ESW #287 – Jeff Orloff, Paul Roberts
1. Optimizing the Human Element of Cybersecurity – Jeff Orloff – ESW #287
Security training isn't just about anti-phishing and security awareness for employees. When reading through breach details, a similar picture often emerges: the people were there, the tools were in place, but the people didn't know how to use the tools effectively. Every day, security tools catch attacks, but it doesn't matter if a human doesn't notice and tools are in 'monitor only' modes.
This segment is sponsored by RangeForce. Visit https://securityweekly.com/rangeforce to learn more about them!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
Jeff Orloff is the Tech Evangelist and Vice President of Product at RangeForce. He has more than 10 years of experience in cybersecurity, system administration, and computer and network security. He lives in Tampa, Florida.
2. Why Our Right to Repair Is Critical To Securing The Internet Of Things – Paul Roberts – ESW #287
From its origins a decade ago, the grassroots movement to enshrine in law the right to repair our stuff (read: cell phones, laptops, home appliances, cars, machinery) has morphed into a potent, global movement. Today, much of the debate over right to repair laws has focused on issues like concentrations of market power by large corporations and anti-competitive behavior with regard to service and repair of "smart," connected products. However, there is a less-discussed but equally potent argument in favor of repair: cybersecurity and data privacy. In this conversation, Paul Roberts, the founder of SecuRepairs.org (pron: Secure Repairs), talks about the dire state of device security on the Internet of Things and how efforts by manufacturers to limit access to software updates, diagnostic tools and parts exacerbate IoT cyber risk, even as they burden consumers and the environment.
Segment Resources:
- Securepairs.org: https://securepairs.org
- Fight to Repair Newsletter: https://fighttorepair.substack.com
- The Security Ledger: https://securityledger.com
Announcements
Security Weekly is proud to partner with Hack Red Con for their first annual in-person event! Hack Red Con is happening at the Hyatt Regency in Louisville, KY from September 7th-11th. As a part of our partnership, Security Weekly listeners receive a 10% discount on registration! Visit https://securityweekly.com/hackredcon to register now! We hope to see you there!
Guest
Paul Roberts is the founder of SecuRepairs (pron: Secure Repairs; securepairs.org), a volunteer group of more than 200 information technology and information security professionals who support a legal right to repair. He is also the Publisher and Editor in Chief of The Security Ledger (securityledger.com), an independent security news website that explores the intersection of cyber security with the Internet of Things.
Paul is a seasoned reporter, editor and industry analyst with more than a decade of experience covering the information technology security space. His writing about cyber security has appeared in publications including Mother Jones; The Christian Science Monitor; MIT Technology Review; The Economist Intelligence Unit; CIO Magazine; ZDNet and Fortune Small Business. He has appeared on NPR’s Marketplace Tech Report and The Oprah Show.
Prior to launching The Security Ledger, Paul worked as a Senior Analyst in The 451 Group's Enterprise Security Practice and held positions as a senior writer and editor at noted industry publications including Threatpost, Infoworld, eWeek and The IDG News Service.
3. Open Source MFA, Layoffs, Krit, AWS Incident Response, & Product Led Growth Talk – ESW #287
In the Enterprise Security News this week: more layoff announcements than funding announcements! Krit acquired by GreyNoise, Incident Response in AWS is different, awesome open source projects for SecOps folks, Tyler Shields can't wait to talk about Product Led Growth, forcing open source maintainers to use MFA, Twilio - the breach that keeps on pwning, the US Government earmarks $15.6 BILLION for cybersecurity and we hear vendors salivating already, & more!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Security Weekly listeners save 20% on InfoSec World 2022 passes! InfoSec World will be held September 27th through the 29th at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. Visit securityweekly.com/isw and use the code ISW22-SECWEEK20 to secure your spot now!
- 1. FUNDING: Privado raises $14 million in Series A Funding to Embed Privacy in Software Development.
  $14M Series A led by Insight Partners and Sequoia India. Privado scans code repos for PII use and points where private data is sent to third parties. An interesting take on the resurgence of data security startups we've seen; organizations definitely need a better handle on data flows and responsibility for customer data.
- 2. FUNDING: BalkanID Closes $8.1 Million Seed Funding Round Amid Surging Demand for its Intelligent Access Governance Platform.
  An add-on round to BalkanID's seed, making the round larger than some Series A raises we see. From what I can tell, BalkanID discovers security issues within the spaghetti mess of permissions and access controls across all of a company's cloud and SaaS use.
- 3. ACQUISITIONS: Krit has been acquired by GreyNoise Intelligence.
  Krit was a well-known but small cybersecurity product UI/UX consulting firm. GreyNoise needed product management and design help and has funding, so this acquihire made a lot of sense for them.
- 4. LAYOFFS: NSO lays off 100 employees, CEO Shalev Hulio to step down.
  NSO has a mess to work through. The CEO is stepping down again, the company is sanctioned in the US, and the company is viewed as quite the villain in the press. The word is that the company will be looking for a buyer.
- 5. LAYOFFS: Malwarebytes lays off 125 employees citing 'strategic reorg' (TechCrunch).
  Following the layoff trend, another Endpoint Security vendor tightens its belt.
- 6. LAYOFFS: Okta lays off US sourcing team.
  A sourcing team of 25 was let go. This is a fraction of a percent of Okta's total workforce, so nothing much to worry about for other employees or Okta customers.
- 7. LEARNING: Incident Response in AWS – Chris Farris
- 8. OPEN SOURCE: Kubernetes v1.25: Pod Security Admission Controller in Stable
- 9. OPEN SOURCE: The Elastic Container Project for Security Research.
  Quickly stand up a local, fully containerized Elastic Stack, complete with Kibana, Fleet, and Detection Engine!
- 10. OPEN SOURCE: Matano – The Open Source Security Lake Platform for AWS.
  Along with the Elastic Container Project for Security Research, we're seeing some amazing free security tools popping up lately!
- 11. TRENDS: To bring PLG to cybersecurity, let's change our hiring habits.
  PLG = Product Led Growth. In short, PLG is all about focusing on building a product compelling enough that it becomes the primary driver of sales. It is typically accompanied by transparent pricing, a freemium tier, and self-service billing to reduce sales friction. Slack is a key example. In short, it's Tyler Shields' favorite term and you should get his opinion on this story ;)
- 12. TRENDS: The case for a SaaS bill of materials.
  As much as I hate the fact that the authors are trying to make "SaaSBOM" a thing, the article asks some excellent and pertinent questions about SBOMs and their SaaS equivalent.
- 13. TRENDS: Requiring MFA on popular gem maintainers (RubyGems Blog).
  The trend of requiring popular package maintainers on package repos to use MFA continues, as it becomes more and more common to see malicious code inserted into open source projects.
- 14. SUPPLY CHAIN: The Twilio Breach goes Deep.
  Twilio is the kind of third-party supply chain breach we've worried about for years - a one-to-many situation.
  1. The attackers spearphished some Twilio employees, stealing their credentials.
  2. The attackers hit Cloudflare, but failed due to Cloudflare's use of security keys.
  3. Signal users were targeted with data from the Twilio breach.
  4. 93 Authy users were affected; attackers attached devices to their accounts to hijack 2FA.
  5. DoorDash was affected, with some customers' data exposed.
  6. Twilio claims only 176 customers were affected, but it seems clear the damage done goes much deeper than the numbers suggest (and might go much further than what's currently known to the public).
- 15. BREACHES: Notice of Recent Security Incident (The LastPass Blog).
  Big deal, or nothingburger?
- 16. INTEL: CISA Adds 10 new Known Actively Exploited Vulnerabilities to its Catalog.
  CISA has expanded their Known Exploited Vulnerabilities catalog yet again (and apparently we're using the KEV acronym now?). Notable additions include Apple operating systems, PEAR Archive_Tar, WebRTC, Grafana, CouchDB, and dotCMS. If you're not actively using this list of sure-to-get-you-hacked items to prioritize your vuln mgmt work, you probably should be.
- 17. FEDERAL: U.S. Government Spending $15.6 Billion on Cybersecurity.
  $15.6B isn't "staggering" when compared to the DoD budget (which is where most of this money is going), but compared to the entire cybersecurity industry's revenue - it's a TENTH of it. $2.9B of it is going to CISA, however, which is encouraging. CISA has been doing some great work over the past few years (some of which we're highlighting in the news today!). There's a good breakdown of where the money is going here: https://rollcall.com/2022/07/12/house-appropriators-back-over-15-6-billion-for-cybersecurity/
- 18. CAREERS: Almost No One Has Been Hired Through DHS' Much-Hyped Cyber Talent Program.
  Wiz has hired nearly 250 employees in the last 6 months. I initially misread the subtitle of this story as "only 146 of the 150 person goal had been hired". The actual number hired is only FOUR. DHS hasn't been able to hire more than FOUR people through this program in the last 9-10 months? The original press release for this program had an ambitious title: "DHS Launches Innovative Hiring Program to Recruit and Retain World-Class Cyber Talent". What's wrong? I'm not sure... looking at some of these openings (e.g. https://www.usajobs.gov/job/672059700), the pay seems decent, many positions are remote, I don't see a CISSP requirement anywhere, and many openings require as little as 2 years of security experience. Maybe there's just too much competition for candidates with 3-5 years of experience? Maybe they didn't market it very well.
- 19. CAREERS: Senior-Level Women Leaders in Cybersecurity Form New Nonprofit.
  Starting as an informal group at the start of the pandemic, The Forte Group now has 90 members and is now a non-profit. The non-profit's mission is to "offer career assistance, advocacy, mentoring, and educational programs for women in the infosec and technology fields."
- 20. SQUIRREL: Walmart lists a 30TB portable SSD for $39. It is, naturally, a scam.
  The pictures of janky, hot-glued micro-SD cards are worth the click alone.