Synopsis

  This special episode of Down the Rabbithole is sponsored exclusively by HP Canada, and I wanted to thank them for hosting this fantastic event!  In this episode I sat down with Charlie Bess and EG Nadhan to talk about Cloud Computing.  Now, this isn't your standard cloud discussion ... no my friends, these are two of the top technologists HP has to offer from the labs and services organizations talking about the paradigm shifts in computing that "the cloud" offers.  We talk through business adoption, getting over the "it's cheaper" mentatlity, security ... and even some of the things learned here at the event in Montreal.

  What a fantastic opportunity to pick the brains of some extremely smart people, and hear their responses to one of the most difficult and rewarding business shifts in technology in the last 10 years.  You're not going to want to miss this.

Guests

• EG Nadhan - Distinguished Technologist, HP Enterprise Services
  
• Charlie Bess - Fellow, HP Labs

Synopsis

  This month's cal lkicks off 2012 with a big question - "Do security professionals follow their own policies?" ... and as we talk through this issue we discover that there are other subtleties to this question.  Does it make sense for Information Security to have separate accounts for general and administrative access?  Does a securit policy fail if it does not account for 'exceptions' to that policy - legitimate exceptions?  What about an exception policy that allows information security professionals to navigate complex policy issues and receive 'allowances' to do their jobs without being limited by the general user policy?

  These are complex questions that we tackle, and offer some guidance for ... and in the end, things aren't as simple and black-and-white as we'd all like ... you'll just  have to listen to hear the advice we dispense!

Guest

• [Co-Host] Michelle Klinger of EMC Consulting joins me to co-moderate the first SecBiz 2012 monthly call.  Michelle is currently a consultant with EMC.
  

Synopsis

This episode with Jeff was awesome, recorded at the OWASP LASCON security conference, I got a chance to sit down with Jeff in person and talk shop.  I always learn something, but in this podcast Jeff dispensed his usual wisdom in buckets, I could barely write this stuff down fast enough.  We covered the raising of the "information security table stakes", and what the last 15 years have meant to the information security profession in terms of evolution.  We went into a discussion on how information security can avoid being a cost center and feeling the traditional expansion and contraction with workload and economic times, and I learned what the phrase "it was a business decision" really means.  In case you need one more compelling reason, Jeff brought up yet another gem when he discussed how the business pushes the boulder off the cliff, then expects information security to change its trajectory mid-fall ... you're not going to want to miss this.  I had a wonderful time catching up with Mr. Reich, and you'll enjoy this podcast, that's a promise.

Guest

• Jeff Reich - (hint: it's prounounced "rich") - A solid history of developing and providing expertise and leadership on information security and all associated disciplines by integrating Managed Risk into the business in the energy, manufacturing, technology and financial services industries. Successfully created and implemented comprehensive Security and Risk Management Infrastructure for a large oil and gas company as well as four of the largest Internet and e commerce providers in their respective industries. Holds a national reputation of excellence through results, publications and presentations of value. Known for ability to hire, train and inspire high performance teams that support and help drive the core business structures. [LinkedIn: http://www.linkedin.com/in/jreich]
  
  In addition to that, I've known Jeff for a very, very long time throughout his illustrious career, and have always been amazed by his ability to dispense one-liner wisdom, like this one on a recent blog post on "The compliance hamster wheel": "I have been saying for years that simply chasing compliance is like chasing your tail.  You probably won't catch it and if you do, it will hurt."

Synopsis

  This is the first part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012.  No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012.  I hope you enjoy the podcast series if you missed it live.  In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion!

Guests

• Will Gragido: In addition to being a great guy, and a personal friend of mine ...An information security and risk management professional with over 17 year’s professional industry experience, Mr.Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr.Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry.  Will currently serves as the Senior product-line manager for HP Enterprise Security TippingPoint.
• Scott Clark: Scott Clark brings more than 16 years of leadership experience to Vyatta as its Senior Director of Worldwide Channels. In this role, he is responsible for creating and managing Vyatta’s emerging Worldwide channel, as well as evaluating future channel opportunities. In addition to his role at Vyatta, Scott also serves as the Chapter President of the Cloud Security Alliance in Chicago.

Synopsis

  On this edition of the podcast, Kris Herrin joins me from the ISSA International Conference to talk about his unenviable role as Chief Information Security Officer of Heartland Payment Systems during one of the most epic data breaches in history.  For those of you who didn't live in a cave - Kris and his organization turned the ship around ...not only that - this incident was used to help the organization find religion in Information Security and sound risk management practices.  Now as Heartland leads the payment industry in security - Kris talks about his ascention through the tanks to CTO, and how getting in front of the bull made all the difference.

  You do not want to miss this episode!

Guest

• Kris Herrin:  Mr. Herrin is a recognized technology and security executive with international leadership experience in large and small publically traded companies. Leveraging an extensive history of security, audit, and governance, he brings high energy and a risk-based view to delivering secure and reliable technology solutions to business problems. Mr. Herrin’s experience includes transforming traditional IT into a mature, ITIL-oriented service organization, building domestic and Asia-based organizations, and IT crisis management.

Synopsis

  My guest David Elfering (@icxc on Twitter) and I go all over the map covering various SecBiz related topic, and come up with a fantastic set of quotes including: "No matter how long you hold the light bulb up, the world will not revolve around InfoSec" and other gems.  We talk through how to present to a business group or executive, the communication and written skills required and various other topics related with bridging the business - security gap.  This is a great episode to listen to - we cover a lot of ground.

Guest

• David Elfering (@icxc) - David is the Senior Director of Information Security over at Werner Enterprises out of Omaha, NB.  David is a verteran of the IT industry providing leadership at corporate level, building and leading the security program and infrastructure for a two billion dollar, multi-national corporation. Experience at community, state and national levels with FBI Infragard, Nebraska Infrastructure Protection Council and the SANS Institute. Able to translate information security practices to business advantage. Experienced speaker, instructor and mentor. Member ISSA CISO Executive Forum. CRISC #1115272

Synopsis

  In this edition of the podcast, I sit down with Jeff Moss (@TheDarkTangent) to talk about all of the interesting evolutions currently going on in the Internet age.  As one of the people who has watched the cyber punk culture evolve from the dark culture of hacking for curiosity, through the "dot com boom" and now into mainstream business, and he has some interesting commentary on how we've evolved as a culture and a group.  We also talk through some interesting hacker vs. government regulation topics, and IPv6 of course!  Listen in, and hear all the really exciting things Jeff has to say.

Guest

• Jeff Moss (@TheDarkTangent) - In addition to being the founder of the Black Hat and Defcon hacker conferences, Jeff is now a part of the Department of Homeland Security Advisory Council since 2009.  Currently Jeff is the Chief Security officer at ICANN, the Internet names and assigned numbers authority.

Synopsis

  This is perhaps the most important podcast I've recorded to date, and probably will record for some time.  The guests on my show in this episodes are not only privacy experts, but people who deal with digital privacy every day ...and are just as appalled as I am about the rapid erosion of privacy in the modern digital age.  From 4Square to the automated toll collection system - you're being tracked when you tweet, drive, and buy discount paper towels at your local market ...and technology is facilitating the privacy you're willfully giving up.

  STOP the madness!  This episode just scratches the surface on all the different methods we're giving away our reasonable expectation of privacy, and how corporations and governments are hastening its demise.

Guests

My guests on this podcast wished to remain anonymous (lower-case A) except for their Twitter handles.  Join me in thanking them for their time, thought, and insight.

• theprez98
• grecs
• infojanitor

Links

• OnStar spying on drivers/passengers - http://www.autoblog.com/2011/09/21/gms-onstar-now-spying-on-your-car-for-profit-even-after-you-uns/
• Divorce cases swayed by FaceBook, social media - http://www.knoxnews.com/news/2010/jul/25/in-the-age-of-facebook-divorce-battles-go/?print=1

Synopsis

  This week I host Bryan Stiekes, a distinguished technologist with HP ...and not a security guy by trade.  Bryan has been a part of IT for a very long and distinguished career, with a background in networking and architecture.  Bryan's premise is that Information Security is at its core fundamentelly broken ...and I can't say I disagree.  We discuss the different aspects of what's been wrong with modern information security, and whether this is a good time to be in the 'business' of IT.

  This is a fascinating conversation for anyone who's feeling lost in IT Security ...and looking for some light at the end of the dark tunnel we've managed to wander into.

Guest

• Bryan Stiekes - Distinguished Technologist Hewlett Packard - Bryan Stiekes is an HP Distinguished Technologist with a focus on network strategy and cloud services architecture. Bryan has deep experience in secure networking and in multi-tenant services architecture to this role. Recently he's been focusing on the emerging 'as-a-Service' ecosystem and how that ecosystem impacts enterprise network and security models... and a Jedi Master.

Synopsis

  This is the first MicroCast, a new 15-minute format jammed packed with a series of great topics.  This time around, Jack Nichelson joins me and tells us how Bruce Lee feels about IT Security (this is a great quote!), why really good IT Security is just really good IT, and whether we will all be replaced by "Cyber-Insurance" policies.  Yikes ... this is definitely 15 minutes you'll be happy you listened.

Guest:

• Jack Nichelson - Jack is an information security officer at a very large industrial enterprise.  Jack's background is not IT Security, but he is a venteran of technology, and a master story-teller.  Jack can be found on Twitter as "@jack0lope".
  

Synopsis

  This is a special episode for anyone who's feeling like "Information Security" in their small business is impossible.  My guests and I talk through how to make information security a proper entity that can both serve the business need, and be respected; more than just survival, it's about making security thrive in the small business.  Michael potificates on what makes the security community such a valuable resource to security managers in his position, and we go into what advice you could give a vendor selling into a small business ... what a fascinating discussion!

Guests

• J.W. Goerlich - Network and Security Manager for a midwestern financial organization
  Wolfgang has 15 years in IT, with a InfoSec focus for the past 5 years. He has a deep background in risk management and business continuity for SMB firms.
• Michael Allen - Information Systems Security Officer for a Jamaican-based financial Institution. Michael has over 8 years experience in IT, with a focus on Infosec during the last 4 years. He has a strong background in application development with a keen interest in penetration testing, software security assurance and network security.

Links

• The "SecBiz" group on LinkedIn: http://www.linkedin.com/groups/SecBiz-4001160?gid=4001160&trk=hb_side_g
  

Synopsis

  Over the past year and a half of so, I've been pushing hard to change the paradigm around secure software - specifically the testing aspect of it to incorporate a much heavier emphasis on quality assurance.  That conversation spilled over into an OWASP conversation, which lead Glenn, Rohit and I to sit down and record this conversation we had - as we appear to be of like mind.  While it's not trivial to incorporate security testing into quality assurance, it's not impossible, and in fact, more practical than you may think.

  In this segment we discuss what security testing in a QA team looks like, how it's potentially split up, and whether we can really and truly make it work.  Glenn provides his practical perspective being an implementer of this methodology, while Rohit and I provide an across-the-industry discussion and commentary.

  I think you'll find this podcast episode fascinating, especially if you're struggling with the QA/Security relationship.

Guests

• Rohit Sethi - VP Product Development at SD Elements (http://www.sdelements.com)
  Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project. 
• Glenn Leifheit - Lead Information Security Consultant at FICO (http://www.fico.com)
  Glenn Leifheit, CISSP, CSSLP is a Senior Security Architect at FICO. He has worked in developing, managing, architecting and securing large scale applications for over 15 years. His day is spent rolling out an Enterprise secure software development lifecycle and managing PCI requirements as well as secure software reviews. Glenn is active in the Technology community as the Co-Chair of (ISC)2 Application Security Advisory Board, President of TechMasters Twin Cities, as an active member of IASA (International Association of Software Architects) and OWASP (Open Web Application Security Project) as well as a regional speaker evangelizing secure software. Glenn's blog is located at www.glennleifheit.com. 

Links

• No links for this podcast...

Synopsis

This edition of the podcast doesn't hold back.  We ask "Can someone be hacked out of business?" and as usual we don't really like the answers we come up with.  While Martin, Rob and I have been in most every aspect of security for just over a combined 3 decades, we end up with a conslusion that I don't think any of us are comfortable with ...at least not that we were willing to say out loud, until now.  So is it possible?  Is DigiNotar being "hacked out of business" as Dark Reading suggests all FUD?  Listen and find out where we go with this topic!

Guests

• Rob Hale (UK) - An entrepreneur and industry commentator, Rob has over 12 years of experience working in the Security industry, with integrators, channel partners and vendors, providing advice and solutions for Enterprises & Government agencies to secure their networks, systems and data from internal and external threats.
• Martin McKeay - Security Evangelist, Akamai
• Rafal Los (aka the "Wh1t3 Rabbit) - HP Enterprise & Cloud Security Strategist

Links

• The DarkReading story that started us thinking: http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231601790/diginotar-hacked-out-of-business.html
• The company Rob brought up which actually was hacked out of business (Distribute IT)- http://risky.biz/distributeit