Tag Archives: Security Nation

[Security Nation] Michael Daniel on the Cyber Threat Alliance

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/10/13/security-nation-michael-daniel-on-the-cyber-threat-alliance/

In this episode of Security Nation, Jen and Tod chat with Michael Daniel, president and CEO of the Cyber Threat Alliance (CTA), as well as a co-chair on the IST’s Ransomware Task Force. After discussing Michael’s career in cybersecurity with the US government, they talk about what makes information sharing so hard in the security space and how the CTA has addressed this challenge in its efforts to promote better threat intelligence.

Stick around for the Rapid Rundown – with Tod on holiday (AKA vacation), Jen brings on Rapid7’s public policy guru Harley Geiger. They chat about the Cyber Incident Reporting Act, which is likely headed to a Senate floor vote and, if passed, would bring major changes to the reporting requirements around cybersecurity events for owners and operators of critical infrastructure.

Michael Daniel

Michael Daniel serves as the President and CEO of the Cyber Threat Alliance (CTA), a not-for-profit that enables high-quality cyber threat information sharing among cybersecurity organizations. Prior to CTA, Michael served for four years as US Cybersecurity Coordinator, leading US cybersecurity policy development, facilitating US government partnerships with the private sector and other nations, and coordinating significant incident response activities. From 1995 to 2012, Michael worked for the Office of Management and Budget, overseeing funding for the US Intelligence Community. Michael also works with the Aspen Cybersecurity Group, the World Economic Forum’s Partnership Against Cybercrime, and other organizations improving cybersecurity in the digital ecosystem. In his spare time, he enjoys running and martial arts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

[Security Nation] Rob Graham on Mike Lindell’s Cyber Symposium

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/09/29/security-nation-rob-graham-on-mike-lindells-cyber-symposium/

In this episode of Security Nation, Jen and Tod chat with Rob Graham of Errata Security about his experience attending pillow magnate Mike Lindell’s Cyber Symposium, where Lindell claimed packet captures would reveal incontrovertible evidence of widespread fraud in the 2020 US presidential election. (Spoiler alert: Nothing resembling that description actually occurred at Lindell’s event.) An expert on packet captures, Graham recounts the Kafkaesque forensic logic behind the Cyber Symposium data — some of which was presented in a file type known to only a single living person — as well as the value of having real experts attend highly dubious events like this one.

Stick around for the Rapid Rundown, where Tod and Jen discuss Microsoft’s plan to turn off Basic Auth in Exchange Online next year and the Autodiscover bug that may have prompted the change.

Robert Graham

Rob Graham is a well-known cybersecurity expert. He created the BlackICE personal firewall, the first IPS, sidejacking, and masscan. He frequently speaks at conferences and blogs.

Show notes

Interview links

magnet:?xt=urn:btih:39a9590de21e77687fdf7eacee4dd743f2683d72&dn=cyber-symposium&tr=udp://9.rarbg.me:2780/announce

Rapid Rundown links

  • The original Bleeping Computer story on Microsoft shutting off Basic Auth
  • The related story about Amit’s Autodiscover bug finding that may have prompted the above
  • A somewhat early reference to some WPAD bugs
  • The earliest reference Tod could find about WPAD exploits… which happened to be written by the very same Tod back in 2009.

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

[Security Nation] Craig Williams of Cisco Talos on Proxyware

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/09/15/security-nation-craig-williams-of-cisco-talos-on-proxyware/

In this episode of Security Nation, Jen and Tod chat with Craig Williams, recently of Cisco Talos, about proxyware and integrating security acquisitions the right way. Along the way, they touch on the challenges of being a security communicator with an audience that extends beyond practitioners – and a few real-life stories of people who didn’t realize their cameras were spying on them.

Stick around for our Rapid Rundown, where Tod and Jen talk about the REvil ransomware gang’s return from “retirement” and how lagging adoption of EMV is leading to high-profile cases of ATM fraud.

Craig Williams

Craig Williams has always had a passion for learning how things operate – and circumventing security measures. His deep interest in security technology began with research into vulnerabilities, threats, and network detection techniques. His research over the past decade has included running global threat intelligence teams, malware labs, and trying to outwit the very security products he has helped design.

Show notes

Interview Links

  • Craig is on Twitter, but his OpSec is pretty tight, so good luck getting that follow back.
  • You can read up on Cisco Talos, and check their most recent post on proxyware here.

[Security Nation] Jill Fraser and Deborah Blyth on Securing Colorado

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/09/01/security-nation-jill-fraser-deborah-blyth/

In this episode of Security Nation, we chat with Deborah Blyth, CISO of the State of Colorado, and Jill Fraser, CISO for Jefferson County, Colorado. They tell Jen and Tod about their experience securing Colorado’s cyber infrastructure at a state-wide level, breaking down silos across the various local governments to come together on an integrated, long-term plan. They go through some of the challenges of funding, collaboration, and generating buy-in — as well as how the recent national focus on election security has impacted the state and local levels.

Stick around for the Rapid Rundown, where Tod and Jen discuss Firefox’s new feature blocking insecure downloads.

Jill Fraser

Jill Fraser is the Chief Information Security Officer for Jefferson County in Colorado, where she has worked for 9 years. Jill is responsible for managing the county’s enterprise cybersecurity program, which includes policy and procedure guidance, continuous improvement of incident response capabilities, end user awareness training, and risk management. She concentrates on ensuring the county’s security program is a business enabler by maintaining a sound cybersecurity strategy that supports county productivity, growth, and innovation.

Jill is an advocate for cross-organizational collaboration. She was one of the founding members of the Colorado Threat Intelligence Sharing (CTIS) network and is an active partner in the Whole of State cybersecurity program in Colorado (cooperatives formed to improve cybersecurity in Colorado, by Colorado). Additionally, she participates in a locals-only mentoring group that serves as a mechanism of peer support. She is the Chair of Colorado’s Homeland Security Senior Advisory Committee’s Cyber Subcommittee, and she is a member of the Multi-State Information Sharing and Analysis Center (MS-ISAC) Executive Committee.

Jill is an advocate for the development of programs that will improve local governments’ ability to secure their data and services within the limited budgets and staffing constraints most locals face. Jill has been in the information technology field for over 20 years and is a Certified Information Systems Security Professional (CISSP) as well as a Certified Chief Information Security Officer (C-CISO).

Deborah Blyth

Deborah Blyth is Colorado’s Chief Information Security Officer (CISO), with over 25 years of technology background and 15 years leading information security programs. As the CISO, she serves as the point of contact for all information security initiatives in Colorado, informing the state Chief Information Officer and executive agency leadership on security risks and the impacts of policy and management decisions on IT-related initiatives. Deborah is responsible for determining the strategic and tactical security direction for executive branch agencies, to meet established objectives.

Before joining the state of Colorado, Deborah led the Information Technology Security and Compliance programs at TeleTech (5 years) and Travelport (3 years). Deborah is a Colorado native and graduated summa cum laude with a Bachelor of Science degree from Regis University.

[Security Nation] Daniel Crowley on Running a Cybersecurity Internship

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/08/18/security-nation-daniel-crowley/

On the latest episode of Security Nation, we’re joined by Daniel Crowley, IBM X-Force Red’s Research Director — aka Global Research Baron (a title that delights Jen Ellis’s British sensibilities). Daniel tells Jen and Tod all about his team’s security research internship program, which gets undergrad and grad students involved in pentesting and other forms of research in real-world environments through a series of bootcamps. He also divulges some research project ideas for those looking to uncover vulnerabilities in hidden places — including your calendar invites.

Stick around for the Rapid Rundown, where Jen and Tod talk about DEF CON highlights, the Cyber Symposium non-findings, and — you guessed it — ransomware.

Daniel Crowley

Daniel is the primary author of the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool. In the security industry since 2004, he is a frequent speaker at conferences like Black Hat, DEF CON, Shmoocon and SOURCE. Daniel also holds the noble title of Baron in the Principality of Sealand.

[Security Nation] Richard Kaufmann on Cybersecurity in Home Healthcare

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/08/04/security-nation-richard-kaufmann/

In this episode of Security Nation, we’re joined (for the second time!) by Richard Kaufmann, CISO at Amedisys, a leading provider of home healthcare. He’ll tell us how his company’s aim to heal people at home coincided with hospitals filling up with COVID-19 patients — and how his role as CISO can help (cyber) secure that growing shift into home healthcare.

And stick around for our Rapid Rundown, where Tod spins a supply chain risk tale for Jen, specifically the drama surrounding the PyPI repository bug.

Richard Kaufmann

“It is now safe to turn off your computer.” For most of us, this simple message in the late ’90s was a reminder that the operating system processes had stopped and the circuits carrying all of the ‘1’s and ‘0’s were ready to be powered off. For me, it was my first foothold into the information-security arena. Starting at defacing that iconic .JPEG and advancing into running information-security teams across finance, healthcare, and manufacturing organizations, I’ve tried to remove a little bit of entropy in the world via simple solutions to complex problems.

A problem well defined is a problem half solved. In an environment where threat landscapes, frameworks, and shareholder value are constantly changing, the ability to fall back on the fundamentals of logic and computing has become a rare commodity. I like to work with those who have a similar appetite for challenging norms and thinking creatively. This methodology has manifested itself by creating a dialogue between executive non-technical leaders and the boots-on-the-ground engineers that keep enterprises safe from cyber threats. Currently, I’m focused on transforming the approach to cybersecurity within healthcare. By disrupting the “cult of security,” we can increase the quality of patient care, protect the privacy of the data those individuals entrust us with, and innovate for a more effective future.

My daughter is my biggest fan; I enjoy long walks with heavy backpacks; and that inner voice inside my head sounds just like David Goggins.

-Richard Kaufmann, Chief Information Security Officer, Amedisys

Show Notes

From the discussion with Richard:

  • Amedisys: Richard’s home healthcare employer
  • S02E06: Our first time around with Richard
  • S02E10: The mentioned episode with Oliver Day

[Security Nation] Philipp Amann on No More Ransom

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/07/28/security-nation-philipp-amann/

In this episode of Security Nation, we’re joined by Philipp Amann of Europol. Jen and Tod chat with Philipp about No More Ransom, a Europol-led effort to combat ransomware by providing technical means to unlock encrypted drives, covering dozens of ransomware kits from Alpha to Ziggy, as well as working with a bunch of countries’ national police forces around the world. Oh, and here’s a spoiler: NMR estimates they’re responsible for saving almost 1 billion dollars in ransom demands over its 5-years-and-counting run. Amazing! NMR also:

  • Features 121 decryption tools addressing 151 ransomware families
  • Has been downloaded approximately 6 million times
  • Saved victim orgs approximately $900 million in unpaid ransoms
  • Read more on NMR in Jen’s recent blog!

Tod and Jen then lament the COVID-19 situation in Las Vegas (stay safe and healthy out there, everyone!) and chat about the latest NTLM attack technique, dubbed PetitPotam. And new on the blog this week: show notes! Just head to the bottom of the page for all the references you could ever want.

Philipp Amann

Philipp Amann is the Head of Strategy at the European Cybercrime Centre (EC3). EC3 Strategy is responsible for assessing and acting on relevant trends and threats related to cybercrime and cybersecurity. Other key areas of responsibility include managing EC3’s industry advisory groups, prevention and awareness, and capacity building.

Philipp has worked in various fields; these include the financial sector, global disarmament, international investigations, and on issues related to safety and security in cyberspace, all topics about which he cares deeply.

[Security Nation] Brian Honan on creating Ireland’s first CERT

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/07/21/security-nation-brian-honan/

In this episode of Security Nation, we’re joined by Brian Honan of BH Consulting. Jen and Tod chat with Brian about his experience as a founder of Ireland’s first CERT, the continuing scourge of ransomware, and cyber warranties. They also go beyond all of the recent salacious breach headlines, discussing the need to highlight successes and positive happenings in cybersecurity.

And stick around for our Rapid Rundown, where Tod and Jen talk about the under-the-radar WifiDemon vulnerability affecting iPhones and iPads.

Brian Honan

Brian Honan is CEO of the cybersecurity and data protection firm BH Consulting, and he is recognised internationally as an expert on cybersecurity. He has acted as a special advisor to Europol’s European Cybercrime Centre (EC3), founded Ireland’s first CERT, and sits on the advisory boards of several innovative security companies.

Brian is the author of several books, and regularly contributes to various publications. For his contributions to the cybersecurity industry, Brian has been awarded the “SC Magazine Information Security Person of the Year” and was also inducted into the Infosecurity Hall of Fame.

[Security Nation] Jonathan Cran on demystifying startup funding for security companies

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/07/07/security-nation-jonathan-cran/

In this episode of Security Nation, we’re joined by Jonathan Cran. We wade into uncharted territory with Jonathan, as he claims the title of Security Nation’s first repeat guest! He returns with an update on his rapidly growing pandemic side project, Intrigue, which turned into a real attack surface management company with real funding and real customers!

Stick around for our Rapid Rundown, where Tod and Jen pointedly do not talk about the Kaseya breach and PrintNightmare, but instead, the Monpass breach and just how many certificate authorities you are implicitly trusting today.

Jonathan Cran

Jonathan Cran is a 20-year information-security veteran and expert. Based in Austin, Texas, his career has focused on security assessment, with leadership roles at Rapid7, Bugcrowd, and Kenna Security. He founded Intrigue Corp in 2019 to help enterprise customers map, monitor, and manage their attack surfaces. Intrigue provides proven, data-backed methods to stay ahead of threats.

Don Spies and Kim Grauer on tracking illicit Bitcoin transactions

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/06/23/don-spies-and-kim-grauer-on-tracking-illicit-bitcoin-transactions/

In this episode of Security Nation, we’re joined by Don Spies and Kim Grauer of Chainalysis. They discuss the relationship between ransomware and cryptocurrency and how Chainalysis leverages unique characteristics of the latter to combat the former.

Stick around for our Rapid Rundown, where Tod and Jen discuss a newly discovered, very old crypto vulnerability (and by crypto we mean encryption!) and take a look at election security news in the wake of literally hundreds of audits of polling results.

Kim Grauer

Kim Grauer is the Director of Research at Chainalysis, where she examines trends in cryptocurrency economics and crime. She was trained in economics at the London School of Economics and in politics at Oxford University. Previously, she explored technological advancements in developing countries as an academic research associate at the London School of Economics and was an economics researcher at the New York City Economic Development Corporation.

Don Spies

Don Spies is the Director of Strategic Initiatives for Chainalysis, where he works with federal agencies to address their cryptocurrency needs. This includes fighting terrorism, enforcing sanctions, and detecting money laundering. Previously, Don held various roles at the U.S. Department of the Treasury. He also spent 13 years as an Intelligence Officer in the U.S. Army Reserve.

Taking Inspiration from Our Security Nation in an Otherwise Uninspiring Year

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2020/12/28/taking-inspiration-from-our-security-nation-in-an-otherwise-uninspiring-year/

Well, what a year it has been. I won’t waste your time by recapping the many, many difficulties that 2020 has offered us, and instead, I will try to take a slightly different tack. While it has been a challenging (for some, truly hellacious) year, as we close it out, I’ve been trying out a little “Life of Brian” thinking and “looking on the bright side of life.”

I’m fortunate to be able to say that for me, 2020 was not all bad, in part due to the security community with whom I work every day and who have inspired me throughout the year. I’m lucky to be in a position to hear about many of the amazing things this community does, and in particular, I am grateful that I get to interview people for the Security Nation podcast, hearing about and helping share their amazing stories. In reflection of this, I’d like to share some of my own 2020 highlights and thank the community behind them. I’ve also invited some of our 2020 Security Nation guests to also share their highlights from the year.

Me first!

This is my blog post, so I’m going to share my highlights first 🙂 As I mentioned above, it all kind of comes down to the security community for me.

I’ll start with the security community’s response to the pandemic. We quickly saw the emergence of various volunteer efforts—for example, the CTI League and Cyber Threat Coalition formed in response to COVID-themed attacks. The people participating in these efforts mostly did so on their own time and dime to try to keep others safe during a truly difficult time. As has been much commented on, never has cybersecurity been more important than during a time when both critical health services and the economy at large were suddenly extremely reliant on the internet to function. To those security volunteers that helped make this increased reliance on the internet safer, thank you for everything you did and continue to do!

This volunteering spirit was reflected in our first Security Nation podcast episode of the year, which featured an interview with the amazing Chris Hadnagy, who shares his year’s highlights below. Chris joined us to talk about the Innocent Lives foundation, the nonprofit he founded to help tackle the issue of child exploitation on the internet. Hearing Chris talk about ILF and the work they are doing was incredibly moving and inspiring. If you haven’t done so, I encourage you to check out both the interview and the ILF website.

And speaking of Security Nation, the final 2020 highlight I will share with you is that being the host of this podcast is truly a privilege. Not because I get to inflict my questionable sense of humor and lack of articulation on unwitting listeners (that’s just a side perk), but because every episode we interview “someone cool doing something interesting to advance security.” Or some episodes, it’s someone interesting doing something cool to advance security. There may be some recurring themes here.

The point is that these people are amazing (wow, I found another adjective) and they are doing inspirational things. And there are a LOT of them. In fact, there’s kind of a whole Nation of them <cough cough>. The work they are doing differs depending on their role and area of focus, but their dedication and passion unites them and inspires me. Having the chance to learn from them and help them share their stories is truly something for which I am grateful.

The Security Nation podcast was started by my friend and former Rapid7er, Kyle Flaherty. When, some time after Kyle had moved on, I first started talking about hosting a podcast to showcase the huge diversity of effort and evolution being made in security, we searched for a new name to differentiate ourselves, but I couldn’t get away from this idea that we are all a nation—diverse in so many ways, but unified by a desire to drive security forward and protect others. We kept the name, I owe Kyle some drinks, and it has been my great honor to get to meet and interview the various members of this great Security Nation since.

So, as I look back on a stressful year, I am so grateful to all the amazing people working tirelessly to move security forward, and even more so, to have been able to share the stories and successes of some small number of them. A few of this year’s Security Nation guests have also shared their 2020 highlights below. Here’s to hoping 2021 will be an improvement and offer even more highlights!

Tod Beardsley, Security Nation Co-Host

Tod is Rapid7’s director of research and also my co-host for Security Nation. Importantly, he is The One That Actually Knows Things, which balances me out quite nicely. As well as keeping me on the straightish and narrowish in interviews, he also leads the “Rapid Rundown” section, where he provides his point of view on the main security news of the time. In sharing his highlights, Tod shamelessly hijacked this blog to promote his other podcasts:

Not to play me-too too much, but hosting Security Nation through 2020 has been a real career highlight for me—while we’ve been technically producing this podcast since the summer of 2019, I feel like it was this year we really hit our groove, thanks in large part to the Herculean (or Amazonian?) efforts of Bri Hand, our producer, and of course my co-host, Jen Ellis.

In fact, I’ve had so much fun working on this podcast, I’ve gotten myself in two others! Starting in 2021, I’ll be a regular on a brand-new podcast from the CVE Project, called “We Speak CVE,” wherein we talk about all sorts of issues and topics around vulnerability disclosure and enumeration and assignments of IDs and all that super deep-in-the-weeds technocratic stuff about CVE. We’ve got one or two episodes in the can right now, but no link for public downloads yet, so keep an eye out for that.

Almost wholly unrelated is another podcast that I started in the spring of 2020, mostly as a pandemic isolation hobby. It’s called “Podsothoth: A Lovecraft Book Club,” and in it, I read-slash-perform horror and science fiction stories written a hundred years ago by H.P. Lovecraft, and also talk about things related to those stories with my lovely and insightful wife, Claire Reynolds. You should listen to it. It’s so very gothnerdy and a nice break from the current state of affairs.

In other, non-podcast-related news, I got myself even more involved in election security, which is both personally and professionally important to me. That kicked off in earnest at my first-ever speaking engagement at ShmooCon, along with Casey Ellis, Kimber Dowsett, Amélie E. Koran, and Jack Cable, which was super fun and hopefully enlightening. There was a lot of doom considered, but also a lot of positivity and real-talk about the state of affairs in election-land. This ended up being so well-received that we revisited the topics at DEF CON’s Voting Village, which you can watch here (my part was recorded in my then-new isolation office in my garage), and we four still chat among ourselves and help keep each other sane through the news cycles.

Through these and other efforts through the year, I like to think that I helped a little bit (along with thousands of other election workers across the country) to make the Nov. 3, 2020 election “the most secure in American history,” to quote Chris Krebs at CISA.

Bri Hand, Security Nation Producer

Bri is the great unsung hero of the podcast, as she is the one that actually makes it happen and puts all the work in. She’s not as loud and opinionated as Tod and me (mostly me), but without her, there really would be no episodes making it to the internet.

I am the type of person who measures my success at work in how much I’ve learned and grown—and I have done a lot of both this year! After realizing that my current approach of learning about cybersecurity through blog-editing osmosis wasn’t quite cutting it, I signed up for an introductory course with IBM to experience the space in more of a classroom setting. The result was surprising. I realized simultaneously that I knew a lot more than I was giving myself credit for and that I would never know everything there is to know about the space—and that’s okay! Take that, imposter syndrome!

I also added “animated video” to my repertoire of content types, since shooting anything in person this year was obviously off the table. Writing and producing our “This One Time on a Pen Test” series and “Elf on the Stealth” HaXmas video was an absolute blast!

As always, I’m also so grateful to be able to work across Rapid7 and beyond to compile and share information out with the security community. Whether it was copyediting all 150 pages of our NICER report, publishing important news content about critical vulnerabilities, helping our Security Nation guests share their inspiring stories, or editing COVID cybersecurity safety blogs from the Orlando Airport on March 15 as I fled my ill-timed vacation, I feel especially privileged in my role here.

And while I won’t pretend that 2020 wasn’t the weirdest year of my life, on a personal level I have greatly appreciated the opportunity to slow down a bit and take stock of what really matters. It’s cheesy, but it’s true. Ditching my daily two-hour commute in favor of a much more manageable five-second one has freed me up to focus on activities that make me an all-around happier and better person—going on walks with my dog, flinging my limbs around in virtual Zumba, cooking, reading, and writing. This joy has easily bled into my work life, and I am now more of an advocate than ever on having work-life balance and not wearing burnout as a badge of honor.

Chris Hadnagy, Chief Human Hacker, Social-Engineer.com

As well as running Social-Engineer.com, Chris is also the founder of the Social Engineering Village and various conferences, author of numerous books, an adjunct professor at the University of Arizona, and founder and CEO of the Innocent Lives Foundation. Like many of the folks that come on Security Nation, I have no idea how Chris fits everything in—I’m tired just writing it all out!

Chris’ interview was published on Jan. 27, 2020, kicking off the year for Security Nation. He came on to tell us about the amazing work that he and many other security professionals are doing at Innocent Lives Foundation, working to combat online child exploitation.

In reflecting on 2020, Chris shared the following:

2020 was a year of personal and professional growth for me and my company. We grew more in 2020 than any previous year and we developed new and innovative ways to help secure our clients. I was also able to transfer a class I never thought could be taught online to a fully digital format and got great reviews on it. Overall, I am leaving 2020 with many things learned and new appreciation for the wonderful relationships that have helped me through the year.

Stephanie Helm, Director, MassCyberCenter

Stephanie runs the MassCyberCenter, which is tasked with building cyber resilience for Massachusetts, and establishing Massachusetts as a center for cybersecurity talent and development.

She joined us on the podcast—published on April 16, 2020—to share with us the progress her team has been making in building cybersecurity capabilities in municipalities across Massachusetts. When we recorded the interview, it was just starting to be clear that telehealth and remote working would be super important in 2020, and local government would play a critical role.  

Stephanie and the MassCyberCenter had a number of impressive highlights to call out for the year:

‘Tis the week before Christmas and MassCyberCenter is counting a surprising number of blessings, despite all the craziness in the world. Building on our partnership with the Cyber Resilient Massachusetts Working Group, this summer we virtually held a series of workshops on Cyber Incident Response Planning. We transitioned the Massachusetts Cybersecurity Month to a virtual extravaganza of cybersecurity education events plus a campaign of awareness addressing Life’s Work at Home! Finally, we established a Cybersecurity Mentorship Program, focusing on matching diverse cybersecurity college students with cybersecurity professionals. The pilot program wrapped up on Dec. 14 with an announcement that we will be able to continue an expanded version of the program in the spring. A very exciting achievement to promote an inclusive and talented cybersecurity workforce in Massachusetts. With our partners in cybersecurity, we hope 2021 will demonstrate improved resiliency within the state! Best wishes for a Happy New Year!

Katie Moussouris, CEO, Luta Security

2020 was a big year for Katie. Not only did her company, Luta Security, grow hugely, but Katie was also able to spend time raising awareness of, and support for, the need for equality in pay and better hiring and employment practices. Katie has been vocal about practicing what she preaches, sharing a number of the policies Luta has to build employee satisfaction and wellness.

Katie is a world-renowned expert on vulnerability disclosure, and she shared some of this incredible expertise with us during her interview, which was published on June 9, 2020. She also touched on the impact of the pandemic on security and her plans to tackle pay inequality. As you can see from her 2020 highlights, she made some serious strides in the latter.

This year has been full of surprises. A highlight for me was bringing my attempted class action gender discrimination lawsuit against Microsoft to an end in favor of starting the Pay Equity Now Foundation and the law center named after my late mother. This pandemic has revealed the truly insidious disparity between classes. It’s had a disproportionate effect on women and people of color, both health-wise and economically. We can choose to continue the current trajectory of pay equity for women in 50–205 years, depending on race, or we can decide together to fix it. Those on the right side of history are taking action and taking the Pay Equity Now Pledge. If 2020 taught us anything, it’s that we’re all in this together, and that massive changes can happen in the workplace overnight. Let’s prioritize pay equity as one of them.

Christian Wentz, CEO, CTO and Founder, Gradient

Christian is another one of those guests that makes me feel like I have done nothing with my life—a serial entrepreneur who made the transition from an electrical-engineering-applied-to-neuroscience background to founding Gradient Technologies, a company that is “building a trust fabric for the connected world.” So he’s tackling the small stuff, then.

During his interview—published on Sept. 25, 2020—Christian talked about his approach to building technology solutions that support a zero-trust approach. It sounds like 2020 has been a decent year for them, despite all the challenges.

In 2020, we grew our Boston office and expanded west with a beautiful San Francisco office, only to have a global pandemic push us to remote work. So, we’ve decided to turn this dumpster fire of a year into a 900-degree inferno for late-night rooftop pizzas to welcome our customers, partners, and Rapid7 friends in person. See you all in 2021!

So, this just leaves me to make an awkward sign-off, much as I do on every episode of the podcast. As usual, I will end with thanks, this time to all our wonderful 2020 guests and lovely listeners. If you are interested in subscribing to the podcast, you can do it here. If you would like to share your own 2020 highlights, please add a comment to the blog. Happy holidays!


Help Others Be “Cyber Aware” This Festive Season—And All Year Round!

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2020/12/17/help-others-be-cyber-aware-this-festive-season-and-all-year-round/


Are you tired of being the cybersecurity help desk for everyone you know? Are you frustrated with spending all your time securing your corporate environment, only to have to deal with the threat that snuck in through naive end-users? Are you new to security and wondering how you ended up here? This blog is for you!

Introducing the Cyber Aware Campaign

Every year, November and December tend to be awash with media articles sharing tips for “safe” online shopping, particularly around Cyber Monday. This has been compounded in 2020, a year characterized in cybersecurity by increased remote working, reliance on online and delivery services, and COVID-19-themed scams and attacks. Many have viewed 2020 as a hacker’s playground.

It’s in this setting then that the U.K. government has relaunched its Cyber Aware campaign to help internet citizens navigate the rocky shores of defending their digital lives. The campaign—which features TV, radio, and print ads, as well as various (virtual) events—offers six practical and actionable tips for helping people protect themselves online.

The tips are designed to be applicable to the broadest audience possible. They are not necessarily the most sophisticated security best practices, but rather (and very intentionally), they are fairly basic and applicable to a wide range of people. The list has been devised as the result of considerable development and testing: The U.K. government not only sought input from security experts, but also from nonprofits and civil society groups representing various constituent groups. This helped them ensure the tips would be practical for everyone from your granny to your favorite athlete (maybe they are the same person).

As with enterprise security, there is regrettably no silver bullet for personal security, so these tips will not make people completely invulnerable. However, they do focus on steps that are manageable and will meaningfully reduce risk exposure for individuals. The U.K. government has focused on finding a balance between being thorough and not alienating people from making the effort, hence settling on just six tips. Naturally, we prefer things that come in sevens, but this is a decent start. 😉

The tips

Four of the six tips focus on passwords and identity access management. This seems like a good choice; it’s extremely hard to change behavior such that people stop sharing personal information or clicking on links, but if you can make it harder for attackers to access accounts, that’s a good step toward meaningfully reducing risk.

So, let’s take a look at the actual tips…

  1. Use a strong and separate password for your email
  2. Create strong passwords using three random words
  3. Save your passwords in your browser
  4. Turn on two-factor authentication (2FA)
  5. Update your devices
  6. Back up your data
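To put some numbers behind tip 2, here is an added example (not code from the Cyber Aware campaign or the NCSC) that builds a three-random-word passphrase with a CSPRNG and compares its entropy with that of a short random password. The word list is a constructed toy list, and the 7776-word list size used in the comparison is an assumption (the size of common diceware lists), not something the campaign specifies.

```python
import math
import secrets

# Constructed sample word list for the demo; a real generator would load a
# large dictionary (thousands of words), which is what makes the scheme strong.
WORDS = [
    "anchor", "basket", "candle", "dragon", "engine", "forest", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orange", "pepper", "quartz", "rabbit", "saddle", "tunnel", "umpire",
    "violin", "walnut", "yellow", "zipper", "bridge", "cactus", "desert",
    "falcon", "glider", "helmet", "icicle",
]  # 32 words -> exactly 5 bits per word in this toy list


def three_random_words(words=WORDS, count=3, sep="-"):
    """Cyber Aware tip 2: join `count` words picked uniformly with a CSPRNG.

    The strength comes from the *random* choice, not from the words
    themselves, so `secrets` is used rather than `random`.
    """
    if len(set(words)) < 2:
        raise ValueError("word list must contain at least two distinct words")
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count=3):
    """Entropy of `count` independent uniform picks from `wordlist_size` words."""
    if wordlist_size < 2 or count < 1:
        raise ValueError("need at least two words and one pick")
    return count * math.log2(wordlist_size)


def charset_entropy_bits(length, charset_size):
    """Entropy of a `length`-character password drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def compare(wordlist_size=7776, count=3, pw_length=8, charset_size=26):
    """Return (passphrase_bits, password_bits, passphrase_is_stronger), rounded to 0.1."""
    p = passphrase_entropy_bits(wordlist_size, count)
    c = charset_entropy_bits(pw_length, charset_size)
    return round(p, 1), round(c, 1), p > c


if __name__ == "__main__":
    print("example passphrase:", three_random_words())
    # three words from a 7776-word list beat eight random lowercase letters
    print("3 words from 7776 vs 8 lowercase letters:", compare())
```

The comparison only holds when the words are chosen by the generator; words a person picks for themselves (pets, teams, places) carry far less entropy and are exactly what guessing tools try first.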

We recommend clicking on the links and taking a look at the full guidance. Or, for more information on the tips, how they were developed, and what the Cyber Aware campaign entails, check out this Security Nation podcast interview with the delightful Cub Llewelyn-Davies of the UK National Cyber Security Centre.

As a starting point or personal security baseline, this is a very decent list, and we hope it will have a meaningful impact in encouraging individuals to make a few small changes to protect themselves online.  

As overzealous security enthusiasts, though, we had to take it one step further. We’ve created a free personal security guide of our own that starts with the Cyber Aware steps, then offers additional advice for those that want to go further. We know that for the vast majority of internet users, even six steps feels like too many, but we also hold out hope that many people may be inspired to dig deeper or may just have more specific circumstances they need help with.

You can download the guide for free here. Maybe include it with your holiday cards this year—personal security is the gift that keeps on giving!

Why should you care about this?

If you are reading the Rapid7 blog, the chances are that you already think about security and are almost certainly taking these steps or some appropriate alternative to them (if only more websites accepted 50-character passwords, eh?). Nonetheless, even if you are a security professional, the need to educate others likely affects you. Maybe it’s because you’re sick of constantly being asked for security tips or assistance by family and friends. Maybe you just can’t handle reading more headlines about security incidents that could have been avoided with some basic personal security hygiene. Maybe you’re worried that no matter how diligently you work to protect your corporate environment, an attacker will gain a foothold through an unwitting end-user with access to your systems.

The point is that we are all engaging in the internet together. A better informed internet citizenry is one that makes the job of attackers slightly harder, reducing the potential opportunities for attackers and raising the bar of entry into the cybercrime economy. It’s not a revolution or that ever-elusive silver bullet that will save us all, but increasing even the basic security level of all internet citizens creates a more secure ecosystem for everyone. As security professionals, we should be highly invested in seeing that become a reality, so send the guide or Cyber Aware web page to your less security-savvy friends, family, and/or users today.

Help them become more Cyber Aware, and help create a safer internet for us all.
