Cyber Security Dispatch

Updated 8 days ago

Cyber Security Dispatch brings you to the front lines of cyber security. In our podcast we interview leading experts and practitioners who are fighting attacks, securing systems, and exploring the cutting edge of cyber security and cyber warfare.

iTunes Ratings

7 Ratings (distribution: 7, 0, 0, 0, 0)

Surprisingly good.

By ChrisDiL - Mar 19 2018
The background noise in a few episodes was a bit off-putting, but then I realized it was recorded live at a conference. I guess that comes with the territory of interviewing interesting people. And it really wasn't that bad. By the way, did I mention how the people being interviewed are interesting? And the topics are interesting? And Andy is great in really getting people to talk about what they know, and just lets them talk. My final thing is that there is no super long intro/outro, which is much appreciated. If the episode is 29 minutes you are basically getting 28 minutes of quality interview and 1 minute of chit-chat. Highly recommended (at least the episodes I've listened to so far). Hopefully it gets even better from here.

Cool interviews

By nyc cyberguy - Mar 01 2018
Really interesting viewpoint on cyber security space

Cyber Security Dispatch

Latest release on Jan 29, 2019

The Best Episodes Ranked Using User Listens

Updated by OwlTail 8 days ago

Rank #1: From One CISO to Another, Get Back to the Basics - An Interview with Jaya Baloo CISO of KPN

Key Points From This Episode:
Learn more about the 2012 KPN hack and its impacts on cyber security today.
Riding the security rollercoaster: How to sustainably manage vulnerabilities and incidents.
Dealing with the known knowns, the known unknowns and the unknown unknowns…
How KPN works to reduce the window of opportunity for a potential hack to take place.
How KPN ensures that security becomes embedded across different organizations.
Jaya shares more about the impact of cyber security when it comes to saving lives.
Why companies need to get their basics right before adding on more security services.
KPN’s risk mitigation strategies and why Jaya believes that risk acceptance is pretty evil.
Learn more about KPN’s “dumb” tool and the information they decided to make open source.
Jaya shares more about the KPN CISO app and where you can download it for free.
Jaya’s candid advice to fellow CISOs and cyber-security product buyers out there today.
And much more!

May 30 2018

19mins

Rank #2: Keeping the Lights On - An Interview with Arthur House, Chief Risk Officer for The State of Connecticut.

Key Points From This Episode:
Arthur’s background in International Relations and role in the Obama administration.
The new challenge that cyber security poses to the state commission.
Highlights from the process behind the Connecticut cyber security report.
The meetings that followed this report process and what contributed to its success.
Differences between public utilities and the general business sector.
Responding to the ongoing and evolving challenge of cyber crime.
The idea of cyber resilience replacing that of security.
Better communication and cooperation across the board to aid this issue.
Responding to potential foreign threats and recovering from them in a timely way.
And much more!

Links Mentioned in Today’s Episode:
Arthur House — https://csi.uconn.edu/cyberseed-speakers-2017/arthur-house/
Connecticut Cyber Security Report — http://portal.ct.gov/Office-of-the-Governor/Press-Room/Press-Releases/2017/07-2017/Gov-Malloy-Releases-Cybersecurity-Strategy-for-Connecticut
C2M2 — https://www.energy.gov/oe/cybersecurity-critical-energy-infrastructure/cybersecurity-capability-maturity-model-c2m2-program
Eversource — https://www.eversource.com/content/
Avangrid — https://www.avangrid.com
Connecticut Water — https://www.ctwater.com/
Aquarion — http://www.aquarion.com/CT/
Dr. Ron Ross — https://www.nist.gov/people/ronald-s-ross
NIST — https://www.nist.gov/
Belfer Center — https://www.belfercenter.org/

May 07 2018

38mins

Rank #3: Security in the Cloud - An Interview with Ratinder Ahuja, CEO of ShieldX

Key Points From This Episode:
The beginnings of ShieldX and the time leading up to this.
The arrival of the cloud and the effect of ‘east-west’ security.
Implications of the lack of orchestration in traditional systems.
Reducing the total cost of ownership in addressing these scenarios.
Transferring the security of on-premise systems to the larger, cloud scale.
The logistics of migrating your security to any of the large cloud services.
The futility of an agent based approach to cloud security.
Compatibility and the platforms ShieldX supports.
Customer experience and how the service has been most widely utilized.
The three dimensional problem that ShieldX solves and secures.
Some information on ShieldX’s investors.
And much more!

Jun 04 2018

32mins

Rank #4: How Bad is IoT Security? - An Interview with Stephen Cobb and Tony Anscombe from ESET

Key Points From This Episode:
An introduction to our guests and their roles at ESET.
What brings our guests to RSA.
High detection, low maintenance and avoiding false positives.
Resistance to the cloud and what the slow migration means for security.
The obvious relationship between cyber security and the Internet of Things.
Practical and safe application of IoT in the home.
Targeted attacks and specific ransomware.
Looking at how these products in our homes can be leveraged by cyber criminals.
The benefits of complexity and putting the pieces together.
The reflected complexity of the criminal tactics.
The ongoing struggle even as security technology develops.
GDPR, cars that start with your phone and the future now.
Creating a ‘naughty list’ of companies to avoid?
And much more!

Jun 07 2018

29mins

Rank #5: The Current State Of Protecting Industrial Systems and Safeguarding Civilization Today - An Interview with Joe Slowik, Adversary Hunter at Dragos

Key Points From This Episode:
Learn more about Joe Slowik and his non-traditional CS background.
Joe gives his overview of the current thought around industrial controls.
Find out how we defend industrial control systems today.
How can attacks be actualized to impact an ICS environment?
Script locking and reevaluating credential storage and credential use.
Adopting a strategic perspective and designing network defense.
Discover more about the Purdue model and what this means for defense.
Tackling the misconception that the attacker only needs to get it right once.
Who is getting industrial control systems right, and what to aspire to.
Why we need to develop a more analytical approach to threat behavior.
How to empower individuals to respond and react to threats as they arise.
Learn more about the Dragos company motto of safeguarding civilization.
And much more!

Feb 07 2018

27mins

Rank #6: What The Future Of The Internet Looks Like and How We Can Secure It Humanely - An Interview with Andrea Little Limbago, Chief Social Scientist at Endgame

Key Points From This Episode:

Andrea's journey from academia to cyber security.
Why cyber security is also a retention challenge.
How companies can protect their employees from burnout.
What happened to the utopian idea of the internet?
State sovereignty and the balkanized internet, or “splinternet”.
The implications of China’s new social credit system.
Learn more about GDPR and the control over your own data.
Does Russia’s internet look different to the rest of the internet?
The effects of the cryptocurrency movement on cyber security.
Learn more about the Russia-China authoritarian model.
Will GDPR be successful in helping democracies move forward?
Discover what Endgame does and how it operates on a daily basis.
Find out what it’s like being a woman in cyber security today.
Fake news and cyber hacks and their effect on the political climate.
And much more!

Feb 12 2018

26mins

Rank #7: Air Gaps Are Like Unicorns - An Interview With Galina Antova

Introduction:

Welcome to another edition of Cyber Security Dispatch. This is your host, Andy Anderson. In this episode, Air Gaps Are Like Unicorns, we talk with Galina Antova, one of the co-founders of Claroty, a fast-growing security startup in the world of industrial control systems. She shares her experience working to protect these critical systems and the journey that led her to found Claroty.

Transcript:

Andy Anderson: Everybody sort of ends up in cyber security in kind of a unique way. Like I don't think there is a single kid who grows up being like, "I want to be a cyber security expert." What was your path into this biz?

Galina Antova: You're absolutely right, it was kind of like by accident to me. I started my career with IBM. So just the whole software development, security topic was fascinating. When I came across the industrial domain, it was basically the intersection of the stuff that runs the world and cyber security. And so I just became fascinated by that topic. And this is how I ended up just getting into it more and more, and eventually co-founding Claroty.

AA: So Claroty has sort of established itself as sort of a thought leader and sort of a category creator in this industrial control systems and SCADA systems. For somebody who is as immersed in that world, what's sort of happening there for people who, if they haven't been reading all of the hacker news?

GA:  Well I think that what happened over the last few years really allowed for the industry to become a real market opportunity. The thing that is not new and that is not easy to change is the security posture of those industrial control system environments. So, in the office environment, we're used to kind of changing our laptops every couple of years. You can't really do that in the industrial control system environment.

The lifecycle of those machines is 35, sometimes 40 years, and so we can't just rip and replace. So, you've got to work with existing infrastructure that, when that infrastructure was designed, security wasn't really a key requirement. That hasn't changed and that's kind of like one of the sources of the problem.

What has changed rapidly over the last few years is actually how interconnected those systems are. When the first PLCs were designed, they weren't actually meant to be connected to non-control networks. So the fact that we've got everything on networks now means that everything is interconnected so therefore, no “air gaps.” So you've got to find a way of actually monitoring that environment.

The third thing that has also changed significantly in the last couple of years, is that in terms of the threat landscape, first of all, I think a lot of folks have realized that those networks are critical; they are more valuable. Downtime can cost millions and an attack can damage expensive equipment or harm people. Once an attacker actually gets into the OT networks, from there on, they don't really need to exploit new or known vulnerabilities to cause damage. They can simply send legitimate commands, just leveraging the existing infrastructure and the existing commands to make changes to the process that can be catastrophic.

So the threat landscape, together with “insecure by design” industrial control systems, is what is actually creating the opportunity.

AA: Yeah, the sort of ability to really to cause physical harm is literally -

GA:  Exactly. The impact is completely different than that in the IT domain.

AA: Yeah, and to sort of looking at the backdrop against the security, which you're looking to improve, obviously if you've been in this space you've heard of Stuxnet; maybe you heard about kind of what was happening in Saudi Arabia, where things were happening with Saudi Aramco; maybe some of the other stuff that happened with WannaCry. For someone who is just coming to this space, how do you see this increase of threat level, particularly like the involvement ... Attribution is always hard but potentially nation states fall apart.

GA:  No, I'm not going to talk about attribution, because nowadays it is almost impossible to do. There are so many sophisticated ways in which you can do a false flag, so I'll leave that for other hosts to discuss. But really at the core of the issue is the fact that those networks are really, really, really valuable. Valuable in many different ways. Valuable because they could be used to cause physical damage; valuable because in many cases they actually hold some of the IP of those companies, for example the way a chemical company produces things.

So from that perspective, people will be people. I mean bad people will have interest in attacking industrial networks. Now it doesn't necessarily have to be a nation-state. There is “weaponized” malware available in the wild, so think of terrorists, think of all kinds of crazy people with agendas. I think what was proven over the last few years, starting with Stuxnet, is that it is possible to manipulate those networks. For many of those large companies, that had been the wake-up call, that industrial control systems could actually be manipulated so that it broke the process or equipment or could harm people.

AA: And when you think about essentially the security that you're layering on to their systems, is it in many cases just sort of a mirroring of what has happened on the more traditional IT systems? Like are you essentially just taking those models and those processes and those tools and essentially adapting them to the other side?

GA:  We're trying to do the complete opposite. And this goes against probably every kind of common sense advice that you would hear in the cyber security industry. But basically there is about a 10 year gap in the cyber security posture of IT networks and industrial networks. And so if we repeat the same cycle, it's not going to get us anywhere. What we try to do with our technology is get to the end result, not necessarily by applying the same security controls, because many of those security controls will not be relevant.

For example, something as simple and in many cases useless as anti-virus, is not even something that you can deploy on a controller because of the warranty issue. That's a real-time machine.

I don't need anti-virus on the controllers and I don't need some of the other measures that do not give me what I'm looking for, and are destructive to the network. So, what we've done is our approach is a completely passive data acquisition approach. We read the networks so we're transparent. That also means that the attackers cannot see us on the network. But because of the ability in which we understand those networks, and the protocols that are running those networks, we're basically able to detect the very first steps the attackers make. In cyber terms, we are able to detect attackers at the earliest stages of the “kill chain” so that we can stop them before they progress.

It's a different way of approaching the problem.

AA: Very cool. And essentially then, who ever is managing your system for a company is then able to, once they've been alerted that there may be an issue, do you guys get involved in sort of remediation or understanding what to do?  What's that next step?

GA:  Yeah, first of all for industrial control system networks, the ability to be able to see that something wrong is going on, it's a huge impact. Because right now the security teams are going into those networks completely blind. And if you look at any of the sophisticated attacks, I mean attackers were on those networks months, so that initial detection is kind of extremely key.

In terms of the remediation, it depends on what level of the network. So if something is detected at the really lower levels of the network, where the controllers actually operate the physical process, no one should automatically block traffic from an automatic technology perspective. That needs to be handled in a more manual way, otherwise you can break the operational process or cause a real safety issue.

If we see something from a higher level of the network, from the IT domain, then yes, absolutely. We actually integrate our technology with other security technologies that are able to then take action, based on that information and intelligence.

AA: Very cool. As you think about some of the systems that you're getting involved with, they really are literally critical infrastructure. It’s power plants and those sorts of things. How in that landscape, what do you see in terms of the interaction between both technology providers like yourself, industry, as well as sort of the government sector as well? Is there collaboration that's happening or is it really very silo separate?

GA: Well there is some collaboration but it's really hard to rely on the government or rely on a standards body, to kind of tell you what to do. I have a lot of respect for, and actually we're working with a lot of advisors centered around standards bodies. But standards creation and implementation take a long time and threat actors change tactics very quickly. And so we are creating a completely new paradigm of how to actually address the threat now.

When it comes to governments involvement with standards, I think that a lot of the large companies have just taken that into their own hands, because the government can really interfere with some of those attacks. And as you mentioned, early attribution is really hard.

AA: Yeah. Sort of switching gears, in terms of some of those major industrial players, I saw that you guys had some big partnerships recently. Schneider Electric.

GA:  Schneider Electric, and also Rockwell Automation. Yeah.

AA: Walk me through kind of like that process and what that was like and what that's sort of been able -

GA: It's a very long process because they go through a lot of checks now. But it's a great working relationship with all the industrial control system vendors that we're working with. First of all, I think that for us, it’s great to get the validation from them, that our technology works as intended and that it's not disrupting the industrial processes their customers are running, which is huge.

And secondly, they also leverage our technology to go to market, because in a real-world scenario, whether you're an oil and gas company or a large manufacturer, you don't just have one industrial control system, it’s better if you have all of them. And so our technology cuts across all of them, and so all of those partners can actually take this as a component and plug us into whatever cybersecurity offering they may have.

AA: I mean it's a related question, but as you think about getting installed in major systems, large corporates, you potentially begin to become a threat back to yourself, right, if you have access? So how do you handle those concerns?

GA:  Good question.

So one of the things that I mentioned is with our passive technology, we are actually completely out of band on the industrial network. So we don't exist to the attacker. The attacker would not see us as an IP on the network, etc. We're in stealth, so to speak in the network itself.

Now of course we go through the regular and kind of rigorous security testing in our own lab and have third parties audit our own technology. But the biggest thing is we're actually passive, we sit on a SPAN port, not inside the OT network and not installed on the systems within the network. So we don’t provide an attack vector for bad guys.

AA: So you're outside.

GA:  Yeah.

AA: Great. We've been covering a lot of stuff. Anything you want to go over specifically to talk about? Is there anything that you're like, "I've been waiting to sort of tell people about?"

GA:  No.

AA: Okay. Maybe in general sort of the IoT space, we've all seen the graph, like the number of devices and then it looks like a good investment return, right? Hockey stick. How do you think about that? Does that scare you? Does that excite you? Like there is just going to be everybody buying our stuff. From your perspective, how do you think about sort of a more connected world?

GA: Good question and actually I do want to say something now. It's actually a great thing that you guys are covering industrial cyber security. It’s been kind of like such an isolated domain, so to speak, that even amongst the overall cyber security industry it has been kind of isolated. So part of what we're trying to do is bring it into mainstream cyber security so that folks talk about it. For example, at the last DEF CON we did a workshop on ICS together with some of the partners. We’re educating the overall cyber security industry.

Now that kind of translates into your question about IoT. So IoT is everything. People can think of it as the networks that are running in nuclear power plants and then the intelligence in my toaster. So it's not really the same; there is a huge difference between what IoT is.

AA: Hopefully a different, more sophisticated system.

GA:  The way I think about it is that you cannot stop it. The interconnectivity is a good thing if you can actually leverage the power that that gives you. But you can't stop it, right? So the initial push back against security technologies in the ICS domain, was because we're just going to air gap them. Well, it's not practically possible and it's kind of the same thing with the IoT-- you are deploying sensors everywhere in your plant and leveraging that data for all sorts of things.

So I would say, for me, it's very exciting, because when everything is connected and everything is talking to each other, you can do so much more in terms of orchestration in how things flow. That being said, the more we think about security as a priority, and we bake it into the process, the better we'll be off. So it's a fact, you can't really change it.

AA: I mean gosh, having not been involved in industrial control systems to the level that you have, I sort of read about them from afar. But gosh, I didn't realize that the lifecycle was really 35-40 years, that long.

Are you seeing now that maybe the threat, the understanding of the potential threats, is increasing -- at least vendors and people who are involved are starting to think about building systems?

GA:  Oh they started that a long time ago. A few years ago, all of the ICS vendors already started being much more open about their vulnerabilities and how they cover them. But again you’ve got to think through the timeline of that, right? So okay, you're getting really serious about improving your security postures, so you started the design of your next controller. That design phase itself, in most cases, is a five year process. And then you launch it on the market and that doesn't mean that the large multinationals are going to go and rip and replace the billions of dollars of infrastructure that they have invested. It might be another 15 years before they actually have to operate.

So that being said, just last week I just came from probably one of the best, certainly the most technical, ICS cyber security conferences in the industry, S4X18 in Miami. And what we saw there was Schneider Electric talking openly about the recent incident on the Triconex safety system, which was just absolutely admirable. The fact that they're so transparent about that, engaging with the community is something that would not have happened 7-8 years ago.

So the fact that we're seeing vendors not just increase proactively their security, but being very open with the industry is a huge, huge step forward.

AA: Yeah, it is. A sea change in a community when there are problems that everyone has quietly known exists, suddenly -

GA: You might as well be upfront about it and show and tell the community what you're doing about it and how you're solving it.

AA: Yeah, sunshine cures a lot of ills for sure.

The session that you're in, you've made one of the best quotes I've ever heard, which was that, "Air gaps are like unicorns; lots of people talk about them, but we're not sure that we've ever actually seen one."

GA:  Especially in industrial control systems.

AA: Oh, that's hilarious.

So in general and part of the reason that this publication exists is, a lot of people talk about the problems, like what's wrong. And it's easy as a community whenever anybody's system goes down, pretty quickly that person get tarred and feathered. So we always try and talk about the positive, an actual focus on solutions. So what's working and who is doing a good job? Who is admirable right now? Whether that's yourself or partners or companies that you work with. You do not need to name names.

GA:  Actually, I'll take it from a different perspective. I think that one of the biggest changes that kind of enabled our industry to even exist is the fact that board-level members started paying attention and actually understanding what does it mean if they don't have cyber security for the industrial networks. So seeing that awareness at the board level, and then the board members asking the CEO, and then the CIO, to actually do something about it, creates the budget, which means that now we can actually solve the problem.

No problem is unsolvable, you just have to have kind of like a focus on it. I think that most of the large Fortune 500 companies that have industrial networks, and the vast majority of them do, even if it's not things that we think about. I mean this building has HVAC, and elevators and lighting; all of that is ICS, right?

So I think that the boards have done a really good job of asking the right questions. I think that specifically after WannaCry and NotPetya, when the security teams realized that, even though they're not targeted, some of that stuff can get into the shop floor. I think that was a huge wake-up call. And so we've seen quite a lot of interest after that. I think the security teams are also doing a good job of just asking practically, what they can do better in their networks.

AA: Some sort of quiet, stunning headlines after that, in terms of like what Maersk is saying they potentially lost.

GA:  And that was just the tip of the iceberg. That was just really a very small fraction of what actually happened behind the scene.

AA: We're really curious what happens, kind of post-GDPR, because I think maybe some changes before that, but just in terms of the disclosure requirements and timing. We just see a flood of more information come out because they're worried about otherwise getting huge [inaudible 00:18:43].

This has been great, just to sort of switch gears for a little bit. For people in the industry, what are you reading? What are you following? How do you kind of stay up?

GA: Good question. Every once in a while I try to read stuff that's not related to cyber security. Which you know, I kind of have to remind myself, because I think what kind of the time that we live in right now is so fascinating, and there is so much that could be done, that it just kind of keeps me up to date.

I actually talk to people. I'm privileged to have access to a lot of the smartest folks in cyber security, both on the technical side as well as the issues that they are facing; they're just tremendous challenges. What I tell a lot of my clients is that I never want to have their jobs because they have to be good all of the time and attackers just need to be good once in a while.

But I also work with some of the smartest folks that come from an offensive cyber background. And so a lot of exciting things on just how we think about technology and what we can do with technology. I try to talk to people, because otherwise there is just too much hype in the media, no offense but, right? There is just a lot of hype, especially when it comes to critical infrastructure and those control systems, because the general public does not understand it that well, and usually we see headlines of like the world's exploding or the US grid is going to come down, or something like that.

AA: If it bleeds, it leads, right?

GA:  Exactly.

AA: Cool. Yeah.  I mean that's most of what I wanted to cover. I mean thank you.

GA: Wait, well thank you for getting into that topic of industrial cyber security. Like I said, we need more education, not just for the general public, even for the folks that understand cyber in general really well. That's kind of a new domain.

AA: If people wanted to kind of check out any of your stuff, or see sort of what you're doing, where would you have them go?

GA: I think I’ve got most of the things that I write on LinkedIn, so probably they can check my page.

AA: Thank you so much.

Mar 26 2018

21mins

Rank #8: Who is Watching the Watchers - An Interview with Marton Illes of Balabit.

Key Points From This Episode:
Marton’s background and the current climate of privileged access management.
Managing the changing roles of privileges within hierarchical organizations.
How the inevitable shift to the cloud is changing cyber security concerns.
Who watches the watchers? What is the freedom of a super-user?
Points of friction within and outside organizations around admin roles.
The increasing space of AI and what that means for job creation.
The lack of development in cyber security skills due to increased AI roles.
Data regulation and balancing freedom with control.
Comparing Europe and the US and the influence of GDPR.
Who should be considering the option of security privileges?
And much more!

Jun 27 2018

21mins

Rank #9: Everybody’s Phishing - An Interview with Joe Gray of Advanced Persistent Security

Key Points From This Episode:
Learn more about phishing for awareness and what this entails.
How Joe helps companies set up phishing engagements against their employees.
Incident response and why phishing attempts are never going to be 100% effective.
Assuring those who have been phished that their credentials aren’t necessarily useable.
The difference between pen testing and red teaming in light of Haroon Meer’s work.
Why less black box pen testing and more white box red teaming could be the way.
How are organizations measuring both potential vulnerabilities and risk taking.
Compliance versus privacy versus security: Why GDPR is winter and winter is coming.
Learn more about national and international regulations for cyber security response.
Find out more about the threats out there today (like IoT) that are terrifying Joe.
Seriously, why would you need a Bluetooth controlled water heater in your home?
Hear more about the $29 Amazon home router that Joe easily attacked.
Why we need to go back to protecting people before protecting business.
Joe gives a few simple steps toward better cyber security in the home.
Learn more about using deceptive technologies and disinformation to secure yourself.
Disinformation, trolls and bots and their influence on the US election.
A current update on various state approaches to cyber security laws and bills.
The positive movements that Joe is seeing in the field of cyber security today.
And much more!

Jun 15 2018

24mins

Rank #10: Hacking The Pentagon - An Interview with Lisa Wiswell of Grimm & HackerOne

Key Points From This Episode:
Discover how Lisa entered the field of cyber security.
How Lisa came to work as a “bureaucracy hacker” at the Pentagon.
Learn more about the aims and direction of the DARPA program.
Lisa shares more about DARPA’s flagship program titled PlanX.
Find out more about the intricate links between Cybercom and the NSA.
Hear what Lisa believes is the problem with standards and compliance.
How to ensure mature cyber security ecosystems today? Lisa’s thoughts.
Hacking the Pentagon: How, why, when did this happen? Because it did.
Also, hacking the defense travel system, the Army and Air Force (twice).
How Hacking the Pentagon saved over a million dollars in defense.
The effects of the demonization of hackers in popular media today.
Why you cannot tell the world you are secure if you aren’t!
How Hack the Pentagon created a culture shift in security practices.
Lisa shares her view on vulnerability disclosure and policy.
See something, say something: The importance of reporting vulnerabilities.
And much more!

May 15 2018

37mins