Pwned: The Information Security Podcast


Author: Justin Fimlaid



Pwned is a weekly information security podcast addressing real-world cybersecurity and information security challenges. Each week we cover a new topic from cybersecurity, to information security, to best practices, to security technology, and how-to's.
22 Episodes
Not Invented Here Syndrome for Security
Show Notes: https://www.nuharborsecurity.com
Contact Me: @justinfimlaid
LinkedIn:

Ever had an idea to advance your company's or another company's security posture? And it's a really good idea. Like really good. You do your homework and dot the "I's" and cross the "T's" and you propose a superior solution that sets your organization up for, what you think, is long-term success? When you propose your idea, someone passionately proposes an alternative weaker solution. Or worse, people take shots at your idea trying to make it look like swiss cheese for the apparent purpose of making an alternate idea look better?

If yes, you might have seen and experienced the "Not Invented Here Syndrome".

One of the more concise definitions of Not Invented Here Syndrome (NIHS) I've heard comes from Techopedia:

"Not invented here syndrome is a mindset or corporate culture that favors internally-developed products over externally-developed products, even when the external solution is superior. NIHS is frequently used in the context of software development, where a programmer will overlook all the attributes of an existing solution simply because it wasn't produced in-house."

Another variant of NIHS, the micro variation, comes when the security department or CISO is accountable for security but doesn't have responsibility for security. So if you are a security professional recommending products/solutions that are always "shot down" by those with budget authority, there could be a few reasons, and Not Invented Here might be the cause. NIHS can take a couple of forms (this list adapted from Techopedia):

- The other teams don't value the work of others. They have pride in a negative way.
- They don't understand, or are unwilling to try to understand, the benefits and lack confidence.
- Fear that their previous ideas aren't valued.
- Territorial battles, e.g. internal "turf wars".
- Fear of having to learn something new.
- Wanting to control the process.
- Would rather "reinvent the wheel" to maintain control.
- Jealousy that they didn't think of the idea first.
- Belief that they can do a better job.
- The other teams don't value the work of others and believe they can do better. They have pride in a positive way.

There's always the counter argument that the Security team always makes sub-tier recommendations and IT would rather keep the proverbial security train on the tracks.

Anyway, NIHS is a real thing and can really be a barrier to completing an annual plan. For organizations that don't foster innovation, NIHS can really be present in the way the company operates day to day. There are some great articles on Not Invented Here and how some of the world's longest-standing companies foster innovation and work with external ideas to make their business grow. Some interesting links you might check out...
Without Wax: The Quest for Perfection
Show Notes: https://www.nuharborsecurity.com
Contact Me: @justinfimlaid
LinkedIn:

I had an English teacher in high school that was big on etymology. If you aren't familiar with etymology, it's the history of how certain words came to be. What I like about etymology is the stories behind certain words. This teacher was one of the few teachers I actually liked in high school, and I hated English classes, so I guess that says a lot. One word, and one of his lessons, has always stuck with me. That word is Sincere. Sincere is from the Latin words Sin Cera. In Latin Sin is "without" and Cera is "wax".

The story of Sin Cera dates back to ancient Roman times. The artistry from that time period was seen in statues and ornate marble pillars. What was significant about that time period is that artists were appreciated for their perfection. An apprentice could work for most of their life in a specific craft, trade, or artistry...they'd only do that one thing. An apprentice might spend years learning how to pick the right type of marble, or they'd spend years learning how to carve a specific type of statue, or spend years learning how to polish a statue. The best artists were PERFECT.

What's interesting about the best artists from Roman times, the ones that sculpted marble, is that they embodied perfection in their craft. They would carve perfect sculptures or perfect marble pillars. All the other artists trying to make a name for themselves, who cut corners in their trade and lacked experience, used wax to cover their mistakes. They would use wax to fill holes, cracks and mistakes. The nice thing about wax is it could be smoothed and polished to look like marble. It could be plastered over and it could be painted over. Most buyers could not determine which was artificial and which was Sin Cera, or without wax. And in some cases they'd never know until the artist was long gone. Today when we say we are Sincere, it generally means we're honest. But the origin of Sincere also means you are without wax and perfect in your craft.

The reason I bring this up is that it seems to be relevant as of late. I see more folks and companies trying to capitalize on the security market. I understand the push, it's capitalism in full swing. However, I see folks working in the security space who are really confused and are granted trust because of a title, position, or certification. If you are in security as a buyer or supplier, whether inside your own company or a third party...and you claim to do security, you need to actually do it. Let me clarify what I mean by that.

What I mean by that is you have an obligation to continuously learn because the threat landscape is constantly shifting. I realize every subject matter expert started with 0 experience. But what makes someone sincere in their craft isn't the fact they have a job in the field, it's the fact they're a student of the craft and continually strive to be perfect. This means always learning and helping others bridge the security knowledge gap. This means you can't just dabble in security, it's not a bullet item on a website or on a resume. We can do this, but we all have to put in the work and make everyone better.

We have an obligation to get this right, if not for us then for the future generation so they have a solid foundation to make things better.
Quickstart – Building a Security Program with the NIST Cybersecurity Framework
Show Notes: https://www.nuharborsecurity.com
Contact Me: @justinfimlaid
LinkedIn:

Everyone - I'm starting to feel a little bad that the Government has been shut down for so long. I've hit the NIST site at least 10-15 times over the last couple of weeks looking for a reference only to be met by a "we're closed" frowny face. Anyway - as soon as I recorded this the government opened up...figures. By the time this goes live NIST will be open again.

If you're looking to build or enhance your security program, the NIST Cybersecurity Framework might be a good place to start.

I see a lot of companies looking to build their security or compliance programs around PCI-DSS, HIPAA, or FFIEC guidance, to name a few. It's good guidance, but these regulations fail to recognize an organized security capability. Meaning - there's no categorization that exists that says if you do this group of security tasks you'll be better protected, or if you focus on this group of tasks you'll be better positioned to recover from a cyber event.

The NIST Cybersecurity Framework is organized exactly that way. In the absence of any regulation or compliance requirement, this framework might provide a nice step into budget conversations or even establish a common way to talk about cybersecurity within your organization or institution.

To read more about the NIST Cybersecurity Framework, check out my post at NuHarbor Security.
The Best Security Technology You Probably Aren’t Using
Show Notes: https://www.nuharborsecurity.com
Contact Me: @justinfimlaid
LinkedIn:

With all the breaches in the news as of late there's been a lot of chatter about the shifting threat landscape. I saw a post on social earlier in the week that got me thinking: if the threat landscape is shifting - why is that, and how does the collective industry slow things down so we can catch our breath and be proactive with security? The one piece of security tech I rarely see folks using is deception technology, but maybe the value of the tech is overlooked.

The idea of evolution and Darwinism is pretty established at this point. Whether you believe in creation or evolution doesn't matter too much, but what I want to dial into is the concept of natural selection. If you aren't familiar with the term, it's the process whereby organisms better adapted to their environment tend to survive and produce more offspring. Charles Darwin's idea of natural selection is generally credited as an evolutionist theory, BUT the point I want to highlight, which I think we can all agree is the common thread here whether you're an evolutionist or a creationist, is...mutation. As we, collectively, evolve as a species, and as all species do, we mutate, we migrate and we create a sense of genetic drift from the original DNA strains. But at the most fundamental level genetic drift occurs from testing. We test food; if it poisons us we die. We test our living environments; if they make us sick we have a lower chance of procreation. If we're dispositioned to reckless habits it could limit our ability to pass on our genetics and/or lessons to the next generation if we're dead.

Foundationally speaking this is a very long-term testing effort as a species, but what happens if we couldn't test? What happens if the test results were random? I mean truly random. What if something was gaming us all, like something out of the Hunger Games? Two people with the same genetic makeup eat the same berries - one gets poisoned and dies and the other doesn't. What happens if those same two people with the same genetic makeup live in an environment that makes one sick but not the other? If this was the case, it would be incredibly hard to "test" and evolve. Now, what happens if that same idea applied to castle defenses?

The idea of attacking castles is well documented over time and there's a long history of action and reaction. An attacker storms the front gate and gets in; the defenders react and build a moat if they have a next time. The defenders build the walls higher; the attackers build a siege tower to easily get soldiers over the walls. The defenders build defense in depth and attackers create the Trojan horse. But what would happen if attack results were truly random? Sometimes you got through the front gate...sometimes you didn't. Sometimes the moat was a problem, sometimes it wasn't. Sometimes you "thought" you got the Trojan horse in, but you actually didn't. What would have happened if the attackers thought they were exploiting castle defenses but were just wasting time and were delayed until the point they were killed? If this scenario was true - then it's safe to assume that the evolution of attacker techniques would be slowed...because let's be honest, they don't know what does or doesn't work. If this scenario were true - it's also safe to assume the intellectual cultivation of castle siege and defense tactics and overall "investment" in new attack or defense would be slowed, because attackers truly don't have a relative sample size to test their hypothesis since the results are random and not based on scientific fact.

If you agree with those ideas, the environment in medieval times didn't exist to create random results, but the technology exists today.
Benefits of a Security Certification & Equifax Security Breach
Show Notes: https://www.nuharborsecurity.com
Contact Me: @justinfimlaid
LinkedIn:

A lot of companies or agency executives are looking for a security certification or some kind of assurance so they can sleep well at night. The truth of the matter is no security firm would assert that their clients are bulletproof from a cyber security breach. The threat landscape is shifting intraday and anything a security firm would attest to today might be outdated by the time the team walks out of the building. In our industry today - there is no certification that offers this level of warranty. HITRUST, PCI-DSS, ISO27001, SOC Reports all ensure that a process is in place, not necessarily the rigor of the security control in place and the value of said control in the long run. The Knox Security Certification is the lone technical security certification, but that also has bounds to the warranty and very much requires that the company continue to maintain the hygiene of their security posture, as nothing in security is set it and forget it.

Any potentially viable security certification is in jeopardy because of this, coupled with the fact there are so many people that misunderstand this concept. Case in point is the Equifax security breach. If you don't know Equifax, congratulations on making it out from under your rock and listening to this first. Equifax is a large credit reporting bureau that holds credit and personal information for millions of people. The breach impacted over 140 million people...which, to put that in perspective, is also HALF the citizens in the US.

Here's the thing, Equifax has an ISO27001 certification. The certification was delivered by Ernst and Young and their EY CertifyPoint division. Some folks, including those at Equifax, seemed to think this certification shielded them from breach. If you ever listened to any of my podcasts or read anything I've written related to ISO27001, you know that ISO27001 simply certifies you've followed a framework and methodology to choose security controls—not whether those controls are the right and complete security controls for your environment. To add one more, scope is a big component of ISO27001 and just because someone has an ISO 27001 certification doesn't mean it's for the environment they say it is. For example, some companies have an ISO27001 certification on their broom closet and say it's for the whole company.

The issue with this Equifax situation is that E&Y, according to MarketWatch, issued an attest opinion that all security controls were complete and in place, which later could not be supported. Aside from this not being possible, because it fails to acknowledge there is no crystal ball that predicts any and all zero day attacks, it's also a conflict of interest and a violation of any accreditation rules.

To me this indicates a huge lack of understanding OR purposeful negligence.

Further, commentary from former SEC Chiefs...I'm withholding names since I don't know if quotes are taken out of context, BUT one head-scratching quote, I'm paraphrasing, "there's a question concerning how much reliance should be placed on the ISO certification when assessing internal controls over financial reporting."

Uhh...you think? I can help out there...none. There should be no reliance. The context of the control is COMPLETELY different than what you would expect for a SOX 302 or 404 control.

This brings me to the belief that there continues to be a huge and massive misunderstanding of security controls at the highest level of organizations and within organizations that are supposed to be a trusted security advisor.

More often than not I see accounting firms fulfilling this assessment and assertion role within business. BUT who did Equifax
5 Security Predictions for 2019
Show Notes: https://www.nuharborsecurity.com
Contact Me: @justinfimlaid
LinkedIn:

Companies put together "top predictions" for FY19. Most are garbage. There's a couple I think are decent but they are few.

Here's my top 5 predictions for FY19.

1. People will realize that SOAR (Security Orchestration and Automation Response) is not the security savior. In fact, I'd be so bold to say it hinders the security industry by forcing security professionals to become distracted from doing the core and foundational security work. Security takes work...plain and simple. You have to eat some shit and grind it out. That's the job. There's no easy button for this. While people are spending the year trying to figure out what to automate, they'll only get to December with little to show and a year wasted. I often see SOAR being sold as the end-all be-all to the security talent shortcomings..."no staff, no problems...just buy this solution and we'll solve it for you." BS. In my experience, most companies don't have good security practices, and what happens when you automate broken processes...you break the process more times and faster. Additionally, the fundamental thing that SOAR is missing is that security is often distributed within an organization, meaning...it's not one team, rather a bunch of teams/departments doing their part of security. The issue in corporate is that those departments DO NOT allow another group to dictate automatic configuration of technology they are responsible for. Lastly, folks are still trying to figure out security...never mind automate it. Security teams still need to fundamentally understand the tedious parts of security before they can automate anything...and unfortunately, most people don't know what they don't know.

2. Network visibility becomes an important thing. Yeah - this one has been around for a while but I think this is the year it picks up momentum. With distributed networks and IOT blowing up, I think folks will finally start to realize that you can't secure what you can't see and will finally own up to needing a solution that provides central visibility to all devices with an internet connection. To date, I think it has been a bit of a luxury to have this level of visibility, but I think most folks have tried to cobble together makeshift or homegrown solutions to get this level of visibility, so this year I think we'll see folks start to own it.

3. Blockchain will become commoditized. C'mon, let's face it...there are a ton of folks trying to tout how smart they are with innovative blockchain solutions. Honestly...there are so many people trying to do this, and if someone can find useful use-cases then I foresee this becoming as commoditized as asymmetric and symmetric encryption for data protection late this year. In other words, if someone can do something worthwhile, it becomes table stakes and no one will care anymore.

4. Scan-jockeys will be identified. Contrary to what I hear every week - a vulnerability scan is not a Penetration Test. In the industry we call the folks who run a vulnerability scan and pass it off as a penetration test Scan Jockeys. These are folks that don't really know how to pen test, so they choose a vulnerability scanner, run a scan and hope no one knows the difference. Now, don't get me wrong, a vulnerability scan has a VERY valid use in security; in fact I think every organization should be doing vulnerability scans. My issue is people faking being a penetration tester. I do see folks in industry becoming more educated in the difference between the two types of test, and I think later this calendar year more scan-jockeys will have a harder time in security as penetration testers, and people who actually spend time practicing their craft will get cr...