#191: Securing the Public Cloud: How Seattle & LA County DCFS Are Transforming Cybersecurity
From Asset Management to AI: Building Modern Security for Vulnerable Communities
Featuring:
Greg Smith, Chief Information Security Officer and Director of Security & Infrastructure, City of Seattle IT
Allen Ohanian, Chief Information Security Officer, Los Angeles County Department of Children and Family Services
Brent Byrnes, Account Executive SLED, Wiz
In this episode, you'll learn:
How Seattle's risk-based approach is transforming traditional government cybersecurity
LA County DCFS's strategy for securing the nation's largest child welfare agency's sensitive data in the cloud
Why emerging IoT devices and cloud assets are creating new visibility challenges for government infrastructure
The role of cloud visibility and democratized security in modern government environments
Real-world lessons from Seattle's cross-agency incident response and recovery strategies
Timestamps
(00:00) Introduction and Guest Backgrounds
(03:14) Seattle's Evolution to Risk-Based Security
(04:52) Securing LA County DCFS's Cloud Environment
(07:38) Cloud Visibility in Government
(09:22) Asset Management Challenges in Modern Infrastructure
(12:45) Cross-Agency Incident Response: Seattle Library Case Study
(16:33) Crisis Communication Strategies
(22:18) AI Implementation and Security Threats
(27:42) Managing Modern Security Vendors
(31:15) Future of Government Cloud Security
To hear more, visit www.techtables.com
Can you "demonstrate due diligence to a defensible standard of care" as your risk management approach? This would replace "red/yellow/green" approaches or advanced statistics. Let's find out with our guest, Karen Worstell, who is a "Senior Cybersecurity Strategist" and a "CxO Security Advisor" with VMware. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates. If you want to learn more about DOCRA (The Duty of Care Risk Analysis Standard), check out our previous episode: https://cr-map.com/59
"Risk-Based Security is the Emperor's New Clothes": https://taosecurity.blogspot.com/2006/06/risk-based-security-is-emperors-new.html
1. Is it safe to use SECRETS_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED? - https://datasociety.net/wp-content/up...
This first story is a React development issue. A developer was asking whether a specific property was safe to use. It shows how much a name communicates about the security risk of using a particular property, and that a name like this one is a warning, not an invitation.
2. Adam Shostack -- Fast, cheap, and good threat models - https://www.securityjourney.com/podca...
Adam is very well known in the world of threat modeling as a thought leader. This is his take on some new approaches he wants everyone in the industry to understand.
3. SHA-256 explained step-by-step visually - https://sha256algorithm.com/
This website walks through how SHA-256 works, one step at a time. Hashing algorithms are a critical part of how we protect information, whether it is at rest or in transit, and this is a fascinating way to go through the steps and understand how they work.
4. Over 28,000 Vulnerabilities Disclosed in 2021: Report - https://sha256algorithm.com/
This article describes a report published by Risk Based Security highlighting the 28,000 vulnerabilities disclosed in 2021. It shows that not much has changed since 2020, but check it out to see all the details.
5. Known Exploited Vulnerabilities Catalog - https://www.cisa.gov/known-exploited-...
This is the Known Exploited Vulnerabilities Catalog from CISA. The previous story pointed to it as a resource for searching and staying up to date on vulnerabilities that are actually being exploited, and on their remediations.
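For readers who want to follow the step-by-step explanation in story 3 with running code, here is SHA-256 written out from the FIPS 180-4 description. This is an added example; it is not code from the podcast or from sha256algorithm.com. Rather than hard-coding the 64 round constants and 8 initial words, it derives them the way the standard defines them (the first 32 bits of the fractional parts of the cube roots and square roots of the first primes) using exact integer arithmetic, and it checks its own output against Python's hashlib so a typo in the derivation cannot go unnoticed.

```python
"""SHA-256 from the FIPS 180-4 description, step by step.

Added example, not code from the podcast or from sha256algorithm.com.
Constants are derived from primes with exact integer arithmetic instead
of being copied from a table.
"""
import hashlib
import math

MASK32 = 0xFFFFFFFF


def _primes(n):
    """First n primes by trial division (n is at most 64 here)."""
    out, p = [], 2
    while len(out) < n:
        if all(p % q for q in out if q * q <= p):
            out.append(p)
        p += 1
    return out


def _icbrt(n):
    """floor(cbrt(n)) for a non-negative int, Newton's method from above."""
    x = 1 << ((n.bit_length() + 2) // 3)  # >= cbrt(n)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


_P = _primes(64)
# Round constants K[i]: first 32 fractional bits of cbrt(prime_i).
# floor(cbrt(p * 2**96)) == floor(cbrt(p) * 2**32); masking keeps the fraction.
K = [_icbrt(p << 96) & MASK32 for p in _P]
# Initial state H0: first 32 fractional bits of sqrt(prime_i), first 8 primes.
H0 = [math.isqrt(p << 64) & MASK32 for p in _P[:8]]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _pad(msg: bytes) -> bytes:
    """Append 0x80, zero-fill to 56 mod 64, then the 64-bit big-endian bit length."""
    bitlen = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + bitlen.to_bytes(8, "big")


def _compress(state, block):
    """Process one 64-byte block: message schedule, 64 rounds, feed-forward."""
    w = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK32)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        S1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        t1 = (h + S1 + ch + K[i] + w[i]) & MASK32
        S0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (S0 + maj) & MASK32
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK32, c, b, a, (t1 + t2) & MASK32
    return [(x + y) & MASK32 for x, y in zip(state, [a, b, c, d, e, f, g, h])]


def sha256(msg: bytes) -> str:
    """Hex digest of msg, computed with the functions above."""
    state = list(H0)
    padded = _pad(msg)
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return "".join(f"{x:08x}" for x in state)


def matches_stdlib(msg: bytes) -> bool:
    """Cross-check against hashlib; True when the two digests agree."""
    return sha256(msg) == hashlib.sha256(msg).hexdigest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"x" * 1000):
        assert matches_stdlib(m), m
    print(sha256(b"abc"))
```

The derivation of K and H0 is the part most tutorials skip: once you see that 0x428a2f98 is just the fractional part of the cube root of 2, the "magic numbers" stop being magic, and the same trick makes it easy to spot a tampered constant table in a vendored implementation.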
Podcast: The Industrial Security Podcast
Episode: Risk-based Security Levels - updating ISA/IEC 62443-3-3 [The Industrial Security Podcast]
Pub date: 2022-03-15
The widely-used 62443-3-3 standard is being updated. One big change is making security levels risk-based. Join Alex Nicoll, co-chair of the ISA committee updating the standard, to look at what this means and how it will work.
In the Enterprise Security News for this week: Pentera announces a $150m Series C - YAU (Yet Another Unicorn), Herjavec Group merges with Fishtech, Google acquires SOAR vendor SIEMplify, A European grocery store buys BAS vendor XM Cyber, Flashpoint acquires vuln intel vendor Risk Based Security, Recorded Future acquires SecurityTrails, Drama in the Israeli cybersecurity news, Security Analyst is the #1 best job of 2022, Microsoft to start rolling out its own hardware security chip, & Some annoying words get banned! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw256
It's a new year and a time when we make resolutions…which often drop off by the start of February. To keep your security resolutions for 2022, today's show will be about enterprise security pitfalls and the areas corporations should focus on when planning their cybersecurity strategy for the year. Topics will include proper data hygiene; ransomware prevention and recovery techniques; challenges in securing a distributed workforce and the changing role of IT; and containing data sprawl. We're looking forward to keeping you informed throughout 2022! 2021 was the most active year in federal cybersecurity policy. Ever. The Biden administration used executive orders, new regulations, public/private partnerships and novel law enforcement strategies to shore up federal systems and engage with industry. Meanwhile, an otherwise active year in Congress took a hit when several major pieces of legislation, like incident reporting mandates and federal cybersecurity reform, were left out of the NDAA. SC Media government reporter Derek B. Johnson will discuss what came out of last year's flurry and what we can expect Congress to prioritize in 2022. In the Enterprise Security News for this week: Pentera announces a $150m Series C - YAU (Yet Another Unicorn), Herjavec Group merges with Fishtech, Google acquires SOAR vendor SIEMplify, A European grocery store buys BAS vendor XM Cyber, Flashpoint acquires vuln intel vendor Risk Based Security, Recorded Future acquires SecurityTrails, Drama in the Israeli cybersecurity news, Security Analyst is the #1 best job of 2022, Microsoft to start rolling out its own hardware security chip, & Some annoying words get banned! Show Notes: https://securityweekly.com/esw256 Segment Resources: https://www.scmagazine.com/feature/policy/every-month-has-been-cybersecurity-awareness-month-for-the-biden-administration Visit https://www.securityweekly.com/esw for all the latest episodes!
Risk based security programs are all the rage, from managers looking to "trim" the security budget to regulatory bodies looking for excuses to fine your company. Nick is a security pro who has seen it all -- programs done well, programs done poorly, and implemented one or two of them himself, and would love to share the lessons learned from those experiences. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw250
In this episode of Managing Cyber Risk, Mark Sangster, VP Industry Security Strategy at eSentire and Tia Hopkins, VP, Cyber Risk Advisory and Solutions Architecture at eSentire, join host Hillarie McClure to discuss how advancements in technology aren't always better at protecting us, how organizations can move to a risk-based approach to security, and more. eSentire is the Authority in Managed Detection and Response. eSentire's mission is to hunt, investigate and stop cyber threats before they become business disrupting events. To learn more about our sponsor, visit https://esentire.com
That is according to a survey by Risk Based Security, which found that the number of records exposed reached a staggering 36 billion in the first three quarters of 2020 alone. The most exposed data types included access credentials in the form of email addresses and passwords. This is a stark reminder to everyone of the importance of maintaining good cyber hygiene, especially having unique, complex passwords for every site they access.
We heard on last week's show how security has become the department of everything through the lockdown. And if that is the case, is it time to give some of that back? If the essence of physical security is about protecting everything, then we could say ESRM is all about prioritizing. But does the idea of prioritizing risks fly in the face of your instincts as a protector? Today we're going to be talking with Rachelle Loyear, VP Innovation and Product Management at G4S, about her work in the Enterprise Security Risk Management sector. We're going to hear how the ESRM philosophy can apply to many security fields, including close protection. Join us for this deep dive into ESRM as we discuss…
How we can take a different approach: instead of trying to protect everything, put the responsibility on the people who are going to be the most impacted.
How we can overlay traditional risk management onto security risk to form a framework and a guideline on how to approach it, and tactics for implementing it.
How to make your company or service a more valuable asset. Because, if you're managing a risk that nobody cares about, you're wasting company money.
How to better communicate the value of security, not just in conversation, but in metrics and measurable ways.
ESRM is a hot topic and an evolving one. Tune in to this week's show to discover more beyond the buzzword and learn a new philosophy. More about Rachelle Loyear: Rachelle is the Director of Program Management for Integrated Security Solutions at G4S North America, having spent over a decade managing programs in corporate security organizations. Focusing strongly on security risk management, she has been responsible for ensuring enterprise resilience in the face of many different types of risks, both physical and cyber.
In 2016 she co-authored The Manager's Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security; in 2017 she released the book The Manager's Guide to Simple, Strategic, Service-Oriented Business Continuity; and she is a co-author of the 2018 book Enterprise Security Risk Management: Concepts and Applications. Rachelle is the current program manager of the ASIS ESRM program, is a member and recent chair of the ASIS Crisis Management and Business Continuity Council, and is a member of the ASIS IT Security Council. She is a Certified Information Security Manager (CISM) through ISACA, a Master Business Continuity Professional (MBCP) through DRI International, an Associate Fellow of Business Continuity International (AFBCI), and a certified Project Management Professional (PMP) through the Project Management Institute (PMI). https://www.linkedin.com/in/rachelle-loyear/ (Rachelle Loyear) https://www.g4s.com/en-us/academy/our-experts/rachelle-loyear (G4S) https://www.amazon.co.uk/Books-Rachelle-Loyear/s?rh=n%3A266239%2Cp_27%3ARachelle+Loyear (Publications) More about the Circuit: The Circuit Magazine is written and produced by volunteers, most of whom are operationally active, working full time in the security industry. The magazine is a product of their combined passion and desire to give something back to the industry. By subscribing to the magazine you are helping to keep it going into the future. https://circuit-magazine.com/read/ (Find out more >) If you liked this podcast, we have an accompanying weekly newsletter called 'On the Circuit' where we take a deeper dive into the wider industry. http://bit.ly/OntheCircuit (Opt in here >) The Circuit team is: Jon Moss, Shaun West, Elijah Shaw, Phelim Rowe. Connect with Us: https://circuit-magazine.com/ (Circuit Magazine) https://mailchi.mp/the-bba.org.uk/bba-connect (BBA Connect) https://www.theprotectorapp.com/ (NABA Protector) https://the-bba.org.uk/ (British Bodyguard Association)
When it comes to executive protection professionals Ivor Terret is not just one of the best but one of the most intelligent individuals I've come across. It’s not just my opinion but if you follow him you’ll see that he has spoken on a number of extremely reputable stages within our industry and that most if not all of the high-end events that are some time or another. He is a bona fide industry leader who is a genuine man of peace and I always admire his aim to simply be a good person, which always shines through when I interact with him. He doesn’t overcomplicate things to sound more intelligent but rather he talks about simple principles and tactics that make all the difference, period. As a person, I truly respect this man and as a professional, I can see why he is revered by so many. I’m honored to have him as a subject matter expert within our executive protection masters class curriculums and every time we interact I feel like I’ve truly gained something through our conversations. There’s so much in this episode and truly once again something for everyone. Enjoy! Protector by nature and by trade Byron
Jake Kouns, CEO & CISO of Risk Based Security, met with our host, Ashwin Krishnan, at RSAC 2020. They discuss the intelligence gap in cybersecurity and the overwhelming effect of Patch Tuesday. Jake explains, “People need to focus on not just security, but the right security, and in order to do that we need to […]
What is Risk-Based Security? How do compliance and security programs and points of view help or hinder risk-based security efforts? How can we change this? Is there a clearer path forward to teach and educate on the importance of focusing on risk? Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode17
The Risk Based Security research team routinely publishes reports outlining the data breaches of the year. The reports are based on breaches that companies have publicly disclosed, which the company compiles and releases periodically. One of the most recent is the 2019 MidYear QuickView Data Breach Report, which contains some pretty frightening numbers and details. To put it into perspective, the report states that in the first six months of 2019 there were over 3,800 publicly disclosed breaches, bringing the number of compromised records to roughly 4.1 billion. That’s well over half of the world population at the time of this recording. But what’s actually shocking is that a large chunk of those compromised records, about 3.2 billion, came from just eight of the breaches. The report also found that 70% of the breaches exposed email addresses and 65% exposed passwords. Crucial information, though not as severe as postal addresses, social insurance or social security numbers, or credit card numbers. Looking at the report further, there are some things to keep in mind. While you may be hung up on the fact that so much information was exposed by eight breaches alone, it’s key to pay attention to the bigger picture. The report notes that the vast majority of breaches were of moderate to low severity, meaning they exposed 10,000 records or fewer. This matters because many businesses today assume that if they’re small, nobody would bother with them. The truth is that, according to the data, small businesses are being targeted a lot. After all, most don’t have security measures as tight as larger companies. Today’s average cyber-criminal is opportunistic and will take whatever small bits of information are easy to get, and it’s effortless to get them from systems that aren’t as robust. Overall, the report underlines the importance of small businesses stepping up the security of their customer information.
The business sector alone accounts for 67% of all reported breaches and 84.6% of the exposed records. It doesn’t take a genius to figure that out, and consumers should be pushing any small business owner to run a more robust system. And even if customers aren’t, business owners should take the initiative to have good security in place. Best of all, it doesn’t have to be anything highly complex. The report noted that misconfigured databases were a big cause. Of the 3,813 breaches, 149 were attributed to misconfigured databases. While that count is small, the report noted that those breaches alone exposed 3.2 billion records. So making sure your systems are configured correctly ought to be a top priority for businesses. Another step is ensuring people are more aware of security and get proper training. The report found that the problems coming up are nothing new. Quarter after quarter, year after year, the same mistakes are being made. Since January 2018, the top causes of breaches have been unauthorized access to systems, skimmers, and exposure of sensitive information. All too often, businesses focus on external threats while their own people fail to send the right emails to the right recipients, or simply aren’t aware of what can pose a threat. Having training in place to address these common issues can ensure there will be fewer breaches in the future.
Links and images for this episode can be found on CISO Series (https://cisoseries.com/ciso-confessions-its-not-you-its-me-/) Vendors are trying to understand why CISOs are ghosting them and sometimes, it really isn't their fault. CISOs accept the blame on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and joining me is special guest co-host Betsy Bevilacqua (@HEALTHeSECURITY), CISO, Butterfly Network. Our guest will be Matt Southworth (@bronx), CISO of Priceline. This episode was recorded live in WeWork's Times Square location on September 5th, 2019. Here are all the photos. Enormous thanks to WeWork for hosting this event. They're hiring! Contact JJ Agha, vp of information security at WeWork. Also, huge thanks to David Raviv and the NY Information Security Meetup group for partnering with us on this event. Thanks to this week's podcast sponsor Tehama, Tenable, and Devo. Tehama provides secure and compliant virtual desktops on the cloud, and all the IT infrastructure needed for enterprises to connect and grow global and remote teams. Tehama's built-in SOC 2 Type II controls reduce the risk of malware intrusion from endpoint devices, data breaches, and other vulnerabilities. Learn more at tehama.io. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. SOC teams have been struggling with many of the same issues for years – lack of visibility, too much noise – all while the threat landscape grows more complex. 
Devo Security Operations is a next-gen cloud SIEM that enables you to gain complete visibility, reduce noise, and focus on the threats that matter most to the business. On this week's episode How are CISOs digesting the latest security news? An article on Bloomberg and an ensuing discussion on LinkedIn pointed out that costs after a breach go beyond fines and lost reputation. It also includes the cost to keep top cybersecurity talent. Salaries for a CISO post-breach can range from $2.5-$6.5 million, that includes stock. What could a security professional show and demonstrate in this time of crisis that they are the one to hire to garner such a salary? Hey, you're a CISO, what's your take on this? Michael Mortensen of Risk Based Security asks a question about when there's considerable dialogue with a prospect, and they go cold. Michael wants to know what causes this? He has theories on sales people being impatient or wrong set of expectations, but he's interested in the CISO's viewpoint. Assuming you have had conversations with a vendor, have you gone cold on their outreach? If so, what was the reason? It's time to play, "What's Worse?!" Two rounds lots of agreement, but plenty of struggle. Why is everybody talking about this now? Cryptography firm Crown Sterling has sued Black Hat for breaching its sponsorship agreement and also suing 10 individuals for orchestrating a disruption of the company's sponsored talk at the conference in which the CEO presented a finding on discovering prime numbers which are key to public-key encryption. The crowd didn't like it and they booed him. You can see a video of one individual yelling, "Get off the stage, you shouldn't be here." Crown Sterling argued that Black Hat was in violation of their sponsorship agreement because they didn't do enough to stop it. At Black Hat and related parties I saw many printed signs about codes of conduct. It doesn't appear anyone had a plan to enforce those rules. 
What has happened in the security community that some security professionals feel they have the right to shout down a speaker like this? If one of these 10 disruptors was your employee, how would you respond? What's a CISO to do? So much of a job of a CISO is to change behavior. How do CISOs change behavior to a more secure posture? Where should a CISO start? What's the low hanging fruit? It’s time for the audience question speed round Our audience has questions, and our CISOs tried to come up with as many answers as possible. Our closing question put my guest co-host in the hot seat.
Vulnerability Response is only as good as the information available to you. Better data matters because it enables better prioritization decisions and quicker remediation. RBS’ VulnDB Vulnerability Database has data on over 200,000 vulnerabilities, including over 68,000 that aren’t found in the National Vulnerability Database (NVD / CVE) which feeds most scanner tools. In this video, Jay Wigard, Product Development Leader from ITS Partners, and Jake Kouns, CISO at Risk-Based Security discuss the new VulnDB Vulnerability Integration. Developed by ITS Partners, the VulnDB Vulnerability Integration can enrich your ServiceNow Vulnerability Response program with greatly improved data and arm your analysts with the information needed to quickly mitigate vulnerability risks.
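Both the CISA Known Exploited Vulnerabilities Catalog mentioned earlier on this page and the prioritization questions raised by the VulnDB and Tenable blurbs ("which vulnerabilities are likeliest to be exploited? what should we fix first?") come down to the same practical step: joining scanner output against an exploitation feed before ordering the patch queue. The following is an added example of that join; it is not code from CISA, Tenable, ServiceNow, ITS Partners or Risk Based Security. The KEV snapshot and the scanner findings are constructed inline with clearly fictitious CVE-2099-* identifiers (no real vulnerabilities are described); the field names cveID, dateAdded, dueDate, requiredAction and knownRansomwareCampaignUse follow the public CISA KEV JSON feed, which is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and can be substituted for the constructed text.

```python
"""Risk-based patch ordering: scanner findings ranked against a KEV snapshot.

Added example; not code from CISA, Tenable, ServiceNow, ITS Partners or RBS.
The KEV snapshot and findings below are CONSTRUCTED, with fictitious
CVE-2099-* identifiers. Field names follow the public CISA KEV JSON feed.
"""
import json
from datetime import date

# Constructed KEV snapshot (same shape as the real feed, fictitious entries).
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCo", "product": "Gateway",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-22",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCo", "product": "Agent",
     "dateAdded": "2024-05-10", "dueDate": "2024-05-31",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed scanner output: (host, CVE, CVSS base score, internet-exposed?).
FINDINGS = [
    ("web-01", "CVE-2099-0003", 9.8, True),
    ("db-02", "CVE-2099-0001", 7.2, False),
    ("vpn-01", "CVE-2099-0002", 8.1, True),
    ("ws-17", "CVE-2099-0004", 5.3, False),
]


def load_kev(text: str) -> dict:
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def priority(finding, kev: dict, today: date) -> tuple:
    """Sort key; lower sorts first.

    Order of precedence: listed in KEV, then known ransomware use, then past
    the KEV due date, then internet exposure, then CVSS as the tie-breaker.
    A CVSS 9.8 with no known exploitation therefore ranks below a KEV 7.2.
    """
    _host, cve, cvss, exposed = finding
    entry = kev.get(cve)
    in_kev = entry is not None
    ransomware = in_kev and entry["knownRansomwareCampaignUse"] == "Known"
    overdue = in_kev and date.fromisoformat(entry["dueDate"]) < today
    return (not in_kev, not ransomware, not overdue, not exposed, -cvss)


def rank(findings, kev_text: str, today_iso: str) -> list:
    """Return [(host, cve), ...] in the order they should be remediated."""
    kev = load_kev(kev_text)
    today = date.fromisoformat(today_iso)
    ordered = sorted(findings, key=lambda f: priority(f, kev, today))
    return [(f[0], f[1]) for f in ordered]


def report(findings, kev_text: str, today_iso: str) -> list:
    """One line per finding with the KEV required action and days overdue."""
    kev = load_kev(kev_text)
    today = date.fromisoformat(today_iso)
    lines = []
    for host, cve in rank(findings, kev_text, today_iso):
        entry = kev.get(cve)
        if entry is None:
            lines.append(f"{host} {cve}: not in KEV, schedule per normal SLA")
            continue
        late = (today - date.fromisoformat(entry["dueDate"])).days
        lines.append(f"{host} {cve}: KEV, {max(late, 0)} days past due, "
                     f"ransomware={entry['knownRansomwareCampaignUse']}, "
                     f"action: {entry['requiredAction']}")
    return lines


if __name__ == "__main__":
    for line in report(FINDINGS, KEV_JSON, "2024-06-15"):
        print(line)
```

The point of the tuple key is that every factor that raises the likelihood of exploitation outranks raw CVSS; swap in the live feed and a real scanner export, and the same ordering gives an analyst a defensible "fix this first" list rather than a wall of criticals.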
Nessus (https://www.tenable.com/products/nessus) , celebrated its 15th anniversary in 2013 and is considered the de facto standard for vulnerability scanning worldwide. Renaud co-founded Tenable Network Security (https://www.tenable.com/) in 2002. As Chief Technology Officer, he drives product strategy and development. Before Tenable, Renaud was the primary author of the Nessus vulnerability scanner – releasing the first version of Nessus when he was 17. Renaud continues to contribute to the global security community; he is the author of three patents related to network scanning and security and has published his work in books and magazines. In this episode, we discuss building the first version of Nessus when he was a teenager, getting the basics right, challenges with the cloud, IoT and embedded devices security, responsible vulnerability disclosure, and so much more. Where you can find Renaud: LinkedIn (https://www.linkedin.com/in/renaud-deraison-26051982/) Tenable (https://www.tenable.com/profile/renaud-deraison) Dark Reading: The Argument for Risk-Based Security (https://www.darkreading.com/attacks-breaches/the-argument-for-risk-based-security/a/d-id/1330687?)
Fancy Bear’s latest campaign is using malware reported to VirusTotal by US Cyber Command. IBM’s X-Force looks at cybersecurity for travelers, and shares a bunch of horror stories. SecurityScorecard looks at the online security of political parties in the US and Europe: some are better than others, but all could use some help. Updates on Huawei and other Chinese companies facing US sanctions. And if you’re listening to this in the US, you may believe you know more than you in fact do. Johannes Ullrich from SANS and the ISC Stormcast podcast on website vulnerabilities due to third party tools. Guest is Inga Goddijn from Risk Based Security on their Q1 Data Breach Report and cyber insurance issues. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_22.html
Our guest today is Brian Martin, vice president of vulnerability intelligence at Risk Based Security, a company that provides risk identification and security management tools leveraging their data-breach and vulnerability intelligence. Brian shares his experience turning data into meaningful, actionable intelligence, common misperceptions he's encountered along the way, and why he thinks companies shopping around for threat intelligence need to be careful to ask the right questions.
Recorded Future - Inside Threat Intelligence for Cyber Security
Researchers at Risk Based Security took a detailed look back at the 2014 Sony hack, comparing analysis that occurred while the facts were still unfolding with what we know, today. There are interesting lessons to be learned, especially when it comes to attribution. Brian Martin is V.P. of vulnerability intelligence at Risk Based Security, and he shares their findings. The research can be found here: https://www.riskbasedsecurity.com/2018/09/you-didnt-think-the-sony-saga-was-over-did-you/ The CyberWire's Research Saturday is presented by the Hewlett Foundation Cyber Initiative. Thanks to our sponsor Enveil, closing the last gap in data security.
In today's podcast, we hear that warnings of Russian prep for an attack on power grids become more pointed. Phishing and impersonation attacks continue to rise. Microsoft patches a patch. The SingHealth breach remains under investigation. The Satori botnet may be taking another run at Android devices. Bluetooth vulnerabilities render paired devices susceptible to man-in-the-middle attacks. And evil maid attacks may be less difficult than you thought. Emily Wilson from Terbium Labs, sharing her experience attending a conference for professionals working to fight fraud. Guest is Brian Martin from Risk Based Security with their research on vulnerabilities they discovered with the Click2Gov service. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_24.html
In today's podcast, Dark Web trading post AlphaBay looks buggy, and leaky. Some not-so-bad news on ransomware (and bravo to those Gateway City librarians). Risk Based Security's 2016 breach report says the USA is number one (but not in a good way). Sweden's armed forces recover from a cyberattack by unnamed parties. Saudi Arabia remains on high-alert for fresh infestations of Shamoon. Dan Larson from CrowdStrike weighs in on ransomware evolution. Markus Rauschecker from the University of Maryland Center for Health and Homeland Security highlights a Dept. of Commerce report on the IoT. And the Russian treason case may be closer to what would look like a corruption case under Western eyes.
Join the interview in progress featuring Jake Kouns of Risk Based Security. Coffee machines, HVAC systems… What are the present-day issues facing enterprise corporations as more and more of our daily devices become connected? Jake gives some brief insight on his upcoming presentation at FIRST 2015. Jake and co-presenter Carsten Eiram (Risk Based Security) present “Bring Your Own Internet of Things” on Tuesday, June 16th at 14:45.
Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Kouns-Eiram/DEFCON-22-Kouns-Eiram-Screw-Becoming-A-Pentester-Bug-Bounty-Hunter-UPDATED.pdf
Screw Becoming A Pentester - When I Grow Up I Want To Be A Bug Bounty Hunter!
Jake Kouns, CISO, Risk Based Security
Carsten Eiram, Chief Research Officer, Risk Based Security
Everywhere you turn it seems that companies are having serious problems with security, and they desperately need help. Getting into information security provides an incredible career path with what appears to be no end in sight. There are so many disciplines that you can choose in InfoSec, with the fundamental argument being whether you join Team Red or Team Blue. Most people tend to decide on the Red team and that becoming a professional pentester is the way to go, as it is the most sexy (and typically pays well). However, with bug bounties currently being all the rage and providing a legal and legitimate way to profit off vulnerability research, who really wants to be a pentester when you can have so much more fun being a bug bounty hunter! Researcher motivation in the old days and options for making money off of vulnerabilities were much different than today. This talk analyzes the history of selling vulnerabilities, the introduction of bug bounties, and their evolution. We cover many facets including the different types of programs and the ranges of money that can be made. We then focus on researchers who have currently chosen the bug bounty hunter lifestyle and provide details on how to get involved in bug bounty programs, which likely pay the best, and which vendors you may want to avoid. What constitutes a good bug bounty program that makes it worth your time? What do you need to know to make sure that you keep yourself out of legal trouble? Ultimately, we’ll provide thoughts on the value of bug bounties, their future, and whether they can be a full-time career choice instead of a more traditional position such as pentesting.
Jake Kouns is the CISO for Risk Based Security and the CEO of the Open Security Foundation, which oversees the operations of OSVDB.org and DataLossDB.org. Mr. Kouns has presented at many well-known security conferences including RSA, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, FIRST, CanSecWest, SOURCE and SyScan. He is the co-author of the books Information Technology Risk Management in Enterprise Environments (Wiley, 2010) and The Chief Information Security Officer (IT Governance, 2011). He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP and ISACA's CISM, CISA and CGEIT. Twitter: @jkouns
Carsten Eiram is the Chief Research Officer of Risk Based Security and previously worked 10 years for Secunia, managing the Research team. Carsten has a reverse engineering background and extensive experience in the field of Vulnerability Intelligence, referring to himself as a vulnerability connoisseur. He has deep insights into vulnerabilities, root causes, and trends, and is also an avid vulnerability researcher, having discovered critical vulnerabilities in high-profile products from major vendors including Microsoft, Adobe, Symantec, IBM, Apple, Novell, SAP, Blue Coat, and Trend Micro. Carsten has been interviewed for numerous news articles about software security and has presented at conferences such as FIRST Conference, RSA Conference, DEF CON and RVAsec, as well as keynoting Defcamp 2013. He is also a regular contributor to the "Threat of the Month" column in SC Magazine, a credited contributor to the "CWE/SANS Top 25 Most Dangerous Software Errors" list, and a member of the CVE Editorial Board and FIRST VRDX-SIG. Twitter: @CarstenEiram