
BrakeSec Education Podcast
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
Latest episodes

Dec 17, 2020 • 52min
2020-046-solarwinds-fireeye-breaches-GE-medical-device-issues-and-2021_predictions
End of year podcast
Blumeria sponsorship

NEWS:
IT company SolarWinds says it may have been hit in 'highly sophisticated' hack | Reuters
FireEye hacked: US cybersecurity firm FireEye hit by 'state-sponsored' attack - BBC News
https://krypt3ia.wordpress.com/ - 16 December 2020
Microsoft flexing muscle to shut down C2: Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach - GeekWire
Little-known SolarWinds gets scrutiny over hack, stock sales (apnews.com)
FireEye, GoDaddy, and Microsoft create kill switch for SolarWinds backdoor - Security Affairs
US Gov has been hacked: US government agencies hacked; Russia a possible culprit (apnews.com)
Not mentioned during the podcast: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc
Not trying to spread FUD, but would infiltration by using FOSS tools be easier than SolarWinds?
Time to remove Nano Adblocker and Defender from your browsers (except Firefox) - gHacks Tech News
System oriented programming - Cloud-Sliver (cloud-sliver.com)
Google Cloud (over)Run: How a free trial experiment ended with a $72,000 bill overnight • The Register
G’bye Flash… Adobe releases final Flash Player update, warns of 2021 kill switch (bleepingcomputer.com)
IT workers worried about AI making them obsolete… IT Workers Fear Becoming Obsolete in Cyber Roles - Infosecurity Magazine (infosecurity-magazine.com)
Vulnerabilities Found in Multiple GE Imaging Systems - Infosecurity Magazine (infosecurity-magazine.com)
Qbot malware switched to stealthy new Windows autostart method (bleepingcomputer.com)
https://www.atlasobscura.com/places/encryption-lava-lamps - “The randomness of this wall of lava lamps helps encrypt up to 10 percent of the internet.”

This has been the year of the business continuity program… and of how agile yours is. --thoughts? Future?
Bryan: Companies that are ‘all in’ on remote work will backtrack.
Amanda: I think we’ll see way more keep the WFH now that they realize it saves $$.

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#AmazonMusic: https://brakesec.com/amazonmusic
#Brakesec Store!: https://brakesec.com/teepub
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://brakesec.com/pandora
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Dec 7, 2020 • 37min
SPONSORED - Nathanael Iversen from Illumio, future of microsegmentation
BrakeSec Sponsored Interview with Nathanael Iversen
Questions, comments, and other content go here:
Illumio Nathanael Iversen BDS Podcast Messaging
Topic: Overview of development and deployment of micro-segmentation

Where does segmentation fit into your security strategy?
Micro-segmentation is a preventive measure deployed to create and enforce access at the workload layer. It does not replace identity and access management (IAM), perimeter firewalls, or patching but complements such solutions. Because traditional network segmentation is done with network devices, it only works when the traffic passes through that control point. Micro-segmentation, on the other hand, shifts the enforcement point from the network onto the individual servers and hosts. This means that segmentation policy can be much more granular and can encompass all inbound and outbound traffic, not just the traffic leaving a network zone, VLAN, or environment.
Micro-segmentation is a great deterrent for hackers. More organizations are implementing micro-segmentation as an essential part of a defense-in-depth strategy. According to a recent survey of over 300 IT professionals, 45% currently have a segmentation project or are planning one.

The keys to a successful micro-segmentation deployment:
As with any security control, it’s important to balance the strategy of the business with the need to secure it. There are several key functions and abilities to consider to ensure your deployment goes smoothly:
Visibility with application context
Scalable architecture
Abstracted security policies
Granular controls
Consistent policy framework across your compute estate
Integration with the security ecosystem

Preventative Cybersecurity
There are three broad preventive security actions:
First is controlling the ability to reach the device or target service via the network. Clearly, if you cannot even get to the sensitive data or application, then no amount of vulnerabilities will permit compromise. Often terms like firewall, access control lists (ACLs), VLANs, zones, and the like describe these capabilities. This function is generally implemented by the network team or a dedicated network security team.
The second broad action controls the ability to access a device, data or service once you get there. This covers the entire world of credentials, user accounts, permissions, authentication, authorization, tokens, API keys, etc. If you get to the front door of my house and it is locked, you can’t gain access unless you have the right key.
The third broad strategy addresses the fact that malicious behavior often exploits some bug or weakness. So, if one can remove vulnerable code, then in many cases malicious intent can’t be realized. This involves patching, replatforming applications to stronger platforms, doing code reviews, and more.

Potential questions:
What is micro-segmentation? How long has it been around?
Can micro-segmentation be used in conjunction with other cybersecurity tools? Like firewalls?
How does micro-segmentation operate in different environments? How does development and deployment differ in the cloud vs. on-prem?
What does a successful micro-segmentation deployment look like?
Tell us about the common challenges people face in their micro-segmentation projects.
What misconceptions do people have about micro-segmentation?
What is the difference between having a proactive vs. reactive security strategy?
Can you explore the ‘cost’ of preventative cybersecurity in 2020? I.e., how much can your organization save by preventing breaches, vs. paying off ransomware attackers? Or losing customer trust via a public breach?
What does micro-segmentation adoption look like as we head into the new year? What is the future of micro-segmentation? Segmentation of database areas? Logs?

Dec 7, 2020 • 45min
2020-045-Marcello Salvati, supporting open source devs, incentivizing leeching companies who don't give back - part 2
https://www.hak4kidz.com/activities/cdcedu.html - Online CTF training using Cisco’s Workshop platform. They did something similar in Spring of 2020. There will be an online panel where kids can ask questions about information security. Occurs on December 12th. Check out the link for more info.
Thanks to Robert M. for upping his Patreon to $5
Top 25 Data Security Podcasts You Must Follow in 2020 (feedspot.com)

@byt3bl33d3r (Marcello Salvati)
@porchetta_ind (Porchetta Industries)
info@porchetta.industries
Wanna sponsor CrackMapExec? Sponsor @byt3bl33d3r on GitHub Sponsors
GitHub sponsors: GitHub Sponsors
Introducing Sponsorware: How A Small Open Source Package Increased My Salary By $11k in Two Days | Caleb Porzio
How is this different than shareware?
“As a developer of one of these tools, you obviously start questioning your life decisions after a while. Especially after putting so much time into these projects.”
Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica (spent years supporting the app… the vitriol from ‘unpaid customers’ is deafening… Should be required reading for anyone wanting to open source anything.)
[Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore (github.com)
Business model for typical open source projects. Where’s the chain broken? Devs who expect help/support for their project?
“Many eyes make for less vulns” (LOL, sounds good, not true anymore --brbr)
What is the ‘status quo’ of the OSS infosec/hacking tool developer community (in your opinion)?
Pull requests: what are ‘meaningful’ contributions?
What is the definition of ‘widely-used’?
Why support widely-used OSS hacking tools?
(2) Marcello on Twitter: "We’ll also be encouraging community contributions to those same tools by giving out 1 @offsectraining training voucher per quarter to whoever submits the most meaningful pull request to any of the tools in the @porchetta_ind Discord server" / Twitter
And now for something completely different... (porchetta.industries)

#cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP #porchetta #training #sponsorship #github #opensource #crackmapexec #byt3bl33d3r #marcelloSalvati

Dec 2, 2020 • 29min
2020-044-Marcello Salvati (@byt3bl33d3r), porchetta industries, supporting opensource tool creators, sponsorship model
https://www.hak4kidz.com/activities/cdcedu.html - Online CTF training using Cisco’s Workshop platform. They did something similar in Spring of 2020. There will be an online panel where kids can ask questions about information security. Occurs on December 12th. Check out the link for more info.
Thanks to Robert M. for upping his Patreon to $5
Top 25 Data Security Podcasts You Must Follow in 2020 (feedspot.com)

@byt3bl33d3r (Marcello Salvati)
@porchetta_ind (Porchetta Industries)
info@porchetta.industries
Wanna sponsor CrackMapExec? Sponsor @byt3bl33d3r on GitHub Sponsors
GitHub sponsors: GitHub Sponsors
Introducing Sponsorware: How A Small Open Source Package Increased My Salary By $11k in Two Days | Caleb Porzio
How is this different than shareware?
“As a developer of one of these tools, you obviously start questioning your life decisions after a while. Especially after putting so much time into these projects.”
Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica (spent years supporting the app… the vitriol from ‘unpaid customers’ is deafening… Should be required reading for anyone wanting to open source anything.)
[Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore (github.com)
Business model for typical open source projects. Where’s the chain broken? Devs who expect help/support for their project?
“Many eyes make for less vulns” (LOL, sounds good, not true anymore --brbr)
What is the ‘status quo’ of the OSS infosec/hacking tool developer community (in your opinion)?
Pull requests: what are ‘meaningful’ contributions?
What is the definition of ‘widely-used’?
Why support widely-used OSS hacking tools?
(2) Marcello on Twitter: "We’ll also be encouraging community contributions to those same tools by giving out 1 @offsectraining training voucher per quarter to whoever submits the most meaningful pull request to any of the tools in the @porchetta_ind Discord server" / Twitter
And now for something completely different... (porchetta.industries)

#cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP #porchetta #training #sponsorship #github #opensource #crackmapexec #byt3bl33d3r #marcelloSalvati

Nov 24, 2020 • 32min
2020-043-Software_Defined_Radio-Sebastien_dudek-RF-attacks- IoT and car RF attacks
Sébastien Dudek - @FlUxIuS @penthertz
Why are we here today?
Software Defined Radio (sdr-radio.com)
What kind of hardware or software do you need?
Why would a security professional want to know how to use SDR tools and attacks?
What other kinds of attacks can be launched? (I mean, other than replay type attacks)
Door systems (badge systems)
NFC? Contactless credit card attacks
Smart building/home control systems
Bluetooth attacks
Point Of Sale systems
Cellular radio 3G/4G/5G
Industrial control systems
Home appliances
Medical telemetry systems
Drones!
LoRa - Wikipedia
DASH7 - Wikipedia - custom TCP stack for LoRa
Vehicle-to-grid - Wikipedia (V2G)
Automatic Wireless Protocol Reverse Engineering | USENIX
Hunting mobile devices endpoints - the RF and the Hard way | Synacktiv - Sébastien Dudek
How Can Drones Be Hacked? The updated list of vulnerable drones & attack tools | by Sander Walters | Medium
Carrier Aggregation explained (3gpp.org)
Mobile phone jammer - Wikipedia
World’s top hackers meet at the first 5G Cyber Security Hackathon - Security Boulevard
Supply chain attacks - systems tend to use wireless chipsets or protocols
LTE-torpedo-NDSS19.pdf (uiowa.edu) - privacy attacks on 4G/5G networks using side channel information
How does someone make a Faraday cage on the cheap? (mentioned in one of your class agendas)
Lots of IoT devices use your typical home WiFi connection; can’t you just sniff packets to get what you need?
Replay attacks on car fobs: Jam and Replay Attacks on Vehicular Keyless Entry Systems (s34s0n.github.io)
Attacks on Tesla wireless entry: Tesla’s keyless entry vulnerable to spoofing attack, researchers find - The Verge
Garage door opener attacks: How to Hack a Garage Door in Under 10 Seconds and What You Can Do About It - ITS Tactical
Kid’s toy opens garage doors: This Hacked Kids' Toy Opens Garage Doors in Seconds | WIRED
What are the current limitations to testing wireless and RF related systems?
What about custom wireless implementations? Cellular? Zigbee?
I’m a wireless manufacturer of some kind of device. I’m freaked now by hearing you talk about how easy it is to attack wireless systems. What are some things I could do to ensure that the types of attacks we discussed here cannot affect me? Wireless defense system? https://www.researchgate.net/publication/321491751_Security_Mechanisms_to_Defend_against_New_Attacks_on_Software-Defined_Radio
List of SDR software: The BIG List of RTL-SDR Supported Software (rtl-sdr.com)

Nov 17, 2020 • 43min
SPONSORED Podcast: Katey Wood from Illumio on deployment and using Windows Filtering Platform
**Apologies on the Zoom issues**
This is the 2nd of 3 sponsored podcast interviews with Illumio about their zero trust product.
Katey Wood is the Director of Product Marketing at Illumio. https://www.linkedin.com/in/kateywood/

Topic: Conversation on segmentation and ransomware
Topic Background:
The attack surface and vulnerabilities are on the rise, along with cyber attacks. Why? Remote everything - cloud collaboration (including processing PII) is the new normal, and that means the attack surface is heightened. This requires appropriate network, cloud, and endpoint security.
Double ransom with #data #exfiltration -- more attackers are exfiltrating customer data from businesses and (if ransom is withheld) extorting consumers directly through bitcoin - often in the headlines.
Privacy is a chief security concern now more than ever before, as remote everything continues and #cyberattacks and #ransomware attacks skyrocket. For businesses, Covid and the new WFH normal means even more vulnerabilities and greater incentive to pay an even higher ransom to avoid privacy law penalties and class-action litigation.
Enter Segmentation. Perimeter security is important, but unfortunately, we all know that alone it’s not enough (i.e., breach after breach after high-profile breach). #ZeroTrust, the assume-breach mentality, and default deny are philosophies that take security deeper to protect organizations from a threat moving laterally within their environment. This is helpful because it’s often not the initial point of breach that causes so much damage – it’s the breach spreading to more critical data and assets that’s so destructive.
#Network #segmentation is a crucial control to secure critical data and PII, by ring-fencing applications with patient or client data. Implementing Zero Trust security policies limits access to only allowed parties with a legitimate business purpose and stops the attacker from moving freely across the network to the most valuable data.
#Illumio helps #healthcare, academic, and other critical industries keep their crown jewels safe through better, more scalable micro-segmentation that decouples Zero Trust from the constraints of the network by implementing it on the workload.

Vertical ‘Brakedown’ - Healthcare and Education
Businesses in the healthcare and education industries, which often have large numbers of customers and employees and handle large volumes of PII, are especially at risk. Both have already been under scrutiny for privacy concerns around PII for years, through regulations like #HIPAA in healthcare and #FERPA in education (and now #CCPA). Now that distance learning is the norm and medical records have gone largely electronic, it’s even easier for attackers to move between systems if there are no network segmentation access policies in place to prevent it.

Potential Questions:
Customer data cases: ‘Dead data’
With today’s workforce largely remote, tell me what that means from a security standpoint. What challenges are businesses facing to protect important data/PII?
What is that data “worth” and what are the consequences of falling victim to a ransomware attack or similar event from a bad actor?
Talk to me about the “assume breach mentality.” What does that mean and how can you/why should you use this philosophy in your approach to security?
How does segmentation relate to compliance? How do the two go hand in hand?
How does segmentation protect organizations against large scale breaches?
In terms of cost, is segmentation a sizable investment for SMBs? Is it a worthwhile investment, in terms of dollars saved from ransomware attacks?
#Segmentation is often thought of as a big (perhaps cumbersome) project – how do you suggest organizations make it more scalable?
How does segmentation protect end users?

Nov 15, 2020 • 1h 11min
2020-042-Kim Crawley and Phillip Wylie discuss "Pentester Blueprint", moving into pentesting career
Phillip Wylie @philipwylie and Kim Crawley @kim_crawley
Amazon: The Pentester BluePrint: Your Guide to Being a Pentester: 9781119684305: Computer Science Books @ AmazonSmile - November 24th for paper copy
Steven Levy: Hackers: Heroes of the Computer Revolution: Steven Levy: 9781449388393: Amazon.com: Books
Why did you write the book?
What is a pentester?
Skills needed
Education of hacker
Building a lab
Kali Linux
Pentester Framework
Docker
OWASP Juice Box
Vulnhub
Overthewire
PicoCTF
Developing a plan
Gaining experience
Gaining employment
Better hiring - Sarah on Twitter: "I want more women and enbies in pentesting/red teaming. I would really like to know how to do that. But as teams usually only hire people with experience, I’m at a bit of a loss for how to get people into the field at all. (I would like to not be an exception)" / Twitter
Hacking is not a Crime - hacktivist org? https://www.hackingisnotacrime.org/

#cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP

Nov 10, 2020 • 1h 18min
2020-041- Conor Sherman, IR stories, cost of not prepping for an incident
“Between stimulus and response there is a space. In that space is our power to choose our response. In our response lies our growth and our freedom.” --Viktor Frankl https://smile.amazon.com/Mans-Search-for-Meaning-audiobook/dp/B0006IU470
https://twitter.com/conordsherman
Conor Sherman - IR stories and more
Security Strategy and Incident Response, ezCater
Confident Defense Podcast - https://www.confidentdefense.com/podcast
https://www.linkedin.com/in/conordsherman/

Agenda:
Bio (How did I get here?)
Prior preparation and planning prevents poor performance - https://military.wikia.org/wiki/7_Ps_(military_adage)
Discover Unique malware
FIN 6 - https://www.zdnet.com/article/cybercrime-group-fin6-evolves-from-pos-malware-to-ransomware/
FIN 7 - https://threatpost.com/fin7-retools/149117/
CCPA - https://oag.ca.gov/privacy/ccpa
CIS 20 is a ‘reasonable security program’ per California AG - https://www.prnewswire.com/news-releases/california-attorney-general-concludes-that-failing-to-implement-the-center-for-internet-securitys-cis-critical-security-controls-constitutes-a-lack-of-reasonable-security-300223659.html
IBM breach cost: “Cost Of A Data Breach” (Search This) https://newsroom.ibm.com/2020-07-29-IBM-Report-Compromised-Employee-Accounts-Led-to-Most-Expensive-Data-Breaches-Over-Past-Year
Cloud Infra Compliance - Governance as Code - https://www.cio.com/article/3277611/governance-as-code-keeping-pace-with-the-rate-of-change-in-the-cloud.html “In the future, governance as code will be the backbone driving our IT systems and services. It will enable us to deliver consistent, efficient and highly repeating business outcomes at the lowest possible cost, with the maximum availability and security, while also allowing our people to expand into new and higher value-add roles across business.”
Detection as Code
“Freedom within Limits” - Security as Solutions Engineers https://www.howwemontessori.com/how-we-montessori/2020/02/freedom-within-limits-what-it-looks-like-in-our-home-with-three-children.html
Sigma: https://github.com/Neo23x0/sigma “Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file.”
Japan CIRT event ID whitepaper: https://www.jpcert.or.jp/english/pub/sr/DetectingLateralMovementThroughTrackingEventLogs_version2.pdf
https://jpcertcc.github.io/ToolAnalysisResultSheet/
https://shield.mitre.org/ “Shield is an active defense knowledge base MITRE is developing to capture and organize what we are learning about active defense and adversary engagement. Derived from over 10 years of adversary engagement experience, it spans the range from high level, CISO ready considerations of opportunities and objectives, to practitioner friendly discussions of the TTPs available to defenders.”
IR Playbooks - process of creating them (probably the hardest)
Implementation
Tabletop exercise (length, stakeholders, crafting a scenario to compare against)
What if an org has nothing? “We just blow up the environment and start over."
RTO/RPO metrics: How long can you survive as a company with an outage? How long does it take to get back online and operational? What’s your appetite for the risk of that?
Lots of dependencies to creating https://swimlane.com/blog/incident-response-playbook
Tabletop discussion - sponsors involved
Initiating condition
Threat modeling
Process steps
Best practices and local policies
End state - what is the goal? (eradicate infection, back to operating status)
Relation to governance/regulatory reqs. (do we have to report? What do we report? Fallout from incident, etc.)
Lessons Learned
https://sbscyber.com/resources/7-steps-to-building-an-incident-response-playbook (seems like there are different methodologies)
Why are the things that will give organizations the biggest benefit over time the cause of the most consternation?

#cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP

Nov 2, 2020 • 1h 4min
2020-040- Jeremy Mio, State of Ohio Election Security
Previous Election Security podcast: https://brakeingsecurity.com/2018-042-election-security-processes-in-the-state-of-ohio
Jeremy Mio (@cyborg00101) https://itsecurity.cuyahogacounty.us/
Ohio Counties Meet LaRose's Deadline to Strengthen Election Security - Ohio Secretary of State (ohiosos.gov)

(added cybersecurity Directives during 2018 last podcast -jmio)
Directive 2018-15 (6/21/18) - Cybersecurity: EI-ISAC Membership, DHS Services, IDS (Albert) Monitoring, Elections Infrastructure Security Assessment, Secure Online Services (DDoS Protection); examples via the State: Win10, DB Modernization, MFA, Cloud Email Pilot, IT Support Pilot
Directive 2018-30 (9/28/18) - Reminder and Additional Clarifications
Einstein (US-CERT program) - Wikipedia
Albert Program

(added new cybersecurity Directives since last podcast -jmio)
Directive 2019-07 (5/06/19) - Specifics on security event reporting (expansion on 2017 Directive)
Directive 2019-08 (6/11/19) - Expansion on 2018 and technical guides
Continuing 2018 requirements: EI-ISAC members, phishing tests, vulnerability scanning, continue to secure online systems (TLS/DDoS)
Remediate all high priority findings from 2018 assessment by 1/31/2020
Additional technical requirements
Additional DHS Services requested by 7/19/2019 (mitigate high findings by 1/31/20): Risk and Vulnerability Assessment, Remote Pen Test, Arch Design Review, Cyber Threat Hunt
Others: 2019 TTX, required all to use .US or .GOV domain, Annual assessments and background checks, Technical procurement guide, DMARC
LaRose issues directive to set a new standard for election security in 2020 (added -jmio)
LaRose Announces Pick For Chief Information Security Officer
Directive 2020-12 (7/14/20): Additional cybersecurity (and other) requirements by 8/28/2020
Cybersecurity Liaisons
Extended IDS Albert funding and SIEM Services
New: EDR and MDBR by 8/28/2020 (and additional push for DMARC)
Securing Online Services and WAF, and requiring DHS Services Annually
Vulnerability Management: Critical and High SLA
Continue Annual cybersecurity training and background checks (including vendor/contractors), Physical Security Training
Emergency Planning with local EMA and Sheriff
Vuln disclosure policy: Vulnerability Disclosure Policy - Ohio Secretary of State (ohiosos.gov)
Did anyone think to pentest the vuln acceptance form? (lol, layers in layers --brbr)
8/11/20: LAROSE ISSUES FIRST IN THE NATION SECRETARY OF STATE VULNERABILITY DISCLOSURE POLICY (added -jmio)
DHS Vulnerability Disclosure Policy Directive
Ohio to ramp up election security with new federal funds | TheHill - “Ohio has taken steps to combat those types of threats. In October, Ohio Gov. Mike DeWine (R) signed into law a measure that required post-election audits to ensure the accuracy of the vote count, and created a “civilian cyber security reserve” to defend against potential cyberattacks.”
Directive 2020-12 - “Cybersecurity Liaisons” (added -jmio)
LaRose says invitation to hackers will set new election security standard; expert says it's risky (wcpo.com) - “His [secretary of state LaRose] first-of-its-kind Vulnerability Disclosure Policy invites Ohio’s crop of “white-hat” hackers — the good guys, opposite malevolent “black-hat” hackers — to break into the state’s election system, find bugs and report them so officials can ensure they’re fixed by Election Day. There are some strings attached: White hats aren’t allowed to phish for information or tamper with electronic county voter registration systems, and actual voting machines — legally barred from being connected to the internet — are off-limits. If they do find sensitive information, they’re expected to report it.”

How did the threat model shift from the last time we talked? What has changed in terms of organization and threats?
You mentioned 4-5 different voting regions last time, all with different levels of technology. Any updates on the tech?
How did covid change how voting occurred?
How have you leveraged the Elections Infrastructure ISAC (EI-ISAC) in passing along threats and sharing information?
LAROSE TAKES ACTION IN RESPONSE TO IRANIAN CYBER THREATS (added -jmio)
Has insider threat been part of your threat model and what has your group done to minimize the chances? (why does it feel like the Oscars has more scrutiny in terms of voting security than the US democratic process? --brbr)
What does physical security look like in terms of people going to the polls? (wasn’t sure if that was something in your purview --brbr) (this is not (Election Board and Sheriff), but can discuss high level -jmio)
Using hardware domain block services? Malicious Domain Blocking and Reporting (MDBR) Newest Service for U.S. SLTTs (cisecurity.org)
LaRose Setting New Standard For Election Security - Ohio Secretary of State (ohiosos.gov) - 88 election districts will have access to domain blocking tech (mandated to start by 28 August 2020), cybersecurity experts. Can you give us an update on any of what was mentioned in the press release?
Ohio's vulnerability disclosure program for elections indicates 'maturity' (added -jmio) - “LaRose in recent months has also implemented statewide use of endpoint detection monitoring software and required counties to develop contingency plans for any incident that disrupts the voting process.”
Background checks

Oct 28, 2020 • 57min
2020-039-Philip Beyer-leadership- making an impact
Phil Beyer - Bio (CISO at Etsy)
Importance of books about behavioral science.
“Thinking Fast and Slow”: https://smile.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
“Predictably Irrational”: https://smile.amazon.com/Predictably-Irrational-Revised-Expanded-Decisions/dp/0061353248/
http://humanhow.com/list-of-cognitive-biases-with-examples/
Influence: The Psychology of Persuasion: https://smile.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X
Your Brain at Work: https://smile.amazon.com/Your-Brain-Work-Revised-Updated/dp/0063003155/
Atomic Habits: https://smile.amazon.com/Atomic-Habits-Proven-Build-Break/dp/0735211299/
Tiny Habits: https://smile.amazon.com/Tiny-Habits-Changes-Change-Everything/dp/0358003326/
The New Leader's 100-Day Action Plan: https://smile.amazon.com/New-Leaders-100-Day-Action-Plan/dp/1119223237/
Podcasts:
Manager Tools Podcast: https://manager-tools.com
Career Tools Podcast: https://www.manager-tools.com/all-podcasts?field_content_domain_tid=5
Seth Godin Akimbo: https://www.akimbo.link/
Masters of Scale: https://mastersofscale.com/
Habit stacking - Temptation bundling - Availability Heuristic: https://en.wikipedia.org/wiki/Availability_heuristic
Brian’s Recommendations:
Extraordinary Popular Delusions and the Madness of Crowds: https://www.amazon.com/Extraordinary-Popular-Delusions-Madness-Crowds/dp/1463740514
The Big Nine: https://www.amazon.com/Big-Nine-Thinking-Machines-Humanity/dp/154177373X
Bryan’s Book Recommendations:
Malcolm Gladwell’s Talking to Strangers: https://smile.amazon.com/Talking-to-Strangers-audiobook/dp/B07NJCG1XS
The Effective Manager by Mark Horstman: https://smile.amazon.com/The-Effective-Manager-audiobook/dp/B071JSWHBJ
ADKAR: A Model for Change in Business, Government and our Community: https://smile.amazon.com/ADKAR-Change-Business-Government-Community/dp/1930885504
Improved interviews online
First 90 days as CISO
First 90 day plan: https://www.manager-tools.com/2012/06/90-day-new-job-plan-overview
Capability Assessment: https://www.strategyand.pwc.com/gx/en/unique-solutions/capabilities-driven-strategy/capabilities-assessment.html
Socratic method: https://en.wikipedia.org/wiki/Socratic_method
Impacts to make:
Building rapport with new directs
Creating a new relationship ‘budget’ with manager/board, colleagues
Planning your strategy to make meaningful change in the org as a whole
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#AmazonMusic: https://brakesec.com/amazonmusic
#Brakesec Store!: https://brakesec.com/teepub
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://brakesec.com/pandora
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
#cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP