
DtSR Episode 145 - NewsCast for June 1st, 2015
06/01/15 • 49 min
Apologies to anyone who is having issues downloading this episode!
In this episode...
- The ACLU encourages the government to get into bug bounties
- Read the original letter: https://www.aclu.org/sites/default/files/field_document/aclu_-_iptf_recommendations_submitted.pdf
- Points 1 & 2 are sane
- Point 3 makes a hard left into crazy-town
- http://thehill.com/policy/technology/243265-aclu-says-government-should-offer-rewards-for-finding-security-flaws-on-its
- The massive taxpayer data fraud (not really a breach) is believed to be the work of Russia, says the IRS
- Does it really matter?
- Was this a breach or an abuse of functionality?
- Would your company have caught this?
- http://www.cnn.com/2015/05/27/politics/irs-cyber-breach-russia/index.html
- CareFirst says their recent breach affects only about 1.1M people
- Healthcare is clearly in the "bad guys" target zone
- Quick to point out what the attackers did not get access to
- Of course it was a sophisticated cyberattack
- http://abcnews.go.com/Technology/wireStory/carefirst-data-breach-affects-11m-people-31187250
- CNA Financial business unit refusing to pay out claim to Cottage Health System
- Claims hospital "failed to continuously implement procedures and risk controls identified"
- CNA unit alleges many failures -- but is this fair?
- http://www.businessinsurance.com/article/20150515/NEWS06/150519893
>>> If you're reading this, consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Previous Episode

DtSR Episode 144 - Insights from the ISC2 2015 Survey
In this episode...
- David Shearer, Executive Director for ISC2 joins us to talk about the results of the ISC2 2015 Information Security Workforce Study
- We ask David to highlight some of the results
- We discuss how malware and application security were identified as top threats 3 years in a row -- and what's to be done about this
- We discuss the major discrepancy between priorities from this survey and recent CIO surveys
- We discuss the importance of communication skills (identified in the survey) while leadership and business management are far down the scale
- We discuss with David how under his leadership ISC2 can build a much tighter alignment to business -- not just more security certifications
Guest
- David Shearer - David Shearer has more than 27 years of business experience including the chief operating officer for (ISC)2, associate chief information officer for International Technology Services at the U.S. Department of Agriculture, the deputy chief information officer at the U.S. Department of the Interior, and the executive for architecture, engineering and technical services at the U.S. Patent and Trademark Office. Shearer has been responsible for managing and providing services via international IT infrastructures, and he has implemented large-scale SAP Enterprise Resource Planning (ERP) projects. Shearer holds a B.S. from Park College, an M.S. from Syracuse University, management and technical certificates from the U.S. National Defense University, and he is a U.S. federal executive presidential rank award recipient. As (ISC)2 Executive Director, Shearer is responsible for the overall direction and management of the organization.
Next Episode

DtSR Episode 146 - State of Enterprise Incident Response
In this episode...
- Defenders are set up to fail? How and why
- How do we fill forensics and IR positions? What skills and qualifications do forensics/IR need to have?
- How can enterprises get better at IR from where they are today?
- How do we solve some of the problems plaguing the security industry?
Guest
- Andrew Case (@attrc) - Andrew Case is a senior incident response handler and malware analyst. He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis. He is a core developer on the Volatility memory analysis framework and co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory".