In this joint episode of the Security Break podcast and CISO Tradecraft podcast, hosts from both platforms come together to discuss a variety of current cybersecurity topics. They delve into the challenge of filtering relevant information in the cybersecurity sphere, elaborate on different interpretations of the same news based on the reader's background, and share a detailed analysis on specific cybersecurity news stories. The discussion covers topics such as the implications of data sharing without user consent by major wireless providers and the fines imposed by the FCC, the significance of increasing bug bounty payouts by tech companies like Google, and a comprehensive look at how edge devices are exploited by hackers to create botnets for various cyberattacks. The conversation addresses the complexity of the cybersecurity landscape, including how different actors with varied objectives can simultaneously compromise the same devices, making it difficult to attribute attacks and protect networks effectively.

Transcripts: https://docs.google.com/document/d/1GtFIWtDf_DSIIgs_7CizcnAHGnFTTrs5

Chapters

• 00:00 Welcome to a Special Joint Episode: Security Break & CISO Tradecraft
• 01:27 The Challenge of Filtering Cybersecurity Information
• 04:23 Exploring the FCC's Fine on Wireless Providers for Privacy Breaches
• 06:41 The Complex Landscape of Data Privacy Regulations
• 16:00 The Economics of Data Breaches and Regulatory Fines
• 24:23 Bug Bounties and the Value of Security Research
• 33:21 Exploring the Economics of Cybersecurity
• 33:50 The Lucrative World of Bug Bounties
• 34:38 The Impact of Security Vulnerabilities on Businesses
• 35:50 Navigating the Complex Landscape of Cybersecurity
• 36:22 The Ethical Dilemma of Selling Exploit Information
• 37:32 Understanding the Market Dynamics of Cybersecurity
• 38:00 Focusing on Android Application Security
• 38:34 The Importance of Targeting in Cybersecurity Efforts
• 42:33 Exploring the Threat Landscape of Edge Devices
• 46:37 The Challenge of Securing Outdated Technology
• 49:28 The Role of Cybersecurity in Modern Warfare
• 53:15 Strategies for Enhancing Cybersecurity Defenses
• 01:05:25 Concluding Thoughts on Cybersecurity Challenges

In this episode of CISO Tradecraft, host G. Mark Hardy discusses seven critical issues facing the cybersecurity industry, offering a detailed analysis of each problem along with counterarguments. The concerns range from the lack of a unified cybersecurity license, the inefficiency and resource waste caused by auditors, to the need for a federal data privacy law. Hardy emphasizes the importance of evaluating policies, prioritizing effective controls, and examining current industry practices. He challenges the audience to think about solutions and encourages sharing opinions and additional concerns, aiming to foster a deeper understanding and improvement within the field of cybersecurity.

Transcripts: https://docs.google.com/document/d/1H_kTbCG8n5f_d1ZHNr1QxsXf82xb08cG

Chapters

• 00:00 Introduction
• 01:28 Introducing the Seven Broken Things in Cybersecurity
• 02:00 1. The Lack of a Unified Cybersecurity License
• 06:53 2. The Problem with Cybersecurity Auditors
• 10:09 3. The Issue with Treating All Controls as High Priority
• 14:12 4. The Obsession with New Cybersecurity Tools
• 19:23 5. Misplaced Accountability in Cybersecurity
• 22:38 6. Rethinking Degree Requirements for Cybersecurity Jobs
• 26:49 7. The Need for Federal Data Privacy Laws
• 30:53 Closing Thoughts and Call to Action

In this episode of CISO Tradecraft, hosts G Mark Hardy and guests Jeff Majka and Andrew Dutton discuss the vital role of competitive threat intelligence in cybersecurity. They explore how Security Bulldog's AI-powered platform helps enterprise cybersecurity teams efficiently remediate vulnerabilities by processing vast quantities of data, thereby saving time and enhancing productivity. The conversation covers the importance of diverse threat intelligence sources, including open-source intelligence and insider threat awareness, and the strategic value of AI in analyzing and prioritizing data to manage cybersecurity risks effectively. The discussion also touches on the challenges and potentials of AI in cybersecurity, including the risks of data poisoning and the ongoing battle between offensive and defensive cyber operations.

The Security Bulldog: https://securitybulldog.com/contact/

Transcripts: https://docs.google.com/document/d/1D6yVMAxv16XWtRXalI5g-ZdepEMYmQCe

Chapters

• 00:00 Introduction
• 00:56 Introducing the Experts: Insights from the Field
• 02:43 Unpacking Cybersecurity Intelligence: Definitions and Importance
• 04:02 Exploring Cyber Threat Intelligence (CTI): Applications and Strategies
• 13:11 The Role of AI in Enhancing Cybersecurity Efforts
• 16:43 Navigating the Complex Landscape of Cyber Threats and Defenses
• 19:07 The Future of AI in Cybersecurity: A Balancing Act
• 22:33 Exploring AI's Role in Cybersecurity
• 22:50 The Practical Application of AI in Cybersecurity
• 25:08 Challenges and Trust Issues with AI in Cybersecurity
• 26:52 Managing AI's Risks and Ensuring Reliability
• 31:00 The Evolution and Impact of AI Tools in Cyber Threat Intelligence
• 34:45 Choosing the Right AI Solution for Cybersecurity Needs
• 37:27 The Business Case for AI in Cybersecurity
• 41:22 Final Thoughts and the Future of AI in Cybersecurity

This episode of CISO Tradecraft features a comprehensive discussion between host G Mark Hardy and guest Rafeeq Rehman, centered around the evolving role of CISOs, the impact of Generative AI, and strategies for effective cybersecurity leadership. Rafeeq shares insights on the CISO Mind Map, a tool for understanding the breadth of responsibilities in cybersecurity leadership, and discusses various focal areas for CISOs in 2024-2025, including the cautious adoption of Gen AI, tool consolidation, cyber resilience, branding for security teams, and maximizing the business value of security controls. The episode also addresses the importance of understanding and adapting to technological advancements, advocating for cybersecurity as a business-enabling function, and the significance of lifelong learning in information security.

Cybersecurity Learning Saturday: https://www.linkedin.com/company/cybersecurity-learning-saturday/

2024 CISO Mindmap: https://rafeeqrehman.com/2024/03/31/ciso-mindmap-2024-what-do-infosec-professionals-really-do/

Transcripts: https://docs.google.com/document/d/1axXQJoAdJI26ySKVfROI9rflvSe9Yz50

Chapters

• 00:00 Introduction
• 00:57 Rafeeq Rehman: Beyond the CISO MindMap
• 04:17 The Evolution of the CISO MindMap
• 08:30 AI and the Future of Cybersecurity Leadership
• 11:47 Embracing Change: The Role of AI in Cybersecurity
• 14:16 Generative AI: Hype, Reality, and Strategic Advice for CISOs
• 22:32 Navigating the Future Job Market with AI
• 22:53 Framing AI for Specific Roles
• 24:12 Harnessing Creativity with Generative AI
• 25:14 Consolidating Security Tools for Efficiency
• 28:31 Evaluating Security Tools: A Deep Dive
• 32:21 Cyber Resilience: Beyond Incident Response
• 35:51 Building a Business-Focused Security Strategy
• 39:39 Maximizing Business Value Through Security
• 43:15 Looking Ahead: Focus Areas for the Future
• 43:53 Concluding Thoughts and Future Predictions

In this episode of CISO Tradecraft, host G Mark Hardy welcomes Alex Dorr to discuss Reality-Based Leadership and its impact on reducing workplace drama and enhancing productivity. Alex shares his journey from professional basketball to becoming an evangelist of reality-based leadership, revealing how this approach helped him personally and professionally. They delve into the concepts of SBAR (Situation, Background, Analysis, Recommendation) for effective communication, toggling between low self and high self to manage personal reactions, and practical tools like 'thinking inside the box' to confront and solve workplace issues within given constraints. The conversation underscores the importance of focusing on actionable strategies over arguing with the drama and reality of workplace dynamics, aiming to foster a drama-free, engaged, and productive work environment.

Alex Dorr's Linkedin: https://www.linkedin.com/in/alexmdorr/

Reality-Based Leadership Website: https://realitybasedleadership.com/

Transcripts: https://docs.google.com/document/d/1wge0pFLxE4MkS6neVp68bdz8h9mHrwje

Chapters

• 00:00 Introduction
• 00:57 Alex Dorr's Journey from Basketball to Leadership Expert
• 03:54 The Core Principles of Reality-Based Leadership
• 06:20 Understanding the Human Condition in the Workplace
• 09:19 Tackling Workplace Drama with Reality-Based Leadership
• 11:58 The Power of Positive Energy Management
• 17:42 Navigating Unpreferred Realities and Finding Impact
• 19:44 Reality-Based Leadership in Action: Techniques and Outcomes
• 23:12 The Importance of Skill Development Over Perfecting Reality
• 24:32 The Challenge of Employee Engagement
• 25:49 Secrets to Embracing Reality and Taking Action
• 25:58 Leadership vs. Management: Navigating Workplace Dynamics
• 28:28 Empowering Employees with the SBAR Framework
• 34:04 Addressing Venting and Negative Behaviors
• 36:17 Developing People: The Core of Leadership
• 37:50 Choosing Happiness Over Being Right
• 40:15 Integrating New Leadership Models and Making Them Stick
• 46:24 Concluding Thoughts and Contact Information

This episode of CISO Tradecraft dives deep into the New York Department of Financial Services Cybersecurity Regulation, known as Part 500. Hosted by G Mark Hardy, the podcast outlines the significance of this regulation for financial services companies and beyond. Hardy emphasizes that Part 500 serves as a high-level framework applicable not just in New York or the financial sector but across various industries globally due to its comprehensive cybersecurity requirements. The discussion includes an overview of the regulation's history, amendments to enhance governance and incident response, and a detailed analysis of key sections such as multi-factor authentication, audit trails, access privilege management, and incident response. Additionally, the need for written policies, designating a Chief Information Security Officer (CISO), and ensuring adequate resources for implementing a cybersecurity program are highlighted. The podcast also offers guidance on how to approach certain regulatory mandates, emphasizing the importance of teamwork between CISOs, legal teams, and executive management to comply with and benefit from the regulation's requirements.

AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/

NYDFS: https://www.dfs.ny.gov/industry_guidance/cybersecurity

Transcripts: https://docs.google.com/document/d/1CWrhNjHXG1rePtOQT-iHyhed2jfBaZud

Chapters

• 00:00 Introduction
• 00:35 Why Part 500 Matters Beyond New York
• 01:48 The Evolution of Financial Cybersecurity Regulations
• 03:20 Understanding Part 500: Definitions and Amendments
• 08:44 The Importance of Multi-Factor Authentication
• 14:33 Navigating the Complexities of Cybersecurity Regulations
• 20:23 The Critical Role of Asset Management and Access Privileges 25:37 The Essentials of Application Security and Risk Assessment
• 31:11 Incident Response and Business Continuity Management
• 32:36 Concluding Thoughts on NYDFS Cybersecurity Regulation

In this episode of CISO Tradecraft, host G. Mark Hardy delves into the crucial topic of the OWASP Top 10 Web Application Security Risks, offering insights on how attackers exploit vulnerabilities and practical advice on securing web applications. He introduces OWASP and its significant contributions to software security, then progresses to explain each of the OWASP Top 10 risks in detail, such as broken access control, injection flaws, and security misconfigurations. Through examples and recommendations, listeners are equipped with the knowledge to better protect their web applications and ultimately improve their cybersecurity posture.

OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/

OWASP Top 10: https://owasp.org/www-project-top-ten/

Transcripts: https://docs.google.com/document/d/17Tzyd6i6qRqNfMJ8OOEOOGpGGW0S8w32

Chapters

• 00:00 Introduction
• 01:11 Introducing OWASP: A Pillar in Cybersecurity
• 02:28 The Evolution of Web Vulnerabilities
• 05:01 Exploring Web Application Security Risks
• 07:46 Diving Deep into OWASP Top 10 Risks
• 09:28 1) Broken Access Control
• 14:09 2) Cryptographic Failures
• 18:40 3) Injection Attacks
• 23:57 4) Insecure Design
• 25:15 5) Security Misconfiguration
• 29:27 6) Vulnerable and Outdated Software Components
• 32:31 7) Identification and Authentication Failures
• 36:49 8) Software and Data Integrity Failures
• 38:46 9) Security Logging and Monitoring Practices
• 40:32 10) Server Side Request Forgery (SSRF)
• 42:15 Recap and Conclusion: Mastering Web Application Security

In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management.

Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij

OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/

Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207

Chapters

• 00:00 Introduction
• 00:56 Understanding Vulnerability Management
• 02:15 How Bad Actors Exploit Vulnerabilities
• 04:26 Building a Comprehensive Vulnerability Management Program
• 08:10 Prioritizing and Remediation of Vulnerabilities
• 13:09 Optimizing the Patching Process
• 15:28 Measuring and Improving Vulnerability Management Effectiveness
• 18:28 Gamifying Vulnerability Management for Better Results
• 20:38 Securing Executive Buy-In for Enhanced Security
• 21:15 Conclusion and Further Resources