Brakeing Down Security Podcast

Follow Brakeing Down Security Podcast
Share on
Copy link to clipboard

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veter…

Bryan Brake - CISSP | Information Security | Vuln Management


    • Feb 17, 2025 LATEST EPISODE
    • infrequent NEW EPISODES
    • 52m AVG DURATION
    • 460 EPISODES

    4.7 from 98 ratings Listeners of Brakeing Down Security Podcast that love the show mention: infosec podcasts, bds, slack channel, brake, great security, security podcast, bryan, brian, join, tools, information, community, team, nice, keep up the good work, topics, guys, favorite, excellent, job.


    Ivy Insights

    The Brakeing Down Security Podcast is a must-listen for anyone in the infosec industry, whether they are well-established innovators or just starting out. Hosted by Bryan and the BDS team, this podcast covers a wide range of topics related to data security and features conversations with leaders who have experienced success in the field. The practical and varied topics discussed on the show provide valuable information and insight into navigating the ever-shifting landscape of data security. What sets this podcast apart is that the hosts are actively involved in the security community, adding credibility to their discussions. Additionally, the podcast goes beyond theory by actually testing some of the issues discussed, making it a great way to stay up-to-date with the latest developments in infosec.

    One of the best aspects of The Brakeing Down Security Podcast is its wealth of talent and information within its community. The show's Slack channel is a valuable resource, allowing listeners to connect with like-minded individuals and further their knowledge in infosec. The hosts themselves are easy to listen to, providing entertainment along with their informative content. Each episode features guest speakers who offer valuable insights, making it suitable for listeners at any level in infosec.

    While there aren't many negative aspects to this podcast, one minor drawback could be that some episodes may not cater specifically to beginners in infosec. However, even though there is technical depth covered at times, the hosts do an excellent job of explaining concepts clearly without dumbing them down too much. Additionally, while some listeners may prefer shorter episodes, The Brakeing Down Security Podcast typically runs for about an hour or so - but every minute is well worth it.

    In conclusion, The Brakeing Down Security Podcast is a highly recommended listen for anyone interested in information security. With its practical topics, informative discussions with experienced leaders, engaging hosts, and supportive community behind it all - this podcast provides invaluable information that can benefit anyone working in infosec at any level. Whether you're a seasoned professional or just starting out, this podcast is a great resource for staying up-to-date and expanding your knowledge in the field of data security.



    Search for episodes from Brakeing Down Security Podcast with a specific topic:

    Latest episodes from Brakeing Down Security Podcast

    steam distributes malware in game form, RDP open from DOGE servers, hacking a supply chain for 50K

    Play Episode Listen Later Feb 17, 2025 61:47


    Youtube VOD: https://www.youtube.com/watch?v=zu_smyQGvG4  https://lcamtuf.substack.com/p/how-security-teams-fail https://cyberintel.substack.com/p/doge-exposes-once-secret-government https://x.com/SteamDB/status/1889610974484705314  – supply chain issues can crop up anywhere… are you blocking people from steam and popular software downloads online? https://www.landh.tech/blog/20250211-hack-supply-chain-for-50k/ https://medium.com/@cyberengage.org/rethinking-incident-response-from-picerl-to-dair-7b153a76e044 https://www.youtube.com/watch?v=3HRkKznJoZA

    Tanya Janca Talks secure coding, Semgrep Academy, and community building, and more!

    Play Episode Listen Later Jun 1, 2024 87:18


    Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec Join the Discord! https://discord.gg/brakesec #youtube VOD (in 1440p): https://www.youtube.com/watch?v=axQWGyd79NM  Questions and topics: Bsides Vancouver discussion Semgrep Community and Academy Building communities What are ‘secure guardrails' Reducing barriers between security and developers How to sell security to devs: “hey, if you want to see us less, buy/use this?” “Security is your barrier, but we have goals that we can't reach without your help.” https://wehackpurple.com/devsecops-worst-practices-artificial-gates/  How are you seeing things like AI being used to help with DevOps or is it just making things more complicated? Not just helping write code, but infrastructure Ops, software inventories, code repo hygiene, etc? OWASP PNW https://www.appsecpnw.org/ Alice and Bob coming next year! Additional information / pertinent LInks (Would you like to know more?): shehackpurple.ca  Semgrep (https://semgrep.dev/) https://aliceandboblearn.com/ https://academy.semgrep.dev/ (free training) Netflix ‘paved roads': https://netflixtechblog.com/how-we-build-code-at-netflix-c5d9bd727f15 https://en.wikipedia.org/wiki/Nudge_theory  https://www.perforce.com/blog/qac/what-is-linting  https://www.youtube.com/watch?v=FSPTiw8gSEU  https://techhq.com/2024/02/air-canada-refund-for-customer-who-used-chatbot/  Show points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb  Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@BrakeSecEd Twitch Channel: https://twitch.tv/brakesec  

    Josh Grossman - building Appsec programs, bridging security and developer gaps

    Play Episode Listen Later Apr 15, 2024 76:22 Transcription Available


    Youtube VOD: https://youtu.be/G3PxZFmDyj4   #appsec, #owasp, #ASVS, #joshGrossman, #informationsecurity, #SBOM, #supplychain, #podcast, #twitch, #brakesec, #securecoding, #Codeanalysis Questions and topics: 1. The background to the topic, why is it something that interests you? How do you convince developers to take your course? 2. What do you think the root cause of the gap is? 3. Who is causing the gaps? (‘go fast' culture, overzealous security, GRC requirements, basically everyone?) 4. Where do gaps begin? Is it the ‘need' to ‘move fast'? 5. What can devs do to involve security in their process? Sprint planning? SCA tools? 6. How have you seen this go wrong at organizations? 7. How important is it to have security early in the product development process? 8. What sort of challenges do you think mainstream security people face in AppSec scenarios? 9. How does Product Security differ from Application Security? (what if the product is an application?) 10. What are the key development concepts that security people need to be familiar with to effectively get involved in AppSec/ProdSec? 11.. How do you suggest a security team approach AppSec/ProdSec?                Leadership buy-in                Effective/valuable processes                Tools should achieve a goal 12. SBOM - NTIA is asking for it, How to get dev teams to care. 13. Key takeaways? Additional information / pertinent LInks (Would you like to know more?): BlackHat Training: https://www.blackhat.com/us-24/training/schedule/index.html#accelerated-appsec--hacking-your-product-security-programme-for-velocity-and-value-virtual-37218 https://www.walkme.com/blog/leadership-buy-in/ https://www.bouncesecurity.com/ https://www.teamgantt.com/blog/raci-chart-definition-tips-and-example https://www.cisa.gov/sbom SCA Tools https://chpk.medium.com/top-10-software-composition-analysis-sca-tools-for-devsecops-85bd3b7512dd  https://semgrep.dev/  https://www.linkedin.com/in/joshcgrossman  https://owasp.org/www-project-application-security-verification-standard/  https://github.com/OWASP/ASVS/tree/master/5.0 https://owasp.org/www-project-cyclonedx/ https://joshcgrossman.com/ PyCon talk about custom security testing: https://www.youtube.com/watch?v=KuNZzDjvMlg  Michal's Black Hat course - Accurate and Scalable: Web Application Bug Hunting: https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-37210  https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-372101705524544  ASVS website: https://owasp.org/asvs  Lightning talk I did recently about OWASP: https://www.bouncesecurity.com/eventspast#f86548cb37cb2a82728b1762bd1b7aee  Show points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb  Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@brakeseced Twitch Channel: https://twitch.tv/brakesec

    Managing messaging with management, becoming a CISO with Mary Gardner from Goldiknox

    Play Episode Listen Later Apr 9, 2024 82:56 Transcription Available


    Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information and experiences and do not represent views of past, present, or future employers.   Recorded: 08 Apr 2024 Youtube VOD: https://www.youtube.com/watch?v=K8qApvsFtqw   Show Topic Summary: If you want to get in the mind of a board member, I submit to you my discussion with Mary Gardner we did last night on #brakesec #education. Join Mary and I as we discuss the functions of a board, messaging to various levels of leadership and teams, and what it takes to make that leap to being a CISO. And when you're done, and you need someone to help your org get more mature, contact the team at GoldiKnox. #cybersecurity #informationsecurity #ciso #leadership #GRC   Questions and topics: https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity “Just 69% of responding board members see eye-to-eye with their chief information security officers (CISOs). Fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. “ They obviously have different priorities, so what brings everyone to the table to discuss? Are they even worried about security? Tactical goals vs. org goals and aligning them What are boards most worried about these days?  Staying relevant in the face of AI? What tech will protext them from the newest threats? GRC is forced security, security is completely optional, Compliance requires some sort of security   Additional information / pertinent LInks (Would you like to know more?): Research organizations (gartner, forrester, etc) https://goldiknox.com/  https://www.linkedin.com/pulse/board-needs-help-planning-cybersecurity-start-here-daniel-briley-k7xzc https://hbr.org/2022/11/is-your-board-prepared-for-new-cybersecurity-regulations https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-sentenced-three-years-probation-covering-data   Show points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb  Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@brakeseced Twitch Channel: https://twitch.tv/brakesec Discord: https://discord.gg/brakesec

    p2-accidentalCISO, building trust in new places

    Play Episode Listen Later Feb 13, 2024 73:51


      Full Youtube VOD: https://www.youtube.com/watch?v=uX7odQTBkyQ      Questions and topics: Let's talk about Mindful Business Podcast What's the topics you cover? Topic #1: discuss your experiences when you were a new leader.  What worked? What didn't? What would you have done differently? Do you emulate your manager's style? What have been your go-to management resources?  What is a good piece of advice that you've been given or that you impart to others that relates to leadership? Topic #2: building/Operating SaaS products (we can discuss securing them, what functions should be table stakes (data structures, logging, etc) Topic #3: What are bare minimums for building ‘secure' Saas products in your particular field? And how do you balance security with a positive user experience (i. e. getting customers to buy into MFA/OAUTH, OTA updates Topic #4: Do many SaaS products get over-integrated? Is the need for integration override best practices in security?  Additional information / pertinent LInks (Would you like to know more?): Twitter/Mastodon: https://twitter.com/AccidentalCISO https://infosec.exchange/@accidentalciso The Mindful Business Security Show: https://www.mindfulsmbshow.com/ https://twitter.com/mindfulsmbshow Show points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb  Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@brakeseced Twitch Channel: https://twitch.tv/brakesec

    AccidentalCISO on BrakeSecEd, talking Leadership, SaaS development, and Appsec

    Play Episode Listen Later Feb 2, 2024 29:35


    Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information, and do not represent views of past, present, or future employers.   Recorded: 28 Jan 2024 Youtube VOD: https://youtube.com/live/uX7odQTBkyQ Questions and topics: Let's talk about Mindful Business Podcast What's the topics you cover? Topic #1: discuss your experiences when you were a new leader.  What worked? What didn't? What would you have done differently? Do you emulate your manager's style? What have been your go-to management resources?  What is a good piece of advice that you've been given or that you impart to others that relates to leadership? Topic #2: building/Operating SaaS products (we can discuss securing them, what functions should be table stakes (data structures, logging, etc) Topic #3: What are bare minimums for building ‘secure' Saas products in your particular field? And how do you balance security with a positive user experience (i. e. getting customers to buy into MFA/OAUTH, OTA updates Topic #4: Do many SaaS products get over-integrated? Is the need for integration override best practices in security?  Additional information / pertinent LInks (Would you like to know more?): Twitter/Mastodon: https://twitter.com/AccidentalCISO https://infosec.exchange/@accidentalciso The Mindful Business Security Show: https://www.mindfulsmbshow.com/ https://twitter.com/mindfulsmbshow Show points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb  Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@brakeseced Twitch Channel: https://twitch.tv/brakesec

    1st show of 2024! Our 10th Anniversary...

    Play Episode Listen Later Jan 9, 2024 59:35


    It's our 10th anniversary and the first show of our 2024 season! Amanda was on "7 minute security" https://7minsec.com/projects/podcast   Check out the complete VOD at https://youtu.be/vbmEtkxhAMg Explicit language warning   www.brakeingsecurity.com https://twitch.tv/brakesec https://bit.ly/brakesecyt  

    Brakesec Call to Action 2023

    Play Episode Listen Later Dec 18, 2023 2:51


    Youtube Video:  https://youtu.be/IUDPlQaQg8M https://forms.gle/rf145MoN7cskwMjf8   is the link to the survey. Your information (should you choose to identify yourself) will not be shared outside of the BrakeSec Team. Thank all of you for listening and for your input. RSS feed for the audio podcast is at https://www.brakeingsecurity.com/rss  website: https://www.brakeingsecurity.com 

    How to get more headcount, BLUFFs Vulnerability, and Ranty Clause debuts!

    Play Episode Listen Later Dec 4, 2023 79:11


    Show Topic Summary: Ms. Berlin proposes a question of how to gather more headcount with metrics, we discuss the BLUFFS bluetooth vulnerability, and “Ranty Claus” talks about CISA's remarks of putting the onus on device product makers to remove choice for customers and implement secure defaults. #youtube VOD: https://www.youtube.com/watch?v=emcAzTx9z0c  Questions and topics: https://cyberscoop.com/cisa-goldstein-secure-by-design/ https://hackaday.com/2023/12/02/update-on-the-bluffs-bluetooth-vulnerability/ Additional information / pertinent LInks (Would you like to know more?): https://cyberscoop.com/jen-easterly-secure-by-design/ https://www.cisa.gov/resources-tools/resources/stop-passing-buck-cybersecurity  Examples of companies forcing changes https://www.bleepingcomputer.com/news/microsoft/microsoft-will-roll-out-mfa-enforcing-policies-for-admin-portal-access/   https://github.com/aya-rs/aya - eBPF implementation in Rust https://ossfortress.io/   https://www.darkreading.com/endpoint-security/critical-logofail-bugs-secure-boot-bypass-millions-pcs  Show points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake on Mastodon.social, https://linkedin.com/in/brakeb  Brakesec Website: https://www.brakeingsecurity.com Twitter: @brakesec  Youtube channel: https://youtube.com/c/BDSPodcast Twitch Channel: https://twitch.tv/brakesec

    25Oct - okta breached (again), Energy company hit by supply chain attack, and you can help hire the best people

    Play Episode Listen Later Oct 26, 2023 45:53


    Subscribe on Twitch using Amazon Prime and watch us live: https://twitch.tv/brakesec Check out our VODs on Youtube: https://www.youtube.com/@BrakeSecEd  Join the BrakeSecEd discord: https://discord.gg/brakesec    News: https://www.darkreading.com/remote-workforce/1password-latest-victim-okta-customer-service-breach https://www.documentcloud.org/documents/24075435-bhi-notice https://www.bleepingcomputer.com/news/security/us-energy-firm-shares-how-akira-ransomware-hacked-its-systems/ https://www.bleepingcomputer.com/news/security/ransomware-isnt-going-away-the-problem-is-only-getting-worse/ https://www.shacknews.com/article/137505/ransomware-group-capcom-2020-arrested https://www.bleepingcomputer.com/news/security/flipper-zero-can-now-spam-android-windows-users-with-bluetooth-alerts/ https://www.nasdaq.com/articles/three-cybersecurity-sectors-that-resist-economic-downturns  

    NIcole Sundin - CPO at Axio - SEC compliance, usable security, setting up risk mgmt programs

    Play Episode Listen Later Sep 23, 2023 66:08


    Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.   Guest Bio:  Nicole is the Chief Product Officer at Axio. Nicole has spent her career building awareness around the benefits of usable security and human-centered security as a way to increase company revenue and create a seamless user experience.   Youtube VOD Link: https://youtube.com/live/tFaAB9an47g   Questions and topics: Usable security: is it an oxymoron? What determines if the security is ‘usable' or no? We sacrifice security for a better UX, what can be done to alleviate that? Or is it some sort of sliding scale in “poor UX, amazing security or awesome UX, poor security” Examples of poor UX for ‘people': MFA, and password managers. SEC updates and ‘material events' and how that would affect security, IR, and other company reporting functions. Also, additional documentation (Regulation S-K Item 106) https://www.linkedin.com/posts/nicole-sundin-5225a1149_sec-adopts-rules-on-cybersecurity-risk-management-activity-7090065804083290112-ISD8 Are companies ready to talk about their cybersecurity? Can the SEC say “you're not doing enough?” What is ‘enough'? Are we heading toward yet another audit needed for public companies, similar to SOX? When does an 8-K get publicly disclosed? Materiality is based on a “reasonable investor”? So, you don't need to announce that until you're certain, and it's based on what you can collect? Cyber Risk Management and some good examples of how to set up a proper  cyber risk organization   Additional Links: https://csrc.nist.gov/CSRC/media/Projects/usable-cybersecurity/images-media/Is%20Usable%20Security%20an%20Oxymoron.pdf  http://web.mit.edu/Saltzer/www/publications/protection/Basic.html  https://www.sec.gov/news/press-release/2023-139  https://www.sec.gov/news/statement/munter-statement-assessing-materiality-030922  https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/sec-final-cybersecurity-disclosure-rules.html  https://www.nasa.gov/centers/ames/research/technology-onepagers/hc-computing.html  https://securityscorecard.com/blog/what-is-cyber-security-performance-management/  

    John Aron, letters of marque, what does a "junior" job look like with AI?

    Play Episode Listen Later Sep 3, 2023 85:21


    Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.   Guest Bio: John is the CEO of Aronetics. An avid climber and runner, John has spoken at many conferences about topics like ZeroTrust, BIOS/UEFI security, communication security, and malware. Aronetics is a technology-enabled service provider.    Youtube VOD: https://youtube.com/live/5dIVTwVZLAU Linkedin VOD: https://www.linkedin.com/video/live/urn:li:ugcPost:7101738254823030784 Show Topic Summary:   John joins us to discuss “letters of Marque” in an effort for hackers to ‘hack back'... the overreliance on automation, and communication siloes. We also talk about what a ‘junior position' in infosec looks like with AI doing all the “Level 1 SOC Analyst” type roles normally given to someone fresh to the security industry.   Questions and topics: Is infosec over reliant on automation? Automation comes with its own challenges. Documentation woes Automation is usually found in userland   Aronetics' Thor provides defense and counter-offense tamper-proof technology digitally tied to    Letter of Marque - good idea, or geopolitical disaster waiting to happen? Siloes and communication -best ways to overcome those in an org and outside? How do we overcome siloing?   Overcoming security challenges?Identity management - 2FA is everywhere, there's already ways around 2FA, so what now? 3FA? Biometrics? Make everyone carry around physical tokens that we can lose?   Blog post: https://www.aronetics.com/post-quantum-cryptography/ What do we need to protect against? Nation states with quantum computers? Rubber hose cryptography?   Crime thrives in areas of low visibility. https://www.aronetics.com/unknown/    https://www.aronetics.com/inside-the-breach/ (threat detection - the crime thrives in low vis areas)   Show points of Contact: Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/c/BDSPodcast Twitch Channel: https://twitch.tv/brakesec Amanda Berlin: @infosystir@infosec.exchange (Mastodon) @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake on Mastodon.social

    Megan Roddie - co-author of "Practical Threat Detecion Engineering"

    Play Episode Listen Later Aug 25, 2023 106:53


    Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers. Buy here: https://subscription.packtpub.com/book/security/9781801076715 Amazon Link: https://packt.link/megan Youtube VOD: https://www.youtube.com/watch?v=p1_jQa9OQ2w   Show Topic Summary: Megan Roddie is currently working as a Senior Security Engineer at IBM. Along with her work at IBM, she works with the SANS Institute as a co-author of FOR509, presents regularly at security conferences, and serves as CFO of Mental Health Hackers. Megan has two Master's degrees, one in Digital Forensics and the other in Information Security Engineering, along with many industry certifications in a wide range of specialties. When Megan is not fighting cybercrime, she is an active competitor in Muay Thai/Kickboxing. She is a co-author of “Practical Threat Detection Engineering” from Packt publishing, on sale now in print and e-book. Buy here: https://subscription.packtpub.com/book/security/9781801076715   https://packt.link/megan ← Amazon redirect link that publisher uses if you want something easier on the notes   Questions and topics: Of the 3 models, which do you find you use more and why? (PoP, ATT&CK, kill chain) What kind of orgs have ‘detection engineering' teams? What roles are involved here, and can other teams (like IR) be involved or share a reverse role there? Lab setup requires an agent… any agent for ingestion or something specific?  How does Fleet or data ingestion work for Iot/Embedded device testing? Anything you suggest? How important is it to normalize your log output for ingestion? (app, web, server all tell the story) Additional information / pertinent LInks (Would you like to know more?): Unified Kill Chain: https://www.unifiedkillchain.com/ ATT&CK: https://attack.mitre.org/  D3FEND matrix BrakeSec show from 2021: https://brakeingsecurity.com/2021-023-d3fend-framework-dll-injection-types-more-solarwinds-infections  Pyramid of Pain: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html https://www.securitymagazine.com/articles/98486-435-million-the-average-cost-of-a-data-breach  https://medium.com/@gary.j.katz (per Megan, ‘it's basically Chapter 11 of the book') Show points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake on Mastodon.social, Twitter, bluesky Brakesec Website: https://www.brakeingsecurity.com Twitter: @brakesec  Youtube channel: https://youtube.com/c/BDSPodcast Twitch Channel: https://twitch.tv/brakesec

    meeting new people, walking on your keyboard causes issues, even google gets phone numbers wrong.

    Play Episode Listen Later Jul 21, 2023 80:11


    Check out our sponsor (BLUMIRA) at https://blumira.com/brake youtube channel link: https://youtube.com/c/BDSPodcast Full video on our youtube Channel! https://www.youtube.com/watch?v=BkBeLuM_urk https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/ https://www.darkreading.com/remote-workforce/hacker-infected-foiled-by-own-infostealer https://therecord.media/cisa-warnings-adobe-microsoft-citrix-vulnerabilities https://www.itsecurityguru.org/2023/07/18/millions-of-keyboard-walk-patterns-found-in-compromised-passwords/ https://therecord.media/airline-customer-support-phone-number-fraud-google https://twitter.com/Shmuli/status/1680669938468499458 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 https://www.jdsupra.com/legalnews/tabletop-exercises-as-risk-mitigation-5278057/ https://www.darkreading.com/vulnerabilities-threats/linux-ransomware-poses-significant-threat-to-critical-infrastructure https://bevyengine.org/  - Rust game engine https://godotengine.org/ - a more mature Rust game engine https://flappybird.io/ - which I suck at, BTW Intro/outro music: "Flex" by Jeremy Blake Courtesy of YouTube Music Library (used with proper permissions)  

    Bsides Seattle and Austin, SecureBoot patch, and more

    Play Episode Listen Later May 27, 2023 72:36


    BrakeSec Show Outline – No Guest   Show Topic Summary (less than 300 words) Bsides Seattle and Bsides Austin   Youtube VOD: https://youtube.com/live/UGRaRSYj7kc    Questions and potential sub-topics (5 minimum): Bsides Seattle update and Bsides Austin Patching the unpatchable https://en.wikipedia.org/wiki/Parkerian_Hexad  Power and influence  (is power bad? Is influence?) 5.  https://deliverypdf.ssrn.com/delivery.php?ID=357001027119125105074103081006094117005092014048001013007086030071009081068110103025024041103038045036033080107020112080097022024073029064061065125002071028013110008011045013116002084024000066075067001126004101003027004086091007025096080019022003104&EXT=pdf&INDEX=TRUE (A Theory of Creepy: Technology, Privacy and Shifting Social Norms) (contact info for people to reach out later):   Additional information / pertinent Links (would you like to know more?): (contact info for people to reach out later): https://www.bleepingcomputer.com/news/security/microsoft-shares-guidance-to-detect-blacklotus-uefi-bootkit-attacks/ https://www.bleepingcomputer.com/news/security/malware-dev-claims-to-sell-new-blacklotus-windows-uefi-bootkit/   Show Points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake @bryanbrake@mastodon.social Website: https://www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec Youtube: https://www.youtube.com/c/BDSPodcast  Email: bds.podcast@gmail.com  

    lynsey wolf, conducting insider threat investigations, CASB and UEBA utlization to good use.

    Play Episode Listen Later Apr 30, 2023 94:09


    Show Topic Summary (less than 300 words) Insider threat still exists, Lynsey Wolf talks with us about HR's role in insider threat, how prevalent investigations are in the post-pandemic work from home environment.   Questions and potential sub-topics (5 minimum): What is the difference between insider threat and insider risk? Motivators of insider threat (not much different than espionage,IMO -bryan)  (MICE: Money, Ideology, Compromise, and Ego.) https://thestack.technology/pentagon-leaks-insider-threat-sysadmin/  75% of all insider threats are being kicked off by HR departments. In short, it's proactive. “How did HR figure that out?” How are investigations normally initiated? What tools are they implementing to check users or predicting a disgruntled employee?” UEBA? CASB? Employee surveys that are ‘anonymous'? Someone who reported others and it was dismissed? What if HR ‘gets it wrong' or ‘it's a hunt to find people no into ‘groupthink' or ‘not a culture fit'? https://www.cbsnews.com/news/french-worker-fired-for-not-being-fun-at-work-wins-lawsuit-cubik-responds/ How can organizations be mindful of how and what data is collected to mitigate risk without affecting employee trust? And who watches the watchers to ensure data is handled responsibly? Are there any privacy guidelines companies need to understand before they implement such a system? (GDPR? CCPA? Privacy notices? Consent to monitoring on login? https://securiti.ai/blog/hr-employee-data-protection/ ) Are companies causing the thing they are protecting against? (making an insider threat because they've become repressive?) (hoping there's an ‘everything in moderation idea here… finding the happy medium between responsible ‘observability' and ‘surveillance') Lots of ‘insider threat' tools, including from EDR companies. Do companies do a good job of explaining to employees why you need EDR? Quiet Quitting - latest term for companies to use to describe “employee has a side gig”. How does this figure into insider threat? Is it assumed that people only have one ‘thing' they do, or did the lack of a commute give people more time during the pandemic to diversify? Solutions for employees? Separate their work and private/side gig? Learn what their contract states to keep conflicts of interest or your current/past employer from taking your cool side project/start-up idea away from you? Solutions for companies?   Additional information / pertinent Links (would you like to know more?): (contact info for people to reach out later): https://www.cisa.gov/detecting-and-identifying-insider-threats  https://venturebeat.com/data-infrastructure/how-observability-has-changed-in-recent-years-and-whats-coming-next/  https://ccdcoe.org/library/publications/insider-threat-detection-study/  https://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454627.pdf (insider threat ontology) https://www.intelligentcio.com/apac/2022/08/01/survey-reveals-organizations-see-malicious-insiders-as-a-route-for-ransomware/  https://www.helpnetsecurity.com/2022/04/08/organizations-insider-threats-issue/  https://www.fortinet.com/resources/cyberglossary/what-is-ueba  https://www.gartner.com/en/information-technology/glossary/cloud-access-security-brokers-casbs  https://thecyberwire.com/glossary/mice https://qohash.com/the-high-price-of-trust-the-true-cost-of-insider-threats/  https://abc7chicago.com/classified-documents-jack-teixeira-air-national-guard-arrest/13126206/ (Air National Guardsman accused in military records leak makes 1st court appearance - story still developing as of 16 April 2023) https://www.theverge.com/2020/8/4/21354906/anthony-levandowski-waymo-uber-lawsuit-sentence-18-months-prison-lawsuit    Show Points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake @bryanbrake@mastodon.social Website: https://www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec  Youtube: https://youtube.com/c/BDSPodcast 

    3CX supply chain attack, Mark Russinovich and Sysinternals, CISA ransomware notifications, and emotional intelligence

    Play Episode Listen Later Apr 8, 2023 84:50


    Show Topic Summary (less than 300 words) 3CX supply chain attack, Mark Russinovich and Sysinternals, ransomware notifications from CISA, and emotional intelligence Youtube VOD: https://www.youtube.com/watch?v=afZHiBUr-2g  Questions and potential topics (5 minimum): https://www.straitstimes.com/tech/downloading-a-cracked-version-of-fifa-23-or-hogwarts-legacy-for-free-it-s-probably-malware  https://leadershipfreak.blog/2023/03/27/the-7-powers-of-questions/  https://securityintelligence.com/articles/is-it-time-to-hide-your-work-emails/  https://www.lollydaskal.com/leadership/what-remote-leaders-do-differently-to-be-successful/  https://www.lollydaskal.com/leadership/the-role-of-emotional-intelligence-in-leadership-why-it-matters/  https://www.cybersecuritydive.com/news/3cx-mandiant-investigate-supply-chain-attack/646543/  https://www.bleepingcomputer.com/news/security/openai-chatgpt-payment-data-leak-caused-by-open-source-bug/  https://www.cybersecuritydive.com/news/cisa-pre-ransomware-notification/646041/  https://www.sentinelone.com/labs/the-life-and-times-of-sysinternals-how-one-developer-changed-the-face-of-malware-analysis/    Additional information / pertinent Links (would you like to know more?): https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/  https://www.orangecyberdefense.com/global/blog/research/3cx-voip-app-supply-chain-compromise  https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/ https://www.linkedin.com/feed/update/urn:li:activity:7047156405715300352/  Sigma Rule - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_malware_3cx_compromise_susp_children.yml  https://en.wikipedia.org/wiki/Information_Sharing_and_Analysis_Center  https://www.cisa.gov/news-events/news/cisa-establishes-ransomware-vulnerability-warning-pilot-program  https://www.fda.gov/media/166614/download  https://www.amazon.com/Windows-Internals-Part-architecture-management/dp/0735684189  https://medium.com/@martin-thissen/llama-alpaca-chatgpt-on-your-local-computer-tutorial-17adda704c23    Show Points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake @bryanbrake@mastodon.social Website: https://www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec Youtube: https://www.youtube.com/c/BDSPodcast  Email: bds.podcast@gmail.com 

    Dish Network is still busted, John Deere avoiding OSS requests, Is DAST dead?

    Play Episode Listen Later Mar 24, 2023 89:37


    Show Topic Summary (less than 300 words) Dish Network is still busted due to ransomware, your Pixel phone baseband RCE, Nothing runs like a Deere (away from OSS requests, anyway), and “Are we past DAST?”   Questions and potential sub-topics (5 minimum): https://techcrunch.com/2023/03/15/dish-customers-kept-in-the-dark-as-ransomware-fallout-continues/  https://medium.com/@cmanojshrestha/hack-any-social-media-account-using-cookie-stealing-attack-a6cdc4caafc1  https://boringappsec.substack.com/p/edition-18-the-diminishing-returns  https://www.theregister.com/2023/03/17/john_deere_sfc_gpl/  https://www.bleepingcomputer.com/news/security/alleged-breachforums-owner-pompompurin-arrested-on-cybercrime-charges/ (thanks D Mathews!) https://www.bleepingcomputer.com/news/security/microsoft-support-cracks-windows-for-customer-after-activation-fails/  https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html    Additional information / pertinent Links (would you like to know more?): https://www.shopbiscoff.com/lotus-biscoff-xl-two-pack-case-bulk-size https://twitter.com/InfoSystir/status/1636847843683041280?s=20            Show Points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake @bryanbrake@mastodon.social Website: https://www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec Youtube: https://www.youtube.com/c/BDSPodcast  Email: bds.podcast@gmail.com

    Nickolas Means talks about Security, Devops velocity, blameless orgs, and conferences infosec should attend

    Play Episode Listen Later Mar 4, 2023 74:50


      Guest info Name and Title: Nickolas Means, VP of Engineering at SYM Email/Social Media Contact: @nmeans on Twitter, @nmeans@ruby.social on Mastodon Time Zone (if other than Pacific): Central (Austin, TX)   Show Topic Summary / Intro We welcome Nickolas Means to the stream. Nick is the VP of Engineering at Sym, the adaptive access tool built for developers. He's been an engineering leader for more than a decade, focused on helping teams build velocity through trust and autonomy. He's also a regular speaker at conferences around the world, teaching more effective software development practices through stories of real-world engineering triumphs and failures. He's also the co-host of “Managing Up” a podcast with  Management tips, stories, and interviews to help navigate the challenges of managing creative and technical teams.   Questions and potential sub-topics (5 minimum): 'blameless environment' during an incident. We can discuss working an incident and if a 'blameless' environment the exception or the rule (stories from the trenches are always welcome) Building a compliance program without tanking your engineering velocity... I'd like to speak about that in terms of overall security (product security, scanning, license checks, and more) Is there a playbook to building more efficient dev and security teams? Can cross training dev in basic security, or security in sprint planning processes make a better experience for all? Will we ever solve ‘shifting left'? What does Shifting Left really mean to engineering teams, or is that a term security people created to try and speak ‘dev/eng'?  ‘Managing Up'... security is often asked to do a lot. Be STO when you don't manage the resources, timeline, etc. When teams are small, you're either in the operational/tactical, when management wants a ‘tactical/strategic' view. What can the overall business do to create a good working relationship out of the gate? “Make a dashboard” is all well and good, except when your org lacks maturity across the board. What are some realistic expectations management should have when the company is small?  (I will provide additional context during the stream)   Additional information / pertinent Links (would you like to know more?): https://managingup.show/ - Managing Up Podcast “Management tips, stories, and interviews to help navigate the challenges of managing creative and technical teams.“ https://symops.com/ - Adaptive access management tools built for engineers https://www.ted.com/talks/brene_brown_the_power_of_vulnerability?language=en https://www.terraform.io/ https://news.stanford.edu/2022/12/05/explains-recent-tech-layoffs-worried/    Show Points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake @bryanbrake@mastodon.social Website: https://www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec  Youtube: https://youtube.com/c/BDSPodcast   

    SPECIAL INTERVIEW: John Aron and Jerod Brennen

    Play Episode Listen Later Feb 10, 2023 81:10


    BrakeSec Show Outline (all links valid as of 27 Jan 2023, subject to change)   Is it scheduled?  Yes || No|| Completed   Date:  2023/01/26   Guest info Name and Title: John Aron, Founder/CEO of Aronetics Email: john@aronetics.com Time Zone (if other than Pacific): Eastern Standard   Guest info Name and Title: Jerod Brennen Email: jerod@brennenconsulting.com Time Zone (if other than Pacific): EST   Show Topic Summary (less than 300 words) Clear the fog of marketing truths and viable solutions that actually deter and defend adversarial action.   Questions and potential sub-topics (5 minimum): Edge devices everywhere A paradigm culture shift is necessary How/What kind of culture shift is needed?  In 2007, Steve Jobs unveiled the iPhone with no mention of how to keep it safe While DARPA that created GPS, shares a sorry - not sorry       4. Working from Home or the office, how can you guarantee security with travel between both? This type of computing isn't possible in government circles. 5. The New York Times 2019 Fall Special - So the internet didn't turn out the way we hoped. How can we restore sanity and normalcy to using a computer when there is a persistent threat everywhere?  Who is under ‘persistent threat'?  6. Jerod: decentralization of technologies and empowering makers and people    Additional information / pertinent Links (would you like to know more?): Even Nobodies Have Fans Now. (For Better or Worse.) - The New York Times.pdf(local copy) (local copy defeats paywall) )

    Layoff discussions, another TMO breach, OneNote Malware, and more!

    Play Episode Listen Later Jan 24, 2023 83:04


    Lots of Layoffs (meta, Microsoft, Amazon, Sophos, Alphabet, Google) talk about the future effects of that, did it affect security? Attack surface management is risk management, Breaches and the TSA no-fly list leaked, and more! Full youtube video: https://www.youtube.com/watch?v=1Dgq8FpnWPw   Questions and/or potential sub-topics (5 minimum): Layoffs (fear, uncertainty, doubt), what it means for people,  https://www.lollydaskal.com/leadership/5-warning-signs-you-are-being-led-by-a-weak-leader/ “No fly list leaked” https://www.vice.com/en/article/93a4p5/us-no-fly-list-leaks-after-being-left-in-an-unsecured-airline-server Attack Surface Management: https://flashpoint.io/blog/what-is-attack-surface-management/ https://www.bleepingcomputer.com/news/security/beware-hackers-now-use-onenote-attachments-to-spread-malware/ https://securityaffairs.com/141102/hacking/eof-cisco-routers-exposed-rce.html https://www.linkedin.com/posts/threatintelligence_threat-intel-cheat-sheet-by-cyber-threat-activity-7021035081184026624-3GWH? (issues with "step 0")   Additional information / pertinent Links (would you like to know more?): https://www.sec.gov/ix?doc=/Archives/edgar/data/0001283699/000119312523010949/d641142d8k.htm  - TMO's 8k filing https://www.bleepingcomputer.com/news/security/verizon-notifies-prepaid-customers-their-accounts-were-breached/ https://en.wikipedia.org/wiki/Maia_arson_crimew https://discord.gg/brakesec      Show Points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake @bryanbrake@mastodon.social  Website: https://www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec   

    GPS car hacks, Google Threat report, notable topics of 2020, satellite threat modelling, twitter breach(?)

    Play Episode Listen Later Jan 10, 2023 85:08


    topics What were the biggest stories of 2022? Any notable trends that you saw https://acut3.github.io/bug-bounty/2023/01/03/fetch-diversion.html (fetch Diversion) I got 5 million steps in 2022! Looking to jog/run 350 miles https://medium.com/@jdowde2/the-security-threat-of-and-in-file-path-strings-d75ee695eb3a  (danger of , and .. in file paths Google's threat Horizon's report     Additional information / pertinent Links (would you like to know more?): https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jan2023.pdf (google's Threat Horizons report) https://securityboulevard.com/2023/01/google-cybersecurity-action-team-threat-horizons-report-5-is-out/  https://medium.com/malware-buddy/6-useful-infographics-for-threat-intelligence-240d6aca333e  https://www.vice.com/en/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps youtube.c https://hbr.org/2016/09/excess-management-is-costing-the-us-3-trillion-per-year  https://thenewstack.io/circleci-secrets-catastrophe/ https://www.nbc29.com/2023/01/06/twitter-leak-exposes-235-million-email-addresses-hack/  https://www.vice.com/en/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps    Show Points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake @bryanbrake@mastodon.social Website: https://www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec   

    Josh-Whalen-risk-management-data_visualization-tools, value-creating activities -p2

    Play Episode Listen Later Dec 20, 2022 67:48


    Full stream video on Youtube: https://youtu.be/i1xpAfNFCvY John's Youtube channel, to find more training/contact information: https://www.youtube.com/channel/UC3ctyx980M8jLa_cEiQveLQ https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration ADKAR model: https://www.prosci.com/methodology/adkar CCE framework: https://inl.gov/cce/ Dashboard (non-sponsored link): https://monday.com Diagrammming tool: https://figma.com https://www.sciencedirect.com/topics/computer-science/system-analysis Amazon book: https://www.amazon.com/Engineering-Safer-World-Systems-Thinking/dp/0262533693

    John Whalen, data visualization tools, risk management, handling org risk-p1

    Play Episode Listen Later Dec 11, 2022 37:45


    Full stream video on Youtube: https://youtu.be/i1xpAfNFCvY   https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration ADKAR model: https://www.prosci.com/methodology/adkar CCE framework: https://inl.gov/cce/ Dashboard (non-sponsored link): https://monday.com Diagrammming tool: https://figma.com https://www.sciencedirect.com/topics/computer-science/system-analysis Amazon book: https://www.amazon.com/Engineering-Safer-World-Systems-Thinking/dp/0262533693  

    Interview with Infrared - one of the Seattle Community Network organizers

    Play Episode Listen Later Nov 22, 2022 52:28


    https://youtu.be/iW39Mugj4OM  -Full stream video (interview starts at 28m22s)   Broadcasted live on Twitch -- Watch live at https://www.twitch.tv/brakesec Seattle Community Network - https://seattlecommunitynetwork.org/ https://medium.com/seattle-community-network/    Check Bryan out on Mastodon! Mastodon

    JAMBOREE - an Android App testing platform from @operat0r -part2

    Play Episode Listen Later Nov 7, 2022 64:15


    introducing @operat0r talked a bit about mobile device hacking and rooting/jailbreaking phones for testing Grab the powershell script here: https://github.com/freeload101/Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy   Check out the Youtube videos, including demo! Part2 is here: https://www.youtube.com/watch?v=RXgwUWpRuYA

    JAMBOREE - an Android App testing platform from @operat0r

    Play Episode Listen Later Oct 30, 2022 56:35


    introducing @operat0r talked a bit about mobile device hacking and rooting/jailbreaking phones for testing Grab the powershell script here: https://github.com/freeload101/Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy   Check out the Youtube videos, including demo! Part 2 will be available soon! Part 1:  https://youtu.be/U5SFav9h1L4 

    07-oct-news-twitch streaming

    Play Episode Listen Later Oct 12, 2022 54:48


    https://www.bnbchain.org/en/blog/bnb-chain-ecosystem-update/ https://medium.com/@johnblatt23/uber-hack-reveals-weakness-in-the-human-firewall-8b44a87d43b4 https://securityintelligence.com/articles/what-to-know-honda-key-fob-vulnerability/ https://www.theregister.com/2022/10/07/binance_hack_566m/ https://www.bnbchain.org/en/blog/bnb-chain-ecosystem-update/ https://www.bbc.com/news/business-58193396 https://www.theverge.com/2022/4/18/23030754/beanstalk-cryptocurrency-hack-182-million-dao-voting https://www.coindesk.com/business/2022/10/06/celsius-top-execs-cashed-out-17m-in-crypto-before-bankruptcy/ https://jpgormally.medium.com/cybersecurity-is-a-successfully-failure-9bcf92a1bc88 https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1  

    Uber Breach, MFA fatigue, who can help communicate biz risk?

    Play Episode Listen Later Sep 19, 2022 69:10


    https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell https://www.zdnet.com/article/uber-security-breach-looks-bad-potentially-compromising-all-systems/ https://twitter.com/RachelTobac/status/1571542949606957057   Twitter: @boettcherpwned @infosystir @brakeSec @bryanbrake www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec  

    Manual Code reviews/analysis, post-infosec Campout discussion

    Play Episode Listen Later Sep 2, 2022 60:01


    checkout our website: https://www.brakeingsecurity.com Follow and subscribe with your Amazon Prime account to our Twitch stream: https://twitch.tv/brakesec   Twitter: @infosystir @boettcherpwned @bryanbrake @brakesec Find us on all your favorite podcast platforms! Please leave us a 5 star review to help us grow!

    Amanda's Sysmon Talk -p2

    Play Episode Listen Later Aug 15, 2022 42:43


    Part 2 of our discussion this week with Amanda, Brian, and Bryan on sysmon, We discuss use cases from her talk, and best ways to get sysmon integrated into your environment.   BrakeSec is: Amanda Berlin @infosystir Brian Boettcher @boettcherpwned Bryan Brake @bryanbrake https://www.brakeingsecurity.com   Our #twitch stream can be found at: Https://twitch.tv/brakesec (subscription is req'd to see full videos)

    Amanda's Sysmon Talk -p1

    Play Episode Listen Later Aug 7, 2022 37:13


    This week Amanda, Brian, and Bryan discuss sysmon, how it works to detect IOCs in your org, and how it extends beyond regular Windows event monitoring.   oh... and it's available for Linux too! BrakeSec is: Amanda Berlin @infosystir Brian Boettcher @boettcherpwned Bryan Brake @bryanbrake https://www.brakeingsecurity.com   Our #twitch stream can be found at: Https://twitch.tv/brakesec (subscription is req'd to see full videos)

    Tanya Janca, Securing APIs, finding Security Champions, and accepting Risk

    Play Episode Listen Later Jul 30, 2022 41:37


    Tanya Janca, also known as @SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security'. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives. https://wehackpurple.com   BrakeSec is: Amanda Berlin @infosystir Brian Boettcher @boettcherpwned Bryan Brake @bryanbrake www.brakeingsecurity.com https://twitch.tv/brakesec  

    Tanya Janca on secure coding practices, Swagger docs, and why documentation matters

    Play Episode Listen Later Jul 24, 2022 39:53


    Tanya Janca, also known as @SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security'. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.   https://shehackspurple.ca/   BrakeSec is: Amanda Berlin @infosystir Brian Boettcher @boettcherpwned Bryan Brake @bryanbrake www.brakeingsecurity.com

    PYPI enables 2FA, some devs have a problem with this

    Play Episode Listen Later Jul 14, 2022 56:22


    Full #twitch VOD here (prime sub or paid sub required):  https://www.twitch.tv/videos/1528342722 https://github.com/untitaker/python-atomicwrites https://thehackernews.com/2022/07/pypi-repository-makes-2af-security.html Twitch streams (175+ hours of content!): Https://twitch.tv/brakesec www.brakeingsecurity.com Twitter: @infosystir @boettcherpwned @brakesec @bryanbrake

    JW Goerlich on Training, phishing exercises, security metrics,getting the most from user training

    Play Episode Listen Later Jul 5, 2022 41:08


    JW Goerlich -  “Wolfgang is a cyber security strategist and an active part of the Michigan security community. He co-founded the OWASP Detroit chapter and organizes the annual Converge and BSides Detroit conferences. Wolfgang has held roles such as the Vice President of Consulting, Security Officer, and Vice President of Technology Services. He regularly advises clients on topics ranging from risk management, incident response, business continuity, secure development life cycles, and more.”   https://jwgoerlich.com/   RSA talks and discussion Phishing tests -  https://www.securityweek.com/research-simulated-phishing-tests-make-organizations-less-secure https://hbr.org/2021/04/phishing-tests-are-necessary-but-they-dont-need-to-be-evil What are the goal of these tests?     That someone will click and activate (is that not a given?) What made them popular in the first place? Is this an example of management not taking security seriously, so we needed proof?   https://www.csoonline.com/article/3619610/best-practices-for-conducting-ethical-and-effective-phishing-tests.html FTA: “This will only undermine the efforts of cybersecurity teams as a whole, alienating the very people they aim to engage with, Barker adds. “People generally don't like to be tricked, and they don't usually trust the people who trick them. One counterargument I often hear is that criminals use emotive lures in a phish, so why shouldn't we? Well, criminals also cause physical damage to property, take systems offline, and disrupt services, but physical social engineers and pen-testers don't—for good reason. Simulations should not cause active harm.””   Is this part of a larger issue? Why do we treat these tests the way we do? Typical scenario?Mgmt does not believe or trust their internal people to tell them what is wrong, and takes a 3rd party source/product to tell them the same thing.     Are these stories Apocryphal? Or just my experience?

    RSA conference, Zero Trust, SSO, 2FA, and multi-cloud tenancy with J Goerlich

    Play Episode Listen Later Jun 25, 2022 34:08


    jon-dimaggio-part2-threat intel-hacking back-analyzing malware

    Play Episode Listen Later Jun 16, 2022 37:07


    Author of the #noStarch book "The Art of Cyberwarfare" (https://nostarch.com/art-cyberwarfare)  Topics: discusses his book,  threat intel as a service,  why people enjoy malware analysis? Should people 'hack back' and what legal issues are around that? How do you soften the messaging if you have an insider threat team? www.infoseccampout.com for more information about our 2022 conference in Seattle, WA on 26-28 August 2022! Our full 90 minute stream with Jon, including 30 minutes of audio you won't get on the audio podcast is available at the $5 USD Patreon level, or via our VOD at our Twitch Broadcast site (https://twitch.tv/brakesec) Twitch VOD Link: https://www.twitch.tv/videos/1308277609 Thank you to our Patreon and Twitch supporters for their generous donations and subs and bits!

    Jon DiMaggio_Art-of-cyberwarfare_hacking_back-insider-threat-messaging_P1

    Play Episode Listen Later Jun 9, 2022 41:25


    Author of the #noStarch book "The Art of Cyberwarfare" (https://nostarch.com/art-cyberwarfare)  Topics: discusses his book,  threat intel as a service,  why people enjoy malware analysis? Should people 'hack back' and what legal issues are around that? How do you soften the messaging if you have an insider threat team? www.infoseccampout.com for more information about our 2022 conference in Seattle, WA on 26-28 August 2022! Our full 90 minute stream with Jon, including 30 minutes of audio you won't get on the audio podcast is available at the $5 USD Patreon level, or via our VOD at our Twitch Broadcast site (https://twitch.tv/brakesec) Twitch VOD Link: https://www.twitch.tv/videos/1308277609 Thank you to our Patreon and Twitch supporters for their generous donations and subs and bits!

    news, infosystir's talk at RSA, conti has an 'image' problem

    Play Episode Listen Later May 24, 2022 45:42


      https://www.reuters.com/technology/tesla-cars-bluetooth-locks-vulnerable-hackers-researchers-2022-05-17/ https://portswigger.net/daily-swig/us-revises-policy-regarding-computer-fraud-and-abuse-act-will-not-prosecute-good-faith-research https://www.securityweek.com/conti-ransomware-operation-shut-down-after-brand-becomes-toxic https://portswigger.net/daily-swig/chicago-public-schools-data-breach-blamed-on-ransomware-attack-on-supplier https://www.helpnetsecurity.com/2022/05/23/protect-kubernetes-cluster/ https://www.darkreading.com/application-security/malicious-package-python-repository-cobalt-strike-windows-macos-linux   https://www.bleepingcomputer.com/news/security/fake-windows-exploits-target-infosec-community-with-cobalt-strike/ https://www.darkreading.com/application-security/6-scary-tactics-used-in-mobile-app-attacks  

    Mieng Lim, Ransomware actions, using insurance to offset risk, good IR/PR comms

    Play Episode Listen Later May 15, 2022 36:17


    Full VOD here (must subscribe to Twitch): https://www.twitch.tv/videos/1478955254   Mieng Lim, VP of Product at Digital Defense by HelpSystems Topic she will discuss: Outsmarting RaaS: Strategies to Implement Before, During, and After a Ransomware Attack Webinar: https://www.digitaldefense.com/resources/videos/webinar-outsmarting-raas-strategies-against-ransomware-attacks/ https://www.digitaldefense.com/blog/infographic-the-latest-ransomware-facts/ https://www.digitaldefense.com/wp-content/uploads/2020/07/Digital-Defense-Inc.-Ransomware-Infographic-070621.jpg https://www.digitaldefense.com/blog/the-terrifying-truth-about-ransomware/ Prepared questions from Mieng: Belief that “malicious actors today are using cutting edge techniques for the majority of attacks” Belief that “majority of compromises are via zero-day vulnerabilities” Organizations continue to leave systems unpatched with years old vulnerabilities Belief that “my organization doesn't have anything a malicious actor would be interested in…I'm not a target” My organization has cyber insurance and that's enough. “I don't have budget to buy all the products/hire the staff needed to protect my network.” https://www.techrepublic.com/article/initial-access-brokers-how-are-iabs-related-to-the-rise-in-ransomware-attacks/   https://www.pandasecurity.com/en/mediacenter/security/ransomware-statistics/ As new approaches to ransomware like double extortion continue to pay off, attackers are demanding higher ransom payouts than ever before. The average ransom demand in the first half of 2021 amounted to $5.3 million — a 518% increase compared to 2020. The average ransom payment has also increased by 82% since 2020, reaching a whopping $570,000 in the first half of 2021 alone. The FBI's Internet Crime Complaint Center (IC3) received 2,084 ransomware complaints in the first half of 2021. (FBI and CISA) At least one employee downloaded a malicious mobile application in 46% of organizations in 2021. (Check Point) https://www.marsh.com/us/services/cyber-risk/insights/ransomware-paying-cyber-extortion-demands-in-cryptocurrency.html @infosystir @boettcherpwned @bryanbrake (on Mastodon & Twitter) @brakeSec   Discord Invite! "please click OK to accept the Code of Conduct in the 'Rules-and-info' channel" https://discord.gg/brakesec #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast Apple Podcasts: https://podcasts.apple.com/us/podcast/brakeing-down-security-podcast/id799131292 #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec #Patreon:  https://brakesec.com/BDSPatreon #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    Mieng-Lim-Ransomware-Best-Practices-p1

    Play Episode Listen Later May 11, 2022 36:09


    Mieng Lim, VP of Product at Digital Defense by HelpSystems Topic she will discuss: Outsmarting RaaS: Strategies to Implement Before, During, and After a Ransomware Attack Webinar: https://www.digitaldefense.com/resources/videos/webinar-outsmarting-raas-strategies-against-ransomware-attacks/ https://www.digitaldefense.com/blog/infographic-the-latest-ransomware-facts/ https://www.digitaldefense.com/wp-content/uploads/2020/07/Digital-Defense-Inc.-Ransomware-Infographic-070621.jpg https://www.digitaldefense.com/blog/the-terrifying-truth-about-ransomware/ Prepared questions from Mieng: Belief that “malicious actors today are using cutting edge techniques for the majority of attacks” Belief that “majority of compromises are via zero-day vulnerabilities” Organizations continue to leave systems unpatched with years old vulnerabilities Belief that “my organization doesn't have anything a malicious actor would be interested in…I'm not a target” My organization has cyber insurance and that's enough. “I don't have budget to buy all the products/hire the staff needed to protect my network.” https://www.techrepublic.com/article/initial-access-brokers-how-are-iabs-related-to-the-rise-in-ransomware-attacks/   https://www.pandasecurity.com/en/mediacenter/security/ransomware-statistics/ As new approaches to ransomware like double extortion continue to pay off, attackers are demanding higher ransom payouts than ever before. The average ransom demand in the first half of 2021 amounted to $5.3 million — a 518% increase compared to 2020. The average ransom payment has also increased by 82% since 2020, reaching a whopping $570,000 in the first half of 2021 alone. The FBI's Internet Crime Complaint Center (IC3) received 2,084 ransomware complaints in the first half of 2021. (FBI and CISA) At least one employee downloaded a malicious mobile application in 46% of organizations in 2021. (Check Point) https://www.marsh.com/us/services/cyber-risk/insights/ransomware-paying-cyber-extortion-demands-in-cryptocurrency.html @infosystir @boettcherpwned @bryanbrake (on Mastodon & Twitter) @brakeSec   Discord Invite! "please click OK to accept the Code of Conduct in the 'Rules-and-info' channel" https://discord.gg/brakesec #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast Apple Podcasts: https://podcasts.apple.com/us/podcast/brakeing-down-security-podcast/id799131292 #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec #Patreon:  https://brakesec.com/BDSPatreon #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    Mick Douglas on threat intel, customer worries about being hacked, and more

    Play Episode Listen Later May 4, 2022 66:45


    @bettersafetynet @infosystir @boettcherpwned @bryanbrake @brakeSec   Discord Invite! "please click OK to accept the Code of Conduct in the 'Rules-and-info' channel" https://discord.gg/jhzm4bK9 #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast Apple Podcasts: https://podcasts.apple.com/us/podcast/brakeing-down-security-podcast/id799131292 #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec #Patreon:  https://brakesec.com/BDSPatreon #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    news, famers affected by ransomware, protestware for the 3rd time, trusting opensource

    Play Episode Listen Later Apr 26, 2022 51:40


    https://www.cyberscoop.com/dhs-bug-bounty-122-vulnerabilities-27-critical-hackers/ https://securityaffairs.co/wordpress/130564/hacking/atlassian-jira-authentication-bypass-issue.html     https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html https://www.coalfire.com/the-coalfire-blog/research-reveals-cyber-risk-is-the-best-language https://www.securityweek.com/audio-codec-made-apple-introduced-serious-vulnerabilities-millions-android-phones https://www.cnet.com/tech/mobile/verizon-wireless-customers-report-outages-across-us/ https://www.infosecurity-magazine.com/news/fbi-warns-us-farmers-of-ransomware/ https://www.bleepingcomputer.com/news/security/3-reasons-connected-devices-are-more-vulnerable-than-ever/ https://www.bleepingcomputer.com/news/security/third-npm-protestware-event-source-polyfill-calls-russia-out/ https://securityaffairs.co/wordpress/130497/security/cyber-insurance-global-riskenvironment.html https://securityaffairs.co/wordpress/130443/hacking/cisco-umbrella-default-ssh-key.html https://www.helpnetsecurity.com/2022/04/19/open-source-usage-trends/ https://gizmodo.com/cia-nsa-spies-tracked-anomaly-6-product-demo-1848830150 https://www.infosecurity-magazine.com/news/hackers-gain-admin-rights-with/ https://scottbarrykaufman.com/podcast/ Discord invite (must read and heed the Code of Conduct before admittance to the Discord. https://discord.gg/38eEBYNJ7B (good for 100 invites) Twitch stream: https://twitch.tv/brakesec    

    Mick Douglas discusses What2Log, and guidance in light of Okta incident

    Play Episode Listen Later Apr 21, 2022 42:41


    https://what2log.com/ https://twitch.tv/brakesec https://www.brakeingsecurity.com     @bettersafetynet @infosystir @boettcherpwned @bryanbrake @brakeSec

    logging analysis, log correlation, and threat analysis dicussion continues - p2

    Play Episode Listen Later Apr 10, 2022 35:34


    https://twitch.tv/brakesec www.brakeingsecurity.com @infosystir on Twitter @bryanbrake @boettcherpwned

    Amanda and Bryan discusses log analysis, finding, IOCs, and what to do about them.

    Play Episode Listen Later Apr 5, 2022 35:37


    https://twitch.tv/brakesec www.brakeingsecurity.com @infosystir on Twitter @bryanbrake @boettcherpwned

    Shannon Noonan and Stacey Cameron - process automation -p2

    Play Episode Listen Later Mar 22, 2022 75:34


    Shannon Noonan and Stacey Cameron - QoS Consulting https://www.bizagi.com/en/blog/digital-process-automation/4-ways-to-deliver-change-management-for-process-automation https://www.forrester.com/blogs/the-new-change-management-automated-and-decentralized/   https://www.tibco.com/reference-center/what-is-process-automation   https://kissflow.com/workflow/workflow-automation/an-8-step-checklist-to-get-your-workflow-ready-for-automation/   https://www.malwarearchaeology.com/cheat-sheets   https://overapi.com/   https://www.darkreading.com/attacks-breaches/8-character-passwords-can-be-cracked-in-less-than-60-minutes

    Shannon Noonan and Stacey Cameron - process automation

    Play Episode Listen Later Mar 12, 2022 59:24


    https://www.twitch.tv/brakesec Youtube video (full version): https://www.youtube.com/watch?v=eRwYB22XMNw Shannon Noonan and Stacey Cameron - QoS Consulting https://www.bizagi.com/en/blog/digital-process-automation/4-ways-to-deliver-change-management-for-process-automation https://www.forrester.com/blogs/the-new-change-management-automated-and-decentralized/   https://www.tibco.com/reference-center/what-is-process-automation   https://kissflow.com/workflow/workflow-automation/an-8-step-checklist-to-get-your-workflow-ready-for-automation/   https://www.malwarearchaeology.com/cheat-sheets   https://overapi.com/   https://www.darkreading.com/attacks-breaches/8-character-passwords-can-be-cracked-in-less-than-60-minutes

    K12SIX-project-Doug_Levin-Eric_Lankford-threat_intel-edusec-p2

    Play Episode Listen Later Mar 1, 2022 52:09


    For context, we at the K12 Security Information Exchange (K12 SIX) are a relatively new K12-specific ISAC – launched to help protect the US K12 sector from emerging cybersecurity risk. One of our signature accomplishments in our first year was the development and release of our ‘essential protections' series – an effort to establish baseline cybersecurity standards for schools. See: https://www.k12six.org/essential-cybersecurity-protections https://www.grf.org/ Global Resilience Federation We will help your industry develop or enhance a trusted threat information sharing community, obtain actionable intelligence, and support you in emergencies.   We all count on the resiliency of essential services - services from the electricity powering our homes and the connectivity of entertainment apps, to the legal systems and financial pipelines driving the global economy. But this infrastructure faces constant threats from hacktivists, criminals, and rogue states, and they are growing in sophistication.   Leveraging nearly 20 years of ISAC and ISAO expertise, GRF is a non-profit created to connect sharing communities, for mutual defense.     https://static1.squarespace.com/static/5e441b46adfb340b05008fe7/t/611d5fceff375d79ff4507c7/1629315022292/K12+SIX+Essential+Cybersecurity+Protections+2021+2022.pdf   https://theconversation.com/cybercriminals-use-pandemic-to-attack-schools-and-colleges-167619   https://edscoop.com/texas-school-paid-547k-ransomware-jam/    https://statescoop.com/ransomware-allen-texas-school-district-email-parents/    https://www.toptal.com/insights/innovation/cybersecurity-in-higher-education   https://www.highereddive.com/spons/inside-higher-educations-ransomware-crisis-how-colleges-and-universities/609688/   https://www.cnn.com/2022/01/07/politics/ransomware-schools-website/index.html https://www.13abc.com/2021/02/22/toledo-public-school-students-seeing-effects-of-massive-data-breach/ 2020 report: https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf   85-89% are underneath 2,500 students Omg: https://www.edweek.org/leadership/education-statistics-facts-about-american-schools/2019/01   https://www.youtube.com/watch?v=otv0KzkfLSc –Florida mom, daughter accused of rigging homecoming queen votes break silence l GMA   There are 130,930 public and private K-12 schools in the U.S., according to 2017-18 data from the National Center for Education Statistics (NCES). Here's how they break down:   All: 130,930 Elementary schools: 87,498 Secondary schools: 26,727 Combined schools: 15,804 Other: 901 What are some of the ways you go about addressing the challenge of even reaching smaller schools? Does the isac help?   How do you communicate major security events like log4j? Do you keep track of complications with certain software stacks?   Someone listening might say “hey, I'd love to help…” what/if any opportunities can the larger infosec community do to help your org?

    K12SIX's Eric Lankford and Doug Levin on helping schools get added security -p1

    Play Episode Listen Later Feb 22, 2022 42:28


    The K12 Security Information Exchange (K12 SIX) are a relatively new K12-specific ISAC – launched to help protect the US K12 sector from emerging cybersecurity risk. One of our signature accomplishments in our first year was the development and release of our ‘essential protections' series – an effort to establish baseline cybersecurity standards for schools. See: https://www.k12six.org/essential-cybersecurity-protections https://www.grf.org/ Global Resilience Federation We will help your industry develop or enhance a trusted threat information sharing community, obtain actionable intelligence, and support you in emergencies.   We all count on the resiliency of essential services - services from the electricity powering our homes and the connectivity of entertainment apps, to the legal systems and financial pipelines driving the global economy. But this infrastructure faces constant threats from hacktivists, criminals, and rogue states, and they are growing in sophistication.   Leveraging nearly 20 years of ISAC and ISAO expertise, GRF is a non-profit created to connect sharing communities, for mutual defense.     https://static1.squarespace.com/static/5e441b46adfb340b05008fe7/t/611d5fceff375d79ff4507c7/1629315022292/K12+SIX+Essential+Cybersecurity+Protections+2021+2022.pdf   https://theconversation.com/cybercriminals-use-pandemic-to-attack-schools-and-colleges-167619   https://edscoop.com/texas-school-paid-547k-ransomware-jam/    https://statescoop.com/ransomware-allen-texas-school-district-email-parents/    https://www.toptal.com/insights/innovation/cybersecurity-in-higher-education   https://www.highereddive.com/spons/inside-higher-educations-ransomware-crisis-how-colleges-and-universities/609688/   https://www.cnn.com/2022/01/07/politics/ransomware-schools-website/index.html https://www.13abc.com/2021/02/22/toledo-public-school-students-seeing-effects-of-massive-data-breach/ 2020 report: https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf   85-89% of school systems have 2,500 students or fewer Omg: https://www.edweek.org/leadership/education-statistics-facts-about-american-schools/2019/01   https://www.youtube.com/watch?v=otv0KzkfLSc –Florida mom, daughter accused of rigging homecoming queen votes break silence   There are 130,930 public and private K-12 schools in the U.S., according to 2017-18 data from the National Center for Education Statistics (NCES). Here's how they break down:   All: 130,930 Elementary schools: 87,498 Secondary schools: 26,727 Combined schools: 15,804 Other: 901 What are some of the ways you go about addressing the challenge of even reaching smaller schools? Does the isac help?   How do you communicate major security events like log4j? Do you keep track of complications with certain software stacks?   Someone listening might say “hey, I'd love to help…” what/if any opportunities can the larger infosec community do to help your org?

    Claim Brakeing Down Security Podcast

    In order to claim this podcast we'll send an email to with a verification link. Simply click the link and you will be able to edit tags, request a refresh, and other features to take control of your podcast page!

    Claim Cancel