Cloud Security, Configuration management, Attack simulation

SCW #7

November 19, 2019


Verizon finds payment security declines for 2nd consecutive year, Is My PCI Compliance Good Enough to Serve as a Network Cybersecurity Audit?, Getting Prepared for New York’s Expanded Security Breach and Data Security Requirements, Virginia Builds New Model for Quantifying Cybersecurity Risk, Five Cyber Program Elements Financial Services Firms Must Cover To Stay Compliant, and more!

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

CCPA, GDPR, Uber, PCI, and You Can’t Find Me!

Jeff’s Stories

  1. Verizon finds payment security declines for 2nd consecutive year
  2. Is My PCI Compliance Good Enough to Serve as a Network Cybersecurity Audit?
  3. Getting Prepared for New York’s Expanded Security Breach and Data Security Requirements
  4. Virginia Builds New Model for Quantifying Cybersecurity Risk
  5. Five Cyber Program Elements Financial Services Firms Must Cover To Stay Compliant

Matt’s Stories

  1. Enterprise Risk 2020: Are We Ready for Security 4.0?
  2. Where the CCPA and GDPR Overlap and Diverge

Josh’s Stories

  1. Compliant Cannabis Banking
  2. Are Uber Drivers employees? NJ says yes! Pay Taxes!!!
  3. AI to help with M&A? We need people involved, why?
  4. You can’t fine me!! I’m not playing!
  5. SSN’s need to be protected, right guys?

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Josh Marpet

Josh Marpet – COO

Matt Alderman

Matt Alderman – CEO

Scott Lyons

Scott Lyons – CEO

Guests

Announcements

  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will receive 1 CPE credit per webcast! Register for one of our upcoming webcasts with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand

On SCW this week, we talk about the 2019 Verizon Payment Security Report. We discuss why PCI compliance is decreasing, what’s missing, and what needs to change.

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

2019 Verizon Payment Security Report

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Josh Marpet

Josh Marpet – COO

Matt Alderman

Matt Alderman – CEO

Scott Lyons

Scott Lyons – CEO

Guests

Announcements

  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will receive 1 CPE credit per webcast! Register for one of our upcoming webcasts with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand



Cloud has and continues to disrupt many traditional business processes, activities and IT paradigms. Compliance will also be revolutionized by cloud computing. In this session we will dive into many of the headaches and pain points traditionally associated with compliance, explaining how leveraging cloud can improve both compliance and security.

Segment Resources:

https://acloudguru.com/blog/business/compliance-is-cumbersome-but-cloud-can-help

https://www.mediaopsevents.com/devopsconnect

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Compliance Innovations in the Cloud, Part 1

Guests

Chris Hughes

Chris Hughes – Principal Cybersecurity Engineer at Rise8

@ResilientCyber

Chris has nearly 15 years of IT/Cybersecurity experience, ranging from active-duty time with the U.S. Air Force and civil service with the U.S. Navy and the General Services Administration (GSA)/FedRAMP to time as a consultant in the private sector.

In addition, he is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. Chris also participates in industry working groups such as the Cloud Security Alliance’s Incident Response Working Group and serves as the Membership Chair for Cloud Security Alliance D.C. Chris also co-hosts the Resilient Cyber Podcast.

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Liam Downward

Liam Downward – CEO at CYRISMA

Liam started his career in 1998 in Dublin, Ireland; each year brought new challenges, and through them his passion for information security grew. In 2018, he saw that cyber security was becoming more complex and that organizations would rather ignore risks because their budgets could not afford solutions to protect their data, and CYRISMA was born.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Our next live webcast will be on April 29th at 11am ET where you will learn how to prepare for & prevent modern ransomware attacks! Our next technical training will be on May 6th at 11am ET. This technical training webcast will explore common misconfigurations of NGINX, the damage they could do, and how to avoid them. Also join us May 13th at 11am ET for a technical training with Thycotic to see how attackers gain access to endpoints and learn defensive strategies to protect against those attacks. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand



Cloud has and continues to disrupt many traditional business processes, activities and IT paradigms. Compliance will also be revolutionized by cloud computing. In this session we will dive into many of the headaches and pain points traditionally associated with compliance, explaining how leveraging cloud can improve both compliance and security.

Segment Resources:

https://acloudguru.com/blog/business/compliance-is-cumbersome-but-cloud-can-help

https://www.mediaopsevents.com/devopsconnect

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Compliance Innovations in the Cloud, Part 2

Guests

Chris Hughes

Chris Hughes – Principal Cybersecurity Engineer at Rise8

@ResilientCyber

Chris has nearly 15 years of IT/Cybersecurity experience, ranging from active-duty time with the U.S. Air Force and civil service with the U.S. Navy and the General Services Administration (GSA)/FedRAMP to time as a consultant in the private sector.

In addition, he is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. Chris also participates in industry working groups such as the Cloud Security Alliance’s Incident Response Working Group and serves as the Membership Chair for Cloud Security Alliance D.C. Chris also co-hosts the Resilient Cyber Podcast.

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Liam Downward

Liam Downward – CEO at CYRISMA

Liam started his career in 1998 in Dublin, Ireland; each year brought new challenges, and through them his passion for information security grew. In 2018, he saw that cyber security was becoming more complex and that organizations would rather ignore risks because their budgets could not afford solutions to protect their data, and CYRISMA was born.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!



Richard Struse, Director of The Center for Threat-Informed Defense from MITRE Engenuity joins the SCW crew for a two part interview!

- What is threat-informed defense and how does it relate to other aspects of cybersecurity?
- The importance of ATT&CK as a lens through which you can view your security posture.
- Center for Threat-Informed Defense R&D products aimed at helping defenders better assess the efficacy of the controls they have in place.

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

ATT&CK & CTID, Part 1

https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings

Guests

Richard Struse

Richard Struse – Director, The Center for Threat-Informed Defense at MITRE Engenuity

Richard Struse is the founding director of The Center for Threat-Informed Defense, a collaborative public interest R&D initiative of MITRE Engenuity. Prior to co-founding the Center, he served as the Chief Strategist for Cyber Threat Intelligence at MITRE. In 2018, Mr. Struse was elected to serve on the board of directors of OASIS, a not-for-profit international standards and open-source organization where he also is the co-chair of the Cyber Threat Intelligence Technical Committee.

Previously, Mr. Struse served as the Chief Advanced Technology Officer for the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) where he was responsible for technology vision, strategy and implementation. Mr. Struse is the creator of the STIX and TAXII automated information sharing initiatives which have been widely adopted across the public and private sectors. In October 2014, Secretary of Homeland Security Jeh Johnson presented Mr. Struse with one of the department’s highest honors, the Secretary’s Award for Excellence, in recognition of his pioneering work on STIX and TAXII. Federal Computer Week recognized Mr. Struse as one of the “Federal 100” in recognition of his leadership role in the development of cyber threat intelligence technology standards.

Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, where he was responsible for the architecture, design and development of a high-performance, extreme high-reliability communications software platform that is in use in telecommunications systems around the world. He began his technical career at Bell Laboratories.

Hosts

Fredrick

Fredrick “Flee” Lee – CSO at Gusto

@fredrickl

Fredrick “Flee” Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Lee spent more than 15 years leading global information security and privacy efforts at large financial services companies and technology startups, most recently as Square’s Head of Information Security. He previously held senior security and privacy roles at Bank of America, NetSuite and Twilio. Lee was born and raised in Mississippi and holds a bachelor’s degree in computer engineering from the University of Oklahoma.

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Security Weekly listeners save $100 on their RSA Conference 2021 All Access Pass! RSA Conference will be a fully virtual experience from May 17th-20th, 2021. Security Weekly will be live streaming Monday-Thursday in the virtual broadcast alley, interviewing some of the top sponsors and speakers for the event. To register using our discount code, please visit https://securityweekly.com/rsac2021 and use the code 5U1CYBER! We hope to “see” you there!

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!



Richard Struse, Director of The Center for Threat-Informed Defense from MITRE Engenuity joins the SCW crew for a two part interview!

- What is threat-informed defense and how does it relate to other aspects of cybersecurity?
- The importance of ATT&CK as a lens through which you can view your security posture.
- Center for Threat-Informed Defense R&D products aimed at helping defenders better assess the efficacy of the controls they have in place.

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

ATT&CK and CTID, Part 2

https://github.com/MrJeffMan/Mapping-MITREATT-CK-to-PCIDSS

Guests

Richard Struse

Richard Struse – Director, The Center for Threat-Informed Defense at MITRE Engenuity

Richard Struse is the founding director of The Center for Threat-Informed Defense, a collaborative public interest R&D initiative of MITRE Engenuity. Prior to co-founding the Center, he served as the Chief Strategist for Cyber Threat Intelligence at MITRE. In 2018, Mr. Struse was elected to serve on the board of directors of OASIS, a not-for-profit international standards and open-source organization where he also is the co-chair of the Cyber Threat Intelligence Technical Committee.

Previously, Mr. Struse served as the Chief Advanced Technology Officer for the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) where he was responsible for technology vision, strategy and implementation. Mr. Struse is the creator of the STIX and TAXII automated information sharing initiatives which have been widely adopted across the public and private sectors. In October 2014, Secretary of Homeland Security Jeh Johnson presented Mr. Struse with one of the department’s highest honors, the Secretary’s Award for Excellence, in recognition of his pioneering work on STIX and TAXII. Federal Computer Week recognized Mr. Struse as one of the “Federal 100” in recognition of his leadership role in the development of cyber threat intelligence technology standards.

Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, where he was responsible for the architecture, design and development of a high-performance, extreme high-reliability communications software platform that is in use in telecommunications systems around the world. He began his technical career at Bell Laboratories.

Hosts

Fredrick

Fredrick “Flee” Lee – CSO at Gusto

@fredrickl

Fredrick “Flee” Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Lee spent more than 15 years leading global information security and privacy efforts at large financial services companies and technology startups, most recently as Square’s Head of Information Security. He previously held senior security and privacy roles at Bank of America, NetSuite and Twilio. Lee was born and raised in Mississippi and holds a bachelor’s degree in computer engineering from the University of Oklahoma.

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Our next live webcast will be on April 29th at 11am ET where you will learn how to prepare for & prevent modern ransomware attacks! Our next technical training will be on May 6th at 11am ET. This technical training webcast will explore common misconfigurations of NGINX, the damage they could do, and how to avoid them. Also join us May 13th at 11am ET for a technical training with Thycotic to see how attackers gain access to endpoints and learn defensive strategies to protect against those attacks. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand



Just last month, Virginia became the second state in the U.S. to pass a privacy law – the Consumer Data Protection Act (CDPA). While this doesn’t take effect until 2023, it’s important for businesses to understand what it means for them and start preparing for data security compliance now. Chris Pin, VP of Security and Privacy at PKWARE, will be discussing:

• How Virginia’s law differs from CCPA and GDPR and the key points companies need to know
• Where and how companies may need to enhance their data privacy policies and processes, and specifically how it’s imperative to know the five W’s of data (Who, What, Why, When, Where) and one H (How)
• How companies should begin incorporating data discovery, data classification, data minimization, records of data processing activities, and data protection assessments as part of their everyday processes and controls, if they haven’t already
• Real life situations that businesses could find themselves in

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Data Security Compliance & Virginia’s New Privacy Law, Part 1

Guests

Chris Pin

Chris Pin – VP, Privacy and Security at PKWARE

Chris Pin serves as PKWARE’s VP, Security and Privacy. In this role, Chris drives value and awareness for all PKWARE customers regarding the various challenges that both privacy and security regulations bring to the data-driven world. He works closely with all customers and potential customers to help them better understand how PKWARE solutions best fit into their environments and processes. He also works very closely with many other departments such as Sales, Marketing, Partners, and Product to help build brand awareness and product insights.

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Security Weekly listeners save $100 on their RSA Conference 2021 All Access Pass! RSA Conference will be a fully virtual experience from May 17th-20th, 2021. Security Weekly will be live streaming Monday-Thursday in the virtual broadcast alley, interviewing some of the top sponsors and speakers for the event. To register using our discount code, please visit https://securityweekly.com/rsac2021 and use the code 5U1CYBER! We hope to “see” you there!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!



Just last month, Virginia became the second state in the U.S. to pass a privacy law – the Consumer Data Protection Act (CDPA). While this doesn’t take effect until 2023, it’s important for businesses to understand what it means for them and start preparing for data security compliance now. Chris Pin, VP of Security and Privacy at PKWARE, will be discussing:

• How Virginia’s law differs from CCPA and GDPR and the key points companies need to know
• Where and how companies may need to enhance their data privacy policies and processes, and specifically how it’s imperative to know the five W’s of data (Who, What, Why, When, Where) and one H (How)
• How companies should begin incorporating data discovery, data classification, data minimization, records of data processing activities, and data protection assessments as part of their everyday processes and controls, if they haven’t already
• Real life situations that businesses could find themselves in

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Data Security Compliance & Virginia’s New Privacy Law, Part 2

Guests

Chris Pin

Chris Pin – VP, Privacy and Security at PKWARE

Chris Pin serves as PKWARE’s VP, Security and Privacy. In this role, Chris drives value and awareness for all PKWARE customers regarding the various challenges that both privacy and security regulations bring to the data-driven world. He works closely with all customers and potential customers to help them better understand how PKWARE solutions best fit into their environments and processes. He also works very closely with many other departments such as Sales, Marketing, Partners, and Product to help build brand awareness and product insights.

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Our next technical training will be on May 6th at 11am ET exploring common misconfigurations of NGINX, the damage they could do, and how to avoid them! Next up, see how attackers gain access to endpoints and learn defensive strategies to protect against those attacks in our May 13th technical training also at 11am ET! Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand



A flurry of legislative and legal activity is re-shaping the way privacy and cybersecurity professionals conduct business. As a result, in addition to actually carrying out their protection responsibilities, professionals charged with protecting private and confidential data must also be constantly aware of these evolving regulatory and legal obligations.

Segment Resources:
https://www.otterbourg.com/assets/htmldocuments/Protecting%20Privilege%20in%20Cyberspace%20New%20York%20State%20Bar%20Association%20Erik%20Weinick%20March%202021.pdf

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Hot Legal Topics in Privacy and Cybersecurity, Part 1

Guests

Erik Weinick

Erik Weinick – Partner at Otterbourg PC

Erik B. Weinick is a graduate of Cornell University and Cornell Law School, and is a co-founder of the Privacy & Cybersecurity Practice at Otterbourg P.C., a Manhattan-based law firm, where he is a partner. In addition to his work on privacy and cybersecurity matters, Erik is a member of Otterbourg’s bankruptcy and litigation departments. Admitted to practice in both New York and Florida, Erik has represented a wide array of commercial and financial firms, entrepreneurs, individuals, as well as domestic and foreign governmental agencies, before regulators, state and federal courts, and alternative dispute resolution tribunals. He is a certified CIPP-US privacy professional, a member of the Advisory Board of Agnes Intelligence, Inc., an artificial intelligence technology firm, and is a prolific writer and speaker on issues relating to privacy and cybersecurity.

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Priya Chaudhry

Priya Chaudhry – Jedi Warrior Princess at ChaudhryLaw PLLC

@Chaudhrylaw

Criminal Defense Trial Lawyer

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Security Weekly listeners save $100 on their RSA Conference 2021 All Access Pass! RSA Conference will be a fully virtual experience from May 17th-20th, 2021. Security Weekly will be live streaming Monday-Thursday in the virtual broadcast alley, interviewing some of the top sponsors and speakers for the event. To register using our discount code, please visit https://securityweekly.com/rsac2021 and use the code 5U1CYBER! We hope to “see” you there!

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!



A flurry of legislative and legal activity is re-shaping the way privacy and cybersecurity professionals conduct business. As a result, in addition to actually carrying out their protection responsibilities, professionals charged with protecting private and confidential data must also be constantly aware of these evolving regulatory and legal obligations.

Segment Resources:
https://www.otterbourg.com/assets/htmldocuments/Protecting%20Privilege%20in%20Cyberspace%20New%20York%20State%20Bar%20Association%20Erik%20Weinick%20March%202021.pdf

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Hot Legal Topics in Privacy and Cybersecurity, Part 2

Guests

Erik Weinick

Erik Weinick – Partner at Otterbourg PC

Erik B. Weinick is a graduate of Cornell University and Cornell Law School, and is a co-founder of the Privacy & Cybersecurity Practice at Otterbourg P.C., a Manhattan-based law firm, where he is a partner. In addition to his work on privacy and cybersecurity matters, Erik is a member of Otterbourg’s bankruptcy and litigation departments. Admitted to practice in both New York and Florida, Erik has represented a wide array of commercial and financial firms, entrepreneurs, individuals, as well as domestic and foreign governmental agencies, before regulators, state and federal courts, and alternative dispute resolution tribunals. He is a certified CIPP-US privacy professional, a member of the Advisory Board of Agnes Intelligence, Inc., an artificial intelligence technology firm, and is a prolific writer and speaker on issues relating to privacy and cybersecurity.

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Priya Chaudhry

Priya Chaudhry – Jedi Warrior Princess at ChaudhryLaw PLLC

@Chaudhrylaw

Criminal Defense Trial Lawyer

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • In our next technical training webcast on May 13th at 11am ET, see how attackers gain access to endpoints, and learn how to use defensive strategies to protect against those attacks! In our May 27th webcast at 11am ET, we’ll explore the latest attacks against DNS and the latest techniques that make it possible to discover and disrupt attacks. Then join our webcast on June 3 to learn about pen testing tools and why every organization should be using them regularly. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand



What is SBOM?
Who needs to think about this?
Is this required today, and what might the future of compliance look like?
What is in the recent EO?

Segment Resources:

ntia.gov/SBOM

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

SBOM, Part 1

Guests

Allan Friedman

Allan Friedman – Director of Cybersecurity Initiatives at NTIA (National Telecommunication and Information Administration) US Dept of Commerce

@allanfriedman

Dr. Allan Friedman is Director of Cybersecurity at the National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA’s multi-stakeholder processes on cybersecurity, convening cross-sector working groups with a focus on resilience in a vulnerable ecosystem. This has included pioneering government engagement on coordinated vulnerability disclosure, IoT security, and software component transparency. Prior to joining the Federal government, Friedman spent over 15 years as a noted cybersecurity and tech policy scholar at Harvard’s Computer Science Department, the Brookings Institution and George Washington University’s Engineering School. He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a degree in computer science from Swarthmore College and a PhD in public policy from Harvard University.

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Liam Downward

Liam Downward – CEO at CYRISMA

Liam started his career in 1998 in Dublin, Ireland, and each year brought new challenges through which his passion for Information Security grew. In 2018, he saw that Cyber Security was becoming more complex and that organizations would rather ignore risks because their budgets could not afford solutions to protect their data, and CYRISMA was born.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!



What is SBOM?
Who needs to think about this?
Is this required today, and what might the future of compliance look like?
What is in the recent EO?

Segment Resources:

ntia.gov/SBOM

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

SBOM, Part 2

Guests

Allan Friedman

Allan Friedman – Director of Cybersecurity Initiatives at NTIA (National Telecommunications and Information Administration), US Dept of Commerce

@allanfriedman

Dr. Allan Friedman is Director of Cybersecurity at the National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA’s multi-stakeholder processes on cybersecurity, convening cross-sector working groups with a focus on resilience in a vulnerable ecosystem. This has included pioneering government engagement on coordinated vulnerability disclosure, IoT security, and software component transparency. Prior to joining the Federal government, Friedman spent over 15 years as a noted cybersecurity and tech policy scholar at Harvard’s Computer Science Department, the Brookings Institution and George Washington University’s Engineering School. He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a degree in computer science from Swarthmore College and a PhD in public policy from Harvard University.

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Liam Downward

Liam Downward – CEO at CYRISMA

Liam started his career in 1998 in Dublin, Ireland, and each year brought new challenges through which his passion for Information Security grew. In 2018, he saw that Cyber Security was becoming more complex and that organizations would rather ignore risks because their budgets could not afford solutions to protect their data, and CYRISMA was born.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • In our May 27th webcast at 11am ET, we’ll explore the latest attacks against DNS and the latest techniques that make it possible to discover and disrupt attacks. In our June 3 webcast at 11am ET, you will learn about pen testing tools and why every organization should be using them regularly. Then join us June 10 at 11am ET for our webcast on insider risk to learn how to quickly mitigate data exposure risks. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand



Doing business with the Federal government has always had its share of requirements and regulations, especially when it comes to storing, processing, or transmitting any sensitive data. In fact, organizations doing business with the Federal government involving sensitive data are well acquainted with the cybersecurity controls they must implement based on controls from well-known frameworks such as the National Institute of Standards and Technology (NIST) Special Publication 800-53 (NIST SP 800-53) and NIST SP 800-171. However, in the last several years these controls (and the method by which organizations must demonstrate compliance) have drastically changed, culminating in the Cybersecurity Maturity Model Certification (CMMC) Framework.

Segment Resources:
Official DoD Acquisition Site for CMMC Program Info: https://www.acq.osd.mil/cmmc/

Official Site of the CMMC Program: https://cmmcab.org/

Official NIST Site for publications such as 800-53, 800-171: https://csrc.nist.gov/publications

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

CMMC Program and the DIB Preparation, Part 1

Guests

Doug Landoll

Doug Landoll – CEO at Lantego

@DougLandoll

Douglas Landoll has over three decades of information security experience. He has led security risk assessments and established security programs for top corporations and government agencies. He is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs and the author of three cybersecurity books.

His background includes evaluating cybersecurity at the National Security Agency (NSA), North Atlantic Treaty Organization (NATO), Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI), and other government agencies; co-founding the Arca Common Criteria Testing Laboratory; co-authoring the Systems Security Engineering Capability Maturity Model (SSE-CMM); teaching at NSA’s National Cryptologic School; and speaking at national and international cybersecurity conferences.

Doug has founded or directed four information security firms including the southwest security services at Exodus Communications, Veridyn (sold to EnPointe Technologies), the Risk and Compliance Management division at Accuvant (now Optiv) and Lantego. Doug is currently the CEO of Lantego, specializing in risk assessment, policy development, and training. He is a CISSP. He holds a BS degree from James Madison University and an MBA from the University of Texas at Austin.

In his 30+ years in the industry he has performed over 100 cybersecurity risk assessments, written policies for scores of organizations, and instructed over 2500 CISSP and CISA candidates. Doug Landoll is a dynamic speaker, perceptive author, and information security expert who always brings a unique mix of business strategy, keen insight, and technical know-how to current cybersecurity topics.

Hosts

Fredrick

Fredrick “Flee” Lee – CSO at Gusto

@fredrickl

Fredrick “Flee” Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Lee spent more than 15 years leading global information security and privacy efforts at large financial services companies and technology startups, most recently as Square’s Head of Information Security. He previously held senior security and privacy roles at Bank of America, NetSuite and Twilio. Lee was born and raised in Mississippi and holds a bachelor’s degree in computer engineering from the University of Oklahoma.

Josh Marpet

Josh Marpet – Executive Director at RM-ISAO

@quadling

Executive Director, RM-ISAO
Co-founder, MJM Growth
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • Security Weekly is ecstatic to announce that Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Call for presentations & early registration for Security Weekly listeners is open now! Visit securityweekly.com/unlocked to submit your presentation & register for the early registration price before it expires!



Doing business with the Federal government has always had its share of requirements and regulations, especially when it comes to storing, processing, or transmitting any sensitive data. In fact, organizations doing business with the Federal government involving sensitive data are well acquainted with the cybersecurity controls they must implement based on controls from well-known frameworks such as the National Institute of Standards and Technology (NIST) Special Publication 800-53 (NIST SP 800-53) and NIST SP 800-171. However, in the last several years these controls (and the method by which organizations must demonstrate compliance) have drastically changed, culminating in the Cybersecurity Maturity Model Certification (CMMC) Framework.

Segment Resources:
Official DoD Acquisition Site for CMMC Program Info: https://www.acq.osd.mil/cmmc/

Official Site of the CMMC Program: https://cmmcab.org/

Official NIST Site for publications such as 800-53, 800-171: https://csrc.nist.gov/publications

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

CMMC Program and the DIB Preparation, Part 2

Guests

Doug Landoll

Doug Landoll – CEO at Lantego

@DougLandoll

Douglas Landoll has over three decades of information security experience. He has led security risk assessments and established security programs for top corporations and government agencies. He is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs and the author of three cybersecurity books.

His background includes evaluating cybersecurity at the National Security Agency (NSA), North Atlantic Treaty Organization (NATO), Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI), and other government agencies; co-founding the Arca Common Criteria Testing Laboratory; co-authoring the Systems Security Engineering Capability Maturity Model (SSE-CMM); teaching at NSA’s National Cryptologic School; and speaking at national and international cybersecurity conferences.

Doug has founded or directed four information security firms including the southwest security services at Exodus Communications, Veridyn (sold to EnPointe Technologies), the Risk and Compliance Management division at Accuvant (now Optiv) and Lantego. Doug is currently the CEO of Lantego, specializing in risk assessment, policy development, and training. He is a CISSP. He holds a BS degree from James Madison University and an MBA from the University of Texas at Austin.

In his 30+ years in the industry he has performed over 100 cybersecurity risk assessments, written policies for scores of organizations, and instructed over 2500 CISSP and CISA candidates. Doug Landoll is a dynamic speaker, perceptive author, and information security expert who always brings a unique mix of business strategy, keen insight, and technical know-how to current cybersecurity topics.

Hosts

Fredrick

Fredrick “Flee” Lee – CSO at Gusto

@fredrickl

Fredrick “Flee” Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Lee spent more than 15 years leading global information security and privacy efforts at large financial services companies and technology startups, most recently as Square’s Head of Information Security. He previously held senior security and privacy roles at Bank of America, NetSuite and Twilio. Lee was born and raised in Mississippi and holds a bachelor’s degree in computer engineering from the University of Oklahoma.

Josh Marpet

Josh Marpet – Executive Director at RM-ISAO

@quadling

Executive Director, RM-ISAO
Co-founder, MJM Growth
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Join us on June 10 at 11am ET for our technical training on insider risk to learn how to quickly mitigate data exposure risks. Then join us June 24 at 11 AM ET to learn how web application firewalls can help mitigate exposure in a complex threat landscape. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand



Join this segment with Danny Akacki to learn about educating both practitioners and executives on security topics of the day and helping to build community initiatives like trust groups and community groups like local DEF CON chapters. Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Security Training, Evangelism, & Community Building, Part 1

Guests

Danny Akacki

Danny Akacki – Security Advocate at Splunk

@dakacki

Who am I? I’m just a storyteller perpetually looking for a stage. I love nothing more than being able to attend conferences, give talks, write blogs, and find new ways to reach as many people as I can to educate about security. For me, there is no greater satisfaction than community building.

I’ve been fortunate enough to spend my career in Defense, learning from some of the best in the business including teams at Mandiant, GE Capital, & most recently as a Security Advocate with Splunk. I love what I do and the people I get to do it with.

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – Executive Director at RM-ISAO

@quadling

Executive Director, RM-ISAO
Co-founder, MJM Growth
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Kat Valentine

Kat Valentine – Compliance Free Agent (Consultant) at Osmosis Security

@kjvalentine

Getting her start with phones and computers at the early age of 6, Kat decided to put fear of success and failure aside to start Osmosis Security, a boutique security firm that supported her vision of what the professional hacker community should be focused on. Kat had humble beginnings and started her career working technical support for a local dial-up ISP in 1998. Since then, Kat has worked in many different roles, from network voice engineer and vulnerability researcher to auditor, and is responsible for the secure and compliant design of several well-known cloud providers, payment providers, security platforms and end user applications, including the first compliance automation platform.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Security Weekly is ecstatic to announce that Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Call for presentations & early registration for Security Weekly listeners is open now! Visit securityweekly.com/unlocked to submit your presentation & register for the early registration price before it expires!

  • Join us June 24 at 11 AM ET to learn how web application firewalls can help mitigate exposure in a complex threat landscape. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand



Join this segment with Danny Akacki to learn about educating both practitioners and executives on security topics of the day and helping to build community initiatives like trust groups and community groups like local DEF CON chapters. Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Security Training, Evangelism, & Community Building, Part 2

Guests

Danny Akacki

Danny Akacki – Security Advocate at Splunk

@dakacki

Who am I? I’m just a storyteller perpetually looking for a stage. I love nothing more than being able to attend conferences, give talks, write blogs, and find new ways to reach as many people as I can to educate about security. For me, there is no greater satisfaction than community building.

I’ve been fortunate enough to spend my career in Defense, learning from some of the best in the business including teams at Mandiant, GE Capital, & most recently as a Security Advocate with Splunk. I love what I do and the people I get to do it with.

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – Executive Director at RM-ISAO

@quadling

Executive Director, RM-ISAO
Co-founder, MJM Growth
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Kat Valentine

Kat Valentine – Compliance Free Agent (Consultant) at Osmosis Security

@kjvalentine

Getting her start with phones and computers at the early age of 6, Kat decided to put fear of success and failure aside to start Osmosis Security, a boutique security firm that supported her vision of what the professional hacker community should be focused on. Kat had humble beginnings and started her career working technical support for a local dial-up ISP in 1998. Since then, Kat has worked in many different roles, from network voice engineer and vulnerability researcher to auditor, and is responsible for the secure and compliant design of several well-known cloud providers, payment providers, security platforms and end user applications, including the first compliance automation platform.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!



Join Dr. Casey Marks’ discussion of the merits of cybersecurity certification and learn whether and how it provides training or proves experience or both, the pros and cons, how to start or approach getting certified, and more. Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Value & Importance of Cybersecurity Certification for Professionals, Part 1

Guests

Casey Marks

Casey Marks – Chief Product Officer and Vice President at (ISC)2

Casey’s responsibilities are inclusive of (ISC)² product vision, strategy, design, development and delivery. He serves as the lead executive developing psychometrically sound and legally defensible information security certifications that advance the mission and vision of (ISC)².

With 20 years of experience in large-scale assessment, Casey has published and presented extensively. He is recognized as an expert on issues related to adoption and vendor transition of Computer-Based-Testing for high-stakes, large-scale testing programs, international program expansion and examination security.

Casey served as an invited expert for the International Organization for Standardization (ISO) Working Group for the Revision of ISO/IEC 17024 and is a past president of the Association of Test Publishers (ATP).

Casey holds a B.S. degree from the University of Illinois and a PhD in Measurement, Evaluation and Statistical Analysis from the University of Chicago. He is a Certified Association Executive (CAE).

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – Executive Director at RM-ISAO

@quadling

Executive Director, RM-ISAO
Co-founder, MJM Growth
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Security Weekly is ecstatic to announce that Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Call for presentations & early registration for Security Weekly listeners is open now! Visit securityweekly.com/unlocked to submit your presentation & register for the early registration price before it expires!



Join Dr. Casey Marks’ discussion of the merits of cybersecurity certification and learn whether and how it provides training or proves experience or both, the pros and cons, how to start or approach getting certified, and more. Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Value & Importance of Cybersecurity Certification for Professionals, Part 2

Guests

Casey Marks

Casey Marks – Chief Product Officer and Vice President at (ISC)2

Casey’s responsibilities are inclusive of (ISC)² product vision, strategy, design, development and delivery. He serves as the lead executive developing psychometrically sound and legally defensible information security certifications that advance the mission and vision of (ISC)².

With 20 years of experience in large-scale assessment, Casey has published and presented extensively. He is recognized as an expert on issues related to adoption and vendor transition of Computer-Based-Testing for high-stakes, large-scale testing programs, international program expansion and examination security.

Casey served as an invited expert for the International Organization for Standardization (ISO) Working Group for the Revision of ISO/IEC 17024 and is a past president of the Association of Test Publishers (ATP).

Casey holds a B.S. degree from the University of Illinois and a PhD in Measurement, Evaluation and Statistical Analysis from the University of Chicago. He is a Certified Association Executive (CAE).

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – Executive Director at RM-ISAO

@quadling

Executive Director, RM-ISAO
Co-founder, MJM Growth
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • Join us June 24 at 11 AM ET to learn how web application firewalls can help mitigate exposure in a complex threat landscape. In our July 14th democast at 11 AM ET, learn how to reveal and protect your entire attack surface. Then join us July 15 at 11 AM ET to learn how a thoughtful approach to SASE can improve security and enable scalability. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand



We will review how synthetic identities are being used to perpetrate pandemic-related frauds in the Payroll Protection Program and Unemployment Insurance. We will give an overview of the government programs, the controls that were in place, how they were compromised and by whom, and what you can do to remediate risk. Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

CARES Act Fraud, Paying People & Fraudsters, Part 1

Guests

Steve Lenderman

Steve Lenderman – Director, Strategic Fraud Prevention at ADP

Steve Lenderman has been working in the financial crimes sector for over 20 years and is currently with ADP as the Director, Strategic Fraud Prevention in the Global Security Organization. At ADP, Lenderman oversees fraud prevention for all lines of business, including payroll for 6 in 10 Americans and nearly 80% of the Fortune 500.

Prior to ADP, he was the Fraud Operations Lead for PayPal Business Loans, where he was responsible for managing fraud detection, investigations and mitigation. Lenderman has spent time with Barclaycard US, where he oversaw major investigations, internal investigations, bust outs / credit abuse, and FinCEN reporting including SARs and 314(a) & (b) compliance. Lenderman was involved in counterfeit card defense and the implementation of chip cards and Apple Pay in the US market.

Additionally, Lenderman has been heavily involved in investigating and identifying synthetic identities and entities. Lenderman is considered an industry expert and serves as the Co-Chair of the Bust Out Synthetic Identity (BOSI) working group. He is the Vice President of the IAFCI Delaware Valley Chapter and is involved with the National Cyber-Forensics & Training Alliance (NCFTA), Innovative Payment Alliance (IPA) and the Payroll Fraud Prevention Group (PFPG).

Lenderman was also employed with First USA, Bank One and Chase, working in various fraud roles. He is a graduate of the University of Delaware with a degree in Criminal Justice and is a regular speaker at numerous fraud conferences, law enforcement trainings and community outreach programs.

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – Executive Director at RM-ISAO

@quadling

Executive Director, RM-ISAO
Co-founder, MJM Growth
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Liam Downward

Liam Downward – CEO at CYRISMA

Liam started his career in 1998 in Dublin, Ireland, and each year brought new challenges through which his passion for Information Security grew. In 2018, he saw that Cyber Security was becoming more complex and that organizations would rather ignore risks because their budgets could not afford solutions to protect their data, and CYRISMA was born.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Our Call For Presentations Deadline has been extended through July 5th at 11:59 pm ET! Visit securityweekly.com/unlocked to submit your presentation!

  • In our July 14th democast at 11 AM ET, learn how to reveal and protect your entire attack surface. Then join us July 15 at 11 AM ET to learn how a thoughtful approach to SASE can improve security and enable scalability. Finally, in our July 22nd technical training at 11 AM ET, learn how Guided-SaaS NDR Enables Rapid Response. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand



We will review how synthetic identities are being used to perpetrate pandemic-related frauds in the Payroll Protection Program and Unemployment Insurance. We will give an overview of the government programs, the controls that were in place, how they were compromised and by whom, and what you can do to remediate risk. Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

CARES Act Fraud, Paying People & Fraudsters, Part 2

Guests

Steve Lenderman

Steve Lenderman – Director, Strategic Fraud Prevention at ADP

Steve Lenderman has been working in the financial crimes sector for over 20 years and is currently with ADP as the Director, Strategic Fraud Prevention in the Global Security Organization. At ADP, Lenderman oversees fraud prevention for all lines of business, including payroll for 6 in 10 Americans and nearly 80% of the Fortune 500.

Prior to ADP, he was the Fraud Operations Lead for PayPal Business Loans, where he was responsible for managing fraud detection, investigations and mitigation. Lenderman has spent time with Barclaycard US, where he oversaw major investigations, internal investigations, bust outs / credit abuse, and FinCEN reporting including SARs and 314(a) & (b) compliance. Lenderman was involved in counterfeit card defense and the implementation of chip cards and Apple Pay in the US market.

Additionally, Lenderman has been heavily involved in investigating and identifying synthetic identities and entities. Lenderman is considered an industry expert and serves as the Co-Chair of the Bust Out Synthetic Identity (BOSI) working group. He is the Vice President of the IAFCI Delaware Valley Chapter and is involved with the National Cyber-Forensics & Training Alliance (NCFTA), Innovative Payment Alliance (IPA) and the Payroll Fraud Prevention Group (PFPG).

Lenderman was also employed with First USA, Bank One and Chase, working in various fraud roles. He is a graduate of the University of Delaware with a degree in Criminal Justice and is a regular speaker at numerous fraud conferences, law enforcement trainings and community outreach programs.

Hosts

Jeff Man

Jeff Man – #HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – Executive Director at RM-ISAO

@quadling

Executive Director, RM-ISAO
Co-founder, MJM Growth
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Liam Downward

Liam Downward – CEO at CYRISMA

Liam started his career in 1998 in Dublin, Ireland, and each year brought new challenges; this is where his passion for Information Security grew. In 2018, he saw that Cyber Security was becoming more complex and that organizations would rather ignore risks because their budgets could not afford solutions to protect their data, and CYRISMA was born.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!
