

The Cyber Threat Perspective
SecurIT360
Step into the ever-evolving world of cybersecurity with the offensive security group from SecurIT360. We’re bringing you fresh content from our journeys into penetration testing, threat research and various other interesting topics.
brad@securit360.com
Episodes

Apr 12, 2023 • 36min
Episode 36: Pentest vs Purple Team vs Red Team
Explore the intriguing world of cybersecurity as experts dissect the differences between penetration testing, purple team exercises, and red team engagements. Discover the critical role of standardized terminology in aligning security needs with client expectations. Learn how public information can be a double-edged sword, posing risks that attackers can exploit. Dive into the dynamic interplay of red, blue, and purple teams, illuminating collaborative strategies to enhance an organization's security posture and resilience.

Apr 5, 2023 • 42min
Episode 35: Getting Into Pentesting Without an IT Background
In this episode, Spencer and Tyler discuss Tyler's journey from working at Home Depot to getting a job as a Penetration Tester. They also share first-hand advice for those that are looking to break into this exciting field.
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://click.spenceralessi.com/mylinks
Work with Us: https://securit360.com

Mar 29, 2023 • 26min
Episode 34: The State of Web Application Penetration Testing
In this episode, Darrius and Brad look at the current state of web application penetration testing, why it is how it is, and what you can do if you want to break into the field.
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://click.spenceralessi.com/mylinks
Work with Us: https://securit360.com

Mar 22, 2023 • 24min
Episode 33: Reflections on Privacy Law and Privacy Issues
In this episode, Brad and Darrius talk about some of the buzz around recent changes in privacy regulation/law and how it may impact other market verticals such as banking, law firms, and retail.
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://click.spenceralessi.com/mylinks
Work with Us: https://securit360.com

Mar 15, 2023 • 32min
Episode 32: Our Favorite Pentesting Tools: PingCastle
In this episode Spencer shares his affinity for PingCastle. If you are in IT, if you're a sysadmin or network admin or have any kind of responsibility for the security of your environment, I encourage you to have a look at PingCastle. Not only can it be used to find VERY severe vulnerabilities, but you can use it to track progress over time and show leadership you're doing the work. We also talk about some of my favorite ways to use this tool on penetration tests.
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://click.spenceralessi.com/mylinks
Work with Us: https://securit360.com

Mar 8, 2023 • 35min
Episode 31: Pentesting War Stories
In this episode Brad and Spencer discuss some of the more, interesting, pentest engagements they've been on. The goal of this episode is to reflect on some of the significant vulnerabilities and "cool" attacks we've performed on pentests, yes, but it's also an important reminder that if we don't remember history we are bound to repeat it. Yes we are total nerds and no we're not going to apologize for that ;)
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://click.spenceralessi.com/mylinks
Work with Us: https://securit360.com

Mar 1, 2023 • 32min
Episode 30: LastPass DataBreach Updates
In this episode, Brad and Spencer discuss the newly released information surrounding the 2022 LastPass data breach. They discuss potential controls that may have prevented the incident and recommendations for protecting your own organization against this kind of threat.
https://support.lastpass.com/download/lastpass-blog-security
https://support.lastpass.com/help/what-data-was-accessed
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://click.spenceralessi.com/mylinks
Work with Us: https://securit360.com

Feb 22, 2023 • 33min
Episode 29: Critical Vulnerabilities You WON’T Find Using Nessus
Explore the dark side of vulnerability management as the hosts discuss the limitations of tools like Nessus. Discover how overlooked vulnerabilities can be exposed through methods like penetration testing and source code review. Learn the importance of proactive security assessments before deployment. Delve into the complexities of red teaming and the significance of internal cybersecurity processes. Uncover hidden risks associated with application servers that typical scans might miss, emphasizing a comprehensive cybersecurity strategy.

Feb 15, 2023 • 28min
Episode 28: BurpSuite 2023 Roadmap - Huge Improvements!
In this episode, Brad and Darrius discuss recent and upcoming changes made to the BurpSuite line of products. If you're a web application penetration tester or just interested in web application security, check this out, it's a game-changer.
PortSwigger Post: https://portswigger.net/blog/burp-suite-roadmap-update-january-2023
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://click.spenceralessi.com/mylinks
Work with Us: https://securit360.com

Feb 8, 2023 • 38min
Episode 27: Password Myths Misconceptions and Lies
Brad and Spencer debunk common myths about password security and highlight the flaws in current standards. They argue for longer and stronger passwords, addressing the cognitive overload that leads to weak choices. The discussion critiques outdated practices in financial institutions and the reliance on user compliance. They urge a shift from blaming users to implementing layered defenses in cybersecurity. The podcast also debates methods for managing passwords, advocating for password managers over simplistic solutions.