64 episodes

The Cybersecurity Readiness Podcast Series serves to have a reflective, thought-provoking and jargon-free discussion on how to enhance the state of cybersecurity at an individual, organizational and national level. Host Dr. Dave Chatterjee converses with subject matter experts, business and technology leaders, trainers and educators, and members of user communities. He has been studying cybersecurity for over a decade. He has delivered talks, conducted webinars, consulted with companies and served on a cybersecurity SWAT team with CISOs. He is an Associate Professor of Management Information Systems at the University of Georgia and Visiting Professor at Duke University.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

The Cybersecurity Readiness Podcast Series Dr. Dave Chatterjee

    • Business
    • 5.0 • 2 Ratings


    Securing Application Programming Interfaces (APIs)

    Application Programming Interfaces (APIs) play a vital role in modern software development, enabling the integration of services and facilitating the exchange of information. The ubiquity of APIs is a testament to their success in supporting many functions. However, their prominence has also made APIs a target for cyberattacks. Jeremy Snyder, Founder & CEO of Firetail.io, joins me in discussing how to secure APIs effectively. Our discussion revolves around the following questions:
    • What do we need APIs for?
    • Why do we need API security?
    • What are the consequences of lax API security?
    • What are the risks of APIs today?
    • How can we remedy current API security issues?

    Time Stamps
    
    00:02 -- Introduction
    00:49 -- Setting the Stage and Context for the Discussion
    02:26 -- Guest's Professional Highlights
    04:37 -- Overview of APIs
    09:12 -- Common API Security Risks and Vulnerabilities
    12:29 -- Design with security in mind
    13:23 -- Securing APIs
    13:36 -- Integrating Security into the Development Process
    13:52 -- Different Ways of Security Testing APIs
    17:08 -- Vulnerability Monitoring and Promptly Acting on Alerts
    19:22 -- Role of Humans in Acting on Vulnerability Alerts
    21:33 -- Staying on the Right Side of the Law
    23:37 -- Significance of Maintaining Logs
    25:36 -- Selecting Robust APIs
    27:59 -- Key Takeaways
    28:57 -- API Governance
    30:25 -- Zero Trust Approach
    32:10 -- Use of APIs in Leveraging Large Language Models (AI)
    33:41 -- API Governance and Taking Ownership
    36:12 -- Final Thoughts

    Memorable Jeremy Snyder Quotes/Statements
    "Application Programming Interface (API) -- It's basically the way two pieces of software talk to each other, that can be to send data from system A to system B, or that can be for system A to request system B to process something for it."
    "We've got sensitive data crossing the wires over an API, but we've also got critical business functions like processing credit card transactions over an API."
    "API's are pretty much happening behind the scenes, they enable a huge volume of interactions and transactions every day."
    "So we've been cataloging the API data breaches for the last couple of years, these breaches go back about a decade or started about a decade ago, or let me say started to be recognized about a decade ago. And as we've catalogued them, we've kind of categorized them as well, to try to understand in each of these breach scenarios, what was the primary error or breach vector? How was the API breached? And if there's a secondary cause, or things like that, we look at that as well. Two of the main things that we see are really authentication and authorization."
    "Authorization turns out to be the number one root cause of data breaches around API's. And this has been true for many years now."
    "Proactive security is always much cheaper than reactive security."
    "From the proactive standpoint, the number one thing that any provider of an API can do is actually just check the API's before they go live."
    "You should actually pen test your API's before they go live."
    "Very often, we find that API's get shipped into production environments without going through either the static code analysis, or the pre launch testing."
    "The average time that a vulnerability existed in a production environment before being patched and updated, was around 180 days."
    "The best practice that we recommend to customers about reacting to the logs or the alerts or the suspicious conditions that you're seeing in your logs

    • 38 min
    The Last Line of Defense Against a Ransomware Attack

    Attackers have started increasingly targeting victims' backups to prevent organizations from restoring their data. Veeam's "2023 Ransomware Trends Report" found more than 93% of ransomware attacks specifically targeted backup data. My discussion with Gabe Gambill, VP of Product and Technical Operations at Quorum, revolves around the following questions:
    • What vulnerabilities of data backups do ransomware hackers exploit?
    • What are the common mistakes and barriers when recovering against a ransomware attack?
    • How to successfully recover from a ransomware attack?
    Time Stamps
    
    00:02 -- Introduction
    00:49 -- Setting the Stage and Context for the Discussion
    01:41 -- Guest's Professional Highlights
    02:16 -- Revisiting Ransomware Attacks
    03:24 -- Phishing, the Primary Delivery Method for Ransomware
    04:33 -- Ransomware Attack Statistics
    05:34 -- Payment of Ransom
    06:51 -- Protecting and Defending from Ransomware Attacks
    08:07 -- Franchising Ransomware
    08:51 -- Last Line of Defense against a Ransomware Attack
    10:23 -- Data Backups and Prioritization
    11:33 -- Data Recovery Best Practices
    13:31 -- Holistic Approach to Tabletop Exercises
    14:40 -- Significance of Practicing the Data Recovery Process
    14:48 -- Common Mistakes and Barriers when Recovering from a Ransomware Attack
    18:47 -- Being Appropriately Prepared For Disaster Recovery
    20:38 -- Vulnerability Management
    21:37 -- Reasons for Not Being Proactive
    24:48 -- CISO Empowerment
    25:54 -- Cross-Functional Involvement and Ownership
    26:56 -- CISO as a Scapegoat
    28:43 -- Multi-factor Authentication
    29:47 -- Best Practices to Recover from Ransomware Attacks
    31:26 -- Final Thoughts

    Memorable Gabriel Gambill Quotes/Statements
    "The next logical step was ransomware, where they're taking your data, and they're literally encrypting it right from under your nose and holding you accountable, so that they can get money out of you to give you back your own data."
    "More people are paying and not talking about it, which is the worst thing you can do in that situation."
    "80% of people that are hit with ransomware are hit again. So if I'm the ransomware person, who am I going to attack? I'm going to attack Caesars Palace (hotel in Las Vegas) again, I know they're going to pay. So there's the trade off there between the right thing to do and the hard thing to do."
    "The last line of defense are your backups. So it's like an onion, you're gonna have multiple layers of defense, you're gonna have security layers on your perimeter, you're gonna have antivirus, you're gonna have endpoint protection, you're gonna have things such as network scans. There's all kinds of things you can do to provide layers of protection into your environment."
    "The ransomware attack is not through vulnerabilities as much as through phishing. And because of that, people are the weakest link in your security plan, inevitably, it's going to happen to everybody."
    "The most common thing that I've found is when they recover from ransomware, they don't contact their insurance first. And the bad part about that, whether you're going to pay whether you're not going to pay, if you didn't contact your insurance first, chances are, they're not going to pay you back."
    "The other big mistake I see is people rushing the recovery to get back online versus getting back online safely."
    "On the technical side, the mistakes that I often see people make is they want everything to be integrated and simple. And there is a level for that in your production environment that is...

    • 34 min
    Overcoming the Stale Nature of Tabletop Exercises

    While tabletop exercises (TTX) are considered a proven tool for finding gaps in an organization’s security posture, they can be painstakingly challenging to plan and implement effectively. In a time where information security teams are understaffed and overworked, are TTX still worth the time and resources? Or are there other ways of ensuring incident response readiness? Navroop Mitter, the CEO of ArmorText, a mobile security and privacy startup, sheds light on the various aspects of tabletop exercises and their effectiveness as a preparedness tool.

    Time Stamps
    
    00:02 -- Introduction
    00:49 -- Setting the Stage and Compelling Stats
    02:48 -- Guest's Professional Highlights
    05:12 -- Overview of Tabletop Exercises
    07:15 -- Comparing Tabletop Exercises to Simulation
    11:12 -- Benefits of Running a Tabletop Exercise
    12:36 -- Table Top Exercise Resources
    15:18 -- Legal Representation in Tabletop Exercises
    17:07 -- Doing Tabletop Exercises Right
    23:20 -- Mistakes To Be Avoided
    29:14 -- Building Resilient Communication Capabilities
    34:28 -- Final Thoughts

    Memorable Navroop Mitter Quotes/Statements
    "A tabletop is a tool for organizations seeking to enhance their cyber resilience and readiness. It helps you develop muscle memory and identify gaps in your existing plans or other opportunities for enhancement."
    "Unfortunately, too often, tabletops are seen as something the cyber folks do alone in their dungeons. But they're just as essential for C-suite senior leadership and the board."
    "When we're helping organizations think through tabletops, or the simulations they're going to run, whether it's a very quick, lightweight discussion around the table, or a much more nuanced, immersive simulation, we're asking them to assemble stakeholders like senior leadership board members, IT and security teams, public relations, communications teams, legal counsel, human resources and finance together. This is not about the technologist. It's not just about security. This is about operational resilience. And that means the entire organization."
    "When you test your IR plan, even without having a formal team in place, just testing the IR plan alone was nearly as effective; you still had 48 days saved just by having rehearsed and tested your plan, just by having run the playbook before, and understanding what it was to be in that scenario, or something similar to it."
    "I think the need of the hour is increased executive and senior leadership involvement."
    "Done right, tabletops are actually there to help you prepare for managing regulatory litigation and reputational concerns that often follow these events."

    Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
    Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes are released every two weeks.
    Connect with Dr. Chatterjee on these platforms:
    LinkedIn: https://www.linkedin.com/in/dchatte/
    Website: https://dchatte.com/
    Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
    a...

    • 38 min
    Securing Artificial Intelligence (AI) Applications

    As artificial intelligence (AI) technologies continue to evolve and be leveraged, organizations need to make a concerted effort to safeguard their AI models and related data from different types of cyber-attacks and threats. Chris Sestito (Tito), Co-Founder and CEO of Hidden Layer, shares his thoughts and insights on the vulnerabilities of AI technologies and how best to secure AI applications.
    Time Stamps
    
    00:02 -- Introduction
    01:48 -- Guest's Professional Highlights
    03:55 -- AI is both a cure and a disease
    04:49 -- Vulnerabilities of AI
    07:01 -- Hallucination Abuse
    10:27 -- Recommendations to secure AI applications
    13:03 -- Identifying Reputable AI security experts
    15:33 -- Getting Rid of AI Ethics Teams
    19:18 -- Top Management Involvement and Commitment

    Memorable Chris Sestito Quotes/Statements
    "Artificial intelligence systems are becoming single points of failure in some cases."
    "AI happens to be the fastest deployed and adopted technology we've ever seen. And that sort of imbalance of how vulnerable it is and how fast it's getting out into the world, into our hardware and software, is really concerning."
    "When I talk about artificial intelligence being vulnerable, it's vulnerable in a bunch of ways; it's vulnerable at a code level, it's vulnerable at inference time, or essentially, at real time when it's making decisions, It's vulnerable at the input and output stages with the users and customers and the public interacting with your models, it's vulnerable over networks, it's vulnerable at a generative level, such as writing vulnerable code."
    "Hallucination abuse would be the threat actor trying to manage and manipulate the scope of those hallucinations to basically curate desired outcomes."
    "We should be holding artificial intelligence to the same standards that we hold other technologies."
    "The last thing we want to do is slow down innovation, right? We want to be responsible here, but we don't want to stop advancing, especially when other entities that we can be competing against, whether that's in a corporate scenario, or a geopolitical one, we don't want to handcuff ourselves."
    "If we're providing inputs and outputs to our models to our customers, they're just as available to threat actors. And we need to see how they're interacting with them."
    "If you're bringing a pre-trained model, and you're going to further train it to your use case, scan it, use the solution to understand if there is code where it doesn't belong."
    "Red teaming models is a wonderful exercise but we also need to look at things that are a little bit more foundational to security before we get all the way to AI red teaming."
    "The threats associated with artificial intelligence are the exact same threats that are associated with other technologies. And it's always people. It's always bad people who want to take advantage of the scenario and there's an enormous opportunity to do that right now."

    Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
    Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
    Connect with Dr. Chatterjee on these platforms:
    LinkedIn: https://www.linkedin.com/in/dchatte/

    • 31 min
    Building a Resilient Disaster Recovery Infrastructure

    The latest disaster recovery statistics reveal that modern businesses still face costly interruptions due to a variety of threats, ranging from ransomware attacks to sudden hardware failures. The monetary costs of disasters and outages can be significant. According to results from Uptime Institute's "Annual Outage Analysis 2023" survey, 25% of respondents reported that their latest outage incurred more than $1 million in direct and indirect costs. In addition, 45% reported that the cost of their most recent outage ranged between $100,000 and $1 million. Another research report reveals that just over half of organizations have disaster recovery plans and around 7% of organizations never test their disaster recovery plans. It was a real pleasure having Sagi Brody, Co-Founder and CTO at Opti9, on the podcast to shed light on the various aspects of disaster recovery and how to do it well.

    Time Stamps

    00:02 -- Introduction
    00:54 -- Disaster Recovery Statistics and Guest Introduction
    03:08 -- Guest's Professional Highlights
    04:40 -- Overview of Disaster Recovery
    09:12 -- How do you ensure that the disaster recovery infrastructure does not become the next security incident?
    11:51 -- Disaster Recovery Best Practices
    15:23 -- Around 7% of organizations never test their disaster recovery plan. Why is that the case? Why wouldn't organizations want to ensure that whatever they have documented whatever they have planned actually works?
    19:49 -- How effective are tabletop exercises in the context of rehearsing for disaster recovery? Should organizations be doing more than tabletop exercises?
    22:09 -- Disaster Recovery and Outsourcing
    25:09 -- Final Thoughts
    Memorable Sagi Brody Quotes/Statements
    "When you think of backups, I like to think of the word RECOVER. When you think of disaster recovery, I like to think of the word RESUME, you're not restoring data, you're resuming your business operations after a disruption."
    "I think one of the biggest mistakes that people make is they sort of build their entire production infrastructure, or their application, get it all up and running, make it perfect. And then later on, they want to focus on disaster recovery."
    "Imposing disaster recovery strategy on an already built, let's say, application is much more difficult than having resilience be part of your thought process as you go along building your production environment."
    "We need Runbooks (or Playbooks) for what we do during a disaster. Not only that, but we need Runbooks for different types of disasters. If we need to fail over one application versus our entire environment, we need a separate Runbook for testing."
    "Today, a lot of people have their applications highly integrated with third party SaaS platforms. So let's be sure that when we test our disaster recovery infrastructure, we're testing the applications, we're not poisoning our production data sitting somewhere else inadvertently."
    "You have to be super careful when making decisions on what platforms, what vendors, what software you're using to build your applications and your infrastructure. When you make those decisions, you have to weigh them against your resilience framework and your security framework."
    Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
    Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
    Connect with Dr. Chatterjee

    • 26 min
    Unraveling the Positive and Negative Impacts of Generative AI

    In a very thought-provoking discussion, Artificial Intelligence (AI) expert Tony Hoang, Ph.D., traced the evolution of Gen AI, highlighted the many benefits, and also shared his concerns about the irresponsible and abusive use of this technology. What got my attention were the following realities:
    • Innovators often prioritize speed over responsible AI development, leading to potential negative consequences.
    • How easy it is to create a software-generated duplicate of someone's voice or video avatar without their consent, using online content such as images and videos.
    • There are no current safeguards to prevent someone from exploiting AI-generated images of someone else, making it a challenge for parents to advise their children on how to protect themselves.

    Time Stamps

    00:02 -- Introduction
    00:49 -- Dr. Tony Hoang's Professional Highlights
    02:47 -- AI's evolution, data science, machine learning, and generative AI
    10:05 -- Generative AI and cybersecurity
    14:07 -- AI and cybersecurity threats in the enterprise
    18:45 -- AI-generated explicit content and its impact on teenagers
    22:48 -- AI-generated content and its potential impact on society
    30:05 -- AI-generated fake reviews and their impact on businesses
    34:55 -- The potential dangers and benefits of generative AI
    Memorable Tony Hoang Quotes/Statements
    "Right now, there is a big emphasis on the on the client-side of obviously, privacy and security, on the development side, there isn't primarily because of the fact that everyone wants to rush to the top."
    "So, what they're doing is they are taking all of the responsible AI committees, all of the privacy committees, and they basically just laid everyone off in the past six months. And that's kind of frightening to see, because what that means is when you fire your responsible AI committee, what that signals is they want to go fast, because these committees actually slow them down in order to accomplish their goal."
    "The stuff that really worries me the most about Gen AI isn't phishing attacks, or any of that stuff; my biggest fear right now is the replication of human images, or video or voices."
    "One of the ways that you could use Gen AI to take down a competitor, you would go on their website onto the product review, hit it with AI generated responses and just flood it with negative one star or two star reviews. So that's a way to destroy a company's reputation using Gen AI, and we're actually seeing that right now."
    "There's no way for anybody to detect AI generated content right now in an automated fashion."

    Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
    Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
    Connect with Dr. Chatterjee on these platforms:
    LinkedIn: https://www.linkedin.com/in/dchatte/
    Website: https://dchatte.com/
    Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
    https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

    • 41 min

Customer Reviews

5.0 out of 5
2 Ratings

priyochat ,

Interview with Rohit Verma

I enjoyed the interview with Rohit Verma. Very targeted questions and very thoughtful and insightful answers.
