Paul's Security Weekly #554
This week, Katherine Teitler, the Director of Content for MISTI, joins us to talk about past and future Infosec World events. Our next interview features Masha Sedova, the co-founder of Elevate Security, to discuss security awareness training. Masha is giving a keynote talk at the upcoming SOURCE Boston conference titled "Using Behavioral Science To Secure Your Organization". In the security news this week: thinking differently about the relationship between security and development, EEG devices are vulnerable, new Cisco IOS exploits, and if you're running older Intel chips you may never see a Spectre patch. All that and more in this episode of Paul's Security Weekly.
Recorded April 5, 2018 at G-Unit Studios in Rhode Island!
- Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- Check out SOURCE Boston 2018 from May 9th - 10th! Go to sourceconference.com and register using the code SW75WMKW to get a $75 discount!
- The webcast with Distil Networks on 9 Ways To Protect Your Business, is being held on Wednesday, April 25th. Register now at securityweekly.com/distilnetworks.
Interview: Katherine Teitler - 6:00PM-6:45PM
- What were some of the most popular talks at Infosec World this year?
- For the first time, Infosec World featured a capture the flag event. How did that go, and what did people win?
- What was your greatest challenge and how did you overcome it?
- What advice do you have for those in the community who are planning on running a security conference?
- Breaches are in the headlines more than ever before, how can you avoid being the "security scapegoat"?
- What's in store for future conferences, and especially Infosec World Orlando 2019?
Interview: Masha Sedova, Elevate Security - 6:45PM-7:45PM
- How did you get your start in information security?
- How do we get our employees to care about security?
- How important is the gamification of security awareness training?
- Some believe that end user security awareness is not worth the effort because the attacker only needs to fool one user, what are your thoughts on this opinion?
- Employees tend to come and go, including those that possess a high level of security awareness. How should we combat this problem?
- How does awareness differ from training and how can we use them together effectively?
- Some organizations consider the strategy of punishing employees for security violations. Why is this a bad idea?
- Others choose to reward. What are some examples of a poor reward system vs. an excellent reward system?
Security News - 7:45PM-8:30PM
- Intel drops plans to develop Spectre microcode for ancient chips - Core 2 processors are no longer scheduled to receive updates, and, while some first generation Core products have microcode updates available already, others have had their update cancelled.
- Critical remote code execution vulnerabilities impact Natus medical devices - The firm's electroencephalogram (EEG) offerings are described as "leading-edge features you want in critical care." The systems include amplifier ports compatible with USB and TCP/IP cables, while the NeuroWorks software connects to monitoring equipment to record data in SQL databases.
- Critical flaw leaves thousands of Cisco Switches vulnerable to remote hacking - The stack-based buffer overflow vulnerability (CVE-2018-0171) stems from improper validation of packet data in the Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators deploy (client) network switches easily.
- VirusTotal launches 'Droidy' sandbox to detect malicious Android apps - Android Sandbox performs both static and dynamic analysis to automatically detect suspicious applications by executing and monitoring applications in a simulated Android OS environment.
- Cloudflare's 1.1.1.1 promises to make DNS more secure
- Facebook and Twitter may be forced to identify bots - according to California lawmakers. They’ve introduced a bill that would give online platforms such as Facebook and Twitter three days to investigate whether a given account is a bot, to disclose that it’s a bot if it is in fact auto-generated, or to remove the bot outright.
- Four Gas Pipeline Firms Hit in Attack on Their EDI Service Provider
- How Security Can Bridge the Chasm with Development - I believe we need to move past the old way of thinking about this problem (for example, just go have some beers with your developers, etc.). DevOps, at its core, blends development with IT and with security into value streams. Once more organizations implement this model, we'll stop seeing development, IT and security working in silos.
- A new Mirai-style botnet is targeting the financial sector
- Hooray! Facebook ditches searching for people by phone number or email
- Python Regex Cheat Sheet
- New Android Malware Secretly Records Phone Calls and Steals Private Data
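The Cisco Smart Install item above is the one news story on this list where a defender can act immediately. As an added example, not from the show or from Cisco, the script below flags connections to the Smart Install service (which listens on TCP/4786) that do not come from the management subnet; the log format, addresses and the 10.0.100.0/24 management range are all constructed for illustration.

```python
"""Flag connections to the Cisco Smart Install service (TCP/4786).

Added example, not from the show notes. Switches that do not need Smart
Install should have it disabled; any connection to the port from outside
the network-management subnet is worth an alert, whether or not it was
allowed. Log format and IP ranges below are constructed, not real data.
"""
import ipaddress
import re
from typing import Dict, List

SMART_INSTALL_PORT = 4786
# Assumed management subnet; anything else talking to 4786 is suspicious.
MGMT_NET = ipaddress.ip_network("10.0.100.0/24")

# Constructed firewall-style log lines (key=value), not real captures.
SAMPLE_LOGS = """\
ts=2018-04-05T18:02:11Z src=10.0.100.12 dst=10.0.1.5 dport=4786 proto=tcp action=allow
ts=2018-04-05T18:03:40Z src=203.0.113.77 dst=10.0.1.5 dport=4786 proto=tcp action=allow
ts=2018-04-05T18:04:02Z src=203.0.113.77 dst=10.0.1.6 dport=22 proto=tcp action=allow
ts=2018-04-05T18:05:19Z src=10.0.7.33 dst=10.0.1.7 dport=4786 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) action=(?P<action>\S+)"
)


def find_smart_install_exposure(log_text: str) -> List[Dict[str, str]]:
    """Return TCP/4786 connections that did not originate from MGMT_NET.

    Denied connections are returned too: a blocked probe from an
    unexpected source is itself a signal that the port is being looked for.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed record
        rec = m.groupdict()
        if rec["proto"] != "tcp" or int(rec["dport"]) != SMART_INSTALL_PORT:
            continue
        if ipaddress.ip_address(rec["src"]) in MGMT_NET:
            continue  # expected: management host doing a legitimate deployment
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_smart_install_exposure(SAMPLE_LOGS):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:4786 ({h['action']})")
```

Run against real firewall or NetFlow exports by swapping SAMPLE_LOGS for the file contents and adjusting LINE_RE and MGMT_NET to your environment.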