Cover image of Brakeing Down Security Podcast
(87)

Rank #49 in Tech News category

Education
Technology
News
Tech News

Brakeing Down Security Podcast

Updated 2 months ago

Rank #49 in Tech News category

Education
Technology
News
Tech News
Read more

A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.

Read more

A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.

iTunes Ratings

87 Ratings
Average Ratings
75
7
4
0
1

Great Security Pod

By The Drewsk - Oct 05 2018
Read more
Great security podcast even for non-security IT folks. Give it a listen!

Amazing!

By elliott2k - Jun 21 2017
Read more
I love the podcast and the community behind it. Much love! 10/10

iTunes Ratings

87 Ratings
Average Ratings
75
7
4
0
1

Great Security Pod

By The Drewsk - Oct 05 2018
Read more
Great security podcast even for non-security IT folks. Give it a listen!

Amazing!

By elliott2k - Jun 21 2017
Read more
I love the podcast and the community behind it. Much love! 10/10
Cover image of Brakeing Down Security Podcast

Brakeing Down Security Podcast

Latest release on Aug 10, 2020

Read more

A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.

Rank #1: 2017-002: Threat Lists, IDS/IPS rules, and mentoring

Podcast cover
Read more

In your environment, you deal with threats from all over the world. Many groups out there pool resources to help everyone deal with those #threats. Some come in the form of threat #intelligence from various intelligence companies, like #Carbon #Black, #FireEye, and #Crowdstrike.

But what if your company cannot afford such products, or are not ready to engage those types of companies, and still need need protections? Never fear, there are open source options available (see show notes below). These products aren't perfect, but they will provide a modicum of protection from 'known' bad actors, SSH trolls, etc.

We discuss some of the issues using them, discuss how to use them in your #environment.

Lastly, we discuss #mentorship. Having a good mentor/mentee relationship can be mutally beneficial to both parties. We discuss what it takes to be a good mentee, as well as a good mentor...

RSS: www.brakeingsecurity.com/rss

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-002-mentoring_threat_lists.mp3

iTunes:  https://itunes.apple.com/us/podcast/2017-002-threat-lists-ids/id799131292?i=1000380246554&mt=2

YouTube: https://www.youtube.com/watch?v=oHNrINl1oZE

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

----------

Show Notes:

HANGOUTS:  https://hangouts.google.com/call/w7rkkde5yrew5nm4n7bfw4wfjme

2017-002-Threat Lists, IDS/IPS rulesets, and infosec mentoring

  1. Threat Lists (didn’t have much time to research :/)
    1. THIS EXACTLY - http://blogs.gartner.com/anton-chuvakin/2014/01/28/threat-intelligence-is-not-signatures/   
      1. Don’t use threat list feeds (by IP/domain) as threat intelligence
      2. Can use them for aggressively blocking, don’t use for alerting
    2. https://isc.sans.edu/suspicious_domains.html
    3. https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
    4. http://iplists.firehol.org/
    5. https://zeltser.com/malicious-ip-blocklists/
    6. https://medium.com/@markarenaau/actionable-intelligence-is-it-a-capability-problem-or-does-your-intelligence-provider-suck-d8d38b1cbd25#.ncpmqp9cx
    7. Spamhaus: https://www.spamhaus.org/
    8. leachers
    1. Open rulesets - You can always depend on the kindness of strangers
      1. Advantage is that these are created by companies that have worldwide reach
      2. Updated daily
      3. Good accompanying documentation
    2. You can buy large rulesets to use in your own IDS implementation
      1. Depends on your situation if you want to go managed or do yourself
      2. Regardless you need to test them
    3. Managed security services will do this for you
      1. I don’t recommend unless you have a team of dedicated people or you don’t care about getting hacked- signatures are way too dynamic, like trying to do AV sigs all by yourself
      2. Only a good idea for one-off, targeted attacks
    4. DIY
  2. IDS/IPS rulesets
    1. https://securityintelligence.com/signature-based-detection-with-yara/
    2. http://yararules.com/
    3. http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/
  3. Yara rules
    1. For Mentors
      1. Set expectations & boundaries
      2. Find a good fit
      3. Be an active listener
      4. Keep open communication
      5. Schedule time
      6. Create homework
      7. Don’t assume technical level
      1. Ask questions
      2. Do your own research
      3. Find a good fit
      4. Put forth effort
      5. It’s not the Mentor’s job to handhold, take responsibility for own learning
      6. Value their time
      7. Come to each meeting with an agenda
    2. For Mentees
    3. Mentoring frameworks?
  4. InfoSec Mentoring
    1. https://t.co/mLXjfF1HEr
    2. https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef0741
  5. Podcasts (Courtesy of Ms. Hannelore)
    1. https://t.co/mLXjfF1HEr
    2. https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef074

Jan 21 2017

1hr 5mins

Play

Rank #2: 2019-009- Log-MD story, Noid, communicating with Devs and security people-part1

Podcast cover
Read more

Log-MD story (quick one) (you’ll like this one, Mr. Boettcher)

    SeaSec East meetup

    "Gabe"

https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/

New Slack Moderator (@cherokeeJB)

Shoutout to “Jerry G”

Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407

www.Workshopcon.com/events and that we're looking for BlueTeam trainers please

Any chance you can tag @workshopcon. SpecterOps and lanmaster53 when you post on Twitter and we'll retweet

Noid - @_noid_

noid23@gmail.com

Bsides Talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3

Slides (PDF)

https://github.com/noid23/Presentations/blob/master/BSides_2019/Its%20Not%20a%20Bug%20Its%20a%20Feature%20-%20Seattle%20BSides%202019.pdf

Security view was a bit myopic?

“What do we win by playing?”

Cultivating relationships (buy lunch, donuts, etc)

Writing reports

Communicating findings that resonate with developers and management

    Often pentest reports are seen by various facets of folks

    Many levels of competency (incompetent -> super dev/sec)

Communicating risk? Making bugs make sense to everyone…

The three types of power:

https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Mar 12 2019

51mins

Play

Rank #3: 2015-023_Get to know a Security Tool: Security Onion!

Podcast cover
Read more

Having a more secure network by deploying tools can be no easy task. This week, we show you a tool, Security Onion, that can give you an IDS and log analysis tool in less than 20 minutes.

 http://blog.securityonion.net/p/securityonion.html

May 26 2015

37mins

Play

Rank #4: Reconnaissance: Finding necessary info during a pentest

Podcast cover
Read more

I had a healthy debate with Mr. Boettcher this week about the merits of doing recon for a pentest. Mr. Boettcher is a heavy duty proponent of it, and I see it as a necessary evil, but not one that I consider important.  We hash it out, and find some common ground this week.

People search links:

Spokeo - http://www.spokeo.com/

Pipl - https://pipl.com/

Sec Filings site: http://www.sec.gov/edgar/searchedgar/webusers.htm

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

Aug 25 2014

48mins

Play

Rank #5: 2016-047: Inserting Security into the SDLC, finding Privilege Escalation in poorly configured Linux systems

Podcast cover
Read more

Just a quick episode this week...

As part of the Brakesec Book Club (join us on our #Slack Channel for more information!) we are discussing Dr. Gary McGraw's book "Software Security: Building Security In" (Amazon Link: https://is.gd/QtHQcM)

We talk about the need to inserting security into your company's #SDLC... but what exactly can be done to enable that? I talk about abuse cases, #risk #analysis, creating test cases, pentesting, and #security #operations are all methods to do so.

Finally, I discovered a blog talking about ways to discover configuration errors on Linux systems that might allow #privilege #escalation to occur. Using these tools as part of your hardening processes could lower the risk of a bad actor gaining elevated privileges on your *unix hosts

http://rajhackingarticles.blogspot.com/2016/11/4-ways-to-get-linux-privilege-escalation.html

You can find the github of this script and the audit software that I mentioned below:

https://github.com/rebootuser/LinEnum.git     #Lynis (from CISOfy: https://cisofy.com/lynis/   Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-047-inserting_security_into_the_SDLC_finding_Linux_priv_esc.mp3   #iTunes: https://itunes.apple.com/us/podcast/2016-047-inserting-security/id799131292?i=1000378329598&mt=2   #YouTube:  https://www.youtube.com/watch?v=Kd_ZzvVNqoA

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FMhttps://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Nov 28 2016

19mins

Play

Rank #6: 2016-015-Dr. Hend Ezzeddine, and changing organizational security behavior

Podcast cover
Read more

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-015-Dr._Hend_Ezzeddine_and_finding_security_training_that_works.mp3

iTunes Link: https://itunes.apple.com/us/podcast/2016-015-dr.-hend-ezzeddine/id799131292?i=366936677&mt=2

Dr. Ezzeddine's slides from Bsides Austin (referenced during the interview): https://drive.google.com/file/d/0B-qfQ-gWynwiQnBXMnJVeko4M25pdk1Sa0JnMGJrZmltWlRr/view?usp=sharing

You open the flash animation, click click click, answer 10 security questions that your 5 year old could answer, get your certificate of completion... congratulations, you checked the compliance box...

But what did you learn in that training? If you can't remember the next day, maybe it's because the training failed to resonate with you?

Have you ever heard red team #pentester say that the weakest link in any business is not the applications, or the hardware, but the people? If they can't find a vulnerability, the last vulnerability is the people. One email with a poisoned .docx, and you have a shell into a system...

Targeted trainings, and the use of certain styles of #training (presentations, in-person, hand puppets, etc) can be more effective for certain groups. Also, certain groups should have training based on the threat they might be susceptible to...

Dr. Hend #Ezzeddine came by this week to discuss how she helps #organizations get people to understand security topics and concepts, to create a positive security culture. Maybe even a culture that will not click on that attachment...

**If you are planning on attending "Hack In The Box" in Amsterdam, The Netherlands on 23-27 May 2016, you can receive a 10% discount by entering 'brakesec' at checkout.

Get more information at the "Hack In The Box" conference by visiting:

http://conference.hitb.org/hitbsecconf2016ams/

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake @hackerhurricane

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FMhttps://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Apr 16 2016

1hr 10mins

Play

Rank #7: Episode 3 - Alerts, Events, and a bit of incident response

Podcast cover
Read more

In this issue, we talked about upcoming podcasts with Michael Gough from MI2 Security discussing malware, and this week we get into everything about alerts, why they are important, types of alerts, levels that can occur, and even a bit of incident response in handling alerts.

Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

Jan 27 2014

33mins

Play

Rank #8: Episode 9: Framework for Improving Critical Infrastructure Cybersecurity

Podcast cover
Read more

This week, we got into some discussion about frameworks, and the different types of frameworks available (regulatory, "best practice", and process improvement)

We also looked at the new "Framework for Improving Critical Infrastructure Cybersecurity" ratified and released last month.

Does it meet with our high expectations? You'll just have to listen and find out.

http://www.nist.gov/cyberframework/

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

Mar 24 2014

33mins

Play

Rank #9: 2017-042-Jay beale, Hushcon, Apple 0Day, and BsidesWLG audio

Podcast cover
Read more

Ms. Berlin and Mr. Boettcher are on holiday this week, and I (Bryan) went to Hushcon (www.hushcon.com) last week (8-9 Dec 2017). Lots of excellent discussion and talks.

While there, our friend Jay Beale (@jaybeale) came on to discuss Hushcon, as well as some recent news. 

Google released an 0day for Apple iOS, and we talk about how jailbreaking repos seem to be shuttering, because there have not been as many as vulns found to allow for jailbreaking iDevices.

We also went back and discussed some highlights of the DFIR hierarchy show last week (https://brakesec.com/2017-041) and some of the real world examples of someone who has seen it on a regular basis. Jay's insights are something you shouldn't miss

Finally, Ms. Berlin went to New Zealand and gave a couple of talks at Bsides Wellington (@bsideswlg). She interviewed Chris Blunt (https://twitter.com/chrisblunt) and "Olly the Ninja" (https://twitter.com/Ollytheninja) about what makes a good con. 

Direct Link: https://brakesec.com/2017-042

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

Join our #Slack Channel! Sign up at 

https://brakesec.com/Dec2017BrakeSlack

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FMhttps://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

From our friends at Hack In the Box Amsterdam:

"We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training .  The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".

--Show Notes--

https://github.com/int0x80/githump

http://ptrarchive.com/

https://hunter.io/

https://www.data.com/

https://techcrunch.com/2017/11/27/ios-jailbreak-repositories-close-as-user-interest-wanes/

https://securelist.com/unraveling-the-lamberts-toolkit/77990/

Dec 16 2017

1hr 6mins

Play

Rank #10: Nmap (pt1)

Podcast cover
Read more

So, I uploaded this little tutorial of nmap, a very nice tool I use on a regular basis, both at home and at work.

I did some basic scans, showed off the command line and the Windows 'Zenmap' version, as well as discussed some regularly used switches.

The next video I do about nmap will discuss more switches, the Nmap Scripting Engine (NSE), and how to format reports and the output nmap provides.

Nmap icon courtesy of livehacking.com

Jul 14 2014

17mins

Play

Rank #11: 2017-011-Software Defined Perimeter with Jason Garbis

Podcast cover
Read more

We talked with Jason Garbis this week about Software Defined Perimeter (SDP). Ever thought about going completely without needing a VPN? Do you think I just made a crazy suggestion and am off my medications? Google has been doing it for years, and organizations like the Cloud Security Alliance are expecting this to be the next big tech innovation. So much so, that they are already drafting version 2 of the SDP guidelines.

So after talking with a friend of mine about how they were trying to implement it, he suggested talking to Jason, since he was on the steering committee for it. While Jason does work for a company that sells this solution, our discussion with him is very vendor agnostic, and he even discusses an open source version of SDP that you could implement or test out as a PoC (details in show notes below).

This is a great topic to stay on top of, as one day, your CTO/CIO or manager will come by and ask about the feasibility of implementing this, especially if your company assets are cloud based...  So have a listen!

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3

Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

Itunes: (look for '2017-011') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

-----

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FMhttps://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

---

Show Notes:

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

https://cloudsecurityalliance.org/group/software-defined-perimeter/

    Hmmm… seems like a standard created by companies selling their products for it

        Have a product, create a problem, fix the problem...

How much alike is this to things like ‘Beyondcorp’?

https://www.beyondcorp.com/

http://www.networkworld.com/article/3053561/security/learning-about-sdp-via-google-beyondcorp.html

De-perimeterization - removing all the bits ‘protecting’ your computer

    Treat your computers as ‘on the Internet’

https://en.wikipedia.org/wiki/De-perimeterisation

https://collaboration.opengroup.org/jericho/SPC_swhitlock.pdf

https://github.com/WaverleyLabs/SDPcontroller

2FA becomes much more important, or just plain needed, IMO --brbr

Questions:

    How will development of applications change when attempting to implement these technologies?

    If we allow deperimeterization of legacy apps (like Oracle products), with a complicated security model, how do you keep these older apps under control?

    Can this cut down on the “Shadow IT” issue? Does the user control the certs?

    How does this work with devices with no fully realized operating systems?

        Phones, HVAC, IoT

        Legacy SCADA or mainframes?

    What is the maturity level of a company to implement this?

        What minimum requirements are needed?

            Asset management?

            Policies?

        Who/how do you monitor this?

            More blinky boxes?

            Will WAFs and Web proxies still function as expected?

    Are there any companies companies were this is not a good fit?

        What’s the typical timeline for moving to this network model?

        What’s the best way to deploy this?

            Blow up old network, insert new network?

            Phase it in with new kit, replacing old kit?

    Compliance

        How do explain this to auditors?

            “We don’t have firewalls, that’s for companies that suck, we are 1337”

Other than “scalability” (which seems like regular solutions would have as well) I’d like to know what real value they provide

Mar 29 2017

52mins

Play

Rank #12: 2016-036: MSSP pitfalls, with Nick Selby and Kevin Johnson

Podcast cover
Read more

Nick Selby (@nselby on Twitter) is an independent consultant who works a wide variety of jobs.  During a recent engagement, he ran into an interesting issue after a company called him in to handle an incident response. It's not the client, it was with the Managed Security Service Provider (#MSSP). His blog post about the incident made big news on Twitter and elsewhere.

Nick's Blog Post: https://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/

So, we wanted to have Nick on to discuss any updates that occurred, and also asked an MSSP owner, Kevin Johnson, from SecureIdeas (@secureideas on Twitter), as Kevin is well versed with both sides, being a customer, and running an MSSP with his product, Scout (https://secureideas.com/scout/index.php)

We go over what an MSSP is (or what each person believes an MSSP is), we discuss the facts from Nick and his client's side, we try and put ourselves in the shoes of the MSSP, and if they handled the issue properly.

We also find out how Nick managed to save the day, the tools they used to solve the problem.  We did a whole podcast on it, and maybe it's time to re-visit that...

Finally, we discuss the relationship between an MSSP and the customer, what expectations each party should see from each other, and what are the real questions each should ask one another when you're searching out an MSSP.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-036-mssp-nick_selby-kevin_johnson.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-036-mssp-pitfalls-nick/id799131292?i=1000375157370&mt=2

YouTube:  https://www.youtube.com/watch?v=b1rEpaBAKpQ

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FMhttps://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Sep 11 2016

1hr 8mins

Play

Rank #13: 2017-036-Adam Shostack talks about threat modeling, and how to do it properly

Podcast cover
Read more

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3

Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly.

We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using.

Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeling to decide which OS should be the one to use.

Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FMhttps://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

SHOW NOTES:

Ideas and suggestions here:

Start with “What is threat modeling?”   What is it, why do people do it, why do organizations do it?

What happens when it’s not done effectively, or at all?

At what point in the SDLC should threat modeling be employed?

Planning?

Development?

Can threat models be modified when new features/functionality gets added?

Otherwise, are these just to ‘check a compliance box’?

Data flow diagram (example) -

process flow

External entities

Process

Multiple Processes

Data Store

Data Flow

Privilege Boundary

Classification of threats-

STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)

DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)

PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf

Trike -  http://octotrike.org/

https://en.wikipedia.org/wiki/Johari_window

Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf

Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303

NIST CyberSecurity Framework: https://www.nist.gov/cyberframework

Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx

Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx

Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx

OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling

OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon

Emergent Design:  https://adam.shostack.org/blog/2017/10/emergent-design-issues/

https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf

Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)

Adam’s Threat modeling book

http://amzn.to/2z2cNI1 -- sponsored link

https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me=

Is the book still applicable?

New book

What traps do people fall into?  Attacker-centered, asset-centered approaches

Close with “how do I get started on threat modeling?”

SecShoggoth’s Class “intro to Re”

Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model

Oct 29 2017

1hr 34mins

Play

Rank #14: 2016-044: Chain of Custody, data and evidence integrity

Podcast cover
Read more

During a Security Incident, or in the course of an investigation, it may become necessary to gather evidence for further use in a possible court case in the future. But if you don't have 4-10,000 dollars USD for fancy forensic software, you'll need to find methods to preserve data, create proper integrity, and have a proper custody list to show who handled the data, how it was collected, etc.

This podcast was not meant to turn you into an expert, but instead to go over the finer points of the process, and even where you should turn to if you need help.

Certified Ethical Hacker book I was referencing in the show: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119252245,miniSiteCd-SYBEX.html

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-044-Evidence_chain_of_custody_data_integrity.mp3

#YouTube: https://www.youtube.com/watch?v=aJA2ry6npKI

#iTunes: https://itunes.apple.com/us/podcast/2016-044-chain-custody-data/id799131292?i=1000377566298&mt=2

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FMhttps://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Nov 07 2016

47mins

Play

Rank #15: 2015-022: SANS Top 25 Critical Security Controls-#10 and #11

Podcast cover
Read more

When you're working with network infrastructure, there's a real need for proper configuration management, as well as having a proper baseline to work from.

Mr. Boettcher and I continue through the SANS Top25 Critical Security Controls. #10 and #11 are all dealing with network infrastructure. Proper patches, baselines for being as secure as possible. Since your company's ideal security structure needs to be a 'brick', and not an 'egg'.

May 17 2015

56mins

Play

Rank #16: 2015-025: Blue Team Army, Powershell, and the need for Blue team education

Podcast cover
Read more

With last week's revelation from Microsoft that they will support SSH, understanding powershell has become more important than ever as a tool to be used by blue teamers, both for adminstration, and to understand how bad guys will use it for nefarious deeds on your network.

Part 2 of our interview with Mick Douglas discusses a bit more about the DEV522 class that he teaches for SANS, and why it seems that blue team (defenders) are not getting the training they should.  By being deficient in necessary skills, the knowledge between bad guys and the defenders widens. 

Jun 08 2015

34mins

Play

Rank #17: 2016-020-College Vs. Certifications Vs. Self-taught

Podcast cover
Read more

Dr. Matt Miller is a professor at the University of Nebraska at Kearney. We had him on to discuss a matter that seems to weigh heavily on the infosec community. What will a CS degree get you? What are you learning these days as a future code jockey? Is skipping college altogether better?

We discuss what he does to arm future developers with the tools necessary to get a job. We hear about what they also might be lacking in as well.

Dr. Miller is also spearheading a new cybersecurity degree track at his university. We discuss what it's like to head that up, and we even get into a bit of discussion on Assembly language.

ASM book used in the above class: http://www.drpaulcarter.com/pcasm/

Download here: http://www.drpaulcarter.com/pcasm/pcasm-book-pdf.zip

We also discuss free alternatives for learning out there, and how effective they are.

Show notes: https://docs.google.com/document/d/1Grimx_OCSURTktzM5QRKqsG9p9G5LljdleplH1DZQv4/edit?usp=sharing

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-020-College_vs_Certs_vs_self-taught.mp3

iTunes:  https://itunes.apple.com/us/podcast/2016-020-college-vs.-certifications/id799131292?i=1000369124337&mt=2

YouTube Playlist: https://www.youtube.com/playlist?list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K

RSS FEED: http://www.brakeingsecurity.com/rss

Dr. Miller's CSIT-301 course on Assembly: https://www.youtube.com/playlist?list=PLSIXOsmf9b5WxCMrt9LuOigjR9qMCRrAC

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @milhous30

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FMhttps://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

May 21 2016

54mins

Play

Rank #18: Malware, Threat Intelligence, and Blue Team talks at cons -- with Michael Gough Pt.2

Podcast cover
Read more

We're back with part 2 of our discussion with Michael Gough.  Not only do we discuss more about malware, but we also ask Michael's opinion on how commercialized conventions like Black Hat and Defcon have gotten, how good threat intelligence feeds are, and why there aren't more defensive talks at cons.

Michael is currently slated to give a talk on logging at DerbyCon September 24th, 2014 on how logging can help to mitigate malware infections.

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

Sep 08 2014

36mins

Play

Rank #19: 2016-021: Carbon Black's CTO Ben Johnson on EDR, the layered approach, and threat intelligence

Podcast cover
Read more

Ben Johnson (@chicagoben on Twitter) has spent a good deal of time working on protecting client's endpoints. From his work at the NSA, to being the co-founder of Carbon Black (@carbonblack_inc).

We managed to have him on to discuss EDR (#Endpoint Detection and Response), TTP (#Tactics, Techniques, and Procedures), and #Threat #Intelligence industry.

Ben discusses with us the Layered Approach to EDR:

1. Hunting

2. Automation

3. Integration

4. Retrospection

5. Patterns of Attack/Detection

6. indicator-based detection

7. Remediation

8. Triage

9. Visibility

We also discuss how VirusTotal's changes in policy regarding sharing of information is going to affect the threat intel industry.

Ben also discusses his opinion of our "Moxie vs. Mechanisms" podcast, where businesses spend too much on shiny boxes vs. people.

Brakesec apologizes for the audio issues during minute 6 and minute 22. Google Hangouts was not kind to us :(

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-021-Ben_Johnson-Carbon_black-Threat_intelligence.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-021-carbon-blacks-cto/id799131292?i=1000369579669&mt=2

YouTube: https://youtu.be/I10R3BeGDs4

RSS: http://www.brakeingsecurity.com/rss

Show notes: https://docs.google.com/document/d/12Rn-p1u13YlmOORTYiM5Q2uKT5EswVRUj4BJVX7ECHA/edit?usp=sharing (great info)

https://roberthurlbut.com/blog/make-threat-modeling-work-oreilly-2016

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FMhttps://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

May 29 2016

57mins

Play

Rank #20: 2020-001- Android malware, ugly citrix bugs, and Snake ransomware

Podcast cover
Read more

Educause conference: https://events.educause.edu/security-professionals-conference/2020/hotel-and-travel

Amanda’s Training that everyone should come to!!! https://nolacon.com/training/2020/security-detect-and-defense-ttx

Follow twitter.com/infosecroleplay

 

Part 1: New year, new things

Discussion:

What happened over the holidays? What did you get for christmas?

PMP test is scheduled for 10 March

Proposal:  Anonymous Hacker segment

    Similar to “The Stig” on Top Gear. If you would like to come on and discuss any topic you would like. You’ll have anonymity, we won’t share your contact info

  1. Will allow people worried that they’ll be ridiculed to share their knowledge
  2. We can record your 20-30 segment whenever (will need audio/video for it)
  3. You can take a tutorial from another site (or your own) and review it for us
  4. 1-2 segments per month 
  5. We can discuss content prior to (we won’t put you on the spot)
  6. We do have a preliminary

News:

 

Google removed 1.7K+ Joker Malware infected apps from its Play Store                   

Full article: https://securityaffairs.co/wordpress/96295/malware/joker-malware-actiity.html

Excerpt:

Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.

Google provided technical details of its activity against the Joker malware (aka Bread) operation during the last few years.

The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service, install malicious apps, generate fake reviews, and show ads.

The spyware is able to steal SMS messages, contact lists and device information along with to sign victims up for premium service subscriptions.

In October, Google has removed from Google Play 24 apps because they were infected with Joker malware, the 24 malicious apps had a total of 472,000 installs.

“Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over 472,000+ installs in total.” 

apps typically fall into two categories: SMS fraud (older versions) and toll fraud (newer versions). Both of these types of fraud take advantage of mobile billing techniques involving the user’s carrier.” reads the post published by Google.

The newer versions of the Joker malware were involved in toll fraud that consist of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.

WAP billing: https://en.wikipedia.org/wiki/WAP_billing

Example: “pokemon go allows in-app purchases

Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781

Full Article: https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/

Excerpt:

On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.

 

What type of organizations are affected by CVE-2019-19781?  (industries with typically poor or outdated security practices… --brbr)

4,576 unique autonomous systems (network providers) were found to have vulnerable Citrix endpoints on their network. We’ve discovered this vulnerability currently affects:

  • Military, federal, state, and city government agencies
  • Public universities and schools
  • Hospitals and healthcare providers
  • Electric utilities and cooperatives
  • Major financial and banking institutions
  • Numerous Fortune 500 companies

 

How is CVE-2019-19781 exploited and what is the risk?

This critical vulnerability is easy for attackers to exploit using publicly available proof-of-concept code. Various methods demonstrating how to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec. A forensic guide is available detailing how to check Citrix servers for evidence of a compromise.

Further exploitation of this vulnerability could be used to spread ransomware (similar to CVE-2019-11510) and cryptocurrency mining malware on sensitive networks. If multiple servers are compromised by the same threat actor, they could be weaponized for coordinated malicious activity such as DDoS attacks.

SNAKE #Ransomware Targets Entire Corporate Systems?

Full Article: https://www.ehackingnews.com/2020/01/snake-ransomware-targets-entire.html

Excerpt:

The new Snake Ransomware family sets out to target the organizations’' corporate networks in all their entirety, written in Golang and containing a significant level of obfuscation, the observations and disclosure for the attacks were made by a group of security specialists from the MalwareHunterTeam.

The Ransomware upon successful infection subsequently erases the machine's Shadow Volume Copies before ending different processes related to SCADA frameworks, network management solutions, virtual machines, and various other tools.

After that, it continues to encrypt the machine's files while skirting significant Windows folders and system files. As a feature of this procedure, it affixes "EKANS" as a file marker alongside a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled "Fix-Your-Files.txt" in the C:\Users\Public\Desktop folder, which instructs victims to contact "bapcocrypt@ctemplar.com" so as to purchase a decryption tool.

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Jan 13 2020

38mins

Play

2020-030- Mick Douglas, Defenses against powercat, offsec tool release, SRUM logs, and more!

Podcast cover
Read more

WISP.org donation page: https://wisporg.z2systems.com/np/clients/wisporg/donation.jsp

Mick Douglas (@bettersafetynet on Twitter)

Powercat: https://github.com/besimorhino/powercat

Netcat in a powershell environment

https://blog.rapid7.com/2018/09/27/the-powershell-boogeyman-how-to-defend-against-malicious-powershell-attacks/

https://www.hackingarticles.in/powercat-a-powershell-netcat/

Defenses against powercat? 

LolBins: https://www.cynet.com/blog/what-are-lolbins-and-how-do-attackers-use-them-in-fileless-attacks/

Sigma ruleset: https://www.nextron-systems.com/2018/02/10/write-sigma-rules/#:~:text=Sigma%20is%20an%20open%20standard,grep%20on%20the%20command%20line.

ElasticSearch bought Endgame; https://www.elastic.co/about/press/elastic-announces-intent-to-acquire-endgame

https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/

Twitter DM to @bettersafetynet:Hey... I wanna talk about @hrbrmstr's tweet on the show tonight as well...

https://twitter.com/hrbrmstr/status/1287442304593276929

My thinking is if Cisco and others didn't try to intentionally downplay vulnerabilities by announcing them on a Friday, would we be more likely to patch sooner? Also, greater need for testing of patches to ensure that 80% of your workforce rely on that technology now. What's worse? Patching on a Friday evening (after several hours explaining the vuln to a manager), and then having it fuck something up so you're up at crack of dawn Monday troubleshooting something missed Friday night because testing was rushed/not conducted because the CEO can't access email?

I have thoughts, I've added this to the show note google doc.

https://www.reddit.com/r/netsec/comments/hwaj6f/nmap_script_fot_cve20203452/  -- nmap PoC script?

Embargoed vulns…

Getting management buy-in to patch 

Aug 10 2020

1hr 23mins

Play

2020-029- Brad Spengler, Linux kernel security in the past 10 years, software dev practices in Linux, WISP.org PSA

Podcast cover
Read more

WISP.org PSA at 35m56s - 37m 19s

Agenda:Bio/background

Why are you here (topic discussion)

What is the Linux Security Summit North America

https://grsecurity.net/

Questions from the meeting invite:

This only affects people who want to use a custom kernel, correct? This doesn’t affect you if you are running bog-standard linux (debian, gentoo, Ubuntu) right?

What options do people have in cloud environments?

Does the use of microservices make grsecurity less worthwhile?

You mentioned ARM 64 processors in your first slide as making  significant security functionality strides. With Apple and Microsoft going to ARM based processors, what are some things you feel need to be added to the kernel to shore up Linux for ARM, since some purists enjoy an Apple device with Linux on it?

https://www.youtube.com/watch?v=F_Kza6fdkSU - Youtube Video

https://grsecurity.net/10_years_of_linux_security.pdf -- pdf slides

https://lwn.net/Articles/569635/ - Definition of KASLR 

LTS kernels moved from 2 years to 6 years - why?

6 years is pretty much “FOREVER” in software development. 

Patches get harder to backport, or worse;

Could introduce new vulnerabilities

Project Treble: https://www.computerworld.com/article/3306443/what-is-project-treble-android-upgrade-fix-explained.html

LTSI: https://ltsi.linuxfoundation.org/

4.4 XLTS is available until Feb2022 - 

If fixes and all bugs haven’t been backported (1,250 security fixes aren’t in the latest stable 4.4 kernel)

What are the “safe” kernels?

Has anything changed since the presentation you gave earlier in July 2020 

Syzkaller

Let’s discuss Slide 27 (what are those tems?)

“Is it improving code quality, or Is it making people lazier and more reliant on a tool to check code?”

Slide 29 audio, you mention that you use Syzkaller… why do you use it?

Exploitation Trends

Attackers still don’t care about whether a vulnerability has a CVE assigned or not

Don’t many vulnerabilities require some work to get to the kernel? And why should they work to get to the kernel?

https://www.bleepingcomputer.com/news/security/rewards-of-up-to-500-000-offered-for-freebsd-openbsd-netbsd-linux-zero-days/

500K IF the kernel vuln affects major distros (Centos, Ubuntu)

https://resources.whitesourcesoftware.com/blog-whitesource/top-10-linux-kernel-vulnerabilities

Why does Zerodium payout for kernel vulns lower than application vulns? Would it be fair to say that getting root/persistence is all that matters and you don’t need to worry about the kernel to do so?

Many of the new security features are protecting against bad programming practices? 

So by adding all these things, who are you securing systems against?  Bad actors, or devs who employ poor coding measures? 

Why do you think we see lower adoption rates of security 

Problem solving:

Halvar Flake: http://addxorrol.blogspot.com/2020/03/before-you-ship-security-mitigation.html

If we have time… 

Threat models in a kernel

Where do they go in the development lifecycle?

If kernel dev is an open environment, what precipitates the need for a kernel mitigation threat model

Is there an example somewhere that we can see? What is the format? Methodology?

Do you think static code analysis of the kernel is worthwhile at all?

Absolutely! We do a lot of it, including via the analysis resulting from compiling with LLVM, as well as via specific static analysis GCC plugins of our own.

OK, what about the large amount of false positives the analyzers generate? Do you get around with your custom plugins? Also do you use the analyzers included with Clang and GCC v.10 or 3rd products?

That's usually a property of the analysis itself -- some can have large false positive issues, others not. Ideally we try to limit that for the plugins we write (we just recently added one helpful for some kind of NULL ptr dereferences this week). My understanding is the public now also has access to the Coverity reports for the kernel? As far as GCC versions, yes we test with all versions from 4.5 to 10.

What do you think of proposed XPFO patch? https://lwn.net/Articles/784839/

The performance profile is a big problem, and it doesn't address that the same attack can be performed in a different way that it wouldn't handle (that limitation is also mentioned in the original paper). So we haven't invested in it at all with our own work.

how about git sha-256 security measures ?

Not my domain of expertise, but sounds like a good idea.

What is the status of KASLR on non-Intel architectures? ARMv7/v8?

It exists there as well, and is shipped in Android. It's also recently been added for PowerPC.

What dynamic analysis/testing tools do you use for the kernel?

We have a couple racks of hardware, including some new AMD EPYC2 systems dedicated entirely to testing and syzkaller fuzzing. We have syzkaller in place (along with backports of functionality to improve its functionality/coverage) for all kernels we support, as well as a good mix of physical/VM systems for major distros, and automated build/boot/functionality/regression testing in a number of configs across ARM/ARM64/MIPS/PowerPC/SPARC64/i386/x86_64.

Thanks! Do you write your own configs/definitions for syzkaller?

Yes, including some changes to the code to have it detect some of our specific kernel message (size_overflow, refcount, RAP, etc)

What do you think about LKRG? Also, does grsec provide any similar runtime protection/detection/security?

I think it's a good alternative to some other commercial security products, but it's not what our goal is with grsecurity. I like the author of LKRG, but heuristic-based security is always problematic as you can't perform the checks everywhere they need to be performed, or as often as they need to be performed. When an attacker knows the checks performed (or has a general idea), then it's easy to devise an attack that would bypass it, knowing how computationally complex it would be to detect. So in grsecurity we focus on providing real defense vs just having a chance to detect something after the fact.

Do you plan on implementing RAP on PowerPC Architecture?

We haven't seen any commercial interest in it, but RAP is technically architecture-independent. We've done some demos for non-x86 architectures, and also just recently (within the past month or so), released a version for i386.

For how long GRSecurity is planning to support 5.4 LTS and LTS generally? What do you think is a good rule of thumb?

We've always generally supported them for 3 years, regardless of upstream's support periods. We have an independent process for performing backports that involves looking at all the upstream commits and other sources of information, regardless of any stable/Fixes tags (basically a manual version of AUTOSEL).

What is your opinion of the recently proposed Function-Granular KASLR series?

Not a fan of *KASLR in the kernel in general. It tries to deal with a problem (poorly) that there already exists a much better solution for: CFI.

Could you comment on how well (relative to your x86 detailed knownledge) ARM and PPC security fixes are backported?

We have many years of reverse engineering experience (15+ on my end) across multiple architectures. We were the first to develop software-based PXN/PAN for ARM for instance. We've also developed functionality specifically for non-x86 architectures. Within the past 2 years or so, we added POWER9 support for REFCOUNT, and have the physical hardware on site (in additional to qemu-based testing) to perform the work. But yes, our backports cover all architectures we support.

What is your opinion on the use of BPF for security-purposes, i.e. security monitoring and newer approaches like KRSI? Enabling something like BPF solely for the use of security seems like it could backfire, given how invasive it is.

As long as it's not controllable by an unprivileged user, I think it's fine. Anything that avoids the hassle of having to upstream something in order to implement some new kind of security check, is a good idea. They'll still be limited by the LSM interface itself, so that would be the next barrier to go. With BTF, there's a lot of possibility there.

Regarding exploiting containers: isn't the issue with containers that they have very poor defaults and that people don't use the features they could? For example: mounting sysfs or procfs into a container or not adjusting seccomp/apparmor (or better(?) selinux) policies?

That's a problem, but the crucial problem is the shared kernel among all containers. If you look at past exploits, they've been in things like futex, mremap, waitid, brk, etc, all syscalls that would be allowed in nearly all of the most strict seccomp policies. The granularity of current seccomp policies is really not that great, and any sufficiently complex code will necessarily have exposure to a large part of kernel attack surface.

What do you think about the CIP Projects' focus on CVE tracking (especially for the kernel)?

It's a good initiative, but the main problem with the kernel is that most vulnerabilities in the kernel don't get a CVE in the first place. I know for certain that many of the security issues we've tweeted haven't had a CVE assigned. The ones that do are when a distro with the vuln present in their kernel spots it and requests one. Most vulnerabilities in recent kernels especially don't get CVEs requested, because distros aren't shipping them.

What's your opinion on SMACK? Any other reference implementation except Tizen?

Haven't used it myself, so no opinion one way or another, sorry Doesn't seem bad at least in terms of number of security fixes backported to it compared to other access control LSMs.

If you disable as many CONFIG_* options in your kernel config have you actually reduced your attack surface or is most of the vulnerable code not in modules?

Yes, this is a good approach particularly for upstream kernels. I would definitely recommend compiling your own kernel instead of using default distro configs (from a security perspective).

Under grsecurity, we have a feature that makes it actually a good idea to put as much functionality in modules as possible, as they can't be auto-loaded by unprivileged users. So the functionality is there if it's needed across a fleet of systems, without the downsides.

TARA analysis performed in Linux Kernel ?

I'm not familiar with this, sorry!

Is the poor state of LTS and XLTS security backports found in PPC and ARM as well as (presumably) what you report for x86?

It's somewhat of an across-the-board problem

Actually I hoped that you will tell about new cool features that appeared in grsecury. Can you share anything about your new kernel heap hardening?

It's called AUTOSLAB, and it's useful both for security (particularly against AEG and UAFs), but also for debugging.  Minimal performance impact, we've had one person mention their system feels faster now, and we actually had a bug in one of our routine benchmarks where the feature got enabled in the "minimal" config, yet still reported better benchmark results in all tests than an upstream kernel.  So a really nice performance profile, with some additional memory wastage in the MEMCG case, but nothing terrible.  Also non-invasive, as it's done through a GCC plugin.

Thanks for your talk, Brad! What would make you work for upstream?

We offered that already years ago, and none of the companies involved seemed to be interested.  So we're funded directly now by people that benefit from our work.

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#AmazonSmile: https://brakesec.com/smile

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Jul 31 2020

1hr 5mins

Play

2020-028-Shlomi Oberman, RIPPLE20, supply chain security discussion, software bill of materials

Podcast cover
Read more

Whitepaper: https://www.jsof-tech.com/ripple20/

[blog] Build your own custom TCP/IP stack: https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/

Another custom TCP/IP stack: https://github.com/tass-belgium/picotcp

RIPPLE 20 Whitepaper: https://drive.google.com/file/d/1d3NNVCRPVFk0-V0HUO5CxWWVn9pYIvmF/view?usp=sharing

Agenda:

Part 1:

Background on the report

Why is it called RIPPLE20? What’s the RIPPLE about? 

Communications with Treck (and it’s Japanese counterpart)

Were you surprised about the reaction? Positive or negative?

Types of systems affected?

IoT

Embedded systems

SCADA

What precipitated the research?

What difficulties did you face in finding these vulns? Deadlines? 

What tools were used for analysis? (I think you mentioned Forescout --brbr)

What kind of extensibility are we talking about? TCP sizes? 

What did JSOF gain by doing this? 

What were the initial benefits of using the TCP/IP stack?

Speed? Size? Do these vulns affect other TCP/IP stacks? 

Did Treck give you access to source? Any specific requirements set by Treck? Any items that were off-limits? 

Updates since the report was released?

Are your vulns such that they can be detected online?

Part 2:

Supply chain issues

What should companies do when they don’t know what’s in their own tech stack?

https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf

Software bill of materials: https://en.wikipedia.org/wiki/Software_bill_of_materials

PicoTCP link above does not release all code, because they use binary blobs that make proper code review next to impossible

“Unfortunately we can't release all the code, a.o. because some parts depend on code or binaries that aren't GPL compatible, some parts were developed under a commercial contract, and some consist of very rough proof-of-concept code. If you want to know more about the availability under the commercial license, or the possibility of using our expert services for porting or driver development, feel free to contact us at picotcp@altran.com.”

BLoBs = https://en.wikipedia.org/wiki/Proprietary_device_driver

Vendor Contact

How many organizations are affected by these vulnerabilities? 

Are some devices and systems more vulnerable than others?

 How many are you still investigating to see if they are affected?

What’s the initial email look like when you tell a company “you’re vulnerable to X”?

Who are you dealing with initially? What is your delivery when you’re routed to non-technical people?

How did you tailor your initial response when you learned of the position of the person?

Lessons Learned: What would you have done differently next time?

Any additional tooling that you’d have used?

BlackHat talk: 05 August

What should companies do to reduce or mitigate the chances of the types of vulnerabilities found by your org?

https://cambridgewirelessblog.wordpress.com/2016/05/18/supply-chain-security-and-compliance-for-embedded-devices-iot/

https://blog.shi.com/solutions/embedded-hardware-supply-chain-attacks-embedded-system-attacks-how-to-stay-safe/

http://www.intrinsic-id.com/wp-content/uploads/2018/02/2016-A-Platform-Solution-for-Secure-Supply-Chain-and-Chip-Cycle-Management-Computer-Volume-49-Issue-8-Aug.-2016-Joseph-P.-Skudlarek-Tom-Katsioulas-Michael-Chen-%E2%80%93-Mentor-Graphics..pdf

https://www.supplychainservices.com/blog/major-security-risks-windows-embedded-users

https://www.bbc.com/news/business-32716802#:~:text=Japanese%20car%20giants%20Toyota%20and,March%202003%20and%20November%202007.

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Jul 24 2020

1hr

Play

2020-027-RIPPLE20 Report, supply chain security, responsible disclosure, software development, and vendor care.

Podcast cover
Read more

Whitepaper: https://www.jsof-tech.com/ripple20/

[blog] Build your own custom TCP/IP stack: https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/

Another custom TCP/IP stack: https://github.com/tass-belgium/picotcp

RIPPLE 20 Whitepaper: https://drive.google.com/file/d/1d3NNVCRPVFk0-V0HUO5CxWWVn9pYIvmF/view?usp=sharing

Agenda:

Part 1:

Background on the report

Why is it called RIPPLE20? What’s the RIPPLE about? 

Communications with Treck (and it’s Japanese counterpart)

Were you surprised about the reaction? Positive or negative?

Types of systems affected?

IoT

Embedded systems

SCADA

What precipitated the research?

What difficulties did you face in finding these vulns? Deadlines? 

What tools were used for analysis? (I think you mentioned Forescout --brbr)

What kind of extensibility are we talking about? TCP sizes? 

What did JSOF gain by doing this? 

What were the initial benefits of using the TCP/IP stack?

Speed? Size? Do these vulns affect other TCP/IP stacks? 

Did Treck give you access to source? Any specific requirements set by Treck? Any items that were off-limits? 

Updates since the report was released?

Are your vulns such that they can be detected online?

Part 2:

Supply chain issues

What should companies do when they don’t know what’s in their own tech stack?

https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf

Software bill of materials: https://en.wikipedia.org/wiki/Software_bill_of_materials

PicoTCP link above does not release all code, because they use binary blobs that make proper code review next to impossible

“Unfortunately we can't release all the code, a.o. because some parts depend on code or binaries that aren't GPL compatible, some parts were developed under a commercial contract, and some consist of very rough proof-of-concept code. If you want to know more about the availability under the commercial license, or the possibility of using our expert services for porting or driver development, feel free to contact us at picotcp@altran.com.”

BLoBs = https://en.wikipedia.org/wiki/Proprietary_device_driver

Vendor Contact

How many organizations are affected by these vulnerabilities? 

Are some devices and systems more vulnerable than others?

 How many are you still investigating to see if they are affected?

What’s the initial email look like when you tell a company “you’re vulnerable to X”?

Who are you dealing with initially? What is your delivery when you’re routed to non-technical people?

How did you tailor your initial response when you learned of the position of the person?

Lessons Learned: What would you have done differently next time?

Any additional tooling that you’d have used?

BlackHat talk: 05 August

What should companies do to reduce or mitigate the chances of the types of vulnerabilities found by your org?

https://cambridgewirelessblog.wordpress.com/2016/05/18/supply-chain-security-and-compliance-for-embedded-devices-iot/

https://blog.shi.com/solutions/embedded-hardware-supply-chain-attacks-embedded-system-attacks-how-to-stay-safe/

http://www.intrinsic-id.com/wp-content/uploads/2018/02/2016-A-Platform-Solution-for-Secure-Supply-Chain-and-Chip-Cycle-Management-Computer-Volume-49-Issue-8-Aug.-2016-Joseph-P.-Skudlarek-Tom-Katsioulas-Michael-Chen-%E2%80%93-Mentor-Graphics..pdf

https://www.supplychainservices.com/blog/major-security-risks-windows-embedded-users

https://www.bbc.com/news/business-32716802#:~:text=Japanese%20car%20giants%20Toyota%20and,March%202003%20and%20November%202007.

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Jul 16 2020

48mins

Play

2020-026- WISP PSA, PAN-OS vuln redux, F5 has a bad weekend, vuln scoring, Twitter advice, and more!

Podcast cover
Read more

1st: WISP.org PSA from Rachel Tobac (@racheltobac) & @wisporg talking about #shareTheMicInCyber

#SAML PAN-OS: https://twitter.com/RyanLNewington/status/1278074919092289537

 F5 vulnerability:

https://www.wired.com/story/f5-big-ip-networking-vulnerability/

https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/

F5 Mitigation (if patching is not immediately possible): https://twitter.com/TeamAresSec/status/1280590730684256258

Redirect 404 /

https://twitter.com/wugeej/status/1280008779359125504 - Tweet with PoC for the LFI and RCE

F5 Big-IP CVE-2020-5902 LFI and RCE

LFI

https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

or /etc/hosts

or /config/bigip.license

RCE

https:///tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami

How to cope in a no-win situation:https://twitter.com/datSecuritychic/status/1280527467569008640

Semicolon in bash: https://docstore.mik.ua/orelly/unix3/upt/ch28_16.htm#:~:text=When%20the%20shell%20sees%20a,once%20at%20a%20single%20prompt.

Jul 08 2020

58mins

Play

2020-025-Cognizant breach, maze ransomware, PAN-OS CVE 2020-2021, SAML authentication walkthrough

Podcast cover
Read more

Thank you to Marcus Carey for his excellent guidance and leadership this week.

Cognizant breach: https://www.ehackingnews.com/2020/06/cognizant-reveals-employees-data.html

Maze ransomware write-up: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/

https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/saml

PAN-OS CVE 2020-2021 - 

We have been made aware of a serious issue with SAML on Palo Alto Networks PAN-OS

We strongly encourage our customers to upgrade to one of the following versions :

PAN-OS 8.1.15

PAN-OS 9.0.9

PAN-OS 9.1.3 and greater

This is a critical vulnerability with the only mitigation being to either turn OFF SAML or to upgrade the PAN-OS.

A CVE will be released on Monday ::  CVE-2020-2021

https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

Jun 29 2020

46mins

Play

2020-024-Bit of news, Ripple20 vulns, IoT Security, windows error codes, captchas used for evil, Marine Momma

Podcast cover
Read more

https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/

https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4657

https://www.blumira.com/logmira-windows-logging-policies-for-better-threat-detection/

How would we map this against the MITRE matrix?

Are there any MITRE attack types that are so similar that one attack can be two different things in the matrix?

https://www.us-cert.gov/ics/advisories/icsa-20-168-01

https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/

https://www.tenable.com/blog/cve-2020-11896-cve-2020-11897-cve-2020-11901-ripple20-zero-day-vulnerabilities-in-treck-tcpip

https://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Jun 24 2020

49mins

Play

2020-023-James Nelson from Illumio, cyber resilence, business continuity

Podcast cover
Read more

James Nelson, VP of Infosec, Illumio

How has COVID-19 changed cybersecurity? Why is cyber resilience especially important now? What are the most important steps to ensure cyber-resiliency? How do you talk to business leaders about investing in cybersecurity to boost resiliency?

The best way for organizations to keep their ‘crown jewels’ secure is adopting a Zero Trust mindset. Organizations need to take advantage of adaptive security infrastructure that can scale to meet current and future organizational needs, and take steps to ensure even third-party hosted data is policy compliant.

Most CISOs don’t talk to the board all the time so they don’t understand that’s the conversation they want to have. By making sure that the security team’s spokesperson has an intelligent plan that shows how wrong things could go. Showing how money is directly connected to mitigating the risks is vital to getting the funding needed, and showing why an increase in spend coordinates with decrease of risk.

Cyber-Resilence-

https://en.wikipedia.org/wiki/Cyber_resilience

https://en.wikipedia.org/wiki/Business_continuity_planning#Resilience

https://www.darkreading.com/cloud/cyber-resiliency-cloud-and-the-evolving-role-of-the-firewall/a/d-id/1337206

Doug Barth and Evan Gilman - https://brakeingsecurity.com/2017-017-zero_trust_networking_with_doug_barth

part1 with Masha Sedova: https://traffic.libsyn.com/secure/brakeingsecurity/Masha_sedova-elevate_security-profiled-education-phishing-part1.mp3

Part2: https://traffic.libsyn.com/secure/brakeingsecurity/2020-019-masha_sedova-privacy-human_behavior-phishing-customized_training.mp3

https://www.helpnetsecurity.com/2017/08/24/assume-breach-world/

Key concepts:

Visibility into your environment

Controls necessary to repel attackers

Architecture of the network to create chokepoints (east/west, north/south isolation)

Threat modeling and regular threat assessment

Mechanisms to allow for rapid response

How long will current security controls hold a determined attacker at bay?

Business-wide Risk Management response can often determine resiliency in a Crisis/Breach situation.

Cyber-Resilence Framework (per NIST https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final)

What does “cyber resiliency” mean in the to the organization? To the department? To the individual? and what of the mission or business process the system is intended to support?

Which cyber resiliency objectives are most important to a given stakeholder? 

To what degree can each cyber resiliency objective be achieved? 

How quickly and cost-effectively can each cyber resiliency objective be achieved? 

With what degree of confidence or trust can each cyber resiliency objective be achieved? 

(What do we as security people do to ensure that all of these are properly answered? --brbr)

Architecture of systems:

Depending on the age of our information systems and technology stacks, cruft builds up or one-off systems are setup and forgotten. 

We (infosec industry) talk about shifting security left in a DevOps environment to ensure security gets put in, but should we do as an organization when we think about adding systems in terms of cyber-resilience? (It would seem that resilience may also be tied to the security or functionality in a piece of hardware and software. Proper understanding of all the systems capabilities/settings/options would be essential for drafting responses --brbr)

Some related and tangential suggestions for ideas/comments/themes/topics in case you feel like any fit into the conversation:

  • Comparison of security to the human immune system.
  • Does resilience (i.e., assume breach) imply there are failures you can recover from, yet other, existential risks you need to avoid? And what does that mean in practice?
  • How do you define “most valuable assets”? Value vs. obligations vs. ...?
  • Does a compliance mindset help or hinder resilience, and vice versa?
  • Referring back to a prior show, how does the human element contribute to resilience?
  • NIST doc makes a point that resilience only has meaning when it works across a system, how does this idea impact the cost of entry? And is there a tipping point for resilience?
  • Another point made is that speed should be viewed as an advantage. Is there an application of the OODA loop concept to resilience, then?
  • Cyber resilience resonates in other areas: Pandemics, natural disasters, and geo-political stressors. Could impact supply chain workforce effectiveness, other areas. Ransomware (which is cyber, but has other, knock-on effects).

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Jun 17 2020

48mins

Play

2020-022-Andrew Shikiar, FIDO Alliance, removing password from IoT, and discussing FIDO implementation

Podcast cover
Read more

Andrew Shikiar, executive director and CMO of the (Fast IDentity Online) FIDO Alliance.

What is FIDO?

“ open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords.”

Did any one event precipitate creation of the FIDO alliance?

UAF= https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html

U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)

https://landing.google.com/advancedprotection/

FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess

FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/

IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/  -- 

Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework

NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

https://fidoalliance.org/certification/authenticator-certification-levels/

https://github.com/herrjemand/awesome-webauthn

https://fidoalliance.org/content/case-study/

https://loginwithfido.com/provider/

From a threat modeling perspective, how does ‘2fa’ occur when the authenticating method and the browser are on the same device?

Consumer education initiative https://loginwithfido.com/

IoT Devices- https://fidoalliance.org/internet-of-things/

https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/

For Developers: https://fidoalliance.org/developers/   or https://webauthn.io/ - dev information about WebAuthN

https://github.com/herrjemand/awesome-webauthn

https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics

NTT DOCOMO introduces passwordless authentication for d ACCOUNT

https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev

Jun 10 2020

43mins

Play

2020-021- Derek Rook, redteam tactics, blue/redteam comms, and detection of testing

Podcast cover
Read more

**If Derek told you about us at SANS, send a DM to @brakeSec or email bds.podcast@gmail.com for an invite to our slack**

OSCP/HtB/VulnHub is a game... designed to have a tester find a specific nugget of information to pivot or gain access to greater power on the system. 

Far different in the 'real' world.

Privilege escalation in Windows:

as of June 2020, many of these items still work, may not work completely in the future

even so, many of these may not work if other mitigating controls are in place

PENTEST METHODOLOGY : 

PTES -http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

OSSTMM - https://www.isecom.org/OSSTMM.3.pdf

Redteam methodology: https://www.synopsys.com/glossary/what-is-red-teaming.html

https://www.fuzzysecurity.com/tutorials/16.html

https://medium.com/@Shorty420/enumerating-ad-98e0821c4c78

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

Enumerate the machine

Services

Network connections

Users

Logins

Domains

Files

Software installed (putty, git, MSO, etc) older software may install with improper permissions

Service paths (along with users services are ran as)

Windows Features (WSL, SSH, etc)

Patch level (Build 1703, etc)

Wifi networks and passwords (netsh wlan show profile key=clear)

Powershell history

Bash History (if WSL is used)

Incognito tokens

Stored credentials (cmdkey /list)

Powershell transcripts (search text files for "Windows PowerShell transcript start")

Context for above: Understand how the users make use of the system, and how they connect to other systems, follow those paths to find lateral movement, misconfigurations, etc. Each new system or user will provide further information to loot or avenues to explore

Linux EoP: https://guif.re/linuxeop

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Enumeration

Mostly the same as above

Bash history or profile files

           Writable scripts (tampering with paths or environment variables)

Setuid/Setgid binaries

Sticky bit directories

Crontabs

Email spools

World writable/readable files

.ssh config files (keys, active sessions)

Tmux/screen sessions

Application secrets (database files, web files with database connectivity, hard coded creds or keys, etc)

VPN profiles

GNOME keyrings- https://askubuntu.com/questions/96798/where-does-seahorse-gnome-keyring-store-its-keyrings

Ways to defend against those kinds of EoP.

Something cool: https://www.youtube.com/playlist?playnext=1&list=PLnxNbFdr_l6sO6vR6Vx8sAJZKpgKtWaGX&feature=gws_kp_artist  -- high Rollers

Derek is speaking at SANS SUMMIT happening on 04-05 June (FREE!) - https://www.sans.org/event/hackfest-ranges-summit-2020

Ms. Berlin is speaking at EDUCAUSE - VIRTUAL (04 June) https://www.educause.edu/

Jun 01 2020

1hr 17mins

Play

2020-020-Andrew Shikiar - FIDO Alliance - making Cybersecurity more secure

Podcast cover
Read more

 Andrew Shikiar, executive director and CMO of the (Fast IDentity Online) FIDO Alliance.

What is FIDO?

“ open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords.”

Did any one event precipitate creation of the FIDO alliance?

UAF= https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html

U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)

https://landing.google.com/advancedprotection/

FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess

FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/

IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/  -- 

Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework

NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

https://fidoalliance.org/certification/authenticator-certification-levels/

https://github.com/herrjemand/awesome-webauthn

https://fidoalliance.org/content/case-study/

https://loginwithfido.com/provider/

From a threat modeling perspective, how does ‘2fa’ occur when the authenticating method and the browser are on the same device?

Consumer education initiative https://loginwithfido.com/

IoT Devices- https://fidoalliance.org/internet-of-things/

https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/

For Developers: https://fidoalliance.org/developers/   or https://webauthn.io/ - dev information about WebAuthN

https://github.com/herrjemand/awesome-webauthn

https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics

NTT DOCOMO introduces passwordless authentication for d ACCOUNT

https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

May 27 2020

42mins

Play

2020-019-Masha Sedova, customized training, phishing, ransomware, and privacy implications

Podcast cover
Read more

Masha Sedova - Founder, Elevate Security

Topic ideas from the PR company:

  1. Inability to measure human security behaviors leads to increased risk in our computing environments. For too long, we’ve accepted training completion and mock phishing data as a sufficient way to measure this risk. But where do the vulnerabilities and strengths truly lie? 

The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this new found knowledge. 

Technology like vuln scanners or something more?

  1. Study after study shows that the reason why people don’t do things is not always because they don’t understand, it’s because they are not motivated. Motivating employees to change their cybersecurity behavior can seem like an overwhelming task but there are simple behavioral science techniques cybersecurity professionals can leverage to motivate employees to do the right thing. Masha Sedova will discuss the power of integrating elements of behavioral science into security in order to influence positive behavior. 

Motivation Theory (deming): https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles

X&Y  https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y

Ouchi Z theory https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi

http://www.yourarticlelibrary.com/motivation/motivation-theories-top-8-theories-of-motivation-explained/35377

Masha’s suggested topics: 

Why do security teams have difficulty in understanding their human risk today? What are the blockers? 

What should security teams be measuring to get a holistic view of human risk? 

What's the difference between security culture, security behavior change, and security awareness? 

Is security culture a core capability in security defense? Why or why not?  

Quantifying risk…

Is investing in human training a waste of time?

Phishing - mock phish or real phishing

Pull data to see who is clicking on links

Send an ‘intervention’

Gotta move away from training

The ‘security team’ will save them…

https://www.ncsc.gov.uk/guidance/phishing

Books:

https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X

https://www.amazon.com/Drive-Surprising-Truth-About-Motivates/dp/1594484805/ref=sr_1_1?crid=2QQ59YRRU89YX&dchild=1&keywords=drive+daniel+pink&qid=1588733551&s=books&sprefix=drive%2Cstripbooks%2C240&sr=1-1

Reality broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611

People centric security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1

Deep thought: a Cybersecurity novela: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/

https://elevatesecurity.com/

@modmasha

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

May 20 2020

39mins

Play

2020-018- Masha Sedova, bespoke security training, useful metrics to tailor training

Podcast cover
Read more

Masha Sedova - Founder, Elevate Security

Inability to measure human security behaviors leads to increased risk in our computing environments. For too long, we’ve accepted training completion and mock phishing data as a sufficient way to measure this risk. But where do the vulnerabilities and strengths truly lie? 

The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this new found knowledge. 

Study after study shows that the reason why people don’t do things is not always because they don’t understand, it’s because they are not motivated. Motivating employees to change their cybersecurity behavior can seem like an overwhelming task but there are simple behavioral science techniques cybersecurity professionals can leverage to motivate employees to do the right thing. Masha Sedova will discuss the power of integrating elements of behavioral science into security in order to influence positive behavior. 

Motivation Theory (deming): https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles

X&Y: https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y

Ouchi Z theory https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi

http://www.yourarticlelibrary.com/motivation/motivation-theories-top-8-theories-of-motivation-explained/35377

Why do security teams have difficulty in understanding their human risk today? What are the blockers? 

What should security teams be measuring to get a holistic view of human risk? 

What's the difference between security culture, security behavior change, and security awareness? 

Is security culture a core capability in security defense? Why or why not?  

Quantifying risk…

Is investing in human training a waste of time?

Phishing - mock phish or real phishing

Pull data to see who is clicking on links

Send an ‘intervention’

Gotta move away from training

The ‘security team’ will save them…

https://www.ncsc.gov.uk/guidance/phishing

Books:

https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X

https://www.amazon.com/Drive-Surprising-Truth-About-Motivates/dp/1594484805/ref=sr_1_1?crid=2QQ59YRRU89YX&dchild=1&keywords=drive+daniel+pink&qid=1588733551&s=books&sprefix=drive%2Cstripbooks%2C240&sr=1-1

Reality broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611

People centric security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1

Deep thought: a Cybersecurity novela: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/

https://elevatesecurity.com/

@modmasha

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

May 13 2020

44mins

Play

2020-017-Cameron Smith, business decisions, and how it affects Security

Podcast cover
Read more

Cameron Smith @Secnomancer

Layer8conference is virtual (https://layer8conference.com/layer-8-is-online-this-year/)

https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

CMMC:https://info.summit7systems.com/blog/cmmc

https://www.comptia.org/certifications/project - Project+

Cameron’s Smith = www.twitter.com/secnomancer

Cybersmith.com - Up by 14 April

Ask@thecybersmith.com

Cameron@thecybersmith.com

https://en.wikipedia.org/wiki/Christopher_Voss https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805

https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation

https://www.masterclass.com/

https://www.autopsy.com/support/training/covid-19-free-autopsy-training/

https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ

 

“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.”― Ernest Hemingway  https://www.goodreads.com/quotes/76281-there-is-nothing-noble-in-being-superior-to-your-fellow

Original B-Sides Talk Blurb

SITREP: A Consultant's Perspective from the Trenches of InfoSec In this session you will hear war stories and lessons learned consulting for hundreds of clients across dozens of verticals at every level, from bootstrapped startups with garage beginnings to Fortune 50 companies and everything in between. We will cover life on the front lines in InfoSec, ranging from individual contributions and staying relevant in a rapidly evolving field all the way to how bad most orgs are at InfoSec and what we can do as practitioners to help make them better.

Speaking Goal

After my presentation is over, I want my audience to...

  • Feel better about where they are as an infosec practitioner
  • Understand that most of Cybersecurity is largely NOT about the latest hack or technique
  • Failing is OK as long as you learn from it

...so that ...

  • When they go back to their office / SOC / client engagements on Monday they focus on the things that matter to their organizations
  • Hopefully feel a little bit less that the work they are doing is boring, exhausting, unappreciated, or hopeless
Intro
  • Security is a really crazy industry
    • Like the wild west out here
    • Constant threats
    • Complacent or ignorant clients/dependents
    • Resource and budget constraints
  • Security is really complex
    • There are SO. MANY. MOVING. PIECES.
    • There is a never ending stream of new information to learn and new threats to face
    • Security always involves at LEAST 4 parts
      • The practitioner - Hopefully you have backup!
      • What you're protecting - Employer, Client, System, Application, Data, SOMETHING, etc
      • What you're protecting it from - External TAs, Internal TAs, Incompetence, Apathy, Plain Ol' Vanilla Constraints, etc
      • What you have to protect it with - Budgets, Time, Personnel, Training, Relationships, etc
  • Cybersecurity/Information Security is simultaneously an old and new/emergent discipline
    • Cyber History
      • Old
        • Nevil Maskelyne / Guglielmo Marconi wireless telegraphy attack and Morse code insults - 1903
        • Phreaking in the 1960s
        • ARPANET Creeper - 1971
        • Morris Worm - 1988
      • New
        • Gartner Coined term SOAR in 2017
          • Yeah... It's barely 3 years old.
          • Now you can literally find job openings with SOAR Engineering titles
        • DevSecOps - Amazon presentation in 2015? Not even in grade school yet.
        • Average enterprise is running 75 security tools in their environment (Cybersecurity almanac 2019)
    • Most cybersecurity professionals over 30 do not have degrees in cybersecurity
      • Many don't even have Computer Science or IT related degrees
      • This is it's own problem
        • Training cyber pros, Chris Sanders, cognitive crisis, etc.
          • BDS ep 2019-021 and 2019-022
    • Emergent disciplines are challenging by default
    • You chose to play the game on hard mode for your first play through

Security really isn't as complicated as most people think

  • Occult Phenomenon
    • Things we don't understand we imagine to be far more complex
    • Things we anticipate we imagine to be far worse than they are
  • Grass isn't greener
    • Most security departments aren't doing better than you are
    • Maturity models aren't magic

Establish Credibility

  • I have been in A LOT of client environments in the last 12 years
  • Last time I checked, I have more than 350 discrete client engagements under my belt
    • I have worked with hundreds of internal, external, and hybrid IT and Security solutions
    • I've met the same tired and beleaguered IT/Security personnel over and over again
      • SSDD, very little actually changes from place to place
  • In that time, I've learned quite a bit about what makes security work
  • I've learned even more about what NOT to do
  • I want to share some of that with you today so you can see how organizations of all shapes and sizes can fail
Very Large Company Examples
  • Big Four Bank Example
    • Situation
      • Four Local Branches in Midwest
      • Physical Security Assessment
        • How got onto site as cash machine servicer was incredibly easy
    • Problem
      • Absolute trust of vendors/vendor compromise
    • How do we as security practitioners fix it?
      • Good internal relationships with functional area leaders
      • Work closely with functional areas to left and to the right
        • Who? Operations? HR? Purchasing?
        • Every functional area and specifically the leadership
        • Improved communications and availability
        • 8 and Up
          • 'Gotta git gud' at the soft stuff
  • Top 50 Chain Restaurant Example
    • Situation
      • Doing Chip Reader refreshes across all ~600 locations for PCI Compliance during 2017 window
    • Problem
      • Poor project management on behalf of security team led to project failure
      • A security problem became an IT problem
      • Contractor to subcontractor to subcontractor added time and complexity
    • How do we as security practitioners fix it?
      • Security managers needs to be aware of how their projects impact others
      • Managing up
      • Security needs to be interdisciplinary
Government Examples
  • Police Department Example
    • Situation
      • City Administrator got Spear Phished
    • Problem
      • Spear phishing
      • Poor logging
    • How do we as security practitioners fix it?
      • Look for the most basic problems and try to fix them
      • Find or create solutions that provide basic capabilities
      • Cannot prevent the lowest hanging fruit directly, so impact what you can change
        • What you can actually do about phishing
        • Getting people to do something that you want them to do
  • Defense SubContractor Example
    • Situation
      • Working with MSP on security issues
      • “Do we have a SIEM” email?
    • Problem
      • Company executives have never done due diligence
      • Assumed that MSP had it under control
      • MSP just did what they normally do and within letter of their contract
    • How do we as security practitioners fix it?
      • Security needs to be proactive
Small Company Examples
  • Light Manufacturer Example
    • Situation
      • Server not working, Ransomware
      • Attackers pivoted through third party accountant access
    • Problem
      • Single Point of Failure (SPOF)
      • Vendor Compromise
    • How do we as security practitioners solve it?
      • IT problems become security problems on long enough timeline
      • Need to provide actual solutions to business problems
      • Security CANNOT be decoupled from business needs
  • Telecommunications Provider
    • Situation
      • Employee reports CEO was hacked
    • Problem
      • Employee panicked, emailed everyone
      • Escalated way beyond what was necessary
    • How do we as security practitioners solve it?
      • Employee education - Boring answer
      • What's actually under our control here?
        • Clear processes for security incidents
        • Clear communications channels for employees with IT and security groups
        • Knowledge management
  • Local NGO Example
    • Situation
      • Meeting with Executive Director regarding server failure
    • Problem
      • Mentions that she was sent security guidelines from global parent org
      • Got so overwhelmed reading it she just closed it and kept working on something else
    • How do we as security practitioners solve it?
      • We have to make this information digestible and accessible
      • We do NOT need to make already dense subject matter even more inaccessible
      • When cannot mandate compliance, how do you achieve compliance
        • More flies with honey than vinegar
        • Build relationships - Layer 8 strikes again

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

May 05 2020

1hr 8mins

Play

2020-016-Cameron Smith, Business decisions and their (in)secure outcomes - Part 1

Podcast cover
Read more

Cameron Smith @Secnomancer

Layer8conference is virtual (https://layer8conference.com/layer-8-is-online-this-year/)

https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

CMMC:https://info.summit7systems.com/blog/cmmc

https://www.comptia.org/certifications/project - Project+

Cameron’s Smith = www.twitter.com/secnomancer

Cybersmith.com - Up by 14 April

Ask@thecybersmith.com

Cameron@thecybersmith.com

https://en.wikipedia.org/wiki/Christopher_Voss https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805

https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation

https://www.masterclass.com/

https://www.autopsy.com/support/training/covid-19-free-autopsy-training/

https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ

 

“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.”― Ernest Hemingway  https://www.goodreads.com/quotes/76281-there-is-nothing-noble-in-being-superior-to-your-fellow

Original B-Sides Talk Blurb

SITREP: A Consultant's Perspective from the Trenches of InfoSec In this session you will hear war stories and lessons learned consulting for hundreds of clients across dozens of verticals at every level, from bootstrapped startups with garage beginnings to Fortune 50 companies and everything in between. We will cover life on the front lines in InfoSec, ranging from individual contributions and staying relevant in a rapidly evolving field all the way to how bad most orgs are at InfoSec and what we can do as practitioners to help make them better.

Speaking Goal

After my presentation is over, I want my audience to...

  • Feel better about where they are as an infosec practitioner
  • Understand that most of Cybersecurity is largely NOT about the latest hack or technique
  • Failing is OK as long as you learn from it

...so that ...

  • When they go back to their office / SOC / client engagements on Monday they focus on the things that matter to their organizations
  • Hopefully feel a little bit less that the work they are doing is boring, exhausting, unappreciated, or hopeless
Intro
  • Security is a really crazy industry
    • Like the wild west out here
    • Constant threats
    • Complacent or ignorant clients/dependents
    • Resource and budget constraints
  • Security is really complex
    • There are SO. MANY. MOVING. PIECES.
    • There is a never ending stream of new information to learn and new threats to face
    • Security always involves at LEAST 4 parts
      • The practitioner - Hopefully you have backup!
      • What you're protecting - Employer, Client, System, Application, Data, SOMETHING, etc
      • What you're protecting it from - External TAs, Internal TAs, Incompetence, Apathy, Plain Ol' Vanilla Constraints, etc
      • What you have to protect it with - Budgets, Time, Personnel, Training, Relationships, etc
  • Cybersecurity/Information Security is simultaneously an old and new/emergent discipline
    • Cyber History
      • Old
        • Nevil Maskelyne / Guglielmo Marconi wireless telegraphy attack and Morse code insults - 1903
        • Phreaking in the 1960s
        • ARPANET Creeper - 1971
        • Morris Worm - 1988
      • New
        • Gartner Coined term SOAR in 2017
          • Yeah... It's barely 3 years old.
          • Now you can literally find job openings with SOAR Engineering titles
        • DevSecOps - Amazon presentation in 2015? Not even in grade school yet.
        • Average enterprise is running 75 security tools in their environment (Cybersecurity almanac 2019)
    • Most cybersecurity professionals over 30 do not have degrees in cybersecurity
      • Many don't even have Computer Science or IT related degrees
      • This is it's own problem
        • Training cyber pros, Chris Sanders, cognitive crisis, etc.
          • BDS ep 2019-021 and 2019-022
    • Emergent disciplines are challenging by default
    • You chose to play the game on hard mode for your first play through

Security really isn't as complicated as most people think

  • Occult Phenomenon
    • Things we don't understand we imagine to be far more complex
    • Things we anticipate we imagine to be far worse than they are
  • Grass isn't greener
    • Most security departments aren't doing better than you are
    • Maturity models aren't magic

Establish Credibility

  • I have been in A LOT of client environments in the last 12 years
  • Last time I checked, I have more than 350 discrete client engagements under my belt
    • I have worked with hundreds of internal, external, and hybrid IT and Security solutions
    • I've met the same tired and beleaguered IT/Security personnel over and over again
      • SSDD, very little actually changes from place to place
  • In that time, I've learned quite a bit about what makes security work
  • I've learned even more about what NOT to do
  • I want to share some of that with you today so you can see how organizations of all shapes and sizes can fail
Very Large Company Examples
  • Big Four Bank Example
    • Situation
      • Four Local Branches in Midwest
      • Physical Security Assessment
        • How got onto site as cash machine servicer was incredibly easy
    • Problem
      • Absolute trust of vendors/vendor compromise
    • How do we as security practitioners fix it?
      • Good internal relationships with functional area leaders
      • Work closely with functional areas to left and to the right
        • Who? Operations? HR? Purchasing?
        • Every functional area and specifically the leadership
        • Improved communications and availability
        • 8 and Up
          • 'Gotta git gud' at the soft stuff
  • Top 50 Chain Restaurant Example
    • Situation
      • Doing Chip Reader refreshes across all ~600 locations for PCI Compliance during 2017 window
    • Problem
      • Poor project management on behalf of security team led to project failure
      • A security problem became an IT problem
      • Contractor to subcontractor to subcontractor added time and complexity
    • How do we as security practitioners fix it?
      • Security managers needs to be aware of how their projects impact others
      • Managing up
      • Security needs to be interdisciplinary
Government Examples
  • Police Department Example
    • Situation
      • City Administrator got Spear Phished
    • Problem
      • Spear phishing
      • Poor logging
    • How do we as security practitioners fix it?
      • Look for the most basic problems and try to fix them
      • Find or create solutions that provide basic capabilities
      • Cannot prevent the lowest hanging fruit directly, so impact what you can change
        • What you can actually do about phishing
        • Getting people to do something that you want them to do
  • Defense SubContractor Example
    • Situation
      • Working with MSP on security issues
      • “Do we have a SIEM” email?
    • Problem
      • Company executives have never done due diligence
      • Assumed that MSP had it under control
      • MSP just did what they normally do and within letter of their contract
    • How do we as security practitioners fix it?
      • Security needs to be proactive
Small Company Examples
  • Light Manufacturer Example
    • Situation
      • Server not working, Ransomware
      • Attackers pivoted through third party accountant access
    • Problem
      • Single Point of Failure (SPOF)
      • Vendor Compromise
    • How do we as security practitioners solve it?
      • IT problems become security problems on long enough timeline
      • Need to provide actual solutions to business problems
      • Security CANNOT be decoupled from business needs
  • Telecommunications Provider
    • Situation
      • Employee reports CEO was hacked
    • Problem
      • Employee panicked, emailed everyone
      • Escalated way beyond what was necessary
    • How do we as security practitioners solve it?
      • Employee education - Boring answer
      • What's actually under our control here?
        • Clear processes for security incidents
        • Clear communications channels for employees with IT and security groups
        • Knowledge management
  • Local NGO Example
    • Situation
      • Meeting with Executive Director regarding server failure
    • Problem
      • Mentions that she was sent security guidelines from global parent org
      • Got so overwhelmed reading it she just closed it and kept working on something else
    • How do we as security practitioners solve it?
      • We have to make this information digestible and accessible
      • We do NOT need to make already dense subject matter even more inaccessible
      • When cannot mandate compliance, how do you achieve compliance
        • More flies with honey than vinegar
        • Build relationships - Layer 8 strikes again

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Apr 29 2020

49mins

Play

2020-015-Tanya_Janca-Using Github Actions in your Devops Environment, workflow automation

Podcast cover
Read more

Github actions - https://github.com/features/actions

How are these written? 

It looks like a marketplace format? How do they maintain code quality?

What does it take setup the actions?

It looks like IFTTT for DevOps?

What kind of integrations does it allow for? Will it handle logins or API calls for you?

Is it moderated in some way? What’s the acceptance criteria for these?

What are you trying to accomplish by using Github Actions? What are the benefits of using these over XX product?

What is gained by using this?

Mention twitch Channel and when (join the mailing list)

Github actions “Twitch.tv/shehackspurple”

Coaching, Project Management, Scrum Management

Alice and Bob learn Application Security - Wylie - Fall/Winter 2020

Links:

https://shehackspurple.dev

https://mailchi.mp/e2ab45528831/shehackspurple

https://twitter.com/shehackspurple

https://dev.to/shehackspurple

https://medium.com/@shehackspurple

https://www.youtube.com/shehackspurple

https://www.twitch.tv/shehackspurple

https://www.linkedin.com/in/tanya-janca

https://github.com/shehackspurple/

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Apr 21 2020

57mins

Play

2020-014-Server Side Request Forgery defense, Tanya Janca, AppSec discussion

Podcast cover
Read more

Tanya's AppSec Course

https://www.shehackspurple.dev/server-side-request-forgery-ssrf-defenses

https://www.shehackspurple.dev

Server-side request forgery - https://portswigger.net/web-security/ssrf

What are differences between Stored XSS and SSRF? 

This requires a MITM type of issue?

Doesn’t stored XSS get stored on the server?

What conditions must exist for SSRF to be possible?

What mitigations need to be in place for mitigation of SSRF? CORS? CSP?

Would a WAF or mod_security be effective?

Can it be completely mitigated or are there still ways around it?

Part2 -next week

Github actions - https://github.com/features/actions

How are these written? 

It looks like a marketplace format? How do they maintain code quality?

What does it take setup the actions?

It looks like IFTTT for DevOps?

What kind of integrations does it allow for? Will it handle logins or API calls for you?

Is it moderated in some way? What’s the acceptance criteria for these?

What are you trying to accomplish by using Github Actions? What are the benefits of using these over XX product?

What is gained by using this?

Mention twitch Channel and when (join the mailing list)

Github actions “Twitch.tv/shehackspurple”

Coaching, Project Management, Scrum Management

Alice and Bob learn Application Security - Wylie - Fall/Winter 2020

Links:

https://shehackspurple.dev

https://mailchi.mp/e2ab45528831/shehackspurple

https://twitter.com/shehackspurple

https://dev.to/shehackspurple

https://medium.com/@shehackspurple

https://www.youtube.com/shehackspurple

https://www.twitch.tv/shehackspurple

https://www.linkedin.com/in/tanya-janca

https://github.com/shehackspurple/

Tanya Janca

https://SheHacksPurple.dev

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Apr 14 2020

48mins

Play

2020-013- part 2, education security, ransomware, april mardock, Nathan McNulty, and Jared folkins

Podcast cover
Read more

April Mardock - CISO - Seattle Public Schools

Jared Folkins - IT Engineer - Bend La Pine Schools

Nathan McNulty - Information Security Architect - Beaverton School District

OpSecEdu - https://www.opsecedu.com/

Slack

https://www.a4l.org/default.aspx

https://clever.com/

BEC - https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)

https://www.k12cybersecurityconference.org/

https://acpenw.sched.com/

Bypassing security controls - https://www.goguardian.com/blog/technology/how-students-bypass-school-web-filters-and-how-to-stop-them/

https://community.spiceworks.com/topic/2077711-chromebook-google-docs-bypassing-filters

https://www.mobicip.com/blog/here%E2%80%99s-how-kids-bypass-apple%E2%80%99s-parental-control-tools

https://www.phantomts.com/2020/01/11/kids-can-bypass-communication-limit-feature-on-ios-13-3/

https://www.ocregister.com/2009/02/17/students-accused-of-changing-grades-using-teachers-password/

Security persons at education institutions of varying sizes.

https://www.darkreading.com/threat-intelligence/ransomware-crisis-in-us-schools-more-than-1000-hit-so-far-in-2019/d/d-id/1336634

https://www.forbes.com/sites/leemathews/2019/09/25/yet-another-u-s-school-district-has-been-ravaged-by-malware/

https://www.zdnet.com/article/texas-school-district-falls-for-scam-email-hands-over-2-3-million/

Why are schools soft targets?

Is money/budget the reason schools get the raw deal here?

Why is ransomware such an appealing attack?

How complex is the school environment?     Mobile, tablets, hostile users, hostile external forces

Adding technology too quickly? Outpacing the infrastructure in schools?

Just ideas for some questions. - Jared

Do you find vendors are very responsive in the education space when receiving a vulnerability report? https://www.edweek.org/ew/articles/2019/09/10/parent-who-criticized-his-sons-math-program.html When students, who you are trying to educate, when they are found doing something inappropriate, how do Districts handle it? https://ktvz.com/news/2017/11/08/mtn-view-hs-bomb-threat-traced-to-eugene-14-year-old/ What challenges do Security people in education face when partnering with their user base? Unlike a corporate setting, many educators and students need to install different software throughout the year, how is that handled? How did April, Nathan, and Jared meet?

Is the technology stack in your various school systems changed much in the last 10 years? Have you moved to cloud based, or do you still have an IT shack at the school systems with physical machines? 

Localadmins are not granted… (excellent!)

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Apr 07 2020

1hr 2mins

Play

2020-012-April Mardock, Nathan McNulty, Jared Folkins, school security, ransomware attacks

Podcast cover
Read more

April Mardock - CISO - Seattle Public Schools

Jared Folkins - IT Engineer - Bend La Pine Schools

Nathan McNulty - Information Security Architect - Beaverton School District

OpSecEdu - https://www.opsecedu.com/

Slack

https://www.a4l.org/default.aspx

https://clever.com/

BEC - https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)

https://www.k12cybersecurityconference.org/

https://acpenw.sched.com/

Bypassing security controls - https://www.goguardian.com/blog/technology/how-students-bypass-school-web-filters-and-how-to-stop-them/

https://community.spiceworks.com/topic/2077711-chromebook-google-docs-bypassing-filters

https://www.mobicip.com/blog/here%E2%80%99s-how-kids-bypass-apple%E2%80%99s-parental-control-tools

https://www.phantomts.com/2020/01/11/kids-can-bypass-communication-limit-feature-on-ios-13-3/

https://www.ocregister.com/2009/02/17/students-accused-of-changing-grades-using-teachers-password/

Security persons at education institutions of varying sizes.

https://www.darkreading.com/threat-intelligence/ransomware-crisis-in-us-schools-more-than-1000-hit-so-far-in-2019/d/d-id/1336634

https://www.forbes.com/sites/leemathews/2019/09/25/yet-another-u-s-school-district-has-been-ravaged-by-malware/

https://www.zdnet.com/article/texas-school-district-falls-for-scam-email-hands-over-2-3-million/

Why are schools soft targets?

Is money/budget the reason schools get the raw deal here?

Why is ransomware such an appealing attack?

How complex is the school environment?    Mobile, tablets, hostile users, hostile external forces

Adding technology too quickly? Outpacing the infrastructure in schools?

Just ideas for some questions. - Jared

Do you find vendors are very responsive in the education space when receiving a vulnerability report?https://www.edweek.org/ew/articles/2019/09/10/parent-who-criticized-his-sons-math-program.html When students, who you are trying to educate, when they are found doing something inappropriate, how do Districts handle it?https://ktvz.com/news/2017/11/08/mtn-view-hs-bomb-threat-traced-to-eugene-14-year-old/ What challenges do Security people in education face when partnering with their user base?Unlike a corporate setting, many educators and students need to install different software throughout the year, how is that handled?How did April, Nathan, and Jared meet?

Is the technology stack in your various school systems changed much in the last 10 years? Have you moved to cloud based, or do you still have an IT shack at the school systems with physical machines? 

Localadmins are not granted… (excellent!)

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Mar 29 2020

48mins

Play

2020-011-Alyssa miller, deep fakes, threatmodeling for Devops environments, and virtual conferences

Podcast cover
Read more

https://twitter.com/AlyssaM_InfoSec/status/1159877471161839617?s=19

Looking forward to sharing my vision for ending the 60 year cycle of bad defense strategies in #infosec and my challenge to think about security in a more effective way. https://sched.co/TAqU

@dianainitiative

#DianaInitiative2019 #cdwsocial

@CDWCorp

1961 - MIT - CTSS - https://en.wikipedia.org/wiki/Compatible_Time-Sharing_System

Egg, coconut, brick ( my example of security --brbr)

Start with critical assets

    Layer outward, not perimeter in.

Medieval castles

    Create the keep, build out from that

    Active defenses

Dover Castle - https://en.wikipedia.org/wiki/Dover_Castle#/media/File:1_dover_castle_aerial_panorama_2017.jpg

Detection defenses - watchguards

Mitigation defenses - moats - give time/space to respond (network segmentation)

Active countermeasures - knights/archers/cannons 

DeepFake technology

Election year

Spoke at RSA

Business threat? 

        “Outsider trading”

            “Video of Elon talking about problems - fake…”

                Stocks tank - short

https://www.vice.com/en_us/article/ywyxex/deepfake-of-mark-zuckerberg-facebook-fake-video-policy

Could it be done strategically to destabilize things

Extort business leaders

    Fake videos used to extort 

Still difficult to create

    What’s the hurdles stopping it from being mainstream?

        Huge render farms?

https://www.youtube.com/watch?v=18LN7VQM1aw - deepfake Sharon Stone/ Steve Buscemi

Threat modeling in devSecOps

Agile env needs to be quick, fast, and 

Build it into user stories

Shostack’s method is a bit weighty

    How do we implement that in such a way to make dev want to do them?

Organizing Virtual cons

https://Allthetalks.online - April 15

        24 hour conference for charity

Talks, followed by interactive channels, community generation

Virtual Lobbycon

Comedian 

CFP is open 01 April 2020

Sticker swap!

    Bsides Atlanta

        27-29 March

https://bsidesatl.org/ - All virtual this weekend!

    Infosec Oasis

https://Infosecoasis.com - 18 April

https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/

https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Mar 25 2020

1hr 10mins

Play

iTunes Ratings

87 Ratings
Average Ratings
75
7
4
0
1

Great Security Pod

By The Drewsk - Oct 05 2018
Read more
Great security podcast even for non-security IT folks. Give it a listen!

Amazing!

By elliott2k - Jun 21 2017
Read more
I love the podcast and the community behind it. Much love! 10/10