BSW #278 – Fleming Shi
Full Audio
1. The Untold Stories of Ransomware – Fleming Shi – BSW #278
New fourth-annual research report analyzes ransomware attack patterns that occurred between August 2021 and July 2022
In the past 12 months, Barracuda researchers identified and analyzed 106 highly publicized ransomware attacks and found the dominant targets are still five key industries: education, municipalities, healthcare, infrastructure, and financial.
Researchers also saw a spike in the number of service providers that have been hit with a ransomware attack.
The volume of ransomware threats detected spiked between January and June of this year to more than 1.2 million per month.
Most ransomware attacks don’t make headlines, though. Many victims choose not to disclose when they get hit, and the attacks are often sophisticated and extremely hard to handle for small businesses. To get a closer look at how ransomware is affecting smaller businesses, the report details three examples that researchers have seen through Barracuda SOC-as-a-Service, the anatomy of each attack, and the solutions that can help stop these attacks.
Segment Resources: Read the full Threat Spotlight blog post: https://blog.barracuda.com/2022/08/24/threat-spotlight-the-untold-stories-of-ransomware/ This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Guest
Fleming joined Barracuda in 2004 as the founding engineer for the company’s web security product offerings, helping to create the first version of Barracuda’s message archiving product and paving the way for expansion into new content security product areas. As Chief Technology Officer, Fleming leads the company’s threat research and innovation engineering teams in building future technology platforms to deliver continued success in our security and data protection products. He has more than 20 patents granted or pending in network and content security.
2. Firing Your Entire Cybersecurity Team? Really? Board Doesn’t Care About Buzzwords! – BSW #278
In the leadership and communications section, Attention CISOs: The Board Doesn’t Care About Buzzwords, The Best Managers Are Leaders — and Vice Versa, Firing Your Entire Cybersecurity Team? Are You Sure?, and more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
- 1. All-in-One Cybersecurity Board Report
  With cybersecurity as a board-level issue, many CISOs face the same level of inquiry and scrutiny as a CFO or CEO. Cyber is no longer an abstract concept that can be assessed with the question “Are we secure?” and a brief “Yes.” Successful CISOs are leaders, communicators, and managers. All CISOs must be prepared to convey their organization’s progress to ensure business continuity, make informed decisions, and improve cybersecurity incident response plans.
- 2. Attention CISOs: The Board Doesn’t Care About Buzzwords
  We live in an IT world surrounded by buzzwords that are largely marketing gimmicks. Zero Trust, for example, is a concept no one actually understands and is slapped onto everything, including derivatives like Zero Trust networks (ZTN) and Zero Trust network access (ZTNA). Then there’s Secure Access Service Edge (SASE), Security Service Edge (SSE) and everything that falls under these frameworks, such as Cloud Access Security Broker (CASB) and Secure Web Gateway (SWG). If you’ve ever presented to a board of directors, then you’ll know that they don’t care about any of this. The only time the board encounters any industry jargon is when they read about it in the Financial Times or Wall Street Journal. I was asked about a buzzword once in my career and it was in 1999: “OK, Paul, what are we doing about Y2K?”
- 3. New SEC Cybersecurity Rules Could Affect Private Companies Too
  In preparation for SEC requirements, IT security managers should verify the preparation and corporate approval of the following:
  - Risk Report: covers at least IT technical risks, but ideally general business risks as well. It should list:
    - Specific risks
    - Likelihood of each risk without controls in place
    - Controls and policies that address each specific risk
    - Likelihood of each risk with controls and policies in place
  - Policies: should cover categories of risk and will often be titled for the type of control they mandate, such as:
    - Data theft: encryption and data monitoring policies
    - Unauthorized access: access, password, and incident response policies
    - Zero-day vulnerability: vulnerability detection and remediation policy
    Policies should define the minimum standards that controls must meet to mitigate each risk.
  - Controls: should be implemented to meet or exceed policy requirements. For companies without existing policies, policies can be written that describe the IT standards currently in place (assuming those standards are sufficient).
- 4. The Best Managers Are Leaders — and Vice Versa
  Most of the long-running debate over “leaders” vs. “managers” focuses on nouns when it should focus on verbs. Everyone needs both “leading” and “managing” in their work, and the best executives balance the two. Over the last 15 years, the author asked a thousand executives about the difference between leading and managing, recording their responses. The distinction remains interesting and important, but it’s healthier as a balance that every individual tries to strike instead of as two distinct skillsets or roles within an organization.
- 5. 5 ways to grow the cybersecurity workforce
  The cybersecurity workforce shortage and related skills gap stubbornly persists. Here are five ways to attract talent now:
  1. Make job postings more attractive to diverse candidates
  2. Attract security-minded software engineers looking for opportunities
  3. Find talent by offering incentives to collaborate with the security team
  4. Invest in employee certification programs
  5. Draw out gender diversity by getting girls interested early
- 6. Firing Your Entire Cybersecurity Team? Are You Sure?
  What on earth were they thinking? That's what we – and other security experts – were wondering when content giant Patreon recently dismissed its entire internal cybersecurity team in exchange for outsourced services.