Synopsis

  This is the first part of a 3-part (3 x 30 minute segments) holiday episode that was aired LIVE, where Will, Scott and I talk about what significant things happened in 2011, and what we should be looking forward to in 2012.  No predictions, no propaganda, just hard-hitting, amusing, and often nostalgic discussion about the realities of living in an ever-more connected world as we go into 2012.  I hope you enjoy the podcast series if you missed it live.  In the future, look for announcements of live episodes on my (@Wh1t3rabbit) podcast feed and join in the discussion!

Guests

• Will Gragido: In addition to being a great guy, and a personal friend of mine ...An information security and risk management professional with over 17 year’s professional industry experience, Mr.Gragido brings a wealth of knowledge and experience to bear. Working in a variety of roles, Mr.Gragido has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and business development within the information security industry.  Will currently serves as the Senior product-line manager for HP Enterprise Security TippingPoint.
• Scott Clark: Scott Clark brings more than 16 years of leadership experience to Vyatta as its Senior Director of Worldwide Channels. In this role, he is responsible for creating and managing Vyatta’s emerging Worldwide channel, as well as evaluating future channel opportunities. In addition to his role at Vyatta, Scott also serves as the Chapter President of the Cloud Security Alliance in Chicago.

Synopsis

  On this edition of the podcast, Kris Herrin joins me from the ISSA International Conference to talk about his unenviable role as Chief Information Security Officer of Heartland Payment Systems during one of the most epic data breaches in history.  For those of you who didn't live in a cave - Kris and his organization turned the ship around ...not only that - this incident was used to help the organization find religion in Information Security and sound risk management practices.  Now as Heartland leads the payment industry in security - Kris talks about his ascention through the tanks to CTO, and how getting in front of the bull made all the difference.

  You do not want to miss this episode!

Guest

• Kris Herrin:  Mr. Herrin is a recognized technology and security executive with international leadership experience in large and small publically traded companies. Leveraging an extensive history of security, audit, and governance, he brings high energy and a risk-based view to delivering secure and reliable technology solutions to business problems. Mr. Herrin’s experience includes transforming traditional IT into a mature, ITIL-oriented service organization, building domestic and Asia-based organizations, and IT crisis management.

Synopsis

  My guest David Elfering (@icxc on Twitter) and I go all over the map covering various SecBiz related topic, and come up with a fantastic set of quotes including: "No matter how long you hold the light bulb up, the world will not revolve around InfoSec" and other gems.  We talk through how to present to a business group or executive, the communication and written skills required and various other topics related with bridging the business - security gap.  This is a great episode to listen to - we cover a lot of ground.

Guest

• David Elfering (@icxc) - David is the Senior Director of Information Security over at Werner Enterprises out of Omaha, NB.  David is a verteran of the IT industry providing leadership at corporate level, building and leading the security program and infrastructure for a two billion dollar, multi-national corporation. Experience at community, state and national levels with FBI Infragard, Nebraska Infrastructure Protection Council and the SANS Institute. Able to translate information security practices to business advantage. Experienced speaker, instructor and mentor. Member ISSA CISO Executive Forum. CRISC #1115272

Synopsis

  In this edition of the podcast, I sit down with Jeff Moss (@TheDarkTangent) to talk about all of the interesting evolutions currently going on in the Internet age.  As one of the people who has watched the cyber punk culture evolve from the dark culture of hacking for curiosity, through the "dot com boom" and now into mainstream business, and he has some interesting commentary on how we've evolved as a culture and a group.  We also talk through some interesting hacker vs. government regulation topics, and IPv6 of course!  Listen in, and hear all the really exciting things Jeff has to say.

Guest

• Jeff Moss (@TheDarkTangent) - In addition to being the founder of the Black Hat and Defcon hacker conferences, Jeff is now a part of the Department of Homeland Security Advisory Council since 2009.  Currently Jeff is the Chief Security officer at ICANN, the Internet names and assigned numbers authority.

Synopsis

  This is perhaps the most important podcast I've recorded to date, and probably will record for some time.  The guests on my show in this episodes are not only privacy experts, but people who deal with digital privacy every day ...and are just as appalled as I am about the rapid erosion of privacy in the modern digital age.  From 4Square to the automated toll collection system - you're being tracked when you tweet, drive, and buy discount paper towels at your local market ...and technology is facilitating the privacy you're willfully giving up.

  STOP the madness!  This episode just scratches the surface on all the different methods we're giving away our reasonable expectation of privacy, and how corporations and governments are hastening its demise.

Guests

My guests on this podcast wished to remain anonymous (lower-case A) except for their Twitter handles.  Join me in thanking them for their time, thought, and insight.

• theprez98
• grecs
• infojanitor

Links

• OnStar spying on drivers/passengers - http://www.autoblog.com/2011/09/21/gms-onstar-now-spying-on-your-car-for-profit-even-after-you-uns/
• Divorce cases swayed by FaceBook, social media - http://www.knoxnews.com/news/2010/jul/25/in-the-age-of-facebook-divorce-battles-go/?print=1

Synopsis

  This week I host Bryan Stiekes, a distinguished technologist with HP ...and not a security guy by trade.  Bryan has been a part of IT for a very long and distinguished career, with a background in networking and architecture.  Bryan's premise is that Information Security is at its core fundamentelly broken ...and I can't say I disagree.  We discuss the different aspects of what's been wrong with modern information security, and whether this is a good time to be in the 'business' of IT.

  This is a fascinating conversation for anyone who's feeling lost in IT Security ...and looking for some light at the end of the dark tunnel we've managed to wander into.

Guest

• Bryan Stiekes - Distinguished Technologist Hewlett Packard - Bryan Stiekes is an HP Distinguished Technologist with a focus on network strategy and cloud services architecture. Bryan has deep experience in secure networking and in multi-tenant services architecture to this role. Recently he's been focusing on the emerging 'as-a-Service' ecosystem and how that ecosystem impacts enterprise network and security models... and a Jedi Master.

Synopsis

  This is the first MicroCast, a new 15-minute format jammed packed with a series of great topics.  This time around, Jack Nichelson joins me and tells us how Bruce Lee feels about IT Security (this is a great quote!), why really good IT Security is just really good IT, and whether we will all be replaced by "Cyber-Insurance" policies.  Yikes ... this is definitely 15 minutes you'll be happy you listened.

Guest:

• Jack Nichelson - Jack is an information security officer at a very large industrial enterprise.  Jack's background is not IT Security, but he is a venteran of technology, and a master story-teller.  Jack can be found on Twitter as "@jack0lope".
  

Synopsis

  This is a special episode for anyone who's feeling like "Information Security" in their small business is impossible.  My guests and I talk through how to make information security a proper entity that can both serve the business need, and be respected; more than just survival, it's about making security thrive in the small business.  Michael potificates on what makes the security community such a valuable resource to security managers in his position, and we go into what advice you could give a vendor selling into a small business ... what a fascinating discussion!

Guests

• J.W. Goerlich - Network and Security Manager for a midwestern financial organization
  Wolfgang has 15 years in IT, with a InfoSec focus for the past 5 years. He has a deep background in risk management and business continuity for SMB firms.
• Michael Allen - Information Systems Security Officer for a Jamaican-based financial Institution. Michael has over 8 years experience in IT, with a focus on Infosec during the last 4 years. He has a strong background in application development with a keen interest in penetration testing, software security assurance and network security.

Links

• The "SecBiz" group on LinkedIn: http://www.linkedin.com/groups/SecBiz-4001160?gid=4001160&trk=hb_side_g
  

Synopsis

  Over the past year and a half of so, I've been pushing hard to change the paradigm around secure software - specifically the testing aspect of it to incorporate a much heavier emphasis on quality assurance.  That conversation spilled over into an OWASP conversation, which lead Glenn, Rohit and I to sit down and record this conversation we had - as we appear to be of like mind.  While it's not trivial to incorporate security testing into quality assurance, it's not impossible, and in fact, more practical than you may think.

  In this segment we discuss what security testing in a QA team looks like, how it's potentially split up, and whether we can really and truly make it work.  Glenn provides his practical perspective being an implementer of this methodology, while Rohit and I provide an across-the-industry discussion and commentary.

  I think you'll find this podcast episode fascinating, especially if you're struggling with the QA/Security relationship.

Guests

• Rohit Sethi - VP Product Development at SD Elements (http://www.sdelements.com)
  Rohit Sethi is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project. 
• Glenn Leifheit - Lead Information Security Consultant at FICO (http://www.fico.com)
  Glenn Leifheit, CISSP, CSSLP is a Senior Security Architect at FICO. He has worked in developing, managing, architecting and securing large scale applications for over 15 years. His day is spent rolling out an Enterprise secure software development lifecycle and managing PCI requirements as well as secure software reviews. Glenn is active in the Technology community as the Co-Chair of (ISC)2 Application Security Advisory Board, President of TechMasters Twin Cities, as an active member of IASA (International Association of Software Architects) and OWASP (Open Web Application Security Project) as well as a regional speaker evangelizing secure software. Glenn's blog is located at www.glennleifheit.com. 

Links

• No links for this podcast...

Synopsis

This edition of the podcast doesn't hold back.  We ask "Can someone be hacked out of business?" and as usual we don't really like the answers we come up with.  While Martin, Rob and I have been in most every aspect of security for just over a combined 3 decades, we end up with a conslusion that I don't think any of us are comfortable with ...at least not that we were willing to say out loud, until now.  So is it possible?  Is DigiNotar being "hacked out of business" as Dark Reading suggests all FUD?  Listen and find out where we go with this topic!

Guests

• Rob Hale (UK) - An entrepreneur and industry commentator, Rob has over 12 years of experience working in the Security industry, with integrators, channel partners and vendors, providing advice and solutions for Enterprises & Government agencies to secure their networks, systems and data from internal and external threats.
• Martin McKeay - Security Evangelist, Akamai
• Rafal Los (aka the "Wh1t3 Rabbit) - HP Enterprise & Cloud Security Strategist

Links

• The DarkReading story that started us thinking: http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231601790/diginotar-hacked-out-of-business.html
• The company Rob brought up which actually was hacked out of business (Distribute IT)- http://risky.biz/distributeit

This is the inaugural podcast episode of Down the Rabbithole.

Our podcast focuses on security, but from a business perspective and shines a light on the often misunderstood connection between Information Security and "business".

Today's guests were:

• Chris Nickerson - Founder, Lares Consulting
• Will Gragido - Lead Researcher, HP TippingPoint DV Labs
• Martin McKeay - Security Evangelist, Akamai

The topic for today's podcast was the question: "Everyone's getting hacked, should I panic?" ...and we also mention the HP TippingPoint DVLabs 1st Half 2011 Cyber Threat Report.

Links:

• Chris Nickerson mentions his "12-step blog post" > http://www.laresblog.com/2010/04/confessions-of-secaddict.html
• Martin McKeay mentions Sony's "lawyer approach" > http://arstechnica.com/gaming/news/2011/09/mandatory-ps3-update-removes-right-to-join-in-a-class-action-lawsuit.ars
• HP TippingPoing DV Labs 2011 Mid-Year Top Cyber Security Risks Report > http://www.hpenterprisesecurity.com/collateral/report/CyberSecurityRisksReport.pdf

Phil Cox joins Rafal (aka Wh1t3 Rabbit) and Martin McKeay and a gallery of others dicussing the issues with the very nebulous term "Cloud Security", and what it means, and how we as vendors can realistically help the consumers of cloud get a handle on what the heck this all means.

Fascinating conversation ensues.