In this episode Brad and Spencer discuss some of the more, interesting, pentest engagements they've been on. The goal of this episode is to reflect on some of the significant vulnerabilities and "cool" attacks we've performed on pentests, yes, but it's also an important reminder that if we don't remember history we are bound to repeat it. Yes we are total nerds and no we're not going to apologize for that ;)Blog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.com

In this episode, Brad and Spencer discuss the newly released information surrounded the 2022 LastPass data breach. They discuss potential controls that may have prevented the incident and recommendations for protecting your own organization against this kind of threat.https://support.lastpass.com/download/lastpass-blog-securityhttps://support.lastpass.com/help/what-data-was-accessedBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.com

Explore the dark side of vulnerability management as the hosts discuss the limitations of tools like Nessus. Discover how overlooked vulnerabilities can be exposed through methods like penetration testing and source code review. Learn the importance of proactive security assessments before deployment. Delve into the complexities of red teaming and the significance of internal cybersecurity processes. Uncover hidden risks associated with application servers that typical scans might miss, emphasizing a comprehensive cybersecurity strategy.

In this episode, Brad and Darrius discuss recent and upcoming changes made to the BurpSuite line of products. If you're a web application penetration tester or just interested in web application security, check this out, it's a game-changer.PortSwigger Post: https://portswigger.net/blog/burp-suite-roadmap-update-january-2023Blog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.comBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.com

Brad and Spencer debunk common myths about password security and highlight the flaws in current standards. They argue for longer and stronger passwords, addressing the cognitive overload that leads to weak choices. The discussion critiques outdated practices in financial institutions and the reliance on user compliance. They urge a shift from blaming users to implementing layered defenses in cybersecurity. The podcast also debates methods for managing passwords, advocating for password managers over simplistic solutions.

Explore practical strategies to enhance your cloud security game! Discover the vital role of access control in protecting your cloud environments, especially in Azure and Microsoft 365. Uncover the vulnerabilities in Azure Active Directory and learn how to thwart social engineering attacks. Find out why enabling audit logging and adopting a 'zero trust' approach is crucial. Plus, hear best practices for collaboration between development and security teams, ensuring your cloud infrastructure remains resilient and secure.

Discover the crucial steps to prepare for a penetration test, including establishing a strong password policy and managing access control. Dive into why testing your antivirus and EDR systems is essential for effective security measures. Learn about the importance of a secure test environment and realistic data configurations, while exploring the evolving landscape of social engineering and phishing tactics. The discussion is lightened with humor, ensuring an engaging experience while tackling these serious topics.

The discussion covers easy and effective strategies to strengthen Active Directory security. Topics include managing weak passwords and the importance of unique local admin passwords. The challenges faced by small IT teams and common misconfigurations are highlighted. Free tools like Pink Castle and Bloodhound are introduced as valuable resources for identifying vulnerabilities. Emphasis is placed on change control processes and consistent auditing to mitigate security risks in organizational environments.

Discover the ins and outs of External Penetration Testing and the essential role of the PTES framework. Delve into the world of Open Source Intelligence (OSINT) and learn how it can uncover vulnerabilities—especially for law firms. Explore different methods of external pentesting, including gray box and black box techniques, and the human element of social engineering that can lead to breaches. Get critical insights on reporting findings and the importance of effective communication. Plus, find tips on selecting the right testing partner!

In this episode Spencer and Darrius discuss the most recent LastPass Breach. We talk all about what happened, what it means to you and I as well as what it means for firms who use LastPass on an enterprise level. At the end we discuss some thoughts and opinions around with LastPass versus finding a new password vault product and some things to pay attention to if you're in the later boat.Blog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.com