Error Code

For the last twenty years we’ve invested in software security without parallel development in firmware security. Why is that? Tom Pace, co-founder and CEO of NetRise, returns to Error Code to discuss the need for firmware software bills of materials, and why Zero Trust is a great idea yet so poorly implemented. As in Episode 30, Tom is a straight shooter, imparting necessary truth bombs about our industry. Fortunately he’s optimistic about our future.

That camera above your head might not seem like a good foreign target, yet in the Ukraine there’s evidence of Russian-backed hackers passively counting the number of foreign aid workers at the local train stations. Andrew Hural of UnderDefense talks about the need to secure everything around a person, everything around an organization, and everything around a nation because every one can be a target.

A critical skills gap in Operational Technology security could have a real effect on your water supply and other areas of the critical infrastructures. Christopher Walcutt from DirectDefense explains how the IT OT convergence, and the lack of understanding of what OT systems are, might be contributing to the spate of water systems attacks in 2024.

When critical infrastructure is shut down due to ransomware or some other malicious attack, who gets notified and when? Chris Warner, from GuidePoint Security, discusses the upcoming Cyber Incident Reporting for Critical Infrastructure Act or CIRCIA and what it will mean for critical infrastructure organizations.

When an enterprise network goes down, you call in the Incident Response team and they do forensics. When your SCADA goes down, who do you call? Meet Lesley Carhart, technical director of incident response at Dragos, who focuses on products and services for the non standard part of cybersecurity. That means things like performing digital forensics on SCADA, industrial control systems, and critical infrastructure. There’s still some normal enterprise computing involved, but very often the stories told by practitioners are … well, just plain weird. 

This is a story about how organizations are moving their SCADA systems to the cloud and how they need to secure them or they’ll be attacked. Chris Doman, co-founder and CTO of Cado Security discusses the new NSC guidelines on SCADA in the Cloud and whether the guidelines are prescriptive enough.

If you knock down an email server, you could stand up a parallel server or you could find workarounds. If you knock down a factory floor, there is no real parallel, alternative to a factory floor.  Dane Grace, product manager at Brinqa talks about how the risks to OT carries with it an outsized kinetic response in the real world. For example, what would happen if someone managed to put a botnet on a defibrillator?

One of the problems with security is ROI. If I put in next gen this and next gen that and no security events happen, am I justified in making those expenditures? How do you quantify a risk like that?  Padraic O’Reilly, founder and Chief Innovation Officer at CyberSaint, walks us through the risk analysis for IoT and OT systems, and why it’s important to understand this as we secure our critical infrastructure.

This is the story of how a researcher turns commercial and commonly used EDRs and Cloud-based backup systems into wipers against the very data they’re designed to protect. Or Yair, security research team lead at Safe Breach, talks about his two presentations at SecTor 2023 that consider how to turn common security tools into potentially malicious weapons.

There’s a lot of talk about using AI and LLM in security. For example, could ChatGPT detect the vulnerable spots for power for analysis in particular pieces of code using Advanced Encryption Standard?  Witold Waligora, CEO of CloudVA, talks about his Black Hat Europe presentation, How We Taught ChatGPT-4 to Break mbedTLS AES With Side-Channel Attacks.