Contrarisk Security Podcast #0042: Securing SMEs
Do too many small and medium-size enterprises (SMEs) believe that security is something only big firms need to worry about? In this interview, Colin Tankard, managing director of Digital Pathways, explains that, indeed, many firms believe themselves to be too small and uninteresting to attract the attention of hackers. This is in spite of endless headlines about breaches and warning from industry and government bodies about the business impact of an attack.
Contrarisk Security Podcast #0041: The battle for privacy
Privacy in the digital realm has become a hot topic. There has always been a debate about to what degree law enforcement and intelligence agencies should be allowed to snoop on what many of us would consider private communications. But that discussion became supercharged following the leaks by Edward Snowden and seem to be coming to a head, not least with recent court battles between Apple and the FBI. In this interview, Javvad Malik of AlienVault shares his thoughts about the issues being raised by the fight between tech companies and the authorities.
Contrarisk Security Podcast #0040: Exploiting security data
Is the concept of ‘defence in depth’ outdated? In this interview, Matt Alderman of Tenable Network Security explains that, while organisations may have a lot of security solutions – such as firewalls, intrusion detection and anti-malware – they’re not necessarily using the systems in the most effective way. Rather than just dump the information these point solutions give you into a Security Information and Event Management (SIEM) system, hoping you can make sense of it, maybe it’s time to adopt ‘big data’ methods.
Contrarisk Security Podcast #0039: Open source security
A large proportion of software development relies on open source frameworks and libraries. But vulnerabilities like Shellshock and Heartbleed has tarnished the reputation of open source code. In this interview, Patrick Carey of Black Duck explains how organisations can continue to benefit from the power and speed of implementation that open source code has to offer, while also ensuring their own safety. Through the careful of shared sources of vulnerability data – and especially by collaborating in open source development – developers can use open source libraries and frameworks to the full without unnecessarily exposing themselves to danger.
Contrarisk Security Podcast #0038: Security Operations Centres
Many organisations are centralising and concentrating their cyber-security efforts in Security Operation Centres (SOCs). The aim is to provide a more coherent and comprehensive view of the organisation’s neyworks, and enable a focused and timely response in the event of an attack. But are they doing it right? And will these SOCs bring the benefits that organisations imagine they will? In this interview, Luke Jennings at Countercept by MWR InfoSecurity explains that running an effective SOC means having the right data – and the right people.
Contrarisk Security Podcast #0037: Healthcare app insecurity
Mobile apps have become a focus for cyber-criminals – and that’s bad enough. But when the apps that are stealing your personal information are also handling your healthcare data, that adds an extra sense of urgency to the problem. Stephen McCarney of Arxan Technologies explains how a recent analysis of healthcare apps found many of them to have serious flaws. And one of the most worrying is a lack of binary code protection, which could lead to trojanised apps.
View the show notes ->
Contrarisk Security Podcast #0036: Securing the Internet of Things
The Internet of Things (IoT) is already a reality – but is anyone giving proper thought to security? In this interview, Cesare Garlati of the prpl Foundation explains how challenging it can be to add security to embedded devices. And he argues that virtualisation technologies, using a thin hypervisor layer, can provide the secure boot and root of trust needed to ensure that only genuine code gets run.
Contrarisk Security Podcast #0035: Security guarantees
When you buy a security product or service, why doesn’t it come with a money-back guarantee should you get hacked? Jeremiah Grossman, founder of WhiteHat Security, thinks that it should. He believes that the risks and vulnerabilities in certain areas of IT security are so well understood, and can be tested to such a reasonable degree, that it makes sense for security firms to offer guarantees.
Contrarisk Security Podcast #0034: Web application vulnerabilities
Web application frameworks are now mature and sophisticated. But are too many developers depending on them too much to provide security for web applications? Sasha Zivojinovic of Context Information Security believes that developers don’t always understand how user-provided data is going to be used within the application, and this can make them highly vulnerable.
Contrarisk Security Podcast #0033: DDoS and information security
Organisations usually view distributed denial of service (DDoS) attacks as an availability problem, often linked to extortion. But as Dave Larson, COO of Corero Network Security explains in this interview, they are increasingly being used as part of multi-vector attacks designed to steal your data. And they are becoming easier to mount, putting them within reach of all kinds of malicious actors, from nation states down to individuals.
Contrarisk Security Podcast #0032: Smart buildings
The Internet of Things is finally here and one manifestation is the ‘smart’ building. But as physical and data security converge, and more and more systems acquire web interfaces, are we simply opening up ever more systems to attack? In this interview, Colin Tankard of Digital Pathways explains how building systems lack common protocols and have often been developed with no consideration for security issues.
Contrarisk Security Podcast #0031: Smarter alerts
Attacks keep coming, and breaches of security seem almost inevitable. So maybe our focus should shift to how we detect intrusions once the attackers have got in. As Mark Kedgley, CTO of New Net Technologies, explains in this interview, there’s no such thing as 100% security. You need to spot malicious activity on your networks when it happens – as soon as it happens. File Integrity Monitoring (FIM) is one way of going about it but it can lead to a lot of false positives. So we need to be smarter about what kinds of alerts are generated, and learn what ‘good’ changes look like.
Contrarisk Security Podcast #0030: Vulnerability monitoring
Daniel Raskin of ForgeRock explains how identity management has evolved into something far more complex – and more directly related to business agility and competitiveness – than the old days of Active Directory and LDAP. Context is essential, he says, and much IM is now very customer-centric. Meanwhile, Colin Tankard of Digital Pathways discusses the dilemma we’re facing in the realm of privacy. While many of us turn to encryption to keep us safe on the Internet, law enforcement and intelligence agencies lament their ability to see what we are up to.
Contrarisk Security Podcast #0029: Vulnerability monitoring
In the race between us patching our computers and malicious hackers exploiting vulnerabilities, the bad guys win all too often. Why are we so bad at patching? And is it always lack of awareness of the dangers? Or is there a conflict between the desires of the security department and the needs of the business? In this interview, Gavin Millard of Tenable Network Security explains how continuous monitoring for software vulnerabilities is the key to making your systems safer.
Contrarisk Security Podcast #0028: The mobile menace
Is Android the security disaster some people are claiming? In this interview with Sean Newman of Sourcefire, we discover how the best way to view the supposed menace of mobile devices in the workplace is to stop regarding them as a separate security issue. Once connected, they’re just another device sending and receiving data.
Contrarisk Security Podcast #0027: Masking sensitive data
There’s lots of talk about putting security close to the data. One way of doing this is data masking, which obscures or modifies data as it is used according to a set of rules. We spoke with Amit Walia of Informatica about how this technology works and what it offers.
Contrarisk Security Podcast #0026: Evolving DDoS
Distributed Denial of Service (DDoS) attacks have been with us for a long time. But is the nature of the attacks evolving, and how is this presenting new threats? We interview Dave Larson, CTO of Corero Network Security, who explains that DDoS is now commonly seen as part of hybrid attacks, with the denial of service often being just a cover for other, more worrying exploits. And as organisations move more and more of their IT capability to shared datacentres and cloud services, it’s becoming more common for them to suffer from DDoS even if they are not the intended target.
Previous podcasts – available on Soundcloud
ContraRisk Security Podcast #0025: Software flaws and change management – Software flaws are at the root of many security exploits, yet developers continue to make simple, easily fixed errors. Is this an educational problem, the result of excessive pressure to get code out of the door, or are there more deep-seated cultural issues? Justin Clarke, director and co-founder of Gotham Digital Science and London chapter leader of OWASP explains how we need to give developers better tools to work with, but there’s also a need for a change in mindset. Change management is another key issue, in that changes to systems and networks often go undocumented, which makes it impossible for you to know what your security situation really is. Michael Fimin of Netwrix argues that all changes on a system need to be logged automatically, but that you also need help in understanding which changes are the most significant. View the show notes ->
ContraRisk Security Podcast #0024: A return on your security investment – Information security is usually thought of as an insurance policy – something that costs you money but doesn’t directly contribute to profitability. So is it possible to talk about, and even calculate, the Return on Investment (ROI) for all that money you’re spending on firewalls, IPS, SIEM, anti-malware and skilled professionals to run them? Colin Tankard of Digital Pathways believes that, if you start thinking in terms of improved business processes, the answer is yes. View the show notes ->
ContraRisk Security Podcast #0023: M2M and malware detection – Outside of scare stories surrounding Scada systems, machine-to-machine (M2M) security doesn’t hit the headlines often. But as Professor Jon Howes of Beecham Research explains, it’s not only a critical area, becoming more important by the day, but also has a lot to teach us about securing the Internet of Things. In this episode, we also speak to Marco Cova of Lastline about his company’s innovative approach to malware detection on networks, in which malicious software is spotted as it tries to execute its commands on the processor. View the show notes ->
ContraRisk Security Podcast #0022: Security visibility and protecting your data – Will 2014 be the year of security visibility? Corey Nachreiner of WatchGuard explains why he thinks being able to visualise your networks and the activity on them will be key to security developments in the year ahead. Meanwhile Jason Hart of SafeNet explains that your defences should no longer be focused around the technology you own, but the data on it. And there are two key aspects to this – controlling access to the data, and encryption. View the show notes ->
ContraRisk Security Podcast #0021: Cloud security and PCI DSS 3.0 – Even for those organisations that have embraced the cloud, security can be a fuzzy issue, and many end up trusting in the security offered by their cloud service providers. But Colin Tankard of Digital Pathways, speaking with Steve Mansfield-Devine, argues that you’re better off separating the security element and either managing that yourself or handing it to a managed services provider. And with the advent of the new version of PCI DSS, Sam Maccherola of Guidance Software explains to Tracey Caldwell how the new rules will improve payment security and what businesses need to do to prepare for them. View the show notes ->
ContraRisk Security Podcast #0020: Rogue insiders and cybercrime co-operation – John Lyons of the International Cyber Security Protection Alliance (ICSPA) talks to Steve Mansfield-Devine about the sudden freeze in co-operation between nations and law enforcement operations following the Edward Snowden NSA leaks – and the impact this is having on fighting cybercrime. He also shares his views on the need to educate people about cyber-threats, and his feelings about Bitcoin, and why he thinks it should be shut down. And Alan Kessler of Vormetric talks to Tracey Caldwell about the insider threat and the results of his company’s recent research into the problem. He explains why organisations need to have better control over who has what privileges. View the show notes ->
ContraRisk Security Podcast #0019: The evolution of pen-testing – As new threats emerge, technology evolves and organisations’ IT environments become ever more complex, how is penetration testing changing to meet these challenges? In this interview, Mark Raeburn of Context Information Security explains how pen-testing increasingly uses an aggressive ‘red team’ approach to help answer the question organisations are now asking ‘am I secure?’ And he argues that pen-testing needs to be integrated more into firms’ development and management processes. View the show notes ->
ContraRisk Security Podcast #0018: Encrypted comms and BYOD – The information security business isn’t short on qualifications and certifications, but does it have the right ones? In this interview, we talk to Ian Glover, president of CREST, the not-for-profit organisation that provides standards and certifications in areas like penetration testing, about the need for greater professionalism in the infosec business, and the moves being made to provide more ways for young people to enter the industry and progress through it. View the show notes ->
ContraRisk Security Podcast #0017: Encrypted comms and BYOD – Silent Circle has recently dropped its secure email service, in the wake of the NSA Prism revelations, but still offers encrypted voice and text communications. Jon Callas, CTO, explains why such services are needed and how they work. And Seth Hallem, CEO of Mobile Helix, explains why organisations are doing BYOD and mobile security wrong. They’re making the mistake of focusing on the devices rather than the people using them, he says. View the show notes ->
ContraRisk Security Podcast #0016: DDoS and trust on the Internet – According to Mick Ebsworth of Integralis, while people continue to shop and bank online, not everyone has faith in Internet-based businesses to keep their personal data secure. Firms need to do a lot more to educate users – not about the risks, of which most of them are already aware – but what they can do to make themselves more secure. And firms need to look more closely at their own business processes, too. Meanwhile, Distributed Denial of Service (DDoS) attacks are on the rise. Etienne Greeff of SecureData explains that firms need to take a more risk-based approach to the problem, which is likely to affect them sooner or later, and how you deal with skills shortages. View the show notes ->
ContraRisk Security Podcast #0015: Prism and the cost of surveillance – The NSA’s Prism programme has caused a fierce debate about civil liberties. One aspect that has had little attention, however, is the cost of such programmes. These costs could include the overheads that result from the inevitable large number of false positives that arise when automated tools are used against very large amounts of communications surveillance data. Not only does this involve expensive analysts, but what happens when lawsuits start flying? And what is the cost of large-scale and indiscriminate network monitoring in terms of public trust? Siraj Ahmed Shaikh, reader in cyber-security at Coventry University, discusses all this, and more. View the show notes ->
ContraRisk Security Podcast #0014: The continuous security model – In many organisations, security is in a bit of a mess. Solutions have been layered on to counter a variety of threats against a variety of assets. But the result is a configuration management and upgrade nightmare. According to Dominic Storey of Sourcefire, your security planning needs to take account of all phases of an attack – before, during and after. With the security environment being so complex, how do you make sure you have the right security solution for your organisation and the threats you actually face? According to Storey, the answer is in a ‘continuous security model’ in which security systems are fully joined up throughout the before, during and after phases of an attack – and retrospectively so you can find where problems originated. View the show notes ->
ContraRisk Security Podcast #0013: Proactive security and strong identity – A recent survey found that administrators are less confident than ever about securing their servers. Michael Bilancieri of Bit9 talks to us about the disappearance of the traditional perimeter and how this is making administrators nervous. Organisations have been layering on security, but the effect is to make the security stack unmanageable, as well as having too great an impact on system performance. What’s needed, he says, is a more proactive approach. Establishing a user’s identity is key to security, and we’ve seen increasing use of technologies like two-factor authentication (2FA). But what does the term ‘identity is the new perimeter’ actually mean? And how can you use strong identity technologies to benefit the organisation? Tim Brooks of Signify explains. View the show notes ->
ContraRisk Security Podcast #0012: Phishing & security awareness – Phishing is a pernicious threat, and on the rise. Making employees aware of the dangers requires more than the occasional classroom lecture – it might mean attacking your staff on a regular basis, explains Joe Ferrara of Wombat Security Technologies. And we seem to be having trouble getting both organisations and the general public to take security seriously. Colin Tankard of Digital Pathways thinks we need regulators with more teeth, and education of the public so that they start demanding better security by organisations. View the show notes ->
ContraRisk Security Podcast #0011: Socioware – Microsoft recently warned about Man in the Browser (MitB) malware exploiting Facebook sessions. When a user is infected – often by drive-by downloads on infected or malicious sites – the malware uses authenticated sessions on Facebook to post messages, ‘like’ pages and get up to general mischief. But this wasn’t the first MitB attack to target social networking services. One person who’s been following this attack vector is Aditya Sood, a security practitioner and PhD candidate at Michigan State University. He explains why this form of attack is so effective, and why implementing countermeasures is tricky. View the show notes ->
ContraRisk Security Podcast #0010: APTs – Everyone seems to have a different idea about what we mean by Advanced Persistent Threat (APT). Some people insist it’s just a marketing term while others believe the threat they pose to be very real. But as Filippo Cassini of Fortinet explains to Steve Mansfield-Devine, there’s no doubt that attackers are using sophisticated methods that are highly targeted against certain organisations. He explains what he means by ‘advanced’ and ‘persistent’ and what you can do to detect such attacks and mitigate them. And he touches on how the recent attacks on South Korea were a form of APT, but with a twist. View the show notes ->
ContraRisk Security Podcast #0009: Social engineering – Do we focus too much on security and not enough on people? Social engineering is an age-old problem, but it’s not going away. And while many threats can be as crude as a badly spelled phishing email, there is a trend toward more targeted campaigns that are harbingers of something more serious. David Emm, senior security researcher at Kaspersky Lab, explains to Tracey Caldwell that many of today’s sophisticated attacks on organisations start with ‘hacking the human’. By tricking staff into compromising corporate security, attackers get a foothold in the organisation. The answer is to take people’s behaviour, but this is difficult and it’s not going to happen overnight. And changes need to be made at all levels of the organisation. View the show notes ->
ContraRisk Security Podcast #0008: Old and new threats – Much of the attention in the infosecurity world is on new and exotic threats. But the Information Security Forum (ISF) has just published a report highlighting the dangers of the threats you already know about – but maybe haven’t yet properly addressed. Steve Durbin, global VP for the ISF, talks to Tracey Caldwell about how the ‘traditional’ threats have matured, and how organisations need to come to grips with, and properly understand, the risks, take responsibility for them and get all parts of the business talking to each other. View the show notes ->
ContraRisk Security Podcast #0007: Black Hat EU: iOS pen-testing and attacking SSL – At Black Hat Europe, Vivek Ramachandran, best known for his work on wifi security, presented a workshop on pen-testing iOS apps, and discusses why we need to stop thinking of Android as the only vulnerable mobile platform. He also touches on the continuing sorry state of wifi security. And Tal Be’ery of Imperva discusses how the CRIME exploit of SSL encryption has been updated to TIME, making encrypted web sessions vulnerable without needing to be man in the middle. View show notes ->
ContraRisk Security Podcast #0006: Black Hat EU: Kali Linux – Offensive Security used Black Hat Europe 2013 to introduce Kali, an enterprise-friendly evolution of its famous BackTrack Linux distro, and Rapid7 is supporting Metasploit on the platform. Mati Aharoni of Offensive Security and Christian Kirch of Rapid7 explain the thinking behind the greater focus on enterprise users and what the platform can offer. View show notes ->
ContraRisk Security Podcast #0005: Black Hat EU: SQLi – To kick off our coverage of Black Hat Europe 2013 we have an interview with Sumit ‘sid’ Siddharth, head of penetration testing for 7Safe (now part of PA Consulting), who regularly runs training sessions at security events. He gave a course on SQL injection on the first training day of Black Hat Europe. And he explained to Steve Mansfield-Devine why SQLi is still with us after all these years, and why new exploits are appearing all the time. He also shares his feelings about the value of events like Black Hat, and the importance of the industry sharing information and insights. View show notes ->
ContraRisk Security Podcast #0004: Biometric identity in the developing world – Alan Gelb, a senior fellow at the Center for Global Development, talks to Tracey Caldwell about the role that biometric technology can play in developing countries. Many people in the world’s poorer countries have no official identity, which prevents access to entitlements such as health care, benefits and voting rights. Biometric ID programmes, using technologies such as fingerprint or iris recognition, can help solve this problem, but not all are successful. We find out why. View show notes ->
ContraRisk Security Podcast #0003: Security skills and certification – John Colley of (ISC)2 discusses the organisation’s new research into security skills in the UK and why there aren’t enough properly trained staff to go around. And Colin Tankard of Digital Pathways offers his opinion of the value of product certification by government information assurance body CESG. View show notes ->
ContraRisk Security Podcast #0002: Keys, certs, web vulns & critical infrastructure – Jeff Hudson of Venafi explains why managing encryption keys and certificates is so difficult – and examines the cost of getting it wrong. Rhodri Davies of HP discusses the problem of keeping fast-developing websites secure. And ContraRisk journalists Steve Gold and Danny Bradbury talk to host Steve Mansfield-Devine about Barack Obama’s call for critical infrastructure security, Github’s problems with credentials and Canadian snooping laws. View show notes ->
ContraRisk Security Podcast #0001: Java and rogue clouds – We talk to Ross Barrett of Rapid7 about problems with Java, and to Richard Walters of SaaSID about the dangers posed by unauthorised cloud use and shadow IT. View show notes ->