, you can subscribe on Apple Podcasts, Spotify, Pocket Casts, Overcast, RSS, or wherever you get your podcasts.
We all read the Executive Order on Improving the Nation's Cybersecurity when it came out. It was great at telling federal technology leaders “what.” Unfortunately, it was not too detailed on “how.” Today's discussion gives the listener a fantastic dose of practical applications. We have tech visionaries from the DoD, CISA, GSA, and CrowdStrike. They offer suggestions based on years of federal experience. The discussion ranges from gap analysis to prioritize needs to the evolution of the Trusted Internet Connection (TIC) from 1.0 to 3.0. Further, the analysis runs from the progress agencies have made in adopting a reference architecture to specific recommendations for the DoD to comply with zero trust. Kevin Gallo gives an overview of TIC. Initially, its goal was to limit the number of connections a federal agency had to outside sources. Since its inception in 2007, the federal government has seen an explosion in endpoints and cloud services. As a result, some view TIC 3.0 as a distributed cybersecurity policy enforcement tool. Speaking of the multiplicity of clouds, there are so many moving parts that any solution must include the ability to interconnect with many systems. Ned Miller from CrowdStrike talks about the millions of endpoints CrowdStrike has already secured in an incredibly complex system. For civilian agencies, the GSA is offering a Buyer's Guide that can assist leaders in assessing offerings that can lead to a stable zero-trust architecture. Additionally, GSA offers free workshops on implementing Zero Trust in which hundreds of federal technical people have participated. From the DoD, Randy Resnik gives the listener a detailed description of the 45 capabilities and the 151 activities that must be accomplished before an effective deployment of Zero Trust can be achieved. If that is not a full plate, the interview ends with a serious overview of threat hunting.
Perhaps this august group can meet again and provide more details on this important topic.
On this episode of the IoT: The Internet of Threats podcast, Mariam Baksh, Staff Reporter at Nextgov, joins podcast host Eric Greenwald to explore the evolution of cybersecurity regulation, from the Biden Administration's 2021 Executive Order on Improving the Nation's Cybersecurity to September's OMB Memorandum on software supply chain security. Mariam and Eric discuss the cybersecurity goals of the administration, the merits of first-party versus third-party attestation, and the fine line that NIST walks between effecting change in cybersecurity versus overwhelming the resources of security practitioners and compliance personnel.
Interview with Mariam Baksh
Mariam Baksh is a staff reporter for Nextgov, a Washington, DC-based publication that reports on federal IT and tech policy through journalism, podcasts, and more. In her role at Nextgov, Mariam reports on the development of federal cybersecurity policy. Mariam has been covering technology governance since 2014 and earned her master's degree in journalism and public affairs from American University.
In this episode, Eric and Mariam discuss:
- Why the Biden administration issued last year's EO
- NIST's balancing act between improving cybersecurity and avoiding the imposition of costly requirements on companies
- The challenges involved in measuring cybersecurity performance
- The implications of a first-party vs. third-party attestation model
- The value of an SBOM and its growing role in cybersecurity regulation
- Whether the EO or the OMB memo will deliver any enforcement on the requirements they impose
Find Mariam on LinkedIn: https://www.linkedin.com/in/mariam-baksh-99b1b428/
Learn more about Nextgov: https://www.linkedin.com/company/Nextgov/
Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems.
If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast. To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/. Note: This interview has been edited for length and clarity.
FEATURED VOICES IN THIS EPISODE
Clint Bruce
Clint Bruce is a former Navy Special Warfare Officer, a graduate of the US Naval Academy, a decorated athlete, and a seasoned entrepreneur. A 4-year letter winner at Navy playing middle linebacker, and captain and MVP of the '96 Aloha Bowl Championship team, he was named to multiple all-star teams his senior year. He enjoyed opportunities with both the Baltimore Ravens and New Orleans Saints and was inducted into the Navy/Marine Corps Stadium Hall of Fame in 2009. Clint's desire to serve was deep and firmly rooted. He left the NFL to pursue becoming a Navy SEAL and successfully completed BUD/S (Basic Underwater Demolition/SEAL training) in 1998 with Class 217. Joining SEAL Team FIVE, Clint completed multiple deployments pre- and post-9/11, directly involved in counter-terrorism and national security missions globally. He is a co-founder of Carry the Load, which was founded to restore true meaning to Memorial Day and to celebrate the service and sacrifice of police, fire, and rescue personnel and their families during the month of May. Clint lives in Dallas with his college sweetheart and three daughters who are not impressed that he played football or was a Navy SEAL.
Patrick Gray
Patrick Gray is the producer and presenter of Risky Business, a weekly information security podcast that launched in 2007. He was formerly a journalist for publications including Wired.com, ZDNet Australia, The Sydney Morning Herald, The Age, The Bulletin (magazine) and Men's Style Australia.
Eric Olson
Eric Olson is the Director of Threat Intelligence for JetBlue Airways. A threat intelligence professional for more than 20 years, Eric has held executive roles including Senior Vice President of Product Management and Vice President, Intelligence Operations, at LookingGlass Cyber Solutions, and was VP of Product Strategy at Cyveillance.
Allan Friedman
Allan Friedman is Senior Advisor and Strategist at the United States Cybersecurity and Infrastructure Security Agency, and one of the nation's leading experts on Software Bill of Materials. Allan leads CISA's efforts to coordinate SBOM initiatives inside and outside the US government, and around the world. He is known for applying technical and policy expertise to help audiences understand the pathways to change in an engaging fashion, and is frequently invited to speak or keynote to industry, academic, and public audiences. Wearing the hats of both a technologist and a policy maker, Allan has over 15 years of experience in international cybersecurity and technology policy. His experience and research focus on economic and market analyses of information security. On the practical side, he has designed, convened, and facilitated national and international multistakeholder processes that have produced real results, helping diverse organizations find common ground on contentious, cutting-edge issues.
Evan Sultanik, PhD
Evan Sultanik is a Principal Computer Security Researcher at Trail of Bits. A computer scientist with extensive experience both in industry (as a software engineer) and academia, Evan is an active contributor to open source software. He is the author of more than two dozen peer-reviewed academic papers, and is particularly interested in intelligent, distributed/peer-to-peer systems. Evan is editor of and frequent contributor to the International Journal of PoC||GTFO.
William Woodruff
William Woodruff is a senior security engineer at Trail of Bits, contributing to the engineering and research practices in work for corporate and governmental clients. He has developed several of our open-source projects (e.g., twa, winchecksec, KRF, and mishegos). His work focuses on fuzzing, program analysis, and automated vulnerability reasoning. Outside of Trail of Bits, William helps to maintain the Homebrew project, the dominant macOS package manager. Before joining Trail of Bits, he was a software engineering intern at Cipher Tech Solutions, a small defense subcontractor. He has participated in the Google Summer of Code for four years (two as a student, two as a mentor) and taught a class in ethical hacking as a college senior. William holds a BA in philosophy from the University of Maryland (2018).
HOST: Nick Selby
An accomplished information and physical security professional, Nick leads the Software Assurance Practice at Trail of Bits, giving customers at some of the world's most targeted companies a comprehensive understanding of their security landscape. He is the creator of the Trail of Bits podcast, and does everything from writing scripts to conducting interviews to audio engineering to Foley (e.g. biting into pickles). Prior to Trail of Bits, Nick was Director of Cyber Intelligence and Investigations at the NYPD; the CSO of a blockchain startup; and VP of Operations at an industry analysis firm.
PRODUCTION STAFF
Story Editor: Chris Julin
Associate Editor: Emily Haavik
Executive Producer: Nick Selby
Executive Producer: Dan Guido
RECORDING
Recorded at Rocky Hill Studios, Ghent, NY - Nick Selby, Engineer; 22Springroad Tonstudio, Übersee, Germany - Volker Lesch, Engineer.
Remote recordings were conducted at Whistler, BC, Canada (Nick Selby); Clint Bruce was recorded in a Google Meet session; Patrick Gray provided recordings of himself from Australia, courtesy of the Risky Business podcast; Eric Olson recorded himself on an iPhone; Allan Friedman was recorded in Washington, DC (tape sync by George Mocharko).
Trail of Bits supports and adheres to the Tape Syncers United Fair Rates Card.
Edited by Emily Haavik and Chris Julin
Mastered by Chris Julin
MUSIC
Dispatches From Technology's Future, the Trail of Bits theme, Chris Julin
EVERYBODY GET UP - No Vocals & FX - Ian Post
JD SCAVENGER by Randy Sharp
RIPPLES by Tamuz Dekel
FUTURE PERFECT, Evgeny Bardyuzha
THE SWINDLER, The Original Orchestra
BLUE - ALTERNATIVE - INSTRUMENTAL VERSION by Faith Richards
OU ALLONS NOUS D'ICI - INSTRUMENTAL, Dan Zeitune
LITTLE EDGY, Chris Julin
SCAPES: Gray North
Reproduction
With the exception of any copyrighted music herein, Trail of Bits Season 1 Episode 3: It Depends © 2022 by Trail of Bits is licensed under Attribution-NonCommercial-NoDerivatives 4.0 International. This license allows reuse: reusers may copy and distribute the material in any medium or format in unadapted form and for noncommercial purposes only (noncommercial means not primarily intended for or directed towards commercial advantage or monetary compensation), provided that reusers give credit to Trail of Bits as the creator. No derivatives or adaptations of this work are permitted. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
Referenced in this Episode:
The original blog post announcing the availability of It Depends describes the history you just heard with more technical specificity, and also of course links to the GitHub repository where you can download It Depends and try it for yourself. That blog post also links to the repository where you can download pip-audit, and give that a whirl.
In the 2021 Executive Order on Improving the Nation's Cybersecurity, the Biden Administration announced that it would require SBOMs for all software vendors selling to the federal government.
Dependabot is a tool available to GitHub users.
If you're interested in the catalog of open source projects Trail of Bits participates in and contributes to, please read the blog post Celebrating our 2021 Open Source Contributions. There, you can read about our work contributing, for example, to LLVM (the compiler and toolchain technologies we discuss in the podcast episode Future) and to Pwndbg, a GDB plug-in that makes debugging with GDB “suck less.” The post includes links to contributions our engineer consultants have made to a huge range of open source projects from assert-rs to ZenGo-X.
Meet the Team:
CHRIS JULIN
Chris Julin has spent years telling audio stories and helping other people tell theirs. These days he works as a story editor and producer for news outlets like APM Reports, West Virginia Public Broadcasting, and Marketplace. He has also taught and mentored hundreds of young journalists as a professor. For the Trail of Bits podcast, he serves as story and music editor, sound designer, and mixing and mastering engineer.
EMILY HAAVIK
For the past 10 years Emily Haavik has worked as a broadcast journalist in radio, television, and digital media. She's spent time writing, reporting, covering courts, producing investigative podcasts, and serving as an editorial manager. She now works as an audio producer for several production shops including Us & Them from West Virginia Public Broadcasting and PRX, and APM Reports. For the Trail of Bits podcast, she helps with scripting, interviews, story concepts, and audio production.
On this week's State of Identity, host Cameron D'Ambrosi welcomes Mike Vesey, CEO at IdRamp for an action-packed discussion surrounding zero-trust frameworks, identity orchestration, and interoperability. They explore low-code/no-code orchestration services, what to consider when making long-term complex identity decisions, and what the US is doing to protect Americans from sophisticated cyber threats after the White House issued Executive Order 14028 on Improving the Nation's Cybersecurity.
It's been almost a year since the White House issued its Executive Order on Improving the Nation's Cybersecurity that mandates agencies and departments execute a Zero Trust security strategy. As the Cybersecurity & Infrastructure Security Agency, National Security Agency, Department of Defense and others lead this federal march to Zero Trust, the question becomes, is the timeline fast enough? And as cyber warfare escalates, how can private and public sectors work together to strengthen critical infrastructure and universal cybersecurity defenses with Zero Trust?
Guests: Steve Haselhorst, Zero Trust Program Manager, OCISO Organization, FDIC; Michael Friedrich, VP, Federal Technical Strategy and Innovation, Appgate
Moderator: George Wilkes, VP of Demand Generation, Appgate
For more Zero Trust security resources, visit www.appgate.com.
Almost a year after President Biden signed an Executive Order on “Improving the Nation's Cybersecurity,” federal agencies are beginning their zero-trust journeys. According to one cybersecurity expert, the time is now for action. “This is something that's more akin to transformation,” says Steve Faehl, security chief technology officer for Microsoft Federal. “Zero trust is that security transformation, and it's based on lessons learned. We can't wait to implement lessons learned… and so as a result, we need to be agile.” This podcast was produced by Scoop News Group for The Daily Scoop Podcast and underwritten by Microsoft.
Guest: Steve Faehl, security chief technology officer, Microsoft Federal
Host: Francis Rose, The Daily Scoop Podcast, Scoop News Group
Domestic Preparedness and Homeland Security Audio Interviews
Cybersecurity and Compliance with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
In today's episode, the PTG team breaks down, step-by-step, the safeguards recommended by the White House in their special announcement, released on Monday, March 21, 2022, entitled "Statement by President Biden on our Nation's Cybersecurity," as well as the accompanying "FACT SHEET: Act Now to Protect Against Potential Cyberattacks," in which the Biden Administration gives Americans guidance on hardening your cyber defenses to protect against a looming cyberwar with Russia.
Political differences aside, the White House gives US citizens (mostly) great advice (with just a few caveats). Listen now to find out what steps YOU can take to secure your home and your business.
Today's Links:
STATEMENT: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/
FACT SHEET: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/
Host: Craig
Co-Hosts: BJ & Erin
Please like, subscribe and visit all of our properties at:
YouTube: https://www.youtube.com/channel/UC8Hgyv0SzIqLfKqQ03ch0Bg
YouTube: https://www.youtube.com/channel/UCa9l3tgOOHMJ6dClNn8BiqQ
Podcasts: https://petronellatech.com/podcasts/
Website: https://compliancearmor.com
Website: https://blockchainsecurity.com
LinkedIn: https://www.linkedin.com/in/cybersecurity-compliance/
Please be sure to call 877-468-2721 or visit https://petronellatech.com
In this follow-up podcast, Heather chats with Hurricane Labs' Director of Security Operations about further security implications of the Russia-Ukraine conflict. Also, make sure to check out some of the articles and resources mentioned during this episode:
SOC Talk: The Russia-Ukraine Crisis, Part 1
Statement by President Biden on our Nation's Cybersecurity (Full)
Act Now to Protect Against Potential Cyberattacks – Security hardening recommendations via the Biden-Harris Administration
President Signs New Executive Order Charting New Course to Improve the Nation's Cybersecurity and Protect Federal Government Networks
Backdoors & Breaches via Black Hills Information Security
Russia Cyber Threat Overview and Advisories via CISA
How to Run a Security Tabletop Scenario via Hurricane Labs
Need help with your security? Contact us!
Cybersecurity and Compliance with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
*** In order to get the breaking cyber news to you guys FAST, we are posting these right after the live broadcast! If you prefer your news more filtered, keep an eye out for the edited posting tomorrow! ***
In today's episode, the PTG team breaks down, step-by-step, the safeguards recommended by the White House in their special announcement, released on Monday, March 21, 2022, entitled "Statement by President Biden on our Nation's Cybersecurity," as well as the accompanying "FACT SHEET: Act Now to Protect Against Potential Cyberattacks," in which the Biden Administration gives Americans guidance on hardening your cyber defenses to protect against a looming cyberwar with Russia.
Political differences aside, the White House gives US citizens (mostly) great advice (with just a few caveats). Listen now to find out what steps YOU can take to secure your home and your business.
Today's Links:
STATEMENT: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/
FACT SHEET: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/
Host: Craig
Co-Hosts: BJ & Erin
Please like, subscribe and visit all of our properties at:
YouTube: https://www.youtube.com/channel/UC8Hgyv0SzIqLfKqQ03ch0Bg
YouTube: https://www.youtube.com/channel/UCa9l3tgOOHMJ6dClNn8BiqQ
Podcasts: https://petronellatech.com/podcasts/
Website: https://compliancearmor.com
Website: https://blockchainsecurity.com
LinkedIn: https://www.linkedin.com/in/cybersecurity-compliance/
Please be sure to call 877-468-2721 or visit https://petronellatech.com
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Maldoc Cleaned by Anti-Virus: https://isc.sans.edu/forums/diary/Maldoc+Cleaned+by+AntiVirus/28460/
Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
IBM Spectrum Protect Update: https://www.ibm.com/support/pages/node/6564745
Lapsus$ May have Breached Microsoft: https://www.theregister.com/2022/03/21/microsoft_lapsus_breach_probe/
Statement by President Biden on our Nation's Cybersecurity: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/
Guests Amelie Koran, formerly the Senior Technology Advisor at Splunk and now Director of External Technology Relations at Electronic Arts (EA), and Lauren Bedula, Managing Director at Beacon Global Strategies, debunk myths, highlight areas of tension, and offer insights into how to improve the relationship between two cultures that are often framed as worlds apart.
References: Executive Order (EO) on Improving the Nation's Cybersecurity (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)
With SolarWinds, Colonial Pipeline and a rash of other alarming breaches, it's no surprise that cybersecurity regulation is ramping up. In May, President Biden signed an Executive Order “Improving the Nation's Cybersecurity.” And, now there are more than 130 bills making their way through Congress. That's only taking into account what's going on at the Federal level. States also are getting in on the action. In this episode of Cybersecurity Simplified, we'll discuss some of the new and proposed rules and how they may impact your cybersecurity strategies.
In this episode of S&C's Critical Insights, Tony Lewis and Kamil Shields discuss two Department of Justice announcements—the launch of a Civil Cyber-Fraud Initiative and the creation of a National Cryptocurrency Enforcement Team. They also explore how these measures, alongside a series of recent high-profile cybercrime incidents and enforcement actions, fit into the DOJ's comprehensive cyber strategy following the issuance of recent DOJ policy related to cryptocurrency enforcement and President Biden's executive order to strengthen the nation's cybersecurity infrastructure.
In the end, any IT system is only as secure as its various components. Federal, state, and local agencies have learned that the hard way, as software platform and application providers have been hacked as a way to get into government systems. The Executive Order on Improving the Nation's Cybersecurity issued by the White House in May dedicates Section 4 to the topic of enhancing the security of the software supply chain.
Cheryl Davis, senior director for Strategic Initiatives at Oracle, joins host Roger Waldron on Off the Shelf to discuss the many cyber security challenges facing contractors and the federal government.
President Biden's May 2021 formal compliance mandate for federal civilian executive branch agencies, or FCEBs, to include specific short-term and long-term deadlines designed to enhance the federal government's digital defense posture.
In this week's episode, we hear from an esteemed panel of cybersecurity professionals on two big ticket items of this year: President Biden's Executive Order on Improving the Nation's Cybersecurity, and the Rule 41 Search and Seizure warrant obtained by the FBI in response to the Microsoft Exchange Server data breach this past spring. This panel is moderated by ABA Cybersecurity Legal Task Force Co-Chair Claudia Rast Speakers: Dan Sutherland is the Chief Counsel for CISA: https://www.cisa.gov/dan-sutherland Christopher Peters is the Chief Security Officer at Entergy: https://www.linkedin.com/in/peterscso/ Terrence Berg is a U.S. District Court Judge for the Eastern District of Michigan: https://www.mied.uscourts.gov/index.cfm?pageFunction=chambers&judgeid=37 To view the full webinar: https://www.americanbar.org/groups/cybersecurity/ Executive Order on Improving the Nation's Cybersecurity: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ Rule 41 Search and Seizure: https://casetext.com/statute/united-states-code/title-18-appendix/federal-rules-of-criminal-procedure/section-41-search-and-seizure
Links:
How to Make Your Next Third-Party Risk Conversation Less Awkward: https://www.darkreading.com/vulnerabilities-threats/how-to-make-your-next-third-party-risk-conversation-less-awkward
5 Vexing Cloud Security Issues: https://www.itprotoday.com/hybrid-cloud/5-vexing-cloud-security-issues
Attackers Increasingly Target Linux in the Cloud: https://www.darkreading.com/threat-intelligence/attackers-increasingly-target-linux-in-the-cloud
Top 5 Best Practices for Cloud Security: https://www.infosecurity-magazine.com/magazine-features/top-5-best-practices-for-cloud/
Zix Releases 2021 Mid-Year Global Threat Report: https://www.darkreading.com/cloud/zix-releases-2021-mid-year-global-threat-report
The big three innovations transforming cloud security: https://siliconangle.com/2021/08/21/big-three-innovations-transforming-cloud-security/
The Benefits of a Cloud Security Posture Assessment: https://fedtechmagazine.com/article/2021/08/benefits-cloud-security-posture-assessment
How to Maintain Accountability in a Hybrid Environment: https://www.darkreading.com/cloud/how-to-maintain-accountability-in-a-hybrid-environment
6 Cloud Security Must-Haves–with Help from CSPM, CWPP or CNAPP: https://www.eweek.com/security/6-cloud-security-must-haves-with-help-from-cspm-cwpp-or-cnapp/
The hybrid-cloud security road map: https://www.techradar.com/news/the-hybrid-cloud-security-road-map
How Biden's Cloud Security Executive Order Stacks Up to Industry Expectations: https://securityintelligence.com/articles/biden-executive-order-industry-expectations/
Cloud Security: Adopting a Structured Approach: https://customerthink.com/cloud-security-adopting-a-structured-approach/
The Overlooked Security Risks of the Cloud: https://threatpost.com/security-risks-cloud/168754/

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Corey: This episode is sponsored in part by Thinkst Canary.
This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It's an awesome approach to detecting breaches. I've used something similar for years myself before I found them. Check them out. But wait, there's more, because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It's awesome. If you don't do something like this, instead you're likely to find out that you've gotten breached the very hard way. So, check it out. It's one of those few things that I look at and say, "Wow, that is an amazing idea. I am so glad I found them. I love it." Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You'll know which one of those you fall into. Take a look. I'm a big fan. More to come from Thinkst Canary in the weeks ahead.

Jesse: It is 2021. Conference calls and remote meetings have the same decade-old problems. Connection drops, asking if anyone can hear us, asking if anyone can see our screen, even though we can clearly see the platform is in sharing mode with our window front and center. Why is this so hard? We live in the golden age of the cloud. Shouldn't we be easily connecting and sharing like we're in the same room rather than across the planet? Yes, we should. Sure, there have been improvements, and now we can do high-quality video, connect dozens or hundreds of people from everywhere on a webinar, and usually most of us can manage a video meeting with some screen sharing. I don't understand how we can have Amazon Chime, WebEx, Teams, Zoom, Google Meet—or whatever it's called this month—GoToMeeting, Adobe Connect, FaceTime, and other options, and still not have a decent way for multiple people to see and hear one another and share a document, or an application, or screen without routine problems. All of these are cloud-based solutions. Why do they all suck? When I have to use some of these platforms, I dread the coming meeting. The worst I've seen is Amazon Chime—yes, that's you, Amazon—Microsoft Teams—as always—and Adobe Connect. Oof. The rest are largely similar with more or less the same features and quality, except FaceTime, which is still only a personal use platform and not so great for conferences for work. I just want one of these to not suck so much.

Meanwhile in the news.

How to Make Your Next Third-Party Risk Conversation Less Awkward. You know that moment. Someone asks a question at the networking event. The deafening silence while you stare at the floor trying to find a way to get out of embarrassing yourself. Do your future self a favor and do some work before this happens again. You'll feel better and you'll have better visibility while improving your security posture.

5 Vexing Cloud Security Issues. Unlike the tips and best practices list, this one is a 'don't be stupid' type list. Some of these are foundational basic security steps. Watch out for the zombies.

Attackers Increasingly Target Linux in the Cloud. Linux is the most common cloud-hosted OS. It shouldn't be surprising that it's the most common platform to attack, as well. Secure and monitor your cloud hosts closely. This is also a good reason to consider pushing toward a dynamic services model without traditional operating system footprints.

Top 5 Best Practices for Cloud Security. Oh, yay. Another top number list for newbs. We all need reminding of the basics of best practices, especially as they evolve. Are you doing these five things? Why not?

Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Zix Releases 2021 Mid-Year Global Threat Report. I suggest looking at the whole report; however, know attackers are using email, SMS and text messages, and customizing phishing more than ever before. Your people are going to see more social engineering attacks, so be sure everyone understands the basics of what types of things not to say on the phone and the usual about not following URLs in messages and emails.

The big three innovations transforming cloud security. CASB, SASE, and CSPM—pronounced 'cazzbee', 'sassy' and, well, nothing fancy for CSPM that rolls off the tongue, so just use the letters—are your new friends. With the three of these used for your cloud environment, you'll have better visibility and control of your risk profile and security posture.

The Benefits of a Cloud Security Posture Assessment. Okay, so we've covered CSPM some, but you need a CSPA before you implement your CSPM. I tried to use more acronyms but I ran out of energy. Seriously, an assessment of your risks and security posture is invaluable. Without it, you may be missing vital areas that leave you exposed.

How to Maintain Accountability in a Hybrid Environment. If you support delivery of services to mobile apps, you should consider the security of the client end as it relates to your application. You could get caught by some nasty surprises, no matter how secure your server environment appears to be.

6 Cloud Security Must-Haves–with Help from CSPM, CWPP or CNAPP. Gartner loves making up—I mean defining—new markets so they can invent new acronyms and sell us yet another Magic Quadrant subscription. Sadly, it's the lens through which we must view the industry because media and vendors rely too much on Gartner Magic Quadrants.

The hybrid-cloud security road map. Migrating some or all of our services to the cloud can feel like scaling an inverted cliff with butter on our hands, but it's easier than you think. Sometimes we just need some gentle guidance on an approach that might work for us.

How Biden's Cloud Security Executive Order Stacks Up to Industry Expectations. US President Biden's Executive Order number 14028, "Executive Order on Improving the Nation's Cybersecurity," is surprisingly relevant to the real problems we face in cybersecurity every day. If you don't have time or energy to read the entirety of the 24-page document, you should understand the impact of it. Hint: it's a good thing for security.

Cloud Security: Adopting a Structured Approach. Sure, the basics are largely the same as security in non-cloud environments. However, there are new ways to implement many of these security measures, and if you aren't careful, you will miss all the new ways you must protect your resources and services that either change or are wholly new in the cloud.

The Overlooked Security Risks of the Cloud. It's easy to think moving things to the cloud offloads work and lowers our risk profiles. Don't forget there are tradeoffs. We have to do more and different security things to ensure our services, data, and users are protected.

And now for the Tip of the Week. Lock down your AMIs. If you have Amazon Machine Images—or AMIs—be sure they aren't available to other people. Even if these don't have your proprietary information in them, they do disclose your foundational EC2 image, so attackers can more easily tailor their approach to get into your real infrastructure. Ensure your AMI permissions are restrictive so the public can't touch them. Go to your AWS Console, EC2, and then AMIs. Select your AMIs, and then Actions, Modify Image Permissions, and then add your accounts. And that's it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
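The Tip of the Week in the transcript above walks through the console. The script below is an added example, not code from the Meanwhile in Security episode or its host, that performs the same audit programmatically: an AMI is public when its launchPermission attribute carries the "all" group, and any UserId entry is a cross-account grant that should be on an allow list. The AMI IDs and account numbers are constructed sample data in the shape the EC2 API returns, so the audit helpers run offline; audit_live() at the bottom wires the same logic to boto3 and is only useful with the library installed and credentials configured.

```python
"""Audit EC2 AMI launch permissions and build the revocation request.

The helpers operate on the dict returned by
ec2.describe_image_attribute(Attribute="launchPermission"), so they need no
AWS access; audit_live() wires them to boto3 when it is installed.
"""
from __future__ import annotations

# Constructed sample data (hypothetical AMI IDs and account numbers).
SAMPLE_ATTRIBUTES: dict[str, dict] = {
    "ami-0123456789abcdef0": {  # public, and also shared with an extra account
        "ImageId": "ami-0123456789abcdef0",
        "LaunchPermissions": [{"Group": "all"}, {"UserId": "111122223333"}],
    },
    "ami-0fedcba9876543210": {  # shared only with an approved account
        "ImageId": "ami-0fedcba9876543210",
        "LaunchPermissions": [{"UserId": "444455556666"}],
    },
    "ami-0aaaaaaaaaaaaaaaa": {  # not shared at all
        "ImageId": "ami-0aaaaaaaaaaaaaaaa",
        "LaunchPermissions": [],
    },
}


def is_public(launch_permissions: list[dict]) -> bool:
    """True when anyone can launch the image (the 'all' group is granted)."""
    return any(perm.get("Group") == "all" for perm in launch_permissions)


def shared_accounts(launch_permissions: list[dict]) -> list[str]:
    """Account IDs the image is explicitly shared with, sorted for stable output."""
    return sorted(perm["UserId"] for perm in launch_permissions if "UserId" in perm)


def audit(attributes: dict[str, dict], allowed_accounts: set[str]) -> dict[str, list[str]]:
    """Map each AMI with an unexpected grant to its findings.

    Findings are 'public' for the 'all' group and 'shared-with:<account>' for
    every account outside allowed_accounts. Clean images are omitted.
    """
    findings: dict[str, list[str]] = {}
    for image_id, attr in attributes.items():
        perms = attr.get("LaunchPermissions", [])
        issues = ["public"] if is_public(perms) else []
        issues += [f"shared-with:{acct}" for acct in shared_accounts(perms)
                   if acct not in allowed_accounts]
        if issues:
            findings[image_id] = issues
    return findings


def remediation_request(image_id: str, launch_permissions: list[dict],
                        allowed_accounts: set[str]) -> dict | None:
    """Keyword arguments for ec2.modify_image_attribute() that revoke every
    unexpected grant, or None when the image is already locked down."""
    remove = [{"Group": "all"}] if is_public(launch_permissions) else []
    remove += [{"UserId": acct} for acct in shared_accounts(launch_permissions)
               if acct not in allowed_accounts]
    if not remove:
        return None
    return {
        "ImageId": image_id,
        "Attribute": "launchPermission",
        "LaunchPermission": {"Remove": remove},
    }


def audit_live(region: str, allowed_accounts: set[str], dry_run: bool = True) -> dict[str, list[str]]:
    """Run the audit over the AMIs this account owns (needs boto3 and credentials)."""
    import boto3  # imported here so the offline helpers carry no dependency

    ec2 = boto3.client("ec2", region_name=region)
    attributes = {
        image["ImageId"]: ec2.describe_image_attribute(
            ImageId=image["ImageId"], Attribute="launchPermission")
        for image in ec2.describe_images(Owners=["self"])["Images"]
    }
    findings = audit(attributes, allowed_accounts)
    for image_id, issues in findings.items():
        request = remediation_request(
            image_id, attributes[image_id]["LaunchPermissions"], allowed_accounts)
        print(f"{image_id}: {', '.join(issues)} -> modify_image_attribute({request})")
        if not dry_run:  # default is report-only; pass dry_run=False to revoke
            ec2.modify_image_attribute(**request)
    return findings


if __name__ == "__main__":
    approved = {"444455556666"}  # hypothetical account allowed to launch our images
    for ami, issues in audit(SAMPLE_ATTRIBUTES, approved).items():
        print(ami, issues)
        print("  fix:", remediation_request(
            ami, SAMPLE_ATTRIBUTES[ami]["LaunchPermissions"], approved))
```

The audit treats any UserId not on the allow list as a finding, not just the "all" group, because an AMI shared with a forgotten partner account leaks the same base image as a public one. The live path defaults to dry_run=True so a first run only reports; the request it prints is exactly what modify_image_attribute() receives when you rerun with dry_run=False.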
Guest Tomislav Peričin, Reversing Labs' Chief Software Architect and Co-Founder, joins Dave to discuss his team's research that addresses the importance of validating third-party software components as a way to manage the risks that they can introduce. Developing software solutions is a complex task requiring a lot of time and resources. In order to accelerate time to market and reduce the cost, software developers create smaller pieces of functional code which can be reused across many projects. The concept of code reuse is one of the cornerstones of modern software engineering and it is universally accepted that everybody should strive towards it. However, in addition to the positives, organizations need to be aware of the security risks introduced by such third-party components. The growing number of cyber incidents that target the software supply chain is focused on high-value target compromises. With the latest surge and public uproar, President Biden has issued the Executive Order on Improving the Nation's Cybersecurity in order to create an institutional framework addressing these kinds of security risks. The research can be found here: Third-party code comes with some baggage
In the Season 1 Finale, Yosef Lehrman talks to Nick and Chris about the Executive Order on Improving the Nation's Cybersecurity.
Podcast: Hack the Plant. Episode: Biden Admin's Cybersecurity Executive Order. Pub date: 2021-07-27.
On May 12, 2021, the Biden Administration issued an Executive Order "On Improving the Nation's Cybersecurity." This came in the wake of attacks drawing national attention: the SolarWinds supply-chain compromise, the Colonial Pipeline ransomware attack, and more. We take a deep dive into the Executive Order, and what it means for public and private efforts to keep our critical infrastructure safe, with two attorneys and cybersecurity experts. Megan Brown is a Partner at Wiley Rein. She has deep expertise in cybersecurity and data privacy issues, working for national and global companies on cutting edge compliance and risk management. Liz Wharton is the Chief of Staff at SCYTHE, where she serves as a strategic advisor for the CEO and leadership team, building and maintaining cross-department relationships, crafting external initiatives, and driving day-to-day projects and tasks. Previously she was the Senior Assistant City Attorney with the City of Atlanta, where she served on the immediate incident response team for the City of Atlanta's ransomware incident.
Please join industry experts as they discuss White House Executive Order 14028, Improving the Nation's Cybersecurity focusing on improving Threat Intelligence sharing and predictive security.
Join Scott Young and Shaun Sturby from Optrics Engineering as they discuss the Dell BIOSConnect vulnerability, the 1 billion records that were leaked from CVS Health, Western Digital's My Book remote factory reset issue and the Zero Trust cybersecurity framework. For more IT tips go to: > www.OptricsInsider.com
Timecodes:
0:00 - Intro
0:19 - Today's 4 topics
0:42 - Topic 1: Dell BIOSConnect Vulnerability
4:14 - Topic 2: CVS Health Leak
10:48 - Topic 3: Western Digital My Book Remote Factory Reset
15:10 - Topic 4: Zero Trust
21:15 - Closing remarks
Dell BIOSConnect Vulnerability:
> Eclypsium Discovers Multiple Vulnerabilities Affecting 129 Dell Models via Dell Remote OS Recovery and Firmware Update Capabilities
> DSA-2021-106: Dell Client Platform Security Update for Multiple Vulnerabilities in the BIOSConnect and HTTPS Boot features as part of the Dell Client BIOS
> Dell SupportAssist contained RCE flaw allowing miscreants to remotely reflash your BIOS with code of their creation
WD My Book Live and My Book Live Duo getting a remote factory reset - all data appears gone:
> Important Announcement About Your WD My Book Live Product: WDC-21008
> Recommended Security Measures for WD My Book Live and WD My Book Live Duo
Zero Trust cybersecurity - moving from hard shell / soft center to NoTrustForYou!:
> Executive Order on Improving the Nation's Cybersecurity
> https://en.wikipedia.org/wiki/Zero_trust_security_model
> What is Zero Trust? A model for more effective security
> Embrace Proactive Security with Zero Trust
Need help with your network security? We can help! Contact us at: > www.Optrics.com
In this episode, host Evan Wolff discusses the Biden Administration's recent Executive Order on Improving the Nation's Cybersecurity. Crowell & Moring's “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces.
Allan Friedman of the National Telecommunications and Information Administration (NTIA) has long been one of the world's leading proponents of Software Bill of Materials, or SBOM. With the President's Executive Order on Improving the Nation's Cybersecurity, SBOM has begun to receive the wider attention it deserves, and Allan joins Chris and Nick to discuss SBOM and how it can help with tech debt burndown.
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. In this special episode, our host Brian Selfridge provides a rundown of the presidential executive order, Improving the Nation's Cybersecurity, signed by President Biden in May. Also covered is the executive order, America's Supply Chains, signed in February of this year. The May executive order is the second and most comprehensive of the two executive orders issued by President Biden on cybersecurity topics this year. Brian provides a summary of the orders and discusses implications for healthcare entities. Analysis is provided for key topics from the executive order, including:
Enabling the sharing of threat intelligence and protection mechanisms
Modernizing federal government cybersecurity
Enhancing software supply chain security
The establishment of a cyber safety review board
Standardizing the federal government's playbook for responding to cybersecurity incidents and vulnerabilities
Improving detection of cybersecurity vulnerabilities and incidents on federal government networks
Improving the federal government's investigative and remediation capabilities
National security systems requirements
The Zscaler CISO team delves into what happened at Colonial Pipeline, and the federal government's response to the attack in the form of the Executive Order on Improving the Nation's Cybersecurity. Topics covered:
What the Colonial Pipeline attack was
The nature of ransomware attacks
The issues with Colonial Pipeline's response
Some details on how the new EO addresses Colonial Pipeline reporting failures
Join Scott Young and Shaun Sturby from Optrics Engineering as they discuss President Biden's recent executive order on cybersecurity as well as the Outlook email bug that Microsoft recently fixed. For more IT tips go to: > www.OptricsInsider.com
Timecodes:
0:00 - Intro
0:20 - Today's 2 topics
0:33 - Topic 1: US Executive Order on Cybersecurity
7:12 - Topic 2: Microsoft Outlook Bug Fix
11:07 - Closing remarks
New US Executive Order on Cybersecurity:
> Biden Signs Executive Order to Bolster Federal Government's Cybersecurity
> FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation's Cybersecurity and Protect Federal Government Networks
Microsoft Fixes Outlook Email Bug:
> Welcome to beta testing of Outlook
The News: The Biden administration signed an executive order on Wednesday, May 12, 2021 aimed at hardening the Federal government's cybersecurity defenses following the Colonial Pipeline hack. More at CNBC: Biden Administration Signs Executive Order Aimed at Hardening Fed Cybersecurity Defenses.
Analyst Take: The executive order signed by President Biden directs the Commerce Department to create new standards for software vendors supplying the federal government. While this executive order immediately followed the Colonial Pipeline ransomware attack and the fallout from that, no doubt the recent SolarWinds attack, along with the Microsoft Exchange server attacks, played a role in the government stepping in. The Executive Order addresses the fact that the incremental improvements made heretofore are not effective at providing the security the Federal government needs and that "bold changes and significant investments" are needed to defend the many institutions that are a necessary part of American life. It finally seems clear that cybersecurity is and must be a top priority for the Federal government and, more importantly, that the Feds intend to lead by example as it relates to standards and requirements. Under the executive order, software vendors supplying the federal government will be held to new secure-development standards backed by a consumer labeling program that amounts to a rating system, and agencies themselves are required to adopt multi-factor authentication and encryption of data at rest and in transit. Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), remarked on this in a podcast on CBS this last week, saying that this action by Biden is a "dramatic game change" and showed a commitment by the administration to prioritizing cybersecurity concerns. He also mentioned that establishing these kinds of standards will have a "cascading effect" for products sold to others, not only impacting government entities.
Now is a great time to be in the business of selling solutions that provide enhanced security, like IBM's Confidential Computing and AWS Nitro Enclaves, both of which we've written about before here. This order establishes a Cyber Safety Review Board that is modeled after the National Transportation Safety Board and which includes members from both the private and public sectors. Equally important, it also clearly shows the administration's intent to move the federal government to cloud systems that are more secure. My colleague Fred McClimans and I covered this Executive Order in our Cybersecurity Shorts series of the Futurum Tech Webcast this last week. You'll find our discussion on that topic here: You can find the full text of the Executive Order on Improving the Nation's Cybersecurity here.
Thanks to high-profile cybersecurity operations — the recent U.S. cyberattack against Iran and Russia's 2016 attack on Ukraine's power grid, for example — the public is much more aware of the digital threats that the U.S. faces. While the public still lags behind in understanding these threats, the U.S. has for years been taking steps to keep U.S. assets safe from foreign and domestic hackers. The National Security Agency has long been responsible for cybersecurity operations, and the military has stepped up by raising individual cybersecurity commands. Private contractors have also taken part — or even led the charge — in the digital defense arena, but not without controversy. A Navy contractor was the victim of a Chinese hack last year in which U.S. anti-ship missile data was stolen. Edward Snowden, an NSA contractor, became a household name after leaking reams of sensitive data. Richard Clarke, special cybersecurity adviser to President George W. Bush and author of "The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats," joins us this week on Force for Hire. Clarke addresses cybersecurity threats and how military contractors have helped and hurt U.S. national security. Clarke has worked for the Pentagon, State Department and the White House, and his decades of experience make him among the top experts in the field.