The Southern Fried Security Podcast
Join Andy Willingham, Martin Fisher,Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at www.southernfriedsecurity.com.

Episode 190 - Burnout

 

  1. Intro
    1. Why the topic of burnout?
      1. Because it affects all of us, and yet it’s not talked about much in this field
      2. Disclaimer: We am not a doctor. Or a psychiatrist or psychologist. Nor did we stay in a holiday inn express...
    1. Reason for sabbatical
    2. Martin’s story
  2. Personal Connection
    1. Symptoms may mirror depression
      1. “The Creeping Malaise”
      1. Weight
      2. Panic Attacks, etc
      3. Isolation - even while in a crowd
    2. Physical symptoms
    3. It’s been around for a long time.  http://www.secburnout.org/ & http://www.slideshare.net/secburnout/burnout-in-information-security are from 2011/12
  3. Recognizing Burnout
    1. “It won’t happen to me”
    2. “I just have to make it through this busy season and this end of quarter and the end of FY and…”
    3. “Everybody else is exactly the same…”
    4. Conferences are not vacations and shouldn’t be seen that way.  Cons can be very hard work.
  4. Easy Traps
    1. Outdoor hobbies
      1. Just get outside and away from screens
    2. A physical, people you can talk to in person community
      1. http://www.newyorker.com/humor/daily-shouts/i-work-from-home
      2. http://theoatmeal.com/comics/running
    3. Exercise & diet
    4. Creating and enforcing boundaries (emotional and physical)
  5. Mitigation Strategies
    1. Not liking your job or employer  (that’s quite the opposite problem, actually)
    2. Just hard work for a little while
  6. What burnout isn’t…
    1. http://lisacongdon.com/blog/2016/12/on-burnout-and-the-slow-rebuilding/
  7. Resources
  8. Outro
Direct download: SFS_Podcast_-_Ep_190.mp3
Category:general -- posted at: 6:35pm EST

In this inaugural bonus track we release the interview we did with Nick Selby (@nselby) on his experience validating the work of MedSec on St. Medical devices.

Direct download: SFS_Podcast_-_Episode_189_Bonus_Track.mp3
Category:general -- posted at: 7:55am EST

SFS Podcast Episode: 189

 

Medical Device Security

 

  1. Intro
    1. Hospital devices (infusion pumps, CT, MRI, etc)
    2. Personal devices (pacemaker, insulin pumps, etc)
  2. Medical Devices are a broad category
    1. Discussion of Sentinel Events...
  3. This has some of the same threat landscape as the IoVCT, but the consequences can be much more serious.
    1. Lead times for device approval
    2. Fixed configurations / FDA compliance
    3. Working life of devices
    4. “Well just replace them all!” Cost of devices (esp for small/struggling hospitals)
    5. Sheer number of devices can be overwhelming when looking to upgrade/replace
    6. Vendors that bring in things for a trial w/o involvement of IT/IS
  4. Challenges to Fixing The Problem:
    1. Vuln Disclosure  
      1. Muddy Waters / St Jude
        1. Problem there wasn’t disclosure it was the look of the profit motive
        2. August 25, 2016 > http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/
        3. SJM sued in early September >> http://www.wsj.com/articles/st-jude-medical-sues-short-seller-over-device-allegations-1473258343
        4. http://www.marketwatch.com/story/short-seller-muddy-waters-renews-claims-of-st-jude-medical-cyber-vulnerabilities-2016-10-19
        5. Goes beyond Vulnerability Disclosure and Muddy Waters claims SJM is attacking their First Amendment - Right to Free Speech - rights >> https://www.bloomberg.com/news/articles/2016-10-24/muddy-waters-fights-st-jude-lawsuit-over-pacemaker-reports
        6. Muddy Waters report from Bishop Fox >> http://www.reuters.com/article/us-st-jude-medical-cyber-muddywaters-idUSKCN12O1O1
        1. http://www.csmonitor.com/World/Passcode/2016/0210/FDA-presses-medical-device-makers-to-OK-good-faith-hacking
      2. Bug Bounties
    2. FDA Task Force - http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm
      1. I Am The Cavalry - https://iamthecavalry.org/oath
        1. HIMSS Cyber Security Community - http://www.himss.org/get-involved/community/cybersecurity
        2. Archimedes Center for Medical Device Security - https://secure-medicine.blogspot.com
        3. NH-ISAC - http://www.nhisac.org/
        4. MDISS - http://www.mdiss.org
      2. Other interest groups
    3. Other groups
  5. How Can it Get Better
    1. Sometime, somewhere, somehow something bad is going to happen and somebody is going to die.
    2. There will need to be more market pressure - http://thehill.com/blogs/congress-blog/technology/278712-a-new-narrative-on-cyber-security
    3. What will regulators do?  (eg DLink and the FTC)
  6. What’s the Future?
  7. Outro & Credits
Direct download: SFS_Podcast_-_Episode_189.mp3
Category:general -- posted at: 7:56pm EST

Andy and Martin close out 2016 with a quick run through of the major stories of the year and look forward to what's to come in 2017.

Thanks to everyone who came to BSides Atlanta!

Direct download: SFS_Podcast_-_Episode_188.mp3
Category:general -- posted at: 11:10am EST

Martin, Steve, and Yvette discuss the recent DDoS of the DNS provider Dyn and what information security people should be considering in a world where terabit DDoS is a reality.

Direct download: SFS_Podcast_-_Episode_187.mp3
Category:general -- posted at: 8:10pm EST

Martin, Steve, and Yvette talk about recent events at Yahoo and the moral compass questions information security professionals and leaders may be forced to face when their employer appears to be doing something they shouldn't...

Direct download: SFS_Podcast_-_Episode_186.mp3
Category:general -- posted at: 8:15pm EST

For the first time we can think of it's just Yvette and Martin on this episode.  The two of them talk about what to think about and what you might do if you run into some extra budget at the end of the year.  Do you invest in shiny? What about services? Some training might be nice?  Or so you score points with the team down the hall?

Direct download: SFS_Podcast_-_Episode_185.mp3
Category:general -- posted at: 6:46am EST

We interview Nick Selby (@nselby) about a recent blog post where he had a less than optimal experience with a managed security service provider.

 

https://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/

 

 

Direct download: SFS_Podcast_-_Episode_184.mp3
Category:general -- posted at: 8:29pm EST

Martin, Andy, and Steve talk about third party risk programs in light of breaches at Target, Banner Health, and other unfortunate souls.

Direct download: SFS_Podcast_-_Episode_183.mp3
Category:general -- posted at: 7:19am EST

Joseph is on sabbatical but the rest of the crew talks about how infosec professionals should focus on their problems and how to effectively interact with "the business".

 

 

Direct download: SFS_Podcast_-_Ep182.mp3
Category:general -- posted at: 9:28am EST