Below the Surface (Audio) - The Supply Chain Security Podcast

Eclypsium
  • 0.0 (0)
  • TECHNOLOGY
  • UPDATED FORTNIGHTLY
Below the Surface (Audio) - The Supply Chain Security Podcast

A lively discussion of the threats affecting supply chain, specifically focused on firmware and low-level code that is a blind spot for many organizations. This podcast will feature guests from the cybersecurity industry discussing the problems surrounding supply chain-related issues and potential solutions. Get the Supply Chain Security Toolkit from Eclypsium here: https://eclypsium.com/go

  1. CVE-2024-54085: The First of Its Kind

    1 DAY AGO

    CVE-2024-54085: The First of Its Kind

    In this episode, the hosts delve into the critical vulnerabilities associated with Baseboard Management Controllers (BMCs), with a particular focus on CVE-2024-54085. They discuss the ease of exploitation, the potential threat actors involved, and the implications for data center security. The conversation highlights the challenges in detecting and mitigating these vulnerabilities, the importance of firmware updates, and the need for community tools to aid in vulnerability detection and mitigation. The episode concludes with a call to action for organizations to patch their systems and implement robust security measures. Chapters   00:00 Introduction to BMC Vulnerabilities 02:21 Exploring CVE 2024-54085 05:04 Understanding Exploitation and Threat Actors 07:47 The Implications of BMC Vulnerabilities 10:46 Mitigation Strategies and Challenges 13:35 The Future of BMC Security 28:36 Understanding BMC Vulnerabilities 36:24 The Importance of Disclosure and Community Tools 45:13 Navigating Firmware Updates and Vendor Challenges 52:19 Community Engagement and Future Considerations

    56 min
  2. Exploring the Evolution of Zero Trust

    2 DAYS AGO

    Exploring the Evolution of Zero Trust

    In this episode, the hosts discuss the evolving landscape of AI infrastructure security, focusing on the complexities of building and maintaining AI data centers. They explore the critical role of Baseboard Management Controllers (BMCs) as an attack surface, the importance of supply chain security, and best practices for hardware procurement. The conversation underscores the importance of validating hardware and firmware integrity for organizations while also addressing the significant security risks associated with AI workloads. As AI data centers continue to grow, understanding these challenges and implementing robust security measures will be essential for future success. Chapters   00:00 Introduction to Zero Trust and Its Evolution 03:33 Current State of Zero Trust Implementation 05:22 Micro-Segmentation and Infrastructure Security 10:02 Zero Trust and Lateral Movement Prevention 11:32 The Role of Zero Trust in Ransomware Defense 14:51 Chase Cunningham's Insights on Cyber Warfare 16:23 The Intersection of Cyber Warfare and Modern Conflicts 21:35 The Future of Warfare: Drones and Cybersecurity 24:01 Understanding the Drone Threat 28:28 The Evolution of Cyber Warfare 35:00 The State of Critical Infrastructure 39:26 The Economics of Breaches 44:29 Incentivizing Cybersecurity Improvements

    51 min
  3. Securing the Future of AI Infrastructure

    1 JUL

    Securing the Future of AI Infrastructure

    In this episode, the hosts discuss the evolving landscape of AI infrastructure security, focusing on the complexities of building and maintaining AI data centers. They explore the critical role of Baseboard Management Controllers (BMCs) as an attack surface, the importance of supply chain security, and best practices for hardware procurement. The conversation underscores the importance of validating hardware and firmware integrity for organizations while also addressing the significant security risks associated with AI workloads. As AI data centers continue to grow, understanding these challenges and implementing robust security measures will be essential for future success.

    1h 1m
  4. When Windows 10 Expires

    30 MAY

    When Windows 10 Expires

    In this episode, the hosts discuss the impending end of life for Windows 10 and the necessary preparations for upgrading to Windows 11. They explore the specific hardware requirements for Windows 11, including the importance of Secure Boot and TPM 2.0, and the challenges enterprises face in managing large-scale migrations. The conversation underscores the importance of meticulous planning to prevent costly failures and the influence of legacy systems on the upgrade process. In this conversation, the speakers discuss the implications of transitioning to Windows 11, focusing on the challenges posed by legacy systems, supply chain issues, and the importance of modern hardware for security. They delve into the Black Lotus UEFI boot kit and the necessary mitigations, emphasizing the need for organizations to validate their security controls and establish a robust trust framework. The discussion also highlights the growing importance of third-party risk management in cybersecurity, particularly in relation to supply chain security.

    54 min
  5. SBOMs, HBOMs, and Supply Chain Visibility

    15 MAY

    SBOMs, HBOMs, and Supply Chain Visibility

    Summary In this episode, Paul Asadoorian and Joshua Marpet delve into the complexities of compliance, inventory management, and the emerging concepts of SBOMs, HBOMs, and FBOMs (no, not that FBOM). They discuss the importance of understanding the components and origins of hardware and software, the challenges of managing technology lifecycles, and the need for clear standards and regulations in the tech industry. The conversation emphasizes the critical role of asset inventories in maintaining security and compliance in an ever-evolving technological landscape. In this conversation, Joshua Marpet and Paul Asadoorian delve into the complexities of hardware security, the cultural shifts needed in security practices, and the importance of transparency in software and firmware management. They discuss the challenges posed by hardware backdoors, the necessity of Software Bill of Materials (SBOMs), and the hidden risks associated with firmware updates. The dialogue emphasizes the need for a cultural change in how organizations approach security and compliance, advocating for continuous management and transparency to inspire confidence in security practices. Chapters 00:00 Introduction and Technical Challenges 02:02 Exploring Compliance and Frameworks 05:06 Understanding S-bombs, H-bombs, and F-bombs 10:10 The Importance of Inventory and Asset Management 15:01 Navigating Hardware and Software Lifecycle 19:58 Standards and Regulations in Technology 23:56 The Manchurian Microchip and Hardware Backdoors 27:44 Cultural Change in Security Practices 30:47 The Importance of Transparency and SBOMs 36:39 Challenges in Compliance and Risk Management 42:42 The Hidden Risks of Firmware and Hardware Updates

    45 min
  6. The Hidden Risks of Open Source Components

    6 MAY

    The Hidden Risks of Open Source Components

    In this episode, Paul Asadorian and Josh Bressers delve into the complexities of open source supply chain security, discussing the prevalence of open source components in modern software, the challenges posed by legacy systems, and the critical importance of vulnerability management. They explore the regulatory landscape surrounding software liability and the need for better tools and practices to ensure secure product development. The conversation highlights the necessity of understanding dependencies and the implications of consumer security in a market driven by features rather than security. In this conversation, Josh Bressers and Paul discuss the importance of Software Bill of Materials (SBOMs) in enhancing supply chain security and vulnerability management. They explore the role of metadata in programming languages like Go and Rust, the challenges of accurately identifying vulnerabilities through CVEs, and the need for better automation in vulnerability detection. The discussion also touches on the potential of AI in identifying vulnerabilities, the introduction of tools like SIFT and GRIPE for generating SBOMs and scanning for vulnerabilities, and the future implications of these technologies in software security.

    53 min
  7. Hardware Hacking Tips & Tricks

    7 APR

    Hardware Hacking Tips & Tricks

    In this episode, Paul and Chase delve into the world of hardware hacking, focusing on devices like the Flipper Zero and ESP32. They discuss the various applications of these tools, their impact on awareness in the hacking community, and the security implications surrounding their use. The conversation also touches on vulnerabilities in hotel security systems, challenges in remediating legacy systems, and the commoditization of hacking tools. Through practical examples and insights, the hosts explore the evolving landscape of cybersecurity and the role of hardware in it. In this conversation, Paul and Chase delve into the world of hardware hacking, discussing the accessibility of devices like the Flipper Zero and ESP32, the importance of supply chain security, and the real-world implications of vulnerabilities in firmware and bootloaders. They emphasize the need for validation in the supply chain and explore the growing interface between hardware hacking and enterprise risk.

    54 min
  8. BMC&C Part 3

    19 MAR

    BMC&C Part 3

    In this episode, Paul Asadoorian, Vlad Babkin, and Chase Snyder delve into the latest vulnerability disclosures related to Baseboard Management Controllers (BMCs), specifically focusing on AMI Megarac and Redfish. They discuss the nature of the vulnerabilities, the discovery process, and the potential impacts of a BMC compromise. The conversation highlights the importance of understanding BMCs in the context of supply chain security and the risks associated with exposing these components to the internet. The conversation delves into the vulnerabilities associated with Baseboard Management Controllers (BMCs), particularly focusing on the Redfish API and the potential for exploitation. The speakers discuss the implications of these vulnerabilities on hardware, the challenges faced by vendors in patching, and the importance of network segmentation and monitoring. They also highlight the limitations of logging and the effectiveness of Web Application Firewalls (WAFs) in this context. The discussion emphasizes the need for robust security measures to protect enterprise networks from potential attacks.

    49 min
See All (54)

About

A lively discussion of the threats affecting supply chain, specifically focused on firmware and low-level code that is a blind spot for many organizations. This podcast will feature guests from the cybersecurity industry discussing the problems surrounding supply chain-related issues and potential solutions. Get the Supply Chain Security Toolkit from Eclypsium here: https://eclypsium.com/go

Information

You Might Also Like

To listen to explicit episodes, sign in.

Stay up to date with this show

Sign in or sign up to follow shows, save episodes and get the latest updates.
Select a country or region

Africa, Middle East, and India

Asia Pacific

Europe

Latin America and the Caribbean

The United States and Canada