Business continuity, Careers, Incident response, Security awareness, Third-party risk, Vulnerability management

ESW #287 – Jeff Orloff, Paul Roberts


Segments

1. Optimizing the Human Element of Cybersecurity – Jeff Orloff – ESW #287

Security training isn't just about anti-phishing and security awareness for employees. When reading through breach details, a similar picture often emerges: the people were there, the tools were in place, but the people didn't know how to use the tools effectively. Every day, security tools catch attacks, but it doesn't matter if a human doesn't notice and tools are in 'monitor only' modes.

This segment is sponsored by RangeForce. Visit https://securityweekly.com/rangeforce to learn more about them!

Sponsored By

RangeForce

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Guest

Jeff Orloff
Technical Evangelist and VP of Product at RangeForce

Jeff Orloff is the Tech Evangelist and Vice President of Product at RangeForce. He has more than 10 years of experience in cybersecurity, system administration, and computer and network security. He lives in Tampa, Florida.

Hosts

Joe South
Sr Content Creator at CyberRisk Alliance
Katie Teitler
Senior Security Strategist at Axonius
Tyler Robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security
Tyler Shields
CMO at JupiterOne

2. Why Our Right to Repair Is Critical To Securing The Internet Of Things – Paul Roberts – ESW #287

From its origins a decade ago, the grassroots movement to enshrine in law the right to repair our stuff (read: cell phones, laptops, home appliances, cars, machinery) has morphed into a potent, global movement. Today, much of the debate over right to repair laws has focused on issues like concentrations of market power by large corporations and anti-competitive behavior with regard to service and repair of "smart," connected products. However, there is a less-discussed but equally potent argument in favor of repair: cybersecurity and data privacy. In this conversation, Paul Roberts, the founder of SecuRepairs.org (pron: Secure Repairs), talks about the dire state of device security on the Internet of Things and how efforts by manufacturers to limit access to software updates, diagnostic tools and parts exacerbate IoT cyber risk, even as they burden consumers and the environment.

Segment Resources:

Securepairs.org: https://securepairs.org

Fight to Repair Newsletter: https://fighttorepair.substack.com

The Security Ledger: https://securityledger.com

Announcements

  • Security Weekly is proud to partner with Hack Red Con for their first annual in-person event! Hack Red Con is happening at the Hyatt Regency in Louisville, KY from September 7th-11th. As a part of our partnership, Security Weekly listeners receive a 10% discount on registration! Visit https://securityweekly.com/hackredcon to register now! We hope to see you there!

Guest

Paul Roberts
Founder, SecuRepairs (pron: Secure Repairs), and Publisher, The Security Ledger

Paul Roberts is the founder of SecuRepairs (pron: Secure Repairs) (securepairs.org), a volunteer group of more than 200 information technology and information security professionals who support a legal right to repair. He is also the Publisher and Editor in Chief of The Security Ledger (securityledger.com), an independent security news website that explores the intersection of cyber security with the Internet of Things.

Paul is a seasoned reporter, editor and industry analyst with more than a decade of experience covering the information technology security space. His writing about cyber security has appeared in publications including Mother Jones; The Christian Science Monitor; MIT Technology Review; The Economist Intelligence Unit; CIO Magazine; ZDNet and Fortune Small Business. He has appeared on NPR’s Marketplace Tech Report and The Oprah Show.

Prior to launching The Security Ledger, Paul worked as a Senior Analyst in The 451 Group's Enterprise Security Practice and held positions as a senior writer and editor at noted industry publications including Threatpost, Infoworld, eWeek and The IDG News Service.

Hosts

Joe South
Sr Content Creator at CyberRisk Alliance
Katie Teitler
Senior Security Strategist at Axonius
Tyler Robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security
Tyler Shields
CMO at JupiterOne

3. Open Source MFA, Layoffs, Krit, AWS Incident Response, & Product Led Growth Talk – ESW #287

In the Enterprise Security News this week: more layoff announcements than funding announcements! Krit acquired by GreyNoise, Incident Response in AWS is different, awesome open source projects for SecOps folks, Tyler Shields can't wait to talk about Product Led Growth, forcing open source maintainers to use MFA, Twilio - the breach that keeps on pwning, the US Government earmarks $15.6 BILLION for cybersecurity and we hear vendors salivating already, & more!

Announcements

  • Security Weekly listeners save 20% on InfoSec World 2022 passes! InfoSec World will be held September 27th through the 29th at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. Visit securityweekly.com/isw and use the code ISW22-SECWEEK20 to secure your spot now!

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Hosts

Joe South
Sr Content Creator at CyberRisk Alliance
Adrian Sanabria
Director of Product Management at Tenchi Security
Katie Teitler
Senior Security Strategist at Axonius
Tyler Robinson
Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security
Tyler Shields
CMO at JupiterOne

Enterprise Security News stories:

  1. FUNDING: Privado raises $14 million in Series A Funding to Embed Privacy in Software Development - $14M Series A led by Insight Partners and Sequoia India. Privado scans code repos for PII use and points where private data is sent to third parties. An interesting take on the resurgence of data security startups we've seen; organizations definitely need a better handle on data flows and responsibility for customer data.
  2. FUNDING: BalkanID Closes $8.1 Million Seed Funding Round Amid Surging Demand for its Intelligent Access Governance Platform - An add-on round to BalkanID's seed, making the round larger than some Series A raises we see. From what I can tell, BalkanID discovers security issues within the spaghetti mess of permissions and access controls across all of a company's cloud and SaaS use.
  3. ACQUISITIONS: Krit has been acquired by GreyNoise Intelligence - Krit was a well-known but small cybersecurity product UI/UX consulting firm. GreyNoise needed product management and design help and has funding, so this acquihire made a lot of sense for them.
  4. LAYOFFS: NSO lays off 100 employees, CEO Shalev Hulio to step down - NSO has a mess to work through. The CEO is stepping down again, the company is sanctioned in the US, and the company is viewed as quite the villain in the press. The word is that the company will be looking for a buyer.
  5. LAYOFFS: Malwarebytes lays off 125 employees citing 'strategic reorg' – TechCrunch - Following the layoff trend, another Endpoint Security vendor tightens its belt.
  6. LAYOFFS: Okta lays off US sourcing team - A sourcing team of 25 was let go. This is a fraction of a percent of Okta's total workforce, so nothing much to worry about for other employees or Okta customers.
  7. LEARNING: Incident Response in AWS – Chris Farris
  8. OPEN SOURCE: Kubernetes v1.25: Pod Security Admission Controller in Stable
  9. OPEN SOURCE: The Elastic Container Project for Security Research - Quickly stand up a local, fully containerized Elastic Stack, complete with Kibana, Fleet, and Detection Engine!
  10. OPEN SOURCE: Matano – The Open Source Security Lake Platform for AWS - Along with the Elastic Container Project for Security Research, we're seeing some amazing free security tools popping up lately!
  11. TRENDS: To bring PLG to cybersecurity, let's change our hiring habits - PLG = Product Led Growth. In short, PLG is all about focusing on building a product compelling enough that it becomes the primary driver of sales. Typically accompanied by transparent pricing, a freemium tier, and self-service billing, to reduce sales friction. Slack is a key example. In short, it's Tyler Shields' favorite term and you should get his opinion on this story ;)
  12. TRENDS: The case for a SaaS bill of materials - As much as I hate the fact that the authors are trying to make "SaaSBOM" a thing, the article asks some excellent and pertinent questions about SBOMs and their SaaS equivalent.
  13. TRENDS: Requiring MFA on popular gem maintainers – RubyGems Blog - The trend of requiring popular package maintainers on package repos to use MFA continues, as it becomes more and more common to see malicious code inserted into open source projects.
  14. SUPPLY CHAIN: The Twilio Breach goes Deep - Twilio is the kind of 3rd party supply chain breach we've worried about for years - a one-to-many situation.
      1. The attackers spearphish some Twilio employees, stealing their credentials.
      2. The attackers hit Cloudflare, but failed due to use of security keys.
      3. Signal users were targeted with data from the Twilio breach.
      4. 93 Authy users affected; attackers attached devices to their accounts to hijack 2FA.
      5. DOORDASH was affected, with some customers' data exposed.
      6. Twilio claims only 176 customers were affected, but it seems clear the damage done goes much deeper than the numbers suggest (and might go much further than what's currently known to the public).
  15. BREACHES: Notice of Recent Security Incident – The LastPass Blog - Big deal, or nothingburger?
  16. INTEL: CISA Adds 10 new Known Actively Exploited Vulnerabilities to its Catalog - CISA has expanded their known exploited vulnerabilities catalog yet again (and apparently we're using the KEV acronym now?). Notable additions include Apple operating systems, PEAR Archive_Tar, WebRTC, Grafana, CouchDB, and dotCMS. If you're not actively using this list of sure-to-get-you-hacked items to prioritize your vuln mgmt work, you probably should be.
  17. FEDERAL: U.S. Government Spending $15.6 Billion on Cybersecurity - $15.6B isn't "staggering" when compared to the DoD budget (which is where most of this money is going), but compared to the entire cybersecurity industry's revenue, it's a TENTH of it. $2.9B of it is going to CISA, however, which is encouraging. CISA has been doing some great work over the past few years (some of which we're highlighting in the news today!). There's a good breakdown of where the money is going here: https://rollcall.com/2022/07/12/house-appropriators-back-over-15-6-billion-for-cybersecurity/
  18. CAREERS: Almost No One Has Been Hired Through DHS' Much-Hyped Cyber Talent Program - Wiz has hired nearly 250 employees in the last 6 months. I initially misread the subtitle of this story as "only 146 of the 150 person goal had been hired". The actual number hired is only FOUR. DHS hasn't been able to hire more than FOUR people through this program in the last 9-10 months? The original press release for this program had an ambitious title: "DHS Launches Innovative Hiring Program to Recruit and Retain World-Class Cyber Talent". What's wrong? I'm not sure... looking at some of these openings (e.g. https://www.usajobs.gov/job/672059700), the pay seems decent, many positions are remote, I don't see a CISSP requirement anywhere and many openings require as little as 2 years of security experience. Maybe there's just too much competition for candidates with 3-5 years of experience? Maybe they didn't market it very well.
  19. CAREERS: Senior-Level Women Leaders in Cybersecurity Form New Nonprofit - Starting as an informal group at the start of the pandemic, The Forte Group now has 90 members and is now a non-profit. The non-profit's mission is to "offer career assistance, advocacy, mentoring, and educational programs for women in the infosec and technology fields."
  20. SQUIRREL: Walmart lists a 30TB portable SSD for $39. It is, naturally, a scam - The picture of janky, hot-glued micro-SD cards is worth the click alone.