
BrakeSec Education Podcast
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
Latest episodes

Jun 6, 2021 • 43min
2021-020: Security Sphynx, Preparing for ZeroTrust implementation - Part1
Full show notes are available here: https://docs.google.com/document/d/14dCpXeQ520IcZC3m007zVPhlIPXKgfv0LkqVnbDx0fc/edit?usp=sharing

EO from President Biden asked for a plan to create a Zero Trust implementation in the next 90 days (well, 70ish days now… as of 23 May)
https://twitter.com/SecuritySphynx/status/1390475868032618496
@securitySphynx: “CIO: Zero Trust is the way…”

What is the optimal configuration (read: easiest) zero trust config? Are there different ways to implement Zero Trust?
https://solutions.pyramidci.com/blog/posts/2021/february/the-swiss-cheese-approach/
https://tulsaworld.com/opinion/columnists/zero-trust-security-assume-that-everyone-and-everything-on-the-internet-is-out-to-get/article_f6bdbfad-1aae-5063-8ac0-6a1faf5a244c.html
https://www.reddit.com/r/devops/comments/bqo6kp/open_source_or_cheap_zero_trust_beyondcorp/
https://opensource.com/article/17/6/4-easy-ways-work-toward-zero-trust-security-model
https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf

What is ZTA?
Who are your users?
What devices are in use? Device attestation/health checks
What applications exist? Not just into/out of the traditional LAN network - do you understand the dependencies of applications and databases and how the traffic flows?
What connections exist? Where is the data/traffic coming from? Going to?
When is this activity occurring, and what is expected?
WHY: Need to balance access to technical resources in a rapidly evolving and dynamic business landscape that ceases to exist within the confines of normal security perimeters.
Mobile workforce - how much work can you get done without ever getting on the VPN?

Blockers
Technical Debt
IT Hygiene
Zero Trust REQUIRES the pre-work of establishing baselines. You cannot detect abnormality in the absence of normality.
Policy should exist to drive what the specifications of a baseline system, server, application, etc. will be.
Network traffic, endpoint performance, SIEM tuning, endpoint agent/software accountability
ZTA is less useful if you're not doing basic patching and application updates, or are still allowing local admin at the system level.
Legacy Systems: Not designed with this approach in mind, and often costly to modernize.
Asset Management: Where are your assets and how are they used? A “rough estimate” of endpoints is never good enough. What are you logging? What AREN’T you logging?
Human resources/talent: Stale accounts, service accounts, HR workflows for onboarding/offboarding. Limitations of admin rights. Local admin/password expiration issues for sales/travelling employees. User rights auditing.
Politics: Getting support/$$$/buy-in for retrofitting applications that are “working just fine” is a huge political/business hurdle.
SaaS/PaaS/etc. offerings: What can you move from traditional on-prem solutions to cloud-based services? (more up to date, regularly reviewed for security vulnerabilities, offloading responsibility of maintenance, SSO capabilities)

Where to go from here:
AAA requirements
MFA is a MUST. No, it's not perfect, but it is one more layer of efficacy.
Identify data owners; make them responsible for RBAC development with technical departments.
Quantify risk associated with mishandled resources for crown jewels (see previous section on politics).
Change control around permissions and access.
Security as an active participant in the development/acquisition of new products, software, services, or organizations. Like remodeling a house, it is much easier to build security into the process than to hire someone to retrofit it later.
Have discussions around REAL RBAC needs BEFORE implementing a solution. It is easier to expand permissions than it is to take them away. Resist the idea that the easy button of broad-stroke permissions is always the right choice.
What auditing are you doing? Have you baselined behavior? Where are your logs going, and WHO IS RESPONSIBLE FOR REVIEWING THEM?
Asset Inventory (again)...
Then… HIDS/Firewall, Patch, Applocker/Application Controls. Lather, rinse, repeat. It’s hard, it’s time-consuming, and it requires a LOT of support for business unit owners.
DLP
Classification
Capture metrics, then set KPIs and regular check-ins to reduce MTTP/MTTR/MTTD.
Manage the Endpoint: Stop thinking about the perimeter as your weakest point. The endpoint is critical and increasingly vulnerable, mobile, and out of traditional “control”. Real-time, actionable data and capabilities are critical to remediation and progress.

Would you like to know more? https://www.beyondtrust.com/blog/entry/why-zero-trust-is-an-unrealistic-security-model

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#AmazonMusic: https://brakesec.com/amazonmusic
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://brakesec.com/pandora
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

May 28, 2021 • 47min
2021-019-Joe Gray, OSINT CTFs, gamifying and motivating to do the right thing
Part 2: CTF OSINT discussion
How people will give additional information, even if they aren't receiving points for it.
Gamifying and motivating people to 'do the right thing', like offering a chance to win a lottery for a covid vaccine, or free sports tickets to get a shot, or gift cards when reporting phishes.

Joe Gray @C_3PJoe
OSINTION https://theosintion.com
New book… ship date? How to get it?
https://www.amazon.com/Practical-Social-Engineering-Joe-Gray/dp/171850098X/
https://nostarch.com/practical-social-engineering
"Gray provides a very accessible look at social engineering that should be essential reading for pentesters and ethical hackers." — Ian Barker, BetaNews
Story (Bryan: found my shipmate from the Navy)
Gathering OSINT (what is ethically too far?)
OSINT heartbeat
https://matrix.berkeley.edu/research-article/berkeley-protocol-open-source-investigations/
https://hunter.io/
https://halalgoogling.com/
The OSINTion Discord: https://discord.gg/p78TTGa
Stick/carrot interactions
https://www.aamc.org/news-insights/dollars-doughnuts-will-incentives-motivate-covid-19-vaccination
How do we motivate or create the desire?
Ohio Covid lottery - https://www.dispatch.com/story/news/2021/05/13/ohio-covid-vaccine-lottery-heres-how-you-can-win/5071370001/
Art sessions with Ms. Berlin

May 22, 2021 • 1h 4min
2021-018-LawyerLiz, Pres. Biden's EO, and the clueless professor
Elizabeth Wharton: @lawyerliz on Twitter

Executive Order (https://www.americanbar.org/groups/public_education/publications/teaching-legal-docs/what-is-an-executive-order-/):
“An executive order is a signed, written, and published directive from the President of the United States that manages operations of the federal government. They are numbered consecutively, so executive orders may be referenced by their assigned number, or their topic. Other presidential documents are sometimes similar to executive orders in their format, formality, and issue, but have different purposes. Proclamations, which are also signed and numbered consecutively, communicate information on holidays, commemorations, federal observances, and trade. Administrative orders—e.g. memos, notices, letters, messages—are not numbered, but are still signed, and are used to manage administrative matters of the federal government. All three types of presidential documents—executive orders, proclamations, and certain administrative orders—are published in the Federal Register, the daily journal of the federal government that is published to inform the public about federal regulations and actions. They are also catalogued by the National Archives as official documents produced by the federal government. Both executive orders and proclamations have the force of law, much like regulations issued by federal agencies, so they are codified under Title 3 of the Code of Federal Regulations, which is the formal collection of all of the rules and regulations issued by the executive branch and other federal agencies. Executive orders are not legislation; they require no approval from Congress, and Congress cannot simply overturn them. Congress may pass legislation that might make it difficult, or even impossible, to carry out the order, such as removing funding. Only a sitting U.S. President may overturn an existing executive order by issuing another executive order to that effect.”

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Another Review: https://www.atlanticcouncil.org/blogs/new-atlanticist/markup-our-experts-annotate-bidens-new-executive-order-on-cybersecurity/
https://www.insurancejournal.com/news/national/2021/05/21/615373.htm

Excerpts from the EO:
Within 60 days of the date of this order, the head of each agency shall: (i) update existing agency plans to prioritize resources for the adoption and use of cloud technology as outlined in relevant OMB guidance; (ii) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them; and
Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.
Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Attorney General, the Director of the FBI, and the Administrator of General Services acting through the Director of FedRAMP, shall establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, in order to ensure effective information sharing among agencies and between agencies and CSPs.

SBOM! Dr. Allan Friedman on BrakeSec:
https://brakeingsecurity.com/2020-031-allan-friedman-sbom-software-transparency-and-knowing-how-the-sausage-is-made
http://brakeingsecurity.com/2020-032-dr-allan-friedman-sbom-software-transparency-and-how-the-sausage-is-made-part-2

providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website; (viii) participating in a vulnerability disclosure program that includes a reporting and disclosure process; (ix) attesting to conformity with secure software development practices
Within 270 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the Federal Trade Commission (FTC) and representatives of other agencies as the Director of NIST deems appropriate, shall identify IoT cybersecurity criteria for a consumer labeling program, and shall consider whether such a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs consistent with applicable law. The criteria shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone, and shall use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products. The Director of NIST shall examine all relevant information, labeling, and incentive programs and employ best practices. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize manufacturer participation.

https://thehill.com/opinion/technology/553891-our-cybersecurity-industry-best-practices-keep-allowing-breaches?rl=1
Rebuttal to “The Hill article”: https://soatok.blog/2021/05/19/a-balanced-response-to-allen-gwinn/ (thank you Brian Harden, @_noid)
Author’s ‘apology’: https://twitter.com/2wiredSecurity/status/1395531110436704258

May 18, 2021 • 47min
2021-017-Joe Gray on his future book, the OSINT loop, motivators, and gamification - part1
Joe Gray @C_3PJoe
OSINTION https://theosintion.com
New book… ship date? How to get it?
https://www.amazon.com/Practical-Social-Engineering-Joe-Gray/dp/171850098X/
https://nostarch.com/practical-social-engineering
"Gray provides a very accessible look at social engineering that should be essential reading for pentesters and ethical hackers." — Ian Barker, BetaNews
Story (Bryan: found my shipmate from the Navy)
Gathering OSINT (what is ethically too far?)
OSINT heartbeat
https://matrix.berkeley.edu/research-article/berkeley-protocol-open-source-investigations/
https://hunter.io/
https://halalgoogling.com/
The OSINTion Discord: https://discord.gg/p78TTGa

May 5, 2021 • 45min
2021-016-researchers knowingly add vulnerable code to linux kernel, @pageinsec joins us to discuss -part2
Updates to the Linux kernel controversy: https://lwn.net/SubscriberLink/854645/334317047842b6c3/
@pageinSec on Twitter
Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/
Spencer Gietzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments
https://en.wikipedia.org/wiki/Milgram_experiment
https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/
https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021
https://www.labbott.name/blog/2021/04/21/breakingtrust.html
Seems like a number of patches were added (~190) and each had to be reviewed to check for badness.
https://twitter.com/UMNComputerSci/status/1384948683821694976
Response to researchers, Linux Kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/
https://twitter.com/SarahJamieLewis/status/1384871385537908736
@sarahJamieLewis shows the change they submitted in their paper:
https://twitter.com/SarahJamieLewis/status/1384876050207940608
https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1
https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1
https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.)
https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.)
“Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned---Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.”
https://github.com/QiushiWu/qiushiwu.github.io
NSF Grant application (thank you Page!): https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false
NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp
Might be more recent - Human Subjects | NSF - National Science Foundation
The researchers issued an apology today, 25 April: https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/
*thanks to Zack Whittaker’s security mailing list*
https://twitter.com/argvee
Thought-provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset?
Co-author of: https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127
Introduction of bugs (meaningful or otherwise) caused more work for devs.
Revert: https://lkml.org/lkml/2021/4/21/454
Quick overview of using deception in research from Duke’s IRB: Using Deception in Research | Institutional Review Board (duke.edu)
Is this better? Where’s the line on this? https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/

Apr 27, 2021 • 47min
2021-015-researchers knowingly add vulnerable code to linux kernel, @pageinsec joins us to discuss -part1
@pageinSec on Twitter
Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/
Spencer Gietzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments
https://en.wikipedia.org/wiki/Milgram_experiment
https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/
https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021
https://www.labbott.name/blog/2021/04/21/breakingtrust.html
Seems like a number of patches were added (~190) and each had to be reviewed.
https://twitter.com/UMNComputerSci/status/1384948683821694976
Response to researchers, Linux Kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/
https://twitter.com/SarahJamieLewis/status/1384871385537908736
@sarahJamieLewis shows the change they submitted in their paper:
https://twitter.com/SarahJamieLewis/status/1384876050207940608
https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1
https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1
https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.)
https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.)
“Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned---Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.”
https://github.com/QiushiWu/qiushiwu.github.io
NSF Grant application (thank you Page!): https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false
NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp
Might be more recent - Human Subjects | NSF - National Science Foundation
The researchers issued an apology today, 25 April: https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/
*thanks to Zack Whittaker’s security mailing list*
https://twitter.com/argvee
Thought-provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset?
Co-author of: https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127
Introduction of bugs (meaningful or otherwise) caused more work for devs.
Revert list of 190 patches (threaded): https://lkml.org/lkml/2021/4/21/454
Quick overview of using deception in research from Duke’s IRB: Using Deception in Research | Institutional Review Board (duke.edu)
Is this better? Where’s the line on this? https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/

Apr 13, 2021 • 52min
2021-014-Slipstreaming blocked by Chrome, Slack being used for malware, plus dork and deskjockeys!
Chrome Blocks Port 10080 to Prevent Slipstreaming Hacks - E Hacking News - Latest Hacker News and IT Security News
https://www.reddit.com/r/netsec/comments/jlu3cf/nat_slipstreaming/
Samy Kamkar - NAT Slipstreaming v2.0
Slack and Discord are Being Hijacked by Hackers to Distribute Malware - E Hacking News - Latest Hacker News and IT Security News
Texan's alleged Amazon bombing effort fizzles: Militia man wanted to take out 'about 70 per cent of the internet' • The Register
Pwn2Own 2021: Hackers Offered $200,000 for Zoom, Microsoft Teams Exploits | SecurityWeek.Com
https://twitter.com/k8em0/status/1381258155485585409
https://twitter.com/alisaesage/status/1380797761801445376?s=20
infosecCampout 2021
Hackers Who Paint
WWHF Way West
https://pastebin.com/2eYY6trD (for training students)
@lintile @infosecroleplay

Apr 7, 2021 • 59min
2021-013-Liana_McCrea-Garrison_Yap-cecil_hotel, Elisa_Lam-physical_security-part2
Reparations.tech
*Public Safety Coordinators
-Field Operations (Road Incidents)
-Specialized Buildings (The Library, Medical Facilities, CCR)
*Public Safety Officers

A. Discuss Training
-SOP Creation
*SOPs are very custom and dependent on the organization. There are no “NIST” standards. [IN CYBER: Frameworks for Physical Security ---> ]
*Think on your feet; many plans often get thrown out the window.
*Creating policies due to unforeseen incidents
-Physical Security Assessments: Fire Panels, AED, Roof Accesses
*The Checklist: Baseline configuration of the operations for a building
*Locksmith Troubleshooting
*Lack of Funding (Historically) + Ways to Address this In-House
Talking to Strangers: What We Should Know about the People We Don't Know: Gladwell, Malcolm: 9780316478526: Amazon.com: Books

Situational Awareness (?) “What is Situational Awareness?”
-There’s a lack of good training to discuss their own physical security
*Ph.D.s leaving car doors wide open, blaming safety officers when they mess up
*Common sense is not so common
*Scenarios don’t always cover every event
*Dead bodies, car accidents, people streaking (lol), medical issues
-Policies can be simple, like opening a car door
*Need to vet whether it is actually the person's car
Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security?
Summary of the Clery Act | Clery Center: “The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics. In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety.”

C. Real Life examples of Physical Security Blunders
Death of Elisa Lam - Wikipedia
Crime Scene: The Vanishing at the Cecil Hotel - Wikipedia
STORY: Person called a SOC, asked to get into their car (but not their vehicle)
Performing multiple sweeps of common areas to prevent squatting
Staff “tripping” alarms
Deceased Faculty + No Sleeping Policy

Working as a Team
*Escalation Management
*Police often increase tensions when de-escalation is needed.
*Working as a team
*Locksmith Team + Public Safety Team
*Looking for talent in unexpected places to transfer over to CyberSecurity (Build the Bridge)
Lockpicking Community: [insert folks on twitter / youtube]

Companies heading back to work
What should IT or Security think about for your businesses that may not have had people in for 6-9 months?
If companies don’t have cameras or physical controls, should they think about looking at improving?

Connect with Us!
Liana McCrea: @GeecheeThreat (Twitter) + LinkedIn
Garrison Yap: Garrisony75 (Twitter) + LinkedIn

What is physical security? How to keep your facilities and devices safe from on-site attackers | CSO Online
Physical security - Wikipedia
5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com)
12 Security Camera System Best Practices – Cyber Safe (een.com)
What is Physical Security? Measures & Planning Guide + PDF (openpath.com)

Mar 30, 2021 • 33min
2021-012-physical security discussion with @geecheethreat and @garrisony75 -pt1
Bios for guests
Reparations.tech
*Public Safety Coordinators
-Field Operations (Road Incidents)
-Specialized Buildings (The Library, Medical Facilities, CCR)
*Public Safety Officers

A. Discuss Training
-SOP Creation
*SOPs are very custom and dependent on the organization. There are no “NIST” standards. [IN CYBER: Frameworks for Physical Security ---> ]
*Think on your feet; many plans often get thrown out the window.
*Creating policies due to unforeseen incidents
-Physical Security Assessments: Fire Panels, AED, Roof Accesses
*The Checklist: Baseline configuration of the operations for a building
*Locksmith Troubleshooting
*Lack of Funding (Historically) + Ways to Address this In-House
Talking to Strangers: What We Should Know about the People We Don't Know: Gladwell, Malcolm: 9780316478526: Amazon.com: Books

Situational Awareness (?) “What is Situational Awareness?”
-There’s a lack of good training to discuss their own physical security
*Ph.D.s leaving car doors wide open, blaming safety officers when they mess up
*Common sense is not so common
*Scenarios don’t always cover every event
*Dead bodies, car accidents, people streaking (lol), medical issues
-Policies can be simple, like opening a car door
*Need to vet whether it is actually the person's car
Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security?
Summary of the Clery Act | Clery Center: “The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics. In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety.”

C. Real Life examples of Physical Security Blunders
Death of Elisa Lam - Wikipedia
Crime Scene: The Vanishing at the Cecil Hotel - Wikipedia
STORY: Person called a SOC, asked to get into their car (but not their vehicle)
Performing multiple sweeps of common areas to prevent squatting
Staff “tripping” alarms
Deceased Faculty + No Sleeping Policy

Working as a Team
*Escalation Management
*Police often increase tensions when de-escalation is needed.
*Working as a team
*Locksmith Team + Public Safety Team
*Looking for talent in unexpected places to transfer over to CyberSecurity (Build the Bridge)
Lockpicking Community: [insert folks on twitter / youtube]

Companies heading back to work
What should IT or Security think about for your businesses that may not have had people in for 6-9 months?
If companies don’t have cameras or physical controls, should they think about looking at improving?

Connect with Us!
Liana McCrea: @GeecheeThreat (Twitter) + LinkedIn
Garrison Yap: Garrisony75 (Twitter) + LinkedIn

What is physical security? How to keep your facilities and devices safe from on-site attackers | CSO Online
Physical security - Wikipedia
5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com)
12 Security Camera System Best Practices – Cyber Safe (een.com)
What is Physical Security? Measures & Planning Guide + PDF (openpath.com)

Mar 21, 2021 • 46min
2021-011- Dr. Catherine J Ullman, the art of communication in an Incident - Part 2
In this episode:
Knowing your audience - discussing the IR impact. How did this happen?
How deep do you want to tailor your potential discussion?
Every level must be asking "what, when, why, how?", not just those in the trenches.
Does the level of incident mean that communication scales accordingly?
And much more!

Dr. Catherine J. Ullman (@investigatorchi)
Incident Response communications

Reminders:
Patreon: Jeff T. just became a $2 patron!
Accepted to CircleCityCon on IR communications!
Bsides Rochester: Security B-Sides Rochester
Spoke at SeaSec meetups

Qualys Update on Accellion FTA Security Incident | Qualys Security Blog
Security Advisory | SolarWinds
Family Educational Rights and Privacy Act (FERPA)
It’s important to share necessary information with senior-level people and higher-ups, but is there such a thing as ‘oversharing’? How do you toe the line between oversharing and saying nothing at all?
In higher ed, are you beholden to different disclosure requirements than businesses?
What is Server Side Request Forgery (SSRF)? | Acunetix
13 Beautiful Tools to Create Status Pages for your Business (geekflare.com)
Laying communication groundwork
Status pages (notifying users)