It's been said over and over again, when it comes to cybersecurity, "humans are the weakest link."
(Actually, that's not exactly accurate, but we'll save that conversation for a potential bonus blog entry!)
It's easy for me to burn through podcast episodes. I gobble down CYBER, Darknet Diaries, Malicious Life, and Hackable? as quickly as new episodes are released. Adam Grant, Gretchen Rubin, Derek Thompson, and some other folks keep the non-cybersecurity part of my brain occupied, but I felt like I needed to find another cybersecurity podcast to get addicted to and add to the stable. There are plenty of cybersecurity business-related podcasts out there, and I know that side of cybersecurity is important, but, well, I subscribe to them and then never listen after trying an episode...and...I just want something that has more storytelling involved (see the previous blog entry "It Was a Dark and Stormy Night"). I like danger and excitement and fear. I also felt like my current lineup didn't include enough social engineering, which is how I got interested in cybersecurity to begin with.
Hacking Humans to the rescue!
Hacking Humans is a weekly podcast (new episodes drop every Thursday) by The CyberWire, an independent cybersecurity news site that is sponsored by seemingly every security vendor known to humankind. That said, CyberWire does seem to be maintaining their editorial independence. At least they are very open about the sponsorship. The primary sponsor for the Hacking Humans podcast is the security awareness training company KnowBe4 - you will soon memorize all their ads and the jingles.
The hosts for Hacking Humans are Dave Bittner and Joe Carrigan. Dave works for CyberWire and Joe is involved with the Johns Hopkins Information Security Institute as a senior security engineer. For anyone unfamiliar with Johns Hopkins University, here is their library:
I've been there. It's in Baltimore. It looks exactly like that. One feels smart just standing in it.
Dave and Joe both have pleasant voices, which we know is key for me. The hosts don't tell stories, exactly - the format is more like a morning talk show - the kind where two or three guys tackle sports, for instance - but instead of sports it's cybersecurity. Their banter is very engaging. When I had satellite radio activated in my car I would listen to the talk shows on the POTUS channel, such as Julie Mason and Michael Smerconish, and Hacking Humans has that feel.
The episodes typically begin with a listener email/letter, which the hosts discuss, followed by some headline news, which always contains some basic explanations of the security concepts that arise in the news item. They don't talk down to anyone, but they aren't talking over folks' heads, either. They explain how social engineering attacks work without using Cialdini words like "scarcity". The hosts take turns telling the stories. My favorite segment is what they call "Catch of the Day", where listeners send in phishing examples and the hosts discuss how to tell the example is a phish. There seem to be a lot of scammers who like to portray themselves as military service women (quite badly). The hosts continue the episode with a guest interview and then discuss it between themselves after the interview is over.
I definitely feel like I've learned something (or reinforced something) after listening. The cyber insurance episode stands out as one that I felt I needed to recommend to friends who are in cybersecurity. Business Email Compromise (BEC) isn't typically covered by cyber insurance because that's a fraud situation. Cyber insurance covers hacking - although I (and the hosts) think a case could be made that BEC is hacking humans. Theft of intellectual property is also not typically covered by cyber insurance because it's an intangible. Cyber insurance is a type of SLA, really, so have lawyers ready to go through every line.
The podcast is available through nearly every podcast avenue there is, including their website. They provide a transcript, so you can listen without having to worry about taking notes.
The latest episode, #50, "People aren't perfectly rational", features research from Elissa Redmiles, who does some really interesting work connecting social sciences and behavioral economics with security and privacy (check out her article about why users don't install updates). At one point she noted, "we often as security professionals don't make particularly economically backed tradeoffs when we're thinking about asking people to do security. So we're sort of asking people to do a never-ending list of things without archiving old ones or measuring exactly how much this new behavior is going to help someone. So eventually users become overwhelmed, and then they just try to pick between behaviors on their own, which they may not be very well-equipped to do." She backed that up with research in line with the latest NIST 800-63-3 recommendations to only require password changes in the event of a breach. Elissa has discovered that enforcing password changes on a schedule leads to users re-using passwords across sites, which is worse than having the same password for a year. She also discussed some findings about motivations for using two-factor authentication and the folly of telling users not to click on links. I was eating this up because I love behavioral economics!
Hacking Humans has been renewed for a second season so I will be able to continue to feed my brain with social engineering podcast episodes!