Monday, December 21, 2015

2015-053: 2nd annual podcaster party


This week, we went off the tracks a bit with our friends at the Defensive Security Podcast and the PVC Security Podcast. We discussed a bit of news, talked about how our podcasts differ from one another and about the 'lack of infosec talent', and sat around talking about anything we wanted to.
Sit back with some eggnog and let your ears savor the sounds of the season. Many thanks to Andrew Kalat, Jerry Bell, Edgar Rojas, Paul Jorgensen, and co-host Brian Boettcher for getting together for some good-natured fun.
WARNING: There is adult language and adult themes, so if you have little ones around, you might want to skip this one until after bedtime.
Happy Holidays from the Brakeing Down Security Podcast.

Here is a new episode of Brakeing Down Security!

Wednesday, December 16, 2015

2015-052: Wim Remes-ISC2 board member


I got hold of Mr. Wim Remes because he was elected to the ISC2 board in November 2015. Having certified as a CISSP myself, I have seen a lot of changes to the CISSP over the years.
Recent changes to the CISSP included reducing the long-standing 10 domains to 8, plus a major revamp of all of them.
I wanted to know what Mr. Remes' plans were for the coming term, how the board works, and how organizations like ISC2 drive change in the industry. I also asked Wim how he is trying to ensure that the CISSP and the other certs remain current and competitive.
This is a great interview if you're looking to get your #CISSP or any other ISC2 cert, or if you currently hold an #ISC2 #certification and want to learn how ISC2 and its board work.

Mr. #Remes' Twitter: @wimremes
ISC2 official site: http://www.isc2.org

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Join our Patreon!: https://www.patreon.com/bds_podcast
Comments, Questions, Feedback: bds.podcast@gmail.com


Wednesday, December 9, 2015

2015-051-MITRE's ATT&CK Matrix


#MITRE has a Matrix that classifies the various ways your network can be compromised. It lays out the post-exploitation categories, from 'Persistence' to 'Privilege Escalation', and it is a nice way to organize all of that information.
This week, Mr. Boettcher and I go over the "#Persistence" and "#Command and #Control" sections of the Matrix.
Every person who attacks you has a specific method they use to gain and keep access to your systems, and it is as unique as a fingerprint. Threat intelligence companies call this a TTP (#Tactics, #Techniques, and #Procedures). We also discuss the Cyber #KillChain and where it came from.
#ATT&CK Matrix: https://attack.mitre.org/wiki/Main_Page
Tactics, Techniques, and Procedures (shows patterns of behavior): https://en.wikipedia.org/wiki/Terrorist_Tactics,_Techniques,_and_Procedures
Cyber Kill Chain paper that inspired the ATT&CK Matrix: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf



Thursday, December 3, 2015

2015-049-Can you achieve Security Through Obscurity?


Many people think the answer to that question is an automatic 'yes'. Maybe your httpd is running on port 82, or maybe your fancy #wordpress #module needs some cover because the code quality is a little lower than it should be and you need to hide some cruft.
This week, Mr. Boettcher and I discuss the reasons for obscuring things for the sake of security, when it's a good idea, and when you shouldn't #obscure anything (hint: using #ROT-14, for example).
#encryption #security #infosec
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-049-Security_by_Obscurity.mp3
Mr. Boettcher's Twitter: http://www.twitter.com/boettcherpwned
Bryan's Twitter: http://www.twitter.com/bryanbrake


Thursday, November 26, 2015

2015-048: The rise of the Shadow... IT!


Cheryl Biswas gave a great talk last month at Bsides Toronto. I was intrigued by what "Shadow IT" and "Shadow Data" mean, as there appears to be some disparity. Why can't you write policy to enforce standards? As easy as it sounds, it's quickly becoming a reason young, talented people might skip your company. Who wants to use Blackberries and Gateway laptops when sexy new MacBook Airs and iPhone 6S exist?

This also leads to the issue of business data being put on personal devices, which, as anyone knows, can cause a whole host of additional issues. Malware installed on personal devices can make sharing business secrets a cinch.

So, while Mr. Boettcher was working, I managed to wrangle a quick interview with Cheryl out of her offices in Toronto, Ontario.

Cheryl gave us some great audio, and when you're done, you can watch her Bsides Toronto talk.  


Cheryl's Twitter: https://www.twitter.com/3ncr1pt3d

Cheryl's BsidesTO talk: https://www.youtube.com/watch?v=q0pNWpWFKBc





Friday, November 20, 2015

2015-047-Using BSIMM framework to measure your software security lifecycle


Business Security in Maturity Model (#BSIMM) is a #framework that is unique in that it gives your company a measuring stick for how it compares with certain industry verticals.

We didn't want to run through all 4 sections of the BSIMM, so this time we concentrated on the #software #security standards, the "Deployment" section specifically.

BSIMMV6 download (just put junk in the fields, and download ;) ): https://www.bsimm.com/download/


Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-047_BSIMM.mp3


Wednesday, November 11, 2015

2015-046: Getting Security baked in your web app using OWASP ASVS


During our last podcast with Bill Sempf (@sempf), we talked about how to get developers to understand how to turn a vuln into a defect, and how to get a dev to understand how vulns affect the overall quality of the product.

During that conversation, the term "ASVS" came up, so we did a quick and dirty session with Bill about it. It's a security #requirements #document that ensures the projects being scoped out meet specific security requirements. This can be a valuable ally when your company is creating products or software applications. Bill explains this week exactly how you incorporate it into your Secure #SDLC #lifecycle.


#project #management #security #architect

Direct Link: http://traffic.libsyn.com/brakeingsecurity/sempf2.mp3



Bill's Bside Columbus talk on ASVS: http://www.irongeek.com/i.php?page=videos/bsidescolumbus2015/defense00-got-software-need-a-security-test-plan-got-you-covered-bill-sempf

Bill's Blog: http://www.sempf.net

Bill's Twitter: http://www.twitter.com/sempf


