
BrakeSec Education Podcast

Latest episodes

Oct 23, 2020 • 33min

SPONSORED PODCAST: Neil Patel, Illumio on Microsegmentation, and adopting the Zero Trust philosophy

Spokesperson: Neil Patel (Sr. Technical Marketing Engineer)
Topic: Zero Trust and the segmentation market
http://brakeingsecurity.com/2020-023-jame-nelson-from-illumio-cyber-resilence-business-continuity

Questions:
- What is Zero Trust, and why should companies adopt a Zero Trust philosophy?
- Amanda: What is one of the more important steps someone should take when looking to implement Zero Trust?
- How does segmentation fit in a Zero Trust model?
- What are some of the challenges and benefits that come with segmentation?
- Are there real-world examples of how segmentation has stopped a breach, and how does that relate to the Zero Trust philosophy?
- How can Zero Trust principles help prevent the spread of ransomware or another security epidemic?
- Do you need 100% asset management already before implementing, or is that part of what you do as well?
- Integrations: you mentioned auth functions, but how integrated can Illumio go with your environment? EDR? NDR? (Saw on your site that you're fully integrated with CrowdStrike Falcon.)
- Tell us more about the Forrester Wave. What do the findings mean and why do they matter? https://www.illumio.com/resource-center/research-report/forrester-wave-zero-trust-2020

Links:
https://www.illumio.com/
Twitter: https://twitter.com/illumio
LinkedIn: https://www.linkedin.com/company/illumio/mycompany/
Oct 20, 2020 • 42min

2020-038-Phil_Beyer-etsy-CISO-leadership-making-an-impact

Phil Beyer - Bio (CISO at Etsy)

Importance of books about behavioral science:
- "Thinking, Fast and Slow": https://smile.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
- "Predictably Irrational": https://smile.amazon.com/Predictably-Irrational-Revised-Expanded-Decisions/dp/0061353248/
- List of cognitive biases with examples: http://humanhow.com/list-of-cognitive-biases-with-examples/
- "Influence: The Psychology of Persuasion": https://smile.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X
- "Your Brain at Work": https://smile.amazon.com/Your-Brain-Work-Revised-Updated/dp/0063003155/
- "Atomic Habits": https://smile.amazon.com/Atomic-Habits-Proven-Build-Break/dp/0735211299/
- "Tiny Habits": https://smile.amazon.com/Tiny-Habits-Changes-Change-Everything/dp/0358003326/
- "The New Leader's 100-Day Action Plan": https://smile.amazon.com/New-Leaders-100-Day-Action-Plan/dp/1119223237/

Podcasts:
- Manager Tools Podcast: https://manager-tools.com
- Career Tools Podcast: https://www.manager-tools.com/all-podcasts?field_content_domain_tid=5
- Seth Godin's Akimbo: https://www.akimbo.link/
- Masters of Scale: https://mastersofscale.com/

Also mentioned:
- Habit stacking
- Temptation bundling
- Availability heuristic: https://en.wikipedia.org/wiki/Availability_heuristic

Brian's recommendations:
- "Extraordinary Popular Delusions and the Madness of Crowds": https://www.amazon.com/Extraordinary-Popular-Delusions-Madness-Crowds/dp/1463740514
- "The Big Nine": https://www.amazon.com/Big-Nine-Thinking-Machines-Humanity/dp/154177373X

Bryan's book recommendations:
- Malcolm Gladwell's "Talking to Strangers": https://smile.amazon.com/Talking-to-Strangers-audiobook/dp/B07NJCG1XS
- "The Effective Manager" by Mark Horstman: https://smile.amazon.com/The-Effective-Manager-audiobook/dp/B071JSWHBJ
- "ADKAR: A Model for Change in Business, Government and our Community": https://smile.amazon.com/ADKAR-Change-Business-Government-Community/dp/1930885504

Discussion:
- Improved interviews online
- First 90 days as CISO
- First 90-day plan: https://www.manager-tools.com/2012/06/90-day-new-job-plan-overview
- Capability assessment: https://www.strategyand.pwc.com/gx/en/unique-solutions/capabilities-driven-strategy/capabilities-assessment.html
- Socratic method: https://en.wikipedia.org/wiki/Socratic_method

Impacts to make:
- Building rapport with new directs
- Creating a new relationship 'budget' with manager/board and colleagues
- Planning your strategy to make meaningful change in the org as a whole

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#AmazonMusic: https://brakesec.com/amazonmusic
#Brakesec Store!: https://brakesec.com/teepub
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://brakesec.com/pandora
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
#cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP
Oct 11, 2020 • 39min

2020-037-Katie Moussouris, Implementing VCMM, diversity in job descriptions - Part 2

Introduce Katie (bio) (@k8em0), CEO and Owner, LutaSecurity

The scope of the VCMM (what is it?):
- VCMM - Vulnerability Coordination Maturity Model: https://www.lutasecurity.com/vcmm
- Does it just cover the internal process? Is it to ready an org for a bug bounty program, or to accept vulns from security researchers?
- You mentioned not playing whack-a-mole when it comes to responding at the beginning of a vuln disclosure program. Is directing different categories of bugs one of the things that goes into not having to just wait for the bugs to roll in?
- Will this work for internal security or red teams as well, or is this more suited to bug bounties?
- What's the timeline for this process? "We need something for a product launch next week..."
- Stakeholders involved? CISO? Security team? IT? Devs?
- What precipitates the need for this? Maturity? Vuln disclosure?
- Are the ISO docs required for this to work, or will they assist in an easier outcome?

Links:
- https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/
- https://www.rsaconference.com/industry-topics/video/bug-bounty-programs-arent-enough-for-todays-cyber-threats-katie-moussouris-rsac
- 10 worst jobs (PopSci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html
- https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961

More questions:
- How does an org use this to communicate vulnerabilities in their own products?
- What's the bare minimum you need on this chart for a successful program? Are any facets more important than the others?
- Does anyone hit all 3s, or is that a pipe dream?
- Incentive: "no legal action will be taken". People want money... not tours, not 10-point font. How do you convince 'good' bug writers to want to help you for a 'thank you'? Should incentive be a 'Level 3', or would you consider it not ready for prime time?
- https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/

Vuln reporting:
- Lots of Twitter fodder of companies that handle vuln disclosure poorly; some folks even say that you shouldn't bother and should deal with a 3rd party instead.
- If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier? security.txt? A clearly stated bugs@ or security@ address (and not buried in 3-point font in the privacy policy or ToS)? An SLA to reply to all bugs? A standardized disclosure form for discoveries?

Slide presentation overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf

ISO standards:
- ISO 29147:2018 - $150 USD: https://www.iso.org/standard/72311.html
- ISO 30111:2019 - $95 USD: https://www.iso.org/standard/69725.html
- ISO 27034-7:2018 - $150 USD: https://www.iso.org/standard/66229.html
Oct 6, 2020 • 37min

2020-036-Katie Moussouris, Vulnerability Coordination Maturity Model, when are you ready for a bug bounty - Part 1

Introduce Katie (bio) (@k8em0), CEO and Owner, LutaSecurity

The scope of the VCMM (what is it?):
- VCMM - Vulnerability Coordination Maturity Model: https://www.lutasecurity.com/vcmm
- Does it just cover the internal process? Is it to ready an org for a bug bounty program, or to accept vulns from security researchers?
- You mentioned not playing whack-a-mole when it comes to responding at the beginning of a vuln disclosure program. Is directing different categories of bugs one of the things that goes into not having to just wait for the bugs to roll in?
- Will this work for internal security or red teams as well, or is this more suited to bug bounties?
- What's the timeline for this process? "We need something for a product launch next week..."
- Stakeholders involved? CISO? Security team? IT? Devs?
- What precipitates the need for this? Maturity? Vuln disclosure?
- Are the ISO docs required for this to work, or will they assist in an easier outcome?

Links:
- https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/
- https://www.rsaconference.com/industry-topics/video/bug-bounty-programs-arent-enough-for-todays-cyber-threats-katie-moussouris-rsac
- 10 worst jobs (PopSci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html
- https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961

More questions:
- How does an org use this to communicate vulnerabilities in their own products?
- What's the bare minimum you need on this chart for a successful program? Are any facets more important than the others?
- Does anyone hit all 3s, or is that a pipe dream?
- Incentive: "no legal action will be taken". People want money... not tours, not 10-point font. How do you convince 'good' bug writers to want to help you for a 'thank you'? Should incentive be a 'Level 3', or would you consider it not ready for prime time?
- https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/

Vuln reporting:
- Lots of Twitter fodder of companies that handle vuln disclosure poorly; some folks even say that you shouldn't bother and should deal with a 3rd party instead.
- If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier? security.txt? A clearly stated bugs@ or security@ address (and not buried in 3-point font in the privacy policy or ToS)? An SLA to reply to all bugs? A standardized disclosure form for discoveries?

Slide presentation overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf

ISO standards:
- ISO 29147:2018 - $150 USD: https://www.iso.org/standard/72311.html
- ISO 30111:2019 - $95 USD: https://www.iso.org/standard/69725.html
- ISO 27034-7:2018 - $150 USD: https://www.iso.org/standard/66229.html
Sep 29, 2020 • 1h 9min

2020-035-ransomware death in Germany, Zerologon woes, drovorub, and corp data on personal devices

FIND US NOW ON AMAZON MUSIC! https://music.amazon.com/podcasts/51b7da82-c223-4de4-8fc1-d1c3dd61984a/Brakeing-Down-Security-Podcast

Shout out to the organizers of BSides Edmonton, Alberta, Canada for a great conference!
Amanda's social media takeover this week
Bryan's plumbing story (a tale of 3 toilets)

Stories:
- https://www.infosecurity-magazine.com/news/corporate-data-on-personal-devices/
- https://www.infosecurity-magazine.com/news/fatality-after-hospital-hacked/
- https://fortune.com/2020/09/18/ransomware-police-investigating-hospital-cyber-attack-death/
- Zerologon: https://nakedsecurity.sophos.com/2020/09/17/zerologon-hacking-windows-servers-with-a-bunch-of-zeros/
- US govt orders federal agencies to patch dangerous Zerologon bug by Monday, 21 September 11:59 EDT: https://www.zdnet.com/article/us-govt-orders-federal-agencies-to-patch-dangerous-zerologon-bug-by-monday/
- Tweet mentioning not needing to reset passwords for access: https://twitter.com/_dirkjan/status/1307662409436475392
- https://twitter.com/MsftSecIntel/status/1308941504707063808?s=20
- Linux malware (Drovorub): https://www.tripwire.com/state-of-security/featured/drovorub-malware/
- https://www.zdnet.com/article/this-surprise-linux-malware-warning-shows-that-hackers-are-changing-their-targets/
- Rampant Kitten's arsenal includes Android malware that bypasses 2FA
- https://exploit.kitploit.com/2020/09/tp-link-cloud-cameras-ncxxx-bonjour.html
- https://www.infosecurity-magazine.com/news/former-pm-passport-phone-hacker/
- https://threatpost.com/bluetooth-spoofing-bug-iot-devices/159291/
- Good stuff: https://compass-security.com/fileadmin/Datein/Research/White_Papers/lateral_movement_detection_basic_gpo_settings_v1.0.pdf
Sep 14, 2020 • 54min

2020-034-Fortnite account selling, process change agility, IRS wanting to track the 'untrackable'

Stories:
- https://www.kitploit.com/2020/05/web-hackers-weapons-collection-of-cool.html
- https://www.ehackingnews.com/2020/09/hackers-attack-gaming-industry-sell.html
- https://www.secjuice.com/windows-10-penetration-testing-os/ - Nice to see stories about using Win10 as a pentest platform. Was always a PITA to update Kali or whatever. @secjuice One reason I enjoyed Dave Kennedy's 'pentester framework'. --brbr
- https://www.ehackingnews.com/2020/09/a-new-security-vulnerability-discovered.html
- https://www.zdnet.com/article/irs-offers-grants-to-contractors-able-to-trace-cryptocurrency-transactions-across-the-blockchain/
- https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support
- https://kbondale.wordpress.com/2020/09/13/lets-flatten-five-agile-fallacies/ - Speak more to the need for process improvement. Trying to embrace a new 'agile' methodology is bunk. Find inefficiencies, work to improve those, and collect metrics to show improvements.
- https://www.linkedin.com/pulse/intersection-change-management-project-paula-alsher/ - Leads to an excellent segue to our book club.

Book club: Buy the book at https://brakesec.com/adkar - used copies on Amazon going for less than $10 USD. Thursday 17, 2020, 7pm Pacific.

FEEDBACK: "Gotta say I'm really enjoying this book. It has my mind moving in so many directions - our team's change initiatives and desires, the agency-level initiatives, other change leaders in our org and their tools/techniques and successes/failures."

- https://securityscorecard.com/blog/the-cisos-guide-to-reporting-cybersecurity-to-the-board - This came up during a discussion on our Slack.
Aug 31, 2020 • 1h 13min

2020-033-garmin hack, Tesla employee thwarted IP espionage, Slack RCE payout, and more!

WWHF class (Ms. Berlin): "Breaching the Cloud" by @dafthack
- https://www.blackhillsinfosec.com/breaching-the-cloud-perimeter-w-beau-bullock/
- https://wildwesthackinfest.com/wwhf-at-secure-wv/

IWCE 2020 panel: "Being a thought leader"

ADKAR class book club: 03 September 2020, 7pm: https://smile.amazon.com/ADKAR-Change-Business-Government-Community/dp/1930885504/ref=sr_1_1?dchild=1&keywords=ADKAR&qid=1598543747&sr=8-1

Stories:
- TLS cert lifetime is now 13 months (397 days): https://www.bleepingcomputer.com/news/technology/you-have-two-days-left-to-purchase-2-year-tls-ssl-certificates/
- Tesla and FBI prevented $1 million ransomware hack at Gigafactory Nevada: https://electrek.co/2020/08/27/tesla-fbi-prevent-ransomware-hack-gigafactory-nevada/
- Garmin hack: https://www.privateinternetaccess.com/blog/the-garmin-hack-could-have-been-a-disastrous-large-scale-privacy-breach/
- Slack RCE: https://hackerone.com/reports/783877
- https://www.reddit.com/r/netsec/comments/iifh3r/remote_code_execution_in_slack_desktop_apps/

Reserved campsites for InfosecCampout 2021
MHH Feel Good Boxes: https://lovethesecookies.com/
Trojan - "not my fault" - segfaults and then injects DLLs @seaseceast
Aug 24, 2020 • 58min

2020-032-Dr. Allan Friedman, SBOM, Software Transparency, and how the sausage is made - Part 2

Ms. Berlin: Tabletop D&D exercise
Blumira is hiring: https://www.blumira.com/career/lead-backend-engineer/

Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
NTIA.gov - National Telecommunications and Information Administration
SBOM guidance: https://www.ntia.gov/sbom
Healthcare SBOM PoC: https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf
Allan's talk at BSides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ

Questions (more may be added during the show, depending on answers given):
- What is NTIA?
- What is SBOM? Why do we need one? Is it poor communication between vendors?
- Is there any difference between "software transparency" and "software bill of materials"?
- How do you make an SBOM? What data formats make sharing easier? What does a company do with an SBOM?
- Where in the development (hardware or software) would you be creating an SBOM?
- You mention in your BSSF talk 'how detailed it should be'. Can you give us an example of a high-level SBOM versus a more detailed one? Does it become a risk/reward effort concerning detail?
- IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?
- How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?
- As we saw with RIPPLE20, many companies don't know what they have. How would SBOM help keep another RIPPLE20 from happening?
- Rob Graham's blog post highlighted that vulns like Heartbleed would not have been stopped. How does this help us track potential vulns?
- Sharing information: what is the best way to share information about IoT components? Could an information sharing org (ISAC) track these more readily?
- Vendor assessments: if a vendor does not have an SBOM, are there any specific questions we might ask that will allow an org to get more resolution into a potential vendor?
- Interesting feedback from NTIA's RFC
- Other SBOM types (CycloneDX, OpenBOM, FDA's CBOM)
- Companies are out there creating SBOMs, and other government agencies have SBOM implementations. How do we keep this from being the XKCD "927" issue? https://xkcd.com/927/
- Non-US implementations of SBOM?
- How do we get our companies to implement these?
- SBOM could easily be something that gives hackers a lot of information about your org, and depending on the information contained, I could see why you might not want to get super specific... Thoughts?

What is a 'Bill of Materials'? "A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product."

SBOM - Definition

As of November 2019, an estimated 126 different platforms: https://www.postscapes.com/internet-of-things-platforms/

NTIA did an RFC on "promoting the sharing of Supply Chain Security Risk Information":
- https://www.ntia.gov/federal-register-notice/2020/request-comments-promoting-sharing-supply-chain-security-risk
- https://www.ntia.gov/federal-register-notice/2020/comments-promoting-sharing-supply-chain-security-risk-information-0

Secure and Trusted Communications Network Act of 2019 (Act) - calling it "CBOM"

Other groups working on similar efforts:
- FDA: https://www.fda.gov/media/119933/download
- SPDX (Linux Foundation): https://spdx.org/licenses/
- OpenBOM: https://medium.com/@openbom/friday-discussion-why-boms-are-essential-for-the-iot-platform-e2c4bd397afd
- CycloneDX: https://github.com/CycloneDX/specification
- https://www.fda.gov/medical-devices/digital-health/cybersecurity
- https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices
- Medical device IR playbook: https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf

Companies are helping to get "CBOM" for devices: "'It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA,' said MedCrypt CEO Mike Kijewski in a news release" https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/

SBOM doesn't work in DevOps: https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
Intoto software development: https://www.intotosystems.com/
510(k) process: https://www.drugwatch.com/fda/510k-clearance/
Aug 18, 2020 • 45min

2020-031-Allan Friedman, SBOM, software transparency, and knowing how the sausage is made

Ms. Berlin: Tabletop D&D exercise
Blumira is hiring: https://www.blumira.com/career/lead-backend-engineer/

Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
NTIA.gov - National Telecommunications and Information Administration
SBOM guidance: https://www.ntia.gov/sbom
Healthcare SBOM PoC: https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf
Allan's talk at BSides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ

Questions (more may be added during the show, depending on answers given):
- What is NTIA?
- What is SBOM? Why do we need one? Is it poor communication between vendors?
- Is there any difference between "software transparency" and "software bill of materials"?
- How do you make an SBOM? What data formats make sharing easier? What does a company do with an SBOM?
- Where in the development (hardware or software) would you be creating an SBOM?
- You mention in your BSSF talk 'how detailed it should be'. Can you give us an example of a high-level SBOM versus a more detailed one? Does it become a risk/reward effort concerning detail?
- IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?
- How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?
- As we saw with RIPPLE20, many companies don't know what they have. How would SBOM help keep another RIPPLE20 from happening?
- Rob Graham's blog post highlighted that vulns like Heartbleed would not have been stopped. How does this help us track potential vulns?
- Sharing information: what is the best way to share information about IoT components? Could an information sharing org (ISAC) track these more readily?
- Vendor assessments: if a vendor does not have an SBOM, are there any specific questions we might ask that will allow an org to get more resolution into a potential vendor?
- Interesting feedback from NTIA's RFC
- Other SBOM types (CycloneDX, OpenBOM, FDA's CBOM)
- Companies are out there creating SBOMs, and other government agencies have SBOM implementations. How do we keep this from being the XKCD "927" issue? https://xkcd.com/927/
- Non-US implementations of SBOM?
- How do we get our companies to implement these?
- SBOM could easily be something that gives hackers a lot of information about your org, and depending on the information contained, I could see why you might not want to get super specific... Thoughts?

What is a 'Bill of Materials'? "A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product."

SBOM - Definition

As of November 2019, an estimated 126 different platforms: https://www.postscapes.com/internet-of-things-platforms/

NTIA did an RFC on "promoting the sharing of Supply Chain Security Risk Information":
- https://www.ntia.gov/federal-register-notice/2020/request-comments-promoting-sharing-supply-chain-security-risk
- https://www.ntia.gov/federal-register-notice/2020/comments-promoting-sharing-supply-chain-security-risk-information-0

Secure and Trusted Communications Network Act of 2019 (Act) - calling it "CBOM"

Other groups working on similar efforts:
- FDA: https://www.fda.gov/media/119933/download
- SPDX (Linux Foundation): https://spdx.org/licenses/
- OpenBOM: https://medium.com/@openbom/friday-discussion-why-boms-are-essential-for-the-iot-platform-e2c4bd397afd
- CycloneDX: https://github.com/CycloneDX/specification
- https://www.fda.gov/medical-devices/digital-health/cybersecurity
- https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices
- Medical device IR playbook: https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf

Companies are helping to get "CBOM" for devices: "'It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA,' said MedCrypt CEO Mike Kijewski in a news release" https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/

SBOM doesn't work in DevOps: https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
Intoto software development: https://www.intotosystems.com/
510(k) process: https://www.drugwatch.com/fda/510k-clearance/
Aug 10, 2020 • 1h 23min

2020-030- Mick Douglas, Defenses against powercat, offsec tool release, SRUM logs, and more!

WISP.org donation page: https://wisporg.z2systems.com/np/clients/wisporg/donation.jsp

Mick Douglas (@bettersafetynet on Twitter)

Powercat: https://github.com/besimorhino/powercat - netcat in a PowerShell environment
- https://blog.rapid7.com/2018/09/27/the-powershell-boogeyman-how-to-defend-against-malicious-powershell-attacks/
- https://www.hackingarticles.in/powercat-a-powershell-netcat/
- Defenses against powercat?

LOLBins: https://www.cynet.com/blog/what-are-lolbins-and-how-do-attackers-use-them-in-fileless-attacks/
Sigma ruleset: https://www.nextron-systems.com/2018/02/10/write-sigma-rules/#:~:text=Sigma%20is%20an%20open%20standard,grep%20on%20the%20command%20line.
ElasticSearch bought Endgame: https://www.elastic.co/about/press/elastic-announces-intent-to-acquire-endgame
https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/

Twitter DM to @bettersafetynet:
"Hey... I wanna talk about @hrbrmstr's tweet on the show tonight as well... https://twitter.com/hrbrmstr/status/1287442304593276929 My thinking is if Cisco and others didn't try to intentionally downplay vulnerabilities by announcing them on a Friday, would we be more likely to patch sooner? Also, greater need for testing of patches to ensure that 80% of your workforce rely on that technology now. What's worse? Patching on a Friday evening (after several hours explaining the vuln to a manager), and then having it fuck something up so you're up at crack of dawn Monday troubleshooting something missed Friday night because testing was rushed/not conducted because the CEO can't access email? I have thoughts, I've added this to the show note google doc."

https://www.reddit.com/r/netsec/comments/hwaj6f/nmap_script_fot_cve20203452/ -- nmap PoC script?
Embargoed vulns...
Getting management buy-in to patch
