
BrakeSec Education Podcast
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
Latest episodes

May 20, 2020 • 39min
2020-019-Masha Sedova, customized training, phishing, ransomware, and privacy implications
Masha Sedova - Founder, Elevate Security

Topic ideas from the PR company:
Inability to measure human security behaviors leads to increased risk in our computing environments. For too long, we’ve accepted training completion and mock phishing data as a sufficient way to measure this risk. But where do the vulnerabilities and strengths truly lie? The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this newfound knowledge.
- Technology like vuln scanners, or something more?

Study after study shows that the reason why people don’t do things is not always because they don’t understand; it’s because they are not motivated. Motivating employees to change their cybersecurity behavior can seem like an overwhelming task, but there are simple behavioral science techniques cybersecurity professionals can leverage to motivate employees to do the right thing. Masha Sedova will discuss the power of integrating elements of behavioral science into security in order to influence positive behavior.

Motivation theory:
- Deming: https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles
- Theory X and Theory Y: https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y
- Ouchi’s Theory Z: https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi
- http://www.yourarticlelibrary.com/motivation/motivation-theories-top-8-theories-of-motivation-explained/35377

Masha’s suggested topics:
- Why do security teams have difficulty in understanding their human risk today? What are the blockers?
- What should security teams be measuring to get a holistic view of human risk?
- What's the difference between security culture, security behavior change, and security awareness?
- Is security culture a core capability in security defense? Why or why not?
- Quantifying risk…
- Is investing in human training a waste of time?

Phishing - mock phish or real phishing
- Pull data to see who is clicking on links
- Send an ‘intervention’
- Gotta move away from training
- The ‘security team’ will save them…
- https://www.ncsc.gov.uk/guidance/phishing

Books:
- Nudge: https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X
- Drive: https://www.amazon.com/Drive-Surprising-Truth-About-Motivates/dp/1594484805/ref=sr_1_1?crid=2QQ59YRRU89YX&dchild=1&keywords=drive+daniel+pink&qid=1588733551&s=books&sprefix=drive%2Cstripbooks%2C240&sr=1-1
- Reality Is Broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611
- People-Centric Security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1
- Deep Thought: a cybersecurity novella: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/

https://elevatesecurity.com/
@modmasha

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel!
Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

May 13, 2020 • 45min
2020-018- Masha Sedova, bespoke security training, useful metrics to tailor training
Masha Sedova - Founder, Elevate Security

Inability to measure human security behaviors leads to increased risk in our computing environments. For too long, we’ve accepted training completion and mock phishing data as a sufficient way to measure this risk. But where do the vulnerabilities and strengths truly lie? The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this newfound knowledge.

Study after study shows that the reason why people don’t do things is not always because they don’t understand; it’s because they are not motivated. Motivating employees to change their cybersecurity behavior can seem like an overwhelming task, but there are simple behavioral science techniques cybersecurity professionals can leverage to motivate employees to do the right thing. Masha Sedova will discuss the power of integrating elements of behavioral science into security in order to influence positive behavior.

Motivation theory:
- Deming: https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles
- Theory X and Theory Y: https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y
- Ouchi’s Theory Z: https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi
- http://www.yourarticlelibrary.com/motivation/motivation-theories-top-8-theories-of-motivation-explained/35377

Questions:
- Why do security teams have difficulty in understanding their human risk today? What are the blockers?
- What should security teams be measuring to get a holistic view of human risk?
- What's the difference between security culture, security behavior change, and security awareness?
- Is security culture a core capability in security defense? Why or why not?
- Quantifying risk…
- Is investing in human training a waste of time?

Phishing - mock phish or real phishing
- Pull data to see who is clicking on links
- Send an ‘intervention’
- Gotta move away from training
- The ‘security team’ will save them…
- https://www.ncsc.gov.uk/guidance/phishing

Books:
- Nudge: https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X
- Drive: https://www.amazon.com/Drive-Surprising-Truth-About-Motivates/dp/1594484805/ref=sr_1_1?crid=2QQ59YRRU89YX&dchild=1&keywords=drive+daniel+pink&qid=1588733551&s=books&sprefix=drive%2Cstripbooks%2C240&sr=1-1
- Reality Is Broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611
- People-Centric Security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1
- Deep Thought: a cybersecurity novella: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/

https://elevatesecurity.com/
@modmasha

May 5, 2020 • 1h 8min
2020-017-Cameron Smith, business decisions, and how it affects Security
Cameron Smith @Secnomancer

Layer8conference is virtual (https://layer8conference.com/layer-8-is-online-this-year/)
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
CMMC: https://info.summit7systems.com/blog/cmmc
https://www.comptia.org/certifications/project - Project+
Cameron Smith: www.twitter.com/secnomancer
Cybersmith.com - up by 14 April
Ask@thecybersmith.com
Cameron@thecybersmith.com
https://en.wikipedia.org/wiki/Christopher_Voss
https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805
https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation
https://www.masterclass.com/
https://www.autopsy.com/support/training/covid-19-free-autopsy-training/
https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ

“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” - Ernest Hemingway
https://www.goodreads.com/quotes/76281-there-is-nothing-noble-in-being-superior-to-your-fellow

Original B-Sides Talk Blurb
SITREP: A Consultant's Perspective from the Trenches of InfoSec
In this session you will hear war stories and lessons learned consulting for hundreds of clients across dozens of verticals at every level, from bootstrapped startups with garage beginnings to Fortune 50 companies and everything in between. We will cover life on the front lines in InfoSec, ranging from individual contributions and staying relevant in a rapidly evolving field all the way to how bad most orgs are at InfoSec and what we can do as practitioners to help make them better.

Speaking Goal
After my presentation is over, I want my audience to...
- Feel better about where they are as an infosec practitioner
- Understand that most of Cybersecurity is largely NOT about the latest hack or technique
- Failing is OK as long as you learn from it
...so that...
- When they go back to their office / SOC / client engagements on Monday they focus on the things that matter to their organizations
- Hopefully feel a little bit less that the work they are doing is boring, exhausting, unappreciated, or hopeless

Intro
- Security is a really crazy industry
  - Like the wild west out here
  - Constant threats
  - Complacent or ignorant clients/dependents
  - Resource and budget constraints
- Security is really complex
  - There are SO. MANY. MOVING. PIECES.
  - There is a never-ending stream of new information to learn and new threats to face
  - Security always involves at LEAST 4 parts
    - The practitioner - Hopefully you have backup!
    - What you're protecting - Employer, Client, System, Application, Data, SOMETHING, etc.
    - What you're protecting it from - External TAs, Internal TAs, Incompetence, Apathy, Plain Ol' Vanilla Constraints, etc.
    - What you have to protect it with - Budgets, Time, Personnel, Training, Relationships, etc.
- Cybersecurity/Information Security is simultaneously an old and new/emergent discipline
  - Cyber History
    - Old
      - Nevil Maskelyne / Guglielmo Marconi wireless telegraphy attack and Morse code insults - 1903
      - Phreaking in the 1960s
      - ARPANET Creeper - 1971
      - Morris Worm - 1988
    - New
      - Gartner coined the term SOAR in 2017
        - Yeah... It's barely 3 years old. Now you can literally find job openings with SOAR Engineering titles
      - DevSecOps - Amazon presentation in 2015? Not even in grade school yet.
      - Average enterprise is running 75 security tools in their environment (Cybersecurity Almanac 2019)
  - Most cybersecurity professionals over 30 do not have degrees in cybersecurity
    - Many don't even have Computer Science or IT related degrees
    - This is its own problem
      - Training cyber pros, Chris Sanders, cognitive crisis, etc.
      - BDS ep 2019-021 and 2019-022
  - Emergent disciplines are challenging by default
    - You chose to play the game on hard mode for your first play through
- Security really isn't as complicated as most people think
  - Occult Phenomenon
    - Things we don't understand we imagine to be far more complex
    - Things we anticipate we imagine to be far worse than they are
  - Grass isn't greener
    - Most security departments aren't doing better than you are
    - Maturity models aren't magic

Establish Credibility
- I have been in A LOT of client environments in the last 12 years
  - Last time I checked, I have more than 350 discrete client engagements under my belt
  - I have worked with hundreds of internal, external, and hybrid IT and Security solutions
  - I've met the same tired and beleaguered IT/Security personnel over and over again
    - SSDD, very little actually changes from place to place
- In that time, I've learned quite a bit about what makes security work
  - I've learned even more about what NOT to do
- I want to share some of that with you today so you can see how organizations of all shapes and sizes can fail

Very Large Company Examples
- Big Four Bank Example
  - Situation
    - Four local branches in the Midwest
    - Physical security assessment
    - How getting onto site as a cash machine servicer was incredibly easy
  - Problem
    - Absolute trust of vendors / vendor compromise
  - How do we as security practitioners fix it?
    - Good internal relationships with functional area leaders
    - Work closely with functional areas to the left and to the right
      - Who? Operations? HR? Purchasing?
      - Every functional area, and specifically the leadership
    - Improved communications and availability
    - 8 and Up
    - 'Gotta git gud' at the soft stuff
- Top 50 Chain Restaurant Example
  - Situation
    - Doing chip reader refreshes across all ~600 locations for PCI compliance during the 2017 window
  - Problem
    - Poor project management on behalf of the security team led to project failure
    - A security problem became an IT problem
    - Contractor to subcontractor to subcontractor added time and complexity
  - How do we as security practitioners fix it?
    - Security managers need to be aware of how their projects impact others
    - Managing up
    - Security needs to be interdisciplinary

Government Examples
- Police Department Example
  - Situation
    - City Administrator got spear phished
  - Problem
    - Spear phishing
    - Poor logging
  - How do we as security practitioners fix it?
    - Look for the most basic problems and try to fix them
    - Find or create solutions that provide basic capabilities
    - Cannot prevent the lowest hanging fruit directly, so impact what you can change
      - What you can actually do about phishing
      - Getting people to do something that you want them to do
- Defense Subcontractor Example
  - Situation
    - Working with MSP on security issues
    - “Do we have a SIEM?” email
  - Problem
    - Company executives have never done due diligence
    - Assumed that the MSP had it under control
    - MSP just did what they normally do, within the letter of their contract
  - How do we as security practitioners fix it?
    - Security needs to be proactive

Small Company Examples
- Light Manufacturer Example
  - Situation
    - Server not working: ransomware
    - Attackers pivoted through third-party accountant access
  - Problem
    - Single Point of Failure (SPOF)
    - Vendor compromise
  - How do we as security practitioners solve it?
    - IT problems become security problems on a long enough timeline
    - Need to provide actual solutions to business problems
    - Security CANNOT be decoupled from business needs
- Telecommunications Provider
  - Situation
    - Employee reports CEO was hacked
  - Problem
    - Employee panicked, emailed everyone
    - Escalated way beyond what was necessary
  - How do we as security practitioners solve it?
    - Employee education - boring answer
    - What's actually under our control here?
      - Clear processes for security incidents
      - Clear communications channels for employees with IT and security groups
      - Knowledge management
- Local NGO Example
  - Situation
    - Meeting with Executive Director regarding server failure
  - Problem
    - Mentions that she was sent security guidelines from the global parent org
    - Got so overwhelmed reading it she just closed it and kept working on something else
  - How do we as security practitioners solve it?
    - We have to make this information digestible and accessible
    - We do NOT need to make already dense subject matter even more inaccessible
    - When you cannot mandate compliance, how do you achieve compliance?
      - More flies with honey than vinegar
      - Build relationships - Layer 8 strikes again

Apr 29, 2020 • 49min
2020-016-Cameron Smith, Business decisions and their (in)secure outcomes - Part 1
Same show notes as 2020-017 (Part 2), listed above.

Apr 21, 2020 • 57min
2020-015-Tanya_Janca-Using Github Actions in your Devops Environment, workflow automation
GitHub Actions - https://github.com/features/actions
- How are these written? It looks like a marketplace format?
- How do they maintain code quality?
- What does it take to set up the actions?
- It looks like IFTTT for DevOps?
- What kind of integrations does it allow for? Will it handle logins or API calls for you?
- Is it moderated in some way? What’s the acceptance criteria for these?
- What are you trying to accomplish by using GitHub Actions?
- What are the benefits of using these over XX product? What is gained by using this?

Mention Twitch channel and when (join the mailing list)
GitHub Actions on “Twitch.tv/shehackspurple”
Coaching, Project Management, Scrum Management
Alice and Bob Learn Application Security - Wiley - Fall/Winter 2020

Links:
https://shehackspurple.dev
https://mailchi.mp/e2ab45528831/shehackspurple
https://twitter.com/shehackspurple
https://dev.to/shehackspurple
https://medium.com/@shehackspurple
https://www.youtube.com/shehackspurple
https://www.twitch.tv/shehackspurple
https://www.linkedin.com/in/tanya-janca
https://github.com/shehackspurple/

Apr 14, 2020 • 48min
2020-014-Server Side Request Forgery defense, Tanya Janca, AppSec discussion
Tanya's AppSec Course: https://www.shehackspurple.dev/server-side-request-forgery-ssrf-defenses
https://www.shehackspurple.dev
Server-side request forgery - https://portswigger.net/web-security/ssrf
- What are the differences between stored XSS and SSRF?
  - This requires a MITM type of issue?
  - Doesn’t stored XSS get stored on the server?
- What conditions must exist for SSRF to be possible?
- What mitigations need to be in place for SSRF? CORS? CSP?
  - Would a WAF or mod_security be effective?
- Can it be completely mitigated, or are there still ways around it?

Part 2 - next week
GitHub Actions - https://github.com/features/actions
- How are these written? It looks like a marketplace format?
- How do they maintain code quality?
- What does it take to set up the actions?
- It looks like IFTTT for DevOps?
- What kind of integrations does it allow for? Will it handle logins or API calls for you?
- Is it moderated in some way? What’s the acceptance criteria for these?
- What are you trying to accomplish by using GitHub Actions?
- What are the benefits of using these over XX product? What is gained by using this?

Mention Twitch channel and when (join the mailing list)
GitHub Actions on “Twitch.tv/shehackspurple”
Coaching, Project Management, Scrum Management
Alice and Bob Learn Application Security - Wiley - Fall/Winter 2020

Links:
https://shehackspurple.dev
https://mailchi.mp/e2ab45528831/shehackspurple
https://twitter.com/shehackspurple
https://dev.to/shehackspurple
https://medium.com/@shehackspurple
https://www.youtube.com/shehackspurple
https://www.twitch.tv/shehackspurple
https://www.linkedin.com/in/tanya-janca
https://github.com/shehackspurple/

Tanya Janca - https://SheHacksPurple.dev

Apr 7, 2020 • 1h 2min
2020-013- part 2, education security, ransomware, april mardock, Nathan McNulty, and Jared folkins
April Mardock - CISO - Seattle Public Schools
Jared Folkins - IT Engineer - Bend La Pine Schools
Nathan McNulty - Information Security Architect - Beaverton School District

OpSecEdu - https://www.opsecedu.com/ (Slack)
https://www.a4l.org/default.aspx
https://clever.com/
BEC - https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
https://www.k12cybersecurityconference.org/
https://acpenw.sched.com/

Bypassing security controls:
- https://www.goguardian.com/blog/technology/how-students-bypass-school-web-filters-and-how-to-stop-them/
- https://community.spiceworks.com/topic/2077711-chromebook-google-docs-bypassing-filters
- https://www.mobicip.com/blog/here%E2%80%99s-how-kids-bypass-apple%E2%80%99s-parental-control-tools
- https://www.phantomts.com/2020/01/11/kids-can-bypass-communication-limit-feature-on-ios-13-3/
- https://www.ocregister.com/2009/02/17/students-accused-of-changing-grades-using-teachers-password/

Security persons at education institutions of varying sizes.
- https://www.darkreading.com/threat-intelligence/ransomware-crisis-in-us-schools-more-than-1000-hit-so-far-in-2019/d/d-id/1336634
- https://www.forbes.com/sites/leemathews/2019/09/25/yet-another-u-s-school-district-has-been-ravaged-by-malware/
- https://www.zdnet.com/article/texas-school-district-falls-for-scam-email-hands-over-2-3-million/

Questions:
- Why are schools soft targets? Is money/budget the reason schools get the raw deal here?
- Why is ransomware such an appealing attack?
- How complex is the school environment? Mobile, tablets, hostile users, hostile external forces
- Adding technology too quickly? Outpacing the infrastructure in schools?

Just ideas for some questions. - Jared
- Do you find vendors are very responsive in the education space when receiving a vulnerability report?
  - https://www.edweek.org/ew/articles/2019/09/10/parent-who-criticized-his-sons-math-program.html
- When students, who you are trying to educate, are found doing something inappropriate, how do districts handle it?
  - https://ktvz.com/news/2017/11/08/mtn-view-hs-bomb-threat-traced-to-eugene-14-year-old/
- What challenges do security people in education face when partnering with their user base?
- Unlike a corporate setting, many educators and students need to install different software throughout the year; how is that handled?
- How did April, Nathan, and Jared meet?
- Has the technology stack in your various school systems changed much in the last 10 years? Have you moved to cloud based, or do you still have an IT shack at the school systems with physical machines?
- Local admins are not granted… (excellent!)

Mar 29, 2020 • 48min
2020-012-April Mardock, Nathan McNulty, Jared Folkins, school security, ransomware attacks
April Mardock - CISO - Seattle Public Schools
Jared Folkins - IT Engineer - Bend La Pine Schools
Nathan McNulty - Information Security Architect - Beaverton School District
OpSecEdu - https://www.opsecedu.com/ Slack
https://www.a4l.org/default.aspx
https://clever.com/
BEC - https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
https://www.k12cybersecurityconference.org/
https://acpenw.sched.com/
Bypassing security controls -
https://www.goguardian.com/blog/technology/how-students-bypass-school-web-filters-and-how-to-stop-them/
https://community.spiceworks.com/topic/2077711-chromebook-google-docs-bypassing-filters
https://www.mobicip.com/blog/here%E2%80%99s-how-kids-bypass-apple%E2%80%99s-parental-control-tools
https://www.phantomts.com/2020/01/11/kids-can-bypass-communication-limit-feature-on-ios-13-3/
https://www.ocregister.com/2009/02/17/students-accused-of-changing-grades-using-teachers-password/
Security persons at education institutions of varying sizes.
https://www.darkreading.com/threat-intelligence/ransomware-crisis-in-us-schools-more-than-1000-hit-so-far-in-2019/d/d-id/1336634
https://www.forbes.com/sites/leemathews/2019/09/25/yet-another-u-s-school-district-has-been-ravaged-by-malware/
https://www.zdnet.com/article/texas-school-district-falls-for-scam-email-hands-over-2-3-million/
Why are schools soft targets? Is money/budget the reason schools get the raw deal here?
Why is ransomware such an appealing attack?
How complex is the school environment? Mobile, tablets, hostile users, hostile external forces
Adding technology too quickly? Outpacing the infrastructure in schools?
Just ideas for some questions. - Jared
Do you find vendors are very responsive in the education space when receiving a vulnerability report?
https://www.edweek.org/ew/articles/2019/09/10/parent-who-criticized-his-sons-math-program.html
When students, who you are trying to educate, are found doing something inappropriate, how do Districts handle it?
https://ktvz.com/news/2017/11/08/mtn-view-hs-bomb-threat-traced-to-eugene-14-year-old/
What challenges do Security people in education face when partnering with their user base?
Unlike a corporate setting, many educators and students need to install different software throughout the year; how is that handled?
How did April, Nathan, and Jared meet?
Has the technology stack in your various school systems changed much in the last 10 years? Have you moved to cloud based, or do you still have an IT shack at the school systems with physical machines?
Localadmins are not granted… (excellent!)

Mar 25, 2020 • 1h 10min
2020-011-Alyssa miller, deep fakes, threatmodeling for Devops environments, and virtual conferences
https://twitter.com/AlyssaM_InfoSec/status/1159877471161839617?s=19
Looking forward to sharing my vision for ending the 60 year cycle of bad defense strategies in #infosec and my challenge to think about security in a more effective way. https://sched.co/TAqU @dianainitiative #DianaInitiative2019 #cdwsocial @CDWCorp
1961 - MIT - CTSS - https://en.wikipedia.org/wiki/Compatible_Time-Sharing_System
Egg, coconut, brick (my example of security --brbr)
Start with critical assets
Layer outward, not perimeter in.
Medieval castles
Create the keep, build out from that
Active defenses
Dover Castle - https://en.wikipedia.org/wiki/Dover_Castle#/media/File:1_dover_castle_aerial_panorama_2017.jpg
Detection defenses - watchguards
Mitigation defenses - moats - give time/space to respond (network segmentation)
Active countermeasures - knights/archers/cannons
DeepFake technology
Election year
Spoke at RSA
Business threat? “Outsider trading”
“Video of Elon talking about problems - fake…” Stocks tank - short
https://www.vice.com/en_us/article/ywyxex/deepfake-of-mark-zuckerberg-facebook-fake-video-policy
Could it be done strategically to destabilize things
Extort business leaders
Fake videos used to extort
Still difficult to create
What are the hurdles stopping it from being mainstream? Huge render farms?
https://www.youtube.com/watch?v=18LN7VQM1aw - deepfake Sharon Stone/Steve Buscemi
Threat modeling in devSecOps
Agile env needs to be quick, fast, and
Build it into user stories
Shostack’s method is a bit weighty
How do we implement that in such a way to make dev want to do them?
Organizing Virtual cons
https://Allthetalks.online - April 15 24 hour conference for charity
Talks, followed by interactive channels, community generation
Virtual Lobbycon
Comedian
CFP is open 01 April 2020
Sticker swap!
Bsides Atlanta 27-29 March https://bsidesatl.org/ - All virtual this weekend!
Infosec Oasis https://Infosecoasis.com - 18 April
https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/
https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability

Mar 19, 2020 • 47min
2020-010-Dave Kennedy, offensive security tool release, Derbycom, and Esports
Dave Kennedy (@hackingDave) TrustedSec
Released SEToolkit, Pentester Framework (PTF)
PoC release for “Shitrix” bug (was disclosed after Google zero initiative India group)
Jeff Snover, Lee Holmes - Powershell gods
Arguments against release
Tools that are released are utilized by the ‘bad guys’
Tooling makes it more difficult to fingerprint whether actors are who they say they are “Fuzzy Weasel Vs. Psycho Toads”
Makes the bad guys' job harder by making them have to create the PoC (presumably most bad actors are skids)
Arguments for release
Tools allow for teaching Blue team, and SIEM/logging systems to understand
Learning how something was created, being able to break down the vulnerability
https://www.bleepingcomputer.com/news/security/new-evasion-encyclopedia-shows-how-malware-detects-virtual-machines/
Show #2: DerbyCom - Tell us about it
Dave Kennedy Center for gaming and Leadership https://twitter.com/hackingdave/status/1220150360779710464?lang=en
Offensive Security Tool release (PowerShell Empire 3.0)
PowerShell Empire is re-released, using Python: https://twitter.com/BCSecurity1/status/1209126652300709888
Initial tweet: https://twitter.com/taosecurity/status/1209132572128747520
“We believe that Powershell and Empire framework will remain a major threat vector employed by APTs, malware authors, and Red Teams.” SO WHY ARE YOU UPDATING IT? You are improving capabilities you explicitly say are *used by bad guys.* Scottie, beam me up from this bizarro world.
Affirmations and evidence:
https://twitter.com/taosecurity/status/1209287582439395330
Nope. One example: Iranian APT “CopyKittens” uses Powershell Empire. Incidentally, I found this example via @MITREattack. https://clearskysec.com/tulip/
https://twitter.com/michael_yip/status/1209151868036886528
One can innovate without sharing with the adversary no? It’s literally how the defense industry works or am I missing something?
https://twitter.com/michael_yip/status/1209247219796398083 …
“Are we really justifying lowering the R&D cost of the adversary is the only way to attract talent to the defensive side. Not to mention - no one is saying developing OST is wrong. It’s the way they're being shared that’s problematic”
https://twitter.com/2sec4u/status/1209169724799623169?s=20
The whole idea is that actors can't just git clone an advanced post exploitation framework which bypasses 95% of organisations' defences. It should cost actors time & money to bypass these defences but because red team keep releasing new stuff with bypasses... the cycle continues.
Comments in Support of initial argument
https://twitter.com/IISResetMe/status/1209180945011621889?s=20
I really _want_ to agree. ... but I also work in an org with million dollar budgets, a dozen full-time detection engineers and analysts and an army of devs and sysadmins, and even we are having a hard time keeping up - how does this arms race "help" non-F500 orgs?
(later discussion does mention that he has a hard time seeing it as net negative) https://twitter.com/IISResetMe/status/1209183774182907904?s=20
https://twitter.com/cnoanalysis/status/1209169633460150272?s=20
“If we don’t create the offensive tools then the bad guys will!” That is a terrible argument for OST release. “We might as well do something that harms because someone else will do that eventually anyway...” there are so many logical fallacies I don’t have enough space
Rebuttals
https://twitter.com/r3dQu1nn/status/1209207550731677697
Limiting yourself by not exposing more tooling to defenders is NOT how to improve security. Yikes. The more exposure you provide defenders gives you more detections/IOCs you can build to help defend against APTs. That's the whole point of Proactive security.
https://twitter.com/bettersafetynet/status/1209138002473160707
It's vital that we continue to sharpen our swords. The commoditization of attacker techniques allows better defense against what adversaries are doing.
https://twitter.com/dragosr/status/1209213064446279680
And this whole discussion ignores a simple fact that released information is way better than exploits passed around quietly or kept in stockpile caches regardless of anyone’s metric of responsibility (which is a debatable, very hypothetical line of what’s acceptable or not).
https://twitter.com/bettersafetynet/status/1209139099979923457
The very fact that you and others who are taking this side are trying to cajole and brow beat to this position shows how weak your argument is. MITRE ATT&CK took off like gang-busters not because they had a better trolling game, but because it was a great idea implemented well.
https://twitter.com/bettersafetynet/status/1209139578579275776
It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions.
https://twitter.com/bettersafetynet/status/1209154592560353280
My stance is likely to tick off both sides here. I think there are times that limited release is good. But over and over, we've seen where vendors do not change until something is publicly released.
https://twitter.com/r3dQu1nn/status/1209346356151631873
Security is a service that can be improved with products. Having no security or limiting exposure to offensive tool sets increases the chances of a breach. Ethical hackers' sole purpose is to help make Blue better. Which is why purple teams are a great resource for any company.
https://twitter.com/ippsec/status/1209354476072689664?s=20
To the people upset by public red team tools. If you can't detect open source tools then what chance do you have at detecting private one off tools. It’s much easier to automate a battle against 100 duck sized horses than it is to face off against a single horse sized duck.
Defender Classification of PowerShell Empire 3.0
https://www.bc-security.org/post/the-empire-3-0-strikes-back
Is there a way to protect against it?
Where does this sit in the ATT&CK Matrix?
Features:
Enhanced Windows Evasion vs. Defender
DPAPI support for “PSCredential” and “SecureString”
AMSI bypasses
JA3/S signature Randomization
New Mimikatz version integration
Curveball test (CryptoAPI test scripts)
Dave’s new Esport initiative (opens in February): https://twitter.com/HackingDave/status/1220150360779710464
DERBYCON community updates