Tag Archives: Security Nation

[Security Nation] Brian Honan on creating Ireland’s first CERT

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/07/21/security-nation-brian-honan/


In this episode of Security Nation, we’re joined by Brian Honan of BH Consulting. Jen and Tod chat with Brian about his experience as a founder of Ireland’s first CERT, the continuing scourge of ransomware, and cyber warranties. They also go beyond all of the recent salacious breach headlines, discussing the need to highlight successes and positive happenings in cybersecurity.

And stick around for our Rapid Rundown, where Tod and Jen talk about the under-the-radar WifiDemon vulnerability affecting iPhones and iPads.

Brian Honan


Brian Honan is CEO of the cybersecurity and data protection firm BH Consulting, and he is recognised internationally as an expert on cybersecurity. He has acted as a special advisor to Europol’s Cybercrime Centre (EC3), founder of Ireland’s first CERT, and sits on the advisory board for several innovative security companies.

Brian is the author of several books, and regularly contributes to various publications. For his contributions to the cybersecurity industry, Brian has been awarded the “SC Magazine Information Security Person of the Year” and was also inducted into the Infosecurity Hall of Fame.


[Security Nation] Jonathan Cran on demystifying startup funding for security companies

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/07/07/security-nation-jonathan-cran/


In this episode of Security Nation, we’re joined by Jonathan Cran. We wade into uncharted territory with Jonathan, as he claims the title of Security Nation’s first repeat guest! He returns with an update on his rapidly growing pandemic side project, Intrigue, which turned into a real attack surface management company with real funding and real customers!

Stick around for our Rapid Rundown, where Tod and Jen pointedly do not talk about the Kaseya breach and PrintNightmare, but instead, the Monpass breach and just how many certificate authorities you are implicitly trusting today.

Jonathan Cran


Jonathan Cran is a 20-year information-security veteran and expert. Based in Austin, Texas, his career has focused on security assessment, with leadership roles at Rapid7, Bugcrowd, and Kenna Security. He founded Intrigue Corp in 2019 to help enterprise customers map, monitor, and manage their attack surfaces. Intrigue provides proven, data-backed methods to stay ahead of threats.


Don Spies and Kim Grauer on tracking illicit Bitcoin transactions

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/06/23/don-spies-and-kim-grauer-on-tracking-illicit-bitcoin-transactions/


In this episode of Security Nation, we’re joined by Don Spies and Kim Grauer of Chainalysis. They discuss the relationship between ransomware and cryptocurrency and how Chainalysis leverages unique characteristics of the latter to combat the former.

Stick around for our Rapid Rundown, where Tod and Jen discuss a newly discovered, very old crypto vulnerability (and by crypto we mean encryption!) and take a look at election security news in the wake of literally hundreds of audits of polling results.

Kim Grauer


Kim Grauer is the Director of Research at Chainalysis, where she examines trends in cryptocurrency economics and crime. She was trained in economics at the London School of Economics and in politics at Oxford University. Previously, she explored technological advancements in developing countries as an academic research associate at the London School of Economics and was an economics researcher at the New York City Economic Development Corporation.

Don Spies


Don Spies is the Director of Strategic Initiatives for Chainalysis, where he works with federal agencies to address their cryptocurrency needs. This includes fighting terrorism, enforcing sanctions, and detecting money laundering. Previously, Don held various roles at the U.S. Department of the Treasury. He also spent 13 years as an Intelligence Officer in the U.S. Army Reserve.


Taking Inspiration from Our Security Nation in an Otherwise Uninspiring Year

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2020/12/28/taking-inspiration-from-our-security-nation-in-an-otherwise-uninspiring-year/


Well, what a year it has been. I won’t waste your time by recapping the many, many difficulties that 2020 has offered us, and instead, I will try to take a slightly different tack. While it has been a challenging (for some, truly hellacious) year, as we close it out, I’ve been trying out a little “Life of Brian” thinking and “looking on the bright side of life.”

I’m fortunate to be able to say that for me, 2020 was not all bad, in part due to the security community with whom I work every day and who have inspired me throughout the year. I’m lucky to be in a position to hear about many of the amazing things this community does, and in particular, I am grateful that I get to interview people for the Security Nation podcast, hearing about and helping share their amazing stories. In reflection of this, I’d like to share some of my own 2020 highlights and thank the community behind them. I’ve also invited some of our 2020 Security Nation guests to also share their highlights from the year.


Me first!

This is my blog post, so I’m going to share my highlights first 🙂 As I mentioned above, it all kind of comes down to the security community for me.

I’ll start with the security community’s response to the pandemic. We quickly saw the emergence of various volunteer efforts—for example, the CTI League and Cyber Threat Coalition formed in response to COVID-themed attacks. The people participating in these efforts mostly did so on their own time and dime to try to keep others safe during a truly difficult time. As has been much commented on, never has cybersecurity been more important than during a time when both critical health services and the economy at large were suddenly extremely reliant on the internet to function. To those security volunteers that helped make this increased reliance on the internet safer, thank you for everything you did and continue to do!

This volunteering spirit was reflected in our first Security Nation podcast episode of the year, which featured an interview with the amazing Chris Hadnagy, who shares his year’s highlights below. Chris joined us to talk about the Innocent Lives foundation, the nonprofit he founded to help tackle the issue of child exploitation on the internet. Hearing Chris talk about ILF and the work they are doing was incredibly moving and inspiring. If you haven’t done so, I encourage you to check out both the interview and the ILF website.

And speaking of Security Nation, the final 2020 highlight I will share with you is that being the host of this podcast is truly a privilege. Not because I get to inflict my questionable sense of humor and lack of articulation on unwitting listeners (that’s just a side perk), but because every episode we interview “someone cool doing something interesting to advance security.” Or some episodes, it’s someone interesting doing something cool to advance security. There may be some recurring themes here.

The point is that these people are amazing (wow, I found another adjective) and they are doing inspirational things. And there are a LOT of them. In fact, there’s kind of a whole Nation of them <cough cough>. The work they are doing differs depending on their role and area of focus, but their dedication and passion unites them and inspires me. Having the chance to learn from them and help them share their stories is truly something for which I am grateful.

The Security Nation podcast was started by my friend and former Rapid7er, Kyle Flaherty. When, some time after Kyle had moved on, I first started talking about hosting a podcast to showcase the huge diversity of effort and evolution being made in security, we searched for a new name to differentiate ourselves, but I couldn’t get away from this idea that we are all a nation—diverse in so many ways, but unified by a desire to drive security forward and protect others. We kept the name, I owe Kyle some drinks, and it has been my great honor to get to meet and interview the various members of this great Security Nation since.

So, as I look back on a stressful year, I am so grateful to all the amazing people working tirelessly to move security forward, and even more so, to have been able to share the stories and successes of some small number of them. A few of this year’s Security Nation guests have also shared their 2020 highlights below. Here’s to hoping 2021 will be an improvement and offer even more highlights!

Tod Beardsley, Security Nation Co-Host

Tod is Rapid7’s director of research and also my co-host for Security Nation. Importantly, he is The One That Actually Knows Things, which balances me out quite nicely. As well as keeping me on the straightish and narrowish in interviews, he also leads the “Rapid Rundown” section, where he provides his point of view on the main security news of the time. In sharing his highlights, Tod shamelessly hijacked this blog to promote his other podcasts:

Not to play me-too too much, but hosting Security Nation through 2020 has been a real career highlight for me—while we’ve been technically producing this podcast since the summer of 2019, I feel like it was this year we really hit our groove, thanks in large part to the Herculean (or Amazonian?) efforts of Bri Hand, our producer, and of course my co-host, Jen Ellis.

In fact, I’ve had so much fun working on this podcast, I’ve gotten myself in two others! Starting in 2021, I’ll be a regular on a brand-new podcast from the CVE Project, called “We Speak CVE,” wherein we talk about all sorts of issues and topics around vulnerability disclosure and enumeration and assignments of IDs and all that super deep-in-the-weeds technocratic stuff about CVE. We’ve got one or two episodes in the can right now, but no link for public downloads yet, so keep an eye out for that.

Almost wholly unrelated is another podcast that I started in the spring of 2020, mostly as a pandemic isolation hobby. It’s called “Podsothoth: A Lovecraft Book Club,” and in it, I read-slash-perform horror and science fiction stories written a hundred years ago by H.P. Lovecraft, and also talk about things related to those stories with my lovely and insightful wife, Claire Reynolds. You should listen to it. It’s so very gothnerdy and a nice break from the current state of affairs.

In other, non-podcast-related news, I got myself even more involved in election security, which is both personally and professionally important to me. That kicked off in earnest at my first-ever speaking engagement at ShmooCon, along with Casey Ellis, Kimber Dowsett, Amélie E. Koran, and Jack Cable, which was super fun and hopefully enlightening. There was a lot of doom considered, but also a lot of positivity and real-talk about the state of affairs in election-land. This ended up being so well-received that we revisited the topics at DEF CON’s Voting Village, which you can watch here (my part was recorded in my then-new isolation office in my garage), and we four still chat among ourselves and help keep each other sane through the news cycles.

Through these and other efforts through the year, I like to think that I helped a little bit (along with thousands of other election workers across the country) to make the Nov. 3, 2020 election “the most secure in American history,” to quote Chris Krebs at CISA.

Bri Hand, Security Nation Producer

Bri is the great unsung hero of the podcast, as she is the one that actually makes it happen and puts all the work in. She’s not as loud and opinionated as Tod and me (mostly me), but without her, there really would be no episodes making it to the internet.

I am the type of person who measures my success at work in how much I’ve learned and grown—and I have done a lot of both this year! After realizing that my current approach of learning about cybersecurity through blog-editing osmosis wasn’t quite cutting it, I signed up for an introductory course with IBM to experience the space in more of a classroom setting. The result was surprising. I realized simultaneously that I knew a lot more than I was giving myself credit for and that I would never know everything there is to know about the space—and that’s okay! Take that, imposter syndrome!

I also added “animated video” to my repertoire of content types, since shooting anything in person this year was obviously off the table. Writing and producing our “This One Time on a Pen Test” series and “Elf on the Stealth” HaXmas video was an absolute blast!

As always, I’m also so grateful to be able to work across Rapid7 and beyond to compile and share information out with the security community. Whether it was copyediting all 150 pages of our NICER report, publishing important news content about critical vulnerabilities, helping our Security Nation guests share their inspiring stories, or editing COVID cybersecurity safety blogs from the Orlando Airport on March 15 as I fled my ill-timed vacation, I feel especially privileged in my role here.

And while I won’t pretend that 2020 wasn’t the weirdest year of my life, on a personal level I have greatly appreciated the opportunity to slow down a bit and take stock of what really matters. It’s cheesy, but it’s true. Ditching my daily two-hour commute in favor of a much more manageable five-second one has freed me up to focus on activities that make me an all-around happier and better person—going on walks with my dog, flinging my limbs around in virtual Zumba, cooking, reading, and writing. This joy has easily bled into my work life, and I am now more of an advocate than ever on having work-life balance and not wearing burnout as a badge of honor.

Chris Hadnagy, Chief Human Hacker, Social-Engineer.com

As well as running Social-Engineer.com, Chris is also the founder of the Social Engineering Village and various conferences, author of numerous books, an adjunct professor at the University of Arizona, and founder and CEO of the Innocent Lives Foundation. Like many of the folks that come on Security Nation, I have no idea how Chris fits everything in—I’m tired just writing it all out!

Chris’ interview was published on Jan. 27, 2020, kicking off the year for Security Nation. He came on to tell us about the amazing work that he and many other security professionals are doing at Innocent Lives Foundation, working to combat online child exploitation.

In reflecting on 2020, Chris shared the following:

2020 was a year of personal and professional growth for me and my company. We grew more in 2020 than any previous year and we developed new and innovative ways to help secure our clients. I was also about to transfer a class I never thought could be taught online to a fully digital format and got great reviews on it. Overall, I am leaving 2020 with many things learned and new appreciation for the wonderful relationships that have helped me through the year.

Stephanie Helm, Director, MassCyberCenter

Stephanie runs the MassCyberCenter, which is tasked with building cyber resilience for Massachusetts, and establishing Massachusetts as a center for cybersecurity talent and development.

She joined us on the podcast—published on April 16, 2020—to share with us the progress her team has been making in building cybersecurity capabilities in municipalities across Massachusetts. When we recorded the interview, it was just starting to be clear that telehealth and remote working would be super important in 2020, and local government would play a critical role.

Stephanie and the MassCyberCenter had a number of impressive highlights to call out for the year:

‘Tis the week before Christmas and MassCyberCenter is counting a surprising number of blessings, despite all the craziness in the world. Building on our partnership with the Cyber Resilient Massachusetts Working Group, this summer we virtually held a series of workshops on Cyber Incident Response Planning. We transitioned the Massachusetts Cybersecurity Month to a virtual extravaganza of cybersecurity education events plus a campaign of awareness addressing Life’s Work at Home! Finally, we established a Cybersecurity Mentorship Program, focusing on matching diverse cybersecurity college students with cybersecurity professionals. The pilot program wrapped up on Dec. 14 with an announcement that we will be able to continue an expanded version of the program in the spring. A very exciting achievement to promote an inclusive and talented cybersecurity workforce in Massachusetts. With our partners in cybersecurity, we hope 2021 will demonstrate improved resiliency within the state! Best wishes for a Happy New Year!

Katie Moussouris, CEO, Luta Security

2020 was a big year for Katie. Not only did her company, Luta Security, grow hugely, but Katie was also able to spend time raising awareness of, and support for, the need for equality in pay and better hiring and employment practices. Katie has been vocal about practicing what she preaches, sharing a number of the policies Luta has to build employee satisfaction and wellness.

Katie is a world-renowned expert on vulnerability disclosure, and she shared some of this incredible expertise with us during her interview, which was published on June 9, 2020. She also touched on the impact of the pandemic on security and her plans to tackle pay inequality. As you can see from her 2020 highlights, she made some serious strides in the latter.

This year has been full of surprises. A highlight for me was bringing my attempted class action gender discrimination lawsuit against Microsoft to an end in favor of starting the Pay Equity Now Foundation and the law center named after my late mother. This pandemic has revealed the truly insidious disparity between classes. It’s had a disproportionate effect on women and people of color, both health-wise and economically. We can choose to continue the current trajectory of pay equity for women in 50–205 years, depending on race, or we can decide together to fix it. Those on the right side of history are taking action and taking the Pay Equity Now Pledge. If 2020 taught us anything, it’s that we’re all in this together, and that massive changes can happen in the workplace overnight. Let’s prioritize pay equity as one of them.

Christian Wentz, CEO, CTO and Founder, Gradient

Christian is another one of those guests that makes me feel like I have done nothing with my life—a serial entrepreneur that made the transition from an electrical-engineering-applied-to-neuroscience background to founding Gradient Technologies, a company that is “building a trust fabric for the connected world.” So he’s tackling the small stuff, then.

During his interview—published on Sept. 25, 2020—Christian talked about his approach to building technology solutions that support a zero-trust approach. It sounds like 2020 has been a decent year for them, despite all the challenges.

In 2020, we grew our Boston office and expanded west with a beautiful San Francisco office, only to have a global pandemic push us to remote work. So, we’ve decided to turn this dumpster fire of a year into a 900-degree inferno for late-night rooftop pizzas to welcome our customers, partners, and Rapid7 friends in person. See you all in 2021!

So, this just leaves me to make an awkward sign-off, much as I do on every episode of the podcast. As usual, I will end with thanks, this time to all our wonderful 2020 guests and lovely listeners. If you are interested in subscribing to the podcast, you can do it here. If you would like to share your own 2020 highlights, please add a comment to the blog. Happy holidays!



Help Others Be “Cyber Aware” This Festive Season—And All Year Round!

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2020/12/17/help-others-be-cyber-aware-this-festive-season-and-all-year-round/


Are you tired of being the cybersecurity help desk for everyone you know? Are you frustrated with spending all your time securing your corporate environment, only to have to deal with the threat that snuck in through naive end-users? Are you new to security and wondering how you ended up here? This blog is for you!

Introducing the Cyber Aware Campaign

Every year, November and December tend to be awash with media articles sharing tips for “safe” online shopping, particularly around Cyber Monday. This has been compounded in 2020, a year characterized in cybersecurity by increased remote working, reliance on online and delivery services, and COVID-19-themed scams and attacks. Many have viewed 2020 as a hacker’s playground.

It’s in this setting then that the U.K. government has relaunched its Cyber Aware campaign to help internet citizens navigate the rocky shores of defending their digital lives. The campaign—which features TV, radio, and print ads, as well as various (virtual) events—offers six practical and actionable tips for helping people protect themselves online.

The tips are designed to be applicable to the broadest audience possible. They are not necessarily the most sophisticated security best practices, but rather (and very intentionally), they are fairly basic and applicable to a wide range of people. The list has been devised as the result of considerable development and testing: The U.K. government not only sought input from security experts, but also from nonprofits and civil society groups representing various constituent groups. This helped them ensure the tips would be practical for everyone from your granny to your favorite athlete (maybe they are the same person).

As with enterprise security, there is regrettably no silver bullet for personal security, so these tips will not make people completely invulnerable. However, they do focus on steps that are manageable and will meaningfully reduce risk exposure for individuals. The U.K. government has focused on finding a balance between being thorough and not alienating people from making the effort, hence settling on just six tips. Naturally, we prefer things that come in sevens, but this is a decent start. 😉

The tips

Four of the six tips focus on passwords and identity access management. This seems like a good choice; it’s extremely hard to change behavior such that people stop sharing personal information or clicking on links, but if you can make it harder for attackers to access accounts, that’s a good step toward meaningfully reducing risk.

So, let’s take a look at the actual tips…

  1. Use a strong and separate password for your email
  2. Create strong passwords using three random words
  3. Save your passwords in your browser
  4. Turn on two-factor authentication (2FA)
  5. Update your devices
  6. Back up your data
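Tip 2 rests on a simple piece of arithmetic: a passphrase built from words chosen uniformly at random has an entropy of (number of words) × log2(size of word list), and the guarantee only holds when the words are picked by a random source rather than by a person. The generator below is an added example, not code from the original post or from the Cyber Aware campaign; the word list `SAMPLE_WORDS` is constructed for illustration, and the 7776-word list size used in `compare()` is an assumption standing in for a typical published diceware-style list.

```python
"""Three-random-words passphrase generator with an entropy estimate.

Added example for the Cyber Aware tip above; it is not the campaign's own
code. SAMPLE_WORDS is a constructed list, and the list sizes passed to
compare() are assumptions, not values taken from the post.
"""
import math
import secrets

# Constructed, deliberately small sample list. A real generator must use a
# large published list (thousands of words) so each word contributes many bits.
SAMPLE_WORDS = [
    "amber", "basket", "cactus", "dolphin", "engine", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
]


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy (bits) of a secret made of `positions` independent, uniform picks,
    each from `choices_per_position` options. Valid only for truly random picks."""
    if choices_per_position < 2 or positions < 1:
        raise ValueError("need at least two choices and one position")
    return positions * math.log2(choices_per_position)


def generate_passphrase(wordlist, num_words: int = 3, separator: str = "-") -> str:
    """Join `num_words` words drawn with the OS CSPRNG (secrets), never `random`."""
    unique = sorted(set(wordlist))  # duplicates would skew the distribution
    if len(unique) < 2:
        raise ValueError("word list too small")
    if any(separator in w for w in unique):
        raise ValueError("separator must not appear inside a word")
    return separator.join(secrets.choice(unique) for _ in range(num_words))


def is_valid_passphrase(phrase: str, wordlist, num_words: int = 3, separator: str = "-") -> bool:
    """Check that a phrase is exactly `num_words` words, all from the list."""
    allowed = set(wordlist)
    parts = phrase.split(separator)
    return len(parts) == num_words and all(p in allowed for p in parts)


def compare(list_size: int = 7776, num_words: int = 3, pw_len: int = 8, alphabet: int = 62) -> dict:
    """Entropy of a random word passphrase next to a random alphanumeric password
    of a given length. Both figures assume uniform random choice; a human-chosen
    password of the same length is far weaker and cannot be scored this way."""
    return {
        "passphrase_bits": round(entropy_bits(list_size, num_words), 1),
        "random_password_bits": round(entropy_bits(alphabet, pw_len), 1),
    }


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, is_valid_passphrase(phrase, SAMPLE_WORDS))
    print(compare())
```

The comparison makes the practical point behind the tip visible: with a large list, three random words give a secret in the same range as a random eight-character password while being far easier to remember, and adding a fourth word adds another log2(list size) bits. The entropy figures say nothing about passwords a person chose, which is exactly why the tip specifies random words.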

We recommend clicking on the links and taking a look at the full guidance. Or, for more information on the tips, how they were developed, and what the Cyber Aware campaign entails, check out this Security Nation podcast interview with the delightful Cub Llewelyn-Davies of the UK National Cyber Security Centre.

As a starting point or personal security baseline, this is a very decent list, and we hope it will have a meaningful impact in encouraging individuals to make a few small changes to protect themselves online.

As overzealous security enthusiasts, though, we had to take it one step further. We’ve created a free personal security guide of our own that starts with the Cyber Aware steps, then offers additional advice for those that want to go further. We know that for the vast majority of internet users, even six steps feels like too many, but we also hold out hope that many people may be inspired to dig deeper or may just have more specific circumstances they need help with.

You can download the guide for free here. Maybe include it with your holiday cards this year—personal security is the gift that keeps on giving!

Why should you care about this?

If you are reading the Rapid7 blog, the chances are that you already think about security and are almost certainly taking these steps or some appropriate alternative to them (if only more websites accepted 50-character passwords, eh?). Nonetheless, even if you are a security professional, the need to educate others likely affects you. Maybe it’s because you’re sick of constantly being asked for security tips or assistance by family and friends. Maybe you just can’t handle reading more headlines about security incidents that could have been avoided with some basic personal security hygiene. Maybe you’re worried that no matter how diligently you work to protect your corporate environment, an attacker will gain a foothold through an unwitting end-user with access to your systems.

The point is that we are all engaging in the internet together. A better informed internet citizenry is one that makes the job of attackers slightly harder, reducing the potential opportunities for attackers and raising the bar of entry into the cybercrime economy. It’s not a revolution or that ever-elusive silver bullet that will save us all, but increasing even the basic security level of all internet citizens creates a more secure ecosystem for everyone. As security professionals, we should be highly invested in seeing that become a reality, so send the guide or Cyber Aware web page to your less security-savvy friends, family, and/or users today.

Help them become more Cyber Aware, and help create a safer internet for us all.

