Thursday, July 22, 2021

Episode #56 You Got Breached, Congratulations.

You’re NOT a special snowflake
You can’t go round pouting
You don’t need to find anyone to blame
No, the Russians probably didn’t do it
No, I don’t need tagging in the post
Yes, likely you DO need to change some things
No, you probably couldn’t have stopped it
Yes, you could have likely detected it sooner
Yes, you could probably have remediated it faster
No, don’t you DARE blame the users!
No, your annual training for 30 mins isn’t effective (it sucks)
Yes, you can recover from it (hopefully)
No, it won’t kill you JUST yet, wait a few more years though…
More budget? Stop whining and spend what you have wisely
Yes, it means you have to roll up your sleeves
Yes, interns or apprentices can help remediate this
Yes, get off your ass, it got pwned, get over it
No, you’re still NOT a special snowflake.

You’re JUST like all the other breaches
You can sit down and plan
You should go look in the mirror
You likely did it to yourself, we’ll get to that.
Yes, you can reach out for help and advice
NO, you don’t need to buy everyone’s cyber-crap
NO, everyone’s cyber-crap isn’t going to stop it either
YES, it would be good to know what you actually have
YES, it would be great to know WHERE your data IS
Yep, IF you can track it back, it probably starts on a user’s machine
Yes, ongoing education HELPS (doesn’t fix, but helps)
Yes, you can recover from it (get the basics in order)
Yes, we are working on hacking the chips in humans, fun eh?
Nope, don’t expect more money, so work smarter
Yes, it means you can now get your house in order, good!
Yes, you can probably justify headcount but save $$ and get folk TO train
Yeah, it sucks, sorry, but it’s the way of the new world.
And no, you’re not special, you CAN however be a good example.

Get the basics sorted out BEFORE your ass is delivered TO you on a silver platter

* Assets, what do you have?
* Assets, where are they?
* Who’s got access to them, and why?
* What DO they do, what is their purpose?
* What’s on them?
* Which ones do you need to care about?

Got it? Good, now go get a cuppa tea or coffee and go deal with it… I’m going to go make breakfast.

‘all for now


Thursday, July 8, 2021

Episode #55 To Code Scan or Not to Code Scan That is the Question


This last year we have seen a huge uptick in attacks leveraging compromised software as the means of getting exploits onto the endpoints.

With more and more companies relying on managed services to run their day-to-day operations, understanding the security of the management tools being used, and the security practices of those who make the tools, is more important than ever.

We have tried for years to close the gap between development, operations and security. That journey has led us to what we now call DevSecOps (or, said the long way, Development Security Operations). This has worked to a varying degree but is still not adequate for the increased threat we face.

Just like we preach all the time to focus on the fundamentals, we usually talk about the fundamentals in the context of network, endpoint and organizational risk. Tonight we are going to take a deeper dive into one specific fundamental: development security practices.

How do you develop software that is secure by design? How do you test the software to ensure the least possible chance of a vulnerability slipping through into the release? How do you ensure the security of your code base? And do not get me started on the use of 3rd-party code pulled from GitHub without understanding what it does beyond the narrow need for a handful of functions. How do you control and manage all of this in a way that is non-disruptive to the business, innovation and development velocity?

Is there a way to simplify securing code and ultimately the products that use that code to function?
