Cyber Security Weekly Podcast
Episode 346 - Cybersecurity Resilience vs. The Meteors
Dave has 30 years of industry experience. He has extensive experience in IT security operations and management.
He is the founder of the security site Liquidmatrix Security Digest & podcast as well as the host of DuoTV and the Plaintext podcast. He is currently a member of the board of directors for BSides Las Vegas.
Previously he served on the board of directors for (ISC)2 as well as being a founder of BSides Toronto conference. Dave has been a DEF CON speaker operations goon for over 10 years. Lewis also serves on the advisory board for the Black Hat Sector Security Conference and the CFP review board for 44CON.
He is currently working towards his graduate degree at Harvard. Dave has previously written columns for Forbes, CSO Online, Huffington Post, The Daily Swig and others. For fun he is a curator of small mammals (his kids) plays bass guitar, grills, is part owner of a whisky distillery and a soccer team.
In this interview, Dave Lewis shares his highlights from his keynote presentation at SINCON 2023, the first cybersecurity conference in Singapore for the year 2023.
Globalisation and supply chain attacks - He shared his thoughts on how threat actors have exploited globalisation of supply chain: that as organisations move to a cloud-based iteration “for everything” and thereby extending targets of opportunities for the attackers. This means that we have extended from protecting the “four walls” to an “unfathomable number of walls”. In particular, as we digitalise, we have to “make sure we are not outpacing security”, and that we understand our fallback position if “there’s a global catastrophe and we have to cut off from the rest of the world.” One example is critical infrastructure, where there is “accumulated security debt” (e.g. deprecated applications) and where “stakes are higher”.
Zero trust - Dave stressed that “zero trust” is an “iterative process” and there is “no end state”. Rather, it is about reducing the risks and addressing the core fundamentals from 30 years ago – managing our core users, our network segmentation, critical applications in our environment.
Cybersecurity skills and resources - Dave also shared how we need “more adults at the table”, that maturing our cybersecurity posture requires more senior level involvement. He also advised that we need to “get away from the “sensationalisation” of the hacker culture” – that cybersecurity is not strictly the hacker sub-culture.
Cyber threat landscape - Using Wannacry as an example, Dave noted that the SMBv1 vulnerability had been known but remained unfixed for 10 years. This “security debt” was an example of how we as cybersecurity practitioners tend to “lose our focus collectively”. As we are at that “juncture where we have to figure out how we are going to mature as an industry and be able to handle these risks in a coherent fashion”, he predicted that “we will keep making the same mistakes for a while.”
Further, referencing how the ransomware have evolved since the first version by Dr Joseph Popp in 1989, he said “financial motivation will not go away, it is just how they are going to get their money.”
Recorded 5th January 2023, 11.30am, VOCO hotel, Singapore.