Sunday, February 9, 2020

2020-005-Marcus J Carey, red team automation, and Tribe of Hackers book series


Brakeing Down Security Podcast on #Pandora-

https://www.pandora.com/podcast/brakeing-down-security-podcast/PC:27866

Marcus Carey https://twitter.com/marcusjcarey 

Prolific Author, Defender, Enterprise Architect at ReliaQuest

 

https://twitter.com/egyp7 

 

https://www.darkreading.com/vulnerabilities---threats/reliaquest-acquires-threatcare/d/d-id/1335950

 

“GreyMatter integrates security data from security incident and event manager (SIEM), endpoint detection and response (EDR), firewalls, threat intelligence feeds, and other security tools, and includes analysis functions and automation. Threatcare's technology — which will become a new feature on the platform — simulates how a specific threat or attack could target an organization's network in order to determine whether its security tools and settings are or are not actually working to thwart the threats.”

 

Security model - everyone’s is diff

    How do you work with your threat model?

    A proper threat model

 

Attack Simulation - 

    How is this different from doing a typical Incident Response tabletop? Threat modeling systems?

    How is this different than a pentest?

    Is this automated red teaming? How effective can automated testing be?

    Is this like some kind of constant scanning system?

    How does this work with threat intel feeds? 

    Can it simulate ransomware, or any attacks?

 

Hedgehog principles

    A lot of things crappily, and nothing good

 

Mr. Boettcher: “Why suck at everything…”

 

Atomic Red Team - https://github.com/redcanaryco/atomic-red-team 

ATT&CK Matrix - https://attack.mitre.org/matrices/enterprise/ 

 

Tribe of Hackers 

https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189 -  Red Book

 

The Tribe of Hackers team is back with a new guide packed with insights from dozens of the world’s leading Red Team security specialists. With their deep knowledge of system vulnerabilities and innovative solutions for correcting security flaws, Red Team hackers are in high demand. Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity takes the valuable lessons and popular interview format from the original Tribe of Hackers and dives deeper into the world of Red Team security with expert perspectives on issues like penetration testing and ethical hacking.  This unique guide includes inspiring interviews from influential security specialists, including David Kennedy, Rob Fuller, Jayson E. Street, and Georgia Weidman, who share their real-world learnings on everything from Red Team tools and tactics to careers and communication, presentation strategies, legal concerns, and more

  • Learn what it takes to secure a Red Team job and to stand out from other candidates
  • Discover how to hone your hacking skills while staying on the right side of the law
  • Get tips for collaborating on documentation and reporting
  • Explore ways to garner support from leadership on your security proposals
  • Identify the most important control to prevent compromising your network
  • Uncover the latest tools for Red Team offensive security



https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1119643376 - Yellow Book

 

Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World is your guide to joining the ranks of hundreds of thousands of cybersecurity professionals around the world. Whether you’re just joining the industry, climbing the corporate ladder, or considering consulting, Tribe of Hackers offers the practical know-how, industry perspectives, and technical insight you need to succeed in the rapidly growing information security market. This unique guide includes inspiring interviews from 70 security experts, including Lesley Carhart, Ming Chow, Bruce Potter, Robert M. Lee, and Jayson E. Street.

  • Get the scoop on the biggest cybersecurity myths and misconceptions about security
  • Learn what qualities and credentials you need to advance in the cybersecurity field
  • Uncover which life hacks are worth your while
  • Understand how social media and the Internet of Things has changed cybersecurity
  • Discover what it takes to make the move from the corporate world to your own cybersecurity venture
  • Find your favorite hackers online and continue the conversation

 

https://smile.amazon.com/Tribe-Hackers-Security-Leaders-Cybersecurity/dp/1119643775 - Green Book

(Next out!)

Information security is becoming more important and more valuable all the time. Security breaches can be costly, even shutting businesses and governments down, so security leadership is a high-stakes game. Leading teams of hackers is not always easy, but the future of your organization may depend on it. In this book, the world’s top security experts answer the questions that Chief Information Security Officers and other security leaders are asking, including:

  • What’s the most important decision you’ve made or action you’ve taken to enable a business risk?
  • How do you lead your team to execute and get results?
  • Do you have a workforce philosophy or unique approach to talent acquisition?
  • Have you created a cohesive strategy for your information security program or business unit?

 

https://smile.amazon.com/Tribe-Hackers-Blue-Team-Cybersecurity/dp/1119643414 - Blue Book

(OUT SOON!)

Tribe of Hackers Blue Team goes beyond the bestselling, original Tribe of Hackers book and delves into detail on defensive and preventative techniques. Learn how to grapple with the issues that hands-on security experts and security managers are sure to build into their blue team exercises.

  • Discover what it takes to get started building blue team skills
  • Learn how you can defend against physical and technical penetration testing
  • Understand the techniques that advanced red teamers use against high-value targets
  • Identify the most important tools to master as a blue teamer
  • Explore ways to harden systems against red team attacks
  • Stand out from the competition as you work to advance your cybersecurity career

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Download here!

Tuesday, February 4, 2020

2020-004-Marcus Carey, ShmooCon Report, threat simulation


 

Marcus Carey https://twitter.com/marcusjcarey 

Prolific Author, Defender, Enterprise Architect at ReliaQuest

https://twitter.com/egyp7 

https://www.darkreading.com/vulnerabilities---threats/reliaquest-acquires-threatcare/d/d-id/1335950

 

“GreyMatter integrates security data from security incident and event manager (SIEM), endpoint detection and response (EDR), firewalls, threat intelligence feeds, and other security tools, and includes analysis functions and automation. Threatcare's technology — which will become a new feature on the platform — simulates how a specific threat or attack could target an organization's network in order to determine whether its security tools and settings are or are not actually working to thwart the threats.”

 

Security model - everyone’s is diff

    How do you work with your threat model?

    A proper threat model

 

Attack Simulation - 

    How is this different from doing a typical Incident Response tabletop? Threat modeling systems?

    How is this different than a pentest?

    Is this automated red teaming? How effective can automated testing be?

    Is this like some kind of constant scanning system?

    How does this work with threat intel feeds? 

    Can it simulate ransomware, or any attacks?

 

Hedgehog principles

    A lot of things crappily, and nothing good

 

Mr. Boettcher: “Why suck at everything…”

 

Atomic Red Team - https://github.com/redcanaryco/atomic-red-team 

ATT&CK Matrix - https://attack.mitre.org/matrices/enterprise/ 

 

Tribe of Hackers 

https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189 -  Red Book

 

The Tribe of Hackers team is back with a new guide packed with insights from dozens of the world’s leading Red Team security specialists. With their deep knowledge of system vulnerabilities and innovative solutions for correcting security flaws, Red Team hackers are in high demand. Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity takes the valuable lessons and popular interview format from the original Tribe of Hackers and dives deeper into the world of Red Team security with expert perspectives on issues like penetration testing and ethical hacking.  This unique guide includes inspiring interviews from influential security specialists, including David Kennedy, Rob Fuller, Jayson E. Street, and Georgia Weidman, who share their real-world learnings on everything from Red Team tools and tactics to careers and communication, presentation strategies, legal concerns, and more

  • Learn what it takes to secure a Red Team job and to stand out from other candidates
  • Discover how to hone your hacking skills while staying on the right side of the law
  • Get tips for collaborating on documentation and reporting
  • Explore ways to garner support from leadership on your security proposals
  • Identify the most important control to prevent compromising your network
  • Uncover the latest tools for Red Team offensive security



https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1119643376 - Yellow Book

 

Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World is your guide to joining the ranks of hundreds of thousands of cybersecurity professionals around the world. Whether you’re just joining the industry, climbing the corporate ladder, or considering consulting, Tribe of Hackers offers the practical know-how, industry perspectives, and technical insight you need to succeed in the rapidly growing information security market. This unique guide includes inspiring interviews from 70 security experts, including Lesley Carhart, Ming Chow, Bruce Potter, Robert M. Lee, and Jayson E. Street.

  • Get the scoop on the biggest cybersecurity myths and misconceptions about security
  • Learn what qualities and credentials you need to advance in the cybersecurity field
  • Uncover which life hacks are worth your while
  • Understand how social media and the Internet of Things has changed cybersecurity
  • Discover what it takes to make the move from the corporate world to your own cybersecurity venture
  • Find your favorite hackers online and continue the conversation

 

https://smile.amazon.com/Tribe-Hackers-Security-Leaders-Cybersecurity/dp/1119643775 - Green Book

(Next out!)

Information security is becoming more important and more valuable all the time. Security breaches can be costly, even shutting businesses and governments down, so security leadership is a high-stakes game. Leading teams of hackers is not always easy, but the future of your organization may depend on it. In this book, the world’s top security experts answer the questions that Chief Information Security Officers and other security leaders are asking, including:

  • What’s the most important decision you’ve made or action you’ve taken to enable a business risk?
  • How do you lead your team to execute and get results?
  • Do you have a workforce philosophy or unique approach to talent acquisition?
  • Have you created a cohesive strategy for your information security program or business unit?

 

https://smile.amazon.com/Tribe-Hackers-Blue-Team-Cybersecurity/dp/1119643414 - Blue Book

(OUT SOON!)

Tribe of Hackers Blue Team goes beyond the bestselling, original Tribe of Hackers book and delves into detail on defensive and preventative techniques. Learn how to grapple with the issues that hands-on security experts and security managers are sure to build into their blue team exercises.

  • Discover what it takes to get started building blue team skills
  • Learn how you can defend against physical and technical penetration testing
  • Understand the techniques that advanced red teamers use against high-value targets
  • Identify the most important tools to master as a blue teamer
  • Explore ways to harden systems against red team attacks
  • Stand out from the competition as you work to advance your cybersecurity career

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Download here!

Wednesday, January 29, 2020

2020-003- Liz Fong Jones, tracking Pentesters, setting up MFA for SSH, and Developer Advocates


What is Honeycomb.io?

From the site: 

“Honeycomb is a tool for introspecting and interrogating your production systems. We can gather data from any source—from your clients (mobile, IoT, browsers), vendored software, or your own code. Single-node debugging tools miss crucial details in a world where infrastructure is dynamic and ephemeral. Honeycomb is a new type of tool, designed and evolved to meet the real needs of platforms, microservices, serverless apps, and complex systems.”

 

SSH 2FA gist https://gist.github.com/lizthegrey/9c21673f33186a9cc775464afbdce820

 

Honeycomb.io for digging into access logs & retracing what pentesters do.

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Download here!

Wednesday, January 22, 2020

2020-002-Liz Fong-Jones discusses blog post about Honeycomb.io Incident Response


Ms. Berlin's appearance on #misec podcast - https://www.youtube.com/watch?v=Cj2IF0zn_BE with @kentgruber and @quantissIA

Blog post: 

https://www.honeycomb.io/blog/incident-report-running-dry-on-memory-without-noticing/

 

What is Honeycomb.io?

From the site: 

“Honeycomb is a tool for introspecting and interrogating your production systems. We can gather data from any source—from your clients (mobile, IoT, browsers), vendored software, or your own code. Single-node debugging tools miss crucial details in a world where infrastructure is dynamic and ephemeral. Honeycomb is a new type of tool, designed and evolved to meet the real needs of platforms, microservices, serverless apps, and complex systems.”

 

What are SLOs and how do you establish them? Are they anything like SLA (Service level agreements)?

 

Can you give us an idea of timeline? Length of time from issue to IR to resolution? 



Are the dashboards mentioned in the blogs post your operations dashboard?

[nope! hashtag no-dashboards]

 

Leading and lagging indicators ( IT and infosec call them detection and mitigation indicators)

    https://kpilibrary.com/topics/lagging-and-leading-indicators

 

How important is telemetry (or meta-telemetry, since it’s telemetry on telemetry, if I’m reading it right --brbr) in making sure you can understand issues?

 

Do you have levels of escalation? How do you define those?

 

When you declared an emergency, how did brainstorming help with addressing the issues? Do that help your org see the way to a proper fix?

    Did you follow any specific methodology? Did you have a warroom or web conference?

   

 

Communications:

https://twitter.com/lizthegrey/status/1192036833812717568

 

Can being over transparent be detrimental? 

 

Communication methods in an IR:

    Slack

    Phone Tree

    Ticket system

    Emails

   

    What does escalation look like for Ms. Berlin? Mr. Boettcher?  (stories or examples?)

 

Confirmation bias (or “it’s never in our house”) fallacy

    “I’ve seen and been a part of that, very prevalent in IT” --brbr

    Especially when the bias is based on previous outages/issues

 

From the blog: “We quickly found ourselves locked in a state of confirmation bias…”



Root Cause Analysis:

    Once you diagnosed the issue, how quickly was a fix pushed out?

    What kind of documentation or monitoring was generated/added to ensure this won’t happen again?

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Download here!

Monday, January 13, 2020

2020-001- Android malware, ugly citrix bugs, and Snake ransomware


Educause conference: https://events.educause.edu/security-professionals-conference/2020/hotel-and-travel 

 

Amanda’s Training that everyone should come to!!! https://nolacon.com/training/2020/security-detect-and-defense-ttx

Follow twitter.com/infosecroleplay

 

Part 1: New year, new things

 

Discussion:

 

What happened over the holidays? What did you get for christmas?

 

PMP test is scheduled for 10 March



Proposal:  Anonymous Hacker segment

    Similar to “The Stig” on Top Gear. If you would like to come on and discuss any topic you would like. You’ll have anonymity, we won’t share your contact info

 

  1. Will allow people worried that they’ll be ridiculed to share their knowledge
  2. We can record your 20-30 segment whenever (will need audio/video for it)
  3. You can take a tutorial from another site (or your own) and review it for us
  4. 1-2 segments per month 
  5. We can discuss content prior to (we won’t put you on the spot)
  6. We do have a preliminary





News:

 

Google removed 1.7K+ Joker Malware infected apps from its Play Store                   

 

Full article: https://securityaffairs.co/wordpress/96295/malware/joker-malware-actiity.html

 

Excerpt:

Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.

Google provided technical details of its activity against the Joker malware (aka Bread) operation during the last few years.

The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service, install malicious apps, generate fake reviews, and show ads.

The spyware is able to steal SMS messages, contact lists and device information along with to sign victims up for premium service subscriptions.

In October, Google has removed from Google Play 24 apps because they were infected with Joker malware, the 24 malicious apps had a total of 472,000 installs.

“Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over 472,000+ installs in total.” 

 

apps typically fall into two categories: SMS fraud (older versions) and toll fraud (newer versions). Both of these types of fraud take advantage of mobile billing techniques involving the user’s carrier.” reads the post published by Google.

The newer versions of the Joker malware were involved in toll fraud that consist of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.



WAP billing: https://en.wikipedia.org/wiki/WAP_billing

Example: “pokemon go allows in-app purchases

Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781

 

Full Article: https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/

 

Excerpt:

On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.

 

What type of organizations are affected by CVE-2019-19781?  (industries with typically poor or outdated security practices… --brbr)

4,576 unique autonomous systems (network providers) were found to have vulnerable Citrix endpoints on their network. We’ve discovered this vulnerability currently affects:

 

  • Military, federal, state, and city government agencies
  • Public universities and schools
  • Hospitals and healthcare providers
  • Electric utilities and cooperatives
  • Major financial and banking institutions
  • Numerous Fortune 500 companies

 

How is CVE-2019-19781 exploited and what is the risk?

This critical vulnerability is easy for attackers to exploit using publicly available proof-of-concept code. Various methods demonstrating how to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec. A forensic guide is available detailing how to check Citrix servers for evidence of a compromise.

Further exploitation of this vulnerability could be used to spread ransomware (similar to CVE-2019-11510) and cryptocurrency mining malware on sensitive networks. If multiple servers are compromised by the same threat actor, they could be weaponized for coordinated malicious activity such as DDoS attacks.

SNAKE #Ransomware Targets Entire Corporate Systems?

 

Full Article: https://www.ehackingnews.com/2020/01/snake-ransomware-targets-entire.html 

Excerpt:

 

The new Snake Ransomware family sets out to target the organizations’' corporate networks in all their entirety, written in Golang and containing a significant level of obfuscation, the observations and disclosure for the attacks were made by a group of security specialists from the MalwareHunterTeam.

 

The Ransomware upon successful infection subsequently erases the machine's Shadow Volume Copies before ending different processes related to SCADA frameworks, network management solutions, virtual machines, and various other tools.

 

After that, it continues to encrypt the machine's files while skirting significant Windows folders and system files. As a feature of this procedure, it affixes "EKANS" as a file marker alongside a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled "Fix-Your-Files.txt" in the C:\Users\Public\Desktop folder, which instructs victims to contact "bapcocrypt@ctemplar.com" so as to purchase a decryption tool.

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Download here!

Sunday, December 22, 2019

2019-046-end of the year, end of the decade, predictions, and how we've all changed


End of year, end of decade

    Are things better than 10 years ago? 5 years ago?

    If there was one thing to change things for the better, what would that be?

 

Good, Bad, Ugly 

Did naming vulns make things better?

    Which industries are doing a good job of securing themselves? Finance?

    What do you wished never happened (security/compliance wise)?

    Ransomware infections with no bounties

    Still have people believing “Nessus” is a pentest

 

https://nrf.com/

https://www.retailitinsights.com/eventscalendar/eventdetail/1c77d5c6-8625-4f2b-bb98-89cca6590c49 

https://monitorama.com/ 

https://www.apics.org/credentials-education/events

 

The Future

    PREDICTIONS!!!

    Bryan: The rise of the vetting programs  (Companies will want to vet content creators in their eco-systems)

    Cybuck: An uptick in surveillance tech; both disguised as cool home smart gadgets and straight up public safety.  Triggering a US GDPR type response.

Injection remains as the undisputed heavyweight champion of app sec vulnerability (OWASP top 10).  And wishful thinking...broken authentication moves lower, denial of service goes down. https://twitter.com/WeldPond/status/1207383327491137536/photo/1

JB: a major change in social media/generational shift in how we use it, legal or focus on new types of  mobile tech for example… Human networking in real-life in the age of ‘social’ ….“When you hire someone… you also hire their rolodex”  --- what do you think about this statement?  ..it’s role in InfoSec? Talent?

 

JB- shouted out https://github.com/redcanaryco/atomic-red-team (Invoke-Atomic framework with powershell now on Linux, OSX, and Windows)

 

JB - Link to hunting/stopping-human-trafficing org i mentioned :

Shoutout

 Sherrie Caltagirone, Executive Director, Global Emancipation Network @GblEmancipation

https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1569941622.pdf

 

Mentioned https://monitorama.com/ https://github.com/viq/air-monitoring-scripts (viq form brake sec )

 

       

Other topics

    Talk about where you were 10 years ago, and what you did to get where you are?

    Best Hacking tool?

    Best Enterprise Tool?

 

Recent news

https://www.zdnet.com/article/more-than-38000-people-will-stand-in-line-this-week-to-get-a-new-password/

https://www.phoronix.com/scan.php?page=news_item&px=CERN-MALT-Microsoft-Alternative 

https://www.iotworldtoday.com/2019/12/21/2020-predictions-apis-become-a-focus-of-iot-security/ 

https://www.jonesday.com/en/insights/2018/10/california-to-regulate-security-of-iot-devices 

News Stories from 2010 (see if they still make sense, or outdated)



https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/

https://www.csoonline.com/article/2231454/verizon-s-2010-dbir--rise-in-misuse--malware-and-social-engineering.html

https://www.owasp.org/index.php/OWASPTop10-2010-PressRelease




Download here!

Tuesday, December 17, 2019

2019-045-Part 2-Noid, Dave Dittrich, empowered teams, features vs. security


The day after part 1

Keybase halted the spacedrop the day after the first podcast is complete...

 

Security failures in implementation

    “We need to push this to market, we’ll patch it later!”

 

Risk management discussion for project managers (PMP)

 

CIA Triad… where does ‘business goals’ fit? Security is at odds with the bottom line

    **Reference Noid’s Bsides Seattle talk and podcast earlier this year.**



Other companies that have made security mistakes in the name of business

 

Practical Pentest Labs storing passwords in the clear

https://twitter.com/mortalhys/status/1202867037120475136

https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136 

https://twitter.com/piaviation/status/1202994484172218368



T-Mobile Austria partial password issues:

https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear

    No one was championing security, because no one considered the problems with partial disclosure of the passphrase in an account.

    Marketing people on your socMedia accounts do NOT help allay security issues (cause they didn’t have escalation procedures for vuln disclosure)

        Insider threats could takeover accounts

 

Follow-up from last week’s show with Bea Hughes:

 

I liked the interesting docussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile I'm surprised you did not mention the term "product owner".  You were asking who cares about security that you, as a security guy can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders".

 

And, you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, the PM is removed entirely ideally in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity" aka reliability.)

 

As Directory of DevOps for my 4,000 persons strong consulting company I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020. 

 

**If the ‘product owner’ or ‘empowered team’ does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach. **

 

“Empowered teams”

 Some people aren’t fans:   https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 


Download here!