The Southern Fried Security Podcast

Technology

Updated 2 months ago

iTunes Ratings

30 Ratings

Average Ratings (distribution from 5 stars down to 1 star): 23, 4, 3, 0, 0

Listen at work or on the road

By DevSec - Mar 08 2016
This is a great security podcast filled with lots of great commentary on the latest security news. Lots of great insight and enjoyable to listen to. Also, the intro song is awesome! :)

Indispensable security podcast

By EDinATL - Feb 06 2016
I enjoy these guys and gain valuable insights into a complex and exciting industry. Very well put together show every time. I’m not the biggest fan of the intro music, but it does remind me that we’re all southerners, which is a good thing.

Latest release on Jan 11, 2019

Rank #1: Episode 78: Episode 187 - The Internet Is Down


Martin, Steve, and Yvette discuss the recent DDoS of the DNS provider Dyn and what information security people should be considering in a world where terabit DDoS is a reality.

Oct 25 2016

21mins


Rank #2: Episode 90: Episode 198 - Building a Security Strategy Part 1


Episode 198 – Building a Security Strategy – Part 1

Strategy is the hardest thing a CISO will do in their career...except if they have to explain a massive breach…

  1. What is a Strategy?
    1. What’s the difference between a strategy and a policy?
      1. A policy is binding statements
      2. A strategy is thought-out planning
    2. What a strategy isn’t…
      1. A list of tech you want to buy
      2. A remediation plan that follows an audit/assessment
      3. A continued justification for the way you’ve always done things
      4. The stuff your favorite vendor told you needs doing
    3. A strategy is…
      1. Based on the needs and desires of the org and its senior leaders
      2. Culturally relevant
      3. A guide to where investment (money and people) needs to be made
      4. Balanced between boldness and reassurance
      5. Built on a set of capabilities that map to business success criteria
  2. Why do you want one?
    1. Creates a consistent frame of reference for talking about the program
    2. Helps senior leaders understand the where/why of the investments
    3. Lays out a connected story for the CFO-org to make budget less hard
    4. Provides a decision-making framework that enables effective choices
  3. How do I make one?
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village

In our next episodes we’ll break down each of the steps and talk more about strategy…

Jun 24 2017

25mins


Rank #3: Episode 58: Episode 168 - Passwords Passwords Passwords


Oct 13 2015

30mins


Rank #4: Episode 71: Episode 180 - Interview with Patrick Heim


This evening, Martin sat down with Patrick Heim from Dropbox. Enjoy the interview, and the gang will be back next episode.

May 19 2016

24mins


Rank #5: Episode 80: Episode 189 - Medical Device Security


SFS Podcast Episode: 189

Medical Device Security

  1. Intro
  2. Medical Devices are a broad category
    1. Hospital devices (infusion pumps, CT, MRI, etc.)
    2. Personal devices (pacemakers, insulin pumps, etc.)
  3. This has some of the same threat landscape as the IoVCT, but the consequences can be much more serious.
    1. Discussion of Sentinel Events...
  4. Challenges to Fixing The Problem:
    1. Lead times for device approval
    2. Fixed configurations / FDA compliance
    3. Working life of devices
    4. “Well, just replace them all!” Cost of devices (esp. for small/struggling hospitals)
    5. Sheer number of devices can be overwhelming when looking to upgrade/replace
    6. Vendors that bring in things for a trial w/o involvement of IT/IS
  5. How Can it Get Better
    1. Vuln Disclosure
      1. Muddy Waters / St Jude
        1. The problem there wasn’t the disclosure; it was the appearance of a profit motive
        2. August 25, 2016 > http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/
        3. SJM sued in early September >> http://www.wsj.com/articles/st-jude-medical-sues-short-seller-over-device-allegations-1473258343
        4. http://www.marketwatch.com/story/short-seller-muddy-waters-renews-claims-of-st-jude-medical-cyber-vulnerabilities-2016-10-19
        5. Goes beyond Vulnerability Disclosure: Muddy Waters claims SJM is attacking their First Amendment (right to free speech) rights >> https://www.bloomberg.com/news/articles/2016-10-24/muddy-waters-fights-st-jude-lawsuit-over-pacemaker-reports
        6. Muddy Waters report from Bishop Fox >> http://www.reuters.com/article/us-st-jude-medical-cyber-muddywaters-idUSKCN12O1O1
      2. Bug Bounties
        1. http://www.csmonitor.com/World/Passcode/2016/0210/FDA-presses-medical-device-makers-to-OK-good-faith-hacking
    2. FDA Task Force - http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm
    3. Other groups
      1. I Am The Cavalry - https://iamthecavalry.org/oath
      2. Other interest groups
        1. HIMSS Cyber Security Community - http://www.himss.org/get-involved/community/cybersecurity
        2. Archimedes Center for Medical Device Security - https://secure-medicine.blogspot.com
        3. NH-ISAC - http://www.nhisac.org/
        4. MDISS - http://www.mdiss.org
  6. What’s the Future?
    1. Sometime, somewhere, somehow something bad is going to happen and somebody is going to die.
    2. There will need to be more market pressure - http://thehill.com/blogs/congress-blog/technology/278712-a-new-narrative-on-cyber-security
    3. What will regulators do? (e.g. D-Link and the FTC)
  7. Outro & Credits

Feb 01 2017

31mins


Rank #6: Episode 91: Episode 199 - Building a Security Strategy - Part II


Episode 199 - Building A Security Strategy - Part II

  1. Recap
    1. Strategy vs Policy
  2. The Question is “How do I make one?”
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  3. Understand the Business of Your Business
    1. Almost no business is in the business of information security
    2. Follow The Money
    3. Understand The Decisioning Process
    4. “Culture Eats Strategy For Breakfast”
    5. Vocabulary Matters
  4. Know Who Your Stakeholders Really Are
    1. Know the Formal and Informal Org Charts
    2. Influencers are as important as Deciders
    3. Beware the Spoiler
    4. “Culture Eats Strategy For Breakfast”
    5. Don’t Give a Vote or Veto Unnecessarily
  5. Culture Is The Key
    1. We will keep discussing this.
    2. Underestimating the power of culture WILL result in your plan failing
    3. That’s a majority of the reason that Strategy Is Hard

Aug 09 2017

28mins


Rank #7: Episode 85: Episode 193 - Chief Information Security Oh-Crap


Tonight's episode is all about those learning moments.

CISOs and security orgs find new and interesting ways to screw up all the time. Leaving that Any-Any rule in place on the new firewall… Disabling the CEO’s account by accident… Not realizing that Shadow IT had just installed a new egress point…

Here are our stories. The names have been changed to protect the culpable.

Apr 13 2017

26mins


Rank #8: Episode 67: Episode 176 - Money Changes Everything


InfoSec programs without money are like cereal but no milk, peanut butter but no jelly, Milli but no Vanilli… (Get over it, I’m old - Martin)

Martin is doing a talk on “The ABCs of Getting Your InfoSec Program Funded” and we’re going to discuss how this works in the real world at all of the different levels.

Find us on Twitter: @SFSPodcast @armorguy @jsokoly @andywillingham @SteveD3 @jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter. And if you’ve found our Facebook page, we’re sorry. We’re going to fix that up.

Mar 23 2016

28mins


Rank #9: Episode 69: Episode 178 - Peak Vuln Logo


This evening, Martin, Steve, and Joseph talk about overhyped vulnerabilities, and how that affects communication with the business.

Badlock’s Site

Sadlock

Hyping vulnerabilities is no longer helping application security awareness | TechCrunch

Find us on Twitter: @SFSPodcast @armorguy @jsokoly @andywillingham @SteveD3 @jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter. And if you’ve found our Facebook page, we’re sorry. We’re going to fix that up.

Apr 19 2016

23mins


Rank #11: Episode 75: Episode 184 - Nick Selby (@nselby)


We interview Nick Selby (@nselby) about a recent blog post where he had a less than optimal experience with a managed security service provider.

https://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/

Aug 30 2016

23mins


Rank #12: Episode 62: Episode 171 - 2015 in Review


Tonight, Martin, Joseph, Steve, and Andy got together and went over how their 2015 predictions went, and laid out what their predictions were for 2016.

The gang is on break from now until the new year, happy holidays!

Nov 17 2015

32mins


Rank #13: Episode 56: Episode 166 - Interview with Martin Fisher


This week Martin and Joseph sat down and talked about stress, burnout, and why Martin took a break for a while. 

Sep 15 2015

23mins


Rank #14: Episode 66: Episode 175 - RSAC Wrapup and More

Mar 08 2016

27mins


Rank #15: Episode 86: Episode 194 - Evaluating Security Product Vendors


Evaluating Security Product Vendors

In light of recent news about “Vendors Behaving Badly” we want to talk about how a security professional should evaluate vendors and their products.

Recent News:

Tanium exposed hospital’s IT while using its network in sales demos: https://arstechnica.com/security/2017/04/security-vendor-uses-hospitals-network-for-unauthorized-sales-demos/

Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance: https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/

  1. There are so many different sources of information about vendors and their products. You owe it to yourself to evaluate not just the vendor but also each source of information.
  2. Information Sources
    1. Analyst Firms: Gartner/Forrester/etc.
      1. Always remember they take a very generic view using a notional enterprise as the standard.
      2. Current customer interviews are important but, remember, those customer contacts likely came from the vendor.
      3. The perception of “Pay for Play” is there no matter how much the firms want to squelch that.
    2. 3rd Party Testing: NSS Labs, etc.
      1. These tests presume a lot, so make sure you understand what the conditions of the test were.
      2. The “Pay for Play” perception exists here too….
      3. The results of the testing aren’t specific but can help show outliers in a group.
    3. Podcasts
      1. Obviously your best and most relevant source of information. :-)
    4. Networking
      1. If you have developed a reliable network of peers you can reach out and ask folks. But, remember, buy them a beer for their troubles…
      2. Always remember perspective is everything. Some people just don’t like Company_Z and will always hate their products.
  3. Product Evaluation Rules
    1. Start with 3rd party data and demos. This will determine if your requirements (you did write out your requirements, right?) are met by the product.
    2. Do a PoC (Proof of Concept).
      1. Do not allow the vendor to drive the definition of “success” in a PoC.
      2. Try to break it. I mean REALLY try to break it.
      3. Remember, the PoC is going to be the best support and interaction you will ever get. If that sucks you might want to move along.
      4. Test all of your use cases. (You do have documented use cases, right?)
  4. Edge Cases
    1. Service providers such as penetration testers and MSSPs

Apr 27 2017

24mins


Rank #16: Episode 89: Episode 197 - After the Penetration Test


Episode 197 - After the Penetration Test 

We've kind of talked about how to choose your vendors, and we’ll get more into services soon, but we wanted to take some time to talk about penetration tests and especially what to do as they wrap up, how they affect the organization, and how you can manage your penetration tests to make sure they're actually effective.

  • Receiving the report
    • First and foremost, you are the customer. The report is not done until you say it is done.
      • That doesn't mean to massage the data, but you need to be sure that the penetration testers actually provided value.
    • If there isn't a solid executive summary, send it back. Period. Your testers should be able to summarize what they did, what they found, and what they think for your executives.
    • A Nessus or Burp scan is not a report. Ever.
    • Always ask “how did we do for this application/organization size” etc. You’re not just paying for someone to run Nessus on your network, you’re paying for their analysis. Ask for that.
  • Triaging the Results
    • Results rarely go to the same place in the organization. You might have findings for different teams, or entirely different parts of your org. Make sure they get to the right people.
    • Results may be inaccurate for your organization. A penetration tester isn't necessarily familiar with your organization’s risk profile, priorities, or anything else. What they mark as a medium may be a high or critical for you, or vice versa.
      • Example: Information disclosure in Healthcare is often rated much higher when triaging than in other types of businesses.
  • Working with the stakeholders
    • Work in systems that make sense to people that need to do the work. Rally, Jira, etc.
      • This can also give you traceability for when things are actually fixed.
    • Don’t dump on people in big group meetings, take the findings to the specific teams
      • That will give them time to develop a plan for the findings that are affecting them
  • Managing upwards
    • No matter how well or poorly the report is written, it’s still going to end up being your job to explain “how bad is this thing you handed me?”
    • Have to manage the findings and their perception upwards
      • Remediate, mitigate, or accept
      • That's an upper management call
  • Dealing with the Re-test
    • Most penetration tests have a clause in there for re-testing findings. Make sure you actually take advantage of that.
      • This looks good from both an actual security posture position and a management position
    • Some penetration testers will let you remediate quickly and have them re-test, which can be reflected in the final report
      • Especially if your report might be going to customers, this is incredibly useful. Take advantage of this if at all possible.

Jun 08 2017

26mins


Rank #17: Episode 95: Episode 203 - Evaluating Your Security Program: Threat Mapping


Show Notes

Episode 203 - Evaluating Your Security Program: Threat Mapping

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
  2. Start At The Outside and Move Your Way In
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  3. What is “Threat Mapping”?
    1. How is this different from threat modeling?
    2. Threat modeling is listing what could happen to you.
    3. Threat mapping is mapping the holes in your program.
  4. How To Get Started
    1. Must have an asset management program
      1. You can’t protect what you don’t know about
      2. This isn’t “I have a CMDB”. It’s actually taking actions based on what you know about what you have
    2. Understand what your “real” threats are
      1. Map assets to known threats
        1. Industry
        2. Entry points
        3. Technology
        4. Online threat maps
      2. What are you doing to know this?
      3. What controls do you currently have in place to mitigate or reduce the risk?
    3. Scope and prioritize - break down into areas to tackle
      1. Apps
      2. Infrastructure
      3. 3rd parties
      4. etc.
  5. How To Measure
    1. Scorecard (KRI)
      1. What is important and helpful
    2. Risk Registry
  6. How To Improve/Modify
    1. Use your risk registry or GRC tool to track progress and keep management updated. You need them onboard to improve.
    2. Once you have some areas mapped, don’t ignore them
    3. Implement solid change control and change management processes
    4. Keep risk scores updated so you aren’t focusing on unimportant things

Feb 13 2018

24mins


Rank #18: Episode 88: Episode 196 - WannaCry: Woulda, Coulda, Shoulda


SFS Podcast - Episode 196

WannaCry: Woulda, Coulda, Shoulda

First and foremost: Why was medical hit so hard by WannaCry? See Episode 189 - Medical Device Security and Risky Business 455 - https://risky.biz/RB455/

  1. The Lead-Up
    1. Threat Intelligence is A Thing
    2. Threat Intelligence is Hard
    3. Threat Intelligence Feeds are [REDACTED] for many/most
  2. When the Crisis Arrives
    1. Do…
      1. Stay Calm
        1. You have finite human resources
        2. You have finite time
      2. Prioritize Your Responses
      3. Know what all your tools can do and be ready to use them
        1. Episode 192 - Security Waste
      4. Know what area to focus on first
        1. Your Business Continuity Program can inform that
        2. You do have a BCP, right?
      5. Be willing to cut off an arm to save the body
      6. When you can, remember that Herd Immunity is a Thing.
    2. Don’t…
      1. Scare the Children
      2. Waffle in decision making
      3. Focus on what you can’t do
        1. This is not the time to point out for the millionth time that your patching program is suboptimal
        2. This is not the time to point out that if you’d only gotten that BlinkyBox last capital season this wouldn’t be an issue
      4. Overpromise
  3. The Aftermath
    1. Be sure you’re in Aftermath and not still in Crisis
    2. Do a Hot Wash and a full After Action Review/Post-Mortem
    3. Document your lessons learned and distribute them widely
    4. Follow Up, Follow Up, FOLLOW UP!!

May 25 2017

29mins


Rank #19: Episode 41: Episode 154 - Open Source Architecture w/@mubix


Martin & Steve get a chance to talk to Rob Fuller (@mubix) about his ideas on Open Source Architecture. It's a great conversation where you can see the idea grow in front of your own ears!

The link to the Open Source Architecture group is:

https://groups.google.com/forum/#!forum/ossag

Remember BSidesATL and BSidesLV!

Mar 03 2015

32mins


Rank #20: Episode 49: Apple and Privacy with Guillaume Ross


The show notes for this episode have some screenshots, see the website for the full notes:

http://www.southernfriedsecurity.com/apple-and-privacy-with-guillaume-ross/

Find us on Twitter: @SFSPodcast @jsokoly @gepeto42

Jun 09 2015

26mins


Episode 100: Episode 208 - All Good Things...


It's been 9 years and over 210 different content items since we started this thing in January of 2010.  As much as we hate it we feel it's time to end this project and start thinking about What Comes Next.

Don't worry - the episodes and website aren't going anywhere anytime soon so you'll still be able to download all the content.  We're also discussing some new ideas to stay engaged with the cybersecurity community so you'll want to keep this feed live on your podcast listening device to catch updates on where we are on that.

All of us would like to thank all of you for your support over the last 9 years.  This started as just something Andy, Steve, and Martin did because they 'had things to say and didn't even care if anybody listened' and it's grown into more than any of us could have imagined.  Joseph and Yvette joined them for the ride and added so much color and sparkle in every episode.

Thank you and we hope to be talking to you again.

Jan 11 2019

34mins


Episode 99: Episode 207 - On the Front Porch with Yvette and Brandon


It's another Front Porch episode! Yvette talks to her friend Brandon Clark as his first novel "Ransomware" is about to be released.  "Ransomware" is part of Brandon's "Killchain Chronicles" series that will be coming out over time. You can find the book here:  https://www.amazon.com/gp/product/1732651108/ We will be back soon with more great new content.

Aug 31 2018

31mins


Episode 98: Episode 206 - The Front Porch w/@wendynather @securityincite @jwgoerlich


Episode 206 - The Front Porch….

Welcome to the first of an occasional series of episodes featuring conversations with a variety of interesting people from both inside and outside of information security.

In this inaugural episode you get to listen to a dinner conversation between Wendy Nather, Mike Rothman, Wolfgang Goerlich, and Martin Fisher that happened in Atlanta at the Atlas Restaurant. We cover a lot of topics that I’m sure you’ll find interesting.

And, for the record, the “Aristocrat” cocktail at Atlas is something you must try.

I appreciate Duo Security and CBI for helping to make this dinner possible.

Jun 24 2018

1hr


Episode 97: Episode 205 - Live from BSides Atlanta!


We recorded this episode as the closing keynote at BSides Atlanta on May 5th, 2018.

We want to give a big round of thanks to the organizers, volunteers, sponsors, and attendees of BSides Atlanta for a great venue and event.  It was a great time and we hope to be there again next year.

May 08 2018

58mins


Episode 96: Episode 204 - Evaluating Your Security Program: Communications Plan


Episode 204 - Evaluating Your Security Program: Communications Plan

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
  2. Start At The Outside and Move Your Way In
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  3. Why Even Consider Communications?
    1. If Education & Awareness are how the employees engage the program, then Communications is how the management team engages the program
    2. In business life, like everywhere else, if people don’t know who you are or what you do then they aren’t going to be willing or able to support you in times of crisis or need
    3. The higher up in the org you want to communicate, the more deliberate your plan needs to be
  4. Determine the Audience(s)
    1. Each sub-org needs to be considered
      1. CIO-org
      2. CFO-org
      3. COO-org
      4. CMO-org
      5. CCO-org
    2. Notice that there is no “CEO-org”
      1. Unless you report to the CEO, the next person down in your chain is likely going to have to carry that water
      2. We will address the opportunities and dangers of directly engaging a CEO on some other podcast
  5. Leverage Existing Comms Before Inventing Something New
    1. Updated status reports are better than a ‘newsletter’
    2. Compelling progress reports (especially if validated by a third party) can be a huge gain
    3. If you invent something new it had better be hugely valuable
    4. “Communication is what the listener does”
  6. “But this is just playing politics!”
    1. Get over yourself
    2. Really.

Mar 12 2018

24mins


Episode 95: Episode 203 - Evaluating Your Security Program: Threat Mapping


Feb 13 2018

24mins


Episode 94: Episode 202 - Evaluating Your Security Program: Awareness & Education


Episode 202 - Evaluating Your Security Program: Awareness & Education

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
  2. Start At The Outside and Move Your Way In
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  3. Measuring Awareness & Education
    1. What do you think you do?
      1. Mandatory CBLs
      2. CyberCyberCyberStuff (Posters, Email, Swag)
      3. Briefings and Classes
      4. Phishing Awareness
      5. $NOVEL_IDEA
    2. How do you measure it?
      1. How many people is it designed to engage?
        1. Not how many people took the awareness, how many people were ENGAGED?
      2. How many people were actually engaged?
      3. How did they do? (CBL completions, % phished, reviews, etc.)
        1. If CBL_Completion = 15(clicks) then you may want to rethink that
        2. 0% phished is not a sign of a great security program...more likely a sign of a bad phishing program
        3. If there is no way to allow for anonymous reviews of training/briefings/etc. then you’re not likely to get fully honest reviews (Who wants to piss off security?)
      4. Are you being honest with yourself?
  4. Adjusting The Program
    1. Don’t change the measurement...change the program
      1. The key to long term success is consistently measuring the same thing over time
      2. You may want to update goals (up or down) but be able to explain why, especially if you are making the test easier
    2. Don’t make drastic changes until Year 3 unless you have to make drastic changes
      1. Big changes in delivery will skew the numbers in ways you likely will not like
      2. Constant large turmoil is counter to most corporate cultures
      3. Small changes take advantage of previous investments best
      4. “Iterate small and grow larger” - doing too much too fast almost always ends in highly suboptimal results over time
    3. Clearly failing components should be axed and replaced and not tweaked around the edges - especially if there’s a compliance or safety aspect
  5. If this feels like “Wash, Rinse, Repeat” it’s because it is “Wash, Rinse, Repeat”

Jan 29 2018

33mins


Episode 93: Episode 201 - Celebration


We're going to use this episode to allow the cast to talk about reaching 200 episodes and you'll hear what *really* happened on the Lost Episode.

We will be back in 2018 with more episodes.  Until then be well and stay secure!

Oct 11 2017

27mins


Episode 92: Episode 200 - Building a Security Strategy - Part III


Episode 200 - Building A Security Strategy - Part III

  1. Recap
    1. Strategy vs Policy
  2. The Question is “How do I make one?”
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  3. Capability = (Tech + Service) * Process
    1. Tech
      1. Tech, by itself, only consumes electricity and turns cool air into warm air
      2. So many choices….
      3. The tech selection is the least critical one for developing a capability
      4. http://www.southernfriedsecurity.com/episode-192-security-waste/
    2. Service
      1. This is the “Stuff You Have To Do”
      2. Usually determined by regulation, policy, or corporate edict
      3. Describes a desired outcome - not how to get there
      4. Examples include “Malware Detection”, “Email Security”
    3. Process
      1. How you do the crazy things you do
      2. Security is not a One-Off - things must be repeatable and consistent
    4. Capability
      1. Describes the value the team brings to the org
      2. While tech and service selection is important, the biggest improvement usually comes from better process
  4. Crawl, Walk, Run
    1. Armorguy’s Maxim of Life: “Start small and iterate larger”
    2. Try to do too much out of the gate and you WILL fail
    3. Define success criteria for each stage that allow for error and learning
  5. It Takes A Village
    1. Security cannot exist as an island
    2. Interdependence with business units is key - if you don’t have it, you are the foreigner and will be rejected
    3. The relationship with IT Operations is going to be wonky at first
  6. Strategy - It’s What CISOs Do…
    1. Where do you look for more info?

Sep 13 2017

26mins


Episode 91: Episode 199 - Building a Security Strategy - Part II

Podcast cover
Read more

Episode 199 - Building A Security Strategy - Part II

  1. Recap
    1. Strategy vs Policy
  2. The Question is “How do I make one?”
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  3. Understand the Business of Your Business
    1. Almost no business is in the business of information security
    2. Follow The Money
    3. Understand The Decisioning Process
    4. “Culture Eats Strategy For Breakfast”
    5. Vocabulary Matters
  4. Know Who Your Stakeholders Really Are
    1. Know the Formal and Informal Org Charts
    2. Influencers are as important as Deciders
    3. Beware the Spoiler
    4. “Culture Eats Strategy For Breakfast”
    5. Don’t Give a Vote or Veto Unnecessarily
  5. Culture Is The Key
    1. We will keep discussing this.
    2. Underestimating the power of culture WILL result in your plan failing
    3. That’s a majority of the reason that Strategy Is Hard

Aug 09 2017

28mins

Episode 90: Episode 198 - Building a Security Strategy Part 1

Episode 198 – Building a Security Strategy – Part 1

Strategy is the hardest thing a CISO will do in their career...except if they have to explain a massive breach…

  1. What is a Strategy?
    1. What’s the difference between a strategy and a policy?
      1. A policy is a set of binding statements
      2. A strategy is thought-out planning
    2. What a strategy isn’t…
      1. A list of tech you want to buy
      2. A remediation plan that follows an audit/assessment
      3. A continued justification for the way you’ve always done things
      4. The stuff your favorite vendor told you needs doing
    3. A strategy is…
      1. Based on the needs and desires of the org and its senior leaders
      2. Culturally relevant
      3. A guide to where investment (money and people) needs to be made
      4. Balanced between boldness and reassurance
      5. Built on a set of capabilities that map to business success criteria
  2. Why do you want one?
    1. Creates a consistent frame of reference for talking about the program
    2. Helps senior leaders understand the where/why of the investments
    3. Lays out a connected story for CFOrg to make budget less hard
    4. Provides a decision-making framework that enables effective choices
  3. How do I make one?
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village

In our next episodes we’ll break down each of the steps and talk more about strategy…

Jun 24 2017

25mins

Episode 89: Episode 197 - After the Penetration Test

Episode 197 - After the Penetration Test 

We've kind of talked about how to choose your vendors, and we’ll get more into services soon, but we wanted to take some time to talk about penetration tests and especially what to do as they wrap up, how they affect the organization, and how you can manage your penetration tests to make sure they're actually effective.

  • Receiving the report
    • First and foremost, you are the customer. The report is not done until you say it is done.
      • That doesn't mean to massage the data, but you need to be sure that the penetration testers actually provided value.
    • If there isn't a solid executive summary, send it back. Period. Your testers should be able to summarize what they did, what they found, and what they think for your executives.
    • A Nessus or Burp scan is not a report. Ever.
    • Always ask “how did we do for this application/organization size” etc. You’re not just paying for someone to run Nessus on your network, you’re paying for their analysis. Ask for that.
  • Triaging the Results
    • Results rarely go to the same place in the organization. You might have findings for different teams, or entirely different parts of your org. Make sure they get to the right people.
    • Results may be inaccurate for your organization. A penetration tester isn't necessarily familiar with your organization’s risk profile, priorities, or anything else. What they mark as a medium may be a high or critical for you, or vice versa.
      • Example: Information disclosure in Healthcare is often rated much higher when triaging than in other types of businesses.
  • Working with the stakeholders
    • Work in systems that make sense to people that need to do the work. Rally, Jira, etc.
      • This can also give you traceability for when things are actually fixed.
    • Don’t dump on people in big group meetings; take the findings to the specific teams
      • That will give them time to develop a plan for the findings that are affecting them
  • Managing upwards
    • No matter how well or poorly the report is written, it’s still going to end up being your job to explain “how bad is this thing you handed me?”
    • You have to manage the findings and their perception upwards
      • Remediate, mitigate, or accept
      • That's an upper management call
  • Dealing with the Re-test
    • Most penetration tests have a clause in there for re-testing findings. Make sure you actually take advantage of that.
      • This looks good from both an actual security posture position and a management position
    • Some penetration testers will let you remediate quickly and have them re-test, which can be reflected in the final report
      • Especially if your report might be going to customers, this is incredibly useful. Take advantage of this if at all possible.

Jun 08 2017

26mins

Play

Episode 88: Episode 196 - WannaCry: Woulda, Coulda, Shoulda

SFS Podcast - Episode 196

Wannacry: Woulda, Coulda, Shoulda 

First and foremost: Why was medical hit so hard by WannaCry? See Episode 189 - Medical Device Security and Risky Business 455 - https://risky.biz/RB455/

  1. The Lead-Up
    1. Threat Intelligence is A Thing
    2. Threat Intelligence is Hard
    3. Threat Intelligence Feeds are [REDACTED] for many/most
  2. When the Crisis Arrives
    1. Do
      1. Stay Calm
        1. You have finite human resources
        2. You have finite time
      2. Prioritize Your Responses
        1. Episode 192 - Security Waste
      3. Know what all your tools can do and be ready to use them
        1. Your Business Continuity Program can inform that
        2. You do have a BCP, right?
      4. Know what area to focus on first
      5. Be willing to cut off an arm to save the body
      6. When you can, remember that Herd Immunity is a Thing.
    2. Don’t…
      1. Scare the Children
      2. Waffle in decision making
        1. This is not the time to point out for the millionth time that your patching program is suboptimal
        2. This is not the time to point out that if you’d only gotten that BlinkyBox last capital season this wouldn’t be an issue
      3. Focus on what you can’t do
      4. Overpromise
  3. The Aftermath
    1. Be sure you’re in Aftermath and not still in Crisis
    2. Do a Hot Wash and a full After Action Review/Post-Mortem
    3. Document your lessons learned and distribute them widely
    4. Follow Up, Follow Up, FOLLOW UP!!

May 25 2017

29mins

Episode 87: Episode 195 - Annual Policy Review - Making it Worthwhile

Episode 195 - Annual Policy Review - Making It Worthwhile

  1. Define policy vs. standards vs. procedures
    1. What is a Policy? It is a guiding principle that sets the direction of an organization: high-level, governing statements. Do not include technical details.
      1. Example: Policy statement = Users must authenticate with a unique ID and password
      2. Standard: User passwords must be: # of characters, include one uppercase letter, one special character, be at least 10 characters in length. This type of information would go into an Access Control Standard.
    2. What is a Standard? Standards support the policy and make it more meaningful and effective.
    3. What is a Procedure? A procedure is a step-by-step how-to guide that ensures the end result is always the same. These are the steps for configuring your firewalls, setting up a new user, building a server, etc.
  2. Why review your policies?
    1. Every policy guide everywhere says you need to review your policies regularly, which almost always means annually.
    2. Failure to do the annual review can get you in hot water with your regulator and/or auditor.
    3. It just Makes Sense.
  3. Making Sense of Policy Review
    1. It’s the one time a year you can nudge the organization where it needs to go
      1. Past Problems
      2. Current Issues
      3. Future Challenges
    2. Killing off/modifying policies that get in the way of people doing work will Make Friends And Influence People
    3. There is no better way to ensure your team is working on what needs to be worked on than aligning with stated policy.
  4. The Review Process
    1. Alert The Approvers
    2. Line Them Up
    3. Divide and Conquer
    4. Bring The Business Into The Process
    5. As Needed Bring In
      1. Internal Audit
      2. Legal
      3. Risk
      4. Corporate Security
      5. IT
      6. Marketing / Public Relations
    6. Change Crosswalks FTW
    7. Communicate, Communicate, Communicate.
  5. Questions?
    1. Have a process to deal with questions. Route questions to the authoritative source for an answer - don’t answer stuff you can’t/shouldn’t
  6. Resources?

More Notes

  • Make sure what is being added is enforceable. This is a legal document and can be used in court. Statements support what is being done today, not what you would like to do or wish the program would do in the future.
  • Go back to those “parking lot” statements that were not added or were removed from a draft because you couldn’t enforce them at the time. Can they be added? Don’t lose sight of them if they are important to your security program.
  • Does the corporate culture / C levels support statements in the policy? As a security practitioner you may firmly believe that your security program must abide by certain policy statements, but the corporate culture or your CEO/CFO or even CISO may not support it. They may become “parking lot” items for a future version, or you may be able to successfully show that the program can support that statement without affecting the culture.
  • Legal is an important reviewer. It feels nitpicky during the review but Legal knows when “should” and “must” are appropriate.
  • Don’t reinvent the wheel. ISO 27001 is a good framework for your policy. Use it. Don’t try to come up with statements because you think you have to appear to be an Info Sec Policy God. KISS!
  • Don’t write standards and procedures in your policy! We’ve reviewed countless policies that had what we’d consider a standard, or “step by step instructions for making firewall changes”. That’s a procedure! Keep it out of your policy.

May 11 2017

34mins

Episode 86: Episode 194 - Evaluating Security Product Vendors

Evaluating Security Product Vendors

In light of recent news about “Vendors Behaving Badly” we want to talk about how a security professional should evaluate vendors and their products.

Recent News:

Tanium exposed hospital’s IT while using its network in sales demos: https://arstechnica.com/security/2017/04/security-vendor-uses-hospitals-network-for-unauthorized-sales-demos/

Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance: https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/

  1. Information Sources
    1. There are so many different sources of information about vendors and their products.  You owe it to yourself to evaluate not just the vendor but also each source of information.
    2. Analyst Firms:  Gartner/Forrester/etc
      1. Always remember they take a very generic view using a notional enterprise as the standard.
      2. Current customer interviews are important but, remember, those customer contacts likely came from the vendor.
      3. The perception of “Pay for Play” is there no matter how much the firms want to squelch that.
    3. 3rd Party Testing:  NSS Labs, etc.
      1. These tests presume a lot so make sure you understand what the conditions of the test were.
      2. The “Pay for Play” perception exists here too….
      3. The results of the testing aren’t specific but can help show outliers in a group
    4. Podcasts
      1. Obviously your best and most relevant source of information.  :-)
    5. Networking
      1. If you have developed a reliable network of peers you can reach out and ask folks.  But, remember, buy them a beer for their troubles…
      2. Always remember perspective is everything.  Some people just don’t like Company_Z and will always hate their products.
  2. Product Evaluation Rules
    1. Start with 3rd party data and demos.  This will determine if your requirements (you did write out your requirements, right?) are met by the product
    2. Do a PoC (Proof of Concept).
      1. Do not allow the vendor to drive the definition of “success” in a PoC
      2. Try to break it.  I mean REALLY try to break it.
      3. Remember during the PoC is going to be the best support and interaction you will ever get.  If that sucks you might want to move along.
      4. Test all of your use cases. (you do have documented use cases, right?)
  3. Edge Cases
    1. Service providers such as penetration testers and MSSPs

Apr 27 2017

24mins

Episode 85: Episode 193 - Chief Information Security Oh-Crap

Tonight's episode is all about those learning moments. 

CISOs and security orgs find new and interesting ways to screw up all the time.  Leaving that Any-Any rule in place on the new firewall…  Disabling the CEO’s account by accident…  Not realizing that Shadow IT had just installed a new egress point…

Here are our stories.  The names have been changed to protect the culpable.

Apr 13 2017

26mins

Episode 84: Episode 192 - Security Waste

Today's Topic: Security Waste - Buying new tools without maximizing use of current tool set

It’s not just a security problem but we often add to our arsenal without fully (or even mostly) utilizing the tools that we do have.

Problems associated with this are:

  • More complexity in your environment
  • Needing more staff or requiring current staff to stretch themselves thin to support differing tools
  • Increased cost (capital, operational, support)
  • Information overload - even with a SIEM more data requires more analysis
    • Increased chance of missing key events
    • Increased false positives
  • What am I missing?

How do we work through this when you’re not the decision maker?

  • “Operational Excellence” - Martin’s story

How do we work with our vendors to ensure that we are leveraging their tools without over dependence on one tool or vendor?

Mar 16 2017

27mins

Episode 83: Episode 191 - Gone Phishin'

The Southern Fried Security Podcast - Episode 191 - Gone Phishin’

Phishing your employees - Does it make them aware or do they feel mistrusted?

  1. Intro - Phishing - what is it typically?
    1. Example - Emails from a Prince in Nigeria, phished on Match.com, etc
  2. What about when you phish your employees to improve security?
    1. What is it? An email designed to get employees to click on suspicious links or give their credentials
    2. Discuss what I designed as part of my phishing campaign - Partnered with trusted vendor
    3. Designed an email, google doc, supplied AD user list, launch
    4. Stats from our phishing campaign
    5. How GMail caught it and started dumping the emails into spam, but some employees even went into spam and clicked (RSA breach!)
    6. Employees used Slack to warn others. Can you avoid neighbors leaning over the cube telling each other? Is this when “see something, say something” becomes a good thing? How do you get employees to follow it?
  3. What are the benefits of a targeted phishing campaign?
    1. How often?
    2. Do you target specific areas you know are susceptible (Ex - Marketing, Finance)
    3. What about Engineering? How do you trick them?
  4. How do you prevent employees from feeling that Security doesn’t trust them?
    1. Start with education first. Then to sanctions.
    2. Use to teach - not ridicule.
    3. C-Levels *have* to be part of it.
  5. People are still the weak link! Solutions and hardware can’t prevent that one user from clicking on a link that creates havoc for the company.
  6. Downsides?
    1. We blow holes in security to allow Phish email through.  What if the vendor gets compromised?

Mar 01 2017

29mins

Episode 82: Episode 190 - Burnout

Episode 190 - Burnout

  1. Intro
    1. Why the topic of burnout?
      1. Because it affects all of us, and yet it’s not talked about much in this field
      2. Disclaimer: We are not doctors. Or psychiatrists or psychologists. Nor did we stay in a Holiday Inn Express...
  2. Personal Connection
    1. Reason for sabbatical
    2. Martin’s story
  3. Recognizing Burnout
    1. Symptoms may mirror depression
      1. “The Creeping Malaise”
    2. Physical symptoms
      1. Weight
      2. Panic Attacks, etc
      3. Isolation - even while in a crowd
    3. It’s been around for a long time.  http://www.secburnout.org/ & http://www.slideshare.net/secburnout/burnout-in-information-security are from 2011/12
  4. Easy Traps
    1. “It won’t happen to me”
    2. “I just have to make it through this busy season and this end of quarter and the end of FY and…”
    3. “Everybody else is exactly the same…”
    4. Conferences are not vacations and shouldn’t be seen that way.  Cons can be very hard work.
  5. Mitigation Strategies
    1. Outdoor hobbies
      1. Just get outside and away from screens
    2. A physical community - people you can talk to in person
      1. http://www.newyorker.com/humor/daily-shouts/i-work-from-home
      2. http://theoatmeal.com/comics/running
    3. Exercise & diet
    4. Creating and enforcing boundaries (emotional and physical)
  6. What burnout isn’t…
    1. Not liking your job or employer  (that’s quite the opposite problem, actually)
    2. Just hard work for a little while
  7. Resources
    1. http://lisacongdon.com/blog/2016/12/on-burnout-and-the-slow-rebuilding/
  8. Outro

Feb 14 2017

31mins

Episode 81: Episode 189 - Bonus Track

In this inaugural bonus track we release the interview we did with Nick Selby (@nselby) on his experience validating the work of MedSec on St. Medical devices.

Feb 08 2017

33mins
