
BrakeSec Education Podcast

Latest episodes

May 26, 2015 • 37min

2015-023_Get to know a Security Tool: Security Onion!

Deploying tools to make your network more secure is no easy task. This week we look at Security Onion, a distribution that gives you an IDS and a log analysis platform in less than 20 minutes.  http://blog.securityonion.net/p/securityonion.html
May 17, 2015 • 56min

2015-022: SANS Top 25 Critical Security Controls-#10 and #11

When you're working with network infrastructure, there is a real need for proper configuration management and for a proper baseline to work from. Mr. Boettcher and I continue through the SANS Top 20 Critical Security Controls. Controls #10 and #11 both deal with network infrastructure: proper patching and secure baselines, so that your devices are as hardened as possible. Your company's security structure needs to be a 'brick', not an 'egg'.
May 10, 2015 • 40min

2015-021: 24 Deadly Sins: Command injection

We continue our journey through the 24 Deadly Programming Sins. If you listened to last week's podcast, we introduced the book we are using as a study tool: http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751 This week is on command injection. We first discussed command injection as part of our OWASP Top 10 for 2013 series, but you'll be surprised just how easily developers introduce conditions into their code that allow command injection.
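As an added example, not from the podcast or from the book, here is the pattern the episode refers to, in Python: a lookup helper that splices user input into a shell command string, beside the hardened form that passes an argument vector with no shell and validates the hostname against an allowlist. The `echo` stand-in for a real network tool, the function names and the sample payload are constructed here so the example runs offline and shows exactly what the shell received.

```python
import re
import subprocess

# Constructed stand-in for a real tool such as ping or nslookup: "echo" is used
# so the example runs offline and the returned text shows what actually ran.
TOOL = "echo"

# Conservative hostname allowlist (letters, digits, dot, hyphen; RFC length cap).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def lookup_unsafe(host: str) -> str:
    """Vulnerable: untrusted input is interpolated into a shell command line.

    With shell=True the string goes to /bin/sh, so metacharacters such as
    ';', '|', '&&' and '$(...)' in 'host' are parsed as shell syntax.
    """
    cmd = f"{TOOL} {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_no_shell(host: str) -> str:
    """Argument vector, no shell: metacharacters reach the tool as literal text.

    This alone stops command injection; it does not stop the tool itself from
    misreading a hostile argument (e.g. one starting with '-'), hence the
    validation in lookup_safe().
    """
    return subprocess.run([TOOL, host], capture_output=True, text=True).stdout


def lookup_safe(host: str) -> str:
    """Hardened: allowlist validation plus an argument vector with no shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return subprocess.run([TOOL, host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"  # constructed injection payload
    print("unsafe  :", repr(lookup_unsafe(payload)))    # second command runs
    print("no shell:", repr(lookup_no_shell(payload)))  # payload echoed literally
    try:
        lookup_safe(payload)
    except ValueError as exc:
        print("safe    :", exc)
```

The first fix is always the same: never hand a string built from user data to a shell; pass an argument list instead. Input validation is defense in depth on top of that, not a substitute, because escaping rules differ between shells and between the tools being invoked.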
May 3, 2015 • 38min

2015-020 - Deadly Programming Sins - Buffer Underruns

Code audits are a necessary evil. Many organizations rely on automated tools, but tools may not find every issue in the code. Sometimes you need to look at the code yourself.  Mr. Boettcher and I begin going through the book "24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them". This week we cover "buffer overruns": what they are and how they occur. Get ready for a crash course in code audits. The book is not required, but it definitely helps when we are discussing concepts. We also mentioned our new Patreon account, so if you are a listener and want to support what we do, you can give on a monthly schedule. Donations are entirely optional, and if you don't wish to give, that's fine too.   24 Deadly Sins on Amazon: http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751/ref=sr_1_1?ie=UTF8&qid=1430622916&sr=8-1&keywords=24+deadly+sins+of+software+security+programming+flaws+and+how+to+fix+them   https://cwe.mitre.org/
Apr 26, 2015 • 58min

2015-018- How can ITIL help you flesh out your infosec program?

When you're faced with major projects, or trying to understand why your IDS fails every day at the same time, you need a way to work that out. And when you must do the yearly business continuity failover, you need a process-oriented framework to track changes and ensure they are committed in a sane, orderly manner. ITIL is a versatile, flexible framework that scales with your organization. You can also apply it to your software development lifecycle, and use it to support major projects and security initiatives. Tim Wood joins us for the second part of his interview. We discuss Change Management, Problem Management, and making inter-departmental SLAs a reality for proper management of changes.   Tim Wood's Presentation: https://drive.google.com/file/d/0B-qfQ-gWynwiVS0zLTZidml0VzA/view?usp=sharing (view only)
Apr 18, 2015 • 56min

2015-017: History of ITIL, and integrating Security

Much of InfoSec and Compliance is about processes, procedures, controls, audits, and the proper management of all of these.  To do that, you need a framework that makes them as seamless as possible. ITIL is one such framework. We introduce Mr. Tim Wood on the podcast, who has over 20 years of ITIL experience and began ITIL implementations in banks and healthcare systems in the United Kingdom. He currently works with different industries to change culture and make ITIL a reality. This week we go over the history of ITIL and its various incarnations from v1.0 to v3.0. You'll quickly see where security fits into the facets of the ITIL framework.   Tim Wood's Presentation: https://drive.google.com/file/d/0B-qfQ-gWynwiVS0zLTZidml0VzA/view?usp=sharing (view only)
Apr 7, 2015 • 34min

2015-016: Special Interview: Cybrary.it

Special interview this week! On the heels of their hugely successful Kickstarter campaign, we brought co-founder Ryan and one of the technical editors, Anthony, in to discuss what Cybrary is. We also discuss ways you can leverage it in your own business to get quality security awareness training, and to train your employees on infosec topics that benefit both the company and its people. You can find out more at http://www.cybrary.it
Apr 4, 2015 • 43min

2015-015: 2015 Verizon PCI report

It's that time of year again...  when all the reports come out that show how various industries did over the last year. Brakeing Down Security went over the results of the Verizon PCI report.  Did companies do worse this year, or did they actually improve? Listen to our analysis of what companies can learn from this, and how you can use the report to get a leg up when your QSA comes calling.    http://www.verizonenterprise.com/pcireport/2015/   Pay the IRS using "Snapcard": http://www.coindesk.com/pay-taxes-bitcoin-snapcard-pay-irs/   According to the US Internal Revenue Service (IRS), virtual currencies are treated as "property": http://www.irs.gov/uac/Newsroom/IRS-Virtual-Currency-Guidance
Mar 28, 2015 • 58min

2015-014-SANS Top 20 Controls - #12 and #13

We continue our trek down the list of SANS Top 20 Critical Security Controls this week with #12 and #13: Boundary Defense, and Controlled Use of Administrative Privileges.  Learn what you can do to shore up your network perimeter, and how to handle admin privileges: when to grant that kind of access, and how to make privileged access as secure as possible while still allowing administrators to do their work.     https://www.sans.org/media/critical-security-controls/CSC-5.pdf     http://www.openspf.org/   https://4sysops.com/
Mar 21, 2015 • 50min

2015-013-Hackerspaces and their sense of community

We invited the organizers of TheLab.ms, a Dallas, Texas based hacker/makerspace, onto the podcast to talk about why they wanted to start a makerspace, the costs and planning involved in setting one up, and some of the things you can do with a makerspace. We also discuss the sense of community and the learning environment these places provide.  If you are looking to start a space in your area, or want to understand why they are needed in a community, you'll want to listen to Roxy, Sean, and Jarrod talk about the highs and lows and even some of the gotchas of setting up a space.
