The Cybersecurity Readiness Podcast Series

Dr. Dave Chatterjee

The Cybersecurity Readiness Podcast Series serves to have a reflective, thought-provoking and jargon-free discussion on how to enhance the state of cybersecurity at an individual, organizational and national level. Host Dr. Dave Chatterjee converses with subject matter experts, business and technology leaders, trainers and educators, and members of user communities. He has been studying cybersecurity for over a decade. He has delivered talks, conducted webinars, consulted with companies and served on a cybersecurity SWAT team with CISOs. He is an Associate Professor of Management Information Systems at the University of Georgia and Visiting Professor at Duke University. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/
Business

Episodes

Securing the Future: Inside Student-Led Cybersecurity Clinics
May 5 2024
Student-led cybersecurity clinics are increasingly playing an essential role in strengthening the digital defenses of nonprofits, hospitals, municipalities, small businesses, and other under-resourced organizations in our communities while also developing a talent pipeline for cyber-civil defense. Sarah Powazek, Program Director - Public Interest Cybersecurity at the University of California, Berkeley Center for Long-Term Cybersecurity (CLTC), sheds light on this important development. One of the highlights of the discussion was the recognition that the cybersecurity field is such a melting pot of different skill sets. In Sarah's words, "it's actually one of the biggest advantages we have; threats are changing every day. If we don't have folks from different backgrounds and different life experiences, we're really not going to be prepared; we're not going to be able to adapt."

Time Stamps
00:02 -- Introduction
01:46 -- Guest's Professional Highlights
04:35 -- Center for Long-Term Cybersecurity (CLTC) Initiatives
06:13 -- Training students
07:20 -- How do the cybersecurity clinics benefit students?
09:11 -- Resources for Non-Profits and Under-Privileged Organizations
11:01 -- Types of Clients for Student-Run Cybersecurity Clinics
11:42 -- Guidance to universities who want to create student-led cybersecurity clinics
14:29 -- Consortium of Cybersecurity Clinics
17:20 -- Non-technical roles in cybersecurity
18:46 -- Cybersecurity field is a melting pot of different skill sets
21:12 -- Different Cybersecurity Roles
23:32 -- Final Thoughts

Memorable Sarah Powazek Quotes/Statements
"Cybersecurity clinics are modeled after medical and law school clinics."
"We're running programs where students will learn how to provide a cybersecurity maturity assessment. We accept students from all different majors, at least at UC Berkeley, it's very interdisciplinary. They spend the first part of the course learning all about cybersecurity and about the basics, basic cyber hygiene, multi-factor authentication, regular patching schedules, incident response plans, etc."
"There isn't a real clear academic pathway into cybersecurity."
"One of the big student-run clinics is the University of Nevada, Las Vegas. They operate as a student club; the students train each other, create programming, and engage with the clients, and they operate year-round. They've got a really interesting model for clinics where they're working with clients, but the students are really the ones taking on that responsibility. And the faculty advises them."
"We have a toolkit on the Consortium's website that actually has step-by-step instructions on how to design a clinic. How do you pick out the curriculum?"
"There's a couple of things that we really encourage folks to have, if they want to start up a clinic program, the first is a faculty champion."
"So we've really switched the focus and formed the consortium a number of years ago around centralizing resources, making it easier for folks around the country to start up programs, making the programs even better and more effective at both training students and providing real value to clients. And we have a goal of having a clinic in every state by 2030."
"I think that there are many people worldwide who care about the mission and protecting their communities but haven't gotten some of those skills yet. And anyone can learn. Anyone can learn cybersecurity. I truly believe that, I think people from all backgrounds provide something really valuable to the field."
"Cybersecurity is really a trade. It's something that anyone can learn."
"I'm starting to meet a lot of...
Developing Resilient and Secure Mission Critical Facilities (Data Centers)
Apr 24 2024
Developing and maintaining resilient and secure data centers is a huge part of cybersecurity readiness. Spiros Liolis, Chief Technologist and Managing Consultant, EYP Mission Critical Facilities, Part of Ramboll, joins me to discuss the challenges and best practices of creating and maintaining state-of-the-art data centers. Topics covered include a) elements and attributes of resilient data centers, b) creating and maintaining a resilient and adaptive data center, and c) the different types of risks – geological, meteorological, and human – that must be considered when building and maintaining the data centers.

Time Stamps
00:02 -- Introduction
00:49 -- Setting the Stage and Context for the Discussion
01:54 -- Guest's Professional Highlights
02:56 -- Overview of Data Center Resiliency
05:41 -- Criticality of Data Centers
07:53 -- Key Elements of a Resilient Data Center
12:06 -- Build Your Own or Co-locate
15:00 -- Assessing the Effectiveness of a Data Center
19:32 -- Significance of Simulated Exercises/Tabletop Exercises
21:46 -- Importance of On-Site Visits
23:56 -- Technical, Commercial and Operational Due Diligence
26:17 -- Adaptive Design
28:32 -- Data Center Facility Locations
30:15 -- Best Practices & Final Thoughts

Memorable Spiros Liolis Quotes/Statements
"Everything we do today, as professionals and as consumers, relies heavily on data centers."
"There's a cloud of course, but nothing up there, 35,000 feet above the ground, is hosting servers. The cloud is practically data centers on Earth, right."
"What do we mean by secure and resilient data centers? [We] will refer to the ability of essential data center infrastructure to withstand and recover from disruptions and ensure their continued operations."
"When we talk about potential threats, we need to think of them in terms of geological, meteorological, accidental, or even intentional risks. These are primarily the risk types we talk about when it comes to data center resiliency."
"The moment you power up a data center, you practically cannot shut it down."
"So the resiliency of a data center must consider how to build enough redundancy by design and by implementation into these data centers."
"So our methodology is to look at the different risk factors that may have an impact on the facility itself, whether it is your own, or whether it is being hosted; you need to evaluate, and measure the impact of different risks and these are geological risks, meteorological risks and human risks, whether accidental or unintentional."
"Nothing beats an on-site visit to check a data center's resiliency."
"So the hybrid design is really all about building the necessary critical infrastructure that capitalizes on multiple sources of energy."
"Education awareness is absolutely paramount. And that is probably one of our faults as well, data centers today are considered to be the naughty neighbors. I mean, they say, Oh, they're energy consuming, they take our water, they take our power; we as an industry need to educate our communities, we need to tell them what is it that we do. And of course, we need to make sure that we build them in a sustainable way, we'll use renewables, we will become community friendly. All of that must happen."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms:...
Securing Application Programming Interfaces (APIs)
Apr 10 2024
Application Programming Interfaces (APIs) play a vital role in modern software development, enabling the integration of services and facilitating the exchange of information. The ubiquity of APIs is a testament to their success in supporting many functions. However, their prominence has also made APIs a target for cyberattacks. Jeremy Snyder, Founder & CEO of Firetail.io, joins me in discussing how to secure APIs effectively. Our discussion revolves around the following questions:
What do we need APIs for?
Why do we need API security?
What are the consequences of lax API security?
What are the risks of APIs today?
How can we remedy current API security issues?

Time Stamps
00:02 -- Introduction
00:49 -- Setting the Stage and Context for the Discussion
02:26 -- Guest's Professional Highlights
04:37 -- Overview of APIs
09:12 -- Common API Security Risks and Vulnerabilities
12:29 -- Design with security in mind
13:23 -- Securing APIs
13:36 -- Integrating Security into the Development Process
13:52 -- Different Ways of Security Testing APIs
17:08 -- Vulnerability Monitoring and Promptly Acting on Alerts
19:22 -- Role of Humans in Acting on Vulnerability Alerts
21:33 -- Staying on the Right Side of the Law
23:37 -- Significance of Maintaining Logs
25:36 -- Selecting Robust APIs
27:59 -- Key Takeaways
28:57 -- API Governance
30:25 -- Zero Trust Approach
32:10 -- Use of APIs in Leveraging Large Language Models (AI)
33:41 -- API Governance and Taking Ownership
36:12 -- Final Thoughts

Memorable Jeremy Snyder Quotes/Statements
"Application Programming Interface (API) -- It's basically the way two pieces of software talk to each other, that can be to send data from system A to system B, or that can be for system A to request system B to process something for it."
"We've got sensitive data crossing the wires over an API, but we've also got critical business functions like processing credit card transactions over an API."
"APIs are pretty much happening behind the scenes, they enable a huge volume of interactions and transactions every day."
"So we've been cataloging the API data breaches for the last couple of years, these breaches go back about a decade or started about a decade ago, or let me say started to be recognized about a decade ago. And as we've catalogued them, we've kind of categorized them as well, to try to understand in each of these breach scenarios, what was the primary error or breach vector? How was the API breached? And if there's a secondary cause, or things like that, we look at that as well. Two of the main things that we see are really authentication and authorization."
"Authorization turns out to be the number one root cause of data breaches around APIs. And this has been true for many years now."
"Proactive security is always much cheaper than reactive security."
"From the proactive standpoint, the number one thing that any provider of an API can do is actually just check the APIs before they go live."
"You should actually pen test your APIs before they go live."
"Very often, we find that APIs get shipped into production environments without going through either the static code analysis, or the pre-launch testing."
"The average time that a vulnerability existed in a production environment before being patched and updated, was around 180 days."
"The best practice that we recommend to customers about reacting to the logs or the alerts or the suspicious conditions that you're seeing in your logs
The Last Line of Defense Against a Ransomware Attack
Mar 27 2024
Attackers have started increasingly targeting victims' backups to prevent organizations from restoring their data. Veeam's "2023 Ransomware Trends Report" found more than 93% of ransomware attacks specifically targeted backup data. My discussion with Gabe Gambill, VP of Product and Technical Operations at Quorum, revolves around the following questions:
• What vulnerabilities of data backups do ransomware hackers exploit?
• What are the common mistakes and barriers when recovering from a ransomware attack?
• How to successfully recover from a ransomware attack?

Time Stamps
00:02 -- Introduction
00:49 -- Setting the Stage and Context for the Discussion
01:41 -- Guest's Professional Highlights
02:16 -- Revisiting Ransomware Attacks
03:24 -- Phishing, the Primary Delivery Method for Ransomware
04:33 -- Ransomware Attack Statistics
05:34 -- Payment of Ransom
06:51 -- Protecting and Defending from Ransomware Attacks
08:07 -- Franchising Ransomware
08:51 -- Last Line of Defense against a Ransomware Attack
10:23 -- Data Backups and Prioritization
11:33 -- Data Recovery Best Practices
13:31 -- Holistic Approach to Tabletop Exercises
14:40 -- Significance of Practicing the Data Recovery Process
14:48 -- Common Mistakes and Barriers when Recovering from a Ransomware Attack
18:47 -- Being Appropriately Prepared For Disaster Recovery
20:38 -- Vulnerability Management
21:37 -- Reasons for Not Being Proactive
24:48 -- CISO Empowerment
25:54 -- Cross-Functional Involvement and Ownership
26:56 -- CISO as a Scapegoat
28:43 -- Multi-factor Authentication
29:47 -- Best Practices to Recover from Ransomware Attacks
31:26 -- Final Thoughts

Memorable Gabriel Gambill Quotes/Statements
"The next logical step was ransomware, where they're taking your data, and they're literally encrypting it right from under your nose and holding you accountable, so that they can get money out of you to give you back your own data."
"More people are paying and not talking about it, which is the worst thing you can do in that situation."
"80% of people that are hit with ransomware are hit again. So if I'm the ransomware person, who am I going to attack? I'm going to attack Caesars Palace (hotel in Las Vegas) again, I know they're going to pay. So there's the trade off there between the right thing to do and the hard thing to do."
"The last line of defense are your backups. So it's like an onion, you're gonna have multiple layers of defense, you're gonna have security layers on your perimeter, you're gonna have antivirus, you're gonna have endpoint protection, you're gonna have things such as network scans. There's all kinds of things you can do to provide layers of protection into your environment."
"The ransomware attack is not through vulnerabilities as much as through phishing. And because of that, people are the weakest link in your security plan, inevitably, it's going to happen to everybody."
"The most common thing that I've found is when they recover from ransomware, they don't contact their insurance first. And the bad part about that, whether you're going to pay whether you're not going to pay, if you didn't contact your insurance first, chances are, they're not going to pay you back."
"The other big mistake I see is people rushing the recovery to get back online versus getting back online safely."
"On the technical side, the mistakes that I often see people make is they want everything to be integrated and simple. And there is a level for that in your production environment that is...
Overcoming the Stale Nature of Tabletop Exercises
Mar 13 2024
While tabletop exercises (TTX) are considered a proven tool for finding gaps in an organization’s security posture, they can be painstakingly challenging to plan and implement effectively. In a time where information security teams are understaffed and overworked, are TTX still worth the time and resources? Or are there other ways of ensuring incident response readiness? Navroop Mitter, the CEO of ArmorText, a mobile security and privacy startup, sheds light on the various aspects of tabletop exercises and their effectiveness as a preparedness tool.

Time Stamps
00:02 -- Introduction
00:49 -- Setting the Stage and Compelling Stats
02:48 -- Guest's Professional Highlights
05:12 -- Overview of Tabletop Exercises
07:15 -- Comparing Tabletop Exercises to Simulation
11:12 -- Benefits of Running a Tabletop Exercise
12:36 -- Tabletop Exercise Resources
15:18 -- Legal Representation in Tabletop Exercises
17:07 -- Doing Tabletop Exercises Right
23:20 -- Mistakes To Be Avoided
29:14 -- Building Resilient Communication Capabilities
34:28 -- Final Thoughts

Memorable Navroop Mitter Quotes/Statements
"A tabletop is a tool for organizations seeking to enhance their cyber resilience and readiness. It helps you develop muscle memory and identify gaps in your existing plans or other opportunities for enhancement."
"Unfortunately, too often, tabletops are seen as something the cyber folks do alone in their dungeons. But they're just as essential for C-suite senior leadership and the board."
"When we're helping organizations think through tabletops, or the simulations they're going to run, whether it's a very quick, lightweight discussion around the table, or a much more nuanced, immersive simulation, we're asking them to assemble stakeholders like senior leadership board members, IT and security teams, public relations, communications teams, legal counsel, human resources and finance together. This is not about the technologist. It's not just about security. This is about operational resilience. And that means the entire organization."
"When you test your IR plan, even without having a formal team in place, just testing the IR plan alone was nearly as effective; you still had 48 days saved just by having rehearsed and tested your plan, just by having run the playbook before, and understanding what it was to be in that scenario, or something similar to it."
"I think the need of the hour is increased executive and senior leadership involvement."
"Done right, tabletops are actually there to help you prepare for managing regulatory litigation and reputational concerns that often follow these events."
Securing Artificial Intelligence (AI) Applications
Feb 28 2024
As artificial intelligence (AI) technologies continue to evolve and be leveraged, organizations need to make a concerted effort to safeguard their AI models and related data from different types of cyber-attacks and threats. Chris Sestito (Tito), Co-Founder and CEO of Hidden Layer, shares his thoughts and insights on the vulnerabilities of AI technologies and how best to secure AI applications.

Time Stamps
00:02 -- Introduction
01:48 -- Guest's Professional Highlights
03:55 -- AI is both a cure and a disease
04:49 -- Vulnerabilities of AI
07:01 -- Hallucination Abuse
10:27 -- Recommendations to secure AI applications
13:03 -- Identifying Reputable AI security experts
15:33 -- Getting Rid of AI Ethics Teams
19:18 -- Top Management Involvement and Commitment

Memorable Chris Sestito Quotes/Statements
"Artificial intelligence systems are becoming single points of failure in some cases."
"AI happens to be the fastest deployed and adopted technology we've ever seen. And that sort of imbalance of how vulnerable it is and how fast it's getting out into the world, into our hardware and software, is really concerning."
"When I talk about artificial intelligence being vulnerable, it's vulnerable in a bunch of ways; it's vulnerable at a code level, it's vulnerable at inference time, or essentially, at real time when it's making decisions, it's vulnerable at the input and output stages with the users and customers and the public interacting with your models, it's vulnerable over networks, it's vulnerable at a generative level, such as writing vulnerable code."
"Hallucination abuse would be the threat actor trying to manage and manipulate the scope of those hallucinations to basically curate desired outcomes."
"We should be holding artificial intelligence to the same standards that we hold other technologies."
"The last thing we want to do is slow down innovation, right? We want to be responsible here, but we don't want to stop advancing, especially when other entities that we can be competing against, whether that's in a corporate scenario, or a geopolitical one, we don't want to handcuff ourselves."
"If we're providing inputs and outputs to our models to our customers, they're just as available to threat actors. And we need to see how they're interacting with them."
"If you're bringing a pre-trained model, and you're going to further train it to your use case, scan it, use the solution to understand if there is code where it doesn't belong."
"Red teaming models is a wonderful exercise but we also need to look at things that are a little bit more foundational to security before we get all the way to AI red teaming."
"The threats associated with artificial intelligence are the exact same threats that are associated with other technologies. And it's always people. It's always bad people who want to take advantage of the scenario and there's an enormous opportunity to do that right now."
Building a Resilient Disaster Recovery Infrastructure
Feb 14 2024
The latest disaster recovery statistics reveal that modern businesses still face costly interruptions due to a variety of threats, ranging from ransomware attacks to sudden hardware failures. The monetary costs of disasters and outages can be significant. According to results from Uptime Institute's "Annual Outage Analysis 2023" survey, 25% of respondents reported that their latest outage incurred more than $1 million in direct and indirect costs. In addition, 45% reported that the cost of their most recent outage ranged between $100,000 and $1 million. Another research report reveals that just over half of organizations have disaster recovery plans and around 7% of organizations never test their disaster recovery plans. It was a real pleasure having Sagi Brody, Co-Founder and CTO at Opti9, on the podcast to shed light on the various aspects of disaster recovery and how to do it well.

Time Stamps
00:02 -- Introduction
00:54 -- Disaster Recovery Statistics and Guest Introduction
03:08 -- Guest's Professional Highlights
04:40 -- Overview of Disaster Recovery
09:12 -- How do you ensure that the disaster recovery infrastructure does not become the next security incident?
11:51 -- Disaster Recovery Best Practices
15:23 -- Around 7% of organizations never test their disaster recovery plan. Why is that the case? Why wouldn't organizations want to ensure that whatever they have documented, whatever they have planned, actually works?
19:49 -- How effective are tabletop exercises in the context of rehearsing for disaster recovery? Should organizations be doing more than tabletop exercises?
22:09 -- Disaster Recovery and Outsourcing
25:09 -- Final Thoughts

Memorable Sagi Brody Quotes/Statements
"When you think of backups, I like to think of the word RECOVER. When you think of disaster recovery, I like to think of the word RESUME, you're not restoring data, you're resuming your business operations after a disruption."
"I think one of the biggest mistakes that people make is they sort of build their entire production infrastructure, or their application, get it all up and running, make it perfect. And then later on, they want to focus on disaster recovery."
"Imposing disaster recovery strategy on an already built, let's say, application is much more difficult than having resilience be part of your thought process as you go along building your production environment."
"We need Runbooks (or Playbooks) for what we do during a disaster. Not only that, but we need Runbooks for different types of disasters. If we need to fail over one application versus our entire environment, we need a separate Runbook for testing."
"Today, a lot of people have their applications highly integrated with third party SaaS platforms. So let's be sure that when we test our disaster recovery infrastructure, we're testing the applications, we're not poisoning our production data sitting somewhere else inadvertently."
"You have to be super careful when making decisions on what platforms, what vendors, what software you're using to build your applications and your infrastructure. When you make those decisions, you have to weigh them against your resilience framework and your security framework."
Unraveling the Positive and Negative Impacts of Generative AI
Nov 22 2023
In a very thought-provoking discussion, Artificial Intelligence (AI) expert, Tony Hoang, Ph.D., traced the evolution of Gen AI, highlighted the many benefits, and also shared his concerns about the irresponsible and abusive use of this technology. What got my attention were the following realities:
Innovators often prioritize speed over responsible AI development, leading to potential negative consequences.
How easy it is to create a software-generated duplicate of someone's voice or video avatar without their consent, using online content such as images and videos.
There are no current safeguards to prevent someone from exploiting AI-generated images of someone else, making it a challenge for parents to advise their children on how to protect themselves.

Time Stamps
00:02 -- Introduction
00:49 -- Dr. Tony Hoang's Professional Highlights
02:47 -- AI's evolution, data science, machine learning, and generative AI
10:05 -- Generative AI and cybersecurity
14:07 -- AI and cybersecurity threats in the enterprise
18:45 -- AI-generated explicit content and its impact on teenagers
22:48 -- AI-generated content and its potential impact on society
30:05 -- AI-generated fake reviews and their impact on businesses
34:55 -- The potential dangers and benefits of generative AI

Memorable Tony Hoang Quotes/Statements
"Right now, there is a big emphasis on the client-side of obviously, privacy and security, on the development side, there isn't primarily because of the fact that everyone wants to rush to the top."
"So, what they're doing is they are taking all of the responsible AI committees, all of the privacy committees, and they basically just laid everyone off in the past six months. And that's kind of frightening to see, because what that means is when you fire your responsible AI committee, what that signals is they want to go fast, because these committees actually slow them down in order to accomplish their goal."
"The stuff that really worries me the most about Gen AI isn't phishing attacks, or any of that stuff; my biggest fear right now is the replication of human images, or video or voices."
"One of the ways that you could use Gen AI to take down a competitor, you would go on their website onto the product review, hit it with AI generated responses and just flood it with negative one star or two star reviews. So that's a way to destroy a company's reputation using Gen AI, and we're actually seeing that right now."
"There's no way for anybody to detect AI generated content right now in an automated fashion."
Best Practices for Overcoming Troublesome Vulnerability Management Trends
Nov 1 2023
A 2023 State of Vulnerability Management Report finds that only half of the surveyed organizations (51%) have, at best, a moderate level of visibility into vulnerabilities. Several other vulnerability management metrics, such as maturity levels, frequency of vulnerability scans, and patch deployment speed, reveal an alarming and troublesome trend. In this episode, Ashley Leonard, CEO at Syxsense, joins me in reviewing the research report findings and discussing vulnerability management challenges and best practices.

Time Stamps
00:02 -- Introduction
02:20 -- Ashley Leonard's Professional Highlights
04:00 -- Scope of Vulnerability Management
06:34 -- Human Vulnerability Factor
08:57 -- AI-enabled Phishing Attacks
09:32 -- Vulnerability Management Objectives
15:50 -- Continuous Vulnerability Scanning and Remediation
18:24 -- Practicality of Continuous Vulnerability Scanning
22:37 -- Securing All Attack Surfaces, Especially IoT Devices and Cloud Assets
25:57 -- Vulnerability Management Maturity Levels
31:33 -- Apparent Disconnect Between Scanning and Visibility
36:15 -- Promptly Acting On Vulnerability Report Findings
41:49 -- Selecting Appropriate Vulnerability Management Tools and Solutions
43:55 -- Vulnerability Management Best Practices
46:30 -- Final Thoughts

Memorable Ashley Leonard Quotes/Statements
"We try and train most of our users not to log in an unknown USB device. But there have been cases where threat actors will take the USB devices and drop them in the parking lot of companies they're trying to breach. People will often pick up these USB sticks, wonder what's on it, walk into the office, and plug it in. It's shocking."
"I would share that patching should not be a monthly process. Many companies do this kind of, 'Oh, it's Patch Tuesday, so we're gonna go and deploy our patch Tuesday patches to our organization.' It's not even a weekly process, this should be a continuous process."
"New vulnerabilities are being published constantly, we have a whole threat research team that is constantly publishing new content. And if you're not scanning on a continuous basis, then your organization's exposed. So you really need to find technologies and partners that can do this kind of continuous vulnerability management for you."
"In the past, after a vulnerability was publicly announced, it typically took three to seven days before you started to see attackers actually weaponizing these vulnerabilities and attacking, which meant you kind of had a week or so to get your act together, deploy the patches and make sure your organization was safe. It's now down to 24 hours. And that's a problem. That's a huge problem for most organizations, because, unless you are doing continuous vulnerability scanning and remediation, you're not going to be able to respond quickly enough, and your organization is going to be exposed. So you really need technology to step in here. And you need automation that you can use to deploy these patches to your most vulnerable assets as quickly as possible."
"Patches don't get tested normally as much as a full release of a product; that's also a risk."
"Automation can really help you respond quickly but also thoughtfully in the way that you go about remediating these patches."
"Think carefully about the data, categorize how important it is, and think about where it's stored. And that's a really good starting place."
"Threat actors are now using AI to analyze the exfiltrated data from the organization. And then using that data from the AI, for example, finding customer lists, and then contacting those customers, and getting those customers
Streamlining and Improving Security by Standardizing Identity Management
Oct 18 2023
While cloud computing has become a great digitization enabler to enterprises, multiple clouds—especially when intersecting with on-premises systems and one another—can produce some challenges. Many organizations can end up with an "identity gridlock" of competing identity systems and protocols since each cloud platform cannot exchange access policy data with other cloud providers. It was an absolute pleasure having Gerry Gebel, Head of Standards at Strata Identity, join me to discuss the significance of standardizing identity management.

Time Stamps
00:02 -- Introduction
02:09 -- Gerry Gebel's Professional Highlights
04:15 -- Role of Standards in Identity and Access Management
08:14 -- Avoiding Identity Gridlocks
11:38 -- Competing Interests in Developing Standards
14:49 -- Role of Standards in Achieving Fine-Grained Access Controls
18:25 -- Rationale Behind Having Numerous Standards
21:02 -- Senior Leadership Involvement in Standards Setting Process
25:39 -- Streamlining and Standardizing Security
28:07 -- Final Thoughts

Memorable Gerry Gebel Quotes/Statements
"Standards allow for interoperability between domains that different organizations run, and this can provide the user with a lot of convenience."
"Each of these cloud and computing platforms has its own way of defining and configuring access to resources. That's where the gridlock comes in because they're not interchangeable; they are not interoperable."
"Realize that you're not standardizing the whole offering; you're standardizing different pieces that have maybe become a commodity."
"It really comes down to having customers involved in the process, because they're the ones who ultimately, will, or will not purchase products. If there's a lock-in, or there's a lack of interoperability, the customer may choose to stay away from that product or solution."
"You can be an active participant (in the standards-setting process) and look out for your own interests, rather than delegating that to someone else who may not represent the same point of view."
"What is the purpose of creating these standards? And we've sort of alluded to that a couple of times here. I think that's where the enterprise perspective is very important. Because, as a programmer, as a developer, we can easily get lost in the weeds of the technology, you know, how do I write this Go routine? Or how do I write this API? And I think the enterprise perspective keeps the focus on what's the real business purpose for doing this. Does it enhance security? Does it give us vendor independence? Does it reduce risk in some way? Or does it enable new business? So I think it's important to have that [customer] voice in the conversation."
"I would say from the enterprise administrative perspective, there's more capability to properly govern the deployment, the configurations, if you have standards involved, because it gives you more visibility of exactly what is connected to what and who has access to what. It gives you better visibility or reporting capability to show, "Oh, well, I'm compliant with these HIPAA rules, or I'm compliant with, you know, some of their financial rules." So, that's where the standards can be of great benefit in overall governance."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn:
How Informed is the Board of Directors on Cybersecurity Risks?
Oct 3 2023
With the global cost of cybercrime expected to reach $10.5 trillion by 2025, cybersecurity has become a board-level imperative. According to the Diligent Institute survey 'What Directors Think,' board members ranked cybersecurity as the most challenging issue to oversee. Even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. Kayne McGladrey, Field CISO at Hyperproof and a senior IEEE member, sheds light on this important aspect of cybersecurity governance. The driving question being: How informed is the Board of Directors to provide effective oversight of cybersecurity governance?

Time Stamps
00:02 -- Introduction
03:06 -- Kayne McGladrey's professional highlights
04:01 -- 2023 Global CISO Survey Findings -- Do the Board of Directors have the necessary expertise to provide cybersecurity governance oversight?
07:24 -- CISO and Board of Directors Relationship
14:22 -- Effectively Empowering the CISO
20:07 -- Reasons for Board of Directors' Lack of Involvement
26:35 -- Board Members Cybersecurity Education and Training
45:27 -- Final Thoughts

Memorable Kayne McGladrey Quotes/Statements
"Interestingly enough, fewer than half of the board members regularly interact with their CISOs. This is an indicator of a communication gap, and potential alignment issues between board members and CISOs, which is really hindering progress in cybersecurity."
"I know a lot of businesses still see cybersecurity as a cost center. They don't see it as a strategic advantage."
"I can think of a CISO who I was just chatting with at Blackhat this year, who turned down a job they matched on salary expectations. But, they matched on job expectations, and they matched culturally. They will be reporting as the CISO to the Director of IT, not to the CIO, not to the CEO, but they're going to report to some down-level director, and they wouldn't be offered directors and officers insurance either. So effectively, they'd only be a CISO in title and C-level executive in title only, but not in practice. They recognize they were being hired in as a scapegoat. I think that's a persistent problem that we've seen associated with how companies are recruiting CISOs."
"I think CISOs should ideally report to the CEO or another C-level executive like the chief operating officer or chief financial officer. And that really allows for a direct line of communications to the top-level management and that emphasizes and underscores the importance of cybersecurity and strategic decisions."
"Cyber risk is a business risk. Cyber is just an influence."
"Boards think in terms of business risks. CISOs, unfortunately, don't often communicate in terms of business risks. CISOs often communicate a technical risk, like a risk of ransomware, or the risks associated with generative AI; those aren't risks; that's driving the communications gap. Literally how we talk as CISOs is part of what causes a lack of oversight on the part of the board because the board doesn't understand what it is that they should actually care about. And so, they disengage."
"Don't go to the board and say I have a problem, because they're not there to solve your problem. They want to know what you're doing about the problem. Also, they want to know if it's going to materially affect the business, I think if you go there with a problem, a solution and a proposal, you're probably going to have a much better time."
Enhancing Incident Response Effectiveness
Sep 6 2023
According to a 2023 IBM report, companies take 197 days to identify a breach and 69 days to contain one on average. The delay between infection, detection, and containment can cost businesses millions of dollars. Only 45% of the companies polled had an incident response plan in place. In this episode, Markus Lassfolk, VP of Incident Response, Truesec, and Morten von Seelen, Vice President of the Truesec Group, who have extensive hands-on experience in dealing with major cyber attack incidents, shed light on this very important subject matter.

Time Stamps
00:02 -- Introduction
02:47 -- Markus Lassfolk's professional highlights
04:28 -- Morten von Seelen's professional highlights
06:17 -- What does incident response mean? Why is it important?
09:10 -- Extent of organizational preparedness
15:32 -- How should organizations prepare to help incident responders do their job better?
20:49 -- What are the different roles associated with major incident response engagements? How do you build a team to handle these engagements, and how do you retain the talent?
25:18 -- What are some of the most common mistakes that you see customers making?
30:27 -- How effective are tabletop exercises?
36:00 -- How important are security drills?
37:21 -- How should organizations go about looking to identify real expertise in incident response?
39:25 -- What kind of help can small companies get who don't have the budget? What would be your advice to them?
42:58 -- When I was reviewing some industry reports, one survey finds that while only 45% of the companies polled had an incident response plan in place, 79% of the companies have insurance. So they're almost implying that many companies could be of the view that let's not worry about the incident response plan. If we have good insurance, we are covered. Can you dispel that myth?
46:35 -- What's exciting, what's interesting, what are some challenges, what kind of mindset and skills one needs to have to pursue a career in incident response?
51:23 -- Final thoughts

Memorable Markus Lassfolk Quotes/Statements
"If organizations get hit by ransomware, they are usually down for three weeks, 21 days, on average."
"From a preparedness standpoint, it helps if the customer has secure and safe backups that we can use."
"In most of the cases, customers are either totally unprepared, or they're not prepared in the right way."
"During an engagement, having the log files will help us get answers of what's been going on in the breached environment. When we don't have the log files, it's so much harder, then we have to start looking at other things which takes more time, which sometimes does not provide the answers, and then we have to start guessing."
"The best thing that the leadership team can do is to give the incident responders and the IT department the support and room to do their job and not expect to have status meetings every 30 minutes or every two hours because that does not give us time to work and actually produce stuff."
"We advise our customers to make sure that they identify the key personnel on their site and try to reduce the single point of failures in personnel as we call it, because in every incident, when we come in and start working, we start to see a pattern; there is one person who has the answers to everything and who everyone points to. And that person is the single point of failure."
"They (customers) start restarting or...
Cybersecurity in the Age of AI
Jul 12 2023
While large language models such as ChatGPT can be used to write malicious code, AI tools are increasingly used to proactively detect and thwart cyber-attacks. There is growing recognition of AI’s potential to fight cybercrime. Ian L. Paterson, CEO, Plurilock, sheds light on how AI has impacted the cybersecurity industry, especially how Generative AI is changing the industry. Describing the role of the AI as a co-pilot, he says, "The way I think about leveraging AI is typically having a human do the first 10%, and the last 10%, an AI is really good at doing the 80% in the middle. So it's not a replacement for the human, but it's an enabler for that human and allows them to do more with less."

Time Stamps
00:02 -- Introduction
02:26 -- Ian L. Paterson's professional highlights
04:56 -- What is generative AI and how does it work?
10:34 -- How can we protect ourselves from phishing attacks?
16:12 -- Leveraging AI for behavioral biometrics
21:21 -- What is generative AI? How are these tools being used to thwart cyber attacks?
24:45 -- How do we speed up detection and remediation?
28:20 -- Cybersecurity is a team sport and it is a team game
32:29 -- Guidance and recommendations
36:19 -- Final thoughts

Memorable Ian Paterson Quotes/Statements
"What we see today is that large language models can appear as if they are themselves intelligent."
"One of the chief dangers of this new (AI) type of technology is that you can now author convincing text at scale."
"What we are seeing today is both an increase in the volume of attacks and an increase in the severity and the convincingness of some of these attacks. I call them multimodal attacks because you're using not only the modality of text but you can also use the modality of video or audio. I think we're going to have to deal with these types of attacks, with these problems, for many years to come."
"You're not going to have a ransomware attack on Monday at 10 am when everybody's refreshed from the weekend; it's going to be Friday afternoon, it's going to be on Christmas Day, it's going to be when you don't want to deal with those types of situations."
"You can certainly use large language models to accelerate or help cut down on some of the minutiae when writing code."
"Large language models are being used as co-pilot in Security Operations Center, to do log analysis, to speed up monitoring, identification, and notification of potential threats."
"We've always had this need in cybersecurity to increase productivity because there are not enough people to do the work needed to stay safe. So, AI will help, it will be a productivity boon."
"The way I think about leveraging AI is you typically have a human do the first 10% and the last 10%, an AI is really good at doing the 80% in the middle. It's not a replacement for the human, but it's an enabler for that human and allows them to do more with less, and hopefully, highlight the area they need to focus on."
"The reality is that cybersecurity is a team sport, and you need a host of products and solutions working in harmony to adequately address the threats out there and reduce the attack surface."
"In summation, AI is good, we're certainly going to see cybersecurity-related innovations, but it's not going to replace the people it takes to deploy and leverage those solutions."
"It's really about having that defense-in-depth strategy. I think that makes a difference between somebody with pretty good security and somebody with great security."
Identity Orchestration Strategies and Best Practices
Jun 28 2023
Cloud migration and remote work requirements are forcing organizations to modernize their applications and identity systems. Making the transition is both time-consuming and expensive using traditional software development practices. By decoupling applications from identity, orchestration can alleviate the burden while allowing companies to seamlessly mix and match different cloud providers as well as MFA and passwordless technologies. In this episode, Eric Olden, Co-founder and CEO at Strata Identity, sheds light on identity orchestration strategies and best practices.

Time Stamps
00:02 -- Introduction
02:16 -- Eric Olden's professional highlights
05:11 -- State of maturity of identity management, and where does identity orchestration fit in.
08:13 -- When should an organization consider an identity orchestration strategy?
11:33 -- Identity orchestration, a plug-and-play approach
15:17 -- Use of the "adapter" metaphor to understand identity orchestration
16:50 -- Identity Orchestration and Single Sign-On -- What is the nature of the relationship?
18:47 -- Eliminating security vulnerabilities with application modernization and identity orchestration
22:06 -- Wide-scale implementation of passwordless authentication
25:47 -- Challenges and success factors in formulating and implementing identity orchestration strategies
30:24 -- Guidance in selecting service providers and vendors
34:31 -- Making a business case for identity orchestration
38:59 -- Final thoughts

Memorable Eric Olden Quotes/Statements
"I see identity providers themselves, the IDPs, are today's hardware in that customers need them, they have to run something, but they don't want to be locked into any one thing. So, we've created an abstraction layer that allows you to decouple the applications from the identity provider. So you can mix and match and do different things."
"Identity orchestration makes sense when you have more than one identity provider."
"If you find yourself trying to modernize applications and move from legacy to modern, that's another really important use case for orchestration."
"The abstraction layer allows you to avoid rewriting any of the applications because, from the application standpoint, the orchestration layer presents a facade that looks exactly like the application is expecting it before orchestration came in."
"We're able to bring modern security to legacy applications and do that without ever changing them."
"All of these five A's -- authentication, access, authorization, attributes, and audit, need to find their way into this new distributed environment."
"Today, with orchestration, you no longer need an application-specific connector because all of the patterns in the protocols that the applications need are already part of the abstraction layer in the orchestration."
"I told my developers, look, if you ever find yourself typing the word password in your code, stop, you're doing it wrong. So you need to back that up and figure out why someone was trying to bring a password in the first place and give them an alternative. So that is a bit of a heavy lift at the beginning, where you need to change people's mindsets."
"The world today is about self-service, and you want to have things bought and not sold."
Creating a Diverse Cybersecurity Workforce and Solving the Talent Shortage
Jun 14 2023
Recent cybersecurity workforce study reports reveal that a) there’s still a global shortage of 3.4 million workers in this field, and b) only 25% of the global cybersecurity workforce are women. In this episode, I had an engaging discussion with panelists Ashley Podhradsky, Vice President of Research and Economic Development at Dakota State University, and Kriti Arora, Security Global black belt, Threat Intelligence and External Attack Surface Management, Microsoft, North America, on attracting more talent, especially motivating and inspiring women to become cybersecurity professionals. One of the key messages that came out of the discussion was not to allow a certain stereotype or image to influence career decisions. A woman's innate traits and abilities, such as multitasking, problem-solving, organizational skills, curiosity, and the zeal to go above and beyond, will serve her very well as a cybersecurity professional.

Here are links to some useful cybersecurity training and awareness resources:
https://www.girlsecurity.org
https://www.sans.org
www.CybHER.org
Www.WiCyS.org
https://www.isc2.org

Time Stamps
00:02 -- Introduction
03:33 -- Ashley Podhradsky's professional highlights
04:59 -- Kriti Arora's professional highlights
08:22 -- Dakota State University's cybersecurity initiatives
11:30 -- Kriti Arora's exposure to cybersecurity education and her reflections on the learning experience
14:17 -- Holistic approach and human element in cybersecurity
17:21 -- Core cybersecurity offerings at educational institutions
19:23 -- Cybersecurity awareness and training throughout the organization
21:43 -- Gender discrimination in cybersecurity
25:23 -- Cybersecurity stereotypes
30:05 -- Cybersecurity skillsets
33:19 -- Why women are likely to be very successful in cybersecurity
37:38 -- Industry-academic partnership
42:55 -- How would you promote cybersecurity to your female friends?
45:08 -- Resources for cybersecurity education and training
53:22 -- Final thoughts

Memorable Ashley Podhradsky Quotes/Statements
"When I was in school, I was usually the only woman and I wanted to do what I could to help bring more women into this field. It's incredibly exciting and a wonderful environment to be in."
"As I have a seat at the (senior leadership) table, I scooch over and make a seat for someone else; I find great job satisfaction and take immense pride in helping promote, support, and advance women in this field and be their champion."
"Showcasing collegiate women to middle school girls in the near-peer mentoring model has been very positive for girls to understand that they can also be a part of this cybersecurity field and experience."
"I've heard "No" a lot. But the only thing that tells me is that I'm talking to the wrong people. And I need to try something different and talk with someone else. And then I can get to that, "Yes.""
"If we're only focusing on the people who are in the right age group, right now, we're never going to solve the (woman in the cybersecurity workforce) problem, we have to...
Countering Insider Threats: Seven Science-Based Commandments
Apr 26 2023
Research finds that there was a 44% increase in insider threat incidents across all types of organizations, and 56% of the reported incidents were due to negligence. Equally alarming is that the average annual cost to remediate a negligence incident was $6.6 million. Dr. Eric Lang, Ph.D., Director, Personnel and Security Research Center (PERSEREC), United States Department of Defense, draws upon his research to share some of the (science-based) commandments for understanding and countering insider threats. Emphasizing the criticality of human factors, Dr. Lang contends that "without individuals’ sincere commitments, the most extensive insider threat policies will fail."

Time Stamps
02:27 -- So Eric, let's first talk about yourself and your professional journey.
04:36 -- What motivated you to write the article Seven [Science-Based] Commandments for Understanding and Countering Insider Threats?
07:51 -- The first commandment states that "Human factors are paramount. Thou shalt not worship technology above personal and social dynamics solutions." Tell us more about it.
15:16 -- Moving along to your second commandment, you say, "Employees are an organization's greatest strength, especially for identifying insider threats. Thou shalt improve supervisory and co-worker reporting." Many employees are reluctant to report potential threats they encounter. I would assume organizations recognize the challenges and have appropriate structures and mechanisms in place to encourage more honest reporting. Your thoughts?
20:45 -- Many psychological factors could come in the way of somebody alerting the organization about a possible insider threat. Thoughts?
26:36 -- I will be very surprised if great organizations, when they make decisions to improve cybersecurity, governance, cybersecurity readiness, those decisions are not influenced by experts in human psychology, the clinical psychologist, or whoever the right person is. Thoughts?
31:07 -- A reactive approach to cybersecurity governance doesn't cut it. Thoughts?
38:37 -- So let me ask you, what do you think are any of the top three things that most employees care about for their job?
43:33 -- Before we conclude, if you'd like to share a few final thoughts.

Memorable Eric Lang Quotes/Statements
"73% of the successful exfiltration incidents were conducted without using technology."
"Technology is necessary but not sufficient, humans will find a way around it. And in this case, 73% succeeded in the exfiltration."
"What was a common successful method for foreign adversaries to get sensitive US industrial information? The answer is they asked for it. It was a form of social engineering in very many cases."
"Technology [often] misperforms not because of malicious intent, but because it was ill-developed."
"So why do employees in an organization with a See Something Say Something policy, often hesitate to report? There are a number of social psychological factors such as 'don't be a snitch' cultural norm. They don't want a coworker to lose their job. They might have a fear of retaliation."
Social psychologists often note an effect called "diffusion of responsibility" when people don't report a potential exfiltration incident.
"If you are aware of something of potential concern, and there are many other people also in the environment, you might think that many people have the same awareness I do, I'm sure someone else will report it. This is called "diffusion of responsibility" in social psychological research."
"Policy is important, but the execution of it, and bringing employees into correct awareness and engagement is the most important...
Mitigating Risks from Unmonitored Communication Channels
Apr 14 2023
Significant fines in excess of $2 billion have been levied on organizations in the financial services sector for failing to capture, retain and supervise communications. This crackdown on non-compliant communications is the clearest indicator yet that regulators have lost patience with firms that still haven't addressed supervision and record-keeping risks that were exacerbated by the pandemic. In this episode, Garth Landers, Director of Global Product Marketing at Theta Lake, discusses how businesses can mitigate risks from unmonitored communication channels.

Time Stamps
02:20 -- Please share some highlights of your professional journey with the listeners.
05:10 -- Different types of modern communication tools.
12:05 -- The 2022 Modern Communications Compliance and Security report (produced by Theta Lake) finds that unmonitored communication channels remain the biggest risk. What are these risks?
21:19 -- What are some best practices in securing the different communication channels?
28:47 -- Do you think an organization would be well served if they had written guidelines of the do's and don'ts when using certain channels and making that document readily available to all organizational members?
34:09 -- It's about helping individuals do the right things so that the communication is secure, as compared to gotcha, you made a mistake, and you should have done better. Thoughts?
36:51 -- I emphasize the importance of creating and sustaining a high-performance information security culture. Only when you create that culture, that work ethic, securing communication channels is sustainable in the long run.
40:43 -- We are talking about a proactive approach driven by a change in the mind shift where the leaders are looking at this apparent challenge (securing communication channels) as a strategic opportunity.
45:11 -- Can you address the archival and retrieval challenges?
52:00 -- If there were three or four takeaways that listeners should walk away with from today's discussion, what should they be?

Memorable Garth Landers Quotes/Statements
"Two-thirds of an organization believe that inside their organization, employees are using unmonitored communication channels."
"Unmonitored communication channels pop up because, in many cases, organizations decide not to empower their employees, they give them a Zoom, or a Cisco WebEx or a Microsoft Teams, or a RingCentral, or a Slack, etc., but they don't fully enable them. They don't turn on chat, or they don't allow file sharing, polls, or whiteboards. This forces employees to adopt and use unmonitored communication channels."
"From a process standpoint, don't take a top-down approach to implement modern collaboration platforms."
"Research shows that, on average, at least four different unified/modern communication tools are being used by organizations."
"Most end users are not engineered towards malfeasance and bad behavior, it's carelessness. And the greatest insider threat is that sort of carelessness, and lack of awareness."
"Policy works best when it's not some sort of abstract reality that you pull out when a bad thing happens."
"Technology is out there to get to that balance point of maximum productivity, productive IT but productive and efficient and compliant work as well."
Implementing Secure and Fast Authentication Processes
Mar 30 2023
Traditional authentication methods are outdated and need many layers of code, which can take time and resources away from developer teams. If developments like FIDO2, WebAuthn, and passkeys are to be the cornerstones of a passwordless future, then every application (not just Apple, Google, and Microsoft) needs an easy way to adopt these methods and weave them into current user authentication flows. Slavik Markovich, Co-founder and CEO, Descope, discusses current and future authentication trends and the importance of building a low-code/no-code passwordless authentication solution for app developers.

Time Stamps
02:52 -- Slavik, share with us some background information, some highlights of your professional journey.
04:19 -- What are the pain points when it comes to authentication?
09:55 -- So Slavik, where are we headed in terms of the next stage or the next phase of evolution when it comes to more sophisticated authentication systems?
16:01 -- What is that low code, no code, passwordless authentication solution that would make it feasible for developers to focus on developing solutions and functionalities?
25:00 -- There are products in the market, open source or proprietary, that can help take away that additional pain or challenge of developing the authentication part of the solution. The developers can then focus on what they are good at, developing the product functionalities. Is that a fair, high-level representation of what you said?
26:17 -- So where are we with biometric authentication? Have we made more progress?
33:53 -- Are we further along in getting to that ideal goal where just compromising an account doesn't mean the end of the world or doesn't mean a major problem?
36:55 -- Please share some final thoughts.

Memorable Slavik Markovich Quotes/Statements
"If you have a token that you use to authenticate, that's pretty secure, it's very hard to phish it, and it's very hard to steal it."
"A lot of effort is being made in creating authentication around who you are versus what you know. So using biometrics-based authentication is a big step in that direction."
"Use of passkeys, which allow a secure and somewhat frictionless way of authenticating, without having to remember anything." [Note: "With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords"] (https://developers.google.com/identity/passkeys#)
"Like everything in security, the devil is in the details."
"There is an inherent tension between the security teams and the developers. You kind of try to solve it by bringing security into the development teams."
"Security shouldn't become a bolt-on process but should be part of the architecture, design, review, and implementation."
"Security doesn't sell your product. Eventually, features will sell your product."
"Most developers are not security experts. So, if they implement authentication, there might be big holes that they cannot catch. Then, you end up with account compromises and stolen data from the application."
"The biggest obstacle to biometric authentication is actually education."
"The best password is no password."
Proactive Resilient Approach to Cybersecurity
Mar 15 2023

It is well known that a proactive intelligence-driven approach to cyber governance is the way to go. But it is easier said than done. Embracing and sustaining such an approach requires high commitment, preparedness, and discipline. Kriti Arora, Security Global Black Belt, Threat Intelligence and Enterprise Attack Surface Management, Microsoft, shares her experiences guiding clients to adopt an intelligence-driven proactive approach to thwarting attacks. She also shares her passion for the field and the satisfaction of training and serving as a cyberwarrior.

Time Stamps
00:48 -- Before we get into the details of a proactive resilient approach to cybersecurity, how about sharing your professional journey? What got you into this field?
03:58 -- You described yourself as a first-generation cyberwarrior during our planning meeting. I found that quite intriguing. Please expand.
06:54 -- Can you shed some light on the different types of opportunities that a cybersecurity career can present to the first generation (of cyber warriors) or people trying to pivot from their existing careers into cybersecurity?
11:14 -- Kriti, share with us briefly about your role at Microsoft. At a generic level, could you share what you do at Microsoft with the listeners?
15:16 -- What is a proactive, resilient approach?
18:08 -- Why do organizations vary in their level of proactiveness? What are some reasons?
21:10 -- What are the five or six things one should do to get started on the path of proactiveness?
27:43 -- Maintaining a log of security intelligence received, and actions taken might be very useful, especially when an organization is trying to defend itself in a court of law. What are your thoughts?
34:24 -- Every organizational member has a role to play in securing the organization. Do you agree?
36:28 -- Asset prioritization and data retention strategies are key aspects of proactive cybersecurity governance. What are your thoughts?
40:59 -- What measures or metrics are useful in assessing proactive resilience?
45:02 -- Please share some final thoughts and key messages for our listeners.

Memorable Kriti Arora Quotes/Statements
"So, at one moment, you're fighting crimes, doing these investigations like a detective, and researching a problem to find a solution. At another time, you could be troubleshooting a typical problem and providing customer support services."
"The adaptive quality of the field is what makes it thrilling. That's what excites us, the cyber warriors, who are trying to experiment, learn new things, and save the world with different techniques and tactics."
"I consider a proactive approach to be intelligence-driven and holistic. It represents a mind shift on how cyber threats are thwarted."
"In this proactive approach, we focus on indicators of attackers; we try to keep a watch on the entire network and its processes. It's a holistic approach. I would not call it a technique; I would call it a mind shift because you need that mind shift to understand proactiveness. It's like being alert, thinking about the worst-case scenario, trying to prevent it or be prepared to recover from it quickly."
"It's very important to focus on the attack surfaces, whether internal or external. A full or 360 view of your attack surface is very important."
"Successful implementation and sustenance of a proactive resilient approach depend on a high level of cybersecurity awareness and knowledge."
"Organizations must strive to be both secure and productive."
The Challenges and Best Practices of Cyber Security in Emerging Markets
Mar 1 2023

"While developed markets may today bear the brunt of cyber breaches, emerging markets are no less vulnerable. Their risks arise from weak processes and governance, the complexity of global supply chains, the need to remain low cost to attract investment, and the rapid adoption of technology without adequate cyber defenses." Andre Keartland, Solutions Architect at Netsurit, Johannesburg, South Africa, speaks to these realities and offers guidance on managing cyber risks and implementing robust security solutions.

Time Stamps
00:49 -- We have a lot to talk about. But let's first talk about your professional journey.
04:05 -- It would be beneficial if you shared with listeners what we mean by emerging markets. You could talk about that first before talking about the trends.
07:20 -- Bottom line, it is my hunch that the cybersecurity phenomenon doesn't discriminate; every country, whether part of the emerging block or the developed block, has similar experiences. What do you think? What are your reactions?
09:54 -- Research finds that risks to emerging markets arise from four areas: 1) the complexity of supply chains; 2) the need to remain low cost to attract investments; 3) the rapid spread of technology without adequate availability or awareness of training; and 4) weak regulations. Would you agree with these?
15:46 -- Andre, you're based in South Africa. Let's say some of the listeners might be interested in working or starting a venture there. As they evaluate the business scene, the pros and cons, how should they look at cyber security as a risk factor? What would be your message to them?
20:57 -- The initial bonding and acquaintance phase is challenging when establishing reliable outsourcing relationships. Andre, any thoughts on that?
25:09 -- What can organizations in the developed world learn from organizations managing cybersecurity in emerging markets?
32:05 -- In developing markets, organizations are more alert, more hungry, and more motivated in putting in place the best possible cyber governance practices. So, the sharing of knowledge, the sharing of experiences can be hugely beneficial. Your thoughts?
43:20 -- I always like to give my guests the final word. So now is your time for some final thoughts.

Memorable Andre Keartland Quotes/Statements
"There might be a perception that developed markets aren't as much of a target, which makes them more of a target because it makes it appealing for the attackers."
"There's even a trend of attackers doing proof of concept of the threats inside an emerging market before they go mainstream and try to attack Fortune 500 companies in North America."
"Threats have no boundaries; once they get going, they affect everybody."
"A low cost model often drives economies in the developing markets. That leads to a mentality and an approach where the organizations will then say, well, let's try and cut our costs as much as possible; let's invest in the core of our products, product development, building, the factory. Supporting functions, like cybersecurity, like governance, become de-prioritized."
"What I recommend in general, when going into any emerging market, and as somebody who's now done business in many, many different countries, you need to take a view of the legislative framework. You need to understand whether the local legal system enforces things like copyright, intellectual property, and privacy laws; sometimes, those are not high priorities in emerging markets."
"The best way to get your skills is to build your skills, get the people in the door, put in place training programs, put in place...