Named one of the world's top information security podcasts, The Security Ledger Podcast offers in-depth interviews with the top minds in information (cyber) security. Hosted by Paul Roberts, Editor in Chief of The Security Ledger, each podcast is a conversation about the cyber security stories making headlines and about the most important trends in the information security space including security and the Internet of Things, the latest cyber threats facing organizations and new paradigms for securing data and devices. A must listen if "cyber" is your thing!
Episode 192: It’s Showtime! Are Local Governments Ready To Turn Back Election Hacks?
The 2020 election in the U.S. is less than a week away, and warnings about cyber threats to the vote are coming out with about the same regularity as polls of the presidential contest between Joe Biden and Donald Trump.
On October 9, for example, the FBI and DHS warned that so-called “Advanced Threat” actors were chaining together multiple vulnerabilities in an attempt to compromise federal, state and local government networks and elections organizations.
Rob Bathurst is the Chief Technology Officer at Digitalware.
Also this month, an outbreak of the DoppelPaymer ransomware affected elections infrastructure in Hall County, Georgia, disabling a database used to verify voter signatures when authenticating absentee ballots.
Which leads us to ask: despite years of warnings, are state and local governments ready for what Russia, Iran or any number of ransomware gangs have in store for them?
To help answer that question, we invited Rob Bathurst into the studio. Rob is the Chief Technology Officer at Digitalware, a Denver area company that specializes in risk analysis and risk management with Federal, state and local government and F500 companies.
In this conversation, Rob and I talk about the biggest cyber risks to state and local governments and how worried we should be about the warnings of cyber threats to election systems.
Vulnerabilities are just a reality in government networks, Rob says. The key is to avoid being surprised by attacks and also to ensure that you can keep voting systems and other critical systems available even if they are the target of an attack.
In this conversation, Rob and I talk about the bigger picture of cyber risk for federal, state and local governments. We also talk about incidents like the recent hack of government ERP provider Tyler Technologies.
Rob Bathurst is the Chief Technology Officer at the firm Digitalware. He was here talking to us about cyber risks in local governments and the risk to elections systems.
Shifting Compliance Left with Galen Emery of Chef
Galen Emery of Chef comes into the Security Ledger studios to talk about how security and compliance are "shifting left" with DEVSECOPS.
Episode 190: 20 Years, 300 CVEs. Also: COVID’s Lasting Security Lessons
In this episode of the podcast (#190), sponsored by LastPass, Larry Cashdollar of Akamai joins us to talk about how finding his first CVE vulnerability, more than 20 years ago, nearly got him fired. Also: Katie Petrillo of LastPass joins us to talk about how some of the security adjustments we’ve made for COVID might not go away any time soon.
[Full Transcript] | [Larry Cashdollar Transcript] | [Katie Petrillo Transcript]
When the so-called Zerologon vulnerability in Microsoft Netlogon surfaced in late September, word went out far and wide to patch the critical software hole, rated 10 out of 10 in severity. That job was made considerably easier by a number: CVE-2020-1472, the unique ID assigned to the hole under the Common Vulnerabilities and Exposures (CVE) system.
Larry Cashdollar is a Senior Security Response Engineer at Akamai
Created by MITRE more than 20 years ago, CVE acts as a kind of registry for software holes, providing a unique identifier and a criticality rating, as well as other critical information about all manner of software vulnerabilities. Today, it is a pillar of the information security world. But it wasn’t always that way.
20 Years and 300 CVEs Later…
With another Cybersecurity Awareness Month upon us, we decided to roll back the clock and talk about what life was like before the creation of the CVE system. To guide us, we invited Larry Cashdollar, a Senior Security Response Engineer at Akamai, into the studio. Larry is a veteran bug hunter with more than 300 CVEs to his name. In celebration of Cybersecurity Awareness Month, Larry talked to me about the first CVE he received, way back in 1998, for a hole in a Silicon Graphics Onyx/2 – and how discovering it almost got him fired. He also talks about what life was like before the creation of the CVE system and some of the adventures he’s had on the road to recording some of those 300 CVEs.
The New New Normal
Six months into a pandemic that most of us thought might last six weeks, it’s time to stop asking when things will return to normal and to start asking what the new normal will look like when the COVID virus is finally beaten.
Katie Petrillo is the manager of LastPass Product Marketing at LogMeIn.
Among the changes to consider are the shifts in the workplace that were expected to be temporary but are starting to look awfully permanent. Chief among them is the shift to “work from home” and remote work that has millions of Americans connecting to the office from their dining room tables or home offices.
The pandemic has sent a surge of business to companies like LogMeIn, which makes remote access and security tools for remote workers.
Podcast Episode 189: AppSec for Pandemic Times, A Conversation with GitLab Security VP Jonathan Hunt
The pandemic isn’t the only thing shaking up development organizations. Application security is a top concern and security work is “shifting left” and becoming more intertwined with development. In this podcast, Security Ledger Editor in Chief Paul Roberts talks about it with Jonathan Hunt, Vice President of Security at the firm GitLab.
Even before the COVID pandemic set upon us, the information security industry was being transformed. Security was long a matter of hardening organizations against threats and attacks. The goal was “layered defenses”: firewalls, gateway security servers and access control lists to provide a hardened network perimeter, and intrusion detection and endpoint protection software to protect IT assets within that perimeter.
Security Shifting Left
Jonathan Hunt is the Vice President of Security at GitLab
These days, however, security is “shifting left” – becoming part and parcel of the development process. “DEVSECOPS” marries security processes like code analysis and vulnerability scanning to agile application development in a way that results in more secure products.
That shift is giving rise to a whole new type of security firm, including the likes of GitLab, a web-based DevOps lifecycle tool and Git-repository manager that is steadily building its roster of security capabilities. What does it mean to be a security provider in the age of DEVSECOPS and left-shifted security?
Application Development and COVID
To answer these questions, we invited Jonathan Hunt, the Vice President of Security at GitLab, into the Security Ledger studio to talk about it. In this conversation, Jonathan and I talk about what it means to shift security left and marry security processes like vulnerability scanning and fuzzing with development in a seamless way.
We also discuss how the COVID pandemic has shaken up development organizations – including GitLab itself – and how the changes wrought by COVID may remain long after the virus itself has been beaten back.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email.
Spotlight Podcast: Intel’s Matt Areno – Supply Chain is the New Security Battlefield
In this Spotlight Podcast, sponsored by The Trusted Computing Group, we speak with Matthew Areno, a Principal Engineer in the Intel Product Assurance and Security (IPAS) group about the fast-changing landscape of cyber threats including attacks on hardware and software supply chains.
It’s funny that one of the most controversial stories about supply chain security, Bloomberg Businessweek’s scoop on “spy chips” on motherboards made by the firm Super Micro that infiltrated “more than 30 companies,” is remembered less for what it said than for the staunch denials it provoked.
Matthew Areno is a Principal Engineer in the Intel Product Assurance and Security (IPAS) group at Intel.
Whether or not that story was accurate, however, security experts have long agreed that the threat it describes is real – and growing. The deep reliance of the high tech industry on software and hardware supply chains that originate in nations like China has created the conditions for compromised technology to infiltrate U.S. homes, businesses and governments at all levels.
Unfortunately, the information security industry has been slow to respond. Companies spend billions of dollars on information security tools and technology every year. But much of that spending goes to fighting “the last war”: viruses, spam, application and denial-of-service attacks, and so on.
Cyber: Fighting the Last War
Our guest this week is here to tell you that those aren’t even close to being the only kinds of threats organizations need to worry about. Matthew Areno spent years conducting both offensive and defensive research at some of the most sophisticated and heavily targeted organizations in the world, Sandia National Labs in New Mexico and defense contractor Raytheon among them.
Areno, who now works at Intel, where he is a Principal Engineer in the Intel Product Assurance and Security (IPAS) group, says his work at companies that were in the crosshairs of nation-state actors opened his eyes to “what was possible” in cyber offense. It also taught him how organizations – even sophisticated ones – often fail to discern the full spectrum of possible attacks on their security, with dire consequences.
A Range of Supply Chain Threats
Supply chain attacks could run the gamut from degrading the performance of a sensor to exfiltrating sensitive data to denial of service attacks. “And these attacks can happen at any point in the lifecycle of these products,” Areno told me. That includes attacks on the design network that manufacturers use, attacks on shared or open source software components and – as with Super Micro – the introduction of malicious components during manufacturing, an issue that Areno said is still probably more hype than reality, even if component piracy and counterfeiting are not.
“When we’re sending our designs over the seas, how much confidence and how much trust do we have that what we sent to them is what we got back?” Areno wonders.
Spotlight Podcast: Dr. Zulfikar Ramzan on RSA’s Next Act: Security Start-Up
Thirty-eight years after it was founded, RSA Security is embarking on what may be its most challenging journey yet: cybersecurity startup. In this Spotlight Podcast, sponsored by RSA, we’re joined by Chief Digital Officer Dr. Zulfikar Ramzan to talk about the company’s path forward as an independent company.
The company, which was acquired by storage giant EMC back in 2006 and then became a part of Dell when that company acquired EMC in 2015, re-emerges as an independent company this week, more than six months after it was acquired by a group of investors led by Symphony Technology Group.
Zulfikar Ramzan is the Chief Technology Officer at RSA.
What does independence look like? What will RSA do with its newfound freedoms? And how does the challenging business environment created by the ongoing COVID pandemic figure into the company’s plans?
To find out, we invited Dr. Zulfikar Ramzan, RSA’s CTO, into the Security Ledger studio. In this conversation, Zulli talks about how RSA’s path forward is informed by the company’s pioneering past, starting all the way back in 1977, when three MIT researchers, Ron Rivest, Adi Shamir and Len Adleman, published research on a novel public key cryptosystem that took their name.
The Past Informing the Future
As Ramzan sees it, the daring and persistence of the founders – whose work helped create the modern Internet, but who initially had to contend with the limitations of contemporary hardware and software, not to mention Cold War era restrictions on the sale of cryptography technology outside the US – will serve as an inspiration to RSA as it looks to re-establish its leadership in a vastly altered technology and security landscape.
To start off, I asked Zulli to talk about RSA’s earliest days and what messages he and other company executives take from the company’s origins almost four decades ago.
(*) Disclosure: This podcast and blog post were sponsored by RSA Security. For more information on how Security Ledger works with its sponsors and on sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.
Customer Reviews
Excellent and informative
My go-to source for security trends and news, with a well-rounded selection of guests. Paul has an affable yet hard-hitting interview style and always gets the best out of his subjects.
Great cyber security podcast!
One of the best and most thoughtful podcasts on the cyber security space. Interviews with hackers, executives, activists and leading policy makers and academics. A 'must-listen' if information security is your thing!