BrakeSec Education Podcast

 "Always Be Closing" is the mantra that Alec Baldwin's character "Blake" intones in the movie "#GlenGarry #Glen #Ross". Ironically, the film about 4 men selling was a failure in the theaters. A lot of times as #blue #teamers, we find ourselves in the sights of a #sales person, or often enough, we are inviting them into our conference rooms to find out how their widget will help save the day. There's an art to the concept of selling, honed over the past 500,000 years, since Ugg tried to convince Oog that his wheel would revolutionize work... We asked Ms. Amanda Berlin (@infosystir) to join us this week, for her expertise at working at an security company, as well as someone who sells products, to discuss how and why sales and sales engineers do what they do. I posit that there must be 'decision tree' or script that most follow in an effort to make a sale, and how to confront the pushy sales pitch head on, or in Amanda's way, to avoid it altogether. We discuss Amanda's book she co-wrote with Lee Brotherston, whom we've had on our show before. Their #O'Reilly #book is on pre-sale right now, so you can order "The #Defensive #Security #Handbook" here: http://shop.oreilly.com/product/0636920051671.do Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-049-amanda_berlin_the_art_of_the_sale_decision_making_trees.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-049-amanda-berlin-art/id799131292?i=1000378988303&mt=2 Youtube: https://www.youtube.com/watch?v=v0llOSXfzBg   Special deal for our #BrakeSec Listeners: "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! Join our Slack Channel! Sign up at https://brakesec.signup.team #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969 #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

As part of our ongoing discussion about the #SDLC and getting security baked in as far left as possible, Joe Gray, host of the  Advanced Persistant Security #Podcast (find it at https://advancedpersistentsecurity.net/), Mr. Boettcher, and I sat down with Dr. Gary McGraw, author of "Software Security: Building Security In" to discuss his book. We are also doing this book as part of the Brakeing Security Book Club (check out our #Slack channel for more information). Gary walks us through the 7 Kingdoms of getting more security in, including doing automated and manual code audits, proper penetration testing of the application at various stages (testing), documentation (if you don't know it works, how can you test it?), and your Security Operations people, monitoring for things once it goes into production.  Also, find out what Chapter he thinks you should skip altogether... the answer may surprise you... :) Join Mr. Gray, Mr. Boettcher, and I for a discussion with a true leader in the software and application security industry. Buy the book on Amazon: https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705 Check out Gary's Website at https://www.garymcgraw.com/, and check out Gary's own podcast the Silver Bullet Security Podcast at https://www.garymcgraw.com/technology/silver-bullet-podcast/ Gary's twitter is @cigitalgem Joe Gray's twitter is @C_3PJoe Special deal for our #BrakeSec Listeners: "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks Sebastian Paul Avarvarei and all the organizers of Hack In The Box (#HITB) for this opportunity! Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-048-Gary_McGraw_Securing_Your_SDLC_and_guest_host_Joe_Gray.mp3 iTunes:  https://itunes.apple.com/us/podcast/2016-048-dr.-gary-mcgraw-building/id799131292?i=1000378548363&mt=2 YouTube: https://www.youtube.com/watch?v=x65yL5_Hpi4 Join our Slack Channel! Sign up at https://brakesec.signup.team #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969 #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Just a quick episode this week... As part of the Brakesec Book Club (join us on our #Slack Channel for more information!) we are discussing Dr. Gary McGraw's book "Software Security: Building Security In" (Amazon Link: https://is.gd/QtHQcM) We talk about the need to inserting security into your company's #SDLC... but what exactly can be done to enable that? I talk about abuse cases, #risk #analysis, creating test cases, pentesting, and #security #operations are all methods to do so. Finally, I discovered a blog talking about ways to discover configuration errors on Linux systems that might allow #privilege #escalation to occur. Using these tools as part of your hardening processes could lower the risk of a bad actor gaining elevated privileges on your *unix hosts http://rajhackingarticles.blogspot.com/2016/11/4-ways-to-get-linux-privilege-escalation.html You can find the github of this script and the audit software that I mentioned below: https://github.com/rebootuser/LinEnum.git     #Lynis (from CISOfy: https://cisofy.com/lynis/   Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-047-inserting_security_into_the_SDLC_finding_Linux_priv_esc.mp3   #iTunes: https://itunes.apple.com/us/podcast/2016-047-inserting-security/id799131292?i=1000378329598&mt=2   #YouTube:  https://www.youtube.com/watch?v=Kd_ZzvVNqoA   #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969 #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582  

This week, Mr. Boettcher found himself with an interesting conundrum concerning what happened when he converted a Windows DOCX file to a PDF using a popular #PDF converter software. We discuss what happened, how Software Restriction Policy in Windows kept him safe from a potential malware infection, and about the logging that occurred. After that, we discuss some recent vulnerabilities, like the BlackNurse Resource Exhaustion vulnerability and how you can protect your infrastructure from a DDoS that can occur from someone sending your firewall 300 packets a second... which anyone can do. We discuss Robert Graham's recent run-in with a new surveillance camera and how it was pwned in less time than you think. And learn about the 'buenoware' that has been released that 'patches' IoT and embedded devices... But does it do more harm than good, and is it legal? All that and more this week on Brakeing Down Security Podcast!  Check out our official #Slack Channel! Sign up at https://brakesec.signup.team Next Book Club session is 29 November 2016. Our current book for study is 'Software Security: Building Security In' by Dr. Gary McGraw  https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705  (ebook is available of Safari books online)   BlackNurse https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/ http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/ http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack   Recent tweet from @boettcherpwned about infected docx with macros and we discuss why Foxit PDF runs the macros and open_document: https://twitter.com/boettcherpwned/status/799726266693713920 Brakesec Podcast about Software Restriction Policy and Application Whitelisting on Windows: http://traffic.libsyn.com/brakeingsecurity/2016-018-software_restriction_policy-applocker.mp3 Rob Graham @errataBob: new camera pwned by #Mirai botnet and others within 5 minutes: https://twitter.com/newsyc200/status/799761390915424261   #BlackNurse https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/ http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/ http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack ICMP Type 3, Code 3 (Destination Port unreachable)  http://www.faqs.org/rfcs/rfc792.html #SHA1 deprecated on website certs by Chrome on 1 January 2017 http://www.darkreading.com/operations/as-deadline-looms-35-percent-of-web-sites-still-rely-on-sha-1/d/d-id/1327522 #Benevolent #malware (buenoware) https://isc.sans.edu/diary/Benevolent+malware%3F+reincarnaLinux.Wifatch/21703 #Atombombing http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions https://breakingmalware.com/injection-techniques/atombombing-cfg-protected-processes/ http://www.pandasecurity.com/mediacenter/malware/atombombing-windows-cybersecurity/   Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-046-Black_Nurse_buenoware_IoT_pwnage.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-046-blacknurse-buenoware/id799131292?i=1000378076060&mt=2 Youtube: https://www.youtube.com/watch?v=w-FEJuWGXaQ   #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969 #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

During a Security Incident, or in the course of an investigation, it may become necessary to gather evidence for further use in a possible court case in the future. But if you don't have 4-10,000 dollars USD for fancy forensic software, you'll need to find methods to preserve data, create proper integrity, and have a proper custody list to show who handled the data, how it was collected, etc. This podcast was not meant to turn you into an expert, but instead to go over the finer points of the process, and even where you should turn to if you need help. Certified Ethical Hacker book I was referencing in the show: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119252245,miniSiteCd-SYBEX.html Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-044-Evidence_chain_of_custody_data_integrity.mp3 #YouTube: https://www.youtube.com/watch?v=aJA2ry6npKI #iTunes: https://itunes.apple.com/us/podcast/2016-044-chain-custody-data/id799131292?i=1000377566298&mt=2 #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969 #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

  **Brakeing Down Security has a Slack channel now... just go to https://brakesec.signup.team and follow the instructions to have the bot add you to our show's official channel.** Every year, organizations come out with industry reports that show how well or, more often than not, how poorly we are doing. We always even reviewing the BSIMM report, because it's an unvarnished, and a good measure of a good number of industry verticals, like finance, manufacturing, cloud, and even companies that make IoT devices. Join Mr. Boettcher and I this week as we go over the findings of the report, discuss what got better, what still sucks, and what shouldn't we fault companies for not having. We also have a teachable moment when I discuss a security paux fas that happened to me (Bryan) recently regarding an email account and my Skype. 2 factor authentication is your friend, and if it's available, use it. Mr. Boettcher discusses some recent malware that has reared it's ugly head, and how to detect it. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-043-BSIMMv7.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-043-bsimmv7-teachable/id799131292?i=1000377394890&mt=2 YouTube: https://www.youtube.com/watch?v=I3FLSLSSb_Y   #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969 #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582  

Join us for a special episode this week! I (Bryan) was able to attend my first Source Seattle convention. Two days of talks, technical and non-technical, combining red/blue team concepts, as well as professional development, to help you navigate the corporate waters easier. I was able to interview a number of people from the conference. You can see a partial list of them here: http://www.sourceconference.com/single-post/2016/09/30/SOURCE-Seattle-Highlights Interviewed Chip McSweeney from OpenDNS (@chipmcmalware) and Rob Cheyne about the conference and got a bit of information about Chip's talk on "Domain Generating Algorithms" (DGA) that #malware use for domain C&C, and how to detect and reverse certain algos. Rob Cheyne is the organizer of Source, so we talked a bit about the history and difficulties putting on 3 of these a year, and what makes the "Source" conference format so different. Masha Sedova was one of the keynote speakersto discuss how she gamified her information security program and got everyone involved. Really excellent talk about changing organizational behavior. Rob Fuller gave two days of Metasploit training, to show the versatility and to teach about the effectiveness of this tool. I also ask if Metasploit has reached it's end, since it's easily detected in many environments. Rob is a great interview and gives me his unvarnished opinion. Mike Shema from https://cobalt.io/ discussed expanding and tailoring your bug bounty program to suit your organization and to ensure that your bug bounty program is mature. Using private bug bounties, and ensuring proper follow through in a timely manner can ensure maximum bang for the buck. Last but not least, Deidre Diamond who did a keynote about 'Words to Stop Using now'. Deidre is the CEO of a national cyber security staffing company (Cyber Security Network) and Founder of a not-for-profit that empowers women in the infosec industry. Hear her thoughts on how leadership training is needed in the corporate environment, I ask her why we still need recruiters with hiring sites and why job descriptions are still a thorn in everyone's sides. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-042-Source_Seattle_2016_audio.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-042-audio-from-source/id799131292?i=1000377063127&mt=2 YouTube: https://www.youtube.com/watch?v=sj_SD2k7zXw #RSS: http://www.brakeingsecurity.com/rss #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582    

Ben Johnson has been around the industry for a good while, and has seen a lot of ugly things in our industry. Ben had written a recent blog post (https://www.carbonblack.com/2016/08/12/benvlog-3-negative-forces-driving-security/) detailing the issues that seem to plague many companies and many people in the infosec community. We talked about these issues in depth, and how companies and even the employees in a company can ease some of their burdens, and how they can make some changes to make your company culture better.   Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-041-Ben_johnson.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-041-ben-johnson-company/id799131292?i=1000376744922&mt=2 YouTube: https://www.youtube.com/watch?v=HrTPH97-YIY   #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

If you work in a #DevOps environment, you're on one side of the fence... you're either with the devs, you have freedom to make changes, and everything is great. If you're on the Security and/or Compliance side, it's a desolate wasteland of watching people play fast and loose with policies, no one documenting anything, and you're seen as a 'barrier' to getting the new hotness out. But does it have to be that way? This week, we sat down with DevOps veterans Gene Kim and Josh Corman to discuss how we can make security, compliance, and DevOps to play nice with one another. Gene Kim's new book (excerpt): http://itrevolution.com/handbook-excerpt   Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-040-Gene_Kim-Josh_Corman-Getting_Security-and_DevOps_playing_nice.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-040-gene-kim-josh-corman/id799131292?i=1000376417012&mt=2 YouTube:  https://www.youtube.com/watch?v=fOuSRYJtiKo   #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Join us this week as Robert Hurlbut (@roberthurlbut on Twitter), is an independent consultant with over 25 years of application experience, helps us understand best methods to getting developers on the same level as security professionals with application security flaws. We also discuss some of the soft skills involved in bringing new concepts to organizations, like teaching proper coding conventions, changing up the development lifecycle, and helping to improve the skills of developers and managers.   Robert's Website is chock full of good information about threat modeling and secure coding practices at http://www.roberthurlbut.com     Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-039-Robert_Hurlbut-threat_modeling_and_analysis.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-039-robert-hurlbut-threat/id799131292?i=1000376171899&mt=2 YouTube: https://www.youtube.com/watch?v=P5jEVJTymOg     #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582