Easy Prey

By: Chris Parker
  • Summary

  • Chris Parker, the founder of WhatIsMyIPAddress.com, interviews guests and tells real-life stories about topics to open your eyes to the danger and traps lurking in the real world, ranging from online scams and frauds to everyday situations where people are trying to take advantage of you—for their gain and your loss. Our goal is to educate and equip you, so you learn how to spot the warning signs of trouble, take quick action, and lower the risk of becoming a victim.
Episodes
  • Technology Regulation is Outdated with Bruce Schneier
    Sep 18 2024

    Regulators have to invest a considerable amount of time in keeping legislation and policy up to date regarding technology and AI, but it’s not easy. We need floor debates, not for sound bites or for political gain, but to move policy forward.

    Today’s guest is Bruce Schneier. Bruce is an internationally renowned security technologist called The Security Guru by The Economist. He is the author of over a dozen books including his latest, A Hacker’s Mind. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. He is a fellow at the Berkman-Klein Center for Internet and Society at Harvard University, a lecturer in Public Policy at Harvard Kennedy School, a board member of the Electronic Frontier Foundation and AccessNow, and an advisory board member of EPIC and VerifiedVoting.org.

    Show Notes:
    • [1:40] - Bruce shares what he teaches at Harvard and the current interest in policy.
    • [4:27] - The notion that tech can’t be regulated has been very harmful.
    • [6:00] - Typically, the United States doesn’t regulate much in tech. Most regulation has come from Europe.
    • [7:52] - AI is a power magnification tool. Will the uses empower the already powerful or democratize power?
    • [9:16] - Bruce describes loopholes and how AI as a power magnification tool can mean something different in different situations.
    • [12:06] - It will be interesting to watch AI begin to do human cognitive tasks because they will do them differently.
    • [13:58] - Bruce explains how AI collaboration can be a real benefit.
    • [16:17] - Like every text writer, AI is going to become a collaborative tool. What does this mean for writing legislation?
    • [17:18] - AI can write more complex and detailed laws than humans can.
    • [21:27] - AI regulation will be skewed towards corporations. Bruce explains how public AI could work.
    • [23:46] - Will AI help the defender or the attacker more?
    • [26:19] - AI can be good against legacy, but we need some sort of infrastructure.
    • [29:27] - There’s going to be a need for proof of humanity.
    • [32:29] - It is hard to know what people can do to help move regulation along. Ultimately, it is a political issue.

    Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.

    Links and Resources:
    • Podcast Web Page
    • Facebook Page
    • whatismyipaddress.com
    • Easy Prey on Instagram
    • Easy Prey on Twitter
    • Easy Prey on LinkedIn
    • Easy Prey on YouTube
    • Easy Prey on Pinterest
    • Schneier on Security
    39 mins
  • Threat Emulation with Andrew Costis
    Sep 11 2024

    Security risks are dynamic: projects, employees, tools, and configurations all change. Many companies bring in pen testers on an annual basis, but because systems are revised so quickly, you may need to implement threat emulation for regular monitoring.

    Today’s guest is Andrew Costis. Andrew is the Chapter Lead of the Adversary Research Team at Attack IQ. He has over 22 years of professional industry experience and previously worked in the Threat Analysis Unit Team at Firmware, Carbon Black, and Logrhythm Labs, performing security research, reverse engineering malware, and tracking and discovering new campaigns and threats. Andrew has delivered various talks at DefCon, Adversary Village, Black Hat, B Side, Cyber Risk Alliance, Security Weekly, IT Pro, Bright Talk, SE Magazine, and others.

    Show Notes:
    • [1:14] - Andrew shares his background and what he currently does in his career at Attack IQ.
    • [3:49] - At the time of this recording, there has been a major global security panic.
    • [6:06] - There are many programs that we use on a regular basis that we don’t always consider the security of.
    • [8:09] - Historically, companies would pay for an external pen test. Andrew describes the purpose of this and how they usually went.
    • [9:33] - Pen tests and threat emulation do not need to be limited to just once a year.
    • [10:45] - Andrew’s team is in the business of testing post-breached systems. But they preach prevention.
    • [11:55] - Attackers are lazy in the sense that they will reuse the same strategies over and over again.
    • [14:13] - Many programs we use may be caught in the crosshairs of attacks and vulnerabilities in other companies.
    • [16:41] - Andrew discusses the frequency of really critical CVEs.
    • [19:01] - What do attackers go after when they’ve breached a system?
    • [21:04] - The priority for attackers is to get in quickly and make the victim’s data unavailable.
    • [22:24] - A lot of people are under the impression of vulnerability testers. “Fire and forget it” is not a beneficial mindset.
    • [24:56] - If we run every test, the amount of data will be overwhelming.
    • [27:03] - In his experience, there has been client testing that has been overwhelmingly easy to breach.
    • [29:07] - There are also organizations that have done a fantastic job. However, vulnerabilities will still be found.
    • [30:18] - The red team is not going to be able to cover your entire organization.
    • [32:15] - Threat emulation and pen testing are technically the same thing. Andrew explains how he sees the difference.
    • [33:50] - How are vulnerabilities and tests prioritized?
    • [36:19] - Andrew describes the things his team works on and their objectives for customers and clients.
    • [38:34] - The outage at the time of this recording had a big impact. It gave a really good idea of what could happen if it were a real security breach.
    • [41:37] - There are a ton of free resources out there. The primary resource at Attack IQ is the free Attack IQ Academy.

    Links and Resources:
    • Andrew Costis at Attack IQ
    46 mins
  • Ransomware: To Pay or Not To Pay? with Amitabh Sinha
    Sep 4 2024

    Ransomware may not be on your machines due to your negligence or mistakes. It could be there because of third-party software you are utilizing. Do you know what to do if this happens to you?

    Today’s guest is Amitabh Sinha. Amitabh has a PhD in Computer Science and more than 20 years of experience in enterprise software, end-user computing, mobile, and database software. He co-founded Workspot in 2012. He was the General Manager of Enterprise Desktop and Applications at Citrix Systems. In his five years at Citrix, he was the VP of Product Management for XenDesktop and VP of Engineering for the Advanced Solutions Group.

    Show Notes:
    • [1:03] - Amitabh shares his background and current role and contributions at Workspot.
    • [4:35] - The first sign of ransomware in an organization is widespread blue screens and Microsoft machines shutting down.
    • [5:40] - How does ransomware find its way to a device?
    • [6:59] - Ransomware in your organization is not necessarily your fault.
    • [10:37] - Amitabh describes how he has helped client organizations back up and running after having been infected with ransomware.
    • [13:11] - Typically, it is not recommended to pay the ransom, but it may be a viable option for some organizations.
    • [15:59] - Most small companies are not prepared to prevent or handle ransomware.
    • [17:34] - In most large companies, not all PCs are up to date on security patches.
    • [20:41] - Cloud storage is much safer and can be accessed on other physical machines in the event that ransomware shuts down an organization.
    • [24:41] - For those who work from home, sometimes multiple machines make things even more complicated.
    • [27:35] - What are you willing to pay to not have something happen? That’s how ransomware takes advantage of people.
    • [31:20] - For small companies, there is typically an architectural solution, but that isn’t always viable for large organizations.
    • [33:14] - Consider the critical functions of your organizations and what a plan could be if computers were not accessible.
    • [34:37] - These types of attacks are more and more frequent.
    • [36:44] - Amitabh is confident that AI will make preventing ransomware even more challenging.
    • [40:38] - Most people have accepted that a lot, if not all, their information has already been leaked on the internet. But businesses are particularly vulnerable.
    • [42:30] - A whole organization can be drastically impacted by just one machine being hit by ransomware.

    Links and Resources:
    • Amitabh Sinha on LinkedIn
    • Workspot.com
    44 mins
