174 episodes

Welcome to CISO Tradecraft®. A podcast designed to take you through the adventure of becoming a CISO. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.

CISO Tradecraft‪®‬ G Mark Hardy & Ross Young

    • Technology
    • 4.8 • 44 Ratings

Welcome to CISO Tradecraft®. A podcast designed to take you through the adventure of becoming a CISO. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.

    #174 - OWASP Top 10 Web Application Attacks

    #174 - OWASP Top 10 Web Application Attacks

    In this episode of CISO Tradecraft, host G. Mark Hardy delves into the crucial topic of the OWASP Top 10 Web Application Security Risks, offering insights on how attackers exploit vulnerabilities and practical advice on securing web applications. He introduces OWASP and its significant contributions to software security, then progresses to explain each of the OWASP Top 10 risks in detail, such as broken access control, injection flaws, and security misconfigurations. Through examples and recommendations, listeners are equipped with the knowledge to better protect their web applications and ultimately improve their cybersecurity posture.
    OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
    OWASP Top 10: https://owasp.org/www-project-top-ten/
    Transcripts: https://docs.google.com/document/d/17Tzyd6i6qRqNfMJ8OOEOOGpGGW0S8w32
    Chapters
    00:00 Introduction
    01:11 Introducing OWASP: A Pillar in Cybersecurity
    02:28 The Evolution of Web Vulnerabilities
    05:01 Exploring Web Application Security Risks
    07:46 Diving Deep into OWASP Top 10 Risks
    09:28 1) Broken Access Control
    14:09 2) Cryptographic Failures
    18:40 3) Injection Attacks
    23:57 4) Insecure Design
    25:15 5) Security Misconfiguration
    29:27 6) Vulnerable and Outdated Software Components
    32:31 7) Identification and Authentication Failures
    36:49 8) Software and Data Integrity Failures
    38:46 9) Security Logging and Monitoring Practices
    40:32 10) Server Side Request Forgery (SSRF)
    42:15 Recap and Conclusion: Mastering Web Application Security

    • 44 min
    #173 - Mastering Vulnerability Management

    #173 - Mastering Vulnerability Management

    In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management.
    Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij
    OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/
    Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207
    Chapters
    00:00 Introduction
    00:56 Understanding Vulnerability Management
    02:15 How Bad Actors Exploit Vulnerabilities
    04:26 Building a Comprehensive Vulnerability Management Program
    08:10 Prioritizing and Remediation of Vulnerabilities
    13:09 Optimizing the Patching Process
    15:28 Measuring and Improving Vulnerability Management Effectiveness
    18:28 Gamifying Vulnerability Management for Better Results
    20:38 Securing Executive Buy-In for Enhanced Security
    21:15 Conclusion and Further Resources

    • 22 min
    #172 - Table Top Exercises

    #172 - Table Top Exercises

    This episode of CISO Tradecraft, hosted by G Mark Hardy, delves into the concept, significance, and implementation of tabletop exercises in improving organizational security posture. Tabletop exercises are described as invaluable, informal training sessions that simulate hypothetical situations allowing teams to discuss and plan responses, thereby refining incident response plans and protocols. The podcast covers the advantages of conducting these exercises, highlighting their cost-effectiveness and the crucial role they play in crisis preparation and response. It also discusses various aspects of preparing for and executing a successful tabletop exercise, including setting objectives, selecting participants, creating scenarios, and the importance of a follow-up. Additionally, the episode touches on compliance aspects related to SOC 2 and the use of tabletop exercises to expose and address potential organizational weaknesses. The overall message underscores the importance of these exercises in preparing cybersecurity teams for real-world incidents.
    Outline & References:
    https://docs.google.com/document/d/13Qj4MOjPxWz9mhQCDQNBtoQwrXdTeIEf
    Transcripts: https://docs.google.com/document/d/1yfmZALQfkhQCMfp9ao3151P9L2XcEXFm/
    Chapters
    00:00 Introduction
    00:47 The Importance of Tabletop Exercises
    01:53 The Benefits of Tabletop Exercises
    03:06 How to Implement Tabletop Exercises
    05:30 The Role of Tabletop Exercises in Compliance
    08:24 The Participants in Tabletop Exercises
    09:25 The Preparation for Tabletop Exercises
    16:57 The Execution of Tabletop Exercises
    21:58 Understanding Roles and Responsibilities in an Exercise
    22:17 The Importance of a Hot Wash Up
    23:36 Creating an After Action Report (AAR)
    24:06 Implementing an Action Plan
    24:34 Example Scenario: Network Administrator's Mistake
    25:08 Formulating Targeted Questions for the Scenario
    26:36 The Role of Innovation in Tabletop Exercises
    27:11 The Connection Between Tabletop Exercises and Compliance
    29:18 12 Key Steps to a Successful Exercise
    30:43 The Importance of Realistic Scenarios
    34:05 The Role of Communication in Crisis Management
    37:33 The Impact of Cyber Attacks on Operations
    39:57 The Importance of Tabletop Exercises and How to Get Started
    40:35 Conclusion

    • 41 min
    #171 - Navigating Software Supply Chain Security (with Cassie Crossley)

    #171 - Navigating Software Supply Chain Security (with Cassie Crossley)

    In this episode of CISO Tradecraft, host G Mark Hardy converses with Cassie Crossley, author of the book on software supply chain security. Hardy explores the importance of cybersecurity, the structure of software supply chains, and the potential risks they pose. Crossley shares her expert insights on different software source codes and the intricacies of secure development life cycle. She highlights the significance of Software Bill of Materials (SBOM) and the challenges in maintaining the integrity of software products. The discussion also covers the concept of counterfeits in the software world, stressing the need for continuous monitoring and a holistic approach towards cybersecurity.
    Link to the Book: https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2
    Transcripts: https://docs.google.com/document/d/1SJS2VzyMS-xLF0vlGIgrnn5cOP8feCV9
    Chapters
    00:00 Introduction
    01:44 Discussion on Software Supply Chain Security
    02:33 Insights into Secure Development Life Cycle
    03:20 Understanding the Importance of Supplier Landscape
    05:09 The Role of Security in Software Supply Chain
    07:29 The Impact of Vulnerabilities in Software Supply Chain
    09:06 The Importance of Secure Software Development Life Cycle
    14:13 The Role of Frameworks and Standards in Software Supply Chain Security
    17:39 Understanding the Importance of Business Continuity Plan
    20:53 The Importance of Security in Agile Development
    24:01 Understanding OWASP and Secure Coding
    24:20 The Importance of API Security
    24:50 The Concept of Shift Left in Software Development
    25:20 The Role of Culture in Software Development
    25:52 Exploring Different Source Code Types
    26:19 The Rise of Low Code, No Code Platforms
    28:53 The Potential Risks of Generative AI Source Code
    34:24 Understanding Software Bill of Materials (SBOM)
    41:07 The Challenge of Spotting Counterfeit Software
    41:36 The Importance of Integrity Checks in Software Development
    45:45 Closing Thoughts and the Importance of Cybersecurity Awareness

    • 46 min
    #170 - Responsibility, Accountability, and Authority

    #170 - Responsibility, Accountability, and Authority

    In this episode of CISO Tradecraft, the host, G Mark Hardy, delves into the concepts of responsibility, accountability, and authority. These are considered critical domains in any leadership position but are also specifically applicable in the field of cybersecurity. The host emphasizes the need for a perfect balance between these areas to avoid putting one in a scapegoat position, which is often common for CISOs. Drawing on his military and cybersecurity experiences, he provides insights into how responsibility, accountability, and authority can be perfectly aligned for the efficient execution of duties. He also addresses how these concepts intertwine with various forms of power - positional, coercive, expert, informational, reward, referent, and connection. The host further empathizes with CISOs often put in tricky situations where they are held accountable but lack the authority or resources to execute their roles effectively and provides suggestions for culture change within organizations to overcome these challenges.
    Transcripts: https://docs.google.com/document/d/1S8JIRztM6iaZonGv0qhtWY4vDyBfGhs-/
    Chapters
    00:00 Introduction
    00:22 Understanding Responsibility, Accountability, and Authority
    01:20 The Role of Leadership in Cybersecurity
    02:47 Exploring the Concepts of Responsibility, Authority, and Accountability
    03:08 Applying Responsibility, Authority, and Accountability to the CISO Role
    04:20 The Interplay of Responsibility, Authority, and Accountability
    11:57 Understanding Power and Its Forms
    12:43 The Impact of Power on Leadership and Influence
    24:04 The Role of Connection Power in Today's Digital Age
    24:40 Understanding Different Sources of Power
    25:13 The Power of Networking and Connections
    26:49 The Challenges of Being a CISO
    29:19 Understanding the Value of Your Role
    33:56 The Importance of Expert Power
    37:46 The Consequences of Ignoring Maintenance
    43:40 Aligning Responsibility, Accountability, and Authority
    44:39 The Importance of Legal Protections for CISOs
    45:30 Wrapping Up: Balancing Responsibility, Authority, and Accountability

    • 46 min
    #169 - MFA Mishaps

    #169 - MFA Mishaps

    In this episode of CISO Tradecraft, host G Mark Hardy discusses various mishaps that can occur with Multi-Factor Authentication (MFA) and how these can be exploited by attackers. The talk covers several scenarios such as the misuse of test servers, bypassing of MFA via malicious apps and phishing scams, violation of the Illinois Biometric Information Protection Act by using biometric data without proper consent, and potential future legal restrictions on biometric data usage. G Mark also highlights the significance of correct implementation of MFA to ensure optimum organizational security and how companies can fail to achieve this due to overlooking non-technical issues like legal consent for biometric data collection.
    Transcripts: https://docs.google.com/document/d/1FPCFlFRV1S_5eaFmjp5ByU-FCAzg_1kO
    References:
    Evil Proxy Attack- https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web
    Microsoft Attack - https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/amp/
    Illinois Biometric Law - https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994
    Chapters
    00:00 Introduction
    00:43 Understanding Multi Factor Authentication
    01:05 Exploring Different Levels of Authentication
    03:30 The Risks of Multi Factor Authentication
    03:51 The Importance of Password Management
    04:27 Exploring the Use of Trusted Platform Module for Authentication
    06:17 Understanding the Difference Between TPM and HSM
    09:00 The Challenges of Implementing MFA in Enterprises
    11:25 Exploring Real-World MFA Mishaps
    15:30 The Risks of Overprivileged Test Systems
    17:16 The Importance of Monitoring Non-Production Environments
    19:02 Understanding Consent Phishing Scams
    30:37 The Legal Implications of Biometric Data Collection
    32:24 Conclusion and Final Thoughts

    • 33 min

Customer Reviews

4.8 out of 5
44 Ratings

44 Ratings

JoshSommers ,

So informative and logically organized

This podcast has been instrumental in transforming how I think about cyber and business risk. There’s not a lot of other podcasts that I’ve seen or heard from that enables you to go wider or deeper in your understanding. Thank you for the effort y’all put into these and what you’re doing for our community.

PerryBorenstein ,

Critical Information for Our Critical Infrastructure

The nature of the internet makes it incumbent on every organization to prevent intrusions, be they foreign or domestic. Corporate cybersecurity is not a business concern. It is a national Security concern.

For this reason, the information conveyed in this podcast should be on every cybersecurity professional’s listening list , from CISO to entry level security associateS just beginning their career.

There is no unimportant person when it comes to cybersecurity. Anyone who uses a computer connected to the internet can reign down catastrophe on an organization. It is up to cybersecurity personnel to prevent that from happening. G. Mark Hardy seems almost chosen to be the one that helps corporations stay safe.

It doesn’t hurt that he has a calm, reassuring, voice that conveys a message that this is doable, and that you are the one who can do it.

idavis7 ,

A great resource for those in the cyber world

This is such a great casual podcast for those looking to work their way into management in the cyber world. I recommend this to anyone who is interested!!

Top Podcasts In Technology

Lex Fridman Podcast
Lex Fridman
All-In with Chamath, Jason, Sacks & Friedberg
All-In Podcast, LLC
No Priors: Artificial Intelligence | Machine Learning | Technology | Startups
Conviction | Pod People
BG2Pod with Brad Gerstner and Bill Gurley
BG2Pod
Acquired
Ben Gilbert and David Rosenthal
Hard Fork
The New York Times

You Might Also Like

CISO Series Podcast
David Spark, Mike Johnson, and Andy Ellis
Cyber Security Headlines
CISO Series
CyberWire Daily
N2K Networks
Cybersecurity Today
ITWC
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Johannes B. Ullrich
The New CISO
Steve Moore