The Southern Fried Security Podcast (general)
Join Andy Willingham, Martin Fisher, Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at www.southernfriedsecurity.com.

It's another Front Porch episode!

Yvette talks to her friend Brandon Clark as his first novel "Ransomware" is about to be released. "Ransomware" is part of Brandon's "Killchain Chronicles" series that will be coming out over time.

You can find the book here:

https://www.amazon.com/gp/product/1732651108/

We will be back soon with more great new content.

Direct download: SFS_Podcast_-_Episode_207.mp3
Category:general -- posted at: 3:06pm EST

Episode 206 - The Front Porch…

Welcome to the first of an occasional series of episodes featuring conversations with a variety of interesting people from both inside and outside of information security.

In this inaugural episode you get to listen to a dinner conversation between Wendy Nather, Mike Rothman, Wolfgang Goerlich, and Martin Fisher that took place in Atlanta at the Atlas Restaurant. We cover a lot of topics that I’m sure you’ll find interesting.

And, for the record, the “Aristocrat” cocktail at Atlas is something you must try.

I appreciate Duo Security and CBI for helping to make this dinner possible.

Direct download: SFS_Podcast_-_Episode_206.mp3
Category:general -- posted at: 2:24pm EST

We recorded this episode as the closing keynote at BSides Atlanta on May 5th, 2018.

We want to give a big round of thanks to the organizers, volunteers, sponsors, and attendees of BSides Atlanta for a great venue and event. It was a great time and we hope to be there again next year.

Direct download: SFS_Podcast_-_Episode_205.mp3
Category:general -- posted at: 7:22pm EST

Episode 204 - Evaluating Your Security Program: Communications Plan

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
  2. Start At The Outside and Move Your Way In
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  3. Why Even Consider Communications?
    1. If Education & Awareness are how the employees engage the program, then Communications is how the management team engages the program
    2. In business life, like everywhere else, if people don’t know who you are or what you do, then they aren’t going to be willing or able to support you in times of crisis or need
    3. The higher up in the org you want to communicate, the more deliberate your plan needs to be
  4. Determine the Audience(s)
    1. Each sub-org needs to be considered
      1. CIO-org
      2. CFO-org
      3. COO-org
      4. CMO-org
      5. CCO-org
    2. Notice that there is no “CEO-org”
      1. Unless you report to the CEO, the next person down in your chain is likely going to have to carry that water
      2. We will address the opportunities and dangers of directly engaging a CEO on some other podcast
  5. Leverage Existing Comms Before Inventing Something New
    1. Updated status reports are better than a ‘newsletter’
    2. Compelling progress reports (especially if validated by a third party) can be a huge gain
    3. If you invent something new, it had better be hugely valuable
    4. “Communication is what the listener does”
  6. “But this is just playing politics!”
    1. Get over yourself
    2. Really.
Direct download: SFS_Podcast_-_Episode_204.mp3
Category:general -- posted at: 4:37pm EST

Show Notes

Episode 203 - Evaluating Your Security Program: Threat Mapping

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
  2. Start At The Outside and Move Your Way In
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  3. What is “Threat Mapping”?
    1. How is this different from threat modeling?
    2. Threat modeling is listing what could happen to you.
    3. Threat mapping is mapping the holes in your program.
  4. How To Get Started
    1. Must have an asset management program
      1. You can’t protect what you don’t know about
      2. This isn’t “I have a CMDB”. It’s actually taking actions based on what you know about what you have
    2. Understand what your “real” threats are
      1. Map assets to known threats
        1. Industry
        2. Entry points
        3. Technology
        4. Online threat maps
      2. What are you doing to know this?
      3. What controls do you currently have in place to mitigate or reduce the risk?
    3. Scope and prioritize - break down into areas to tackle
      1. Apps
      2. Infrastructure
      3. 3rd parties
      4. etc.
  5. How To Measure
    1. Scorecard (KRI)
      1. What is important and helpful
    2. Risk Registry
  6. How To Improve/Modify
    1. Use your risk registry or GRC tool to track progress and keep management updated. You need them onboard to improve.
    2. Once you have some areas mapped, don’t ignore them
    3. Implement solid change control and change management processes
    4. Keep risk scores updated so you aren’t focusing on unimportant things
Direct download: SFS_Podcast_-_Episode_203.mp3
Category:general -- posted at: 7:40pm EST

We're going to use this episode to allow the cast to talk about reaching 200 episodes and you'll hear what *really* happened on the Lost Episode.

 

We will be back in 2018 with more episodes. Until then be well and stay secure!

Direct download: SFS_Podcast_-_Episode_201.mp3
Category:general -- posted at: 12:24pm EST

The Southern Fried Security Podcast - Episode 191 - Gone Phishin’

Phishing your employees - Does it make them aware or do they feel mistrusted?

  1. Intro - Phishing - what is it typically?
    1. Example - Emails from a Prince in Nigeria, phished on Match.com, etc
  2. What about when you phish your employees to improve security?
    1. What is it? An email designed to get employees to click on suspicious links or give their credentials
    2. Discuss what I designed as part of my phishing campaign - Partnered with trusted vendor
    3. Designed an email, Google Doc, supplied AD user list, launch
    4. Stats from our phishing campaign
    5. How Gmail caught it and started dumping the emails into spam, but some employees even went into spam and clicked (RSA breach!)
    6. Employees used Slack to warn others. Can you avoid neighbors leaning over the cube telling each other? Is this when “see something, say something” becomes a good thing? How do you get employees to follow it?
  3. What are the benefits of a targeted phishing campaign?
    1. How often?
    2. Do you target specific areas you know are susceptible (Ex - Marketing, Finance)?
    3. What about Engineering? How do you trick them?
  4. How do you prevent employees from feeling that Security doesn’t trust them?
    1. Start with education first. Then move to sanctions.
    2. Use it to teach - not to ridicule.
    3. C-Levels *have* to be part of it.
  5. People are still the weak link! Solutions and hardware can’t prevent that one user from clicking on a link that creates havoc for the company.
  6. Downsides?
    1. We blow holes in security to allow phishing email through. What if the vendor gets compromised?

Direct download: SFS_Podcast_-_Episode_191.mp3
Category:general -- posted at: 6:55pm EST

Episode 190 - Burnout

  1. Intro
    1. Why the topic of burnout?
      1. Because it affects all of us, and yet it’s not talked about much in this field
      2. Disclaimer: We are not doctors. Or psychiatrists or psychologists. Nor did we stay in a Holiday Inn Express...
  2. Personal Connection
    1. Reason for sabbatical
    2. Martin’s story
  3. Recognizing Burnout
    1. Symptoms may mirror depression
      1. “The Creeping Malaise”
    2. Physical symptoms
      1. Weight
      2. Panic Attacks, etc
      3. Isolation - even while in a crowd
    3. It’s been around for a long time. http://www.secburnout.org/ & http://www.slideshare.net/secburnout/burnout-in-information-security are from 2011/12
  4. Easy Traps
    1. “It won’t happen to me”
    2. “I just have to make it through this busy season and this end of quarter and the end of FY and…”
    3. “Everybody else is exactly the same…”
    4. Conferences are not vacations and shouldn’t be seen that way. Cons can be very hard work.
  5. Mitigation Strategies
    1. Outdoor hobbies
      1. Just get outside and away from screens
    2. A physical community - people you can talk to in person
    3. Exercise & diet
      1. http://www.newyorker.com/humor/daily-shouts/i-work-from-home
      2. http://theoatmeal.com/comics/running
    4. Creating and enforcing boundaries (emotional and physical)
  6. What burnout isn’t…
    1. Not liking your job or employer (that’s quite the opposite problem, actually)
    2. Just hard work for a little while
  7. Resources
    1. http://lisacongdon.com/blog/2016/12/on-burnout-and-the-slow-rebuilding/
  8. Outro
Direct download: SFS_Podcast_-_Ep_190.mp3
Category:general -- posted at: 6:35pm EST

In this inaugural bonus track we release the interview we did with Nick Selby (@nselby) on his experience validating the work of MedSec on St. Jude Medical devices.

Direct download: SFS_Podcast_-_Episode_189_Bonus_Track.mp3
Category:general -- posted at: 7:55am EST

SFS Podcast Episode: 189

Medical Device Security

  1. Intro
    1. Hospital devices (infusion pumps, CT, MRI, etc)
    2. Personal devices (pacemaker, insulin pumps, etc)
  2. Medical Devices are a broad category
  3. This has some of the same threat landscape as the IoVCT, but the consequences can be much more serious.
    1. Discussion of Sentinel Events...
  4. Challenges to Fixing The Problem:
    1. Lead times for device approval
    2. Fixed configurations / FDA compliance
    3. Working life of devices
    4. “Well just replace them all!” Cost of devices (esp for small/struggling hospitals)
    5. Sheer number of devices can be overwhelming when looking to upgrade/replace
    6. Vendors that bring in things for a trial w/o involvement of IT/IS
  5. How Can it Get Better
    1. Vuln Disclosure
      1. Muddy Waters / St Jude
        1. The problem there wasn’t disclosure, it was the look of the profit motive
        2. August 25, 2016 > http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/
        3. SJM sued in early September >> http://www.wsj.com/articles/st-jude-medical-sues-short-seller-over-device-allegations-1473258343
        4. http://www.marketwatch.com/story/short-seller-muddy-waters-renews-claims-of-st-jude-medical-cyber-vulnerabilities-2016-10-19
        5. Goes beyond Vulnerability Disclosure: Muddy Waters claims SJM is attacking their First Amendment (Right to Free Speech) rights >> https://www.bloomberg.com/news/articles/2016-10-24/muddy-waters-fights-st-jude-lawsuit-over-pacemaker-reports
        6. Muddy Waters report from Bishop Fox >> http://www.reuters.com/article/us-st-jude-medical-cyber-muddywaters-idUSKCN12O1O1
      2. Bug Bounties
        1. http://www.csmonitor.com/World/Passcode/2016/0210/FDA-presses-medical-device-makers-to-OK-good-faith-hacking
    2. FDA Task Force - http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm
    3. Other groups
      1. I Am The Cavalry - https://iamthecavalry.org/oath
      2. Other interest groups
        1. HIMSS Cyber Security Community - http://www.himss.org/get-involved/community/cybersecurity
        2. Archimedes Center for Medical Device Security - https://secure-medicine.blogspot.com
        3. NH-ISAC - http://www.nhisac.org/
        4. MDISS - http://www.mdiss.org
  6. What’s the Future?
    1. Sometime, somewhere, somehow something bad is going to happen and somebody is going to die.
    2. There will need to be more market pressure - http://thehill.com/blogs/congress-blog/technology/278712-a-new-narrative-on-cyber-security
    3. What will regulators do? (e.g. D-Link and the FTC)
  7. Outro & Credits
Direct download: SFS_Podcast_-_Episode_189.mp3
Category:general -- posted at: 7:56pm EST

Andy and Martin close out 2016 with a quick run through of the major stories of the year and look forward to what's to come in 2017.

Thanks to everyone who came to BSides Atlanta!

Direct download: SFS_Podcast_-_Episode_188.mp3
Category:general -- posted at: 11:10am EST

Martin, Steve, and Yvette discuss the recent DDoS of the DNS provider Dyn and what information security people should be considering in a world where terabit DDoS is a reality.

Direct download: SFS_Podcast_-_Episode_187.mp3
Category:general -- posted at: 8:10pm EST

Martin, Steve, and Yvette talk about recent events at Yahoo and the moral compass questions information security professionals and leaders may be forced to face when their employer appears to be doing something they shouldn't...

Direct download: SFS_Podcast_-_Episode_186.mp3
Category:general -- posted at: 8:15pm EST

For the first time we can think of, it's just Yvette and Martin on this episode. The two of them talk about what to think about and what you might do if you run into some extra budget at the end of the year. Do you invest in shiny? What about services? Some training might be nice? Or do you score points with the team down the hall?

Direct download: SFS_Podcast_-_Episode_185.mp3
Category:general -- posted at: 6:46am EST

We interview Nick Selby (@nselby) about a recent blog post where he had a less than optimal experience with a managed security service provider.

https://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/

Direct download: SFS_Podcast_-_Episode_184.mp3
Category:general -- posted at: 8:29pm EST

Martin, Andy, and Steve talk about third party risk programs in light of breaches at Target, Banner Health, and other unfortunate souls.

Direct download: SFS_Podcast_-_Episode_183.mp3
Category:general -- posted at: 7:19am EST

Joseph is on sabbatical but the rest of the crew talks about how infosec professionals should focus on their problems and how to effectively interact with "the business".

Direct download: SFS_Podcast_-_Ep182.mp3
Category:general -- posted at: 9:28am EST

Let's chat with Michelle Klinger about BSidesLV and the Security BSides organization...

Direct download: Microcast_2.mp3
Category:general -- posted at: 5:30pm EST

It's Security Summer Camp time!

Join Martin and Jack Daniel over some breakfast and listen in.

Direct download: 2014_Microcast_1.mp3
Category:general -- posted at: 12:59pm EST

Episode 133 - The Doctor is In

Martin, Joseph, and Steve talk about health care and your phone...

https://www.apple.com/ios/ios8/health/
http://www.zdnet.com/new-ios-7-lock-screen-flaw-opens-up-iphones-ipads-in-seconds-7000030335/

http://recode.net/2014/06/02/the-doctor-will-see-you-on-your-iphone-now

http://www.theverge.com/2014/6/5/5765732/talkspace-smartphone-therapy-apps

Direct download: SFS_Podcast_-_Episode_133.mp3
Category:general -- posted at: 8:26pm EST

It feels good to be back in the saddle again, and the gang hit some fun articles tonight:

http://www.csoonline.com/article/748462/pulling-the-reins-on-data-breach-costs

http://www.darkreading.com/management/solving-the-security-workforce-shortage/240166247

http://www.businessinsider.com/mtgox-resigns-from-bitcoin-foundation-2014-2

As always, you can find the direct link to the podcast here: http://sfspodcast.libsyn.com
If you’d like to subscribe, you can find the RSS feed here: http://sfspodcast.libsyn.com/rss or on iTunes.
And if you have any feedback, drop us a comment or find us at @SFSPodcast on Twitter

Direct download: SFS_Podcast_-_Episode_122.mp3
Category:general -- posted at: 8:35pm EST

Martin, Andy, and Steve finally manage to get schedules set and talk. Unfortunately Joseph can't come out to play this week, so the old guys have the mike. Quick note and apologies about some of the audio quality - we're working to fix it.

Direct download: SFS_Podcast_-_Episode_55.mp3
Category:general -- posted at: 6:44pm EST

Just Andy and Joseph this week, but we hit some fairly hefty topics, particularly the breaches that seem to keep springing up every day lately.

First, Derek Newton has discovered a very interesting flaw in Dropbox's host authentication.
http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

Then, we discussed the breaches of the week: Barracuda, Hartford, and US Airways.
http://www.theregister.co.uk/2011/04/11/barracuda_networks_attack/
https://www.threatpost.com/en_us/blogs/hartford-hacked-040711
https://www.threatpost.com/en_us/blogs/insider-allegedly-leaked-data-belonging-3000-us-airways-pilots-041111

And in the "too close to home for comfort" category, we finished up with the Texas Comptroller breach:

http://www.statesman.com/blogs/content/shared-gen/blogs/austin/politics/entries/2011/04/11/comptroller_personal_id_inform.html
http://blogs.chron.com/texaspolitics/archives/2011/04/personal_inform.html

As always, you can find the podcast here: http://sfspodcast.libsyn.com/rss

And if you have any feedback, drop us a comment or find us at @SFSPodcast on twitter.

Direct download: SFS_Podcast_-_Episode_49.mp3
Category:general -- posted at: 8:59pm EST

Well, the boys are short the News Yankee this week...

Joseph is back from South By Southwest and BSides Austin and gives a brief rundown on the doings there.

Martin interviews Larry Ponemon about the "Cost of Compliance" study recently published by the Ponemon Institute.

Andy? He's just hanging out with the infant.

Direct download: SFS_Podcast_-_Episode_47.mp3
Category:general -- posted at: 8:20pm EST