ESW #302 – Brian Contos, Isabelle Roccia
Segments
1. IoT, OT & Network Device Attacks, Trends, Stories & Threat Prevention – Brian Contos – ESW #302
Military-grade xIoT hacking tools are in use, cybercrime for hire that’s predicated on compromised xIoT devices has been monetized, and organizations worldwide are already “pwned” without even knowing it. Bad actors are counting on you being passive when it comes to xIoT security. Disappoint them!
Segment Resources: xIoT Threat & Trend Report https://phosphorus.io/xiot-threat-and-trend-report-2022/
xIoT Security Podcast https://phosphorus.io/podcast/
Phosphorus Labs https://phosphorus.io/labs/
Announcements
Thank you for listening to or watching our podcasts! We want to ensure that we are creating the most relevant and useful content for our audience across our network! It is crucial to us that we are delivering to you more of what you want to hear and learn about. Please take a few minutes to complete our listener survey so that we can craft our content based on your needs. Visit https://securityweekly.com/survey to submit your feedback.
Guest
With two IPOs & eight acquisitions, Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as a security company entrepreneur, board advisor, investor, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions, including Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, Verodin, and Mandiant.
Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian writes for Forbes and regularly presents at conferences like Black Hat, RSA, OWASP, and BSides.
2. Europe & Privacy, Why It Matters to Security Pros – Isabelle Roccia – ESW #302
Europe is a global driver for privacy rules and digital legislation, which means it is also a force to be reckoned with when it comes to enforcement. With privacy and security being so intertwined, this conversation will focus on the current mindset in Europe and discuss recent regulators' decisions, e.g. on Microsoft 365.
Segment Resources: The International Association of Privacy Professionals (IAPP) is the world’s largest global information privacy community. IAPP website https://iapp.org/ About membership: https://iapp.org/join/
IAPP training is a path to professional advancement and ANSI/ISO-accredited certification. Developed with leading privacy and data protection experts, our in-depth courses span legal, regulatory, governance, and operational issues. Choose the subjects and training modalities that fit your career goals.
More info about all IAPP trainings: https://iapp.org/train/
For example:
• IAPP Foundations of Privacy and Data Protection (Your Starting Point in Privacy Education): https://iapp.org/train/foundations/
• IAPP Privacy in Technology training – CIPT (for Software developers, information security professionals, data architects…): https://iapp.org/train/cipt-training/
Check out IAPP news and resources: https://iapp.org/news/ and https://iapp.org/resources/
Announcements
Follow Security Weekly Productions on LinkedIn for exclusive show clips, insights, and updates across our organization! Stay connected with our hosts and fellow community members, and join the conversation that's shaping the future of cybersecurity.
Guest
As Managing Director, Europe, Roccia leads the IAPP’s growing Brussels office and engages with senior industry leaders, policymakers, regulators and civil society, keeping IAPP members informed and apprised of local developments. She serves as the public voice for the IAPP across Europe and provides strategic guidance on European engagement and market expansion.
Prior to joining the IAPP, Roccia served as Director of Policy, EMEA of BSA | The Software Alliance in Brussels, Belgium. In this role, she developed and advanced policy positions on a range of key issues to the global software industry, with a focus on data privacy, international data flows, cybersecurity, digital trade and digital transformation. She is a recognized contributor to policymaking on these issues on national, European and multilateral levels. Prior to that, Roccia was the Senior Policy Advisor at the U.S. Mission to the EU in Brussels.
3. IronNet, Windows 7 EOL, Cloud Sec Trends, ChatGPT, & Personal CyberSec – ESW #302
Finally, in the enterprise security news: not much funding this week, but Netskope raises $400M and Hack the Box raises $55M! Also, what went wrong with IronNet? The Open Source Index highlights popular security projects, Windows 7 and Windows 8.1 have been put out to pasture, predictions about personal cybersecurity, cloud security trends, the ongoing impact of ChatGPT on the security industry, and password hygiene revealed to be terrible in the US Government. All that and more, on this episode of Enterprise Security Weekly.
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
- 1. FUNDING: Netskope Receives $401M In New Funding
There's not much funding today, but the funding we have is large and pointed at only a few companies. A few years ago, Netskope said it was doing fine, wasn't in a hurry to IPO, and didn't really need their Series G, but took the cash to 'top up the warchest'.
Four rounds of funding later, and I've got to wonder if that IPO is ever coming, if Netskope is comfortable as a private company, or if a PE sale is coming soon.
- 2. FUNDING: Hack The Box Secures $55 Million in Series B Funding Led by Carlyle
A sizable series B from a security training firm is NOT something I was expecting in 2023. The best estimate of SANS Institute revenue is around $56M. If that's accurate, there's a sizable pie for HackTheBox to take a bite out of here.
The market seems rather saturated to me, but with 1.7m users, HackTheBox does seem to be doing rather well. It's typically one of the first names I hear dropped when someone new to the industry asks for self-guided training recommendations.
- 3. (DE)FUNDING: IronNet cybersecurity faces delisting threat, potential insolvency – Baltimore Business Journal
- 4. NEW PRODUCTS: Snyk announces general availability of its cloud platform
- 5. NEW TOOLS: Open Source Security Index
A fantastic collection and analysis of the most popular open source security tools! 100% better than trying to manually search Github for the best free SAST tool.
- 6. DISCONTINUED: End of Support for Previous Versions of Windows
- 7. ESSAYS: 10 Reasons for VCs to Invest in a Network of Security Leaders
Looking forward to Tyler Shields' thoughts on this one!
- 8. TRENDS: This Week in Startups – Em Herrera predicts Personal Cybersecurity will be big in 2023
There is actually some discussion about personal cybersecurity before the point I link to in this YouTube video, so you might want to listen to the whole segment (which starts at 50:29). Herrera mentions that she actually divides personal cybersecurity (a term I like more than consumer cybersecurity) into 6 categories, and I'd love to know what those are!
- 9. TRENDS: Hackers went after personally identifiable information the most, study says
Reading the headlines, you'd be forgiven for thinking that the vast majority of data breaches were ransomware and extortion-driven. Reading this story, you might be surprised to hear that ransomware is only the 4th most common cause of a breach, at 10.4%. I sought out the source study, which made things a bit more clear. Ransomware was the 4th most common root cause of a data breach.
The way I'm reading this is that an extortion case where the root cause is phishing, but employs ransomware at a later stage of the campaign, would be counted as "social engineering", not "ransomware" as the root cause.
Though some of this is a bit foggy to me, the report has some good insights, like a good breakdown of the key mistakes and oversights companies can correct to prevent data breaches.
Note that the scope of this report was "100 of the largest and well-known data breaches to date". It's unclear if all these events happened in the past 5 years, or go back 20 years or more, which I would think would dull the value of the report. There's no methodology listed for the report.
- 10. TRENDS (CloudSec): Lessons on cloud security from the ‘Twitter Whistleblower’
- 11. TRENDS (CloudSec): Are threat actors gaining cloud skills faster than enterprises?
- 12. TRENDS (AI EDITION): AI for Cybersecurity Market Giants Spending Is Going To Boom
- 13. TRENDS (AI EDITION): ChatGPT is enabling script kiddies to write functional malware
- 14. TRENDS: US Farmers win right to repair John Deere equipment
- 15. TRENDS: How a single developer dropped AWS costs by 90%, then disappeared.
They call it freejacking: automating the mass creation of new accounts on services that offer free trials, then abusing those trials for profit.
Mining crypto is usually the endgame with freejacking, but in this story, someone uses it to con a company into thinking they've somehow saved them 90% on their cloud bills, when they've actually temporarily saved them money by funneling workloads to accounts with temporary free trials!
- 16. TRENDS: 2023 threat predictions: Beware ‘economic uncertainty’ for the cybersecurity community
I'd normally pass a story like this up, but with quotes from 49 industry executives, I found this worth a skim. There are some interesting takes in there, but yes, there are also some that read like a ChatGPT prompt titled, "boilerplate 2023 prediction for the cybersecurity market written by an exec worried about offending anyone".
- 17. HACKS: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
An absolutely breathtaking collection of automotive vulnerabilities. It seems like this small group of researchers likely had access to tens of millions of vehicles spread across 16 brands over the last 5 years!
That sounds like it might result in a 300 page PDF, but this blog post is surprisingly concise for the amount of pwnage that has occurred here.
- 18. HACKS: Taking over a Dead IoT Company
- 19. REPORTS: P@s$w0rds at the U.S. Department of the Interior
Figure 5, Page 18
Boy, if you're not convinced we need to ditch passwords a few pages into this report, you certainly will by the time you get to Figure 5 on Page 18.
- 20. DISCONTINUED: Palo Alto pulls out of the consumer market; kills the Okyo Garde
We reported on the surprising news that Palo Alto broke into the consumer market with their Okyo Garde home network appliance back in Q3 2021. Less surprisingly, they ended sales a year later and ended service on December 31st, 2022.
Folks that weren't aware of the service ending got a very abrupt surprise as the device failed closed.
I doubt anyone got refunds for their devices. Normally, I wouldn't even consider that question, except that I just received a refund for everything I had ever bought that was attached to Google's Stadia cloud gaming platform, even though all my purchases were over 3 years ago!
- 21. SQUIRREL: All the FTX Films and TV Series in Production Right Now – Decrypt