10 episodes

Named one of the world's top information security podcasts, The Security Ledger Podcast offers in-depth interviews with the top minds in information (cyber) security. Hosted by Paul Roberts, Editor in Chief of The Security Ledger, each podcast is a conversation about the cyber security stories making headlines and about the most important trends in the information security space including security and the Internet of Things, the latest cyber threats facing organizations and new paradigms for securing data and devices. A must listen if "cyber" is your thing!

The Security Ledger Podcasts, by The Security Ledger

    • Technology

    Episode 175: Campaign Security lags. Also: securing Digital Identities in the age of the DeepFake

    Sponsored by DigiCert. In our first segment, Andrew Peterson, the CEO of the cyber security firm Signal Sciences, joins us to talk about the struggles that campaigns have managing online security. In our second segment: in an age of deep fakes and software supply chain hacks, securing online identity these days is about a lot more than lock icons in your browser window. In part 2 of our podcast we’re joined by Dan Timpson, Chief Technology Officer at DigiCert, to talk about the fast expanding terrain of securing online identities.

    • 45 min
    Episode 174: GE’s Very Bad Day – Unpacking the MDHex Vulnerabilities

    The U.S. Department of Homeland Security warned of critical vulnerabilities in a range of products by GE. We speak with Elad Luz, the head of research at CyberMDX, which discovered the holes.

    Caring for sick patients in a hospital is as much about mastering technology these days as it is about mastering biology, physiology and chemistry. The modern hospital room is a forest of beeping, blinking computer hardware that does everything from measuring vital signs to administering medication or life saving treatments.

    All that hardware and software is prone to cyber security vulnerabilities, however, and cyber risk is a growing concern for providers. Witness the warning issued by the Department of Homeland Security on January 23 about a slew of vulnerabilities in products by healthcare giant GE.

    Elad Luz is the head of research at CyberMDX.

    DHS’s ICS CERT warned that a collection of six cybersecurity vulnerabilities discovered in a range of GE Healthcare devices could allow an attacker to make changes at the software level of the device. Those changes could render the device unusable, interfere with its proper functioning, expose Patient Health Information – or all of the above.

    The vulnerabilities – collectively referred to as MDhex – were discovered by the firm CyberMDX, which was looking into the product’s use of a deprecated open source component known as “webmin” as well as what the company described as “problematic open port configurations” in the GE CARESCAPE patient monitoring workstation. Five of the vulnerabilities were given CVSS (v3.1) values of 10, while the remaining vulnerability scored an 8.5 on the National Infrastructure Advisory Council’s (NIAC) 1-10 scale for assessing the severity of computer system vulnerabilities.

    In this episode of the podcast, we invited Elad Luz, the head of research at CyberMDX into the studio to talk about the security holes. Luz and CyberMDX discovered the flaws, reported them to GE and then worked with the company and DHS on a coordinated disclosure of the holes. In this conversation, Elad and I talk about the flaws CyberMDX discovered and some of the challenges facing healthcare organizations as they try to secure medical hardware and software deployed in clinical settings.

    • 21 min
    Episode 173: Iran’s Cyber Payback for Soleimani Killing may have a Long Fuse

    As it weighs further response to the assassination of General Qasem Soleimani, Iran is almost certain to consider the use of cyber attacks. We talk with Levi Gundert at the firm Recorded Future about what cyber “payback” from Tehran might look like.

    When missiles from Iran landed near U.S. military bases in Iraq, the world assumed that it was an escalation of tensions between Iran and the U.S. in response to the January 3rd U.S. drone assassination of General Qasem Soleimani, a high-ranking member of the Iranian government and the architect of the country’s Middle East policy.

    But fears of a shooting war between the U.S. and Iran have eased in the days following the Iranian missile launch, which caused no U.S. casualties and little damage and which was followed by mollifying comments from both the Iranian and U.S. leadership.

    Levi Gundert, Recorded Future
    Disaster averted? Not so fast, say Middle East experts. “Killing Soleimani crossed a significant threshold in the US-Iran conflict,” Kiersten Todt, managing director of the Cyber Readiness Institute, told CNN. “Iranians will certainly try to retaliate — definitely in the region and they will also look at options in our homeland. Of the options available to them, cyber is most compelling.”

    With Iran’s kinetic response mostly symbolic, speculation is now focused on the cyber theater, where Iran’s government has used hacking to advance both domestic and geopolitical objectives before. In recent memory, for example, the country tapped the Chafer hacking group to target aviation repair and maintenance firms in 2018 in an apparent effort to obtain information needed to shore up the safety of that country’s fleet of domestic aircraft, according to research by the firm Symantec.

    Those concerns prompted the U.S. Department of Homeland Security to issue a warning to private sector firms to prepare for the worst. But what might “the worst” look like?

    A well-developed Offensive Cyber Program

    Iran has a well-developed offensive cyber program and has been linked to attacks against public and private interests in Saudi Arabia, the United States and Europe, according to experts. The country already has successfully executed several known major cyber attacks against the United States, with two notable ones occurring in

    • 21 min
    Episode 172: Securing the Election Supply Chain

    In this episode of the podcast (#172), we’re joined by Jennifer Bisceglie, the founder and CEO of Interos, to talk about the links between America’s voting infrastructure and countries with a history of trying to subvert democracy.

    With an election year upon us, the media’s attention has swung back to the vexing issue of election security. Given the documented interference by Russia in the 2016 presidential election and anomalies in the performance of electronic voting systems in both 2016 and 2018, as well as the recent UK Parliamentary elections, both government and watchdog groups worry about foreign actors tampering with election results in crucial (“swing”) districts.

    Supply chain: the unseen election risk

    Jennifer Bisceglie is the CEO of the firm Interos.

    But efforts to secure voting systems at election time can only go so far, according to research released this month from the firm Interos. The company found that one fifth (20%) of the hardware and software components in a popular voting machine came from suppliers in China. Furthermore, close to two-thirds (59%) of components in that voting machine came from companies with locations in both China and Russia.

    Heightened awareness of supply chain risk

    The study comes as the U.S. government and Trump Administration are issuing guidance to private sector firms and government agencies to steer clear of hardware and software from countries with a history of spying and espionage within the U.S., including hardware giants like the Chinese firm Huawei.

    In this week’s podcast, we sat down with Jennifer Bisceglie, the founder and CEO of Interos to talk about the links between America’s voting infrastructure and countries with a history of trying to subvert democracy.

    In this conversation, Jennifer and I also talk about the larger issue of supply chain risk, which Bisceglie says goes well beyond cyber security, encompassing ethical sourcing, environmental risks and more.

    As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

    • 22 min
    Spotlight Podcast: Building Resilience into the IoT with Rob Spiger

    In this Spotlight edition of the Security Ledger Podcast, sponsored by Trusted Computing Group*: we’re joined by Rob Spiger, a principal security strategist at Microsoft and co-chair of the cyber resilient technologies working group at Trusted Computing Group. Rob talks to us about efforts to make more resilient connected devices and how the advent of the Internet of Things is changing TCG’s approach to building cyber resilient systems.

    When the Trusted Computing Group first hit the scene 20 years ago, the idea was to provide a so-called “root of trust” from which security operations might be launched, and a secure enclave from which devices could recover should all else fail.

    But attacks these days aren’t as simple as removing malware from a Windows system and getting it back up and running. Destructive malware like Shamoon, NotPetya and WannaCry has shown that disruption and even physical destruction of devices may be the objective of malware infections and hacks. At the same time, so-called “advanced persistent threat” (APT) actors have made a practice of stealthy, long-lived compromises designed to harvest information or extend control over compromised environments.

    A Focus on Cyber Resilience

    And, as Internet of Things devices permeate both commercial and private networks, the cyber physical consequences of compromises mount. That’s why the Trusted Computing Group is expanding its work on what it calls “cyber resilient technologies” that can help restore connected devices to a working state in the event of a cyber attack or other disruption.

    In this spotlight edition of the podcast, we invited Rob Spiger of Microsoft into the studio to talk about this concept of “cyber resilience.” Rob is a 17-year veteran of Microsoft and the co-chair of the Cyber Resilient Technologies Working Group at TCG.

    Rob Spiger is a principal security analyst at Microsoft and co-chair of the Cyber Resilient Technologies Working Group at Trusted Computing Group.

    In this conversation, Rob and I talk about how the importance of cyber resilience has grown in recent years and how TCG is adapting to address the unique challenges of the Internet of Things, including the need to manage physically remote devices and devices deployed at massive scale.

    Rob notes that the concept of resilience is not so much different today from what it was 20 years ago when TCG was first setting up shop, even though technology use cases have changed dramatically.

    “The concept is that devices could become compromised and you need to re-establish them to a trusted stage and resume normal or limited operations if mitigations are not available immediately,” Spiger told me. “The basic concept is to provide better protections and detect if an attack has occurred and then to recover from that attack to a trusted state.”

    • 27 min
    Spotlight Podcast: Beyond HIPAA – a Conversation with Nemours CPO Kevin Haynes

    In this Spotlight edition of The Security Ledger Podcast, sponsored by RSA Security*, the Chief Privacy Officer at Nemours Healthcare, Kevin Haynes, joins us to talk about the fast evolving privacy demands on healthcare firms and how the Chief Privacy Officer role is evolving to address new privacy and security threats.

    In just a couple weeks The California Consumer Privacy Act – or CCPA – will take effect. Considered the most comprehensive data privacy law in the country, the CCPA could become a de-facto federal standard akin to the EU’s GDPR, at least in the absence of a matching federal law.

    The law, enforcement of which begins in July 2020, will be a wake up call to many industries that have made a business of collecting, mining and even re-selling their customers’ data. One industry that is unlikely to be fazed by the new requirements, however, is healthcare. That’s because a comprehensive patient data privacy law, HIPAA, has governed that industry for more than two decades.

    Healthcare Industry beset by Changes

    Kevin Haynes is the Chief Privacy Officer at Nemours Healthcare.

    But the existence of a strong federal data protection law for patient health information doesn’t leave the healthcare industry immune from controversies, risks or questions about the extent of privacy protections. That’s especially true as a new generation of connected medical devices works its way into clinical settings, exposing them to cyber and operational risks in new ways. And, as data hungry firms like Google look to expand their reach into the massive healthcare industry, healthcare firms need to balance their interest in new treatments and better customer service against the privacy rights and concerns of their members. Concerns about data privacy and the abuse of medical information, for example, have dogged initiatives like Google’s Project Nightingale since its inception.

    The Role of Healthcare CPO: Beyond HIPAA

    To learn more about the unique challenges facing healthcare organizations, we invited Kevin Haynes, the Chief Privacy Officer of the Nemours Foundation – a pediatric health provider in six states and the District of Columbia – to talk about how the role of Chief Privacy Officer is changing and adapting to the challenges and threats facing healthcare organizations.

    Haynes says that – despite laws like HIPAA and even CCPA- privacy protecti...

    • 29 min

Customer Reviews

AnneViola,

Excellent and informative

My go-to source for security trends and news, with a well-rounded selection of guests. Paul has an affable yet hard-hitting interview style and always gets the best out of his subjects.

LStar-BOS,

great cyber security podcast!

One of the best and most thoughtful podcasts on the cyber security space. Interviews with hackers, executives, activists and leading policy makers and academics. A 'must-listen' if information security is your thing!
