SCW #6 | SC Media

November 15, 2019
Payment Security Compliance Declines – 1 in 3 Companies Make the Grade, URMC Agrees to $3M HIPAA Settlement Over Mobile Device Encryption, How Emerging Technologies Are Disrupting the Banking Compliance Landscape, and much more!

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

Security and Compliance News

Jeff’s Stories

  1. Payment Security Compliance Declines – 1 in 3 Companies Make the Grade. Why does this matter? Or does it matter?
  2. ‘Robust’ security foils cyber attack on Labour Party. Who says we never report on good news – but then it was just a DDoS attack.
  3. Why CFOs Must be Involved in Cybersecurity. #FacePalm that this is the topic of an article. The serious question is, “What is the appropriate place for cybersecurity in an organization?”
  4. The password reuse problem is a ticking time bomb. Love the conclusion: “stop looking at [password management] as a compliance task and start looking at it as a layer of protection.”
  5. URMC Agrees to $3M HIPAA Settlement Over Mobile Device Encryption. Does HIPAA require encryption?

Matt’s Stories

Scott’s Stories

  1. Project Nightingale: Google accesses trove of US patient data

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Josh Marpet

Josh Marpet – COO

Matt Alderman

Matt Alderman – CEO

Scott Lyons

Scott Lyons – CEO

Guests

Announcements

  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will receive 1 CPE credit per webcast! Register for one of our upcoming webcasts with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand

They answer questions like: What is a security program and what is a compliance program? Aren’t they the same thing? What are some differences? Where do they overlap, or how should they work together? Do they compete for the same budget? And more!

Full Episode Show Notes

Building A Security and Compliance Program

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant

Josh Marpet

Josh Marpet – COO

Matt Alderman

Matt Alderman – CEO

Scott Lyons

Scott Lyons – CEO

Guests

Securing an organization means more than just spending money. For those that fall below the “security poverty line,” many other dynamics come into play that make it harder for them to accomplish even the basics. How do we help them rather than scolding them?

Full Episode Show Notes

The Security Poverty Line, Part 1

https://www.cisco.com/c/dam/en/us/products/se/2019/10/Collateral/security-bottom-line-cybersecurity.pdf

https://uk.finance.yahoo.com/news/duo-security-finds-36-uk-070000377.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAEHvedgStYBIt1nOn17s2gkprz1ZSC3HHHGsc2YvlW12HeZSp6mlgRZEt4L9bkq9m__6aDux_azLagypQTl4OJW0FpdPZZbwMREFdwv-XTubG1bZ_FBUG0eoxyc2rzIIrGDI7VjIgXbP6j3IzkXpBvoryExmrWKD45ye_doz-bI9

https://www.404techsupport.com/2017/05/01/security-poverty-line/

Guests

Wendy Nather

Wendy Nather – Head of Advisory CISOs at Duo Security at Cisco

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

Josh Marpet – COO at Red Lion

Kat Valentine

Kat Valentine – Compliance Free Agent (Consultant) at Osmosis Security

Scott Lyons

Scott Lyons – CEO at Red Lion

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Securing an organization means more than just spending money. For those that fall below the “security poverty line,” many other dynamics come into play that make it harder for them to accomplish even the basics. How do we help them rather than scolding them?

Full Episode Show Notes

The Security Poverty Line, Part 2

https://www.cisco.com/c/dam/en/us/products/se/2019/10/Collateral/security-bottom-line-cybersecurity.pdf

https://uk.finance.yahoo.com/news/duo-security-finds-36-uk-070000377.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAEHvedgStYBIt1nOn17s2gkprz1ZSC3HHHGsc2YvlW12HeZSp6mlgRZEt4L9bkq9m__6aDux_azLagypQTl4OJW0FpdPZZbwMREFdwv-XTubG1bZ_FBUG0eoxyc2rzIIrGDI7VjIgXbP6j3IzkXpBvoryExmrWKD45ye_doz-bI9

https://www.404techsupport.com/2017/05/01/security-poverty-line/

Guests

Wendy Nather

Wendy Nather – Head of Advisory CISOs at Duo Security at Cisco

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

Josh Marpet – COO at Red Lion

Kat Valentine

Kat Valentine – Compliance Free Agent (Consultant) at Osmosis Security

Scott Lyons

Scott Lyons – CEO at Red Lion

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • Next Thurs, Feb 4th @ 11am ET, in our first technical training of 2021, you’ll learn how to manage insider risks in the work-from-anywhere world! Register at https://securityweekly.com/webcasts. If you missed any of our 2020 webcasts or technical trainings, they are available at https://securityweekly.com/ondemand

We welcome our resident legal expert and co-host Priya Chaudhry to catch us up on the status of the Supreme Court case concerning the Computer Fraud and Abuse Act (CFAA) and some other legal topics.

Full Episode Show Notes

Update on CFAA

Hosts

Josh Marpet

Josh Marpet – COO at Red Lion

Priya Chaudhry

Priya Chaudhry – Jedi Warrior Princess at ChaudhryLaw PLLC

Scott Lyons

Scott Lyons – CEO at Red Lion

Announcements

  • If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Our co-host, Priya Chaudhry, will enlighten us on several other topics of interest to our community. There might be a mention of SolarWinds, Southwest Airlines, hiQ Labs, and more.

Full Episode Show Notes

Security & Compliance Legal Highlights

Hosts

Josh Marpet

Josh Marpet – COO at Red Lion

Priya Chaudhry

Priya Chaudhry – Jedi Warrior Princess at ChaudhryLaw PLLC

Scott Lyons

Scott Lyons – CEO at Red Lion

Jeff, Flee, & Scott talk to John Threat about his background and what led him to become a hacker.

Full Episode Show Notes

The Journey Of An Inner City Street Hacker, Part 1

Guests

John Threat

John Threat – Hacker at Mediathreat

Hosts

Fredrick “Flee” Lee

Fredrick “Flee” Lee – CSO at Gusto

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

Scott Lyons

Scott Lyons – CEO at Red Lion

The world of hacking and the threat actors who do that sort of thing: what are the implications for computer security in 2021 for persons, corporations, nation states, and maybe even your cat?

Full Episode Show Notes

The Journey Of An Inner City Street Hacker, Part 2

Guests

Chris Cochran

Chris Cochran – Founder and Producer at Hacker Valley Media

John Threat

John Threat – Hacker at Mediathreat

Ronald Eddings

Ronald Eddings – Security Architect & Podcast Host at Hacker Valley Studio

Hosts

Fredrick “Flee” Lee

Fredrick “Flee” Lee – CSO at Gusto

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

Scott Lyons

Scott Lyons – CEO at Red Lion

Announcements

  • Our next live webcast will be on March 18th at 11am ET where you will learn how to Prepare Linux Hosts for Unexpected Threats! Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Nickel Lietzau and Mike Volk have heard that we are not huge fans of cyber insurance on SCW, and they have graciously agreed to subject themselves to our scrutiny. In the first segment we’ll touch on common myths and misconceptions about Cyber Insurance and let Nickel and Mike set us straight.

Full Episode Show Notes

Cyber Insurance: Debunking Myths

Guests

Albert “Nickel” Lietzau, V

Albert “Nickel” Lietzau, V – Account Executive at PSA Insurance & Financial Services

Mike Volk

Mike Volk – VP, Cyber Risk Solutions at PSA Insurance & Financial Services

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

Josh Marpet – COO at Red Lion

Liam Downward

Liam Downward – CEO at CYRISMA

Scott Lyons

Scott Lyons – CEO at Red Lion

Assuming Nickel and Mike survived the first segment, we’re asking them for practical advice in this segment on how to consider and ultimately select the right cyber insurance program for you. We’re looking for the usual suspects, gotchas, and recommended actions.

Suggested reading:

https://www.psafinancial.com/2020/03/covid-19-5-cybersecurity-risks-you-need-to-consider/

https://www.psafinancial.com/2019/06/psa-insurance-financial-services-launches-turnkey-cyber-risk-management-solution-for-smbs/

https://www.psafinancial.com/2018/04/cyber-insurance-your-backstop-in-your-cyber-incident-response/

Full Episode Show Notes

Tips and Advice: Practical Steps When Considering Cyber Insurance

Guests

Albert “Nickel” Lietzau, V

Albert “Nickel” Lietzau, V – Account Executive at PSA Insurance & Financial Services

Mike Volk

Mike Volk – VP, Cyber Risk Solutions at PSA Insurance & Financial Services

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

Josh Marpet – COO at Red Lion

Liam Downward

Liam Downward – CEO at CYRISMA

Scott Lyons

Scott Lyons – CEO at Red Lion

Tyler Robinson

Tyler Robinson – Managing Director of Network Operations at Nisos, Inc

Tyler Shields

Tyler Shields – CMO at JupiterOne

Industrial Control Systems (ICS) and Operational Technology (OT) carry risks and consequences in the real world, such as the health and safety of people, but how those industries handle the potential cybersecurity risks varies greatly depending on the regulation that has been applied. The US Government has declared many different industries to be critical infrastructure, with different levels of prioritization placed on cybersecurity regulation.

Full Episode Show Notes

ICS/OT Regulation

Guests

Jim Gilsinn

Jim Gilsinn – Principal Industrial Consultant at Dragos

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

Josh Marpet – COO at Red Lion

Scott Lyons

Scott Lyons – CEO at Red Lion

Industrial Control Systems (ICS) and Operational Technology (OT) carry risks and consequences in the real world, such as the health and safety of people, but how those industries handle the potential cybersecurity risks varies greatly depending on the regulation that has been applied. The US Government has declared many different industries to be critical infrastructure, with different levels of prioritization placed on cybersecurity regulation.

Full Episode Show Notes

ICS/OT Regulation, Part 2

Guests

Jim Gilsinn

Jim Gilsinn – Principal Industrial Consultant at Dragos

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

Josh Marpet

Josh Marpet – COO at Red Lion

Scott Lyons

Scott Lyons – CEO at Red Lion

We’re letting Priya have the bulk of the time to discuss what’s on her mind in terms of legal implications of security & compliance news and events.

Full Episode Show Notes

Security & Compliance Legal Highlights – Part Deux

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Priya Chaudhry

Priya Chaudhry – Jedi Warrior Princess at ChaudhryLaw PLLC

@Chaudhrylaw

Criminal Defense Trial Lawyer

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

We’re excited to have Priya Chaudhry with us today, so we are going to focus our discussion on news and events with legal implications (or the legal implications of news and events)!

For starters, the U.S. Cyber Command recently held a virtual edition of its 2021 Legal Conference. The annual conference explores current law and policy issues related to offensive and defensive cyberspace operations.

Full Episode Show Notes

Security & Compliance Legal Highlights

https://www.cybercom.mil/Media/News/Article/2526508/us-cyber-command-holds-2021-legal-conference/

Links to the videos can be found here:

https://www.dvidshub.net/tags/video/uscybercomlegalconference2021

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Priya Chaudhry

Priya Chaudhry – Jedi Warrior Princess at ChaudhryLaw PLLC

@Chaudhrylaw

Criminal Defense Trial Lawyer

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

This week, Jeff, Liam Downward, Scott, & Josh talk PCI with Dan DeCloss and Shawn Scott from PlexTrac!

Full Episode Show Notes

PlexTrac Talks PCI, Part 1

Guests

Dan DeCloss

Dan DeCloss – Founder / CEO & President at PlexTrac

@wh33lhouse

Dan has over 15 years of experience in cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications.

Shawn Scott

Shawn Scott – Vice President of Success at PlexTrac

@shawnhscott

Shawn honed his expertise during 23 years of service in the United States Air Force, where he led both kinetic and cyber operations. After retirement from the DoD, he operated an information security consultancy where he developed a profound distaste for manual report writing. After discovering and using PlexTrac to save countless hours, Shawn joined the PlexTrac team in 2019 to help others realize these same benefits.

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Liam Downward

Liam Downward – CEO at CYRISMA

Liam started his career in 1998 in Dublin, Ireland; each year brought new challenges, and with them his passion for Information Security grew. In 2018, he saw that cyber security was becoming more complex and that organizations would rather ignore risks because their budgets could not afford solutions to protect their data, and CYRISMA was born.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

The conversation continues as the PlexTrac team, Dan DeCloss & Shawn Scott, demonstrate how PlexTrac can tackle compliance (among other things)!

Full Episode Show Notes

PlexTrac Talks PCI, Part 2

Guests

Dan DeCloss

Dan DeCloss – Founder / CEO & President at PlexTrac

@wh33lhouse

Dan has over 15 years of experience in cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications.

Shawn Scott

Shawn Scott – Vice President of Success at PlexTrac

@shawnhscott

Shawn honed his expertise during 23 years of service in the United States Air Force, where he led both kinetic and cyber operations. After retirement from the DoD, he operated an information security consultancy where he developed a profound distaste for manual report writing. After discovering and using PlexTrac to save countless hours, Shawn joined the PlexTrac team in 2019 to help others realize these same benefits.

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Liam Downward

Liam Downward – CEO at CYRISMA

Liam started his career in 1998 in Dublin, Ireland; each year brought new challenges, and with them his passion for Information Security grew. In 2018, he saw that cyber security was becoming more complex and that organizations would rather ignore risks because their budgets could not afford solutions to protect their data, and CYRISMA was born.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Our next live webcast will be on April 29th at 11am ET where you will learn how to prepare for modern ransomware attacks! Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

The SCW hosts discuss Rafal Los’ recent blog post “Vulnerability Management is Still a Mess” (https://blogwh1t3rabbit.medium.com/vulnerability-management-is-still-a-mess-27519ffcecc0). In the first segment, we will learn all about Rafal’s cybersecurity background and why vulnerability management has not evolved in line with the technology.

Full Episode Show Notes

Vulnerability Management is Still a Mess – Part 1

Guests

Rafal Los

Rafal Los – Chief Security Strategist at Lightstream Managed Services

@Wh1t3Rabbit

Rafal Los is an industry innovator, strategist, and personality. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Rafal’s strengths include strategic leadership in security products and services – focusing on market strategy, roadmap development and execution, process optimization, and bringing teams together to solve complex problems. Recent achievements include delivering on a company strategy pivot from infrastructure provider to security-as-a-service by rebuilding pre-sales strategy and delivery; implementing significant changes in business process that led to the company’s ability to measure the direct impact of changes on sales and customer lifecycle.

Hosts

Fredrick

Fredrick “Flee” Lee – CSO at Gusto

@fredrickl

Fredrick “Flee” Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Lee spent more than 15 years leading global information security and privacy efforts at large financial services companies and technology startups, most recently as Square’s Head of Information Security. He previously held senior security and privacy roles at Bank of America, NetSuite and Twilio. Lee was born and raised in Mississippi and holds a bachelor’s degree in computer engineering from the University of Oklahoma.

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server, or follow us on our newest live-streaming platform, Twitch!

In the second segment, the SCW hosts will continue the discussion with Raf and hopefully come up with some guidance on what can be done to make vulnerability management work better.

Full Episode Show Notes

Vulnerability Management is Still a Mess – Part 2

Guests

Rafal Los

Rafal Los – Chief Security Strategist at Lightstream Managed Services

@Wh1t3Rabbit

Rafal Los is an industry innovator, strategist, and personality. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Rafal’s strengths include strategic leadership in security products and services – focusing on market strategy, roadmap development and execution, process optimization, and bringing teams together to solve complex problems. Recent achievements include delivering on a company strategy pivot from infrastructure provider to security-as-a-service by rebuilding pre-sales strategy and delivery; implementing significant changes in business process that led to the company’s ability to measure the direct impact of changes on sales and customer lifecycle.

Hosts

Fredrick

Fredrick “Flee” Lee – CSO at Gusto

@fredrickl

Fredrick “Flee” Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Lee spent more than 15 years leading global information security and privacy efforts at large financial services companies and technology startups, most recently as Square’s Head of Information Security. He previously held senior security and privacy roles at Bank of America, NetSuite and Twilio. Lee was born and raised in Mississippi and holds a bachelor’s degree in computer engineering from the University of Oklahoma.

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements




Errol will talk about his experiences with information sharing and building the world’s first Information Sharing & Analysis Center in 1999. Errol brings unique perspective to the table as he was the service provider behind the Financial Services ISAC, then a subscriber and ISAC member for 13 years in the banking and finance sector.

Segment Resources:
Errol’s Testimony Before the House Financial Services Subcommittee

Transcript – https://www.sifma.org/wp-content/uploads/2012/06/WeissCitionbehalfofSIFMAHFSsubchrgcybersecurity20120601.pdf

Video – https://www.c-span.org/video/?306361-1/cyberthreats-us-financial-industry (Errol Weiss – 30:03)

Visit https://www.securityweekly.com/scw for all the latest episodes!
Full Episode Show Notes

Information Sharing – A 360 Degree View, Part 1

Guests

Errol Weiss

Errol Weiss – Chief Security Officer at Health-ISAC

@errolw65

Errol Weiss joined Health Information Sharing & Analysis Center (Health-ISAC) in April 2019 as its first Chief Security Officer. Errol created and staffed Health-ISAC’s Threat Operations Center in Titusville, Florida, providing members with meaningful and actionable threat intelligence relevant for IT and Infosec professionals in the healthcare sector.

Errol has over 25 years of experience in Information Security. He began his career with the National Security Agency (NSA) conducting vulnerability analyses and penetrations of classified government systems and then spent ten years delivering Information Security Services for Fortune-100 companies. Errol is one of four named inventors on the patent for Trusted and Anonymous Information Sharing and was responsible for the creation, implementation and operation of the world’s first ISAC.

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Kat Valentine

Kat Valentine – Compliance Free Agent (Consultant) at Osmosis Security

@kjvalentine

Getting her start with phones and computers at the early age of 6, Kat decided to put fear of success and failure aside to start Osmosis Security, a boutique security firm that supported her vision of what the professional hacker community should be focused on. Kat had humble beginnings and started her career working technical support for a local dial-up ISP in 1998. Since then, Kat worked in many different roles, from network voice engineer, vulnerability researcher to auditor, and is responsible for the secure and compliant design of several well-known cloud providers, payment providers, security platforms and end user applications, including the first compliance automation platform.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!



Errol will talk about his experiences with information sharing and building the world’s first Information Sharing & Analysis Center in 1999. Errol brings unique perspective to the table as he was the service provider behind the Financial Services ISAC, then a subscriber and ISAC member for 13 years in the banking and finance sector.

Segment Resources:
National Council of ISACs – great resource to find out about all the different ISACs
https://www.nationalisacs.org/

ISAOs – https://www.isao.org/information-sharing-groups/

Information Sharing Best Practices Toolkit:
https://h-isac.org/h-isac-information-sharing-best-practices/

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Information Sharing – A 360 Degree View, Part 2

Guests

Errol Weiss

Errol Weiss – Chief Security Officer at Health-ISAC

@errolw65

Errol Weiss joined Health Information Sharing & Analysis Center (Health-ISAC) in April 2019 as its first Chief Security Officer. Errol created and staffed Health-ISAC’s Threat Operations Center in Titusville, Florida, providing members with meaningful and actionable threat intelligence relevant for IT and Infosec professionals in the healthcare sector.

Errol has over 25 years of experience in Information Security. He began his career with the National Security Agency (NSA) conducting vulnerability analyses and penetrations of classified government systems and then spent ten years delivering Information Security Services for Fortune-100 companies. Errol is one of four named inventors on the patent for Trusted and Anonymous Information Sharing and was responsible for the creation, implementation and operation of the world’s first ISAC.

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Kat Valentine

Kat Valentine – Compliance Free Agent (Consultant) at Osmosis Security

@kjvalentine

Getting her start with phones and computers at the early age of 6, Kat decided to put fear of success and failure aside to start Osmosis Security, a boutique security firm that supported her vision of what the professional hacker community should be focused on. Kat had humble beginnings and started her career working technical support for a local dial-up ISP in 1998. Since then, Kat worked in many different roles, from network voice engineer, vulnerability researcher to auditor, and is responsible for the secure and compliant design of several well-known cloud providers, payment providers, security platforms and end user applications, including the first compliance automation platform.

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Our next live webcast will be on April 29th at 11am ET where you will learn how to prepare for modern ransomware attacks! Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand



Today we are going to take a look at security awareness training programs in organizations. We are joined today by Kelley Bray and Stephanie Pratt, who will help facilitate the discussion. We’ll start with the history and evolution of security awareness programs: what has worked, or more precisely what hasn’t worked. We’ll also touch on how most security awareness programs stem from compliance requirements but could be doing so much more.

The “Breaking Security Awareness” webinar:
https://www.livingsecurity.com/webinar-series-from-compliance-to-culture

Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Security Awareness Culture Change, Part 1

Guests

Kelley Bray

Kelley Bray – Director, Client Success & Sr. Security Awareness Strategist at Living Security

For the better part of 10 years, Kelley has built training and awareness programs for the Federal Government, DoD and private sector. After delivering online and in-person training to hundreds of thousands of users worldwide, Kelley has tried all the tools and techniques, learned from valuable mistakes, and had a lot of fun celebrating security program success along the way. Her passion for this topic is fueled in equal parts by the rapidly changing risks that all users must combat, and the amount of technology that her 3 children have access to.

Kelley holds a Bachelor’s Degree from George Mason University and currently serves on the Board of Directors for the National Cybercrime Support Center. In her free time, she enjoys reading, gardening and spending time with her family.

Stephanie Pratt

Stephanie Pratt – Head of Content at Living Security

@stephaniehpratt

Stephanie Pratt is the Senior Security Awareness Content Manager at Living Security. She developed a passion for cybersecurity at Blackbaud where she created the company’s first-ever security awareness program. Her program included a champions program, phishing simulation, a monthly speaker series, and a robust cybersecurity awareness month. She earned her SANS Security Awareness Practitioner, SSAP, certification in July 2019. Before joining Blackbaud, Stephanie worked for more than a decade in broadcast journalism as a TV reporter in Oregon, South Carolina, New Hampshire, and New York. She holds a B.S. from Emerson College.

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Priya Chaudhry

Priya Chaudhry – Jedi Warrior Princess at ChaudhryLaw PLLC

@Chaudhrylaw

Criminal Defense Trial Lawyer

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!



We continue the discussion about the importance of effective security awareness programs and what that would actually look like. We’ll also examine how to move beyond “bare minimum” check-box mentality about meeting security awareness training requirements and imagine building a culture of security aware employees in the organization. Visit https://www.securityweekly.com/scw for all the latest episodes!

Full Episode Show Notes

Security Awareness Culture Change, Part 2

Guests

Kelley Bray

Kelley Bray – Director, Client Success & Sr. Security Awareness Strategist at Living Security

For the better part of 10 years, Kelley has built training and awareness programs for the Federal Government, DoD and private sector. After delivering online and in-person training to hundreds of thousands of users worldwide, Kelley has tried all the tools and techniques, learned from valuable mistakes, and had a lot of fun celebrating security program success along the way. Her passion for this topic is fueled in equal parts by the rapidly changing risks that all users must combat, and the amount of technology that her 3 children have access to.

Kelley holds a Bachelor’s Degree from George Mason University and currently serves on the Board of Directors for the National Cybercrime Support Center. In her free time, she enjoys reading, gardening and spending time with her family.

Stephanie Pratt

Stephanie Pratt – Head of Content at Living Security

@stephaniehpratt

Stephanie Pratt is the Senior Security Awareness Content Manager at Living Security. She developed a passion for cybersecurity at Blackbaud where she created the company’s first-ever security awareness program. Her program included a champions program, phishing simulation, a monthly speaker series, and a robust cybersecurity awareness month. She earned her SANS Security Awareness Practitioner, SSAP, certification in July 2019. Before joining Blackbaud, Stephanie worked for more than a decade in broadcast journalism as a TV reporter in Oregon, South Carolina, New Hampshire, and New York. She holds a B.S. from Emerson College.

Hosts

Jeff Man

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

@MrJeffMan

Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.

Josh Marpet

Josh Marpet – COO at Red Lion

@quadling

COO of Red Lion
IANS Faculty
Blockchain Patent Holder
MISTI Instructor
Entrepreneurship Curmudgeon
Board Member BSidesDE
Board Member BSidesDC
Ex-cop and Fireman

Priya Chaudhry

Priya Chaudhry – Jedi Warrior Princess at ChaudhryLaw PLLC

@Chaudhrylaw

Criminal Defense Trial Lawyer

Scott Lyons

Scott Lyons – CEO at Red Lion

@Csp3r

CEO at Red Lion

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Our next live webcast will be on April 29th at 11am ET where you will learn how to prepare for & prevent modern ransomware attacks! Our next technical training will be on May 6th at 11am ET. This technical training webcast will explore common misconfigurations of NGINX, the damage they could do, and how to avoid them. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand
