Does Open-Source AI Create a False Sense of Security?
Listen to Suryaprakash Nalluri, an accomplished application security leader, discuss the shifting landscape of application security, challenges with open-source software, and the critical role of DevSecOps in modern development. Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence.
On today's show, we chat with Joe Evangelisto, CISO at NetSPI. He recounts his journey to becoming a Chief Information Security Officer, one that started as an IT sysadmin, advanced to management, and led him ultimately to the CISO role. Joe talks about building security programs from the ground up and developing both personally and...
Bridging the Cybersecurity Divide
Join host Nabil Hannan in conversation with Robert Wagner, Advisory CISO and Managing Director at NetSPI. The two discuss the cybersecurity divide and how to prioritize security efforts for small and medium-size businesses in the latest episode of Agent of Influence. Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence.
Security in Sync: Aligning Enterprise and Product Teams
Listen to the latest episode of Agent of Influence featuring Nancy Brainerd from Medtronic as we explore bridging the gap between enterprise and product security, fostering dynamic collaboration, and harmonizing efforts across teams to create a unified approach to cybersecurity. Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence.
Digital Trust in the Age of AI
Hear from Aaron Shilts, CEO of NetSPI, as he sits down with Nabil Hannan, NetSPI Field CISO and host of Agent of Influence, to explore NetSPI's evolution and cyber predictions for 2025. Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence.
New Year, New Role: 3 Key Strategies for Cyber Leaders
Listen to the latest Agent of Influence episode with Bindi Davé, Deputy CISO at DigiCert, as she discusses the Golden Triangle approach when entering a new company, focusing on asset discovery, defining acceptable risk, and fostering a comprehensive cybersecurity culture. Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence.
In this second episode of our new Data, Privacy and Cyber Digest podcast series, DACB partner Chris Air is joined by Giles Inkson, Director of Services at NetSPI, and Sam Cheshire, Head of Cyber (UK Retail) at Gallagher, to discuss essential measures to implement in the final days leading up to the DORA deadline of 17 January 2025. Together they consider what challenges have consistently arisen during preparations for in-scope companies, what wider impact DORA could, as an EU regulation, have on the UK, and if there are any aspects of DORA's enforcement that could be considered controversial.
Resources mentioned: the Office for National Statistics dataset 'UK trade in services: service type by partner country, non-seasonally adjusted'; the House of Commons Library research briefing 'Statistics on UK trade with the EU'; the International Monetary Fund's The Last Mile: Financial Vulnerabilities and Risks; and further information about DORA.
In this special Black Hat edition of Breaking Badness, Part 2 of a 5-Part Series, we dive deep into the world of vulnerability management, cyber resilience, and supply chain security. Our expert guests, Jacob Graves, Director of Solution Architecture at Gutsy; Theresa Lanowitz, Chief Evangelist at Level Blue; Pukar Hamal, CEO at SecurityPal; and Vinay Anand, Chief Product Officer at NetSPI, discuss the increasing complexity of managing vulnerabilities, the critical importance of reducing mean time to detect (MTTD) and mean time to repair (MTTR), and the emerging strategies for securing the supply chain against growing risks. Learn how vulnerability management isn't just a technical challenge but an organizational one, and explore the nuanced roles of the CIO, CTO, and CISO in maintaining a resilient cyber infrastructure.
Giles Inkson, Director of Services EMEA, NetSPI
The European Union's Digital Operational Resilience Act, which comes into force in January 2025, addresses a key issue in EU financial regulation. DORA means financial institutions must follow rules for protection, detection, containment, recovery and repair capabilities against ICT-related incidents. Previously most institutions managed the main categories of operational risk with the allocation of capital, but did not manage all components of operational resilience. Robin Amlôt of IBS Intelligence speaks to Giles Inkson, Director of Services EMEA for NetSPI.
What if you could build your own embedded security tools and glitching devices for a fraction of the cost you might expect, like having a $150,000 laser setup for less than $500? A talk at Black Hat USA 2024 by Sam Beaumont (Panth13r), Director of Transportation, Mobility and Cyber Physical Systems at NetSPI, and Larry Trowell (patch), Director of Hardware Embedded Systems at NetSPI, along with a team of others, says that you can. Their talk, Laser Beams & Light Streams: Letting Hackers Go Pew Pew, Building Affordable Light-Based Hardware Security Tooling, should be a wake-up call for all IoT and OT device vendors, who should defend our IoT and OT devices even against the unlikely attacks. Because soon enough, those attacks will become likely.
In today's episode of Tech Talks Daily, I sit down with Nick Walker and Giles Inkson from NetSPI to explore how proactive approaches are reshaping cybersecurity. NetSPI recently rebranded and launched a unified security platform designed to help organizations take a more proactive stance against cyber threats. This platform combines Penetration Testing as a Service (PTaaS), Attack Surface Management (ASM), and Breach and Attack Simulation (BAS) to provide a comprehensive view of assets, risks, and security improvements. We discuss the latest trends in cybersecurity, including the rapid adoption of generative AI and the complex risks it introduces. As cyber attacks grow more sophisticated, there's a significant shift towards holistic risk management beyond just vulnerability patching. This involves understanding critical assets and the pathways that could be exploited. The role of the Chief Information Security Officer (CISO) is evolving too, with an increasing focus on board-level communication and strategic risk management. CISOs are now essential in translating cyber risks to leadership and ensuring cost-effective security programs. We also discuss the EU's Digital Operational Resilience Act (DORA), set to take effect in January 2024. This regulation mandates practices like threat-led testing and intelligence sharing for financial institutions, aiming to enhance resilience through rigorous scenario-based tests and improved information sharing. How do you see the role of proactive measures in cybersecurity evolving? We'd love to hear your thoughts. Connect with us online to continue the conversation and learn more about the topics we covered today.
Federal Tech Podcast: Listen and learn how successful companies get federal contracts
The volume of cyber attacks on federal organizations has gotten to the level that traditional methods have lost their efficacy. If you merely react to an intrusion, the malicious actor has gotten what he wants and has left. Today, we sat down with Vinay Anand, the Chief Product Officer for a company called NetSPI. Back in 2001, they were founded to improve server, network, and application penetration services. Their initial offering of penetration testing has become so successful that it is being used by nine out of the top ten banks in the United States. Over the decades, they have learned that true security went beyond penetration testing. They had to take a more initiative-taking approach. For example, the attack surface back in 2001 was minuscule compared to what is happening today. Covid has encouraged remote access, sensors are everywhere, and cheap storage has allowed malicious actors the opportunity to place code in unimaginable places. A tech leader must be able to identify and protect the unknown. The first step is to protect the external-facing network and the internal network. The internal aspects can be controlled by tools classified as Cyber Asset Attack Surface Management analysis. The external system can be examined by an External Attack Surface Management system as well. That may be a terrific beginning, but this knowledge must be augmented by simulating an attack. NetSPI can assist an agency in developing an attack plan and narrative. That way, they can understand their risk profile and optimize methods to recover from an attack. During the interview, Vinay Anand gives a terrific overview of the development of different methodologies behind system protection.
Want to leverage your next podcast appearance? https://content.leadquizzes.com/lp/fk1JL_FgeQ
Connect to John Gilroy on LinkedIn: https://www.linkedin.com/in/john-gilroy/
Want to listen to other episodes? www.Federaltechpodcast.com
We've made a slight tweak to the news format, only focusing on the most interesting funding and acquisition stories. As always, you can go check out Mike Privette's Return on Security newsletter for the full list of funded and acquired companies every week. This week, we discuss two $100M+ rounds, from Huntress and Semperis. We also discuss NetSPI's acquisition of Hubble, and the future of the CAASM market. We focus on the importance of detection engineering, echoing some of Martin Roesch's thoughts from our interview with him just before the news. One story is from the excellent DFIR report, a website and newsletter you should absolutely be subscribed to if detection engineering is important to you. The other story is from Thinkst, and showcases their ability to create file share honeypots with file listings that can now be tailored to specific industries. We discuss the results of some polls that RSnake ran on Twitter, to get feedback from folks on what they think about these models where CISOs are reportedly getting kickbacks for buying products from companies they advise. We also discuss the latest whistleblower insights about Microsoft and the state of security there, and the recent Polyfill.io incident that targeted over 100k websites with malware. Finally, we spend the rest of the news segment discussing the current state of Generative AI, from our own perspectives, but also through the lens of Bruce Schneier's latest blog post, a year-old post from Marc Andreessen, and a rage-fueled rant from an angry Aussie. Don't miss the squirrel story - we highly recommend sending it to all your PhD friends (or not, if they're easily insulted and/or likely to hold a grudge). Show Notes: https://securityweekly.com/esw-366
We all might be a little worn out on this topic, but there's no escaping it. Executives want to adopt GenAI and it is being embedded into nearly every software product we use in both our professional and personal lives. In this interview, Anurag joins us to discuss how his company evaluated and ultimately integrated AI-based technologies into their products. We discuss: what to be aware of when deploying GenAI; key use cases and successes organizations are having with GenAI; some of the risks to be aware of; how to prepare employees for GenAI; and best practices to prepare for evolving threats.
For decades, security teams have been focused on preventing and detecting threats, only to find themselves buried so deep in alerts, they can't detect anything at all! We clearly need a different approach, which will be the topic of our conversation today with Marty. We'll be discussing a shift in philosophy and tactics. We'll discuss whether SecOps has a hoarding problem, and possible paths out of the current situation preventing today's teams from successfully detecting attacks. Finally, we'll discuss the impact AI has on all this (if any). Segment Resources: Why It's Time to Evolve from Threat-centric to Compromise-centric Security; Evolve from Threat-Centric to Compromise-Centric Security; How to Close the Visibility Gaps Across Your Multi-Cloud Environment; Defend HPC Data Centers with Frictionless Security & Observability.
Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-366
In this episode, host Ron Eddings talks with guest Isaac Clayton, Senior Research Engineer at NetSPI. Ron and Isaac discuss the importance of ASM for organizations of all sizes, the challenges of asset identification, and framing a practical strategy to handle ASM.
Impactful Moments:
00:00 - Welcome
03:00 - Introducing guest, Isaac Clayton
04:25 - Understanding ASM
07:57 - Factoring in Attackers
10:47 - "Admit it's a hard problem"
12:35 - Challenges & Surprises
15:03 - From our Sponsor, NetSPI
15:41 - The Right Medicine, The Right Dosage
19:04 - Zero Trust is Not Enough
20:37 - Prioritization - Baked In!
21:33 - The ASM Learning Curve
26:12 - "Not all ASM is Created Equal"
Links:
Connect with our guest, Isaac Clayton: https://www.linkedin.com/in/isaac-clayton-24088696/
Check out NetSPI: asm.netspi.com
Join our creative mastermind and stand out as a cybersecurity professional: https://www.patreon.com/hackervalleystudio
Become a sponsor of the show to amplify your brand: https://hackervalley.com/work-with-us/
Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com
Continue the conversation by joining our Discord: https://hackervalley.com/discord
Mandiant Twitter account restored after crypto scam hack
Law firm that handles data breaches hit by data breach
Spanish mobile carrier suffers outage after account takeover
Thanks to today's episode sponsor, NetSPI. Take the hassle out of dealing with alert fatigue, validation, and prioritization. Instead, use NetSPI's ASM platform to hone in on what's actually important. Attack surface vulnerabilities constantly evolve, causing a lack of visibility and overwhelm for your security teams. Start the new year off right by partnering with NetSPI to enhance your security program. Visit netspi.com/ASM to learn more.
For the stories behind the headlines, head to CISOseries.com.
This week's Cyber Security Headlines - Week in Review is hosted by Rich Stroffolino with guest Johna Till Johnson, CEO, Nemertes, and podcaster at Heavy Strategy.
Thanks to our show sponsor, NetSPI. Take the hassle out of dealing with alert fatigue, validation, and prioritization. Instead, use NetSPI's ASM platform to hone in on what's actually important. Attack surface vulnerabilities constantly evolve, causing a lack of visibility and overwhelm for your security teams. Start the new year off right by partnering with NetSPI to enhance your security program. Visit netspi.com/ASM.
All links and the video of this episode can be found on CISOseries.com.
A call for a formal ban on ransomware payments
FTC asks for ideas to fight voice cloning
Cyberattack impacts French township
Thanks to today's episode sponsor, NetSPI. Take the hassle out of dealing with alert fatigue, validation, and prioritization. Instead, use NetSPI's ASM platform to hone in on what's actually important. Attack surface vulnerabilities constantly evolve, causing a lack of visibility and overwhelm for your security teams. Start the new year off right by partnering with NetSPI to enhance your security program. Visit netspi.com/ASM to learn more.
Google settles $5 billion 'incognito mode' lawsuit
Over $80 million in crypto stolen from Orbit Chain
Watchdog calls for updated medical device cyber agreement
Thanks to today's episode sponsor, NetSPI. Take the hassle out of dealing with alert fatigue, validation, and prioritization. Instead, use NetSPI's ASM platform to hone in on what's actually important. Attack surface vulnerabilities constantly evolve, causing a lack of visibility and overwhelm for your security teams. Start the new year off right by partnering with NetSPI to enhance your security program. Visit netspi.com/ASM to learn more.
For the stories behind the headlines, visit CISOseries.com.
Swedish national grocer stung by Cactus
Flaw in Black Basta decryptor allows recovery of victims' files - temporarily
Cyberattack hits Boston area hospital
Thanks to today's episode sponsor, NetSPI. Take the hassle out of dealing with alert fatigue, validation, and prioritization. Instead, use NetSPI's ASM platform to hone in on what's actually important. Attack surface vulnerabilities constantly evolve, causing a lack of visibility and overwhelm for your security teams. Start the new year off right by partnering with NetSPI to enhance your security program. Visit netspi.com/ASM to learn more.
For the stories behind the headlines, head to CISOseries.com.
Is Offensive Security part of your 2024 Security Roadmap? We caught up with Sam Kirkman, Director at NetSPI EMEA, at Black Hat Europe 2023 about what an Offensive Security Roadmap going into 2024 should look like. Offensive security is much more than pentesting. We spoke about how to build a capable team, the different maturity stages of building such a program, and resources you can lean on while you are on this journey across different industries.
Guest Socials: Sam's LinkedIn (@sam-kirkman-cybersecurity)
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security social channels: Cloud Security Podcast - YouTube, Cloud Security Newsletter, Cloud Security BootCamp.
Questions asked:
(00:00) Introduction
(02:53) A bit about Sam Kirkman
(03:53) What is offensive security?
(04:52) The attack landscape
(07:34) Offensive Security Roadmap
(09:43) Components of Offensive Security Roadmap
(11:04) What's a good starting point?
(12:55) Skillsets required in the team
(16:57) Different stages of maturity
(19:09) Where can people learn more about this?
(22:03) Where you can connect with Sam
You can learn more about NetSPI and offensive security here.
The adversary is using Artificial Intelligence. Why aren't you? In this episode, host Chris Cochran talks with Scott Sutherland, VP of Research at NetSPI, about everyone's favorite hot topics: ransomware and AI. Scott details his experience with simulating ransomware attack scenarios, discusses the difficulties businesses face when dealing with ransomware threats and prevention mechanisms, and explains how AI can be leveraged to help.
Impactful Moments:
00:00 - Welcome
01:10 - Introducing guest, Scott Sutherland
03:24 - Interactions with Generative AI Chatbots
04:14 - Use of AI and Readiness
15:16 - A word from our Sponsor, NetSPI
15:55 - Using AI to develop Exercises
20:46 - Collaboration beats Adversaries
25:08 - Ransomware Bots
26:15 - Role of AI in Storytelling
Continuously keep pace with your expanding attack surface with the most comprehensive suite of offensive security solutions: https://www.netspi.com/hackervalley
Links:
Connect with Scott Sutherland: https://www.linkedin.com/in/scottpsutherland/
Learn more about our sponsor, NetSPI: https://www.netspi.com/
Join our creative mastermind and stand out as a cybersecurity professional: https://www.patreon.com/hackervalleystudio
Become a sponsor of the show to amplify your brand: https://hackervalley.com/work-with-us/
Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com
Continue the conversation by joining our Discord: https://hackervalley.com/discord
On this episode of How to Grow a CMO, host Ali Hussain is joined by Heather Dodgers-Rubash, SVP of Marketing at NetSPI. Heather's journey into marketing came via stints in journalism and politics, before landing roles at a number of start-up and established tech providers. In their conversation, Heather and Ali discuss the importance of balancing brand and demand, the power of cultivating strong interpersonal relationships within teams, and how collaboration is critical to the successful delivery of projects. How to Grow a CMO is brought to you by The Marketing Practice - the global leader in B2B technology marketing. To find out more, visit https://www.themarketingpractice.com
Karl Fosaaen, the author of "Penetration Testing Azure for Ethical Hackers" and the VP of Research at NetSPI, came as a guest to share why a penetration test of a web application hosted on Azure Cloud in 2023 is quite different from simple, traditional web app pentesting, and the skills you need to pentest Azure environments. Cloud penetration testing is often misunderstood to be just a config review in Microsoft Azure Cloud, just like in AWS and Google Cloud. In this episode, Karl Fosaaen was kind enough to answer the following questions and explain his methods.
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Karl's LinkedIn (Karl Fosaaen)
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security social channels: Cloud Security Newsletter, Cloud Security BootCamp.
Timestamps for interview questions:
(00:00) Introduction
(02:32) A bit about Karl Fosaaen
(03:26) How is pentesting in Azure different from AWS?
(04:35) Cloud pentesting is not just config review
(05:42) Cloud pentesting vs Network pentesting
(06:25) Cloud Pentest - Next evolution of Network Pentest?
(07:14) Boundaries of cloud pentesting
(09:07) Do you need prior approval for Azure Pentest?
(09:32) Working with Microsoft Security Research Centre
(10:35) Process of pentesting in Azure
(11:57) Low hanging fruits to start off with!
(13:37) How to persist and escalate?
(14:58) Managed Identities in Azure
(16:23) Impact of peripheral services to Azure
(18:33) Scale of deployments in Azure
(21:02) Getting access to permissions for Azure Entra
(22:36) Scaling your pentest tools
(23:34) TTPs or Matrix you can use
(25:30) Getting into Azure Pentesting
(26:56) Transitioning from network to Azure pentesting
(28:37) Connect with Karl
Resources:
The NetSPI Blog to learn more about offensive cloud security
Mitre - Cloud Attack Matrix
ATRM
Karl's Book - Penetration Testing Azure for Ethical Hackers: Develop practical skills to perform pentesting and risk assessment of Microsoft Azure environments
See you at the next episode!
A few years ago, the topic of the 3rd episode of the #RealTalk with Aaron Bregg podcast was Diversity and Inclusion in the Cybersecurity Industry. To this date it is one of the most downloaded episodes. Since that episode was published a LOT has changed in the world. I felt that it was time to revisit the topic but with a little bit of a twist. The need for a twist comes from the fact that DEI in cybersecurity still isn't where it needs to be. As luck would have it, I had met Angela Hill a few years back when Matt Nelson and I were looking to have her as a keynote speaker. While due to scheduling issues it didn't work out, it did lead to this moment. Join me as I have a #RealTalk conversation about 'Rethinking DEI', more specifically focusing on Latinas in Cybersecurity. Angela Hill from Palo Alto Networks, Samantha Bolet from TikTok, and Vanessa Morales from NBC Universal, who are some of the co-founders of Latinas In Cyber, challenge me and themselves into taking a different approach to solving this problem.
Talking Points:
What kind of restrictions do you run into? E.g. cultural roadblocks, etc.
What issues do you run into when it comes to showcasing your 'real world' experience?
The importance of having a security 'brand' - Vanessa
How do we need to change our approach to DEI?
The importance of DEI in academia and starting to embrace creativity - Sam
A HUGE thanks to SevCo, Cadre and NetSPI; today the podcast donated $500 to support Latinas in Cyber!
While PenTesting (i.e. hacking) may be the most visible part of Information Security, it can sometimes lead to a false sense of security. In this episode I had a chance to talk with Nabil Hannan about rethinking your penetration testing strategy and moving towards Attack Surface Management. Nabil is the Field Chief Information Security Officer for NetSPI and has a ton of useful information to share about starting this journey. Talking points include: What are the biggest misconceptions with PenTesting? The problem with buying security 'things'. Understanding your Attack Surface using Breach and Attack Simulations. Targeting your ransomware readiness. Episode Sponsor: NetSPI is a penetration testing company based out of Minneapolis, Minnesota. Episode Charity: This episode's charity is Latinas in Cyber. LAIC is focused on continuing to break barriers and open paths for those who choose to pursue careers in cybersecurity. Our mission is to empower through mentorship, networking, support, and representation.
Live on-location from Infosecurity Europe 2023, Sean Martin connects with Nabil Hannan, the field CISO at NetSPI, to discuss Attack Surface Management (ASM) and how it has evolved in recent years to become the minimum cybersecurity benchmark that organizations need. ASM provides a more targeted approach to vulnerability management, allowing testers to focus on building a platform with automation that identifies areas that need attention and validates them. Sean and Nabil also cover API security, the challenges of authentication and authorization, and the need for organizations to prioritize building secure-by-design frameworks. Nabil stresses the importance of understanding an organization's external perimeter and what exposures might exist, as well as the need for good cybersecurity hygiene that starts with good cybersecurity basics before bringing others in to help with the problem. ASM is an important element in modern cybersecurity, and its role as the first line of defense reinforces the critical need to have a continuous view of an organization's external-facing perimeter. Note: This story contains promotional content.
Learn more: https://www.itspmagazine.com/their-story Guest: Nabil Hannan, Field Chief Information Security Officer (CISO) at NetSPI [@NetSPI] On LinkedIn | https://www.linkedin.com/in/nhannan/ Resources: Learn more about NetSPI: https://itspm.ag/netspi-hcjv Be sure to tune in to all of our Infosecurity Europe 2023 conference coverage: https://www.itspmagazine.com/infosecurity-europe-2023-infosec-london-cybersecurity-event-coverage Catch the full Infosecurity Europe 2023 YouTube playlist: https://www.youtube.com/playlist?list=PLnYu0psdcllTOeLEfCLJlToZIoJtNJB6B Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story ____________________________ If you are a cybersecurity vendor with a story to share, you can book your pre-event video podcast briefing here (https://itspm.ag/iseu23tsv) and your on-location audio podcast briefing here (https://itspm.ag/iseu23tsp). Explore the full conference coverage sponsorship bundle here: https://itspm.ag/iseu23bndl For more ITSPmagazine advertising and sponsorship opportunities:
On this episode, Perry sits down with Chad Peterson, Managing Director at NetSPI, to discuss the importance of penetration testing. We touch on aspects of social engineering, discussing complex security issues with Boards of Directors, the prevalence of Ransomware, and some of the unique challenges facing the healthcare industry. Guest: Chad Peterson (LinkedIn) (Twitter) Books & References (Books are Amazon Associate links): CISO Desk Reference Guide: A Practical Guide for CISOs by Bill Bonney, Gary Hayslip, & Matt Stamper; Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman; Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray; Ransomware Protection Playbook by Roger Grimes; The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity by Christian Espinosa. Perry's Books (Amazon Associate links): Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors, by Perry Carpenter; The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer by Perry Carpenter & Kai Roer. Perry's new show, Digital Folklore, kicked off Jan 16, 2023. It's all about the oddities and importance of online culture. Check out the website (https://digitalfolklore.fm/) to see our custom artwork, subscribe to the newsletter, check out our merch, Patreon, and more. Want to check out what others are saying? Here's some recent press about the show: https://digitalfolklore.fm/in-the-news Production Credits: Music and Sound Effects by Blue Dot Sessions, Envato Elements, Storyblocks, & EpidemicSound. 8Li cover art by Chris Machowski @ https://www.RansomWear.net/. 8th Layer Insights theme music composed and performed by Marcos Moscat @ https://www.GameMusicTown.com/ Want to get in touch with Perry? Here's how: LinkedIn Twitter Instagram Email: perry [at] 8thLayerMedia [dot] com
Join hosts Ron and Chris as they dive into the world of Attack Surface Management (ASM) in this episode recorded live at RSAC 2023. Special guest Nabil Hannan, a seasoned industry expert and Field CISO at NetSPI, shares his wealth of knowledge and expertise in this critical field. Together, they explore the evolving landscape of ASM, highlighting NetSPI's unique approach compared to other solution providers and shedding light on the state of ASM to empower listeners to enhance their security posture. NetSPI has a team of skilled pen-testers that can help you find those critical vulnerabilities and become your partner in creating the right remediation game plan for you. Check them out at https://www.netspi.com/HVM Links: Connect with Nabil Hannan on LinkedIn: https://www.linkedin.com/in/nhannan/ Connect with us on LinkedIn: https://www.linkedin.com/company/hackervalleystudio Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com Continue the conversation by joining our Discord: https://hackervalley.com/discord Impactful Moments: 01:08 - Introducing Nabil Hannan 01:25 - Relationship-building through play 04:39 - The power of authenticity 05:39 - What is a Field CISO? 07:02 - The rise of attack surface management 09:17 - What makes NetSPI different? 11:26 - A word from our sponsor 12:17 - Attack surface management for SMBs 15:15 - ASM solutions & false positives 17:16 - An ASM case study 21:15 - Red teaming influence on ASM 24:12 - Where do I get started with ASM?
This week, we start with the news: 2 weeks of news to catch up on! 16 funding stories, 4 M&A stories, Cybereason prunes its valuation… a lot, First Republic Bank seized by FDIC, Ransomware is irrelevant, Sun Tzu hates infosec, AI Trends, Kevin Mandia's 7 tips for defense, & How much time should we spend automating tasks? Christopher will delve into what lateral security/lateral movement are and identify key lateral security tools (network segmentation, micro-segmentation, advanced threat prevention systems, network sandboxes, and network traffic analysis/network detection and response). He will also touch on why automation is important when it comes to consistent security and the current threat landscape. This segment is sponsored by VMware. Visit https://securityweekly.com/vmwarenetsecrsac to learn more about them! AT&T Cybersecurity released its 12th annual Cybersecurity Insights Report, “Edge Ecosystem,” which highlights the dramatic shift in computing underpinned by 5G, the edge, and the convergence of networking and security. The report found that business and technology leaders are finally coming together not just to understand the new edge computing ecosystem, but to make more predictable, data-informed business decisions. Collaboration among these leaders, as well as external partners in the ecosystem, will be critical for the edge journey ahead – but more progress must be made to better leverage the edge and transform the business. This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attrsac to learn more about them! EASM is a critical component of continuous threat exposure management and a necessary step in improving validation and vulnerability management processes. Gartner recently published a report describing the evolution of EASM and where it's headed in the market.
We're excited to see the market move in this direction because, at NetSPI, we're already committed to investing in our team and technology to stay ahead of these trends. We already have a head start. This segment is sponsored by NetSPI. Visit https://securityweekly.com/netspirsac to learn more about them! “Man plans, the Universe laughs” - unfortunately, that's been the saying for far too long when it comes to cybersecurity. Security leaders know it's only a matter of time before their organization gets breached, but instead of being ready for it, they rely on fixing the problem after it happens. In Cisco's newest report, the first ever Cybersecurity Readiness Index, it was found that a small minority of businesses globally (15%) consider themselves to be ready and able to defend against the expanding array of cybersecurity risks and threats of today. Organizations need to get ready and stay ready with solutions they can trust. This segment is sponsored by Cisco. Visit https://securityweekly.com/ciscorsac to learn more about them! OpenText Cybersecurity is on a mission to simplify security by delivering smarter, innovative solutions. Geoff Bibby, the SVP of OpenText Cybersecurity Marketing & Strategy, will offer insight into the company's purpose-built approach to create a powerhouse cybersecurity portfolio that scales to meet the security needs of large enterprises down to individual consumers. This segment is sponsored by OpenText. Visit https://securityweekly.com/opentextrsac to learn more about them! The continued headcount shortage facing cybersecurity teams is driving many organizations to embrace Managed Detection and Response (MDR) as a way to combat cyber threats. With this demand, dozens of MDR companies have emerged over the past two years. Critical Start's CTO, Randy Watkins, will discuss the origin of MDR, share evaluation tips, and reveal some of the potential pitfalls. This segment is sponsored by Critical Start.
Visit https://securityweekly.com/criticalstartrsac to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw316
Christopher will delve into what lateral security/lateral movement are and identify key lateral security tools (network segmentation, micro-segmentation, advanced threat prevention systems, network sandboxes, and network traffic analysis/network detection and response). He will also touch on why automation is important when it comes to consistent security and the current threat landscape. Segment Resources: https://cio.vmware.com/2023/03/why-cisos-are-looking-to-lateral-security-to-mitigate-ransomware.html https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/lateral-security-is-the-new-cybersecurity-battleground-solution-overview.pdf https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-ransomware-lateral-security.pdf This segment is sponsored by VMware. Visit https://securityweekly.com/vmwarenetsecrsac to learn more about them! AT&T Cybersecurity released its 12th annual Cybersecurity Insights Report, “Edge Ecosystem,” which highlights the dramatic shift in computing underpinned by 5G, the edge, and the convergence of networking and security. The report found that business and technology leaders are finally coming together not just to understand the new edge computing ecosystem, but to make more predictable, data-informed business decisions. Collaboration among these leaders, as well as external partners in the ecosystem, will be critical for the edge journey ahead – but more progress must be made to better leverage the edge and transform the business. This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attrsac to learn more about them! EASM is a critical component of continuous threat exposure management and a necessary step in improving validation and vulnerability management processes. Gartner recently published a report describing the evolution of EASM and where it's headed in the market. 
We're excited to see the market move in this direction because, at NetSPI, we're already committed to investing in our team and technology to stay ahead of these trends. We already have a head start. This segment is sponsored by NetSPI. Visit https://securityweekly.com/netspirsac to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw316
In this episode of the podcast, Ron Eddings and Chris Cochran share insights and tips on how to navigate a career in cybersecurity. They discuss the importance of having the right mindset, finding the right career path, building a network, and negotiating a salary. Ron and Chris emphasize the value of having a positive attitude and being open to learning and growth. They suggest exploring different areas within cybersecurity to find the best fit for your interests and skills. Additionally, they stress the importance of building a strong network, both online and in-person, to connect with industry professionals and stay up to date on the latest trends and technologies. Ron offers advice on negotiating a salary and knowing your worth. Ron and Chris also encourage listeners to do their research and interview for multiple jobs to get a sense of market rates for different roles. They also discuss the taboo around discussing salaries in cybersecurity and offer suggestions on how to navigate this sensitive topic. Be sure to subscribe to Hacker Valley Studio, the premier cybersecurity podcast for cybersecurity professionals. NetSPI has a team of skilled pen-testers that can help you find those critical vulnerabilities and become your partner in creating the right remediation game plan for you. Check them out at http://netspi.com/HVM ........................... Links: Purchase an HVS t-shirt at our shop Join our Patreon monthly creative mastermind Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Continue the conversation by joining our Discord
In this episode of the Hacker Valley Studio podcast, hosts Ron and Chris tackle arguably one of the most difficult roles in cybersecurity: Incident Response. Drawing on his years of experience at organizations such as US Cyber Command, NSA, and Netflix, Chris shares his knowledge on what it takes to properly handle Severity 1, 2, and 3 level incidents. Together, Ron and Chris cover everything from the roles and responsibilities of an incident commander to the steps of bringing an incident to a close. Lastly, the two share their tips for improving incident response and steps that individuals and organizations can take to integrate incident command and communication efforts. Be sure to subscribe to Hacker Valley Studio, the premier cybersecurity podcast for cybersecurity professionals. NetSPI has a team of skilled pen-testers that can help you find those critical vulnerabilities and become your partner in creating the right remediation game plan for you. Check them out at http://netspi.com/HVM ........................... Links: Purchase an HVS t-shirt at our shop Join our Patreon monthly creative mastermind Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Continue the conversation by joining our Discord
Maxime “Max” Lamothe-Brassard, Founder of LimaCharlie, brings a tech-focused community perspective and a history of working at Google to Hacker Valley this week. Inspired by the internal motivation to empower others and build what didn't exist, Maxime created LimaCharlie to help security teams automate and manage security operations. In this episode, Max walks through his founder's journey and points out the problems that are begging for innovative solutions from the brightest minds in cyber. Timecoded Guide: [01:59] Improving community & empowering practitioners [06:04] Leaving Google for LimaCharlie [10:55] Unpacking the incentivization problem of cyber [16:21] Targeted products vs massive suites of problem solvers [21:29] Looking at a red team-less future Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more. Where would you say your passion for improving our community comes from? From the moment Max opens his mouth to talk about cybersecurity, his passion for the global community of cyber practitioners is clear. It turns out, the community is Max's passion because he's been in so many cybersecurity roles and has experienced so many of the same issues in each position. Suffering pain and fatigue no matter the role shouldn't be the reality for today's practitioners, and Max wants to empower them to do their best, most enjoyable work. 
“When I started, the goal wasn't to make the silver bullet that somehow was going to automatically save everybody, but really to just help people that were working and doing their jobs and empower them.” How was your experience going from Google to having your own thing with LimaCharlie? Taking the red pill of entrepreneurship wasn't as scary of an experience for Max as one might think. Instead, the product idea behind LimaCharlie existed for years before Max left Google, and everything Max has done in his career prepared him to take that risky step into doing his own thing. When push came to shove, Max was comfortable taking the risk because he knew he would always have opportunities to support the industry, even if he failed. “Really, throughout my whole career, without necessarily knowing at the time, [creating LimaCharlie] was where I was heading. Looking back, I've always been trying to build the thing that didn't exist where I was and push those limits.” What problems in the community or in the industry do you not see anyone solving yet? A major opportunity for growth and improvement in cybersecurity is incentivization, according to Max. The debate of what's worth fixing and who should decide on prioritizing vulnerabilities leads to tension and confusion amongst practitioners. The key to this problem might just be finding that special someone to somehow access the information with the right types of models and protocols around risk evaluation. Insurance might be the easiest answer, but Max wants practitioners to explore their potential to solve these problems, too. “The problem is that, as an industry, for us to make a risk-reward call on security vulnerabilities— it's incredibly difficult for us that are in security every day. Fundamentally, we can't even make that call ourselves.” What is one topic of division in cyber that you wish we could all come together on? Division is inevitable in a field that grows as fast as cybersecurity.
However, if Max could dream big about a major division to solve himself, it would be that of a red team's purpose. In an ideal security world, people don't need the red team to buy them into cybersecurity. Max hopes that, over time, the industry shifts more towards the blue team, where vulnerabilities are understood as important and worth protecting against without red team demonstrations. “I hope that, over time, we're able to move away from having to drive this idea that these things are real and they're important because people are already bought into this idea that, yes, we need to defend everything.” --------------- Links: Keep up with our guest Maxime Lamothe-Brassard on LinkedIn Learn more about LimaCharlie on LinkedIn and the LimaCharlie website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio
Brian Haugli, Founder and CEO of SideChannel, brings his CISO expertise to the pod this week for a discussion about strategy and leadership in cybersecurity. Working alongside CISOs and fractional vCISOs, Brian has seen his share of leadership mistakes and has learned about the purposeful approach that security needs along the way. In this episode, Brian revises the mantra of “people, process, and technology” to include the first and most important element in your security success: purposeful strategy. Timecoded Guide: [02:01] People, process, and technology in your leadership strategy [05:12] Tenets of a strong security strategy [13:11] Setting up new fractional CISOs for success [18:29] Creating SideChannel & walking the line between CISO vs consultant [27:44] Thriving professionally by thriving personally Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more. What has been your philosophy throughout the years when it comes to leadership versus technology? The security adage of “people, process, technology” isn't one combined concept. That is, in Brian's opinion, why so many leaders make the mistake of prioritizing technology as a central part of their strategy. Strategy is not what technology you use, and you can't buy your way out of every security conflict with a shiny new product.
Ask yourself what problem you're supposed to solve, not which tech is going to solve your problems. “Strategy is not technology, it's figuring out what you want to look like when you grow up, in a sense. Everyone jumps to the shiny object. What can I buy to go solve this problem? You never stop and question: Was that the first problem I was supposed to solve?” What are the tenets of making sure that you've done the work of creating a strong security strategy? The North Star of your security strategy should be the identity and purpose of your business, according to Brian. If you don't have a current assessment of your capabilities, assets, resources, and objectives, you aren't positioning yourself for success. Strategy comes from a knowledge and understanding of where you are now, and where you need to be. When your company “grows up,” what do you want security to look like for you? Understanding that guides you towards your target state without wasting your time on the wrong problems or objectives. “I think a lot of people throw strategy around as a grander concept and don't actually think about the elements that need to go into building one. You need to align to a definition that supports your business and outcomes, and that's what is strategic. The idea is not strategic.” Let's say I'm a brand new fractional CISO and I have my first client. What are the top three questions I'm going to ask of this organization to set me on the right path? When dealing with a new client, fractional CISOs have to understand why they're involved with this client in the first place. Why are you here? Who brought you here? And, most importantly, what is the reason security is being addressed now? A fractional CISO can't defend what they don't know exists, and they can't meet a deadline without first understanding what this company's unique security environment needs are. “You don't jump into, ‘Okay, well, what's the budget?'
No, I like to understand what I have to actually defend and build to, how fast I have to actually make that happen, that then informs and sets up the much better discussion around, realistically, what you should be considering.” What advice do you have for our audience that is interested in becoming a CISO? Although Brian jokes that he would advise anyone against taking on a CISO role due to the workload, he understands and loves the grind of cybersecurity leadership. To not only survive but thrive as a CISO, Brian believes a practitioner has to keep their love for problem-solving and protecting organizations at the forefront. Still, as passionate as someone might be, Brian also advises knowing when to unplug and unwind to avoid burning out fast in such a strenuous role. “Look, just take care of yourself. I think exercising is huge. Eat right, sleep right. You've got to take care of your mental health, take care of physical health, you've got to take care of your spiritual health. You've got to do all that, or you're never going to be good professionally.” --------------- Links: Keep up with our guest Brian Haugli on LinkedIn and Twitter Learn more about SideChannel on LinkedIn and the SideChannel website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio
Allison Minutillo, President of Rebel Interactive Group and Host of the Rebel Leadership podcast, joins the Hacker Valley team this week to talk about her journey from individual contributor to company leader. With a leader's mind and a rebel's heart, Allison wants Rebel Interactive Group to break down barriers and say what needs to be said. In this episode, Allison talks about intuition vs insecurity, practitioners vs leaders, and burning out vs staying invested and engaged in the world around you.

Timecoded Guide:
[00:00] Shifting from an employee to a leadership mindset
[07:44] Getting real about leadership struggles on the Rebel Leadership podcast
[13:24] Rebelling for the greater good of your company & yourself
[19:40] Finding career inspiration as a business owner & company president
[25:41] Struggling to realize your full leadership potential as an individual

Sponsor Links:
Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!
Life is complex. But it's not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.

What went into that mindset shift from individual contributor to leader for you?
Leadership was an appealing concept to Allison, but stepping into the role of President at a company was beyond her wildest dreams. Being close with Bryn, the former President of Rebel, opened her eyes to the qualities of leadership she wanted in herself. However, the true mindset shift from contributor to leader came from Bryn's understanding of Allison's skills. It wasn't until he brought up her being his successor that Allison saw the leader she knew she could be.
“I set my sights on what I thought was high. I started over-talking to [Bryn, at Rebel] because I was so nervous, and he said, ‘No, I'm talking about you being my successor, about you being president of Rebel.' I instantly stopped everything I was saying and it became crystal clear.”

What exactly is Rebel Leadership and how does it relate back to your philosophies?
The term “rebel leadership” is a concept that existed before Allison's Rebel Leadership podcast began, but it embodies what Allison hopes Rebel Interactive Group represents for all of their clients. Being a rebel isn't just about breaking the rules or telling it like it is; it's about making a difference. Being a rebel leader is about challenging the status quo for the greater good of your clients, your employees, and your industry.
“It's not rebelling for rebels' sake, it's that we're not good with the status quo. We're not okay with it, but we're not careless. We rebel with purpose. It's informed. It's data backed, it's compelling, it's precise, it's meaningful. We are not afraid to state what needs to be said.”

What do you say to those leaders that approach leadership almost like being a martyr?
The hustle and grind of being a leader can feel like endless amounts of hard work. However, in Allison's experience, overworking yourself and refusing to disconnect maximizes the pain but minimizes what you gain. Burnout is real, and cybersecurity practitioners definitely know burnout can be fatal for your career. Allison advises resting and giving yourself the time to reflect at the end of a long day, instead of forcing yourself to be a martyr.
“Doing that next ‘to-do' list on your couch at 10:30pm when you're spent and you're drained is not going to make you the leader you want to be tomorrow. It's going to make you frustrated and tired and not able to perform at a high level the next day.”

How do you differentiate the good advice of intuition from your inner echo chamber of not-so-good advice?
It's easy to get caught up in the eternal inner echo chamber when you're trying hard to learn and reflect on your experiences. Allison has had this happen to her, too; getting caught up reading online comments and letting self-doubt control her thoughts. However, Allison explains that the grit of a true leader can drive you through the setbacks of criticism, whether that criticism comes from outside or within. What matters most is choosing to believe in yourself as a leader.
“That's when grit and will come in, in those moments where you're at the bottom of the barrel. Do you believe in yourself? Are you going to choose to believe in yourself, or are you going to choose to believe the comments?”

---------------

Links:
Keep up with our guest Allison Minutillo on LinkedIn
Learn more about Rebel Interactive Group on LinkedIn and the Rebel website
Listen to the Rebel Leadership podcast
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase an HVS t-shirt at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio
Cody Wass, VP of Services at NetSPI, brings his near-decade of experience to the pod to talk about longevity, development, and leadership. It's no secret that cybersecurity is in need of people. Cody's journey from intern to VP at NetSPI has shown him the importance of training employees, creating opportunities for new graduates, and engaging teams effectively, both virtually and in-person. In this episode, Cody provides the roadmap towards intentional employee investment in the ever-changing cyber industry.

Timecoded Guide:
[00:00] Cyber career longevity from NetSPI intern to VP
[07:51] Putting people before process & technology at NetSPI
[15:33] Collaboration as the foundation of the cybersecurity industry
[18:13] Understanding cyber's entry level position problem
[24:12] Investing intentionally in employee development

Sponsor Links:
Thank you to our sponsor NetSPI for bringing this episode to life!
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.

You've been at NetSPI for 9 years. When you think about a rewarding feeling in your journey at the company, what comes to mind?
Starting his journey at NetSPI as an intern, Cody has had the rare but impactful opportunity to grow alongside the company. Now, as VP of Services, he looks back at the lives he's impacted himself and the opportunities he's had to see others grow. Employee development is a huge part of NetSPI's success. Cody is proud to have seen newcomers join his team and become amazing practitioners over the years.
“It's really rewarding seeing people come into this industry as a fresh face with a specific skill set, to watch them grow over and see them really spread their wings, and come out the other side stronger, better, and having a skill set that you never would have imagined day one.”

NetSPI has a very unique culture and philosophy about balancing that duality between technology and people. Could you tell us a little bit about that?
People come first, before process and technology, at NetSPI. While all three elements of this sacred cyber trifecta are important, Cody and his team believe that the balance should focus on making the lives, skills, and experiences of the people at NetSPI better. Process should be taught to the people, with a focus on prosperity and consistency. Technology should be implemented intelligently, with proper training and time given to the people for the best results.
“NetSPI's differentiator is our people, first and foremost, and then, our process and our technology. We have a ton of really cool things we're doing with tech, but the focus is always on: How can you use that tech to make a person more efficient at their job?”

How important is collaboration for you and your team at NetSPI?
Collaboration is built into the DNA of NetSPI, from how employees are trained to how NetSPI interacts with the industry around them. Cybersecurity thrives when teams, practitioners, and organizations work together for the sake of the greater good. Even though COVID and remote workers have increased the virtual footprint of NetSPI, Cody still emphasizes the importance of communication and collaboration to his team and to practitioners around the world.
“This industry we work in is super interesting. It'll never be finished; you're never going to learn everything there is about security and be able to call it done. We're far past the point where one person is going to be the expert of everything in cybersecurity.”

For anyone in a cybersecurity leadership position who wants to start to really invest in their people, what would be your recommendation on where to start?
Intentionality is vital for the success of any leader trying to invest in their employees. Cody explains that it's one thing for leaders to want to invest in training and professional development opportunities for their team, but another thing entirely when it comes to implementation. If a leader isn't intentional, they won't have clear goals for investment and will risk letting implementation fall by the wayside for the sake of a budgetary line.
“Yes, we are going to be making this investment. It is going to cost us. It will cost us time, it will cost us money, but we are committed to making that investment because we know the payoff in 12 months or 18 months or 24 months is going to ultimately be worth it.”

---------------

Links:
Keep up with our guest Cody Wass on LinkedIn
Learn more about NetSPI on LinkedIn and the NetSPI website
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase an HVS t-shirt at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio
Brad Liggett, CTI Intel Engineer Manager at Cybersixgill, puts on his improv hat and joins the pod ready for anything. After COVID pressed pause on daily life, Brad kept himself sane and gained some new skills by returning to his improv roots (a hobby he had in the ‘90s) and taking up Dungeons & Dragons. In this episode, Brad covers the importance of improv skills in the professional world, the opportunities to add elements of gaming into cyber, and advice for practitioners looking to be more agile.

Timecoded Guide:
[00:00] Introducing the unique combination of improv & cybersecurity
[05:57] Being a life-long learner in cybersecurity & in improv groups
[13:20] Practicing improvisational skills for cybersecurity customer conversations
[18:17] Bringing in games & elements of play into cybersecurity environments
[24:38] Advice for a more agile, improvisational tomorrow

Sponsor Links:
Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!
Life is complex. But it's not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.

Is there a skill that you called upon during an interaction with a customer where you really leaned on your improv muscle?
Improv often involves one phrase that Brad believes other industries should incorporate, too: “Yes, and.” In cybersecurity, Brad leans heavily on the “Yes, and” phrase because it encourages conversations to move forward authentically. Meetings aren't successful when customers and clients feel uncomfortable and unengaged. Being able to think on his feet and prepare for changes makes Brad a stronger, more agile practitioner and communicator.
“The whole concept of moving the meeting forward and making sure that there's no uncomfortable silences. Be prepared, have an idea of what you want to talk about, but inevitably, the client you're talking to, everyone's going to be unique.”

What do you think is the glue that holds your interests in cyber and improv together?
Being a life-long learner is something extremely important and valuable for Brad. For improv, research on the latest media, memes, and movies influences his work and motivates him to stay up-to-date and involved in some fun research. Cybersecurity is the same way. Brad believes that to be the best practitioner and leader for his team, he needs to be knowledgeable about vendors, threats, products, and all things new in the industry.
“You always have to be reading, you always have to be aware of what's going on in the environment out there in the world, so that as those things come up, at least you can somewhat talk to them and start to put those pieces together.”

What has been your experience with bringing an element of play into cyber?
Cybersecurity can't be all work and no play. Instead, Brad believes that cybersecurity teams should continue to prioritize the gamification of training processes, as well as just letting their teams have a little fun. Sometimes, to build a strong, trusting team, there needs to be an outside outlet for problem solving, puzzling, and creativity. Brad even brought his team at Cybersixgill to a Meow Wolf exhibition this year for that same team building reason.
“We work hard, but we also should make sure that we play, and not only just do that individually, but even as teams, especially now. It's not always going to be about the training aspect, you also have to take that time to bring that team together.”

What is a piece of wisdom that people could take with them into work tomorrow to make them more agile and improvisational?
When it comes to agility and improvisational skills, you have to have a strong foundation to build off of. For Brad, taking time for himself and understanding when and how he learns best has been vital to his success. Listening to podcasts at the gym, reading something new at hotels, and getting a good night's sleep are all little things that help Brad consistently become more agile and improvisational at work.
“For me, it's always having some sacred time at the end of the day. There's no TV in my bedroom, and my phone is telling me around 8:30, ‘Hey, it's wind down time,' and that's when I'm getting in the mode for sleep, and then making sure I've got a good night's sleep.”

---------------

Links:
Keep up with our guest Brad Liggett on LinkedIn and Twitter
Learn more about Cybersixgill on LinkedIn and the Cybersixgill website
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase an HVS t-shirt at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio
James and Paul talk to Alex Jones (not THAT one) from NetSPI about the heretofore unseen connections between penetration testing and security. Alex brings a fresh perspective from his sales and marketing leadership positions, and it really stretched our imaginations.
Richard Rushing, CISO at Motorola Mobility, brings his decades of experience to the show this week to talk about leadership, communication, and perhaps most importantly of all: prioritization. After joining Motorola through a startup acquisition, Richard has been a leader in the company and a defining example of what a CISO should be doing: simplifying the complicated. Richard talks about how his role has changed over the last 10 years and what's next for him and for cybersecurity.

Timecoded Guide:
[00:00] Ascending into a leadership role in cybersecurity & joining the Motorola team
[06:28] Defining CSO & CISO at a time when no one understood cybersecurity
[13:01] Communicating with the C-suite about cyber: best practices & tenets
[24:37] Harnessing a proactive cybersecurity mindset with prioritization
[32:13] Extending your cybersecurity career for decades

Sponsor Links:
Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!
The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.

What was your experience of being a Chief Security Officer in the early 2000s?
Richard jokes that he became a part of the cyber industry before the industry was even called cybersecurity, but behind the joke lies the truth that cyber looked extremely different back then. However, no matter how much time passes, Richard is still used to the odd confused looks that come from saying he's a CISO. People misunderstand the role, Richard explains, but at least more people than ever before understand the importance of cybersecurity.
“There were a lot of other things that you had to talk about, you had to evangelize a lot coming into this [industry] because a lot of the cybersecurity industry was brand new. People were moving around and trying to figure these things out and everybody struggled.”

How many times would you say you feel like you've had a new job or a new role being in the same role for over 10 years?
Being a CISO has had its ups and downs during the 10 years Richard has spent in that role at Motorola, but the changes have been welcome and interesting. Every few years, the technology landscape changes, and with those changes in tech come massive changes in company ownership, leadership, and security. However, Richard is thankful that through these changes, his core team has stayed the same, giving him a trustworthy group to learn from.
“It's always changing, but at the same time, there's some static components. When I came on to Motorola 15 years ago and established teams, most of my team, except for a very small portion of people that retired or left, are still with me today.”

What are your thoughts and best practices for proactive cybersecurity?
Although “proactive cybersecurity” has become a buzzword we're all paying attention to, Richard warns that most companies aren't really being proactive with cybersecurity just yet. Instead, what the industry has shifted towards is prioritization. Understanding what's important, prioritizing those aspects of a business, and knowing what you don't have the resources to handle can make the security work you're doing feel more proactive.
“Why do I need to prioritize? Because you're getting more alerts than you have people to be able to handle it, or technologies to be able to handle it in an automated way. So, you have to prioritize what's important.”

What would you recommend people consider to extend their cybersecurity career life as long as you have?
After nearly four decades in the industry and over ten years at Motorola, Richard has been in cybersecurity longer than most modern-day practitioners. When asked about his secrets for an extended cybersecurity career, Richard reflects back on his advice around prioritization over “proactive cybersecurity” and emphasizes the importance of community. Cybersecurity is a collaborative field, and practitioners have to stay open to learning together to succeed.
“In the cybersecurity world, we will talk to our competitors and share what we're seeing. I think that community effort is one of the key things. You have to enjoy what you're doing, reach out and be collaborative with people. Don't be the security guy that people are scared of.”

---------------

Links:
Keep up with our guest Richard Rushing on LinkedIn and Twitter
Learn more about Motorola Mobility on LinkedIn and the Motorola website
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase an HVS t-shirt at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio
Kenneth Ellington, Senior Cybersecurity Consultant at EY and Founder of the Ellington Cyber Academy, achieves his goal of being on the Hacker Valley Studio this week. From working at Publix in college to becoming an online course instructor, Kenneth's journey into the cyber industry has been heavily influenced by online educators like Chris and Ron. Kenneth covers barriers to entry for cyber, SOAR vs SIM, and how much further we need to go for representation in the industry.

Timecoded Guide:
[00:00] Starting a cyber career at the Publix deli counter
[05:16] Fighting through introversion to become an online instructor
[11:02] Setting equitable & understandable prices for cyber courses
[15:54] Looking into the future of SOAR vs SIM to see what's next
[19:27] Taking the chance on content creation as a new cyber professional

Sponsor Links:
Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!
Life is complex. But it's not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.

What areas do you feel confident in as a new teacher, and what do you still struggle to get your footing on?
As someone newer to online teaching, having only done it for 2 years, Kenneth is confident in his communication skills, but still struggles with fully grasping new technology. On the bright side, Kenneth believes those technical skills come with time and practice, something he's 100% willing to do. What helps him stand out as a strong teacher is something harder to learn: communication with others and de-escalating stressful situations for students.
“I worked at Publix for four years in the deli, dealing with customers, and that forced me to develop those soft skills about how to talk to people and how to communicate and how to de-escalate situations. That's how I set myself apart.”

What are some of the things that you're thinking about when it comes to setting the pricing for your course content?
No matter how his prices change or how skilled he becomes, Kenneth still believes in fair and equitable pricing for his course content. Considering his experience and expertise, Kenneth charges at least half of what a vendor might charge for similar content and knowledge. However, Kenneth doesn't believe in thousands of dollars being spent on his courses, because he wants entry level students like himself to be able to afford to learn.
“I'm very honest with myself, what my skill level is, and the value I bring towards it. Because I've been doing this for over two years, technically, I've gotten a pretty good gauge as to what people are willing to pay for and the value that I can bring.”

Do you have anything you're looking to expand into with Ellington Academy?
While SOAR and SIM are Ellington Academy's bread and butter, Kenneth is looking forward to continuing to expand his expertise and scale his content. An upcoming goal Kenneth has is giving back to the country of Jamaica, where his family is originally from. Through providing courses or recruitment opportunities, he wants to bring cyber skills to everyone.
“From a legacy perspective, I want to leave a positive mark on this world, just to make it better than when I got here. One of my big goals, I don't know if it's gonna happen, but my family is from Jamaica, so I'm hoping I can maybe put ECA there someday.”

What advice would you give to a newbie in cybersecurity looking to start making content?
Kenneth got his start at the Publix deli counter, and he understands that the beginning of someone's cyber journey can look just like his: inexperienced but hungry for knowledge. For newcomers to the industry, Kenneth wants to reassure you that you're never too young to teach or too old to learn. Take courses, expand your knowledge, and give back to the people with less knowledge than you through accessible learning content of your own.
“Take the opportunity to try to do something new because your knowledge is valuable, no matter how much or how little that you have. Everybody can learn something from everyone. I always try to help out however I can.”

---------------

Links:
Keep up with our guest Kenneth Ellington on LinkedIn
Check out the Ellington Cyber Academy
Learn more about EY on LinkedIn and the EY website
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase an HVS t-shirt at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio
Lesley Carhart, Director of Incident Response at Dragos, takes some time off mentoring cybersecurity practitioners, responding to OT incidents, and training in martial arts to hop on the mics this week. Named Hacker of the Year in 2020, Lesley's impact on the industry stretches far and wide. As an incredible content creator for cybersecurity, Lesley advises listeners on how to find their niche and who to be willing to educate along the way.

Timecoded Guide:
[00:00] Giving back to the community through martial arts & cyber education
[06:13] Being excluded from the cyber industry & turning to content creation instead
[12:33] Comparing incident response in IT vs OT environments
[19:46] Dealing with post-COVID problems with the wrong OT systems online
[26:51] Finding your cyber niche & exploring education options within it

Sponsor Links:
Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!
Life is complex. But it's not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.

What inspired you to start creating cybersecurity content?
Lesley's cybersecurity content has vastly influenced and impacted many cyber practitioners in the industry, including Ron and Chris. Unfortunately, Lesley's journey into content creation was inspired by the lack of mentorship they received from other professionals when they were starting out. Never wanting anyone to feel the way they did, Lesley created an online world of resources to warmly welcome and educate new practitioners.
“It's not a really glamorous story. When I got into cybersecurity, I wanted to do digital forensics and nobody would help me, nobody would actually take me seriously and give me a shot. Everybody should have a chance to get into cybersecurity if it's something they want to do.”

How has teaching cyber to a general audience been appealing to you?
When not educating new cyber practitioners or tearing it up in the martial arts studio, Lesley likes to reach out to their community and give talks to audiences outside of typical tech and security groups. From churches to universities, Lesley loves meeting people outside of the cyber industry. These individuals always offer them a new perspective and a feeling of accomplishment for showing someone something new.
“It's enjoyable to me to find other people out there who want to learn about an entirely new topic and expose themselves to its problems and how it impacts society and things like that. I appreciate that. Cybersecurity is important and it impacts everything around us all the time.”

In your world, where does incident response start, and where does it stop?
Like many of cyber's most complicated concepts, the answer to where incident response starts and ends depends on the resources and structure of a given organization. Lesley explains that incident response has to be planned, and that the planning process has to define when to declare an incident and when to close that incident. Without proper planning in advance, an organization risks letting a crisis that could have been handled quickly turn into an out-of-control attack.
“There's no perfect defense against an incident, everybody's vulnerable. You do your best to mitigate and avoid having a cybersecurity incident, but there's only so much you can do. Eventually, you have to assume that you're gonna have an incident.”

What piece of advice do you have for anyone looking to share more knowledge and make the cyber industry better?
Although everything in cybersecurity can seem daunting, expansive, and interesting to everyone, Lesley's recommendation to new practitioners is to find a niche in cyber and stick to it for a while. Finding a niche doesn't have to be permanent, but Lesley believes that niche will help you carve out extensive knowledge worth sharing and creating content around. When you discover that niche, don't be afraid to reach out to other industry experts along the way.
“Pick an area and then find mentorship in that and try to focus for a couple of years on a particular area. You can always change your mind later on, just like degrees, just like training programs, but it's going to help you a lot to focus for a little while.”

---------------

Links:
Keep up with our guest Lesley Carhart on LinkedIn, Twitter, and their blog
Learn more about Dragos, Inc on LinkedIn and the Dragos website
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase Hacker Valley swag at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio
Brian Kime, VP of Intelligence Strategy and Advisory at ZeroFox, talks about all things threat intelligence this week. Brian explains why he chose threat intelligence as his focus, where he's seen opportunities for growth in recent years, and what challenges for cyber threat intelligence lie ahead. Using his intelligence experience developed first in the US Army Special Forces, Brian delivers his argument for intelligence-driven security, instead of the marketing-driven security industry we have today. Timecoded Guide: [00:00] Diving into the VP of Intelligence Strategy role [05:25] Learning intelligence in the Army Special Forces [10:09] Seeing the past, present, & future of threat intelligence [19:31] Measuring efficacy & ROI of cyber threat data [25:18] Building your own cyber threat intelligence capabilities Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley A lot of folks shift from intelligence into other areas of cyber, what inspired you to continue down the intelligence route? After Brian graduated from Georgia Tech and the nation experienced the tragedy of 9/11, Brian felt called to enlist in the US Army Reserve. While the war in Afghanistan was not as short-lived as anyone expected, Brian found his calling in military intelligence, where he was inspired to put his experiences in IT and intelligence together. It turns out that fusion already existed in the form of cyber threat intelligence, and Brian wanted to focus on that completely. “I want to bring all these things together and really start pushing our customers and pushing the security community in general towards more intelligence-driven security. 
Mostly, what I see even today still just feels like marketing-driven security.” Where are we today with threat intelligence technology, in terms of challenges and opportunities? Brian believes we're already in a really exciting place today in terms of threat intelligence technology. What feels especially opportune for him at the moment includes opportunities and technology that involve internal data from previous threats, freely available external data from sources like blogs, and third-party vendors. However, the challenges facing threat intelligence now involve how to make that technology available for small and medium businesses. “That's what I would love to see become the standard, that big corporations incorporate threat intelligence to the level that they can start to actually extend that value into their supply chain. That way, the whole system becomes more resilient, more secure.” How does a security team measure the efficacy and ROI of intelligence? In Brian's opinion, most cybersecurity practitioners don't track the ROI of their intelligence vendors, or they fail to measure intelligence for effectiveness. The metrics cyber teams should focus on include number of new detections created, incidents discovered, adversary dwell time, and improved security decision making. Unfortunately, improved decision making is the hardest to measure because it requires practitioner feedback. “At the end of the day, if stakeholders are making security decisions based on intelligence that I'm providing, that's a really good measure of effectiveness. All the security decisions that were influenced by threat intelligence, that's what we're going for.” When you don't have an intelligence capability and you want to create one, what is typically the first thing that an intelligence team member does? 
If you're intending to collect data from your customers (which almost every company out there is trying to do), then Brian believes that privacy and security need to be considered from the start. Critical security controls and a solid framework are key to early success for even the smallest security team. The best place to start? Software and hardware inventory. If you don't know what you have, you won't be able to secure your technology properly. “At the beginning of the critical security controls, it's always software and hardware inventory. If I don't know what I have, then I really can't do anything well in security. I can't do incident response because I don't know where my data is.” --------------- Links: Keep up with our guest Brian Kime on LinkedIn and Twitter Learn more about ZeroFox on LinkedIn and the ZeroFox website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio
Hacker Valley: On the Road is a curated collection of conversations that Chris and Ron have had during conferences and events around the globe. In this episode, NTT's Dirk Hodgson, Director of Cybersecurity, and Adam Green, Senior Cybersecurity Executive, speak with the Hacker Valley team at CyberCon in Melbourne, Australia. Dirk and Adam cover the intersection of their roles at NTT, their experiences at conferences like RSA, their country's cybersecurity industry, and their team's cultivated trust with clients. Timecoded Guide: [00:00] Reuniting at CyberCon after years of COVID limiting security conferences [06:30] Differentiating Australia's cybersecurity industry from the rest of the world [10:48] Watching current cyber trends with CMMC & the Essential 8 frameworks [25:41] Creating interpersonal communication in a technology-driven industry [34:58] Building trust by knowing your clients & your adversaries equally Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! Life is complex. But it's not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more. How are Australian cybersecurity practitioners different from the rest of the world? According to Adam, the past 3 years have led to a massive shift in maturity for Australia's cybersecurity industry. Previously, Australia relied on its physical isolation as a country as a means of security, but breaches have become more high profile and more impactful for Australian businesses in recent years. 
Now, Adam is pleased to see a greater understanding beyond the 101 of cybersecurity and more collaboration with security teams. “Three years ago, we used to say Australia was 5 years behind the rest of the world [in cybersecurity]. We used to think, because of proximity to the rest of the world, we were pretty safe, but it's definitely become more of a professional approach to security now.” — Adam How do your roles as Director and Executive work together at NTT? For Dirk, cybersecurity is the ultimate team sport, and Adam is an impactful element of his cybersecurity team. While Adam often focuses on strategic planning through his background as a practitioner, Dirk enjoys how his business-driven perspective contrasts with Adam's and with other members of the team. With a variety of experiences and perspectives in the room, NTT can cover issues from all sides, instead of falling victim to tunnel vision. “Adam is the person on the team, who's great at that scenario planning piece. ‘Here are the things that are gonna go wrong.' Whereas myself and a couple of the other people on the team, look at that go, ‘What's that going to cost the organization?'” —Dirk Where are the strengths and weaknesses in communication in cybersecurity? Just like Dirk's thoughts about cybersecurity being a team sport, Adam believes that you have to cultivate a team member-like trust with your clients. In an initial conversation, the client might seem defensive about your advice or critical of your actions. However, Adam explains that establishing credibility, especially in the business-focused cyber industry in Australia, goes a long way to creating the opportunity for more casual conversations down the line. “What we find is, in Australia in particular, it's about not just the company, but you as an individual. Do you have my back? Can I trust you? If I don't like you, will you at least mitigate my risk for me?
You have to establish credibility real fast.” —Adam What advice would you give to someone interested in cultivating more trust between clients and their team? Dirk loves a good James Bond villain, but the average hacker attacking the average business is nothing like the movies. Establishing trust with clients starts with not only understanding what they need, Dirk explains, but also knowing the most likely threats beyond the showstopping Blackhats of media fame. Being able to explain to and protect clients from the most common threats keeps their data safest and strengthens their trust in your team. “I think it's about making sure that you know what the worst case scenario is, what the most dangerous course of action that the attacker or a potential attacker could follow, but also, being able to talk credibly about what's the most likely threat.” —Dirk --------------- Links: Keep up with our guest Dirk Hodgson on LinkedIn Keep up with our guest Adam Green on LinkedIn Learn more about NTT on LinkedIn and the NTT website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio
Alton Johnson, Founder and Principal Security Consultant at Vonahi Security, automates his way out of his pen testing job in this week's episode. An AOL hacking gone wild got Alton into defensive cybersecurity years ago, and now, as the Founder of Vonahi, Alton advocates for automation and efficiency in the pen testing process. Alton talks about his connection to defensive over offensive, customizing a pen test report to your audience, and finding that sweet spot between practitioner and entrepreneur. Timecoded Guide: [00:00] Learning the importance of automation in defensive cyber [07:48] Connecting with automation & defensive cybersecurity over offensive [12:01] Showing the results that matter to the right people in a pen test report [15:27] Prioritizing exploitations in the world of vulnerability assessments [21:59] Maintaining the cyber practitioner & the entrepreneurial side of Vonahi Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more. How have you seen automation change yourself and your role? As a penetration tester, Alton explains that time is often not on his side. There's a limited amount of time to do an assessment, and the measure of a good pen tester is often determined by fast, high-quality reporting.
Automating the repetitive tasks of pen testing not only saves time, but Alton believes it genuinely changes the role into something much more efficient, high value, and successful. “Automation obviously plays a huge part in growing in the career too, because the more you can do, the more value you can provide, and the faster you can provide that value makes you a better pentester.” How do you convey the story of a red team engagement in different ways so that message is received by everyone in the company? At Vonahi Security, Alton's team separates pen testing reports into an executive summary and a technical report. The executive summary is high level, demonstrating the impact and severity of what was discovered from a business point of view. Many business executives don't need the technical play-by-play, which is why that is saved for the technical report. The technical report acts as a scene-by-scene story of what was done and how to technically fix it. “We separate the two conversations. Here's what we did at a high level to anyone that doesn't really care about the technical stuff, but only cares about how it impacts the business, and then, for the person that has to fix the issues, here's everything that they would need.” What would you tell the newer generation of cybersecurity practitioners about the offensive side? When Alton first started his cybersecurity journey, he was very into hacking and coding. That passion for code has served him well, allowing him to become successful enough to start his own business with Vonahi. For the younger generation of cyber practitioners, Alton recommends not skipping that coding education. As technically advanced and automated as cybersecurity tools are, practitioners should be prepared to code when something breaks or doesn't work as intended.
“I think coding is extremely valuable, because there's going to be many times that tools that you use don't work and you have to have the experience and knowledge to basically fix those problems with coding.” What have you learned over the past few years that has helped you to maintain both the technical and business side of Vonahi? Efficiency is the name of the game for Vonahi, and it's the one thing that has allowed Alton to remain in a hands-on pen testing role while still being a business owner. Keeping it efficient is more than just technology and automation. Alton believes his success is a direct result of the efficient technology around him and the hardworking, intelligent, efficient team members working with him at Vonahi. “It is really just about efficiency. We look to all these other leaders, but for me, I like to learn from other people's failures. I don't want to take the same growth processes as the person who failed and didn't do well.” --------------- Links: Keep up with our guest Alton Johnson on LinkedIn and his personal website Learn more about Vonahi Security on LinkedIn and the Vonahi Security website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio
Every year, management needs to figure out what initiatives will be prioritized for the upcoming year. This simple, free method uses a quantitative approach based on CIS controls with input from the front-line analysts and engineers. The outcome is an engaging team discussion and a clear plan for what the team should prioritize. Segment Resources: https://www.cisecurity.org/controls It's Cybersecurity Awareness Month and this year's theme, set by CISA, is See Yourself in Cyber. We're going to take some liberties in the interpretation of this to talk about the lines blurring between personal and work accounts and devices. We'll also discuss MFA risks - what types of MFA are safe to use, and which aren't in 2022? This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them! Finally, in the enterprise security news, Cloudflare has 1.25 billion incentives to draw customers away from AWS, NetSPI raises $410M for pen testing? Tines extends their Series B an extra $55M, Detectify and Eclypsium also raise funding, Some big funding for Web3 security startups, Adversary emulation tools for blue teamers, Breaking news: the security market isn't out of money, it's just fine, The art of selling to cybersecurity people, and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw291
Apple is asking suppliers to move some AirPods and Beats headphone production to India for the first time, as it attempts to step up the diversification of its global supply chain that is currently almost entirely dependent on China, Nikkei reports. Wipro has asked staff to turn up for work at the office at least three times a week, Business Standard reports. NetSPI, with $410 million from KKR, plans to set up a base in India. Notes: Apple is asking suppliers to move some AirPods and Beats headphone production to India for the first time, as it attempts to step up the diversification of its global supply chain that is currently almost entirely dependent on China. Apple's top contract manufacturers are already expanding their production of iPhones, iPads, and MacBook series laptops in India and Vietnam. Meanwhile, the European Parliament voted to confirm an earlier agreement to standardise the USB type C charging port for mobile phones, tablets and cameras by 2024 – a move that is likely to affect Apple the most, whose iPhones use the company's proprietary lightning connector, The Guardian reports. Wipro has asked employees to be in the office at least three days a week, joining larger rival TCS in getting staff to return to the office, Business Standard reports. India's top IT services companies are seeking to get staff to spend more time in the office as concerns mount over moonlighting, high staff churn, and the global economic slowdown. In an e-mail to its employees, the Bangalore-based company said “Starting October 10, Wipro's office will be open Mondays, Tuesdays, Thursdays, & Fridays. We will not be open on Wednesdays,” according to Business Standard. “We encourage you to work from the office on at least three of these four days,” the email reads. Last month, TCS, India's biggest IT services company, installed a mandatory rostering system to ensure that employees worked from the office at least three days a week, according to Business Standard. 
As concerns about the trustworthiness and ethical use of AI rise with its growing capabilities, the US government, this week, released a Blueprint for an AI Bill of Rights, following the EU and joining a growing international movement to counter the impact of AI on human rights and values. The blueprint outlines five principles that should guide the design, use and deployment of automated systems, VentureBeat reports. NetSPI, a provider of enterprise penetration testing and attack surface management technologies, yesterday announced that private equity firm KKR is increasing its investment in the company with $410 million in new funding. This investment will help NetSPI deepen and expand its products, and establish strong teams in Canada, EMEA, and India, the Minneapolis-based company said in a press release. Theme music courtesy Free Music & Sounds: https://soundcloud.com/freemusicandsounds
On this episode, we speak with Dalin McClellan, a penetration tester and social engineer for NetSPI. The idea for this episode came from a blog post that Dalin wrote here: Not Your Average Bug Bounty: How an Email, a Shirt and a Sticker Compromised a High Security Datacenter. Dalin explains the preparation necessary for an on-site physical penetration test when the location is highly secured with barbed wire fencing, human guards 24x7, retinal scanners and mantraps. Sometimes very simple solutions can be used to bypass highly technical controls. Just ask.
Killnet hits Norwegian websites. Hacktivists are tied to Russia's government. Amunet as a case study in C2C market differentiation. C2C commodification extends to script kiddies. Andrea Little Limbago from Interos examines borderless data. Rick Howard speaks with Cody Chamberlain from NetSPI on Breach Communication. Roscosmos publishes locations of Western defense facilities…and subsequently says it sustained a DDoS attack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/125 Selected reading. Pro-Russian hacker group says it attacked Norway (The Independent Barents Observer) Cyberattack hits Norway, pro-Russian hacker group fingered (AP NEWS) Norway blames "pro-Russian group" for cyber attack (Reuters) Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists' (Bloomberg) Market Differentiation: Cybercriminal Forums' Unusual Features Designed To Attract Users (Digital Shadows) Minors Use Discord Servers to Earn Extra Pocket Money Through Spreading Malware (PR Newswire) Russia publishes Pentagon coordinates, says Western satellites 'work for our enemy' (Reuters) Russian Space Agency Targeted in Cyberattack (Wall Street Journal) Cyberattack hits Russian space agency site after sharing NATO photos (Jerusalem Post)
Industroyer2 and Ukraine's power grid. More on last week's distributed denial-of-service attack against Finland. Anonymous claims to have doxed Russia's Ministry of Culture. Hafnium gets evasive. Enemybot is under development but worth keeping an eye on. Changing the phish hook. Patch Tuesday notes. Tim Eades from Cyber Mentor Fund on digital & security transformations. Our guest is Aaron Shilts from NetSPI on proactive public-private sector security collaboration. Sanctions evasion is serious business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/71 Selected reading. Why Russia's Cyber Warriors Haven't Crippled Ukraine (The National Interest) In Ukraine, a ‘Full-Scale Cyberwar' Emerges (Wall Street Journal) Russian hackers tried to bring down Ukraine's power grid to help the invasion (MIT Technology Review) Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine (Wired) Ukraine Thwarts Cyberattack on Electric Grid, Officials Say (Wall Street Journal) Zhadnost strikes again… this time in Finland. (SecurityScorecard) Anonymous Hits Russian Ministry of Culture, Leaks 446GB of Data (HackRead) Tarrask malware uses scheduled tasks for defense evasion (Microsoft Security Blog) Enemybot: A Look into Keksec's Latest DDoS Botnet (Fortinet Blog) Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene (ZDNet) Qbot malware switches to new Windows Installer infection vector (BleepingComputer) Microsoft Releases April 2022 Security Updates (CISA) Google Releases Security Updates for Chrome (CISA) Citrix Releases Security Updates for Multiple Products (CISA) Apache Releases Security Advisory for Struts 2 (CISA) Valmet DNA (CISA) Mitsubishi Electric MELSEC-Q Series C Controller Module (CISA) Inductive Automation Ignition (CISA) Mitsubishi Electric GT25-WLAN (CISA) Aethon TUG Home Base Server (CISA) U.S. crypto researcher sentenced to five years for helping North Korea evade sanctions (Reuters)
Alex Jones, CRO at NetSPI, joins me today to talk about his journey into the cybersecurity sales world and what he's doing at NetSPI to continue to build a great sales team. Alex spent most of his time building a career outside of cyber (in recruitment), until 5 years ago when he joined NetSPI. At NetSPI, Alex had to dive in head first to learn the terminology and become familiar with the space. Luckily, the nontraditional aspect of his background paid off when he had to make hires to build up his sales team. Alex tells us the 5 key traits he looks for in all potential new hires: coachability, curiosity, prior success, intelligence, and work ethic. Tune into today's episode where we expand more on Alex's tactics for creating a great sales team! If you are a sales leader at a startup, or you're in the sales team, and you're searching for your repeatable scalable sales process to grow sales faster, then please get in touch with me at andrew@unstoppable.do or you can also go to my site at www.unstoppable.do. Sign up for our newsletter (https://www.salesbluebird.com). We want your questions and topic suggestions for future episodes. Send them to andrew@unstoppable.do or send us a voice/video at https://zipmessage.com/unstoppable NetSPI is hiring so, get in touch with Alex on LinkedIn: https://www.linkedin.com/in/alex-jones-9ab28811/ or he says you can find his email - a good sales rep will find it! Support the show (http://www.unstoppable.do)
A Day in the Life of a NetSPI Penetration Tester. In this episode of Agent of Influence, Nabil sits down with NetSPI's very own security consultants Austin Altmann and Marissa Allen. They discuss what it's like to be a penetration tester, NetSPI's entry-level training program (NetSPI University), improvements to the current computer science curriculum, cybersecurity career misconceptions, characteristics of a successful pentester, refurbishing old Macs, and Kiwi the cockatiel.
The Future of Penetration Testing is Not Check-the-Box | Get to Know NetSPI's New CTO. In this episode of Agent of Influence, Nabil speaks with Travis Hoyt, a well-known financial services security leader – and NetSPI's new Chief Technology Officer (CTO)! They discuss why he's excited to be at NetSPI and his priorities as CTO, the value of tech-enabled services, the future of pentesting, the growth of the virtual CISO (vCISO) space, how we can improve security education, and what's “next next” in cybersecurity technology innovation.
Cybersecurity starts with you. "It's about people," said Nabil Hannan, managing director at cybersecurity firm NetSPI, when asked when cybersecurity goes right and when it goes wrong. He added in this podcast that Covid-19 and credit union responses have triggered their own cybersecurity issues that are very particular to today. But they also need timely responses to thwart hackers. Case in point: some workers are instructed to take their desktop computer home to work. Question: does that box have full disk encryption set up? Many office computers do not. But what if it is stolen from the home? Maybe even worse, some organizations sent workers home with older machines running old versions of Windows - including XP - and the bad news is that hackers already have bots scouring the net looking for XP machines because there are readily available hacking scripts that effectively automate an attack. No computer skill is needed by the hacker who has found an XP machine. Hannan also has worked on cybersecurity issues that arise when two institutions merge - something many experts believe will happen with accelerated frequency among credit unions dealing with the fallout of the Covid-19 impacts on the economy. In one case he worked for 2-1/2 to 3 years sorting out cybersecurity issues that arose when two large financial institutions merged. Two credit unions probably won't have that much complexity. But even a merger of small credit unions raises cybersecurity complexities because generally the two institutions will have divergent approaches and a common ground has to be found and implemented. ASAP. Because hackers hunt for gaps and exploit the ones they find. A bottom-line problem: too many credit unions see cybersecurity as a cost. Period. It does cost. That's a fact. But think of the enormous costs of a security failure. What hurts more? Don't think this is a techie podcast. It's not.
It's an enjoyable - intelligent - look at what a credit union executive needs to know about cybersecurity in today's Covid-19 world. It's not just for propellerheads. It's news you need to know. Listen up. Fyi: Hannan has his own podcast, Agent of Influence. Hear it here. Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available. Email rjmcgarvey@gmail.com Find out more about CU2.0 and the digital transformation of credit unions here. It's a journey every credit union needs to take. Pronto