
CISO Tradecraft®

cisotradecraft.podbean.com
Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership. © Copyright 2025, National Security Corporation. All Rights Reserved

Episodes

#91 - Hacker Summer Camp

On this episode you can hear the tale of three conferences. Listen and learn about the history of BSides, Black Hat, and DEF CON. Learn what makes these conferences special and enjoy some of the untold history of each conference.

Aug 15, 2022 · 32 min · Ep. 91

#90 - A CISO’s Guide to Pentesting

A CISO's Guide to Pentesting. References:
- https://en.wikipedia.org/wiki/Penetration_test
- https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology
- https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
- https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
- https://pentest-standard.readthedocs.io/en/latest/
- https://www.isecom.org/OSSTMM.3.pdf
- https://s2.securit...

Aug 08, 2022 · 16 min · Ep. 90

#89 - Connecting the Dots (with Sean Heritage)

I've been a fan of Sean Heritage for years, ever since I first discovered his blog, "Connecting the Dots." Today I have the privilege to listen to his thoughts on cybersecurity careers in both the military and the "real world," how to prioritize your life, what career goals you should (and should NOT) aim for, and the importance of great leadership. Book reference: Connecting the Dots: Deliberate Observations and Leadership Musings About Everyday Life https://www.amazon.com/Connecting-Dots-Deliberate-...

Aug 01, 2022 · 46 min · Ep. 89

#88 - Tackling 3 Really Hard Problems in Cyber (with Andy Ellis)

On this episode of CISO Tradecraft, Andy Ellis from Orca Security stops by to talk about three really hard problems that CISOs have struggled with for decades: How do we build a phishing program that works? How do we build a third-party risk management program that isn't a paper exercise? How do we actually get good at patch management? Stick around for some great answers, such as:
- Human error is a system in need of redesign
- How do we put every employee on an island protected from the company?
- If we s...

Jul 25, 2022 · 47 min · Ep. 88

#87 - From Hunt Team to Hunter (with Bryce Kunz)

On this episode of CISO Tradecraft, Bryce Kunz from Stage 2 Security stops by to discuss how offensive cyber operations are evolving. Come and learn how attackers are bypassing MFA and EDR solutions to target your cloud environment. You can also hear what Bryce recommends to beat the bear that is ransomware. References:
- Link: How Attackers Bypass MFA with Evilginx 2
- Link: Stage 2 Security Black Hat Course...

Jul 18, 2022 · 44 min · Ep. 87

#86 - The CISO MindMap (with Rafeeq Rehman)

This episode features Rafeeq Rehman. He discusses the need for a CISO MindMap and 6 Focus Areas for 2022-2023:
1. Re-evaluate ransomware defenses, detection and response capabilities; perform a business impact analysis and identify critical processes, applications and data.
2. Reduce/consolidate security tools/technologies and vendors. More tools don't necessarily reduce risk, but they do add the need for maintaining expertise on security teams.
3. To serve your business better, train staff on busine...

Jul 11, 2022 · 45 min · Ep. 86

#85 - The Fab 5 Security Outcomes Study (with Helen Patton)

On this episode of CISO Tradecraft, we feature Helen Patton. Helen shares many of her career experiences working across JP Morgan, The Ohio State University, and now Cisco.
- Is technical acumen needed for CISOs?
- Surviving organizational politics (34:45)
Helen discusses The Fab 5 Security Outcomes study.
- Volume 1 Study - Link
- Volume 2 Study - Link...

Jul 04, 2022 · 44 min · Ep. 85

#84 - Gaining Trust (with Robin Dreeke)

On this episode of CISO Tradecraft we feature Robin Dreeke from People Formula. Robin is the former head of the FBI Counterintelligence Behavioral Analysis Program and has an amazing background in learning how individuals think, build trust, and communicate. Robin highlights 4 Pillars of Communicating:
- Seek the thoughts and opinions of others
- Talk in terms of the priorities, pain points, and challenges of others
- Use nonjudgmental validation (i.e. seek to understand others without judging)
- Empower oth...

Jun 27, 2022 · 46 min · Ep. 84

#83 - Cyber Defense Matrix Reloaded (with Sounil Yu)

This episode is sponsored by Varonis. You can learn more on how to reduce your ransomware blast radius by performing a free ransomware readiness assessment (Link). On this episode, Sounil Yu continues his discussion about his new book ("Cyber Defense Matrix"). Listen to learn more about:
- Pre-Event Structural Awareness vs Post-Event Situational Awareness
- Environmental vs Contextual Awareness
- Understanding Security Handoffs
- Rationalizing Technologies
- Portfolio Analysis
- Responding to Emerging Buzzwords (...

Jun 20, 2022 · 48 min · Ep. 83

#82 - Cyber Defense Matrix (with Sounil Yu)

This episode is sponsored by Varonis. You can learn more on how to reduce your ransomware blast radius by performing a free ransomware readiness assessment (Link). This episode of CISO Tradecraft has Sounil Yu talk about his new book, "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape". Sounil reviews the Cyber Defense Matrix in depth. We discuss how the Cyber Defense Matrix can be used for:
- Capturing & Organizing Measurements & Metrics
- Developing a Cyber Secu...

Jun 13, 2022 · 51 min · Ep. 82

#81 - Career Lessons from a CISO (with John Hellickson)

On this episode of CISO Tradecraft, John Hellickson from Coalfire talks about his career as a CISO. Listen and learn about:
- The evolving role of the CISO
- How John got started as a CISO
- What a Field CISO is and how it differs from a traditional CISO role
- Tips on getting your career to the next level by attending the right conferences and getting an executive coach
- How to get business alignment
- How the Security Advisor Alliance is helping the next generation of cyber talent...

Jun 06, 2022 · 41 min · Ep. 81

#80 - Breaking Backbones (with Deb Radcliff)

A respected journalist focusing on cybersecurity and our community of people for over 25 years, Deb Radcliff remains a trusted information source who checks and double-checks her sources before publication -- a refreshing change to the low signal - high noise world of social media. In this episode, we discuss where CISOs might turn for accurate information, how the industry has evolved in complexity, and take a look at the first of three fictional novels she's writing about a future world where ...

May 30, 2022 · 44 min · Ep. 80

#79 - Addressing the Top CEO Concerns

On this episode of CISO Tradecraft we talk about the Top 10 areas of concern for the C-suite about ransomware. Note you can read the full ISC2 study here (Link). Cybersecurity professionals should keep the following golden rules in mind when communicating with the C-suite about ransomware:
- Increase Communication and Reporting to Leadership
- Temper Overconfidence as Needed
- Tailor Your Message
- Make the Case for New Staff and Other Investments
- Make Clear that Ransomware Defense is Everyone's Respo...

May 23, 2022 · 39 min · Ep. 79

#78 - Business Objectives & 5 CISO Archetypes (with Christian Hyatt)

On this episode of CISO Tradecraft, Christian Hyatt from risk3sixty stops by to discuss the 3 major Business Objectives for CISOs:
- Risk Management
- Cost Reduction
- Revenue Generation
He also discusses the five CISO Archetypes:
- The Executive
- The Engineer
- The GRC Guru
- The Technician
- The Builder
References:
- The 5 CISO Archetypes Book - Link
- Designing the CISO Role - Link...

May 16, 2022 · 45 min · Ep. 78

#77 - Countering Corporate Espionage

Chances are your organization has information that someone else wants. If it's another nation state, their methods may not be friendly or even legal. In this episode we address assessing risk, known "bad" actors, information targets, exfiltration, cyber security models, what the federal government is doing for contractors, and response strategies. Listen now so you don't become a statistic later. References: https://www.fbi.gov/file-repository/china-exec-summary-risk-to-corporate-america-2019.pd...

May 09, 2022 · 47 min · Ep. 77

#76 - The Demise of the Cybersecurity Workforce

Our career has been growing like crazy with an estimated 3.5 million unfilled cybersecurity jobs within the next few years. More certs, more quals, more money, right? The sky’s the limit. But what if we’re wrong? AI, machine learning, security-by-design, outsourcing, and H-1B programs may put huge downward pressure on future job opportunities (and pay) in this country. Of course, we don’t WANT this, but shouldn’t a wise professional prepare for possibilities? [We did a ton of research looking at...

May 02, 2022 · 42 min · Ep. 76

#75 - Avoiding Death By PowerPoint

On this episode of CISO Tradecraft, we discuss how to avoid Death By PowerPoint by creating cyber awareness training that involves and engages listeners. Specifically we discuss:
- The EDGE method: Explain, Demonstrate, Guide, and Enable
- Escape Rooms
- Tabletop Exercises
- Polling During Presentations
- Short videos from online resources
References:
- https://blog.scoutingmagazine.org/2017/05/05/living-on-the-edge-this-is-the-correct-way-to-teach-someone-a-skill/
- http://www.inquiry.net/ideals/scouting_gam...

Apr 25, 2022 · 20 min · Ep. 75

#74 - Pass the Passwords

On this episode of CISO Tradecraft, we focus on password security and how it's evolving. Tune in to learn about:
- Why we need passwords
- Ways consumers log in and authenticate
- How bad actors attack passwords
- How long it takes to break passwords
- Different types of MFA
- The future of passwords with conditional access policies
Infographic and references:
- https://danielmiessler.com/blog/not-all-mfa-is-equal-and-the-differences-matter-a-lot/
- https://www.hivesystems.io/blog/are-your-passwords-in-t...

Apr 18, 2022 · 43 min · Ep. 74

#73 - Wonderful Winn Schwartau

Winn Schwartau is a well-recognized icon in the cybersecurity community, and also a dear friend for over 25 years. Always one to stir the pot and offer radical ideas (many of which come true), we discuss Hacker Jeopardy, INFOWARCON, his books "Pearl Harbor Dot Com", "Time-Based Security", and his magnum opus "Analog Security." We speculate on the future of our industry with respect to quantum and probabilistic computing, and after hanging up his pen, looks like he's doing a Tom Brady and writing...

Apr 11, 2022 · 47 min · Ep. 73

#72 - Logging In with SIEMs (with Anton Chuvakin)

On this episode of CISO Tradecraft, Anton Chuvakin talks about logging, Security Information & Event Management (SIEM) tooling, and cloud security. Anton shares fantastic points of view on:
- How moving to the cloud is like moving to a space station (13:44)
- How you may be one IAM mistake away from a breach (20:05)
- How a SIEM is a logging-based approach, whereas EDRs require agents at endpoints. This becomes really interesting when cloud solutions don't have an endpoint on which to install an agent (26...

Apr 04, 2022 · 48 min · Ep. 72

#71 - Lessons Learned as a CISO (with Gary Hayslip)

On this special episode of CISO Tradecraft, we have Gary Hayslip talk about his lessons learned being a CISO. He shares various tips and tricks he has used to work effectively as a CISO across multiple companies. Everything from fish tacos and beer to how to look at an opportunity when your boss has no clue about cyber frameworks. There's lots of great information to digest. Additionally, Gary has co-authored a number of amazing books on cyber security that we strongly recommend reading. You can...

Mar 28, 2022 · 54 min · Ep. 71

#70 - Partnership is Key

On this episode of CISO Tradecraft you can learn how to build relationships of trust with other executives by demonstrating executive skill and cyber security expertise. You can learn what to say to each of the following executives to build common ground and meaningful work:
- CFO
- Legal
- Marketing
- Business Units
- CEO
- CIO
- HR
Note: Robin Dreeke mentions 5 keys to building rapport:
- Learn... about their priorities, goals, and objectives.
- Place... theirs ahead of yours.
- Allow them to talk... suspend your own n...

Mar 21, 2022 · 16 min · Ep. 70

#69 - Aligning Security Initiatives with Business Objectives

On this episode of CISO Tradecraft, we talk about how cyber can help the four key business objectives identified by InfoTech:
1. Profit generation: The revenue generated from a business capability with a product that is enabled with modern technologies.
2. Cost reduction: The cost reduction when performing business capabilities with a product that is enabled with modern technologies.
3. Service enablement: The productivity and efficiency gains of internal business operations from products and ca...

Mar 14, 2022 · 25 min · Ep. 69

#68 - Thought Provoking Discussions (with Richard Thieme)

Today we speak with Richard Thieme, a man with a reputation for stretching your mind with his insights, who has spoken at 25 consecutive DEFCONs as well as keynoted BlackHat 1 and 2. In a far-ranging discussion, we cover the concept of what it's like to be a heretic (hint: it's one step beyond being a visionary), the thought that the singularity has already arrived, Pierre Teilhard de Chardin's noosphere, disinformation and cyber war, ethical decision-making in automated systems, and why there i...

Mar 07, 2022 · 1 hr 3 min · Ep. 68

#67 - Knock, Knock? Who’s There and Whatcha Want?

On this episode of CISO Tradecraft we are going to talk about various access control and authentication technologies.
Access Control Methodologies:
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role Based Access Control (RBAC)
- Privileged Access Management (PAM)
- Rule Based Access Control
- Attribute Based Access Control (ABAC) or Policy Based Access Control (PBAC)
Authentication Types:
- Password-based authentication
- Certificate-based authentication
- Token-based authe...

Feb 28, 2022 · 30 min · Ep. 67
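The access control models named in episode #67 give different answers to the same request, and the easiest way to see why is to evaluate one request under all of them side by side. The following Python is an added illustration, not code from the podcast or from any product it mentions: the label ordering, roles, ACL, department attributes and request context (managed device, MFA) are all constructed for the example, and ABAC is written in its policy-based form (PBAC) as a list of predicates.

```python
"""Added illustration of MAC, DAC, RBAC and ABAC/PBAC decisions (episode #67).
Not code from the podcast; every subject, resource, label, role and policy
below is a constructed example."""
from dataclasses import dataclass, field

# MAC: a linear ordering of sensitivity labels (assumed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: role -> set of (resource type, action) permissions.
ROLE_PERMS = {
    "analyst": {("report", "read")},
    "finance-admin": {("report", "read"), ("report", "write")},
}


@dataclass
class Subject:
    name: str
    clearance: str                              # used by MAC
    roles: set = field(default_factory=set)     # used by RBAC
    attrs: dict = field(default_factory=dict)   # used by ABAC


@dataclass
class Resource:
    name: str
    label: str                                  # used by MAC
    owner: str                                  # used by DAC
    acl: dict = field(default_factory=dict)     # DAC: subject name -> actions
    attrs: dict = field(default_factory=dict)   # RBAC ("type") and ABAC


def mac_allows(s, r, action):
    """Bell-LaPadula rules: no read up, no write down. Users cannot override."""
    if action == "read":
        return LEVELS[s.clearance] >= LEVELS[r.label]
    if action == "write":
        return LEVELS[s.clearance] <= LEVELS[r.label]
    return False


def dac_allows(s, r, action):
    """The owner decides: owner holds every right, others need an ACL entry."""
    return s.name == r.owner or action in r.acl.get(s.name, set())


def rbac_allows(s, r, action):
    """Permissions attach to roles, never directly to users."""
    needed = (r.attrs.get("type"), action)
    return any(needed in ROLE_PERMS.get(role, set()) for role in s.roles)


# ABAC / PBAC: each policy is a predicate over subject, resource, action and
# request context (device posture, MFA), which the other models cannot express.
ABAC_POLICIES = [
    lambda s, r, action, ctx: action == "read"
    and s.attrs.get("department") == r.attrs.get("department")
    and ctx.get("device_managed") is True,
    lambda s, r, action, ctx: action == "write"
    and s.attrs.get("department") == r.attrs.get("department")
    and "finance-admin" in s.roles
    and ctx.get("mfa") is True,
]


def abac_allows(s, r, action, ctx):
    return any(policy(s, r, action, ctx) for policy in ABAC_POLICIES)


def decide(s, r, action, ctx):
    """Evaluate one request under all four models and return each verdict."""
    return {
        "MAC": mac_allows(s, r, action),
        "DAC": dac_allows(s, r, action),
        "RBAC": rbac_allows(s, r, action),
        "ABAC": abac_allows(s, r, action, ctx),
    }


# Constructed sample: an analyst with 'internal' clearance asks for a
# 'confidential' finance report that its owner explicitly shared with her,
# from a managed device but without MFA.
ALICE = Subject("alice", "internal", {"analyst"}, {"department": "finance"})
REPORT = Resource("q3-forecast", "confidential", "bob",
                  {"alice": {"read"}},
                  {"type": "report", "department": "finance"})
CTX = {"device_managed": True, "mfa": False}

if __name__ == "__main__":
    for action in ("read", "write"):
        print(action, decide(ALICE, REPORT, action, CTX))
```

For the constructed read request MAC denies (the label outranks the clearance) while DAC, RBAC and ABAC all allow; for the write request only MAC allows (write up is permitted under Bell-LaPadula) and ABAC is the only model whose denial depends on the missing MFA in the request context. That contrast is the practical argument for layering models rather than picking one.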

#66 - Working On The Supply Chain Gang

On this episode of CISO Tradecraft, you can learn about supply chain vulnerabilities and the 6 important steps you can take to mitigate these attacks within your organization:
- Centralize your software code repository
- Centralize your artifact repository
- Scan open source software for malware
- Scan software for vulnerabilities and vendor support
- Run a Web Application Firewall (WAF)
- Run a Runtime Application Self-Protection (RASP)
References: https://owasp.org/www-project-threat-and-safeguard-matrix/ ...

Feb 21, 2022 · 21 min · Ep. 66
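The first four steps in the episode #66 list (central code and artifact repositories, scanning what you pull in) only hold if builds actually resolve dependencies through the central repository and pin what they fetch. As an added example that is not from the podcast or any referenced project, the Python below audits a pip requirements file for exactly those conditions: every index URL must be the internal artifact repository, every package must be pinned with `==`, and every package must carry a sha256 `--hash` so pip's `--require-hashes` mode can verify it. The index URL, package names and digests in the sample are constructed.

```python
"""Added example: audit a pip requirements file for supply-chain hygiene.
Not code from the podcast. The internal index URL and sample lockfile are
constructed for illustration."""
import re
from dataclasses import dataclass

# Assumed location of the organisation's central artifact repository.
CENTRAL_INDEX = "https://artifacts.example.internal/simple"

# name, optional version operator, optional version (PEP 508 subset).
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-\[\]]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")
SHA256_RE = re.compile(r"[0-9a-f]{64}")


@dataclass
class Finding:
    package: str
    problem: str


def _logical_lines(text):
    """Join backslash continuations and drop comments, as pip does."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def audit_requirements(text, allowed_index=CENTRAL_INDEX):
    """Return a list of Finding for every line that violates the policy."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith(("--index-url", "-i", "--extra-index-url")):
            url = line.split(None, 1)[1] if " " in line else ""
            if url != allowed_index:
                findings.append(Finding("<index>", f"index is not the central artifact repository: {url}"))
            continue
        if line.startswith("-"):            # -r, -c, -e and other options
            continue
        tokens = line.split()
        m = PIN_RE.match(tokens[0])
        if not m:
            continue
        name, op, _version = m.group(1), m.group(2), m.group(3)
        hashes = [t for t in tokens[1:] if t.startswith("--hash=")]
        if op != "==":
            findings.append(Finding(name, "not pinned to an exact version"))
        if not hashes:
            findings.append(Finding(name, "no --hash, integrity cannot be verified"))
        for h in hashes:
            algo, _, digest = h[len("--hash="):].partition(":")
            if algo != "sha256" or not SHA256_RE.fullmatch(digest):
                findings.append(Finding(name, f"weak or malformed hash ({algo})"))
    return findings


# Constructed sample lockfile: one clean entry, one unpinned entry, one with
# an MD5 hash, and a stray public index. The digests are not real.
FAKE_SHA256 = "a" * 64
SAMPLE_LOCKFILE = (
    f"--index-url {CENTRAL_INDEX}\n"
    f"requests==2.31.0 \\\n    --hash=sha256:{FAKE_SHA256}\n"
    "flask>=2.0\n"
    "pyyaml==6.0.1 --hash=md5:d41d8cd98f00b204e9800998ecf8427e\n"
    "--extra-index-url https://pypi.org/simple\n"
)

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_LOCKFILE):
        print(f"{f.package}: {f.problem}")
```

Run against the constructed sample it reports four findings (flask twice, pyyaml once, the public extra index once) and nothing for the pinned, sha256-hashed requests line. Wiring this check into CI in front of `pip install --require-hashes` is what turns "centralize your artifact repository" from a policy statement into something a build cannot silently bypass.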

#65 - Shall We Play A Game?

Gamification is a superpower that CISOs can use to change the culture of an organization. On this episode of CISO Tradecraft we discuss how to use gamification concepts as a CISO.
What's in a Game?
- Objective
- Rules
- Challenge/Competition
- Randomness or unpredictability
- Designed for fun and sometimes learning
What Makes a Game Fun?
- Challenge: requires a reasonable level of difficulty
- Fantasy: a compelling setting for game action; temporary suspension of reality
- Curiosity: random events so that play is not c...

Feb 14, 2022 · 44 min · Ep. 65

#64 - 3 Keys to Being a CISO (with Allan Alford)

On this episode of CISO Tradecraft, we feature Allan Alford from The Cyber Ranch Podcast. Allan brings a wealth of knowledge as a CISO and shares the three things every CISO needs to bring to the table:
- Use a cyber maturity model such as CMMI to identify the current situation and build a roadmap of where the organization is headed
- Quantify known risks through a risk register which gets routinely briefed to executives
- Align cyber to business objectives to enable the business
If you enjoy listeni...

Feb 07, 2022 · 44 min · Ep. 64

#63 - Flirting with Disaster

As a cyber executive you should expect disaster and disruption. When these unfortunate events occur, you can protect the business by maintaining critical business functions, ensuring employees are able to access an alternate work facility, and providing the vital records needed to perform business functions. The secret to accomplishing these objectives can be found in three important documents: a Business Continuity Plan, a Disaster Recovery Plan, and a Business Impact Analysis. Enjoy the show ...

Jan 31, 2022 · 26 min · Ep. 63

#62 - Promotion Through Politics

On this episode, we talk about the four types of skills you need to demonstrate in your career to climb through the ranks: Technical Skills, Management Skills, Leadership Skills, and Political Skills. We also highlight 6 crucial areas to improve your political skills:
- Social Astuteness - You need to get your cues right. Socially astute managers are well-versed in social interaction. In social settings they accurately assess their own behavior as well as that of others. Their strong powers of d...

Jan 24, 2022 · 31 min · Ep. 62