
BrakeSec Education Podcast
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
Latest episodes

Dec 17, 2015 • 47min
2015-052: Wim Remes-ISC2 board member
I got a hold of Mr. Wim Remes because he was elected to the ISC2 board in November 2015. Recent changes to the CISSP included collapsing the long-standing 10 domains down to 8 domains, plus a major revamp of all of them.
I wanted to know what Mr. Remes' plans were for the coming term, how the board works, and how organizations like ISC2 drive change in the industry. I also asked Wim how he is trying to ensure that CISSP and the other certs are going to remain current and competitive.
This is a great interview if you're looking to get your #CISSP or any other ISC2 cert, or you currently have an #ISC2 #certification and want to get knowledge of the workings of ISC2 and the board.
Mr. #Remes' Twitter: @wimremes
ISC2 official site: http://www.isc2.org
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-052-wim_remes-isc2.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-052-wim-remes-isc2-board/id799131292?i=359103338&mt=2
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Join our Patreon!: https://www.patreon.com/bds_podcast
Comments, Questions, Feedback: bds.podcast@gmail.com

Dec 10, 2015 • 48min
2015-051-MITRE's ATT&CK Matrix
#MITRE has a Matrix that classifies the various ways that your network can be compromised. It shows all the post-exploitation categories from 'Persistence' to 'Privilege Escalation'. It's a nice way to organize all the information.
This week, Mr. Boettcher and I go over "#Persistence" and "#Command and #Control" sections of the Matrix.
Every person who attacks you has a specific method that they use to get and keep access to your systems; it's as unique as a fingerprint. Threat intelligence companies call it TTP (#Tactics, #Techniques, and #Procedures). We also discuss the Cyber #KillChain, and where it came from.
#ATT&CK Matrix: https://attack.mitre.org/wiki/Main_Page
Tactics, Techniques, and Procedures (shows patterns of behavior) https://en.wikipedia.org/wiki/Terrorist_Tactics,_Techniques,_and_Procedures
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf -- Cyber Kill Chain paper that inspired the ATT&CK Matrix
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-051-ATTACK_Matrix.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-051-mitres-att-ck-matrix/id799131292?i=358670845&mt=2
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Join our Patreon!: https://www.patreon.com/bds_podcast
Comments, Questions, Feedback: bds.podcast@gmail.com

Dec 4, 2015 • 42min
2015-049-Can you achieve Security Through Obscurity?
That's the question many think has an automatic 'yes' for an answer. Maybe your Httpd is running on port 82, or maybe your fancy #wordpress #module needs some cover because the code quality is just a little lower than where it should be, and you need to hide some cruft.
This week, Mr. Boettcher and I discuss reasons for obscuring for the sake of #security, when it's a good idea, and when you shouldn't #obscure anything (hint: using #ROT-14, for example).
#encryption #infosec
Show Notes: https://docs.google.com/document/d/1PioC2hnQHhm5Xd1SCT4ewvZmZiLcE5pGQuif4Tuk_zE/edit?usp=sharing
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-049-Security_by_Obscurity.mp3
Mr. Boettcher's Twitter: http://www.twitter.com/boettcherpwned
Bryan's Twitter: http://www.twitter.com/bryanbrake
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Join our Patreon!: https://www.patreon.com/bds_podcast
Comments, Questions, Feedback: bds.podcast@gmail.com

Nov 27, 2015 • 44min
2015-048: The rise of the Shadow... IT!
Cheryl Biswas gave a great talk last month at Bsides Toronto. I was intrigued by what "Shadow IT" and "Shadow Data" means, as there appears to be some disparity. Why can't you write policy to enforce standards? As easy as it sounds, it's quickly becoming a reason young talented people might skip your company. Who wants to use Blackberries and Gateway laptops, when sexy new MacBook Airs and iPhone 6S exist?
This also leads to the issue of business data being put on personal devices, which, as anyone knows, can cause a whole host of additional issues. Malware installed on personal devices can make sharing business secrets a cinch.
So, while Mr. Boettcher was working, I managed to wrangle a quick interview with Cheryl out of her offices in Toronto, Ontario.
Cheryl gave us some great audio, and when you're done, you can watch her Bsides Toronto talk.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-048-Cheryl_Biswas_Shadow_IT.mp3
iTunes Link: https://itunes.apple.com/us/podcast/2015-048-rise-shadow...-it!/id799131292?i=357889684&mt=2
Cheryl's Twitter: https://www.twitter.com/3ncr1pt3d
Cheryl's BsidesTO talk: https://www.youtube.com/watch?v=q0pNWpWFKBc
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Join our Patreon!: https://www.patreon.com/bds_podcast
Comments, Questions, Feedback: bds.podcast@gmail.com

Nov 21, 2015 • 47min
2015-047-Using BSIMM framework to measure the maturity of your software security lifecycle
Building Security In Maturity Model (#BSIMM) is a #framework that is unique in that it gives your company a measuring stick to know how certain industry verticals stack up against yours...
We didn't want to run through all 4 sections of the BSIMM, so this time, we concentrated on the #software #security standards, the "Deployment" section specifically...
BSIMMV6 download (just put junk in the fields, and download ;) ): https://www.bsimm.com/download/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-047_BSIMM.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-047-using-bsimm-framework/id799131292?i=357545342&mt=2
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Join our Patreon!: https://www.patreon.com/bds_podcast
Comments, Questions, Feedback: bds.podcast@gmail.com

Nov 10, 2015 • 37min
2015-046: Getting Security baked in your web app using OWASP ASVS
During our last podcast with Bill Sempf (@sempf), we were talking about how to get developers to understand how to turn a vuln into a defect and how to get a dev to understand how vulns affect the overall quality of the product.
During our conversation, the term "ASVS" came up, so we did a quick and dirty session with Bill about it. It's a security #requirements #document that ensures that projects being scoped out meet specific security requirements. This can be a valuable ally when your company is creating products or software applications. Bill explains to us this week exactly how to incorporate this into your Secure #SDLC #lifecycle.
#project #management #security #architect
Direct Link: http://traffic.libsyn.com/brakeingsecurity/sempf2.mp3
iTunes Link: https://itunes.apple.com/us/podcast/2015-046-getting-security/id799131292?i=356958476&mt=2
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
Bill's Bside Columbus talk on ASVS: http://www.irongeek.com/i.php?page=videos/bsidescolumbus2015/defense00-got-software-need-a-security-test-plan-got-you-covered-bill-sempf
Bill's Blog: http://www.sempf.net
Bill's Twitter: http://www.twitter.com/sempf
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Nov 4, 2015 • 46min
2015-045: Care and feeding of Devs, podcast edition, with Bill Sempf!
When you receive a #pentest or vuln scan report, we think in terms of #SQLi or #XSS. Take that report to your dev, and she/he sees Egyptian hieroglyphics, and we wonder why it's so difficult to get devs to understand.
It's a language barrier, folks. They think in terms of defects or how something will affect the customer experience. We think in terms of #vulnerabilities, and what caused the issue. We need to find that common ground, and often that will mean us heading into unfamiliar territory. It doesn't have to be 'us vs. them'. We are supposed to be a team.
Join us this week as we discuss that very topic with Bill #Sempf. Bill has spent nearly 25 years doing software development and security, working as an independent contractor for dozens of companies on hundreds of #software #projects. He helps us figure out how to speak 'dev', and to develop a mindset that will ensure you can get the most out of interactions with developers and coders.
Show notes: http://brakeingsecurity.com/2015-045-care-and-feeding-of-devs-podcast-edition-with-bill-sempf
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-045_Bill_Sempf-care_and_feeding_of_devs.mp3
Itunes: https://itunes.apple.com/us/podcast/2015-045-care-feeding-devs/id799131292?i=356366452&mt=2
Bill's #DerbyCon Talk "#Developers: Care and Feeding":
http://www.irongeek.com/i.php?page=videos/derbycon5/teach-me11-developers-care-and-feeding-bill-sempf
Bill's Blog: https://sempf.net/
Bill's Twitter: http://www.twitter.com/sempf
Check us out using the #TuneIn App!: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
#RSS: http://www.brakeingsecurity.com/rss

Oct 30, 2015 • 56min
2015-044-A MAD, MAD, MAD, MAD Active Defense World w/ Ben Donnelly!
It's a madhouse this week! We invited Ben Donnelly (@zaeyx) back to discuss a new software framework he's crafted, called #MAD Active Defense. Ben wants to make Active Defense simple enough for even the busiest blue teamer.
The interface takes its design from other well-known #software frameworks, namely #Metasploit, #Recon-ng, and even a bit of #SET, he said.
We even did a quick demo of MAD, discussed the tenets of #Active #Defense, and talked about a little skunkworks project of Ben's that you will find enjoyable.
Direct Link: http://brakeingsecurity.com/2015-044-a-mad-mad-mad-mad-world-with-ben-donnelly
Promethean Security MAD GitHub: https://github.com/PrometheanInfoSec/MAD
Demo Video (~110MB): http://traffic.libsyn.com/brakeingsecurity/MAD_Ben_edited.mkv
Backup Demo Download (gDrive) site (~110MB): https://goo.gl/FtWlCM
Check us out using the TuneIn App!: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
RSS: http://www.brakeingsecurity.com/rss
#activeDefense #blueTeam #intrusionDefense #benDonnelly

Oct 22, 2015 • 45min
2015-043: WMI, WBEM, and enterprise asset management
WMI (Windows Management Instrumentation) has been a part of the Windows Operating system since Windows 95. With it, you can make queries about information on hosts, locally and even remotely.
Why are we talking about it? Its use in the enterprise by admins is rare, but its use by bad actors for moving laterally is growing. It's highly versatile, scriptable, and can even be used to trigger actions when other programs run on a system.
Mr. Boettcher and I sit down and discuss the functions of #WMI, its history, what classes and objects are, and ways you can leverage WMI to make your admins' jobs much easier.
#assetmanagement #remotemanagement #wbem #wmi #windows
DerbyCon WMI talk: http://www.irongeek.com/i.php?page=videos/derbycon5/break-me12-whymi-so-sexy-wmi-attacks-real-time-defense-and-advanced-forensic-analysis-matt-graeber-willi-ballenthin-claudiu-teodorescu
Wbemtest: http://blogs.technet.com/b/chad/archive/2012/03/08/tip-45-wbemtest-the-underappreciated-tool.aspx
WMI documentation: https://msdn.microsoft.com/en-us/library/aa384642(v=vs.85).aspx
TuneIn podcast Link: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
RSS: http://www.brakeingsecurity.com/rss
Show notes

Oct 14, 2015 • 1h 12min
2015-042: Log_MD, more malware archaeology, and sifting through the junk
Just before #Derbycon, we invited Michael Gough (@hackerhurricane) to join us on the #podcast.
For the last 3-4 months, my co-host Brian and he have been engaged in the creation of a software tool that would make #log #analysis of #windows systems quicker, and together they have achieved that with "Log-MD", short for Log Malicious Discovery.
#Malware and #bots on infected hosts always leave a fingerprint of what they are doing. This software takes your system, configures it to get the maximum #logging output possible, then puts everything in a nice readable format, enabling you to filter out known good items and leaving you with bad items or suspicious activity. This allows you to analyze #logfiles and find malware in less time than before, which makes #forensics of infected systems faster and more economical.
We do some discussion of #Log-MD, and then we have Michael demo Log-MD for us.
Video demo: https://youtu.be/0_J90sOVY8c
log-MD site: http://log-md.com/
RSS: http://www.brakeingsecurity.com/rss
iTunes: https://itunes.apple.com/us/podcast/2015-042-log-md-more-malware/id799131292?i=354715938&mt=2