Hacked Off

Hacked Off demystifies the world of cybersecurity. Hosted by Secarma's Principal Consultant, Holly Grace, it features weekly interviews delving beneath the headlines of the latest hacks, breaches and vulnerabilities, providing expert advice on how to stay safe online. This podcast is brought to you…

Secarma


    • Latest episode: Apr 22, 2024
    • New episodes: monthly
    • Average duration: 32m
    • Episodes: 108


    Latest episodes from Hacked Off

    108. IASME: IOT Security Compliance

    Apr 22, 2024 · 26:18


    Following audience responses to Pod 107 with Jason Blake, Secarma's Jen Williams has circled back to do a deeper dive into the PSTI legislation and IoT devices. With the legislation going live at the end of April, any manufacturers that have not yet found a successful route to show compliance should listen to this podcast, which goes into finer detail with Jason Blake. As IASME's IoT scheme manager, Jason shares a selection of ways to navigate the legislation, and he and Jen discuss the ways to approach an accreditation that will also help any business and their devices to improve on the journey. They also look at the wider implications around unsecured internet devices and the likelihood that governing bodies will levy some large fines early on to impress on manufacturers the importance of complying. For more information regarding IoT and the PSTI legislation, you can check out the resources section of the secarma.com website at https://secarma.com/resources/iot-and-psti/

    107. Jason Blake: IoT and PSTI

    Feb 6, 2024 · 24:22


    Secarma Head of Testing, Simon Chapman, takes over the hosting duties as the Hacked Off podcast returns. Episode 107 focuses on IoT and the new regulations that are forcing manufacturers to place security at the heart of their devices. Simon interviews Jason Blake, IoT scheme manager at IASME, and Jen Williams, who heads up consultancy services at Secarma. Jason talks us through the diverse world of IoT devices, from smart letter boxes to B2B moisture content monitors for farmers, and explains why the need for tighter security regulation is long overdue. Jen approaches the subject from a consumer perspective and raises the risks of a home network that has dozens of 'always on' devices connected, and the average consumer's understanding of this situation. How do we give consumers a confidence around IoT that has perhaps been eroded of late? The panel discuss IASME's IoT Cyber Secure Scheme and why it's one of the simplest ways for manufacturers to give their devices the security health checks that they need. You can find more IoT resources, particularly around the PSTI legislation at https://secarma.com/resources/iot-and-psti/ You can find out more about the IASME IoT scheme on their website at https://iasme.co.uk/internet-of-things/ Or on Secarma's website at https://secarma.com/cybersecurity-services/consultancy/iot-cyber-scheme/

    106. Simon McNamee: Optimising Security Services

    Oct 29, 2021 · 43:11


    In this episode of Hacked Off, Holly interviews Simon McNamee - Secure Impact's Security Technology Lead. This week, they discuss what issues security experts often encounter when working with businesses; both those with a high level of security maturity, as well as those just starting off on that journey. Holly and Simon offer some sage advice to organisations about getting the most out of their security services - it all starts with understanding the difference between these services and recognising what your business is ready for - and they also share some of their own experiences from different on-site engagements. 1:00 Defining Value 7:00 What happens when nothing happens? 10:50 Goals 13:42 Cyber Essentials & beyond 17:35 Are you ready for a pentest? 22:50 Simulating the bad guys 30:40 Creating a distraction 35:50 Not every attack is ransomware Listening time: 43 minutes Host: Holly Grace Williams, on behalf of Secarma Guest: Simon McNamee, Security Technology Lead at Secure Impact Ltd Connect with Simon: www.linkedin.com/in/samcnamee Secure Impact: www.secure-impact.com Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    105. Rob Demain: SOCs and SMEs

    Oct 15, 2021 · 42:27


    For some organisations, using Security Operation Centre services is a great way to minimise the impact of a possible cyberattack. Moving quickly and effectively, SOCs can detect, analyse and respond to breaches if an organisation doesn't have the resources to do so themselves. In this episode we spoke to Rob Demain – founder and CEO at e2e-assure – about the role of SOCs, today's diverse threat landscape, and the importance of research and development when working in cybersecurity. 02:00 Why SOCs? 06:00 Building trust 13:35 Keeping up-to-date 15:40 Delivering the service 23:20 When disaster strikes 29:20 Working with SMEs 33:55 Security risks Listening time: 42 minutes Host: Holly Grace Williams, MD at Secarma Guest: Rob Demain, founder and CEO at e2e-assure Connect with Rob: www.linkedin.com/in/rob-demain-01733468 e2e-assure: https://www.e2e-assure.com/ Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    104. David Barr: Cybersecurity CSI

    Sep 24, 2021 · 30:45


    In the cybersecurity world, the digital forensics dept acts as the Crime Scene Investigation team for a business that has fallen foul of a cyber-criminal. DFI techniques are used to investigate and rectify the problems caused by the hack, and/or bring the perpetrator to justice. Similarly to traditional forensics, cyber incident response teams can find data to use as evidence in the investigation. In this episode, we talk to David Barr – Principal CIRT Consultant at Secure Impact – about the day-to-day of digital forensics, how the scene is evolving, and what to expect from his talk at UnLocked: London Olympia. 00:35 Working in Digital Forensics 07:20 Research 09:20 Investigating the Incident 15:25 When is Digital Forensics needed? 20:10 Is Digital Forensics Evolving? 21:25 Preparing for Forensics Investigations 24:50 UnLocked: London Olympia 28:30 Careers in Digital Forensics If this episode was of interest to you, you can catch more of David at UnLocked: London Olympia on the 28th September. Tickets here: https://www.eventbrite.co.uk/e/unlocked-london-olympia-2021-tickets-153829914415 Listening time: 31 minutes Host: Holly Grace Williams, MD at Secarma Guest: David Barr, Principal CIRT Consultant at Secure Impact Connect with David: https://www.linkedin.com/in/david-barr-a2a639121/ Secure Impact: https://www.secure-impact.com/ Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    103. Declan Doyle: Cyber Resilience

    Aug 20, 2021 · 31:26


    Valuing your SME as ‘too small to get hacked' can leave you complacent and open to attacks, with little to no defences in place. For those who find cybersecurity daunting, there are organisations out there, ready to help. In this episode, we talk to Declan Doyle – head of Ethical Hacking at the Scottish Business Resilience Centre – about cyber resilience, misconceptions around who can get hacked, and understanding clients to best help them stay secure. 00:26 What is the SBRC? 01:35 Resilience 02:55 Helping out 05:35 Misconceptions around size 07:49 Optics and tailoring services 19:55 Different pathways in Cyber 26:50 Engaging with SBRC Listening time: 31 minutes Host: Holly Grace Williams, MD at Secarma Guest: Declan Doyle, head of Ethical Hacking at the Scottish Business Resilience Centre (SBRC) Connect with Declan: https://www.linkedin.com/in/declandoyle/ SBRC: https://www.sbrcentre.co.uk/ Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    102. Nick Blundell: Automating Testing

    Aug 16, 2021 · 65:10


    The medium of cyber-attacks is code, but the mastermind that drives them is always human intelligence. Systems are created by people, and automated tech still can't understand every nuance that humans embed into them. In this episode, we talk to Nick Blundell – head of R&D at AppCheck – about the pros and cons of vulnerability scanning, how hackers can enter weak systems and the need for a blended approach. 00:50 Will automation take over? 04:25 Scanning or Pentesting: the pros and cons 17:30 Issues with automation 22:00 Weak systems 52:50 A blended testing approach Listening time: 1 hour 5 minutes Host: Holly Grace Williams, MD at Secarma Guest: Nick Blundell, head of R&D at Appcheck Appcheck: https://appcheck-ng.com/ Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    101. Greg van der Gaast: Rethinking Recruitment

    Aug 6, 2021 · 31:49


    In a time of record unemployment due to the pandemic, it's strange that cybersecurity job openings receive so few applicants and take 20% longer to fill than typical IT roles. Is there a cyber skills shortage, or are we simply looking in the wrong places? In this episode, we talk to Greg van der Gaast – CISO at Scoutbee GMBH and author of Rethinking InfoSec – about how we can rethink the cyber hiring process and role requirements, in order to find many more suitable candidates. We also touch on diversity, the role of HR, and building stronger enterprising teams. 00:28 Security in supply discovery 02:30 Rethinking InfoSec 09:20 Synergy 12:00 Resourceful recruitment 17:50 Finding the right fit 20:18 Health, safety, and growth 27:44 The role of HR Listening time: 32 minutes Host: Holly Grace Williams, MD at Secarma Guest: Greg van der Gaast, CISO at Scoutbee GMBH and author of Rethinking InfoSec Scoutbee GMBH: https://www.linkedin.com/company/scoutbee/ Connect with Greg: https://www.linkedin.com/in/gregvandergaast/ Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    100. Jai Aenugu: Why We Have to Win Every Time

    Jul 26, 2021 · 46:16


    To celebrate Hacked Off's 100th episode, we spoke with Jai Aenugu – founder of TechForce Cyber - a highly regarded cybersecurity resilience organisation with offices in both Edinburgh and Aberdeen. This week's podcast features conversation around what sets Scotland apart in terms of cybersecurity, doing one thing and doing it really well, plus security essentials for SMEs, and an overview of the NotPetya and Kaseya cyber-attacks. 0:49 Cybersecurity in Scotland 4:45 Why found an InfoSec business? 7:00 The Kaseya attack 10:10 Minimising impact 14:00 Don't plan for ransomware 19:45 Security bias 25:00 When phishing turns foul 30:30 Risk 37:00 The baseline and beyond 41:00 Look after the customer Listening time: 46 minutes Host: Holly Grace Williams, MD at Secarma Guest: Jai Aenugu, Founder of TechForce Cyber TechForce Cyber: www.techforce.co.uk Contact: hello@techforce.co.uk Connect with Jai: www.linkedin.com/in/jai23155/?originalSubdomain=uk Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    099. Ian Murphy: Against Apathy

    Jul 16, 2021 · 45:10


    Workplace security training can be hit or miss; to keep your business safe, your awareness training needs to be memorable, but a conventional annual security presentation on passwords and phishing scams can be tedious and forgettable. In this episode, we talk to Ian Murphy – founder and content creator at CyberOff, and co-founder of LMNTRIX – about how we can utilise engaging, out-of-the-box content to revamp security training and get the general population excited about security practices. 00:50 Creating engaging content 06:48 The need for a new approach 15:00 Context, content and culture 19:45 Attracting an audience 21:40 What's going wrong? 24:15 The need for good communication 30:53 Building content 37:20 Valuing time and skills Listening time: 45 minutes Host: Holly Grace Williams, MD at Secarma Guest: Ian Murphy, Founder of CyberOff and Co-Founder of LMNTRIX CyberOff: www.cyberoff.co.uk LMNTRIX: www.lmntrix.com Connect with Ian: www.linkedin.com/in/ianmurphy Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    098. Javvad Malik: What Makes Effective Security Awareness Training?

    Jul 12, 2021 · 46:15


    Security awareness training is a common requirement in most businesses, but oftentimes it can be difficult to effectively teach employees how to recognise and respond to security risks. In this episode, we speak with Javvad Malik – Security Awareness Advocate at KnowBe4, co-founder of Security B-Sides London and cybersecurity blogger – about the variety of risks out there, the challenges of security awareness training, and how best to promote it. 00:28 What is a Security Awareness Advocate? 02:45 Challenges 11:14 Messaging 16:20 Importance of Security Champions 19:25 Minimising risk 21:45 Lesser-known types of phishing attacks 29:20 Promotion 38:10 The fear of embarrassment 40:40 Bias and the role of marketing Listening time: 46 minutes Host: Holly Grace Williams, MD at Secarma Guests: Javvad Malik, Security Awareness Advocate at KnowBe4 KnowBe4: www.knowbe4.com Connect with Javvad: www.linkedin.com/in/javvad/ Javvad on Twitter: www.twitter.com/J4vv4d Resources: Daniel Kahneman's Ted Talk: https://www.ted.com/talks/daniel_kahneman_the_riddle_of_experience_vs_memory Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    097. Dr Andrea Cullen & Lorna Armitage: Women in Cyber

    Jul 5, 2021 · 44:10


    Studies in recent years have revealed how little diversity there is within the cybersecurity industry, with women making up only 8% of the cyber workforce in the UK. In this episode, we speak with Dr Andrea Cullen and Lorna Armitage – co-founders of cyber training organisation CAPSLOCK – about the difficulties of getting into cyber, the need for accessibility and inclusivity in the industry, and recruitment advice for organisations and those wanting to get hired. 02:52 Obstacles for those wanting to enter the industry 09:33 Cyber skills 14:05 Building confidence 16:35 Breaking into cyber 21:32 Imposter syndrome and conquering fears 31:14 Finding yourself and your strengths 36:14 The importance of finding a good fit 39:21 Advice for those wanting to get into the industry and recruiters Listening time: 44 minutes Host: Holly Grace Williams, MD at Secarma Guests: Dr Andrea Cullen and Lorna Armitage, co-founders of CAPSLOCK CAPSLOCK: https://www.capslock.ac Connect with Andrea: https://www.linkedin.com/in/dr-andrea-c-57a29522/ Connect with Lorna: https://www.linkedin.com/in/lorna-armitage/ Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    096. Natasha Taylor: The Future of Cybersecurity Events

    Jun 25, 2021 · 45:07


    Over the past year and a half, the event industry has had to adapt like never before, and this led to many events going online via webinars, digital roundtables, and large-scale virtual conferences. In this episode, we interviewed Natasha Taylor - Senior Conference Producer at DTX - about what makes a successful cybersecurity event, networking from home, and what the future of tech conferences could look like. 0:40 Preparation is everything 4:36 What makes a good panel or presentation? 8:50 It's good to disagree 14:55 Overcoming obstacles 17:20 Technical difficulties 22:30 Why you should give public speaking a go 26:00 Finding a balance 34:20 The future of networking Listening time: 45 minutes Host: Holly Grace Williams, MD at Secarma Guest: Natasha Taylor, Senior Conference Producer at DTX Europe & DTX Manchester DTX Europe: www.dt-x.io/europe/en/page/dtx-europe DTX 360: www.dtx360.io/live/en/page/home Connect with Natasha: www.linkedin.com/in/natasha-taylor-6969a0a9 Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    095. Kathleen Booth: How Cyber Criminals Target Your Marketing Team

    Jun 18, 2021 · 42:11


    This week, Holly is joined by Clean.io's Kathleen Booth to talk about how the very methods that marketing teams use to bring in customers may also attract the unwanted attention of cyber-criminals. Whether it's third party plug-ins, digital ads, or even a stray tweet - hackers can corrupt your marketing department's efforts and attack your organisation. Thankfully, there are ways to balance robust business security without cutting your marketing team off at the knees. Listen to this week's interview for discussion around innovative yet secure marketing strategies, the importance of cybersecurity awareness training, and why marketers and security staff should be best friends. 0:20 About Clean.io 2:47 3rd party code: what are the risks? 13:00 Broaden your security awareness training 21:00 Marketing + Security 29:10 The attack surface 31:55 Good cyber hygiene 32:55 The keys to the kingdom 35:55 How it feels to be hacked Listening time: 42 minutes Host: Holly Grace Williams, MD at Secarma Guest: Kathleen Booth, VP Marketing at Clean.io Find out more here: www.clean.io Kathleen's podcast: https://inboundsuccesspodcast.com Connect with Kathleen: www.linkedin.com/in/kathleenslatterybooth Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    094. Patricia Keating: How Crisis Spawns Innovation

    Jun 7, 2021 · 36:01


    This week, Holly speaks with Patricia Keating, founder of Tech Manchester - a start-up hub designed to upskill Manchester-based entrepreneurs, nurture their ideas, and connect them with investors. They discuss cybersecurity for start-ups, the tech business landscape in Manchester, and how virtual conferencing allows you to be in two places at once. 1:20 Working with start-ups 3:55 Is London the only tech hub? 5:30 Common misconceptions 7:55 Mentoring tech business founders 12:00 What does "failing" mean? 16:00 Work-life balance 22:35 Crisis spawns innovation 30:05 Working from home means working anywhere 34:00 Sharing the journey Listening time: 36 minutes Host: Holly Grace Williams, MD at Secarma Guest: Patricia Keating, Founder of Tech Manchester Find out more here: www.techmanchester.co.uk Patricia's podcast: www.podcasts.apple.com/gb/podcast/fastforward/id1438089653 Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    093. Dr Dan Prince: Teaching the Next Generation to Think Differently

    May 28, 2021 · 42:59


    This week, Holly delves deeper into the topic of security higher education and training with Dr Dan Prince - Senior Lecturer in Security and Protection Science at Lancaster University's School of Computing and Communications. Together, they discuss the challenges that the mentors of today have when teaching the security experts of tomorrow, how to prepare students for threats that may not exist, and how thinking differently may be the key to keeping one step ahead of threat actors. 1:00 Preparing the next generation 4:30 Creating the framework for a Masters in security 9:55 Where is the line? 17:15 Know your enemy 20:40 Working with the NCSC 29:30 Bridging the disconnect 34:00 Taking notes from R2-D2 36:00 How does Lancaster University engage with companies? Listening time: 43 minutes Host: Holly Grace Williams, MD at Secarma Guest: Dr Dan Prince, Senior Lecturer at Lancaster University Contact Dan here: www.linkedin.com/in/drdanielprince You can find more info about Lancaster University's security research centre here: www.lancaster.ac.uk/scc Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    092. University of Salford & Tanium: Higher Education's Security Challenges

    May 21, 2021 · 60:49


    Recently, the University of Salford announced their partnership with Tanium, to help the education institution improve their security against an increase of attacks. Universities have been high up on the target list for threat actors over the course of the pandemic, and these nefarious parties aren't slowing down anytime soon. In this episode, Holly interviews Mark Wantling - the University of Salford's CISO, as well as Chris Vaughan of Tanium to understand more about their partnership and trade tips on protecting the education sector from cyber-attacks. 1:00 Security challenges in higher education 3:40 Joiners, movers, and leavers 8:30 Are the basics really all that basic? 13:10 How Covid-19 has pushed digital transformation 15:00 Visibility is key 22:00 Your whole security team vs a single pentester 33:00 Are universities sitting ducks for cybercriminals? 37:45 Should you pay the ransom? 40:00 Stop calling it a ransomware attack 45:50 Are you setting the bar high enough? 57:30 Timing is everything 59:00 Closing remarks Listening time: 60 minutes Host: Holly Grace Williams, MD at Secarma Guests: Mark Wantling, CISO at the University of Salford Chris Vaughan, Technical Account Manager at Tanium More info on Salford & Tanium's partnership: www.tanium.com/customers/university-of-salford www.tanium.com/press-releases/tanium-helps-protect-the-university-of-salford-from-surge-of-cyberattacks Contact Mark here: www.linkedin.com/in/mark-wantling-7b149690 More about the University of Salford: www.salford.ac.uk Contact Chris and other Tanium reps here: www.tanium.com Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455 NCSC approved security tips: www.ncsc.gov.uk/collection/10-steps

    091. Evan Jones: Demystifying Security Architecture

    May 17, 2021 · 50:50


    Although our specialty is penetration testing, there's a wide variety of interesting roles available within the security industry. In this episode, Holly sits down with Evan Jones of Complete Cyber, to explore the ins and outs of security architecture. Over the course of the conversation, they discuss the skills necessary to become a security architect, the benefits of using a pen and paper to map out possible threats, and Evan also explains how solution architecture is a lot like a Rubik's cube... somehow. 0:35 Transferring your skills 3:30 What is a security architect? 15:00 What makes a good security architect? 17:00 Dear customers, help us help you 30:30 Threat modelling with a pen and paper 44:20 Very naughty people and adapting to your audience 46:00 The 6th face of the cube Listening time: 50 minutes Host: Holly Grace Williams, MD at Secarma Guest: Evan Jones, Lead Security Architect at Complete Cyber Find out more here: www.completecyber.co.uk www.twitter.com/completecyber Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    090. Jonathan Slater: Start-ups and Starting Again: The Benefits of Reskilling

    Apr 30, 2021 · 50:00


    In last week's episode we talked about how security professionals can leverage their skills to get into cyber, but how do you obtain those skills in the first place? Enter Jonathan Slater, co-founder of CapsLock and our guest for today. In this episode, we discuss his journey from nuclear, to recruitment, to co-founding a disruptive education model that's designed to help everyone from bus drivers to web developers gain a qualification - and most importantly, employment - in cybersecurity. We also take a deep dive into how candidates can make themselves more attractive to hiring managers, diversity in cyber, and the benefits of starting all over again. 3:15 Stepping down to step up 5:50 Roles to work towards 14:00 Group projects 20:00 Communication, communication, communication 22:30 Increasing your employability 26:15 Sidebar - what is DevSecOps? 31:40 Diversity in cyber 35:15 Reskilling recommendations 36:50 Different roles, sectors, and company sizes 41:30 Standing out from the crowd Listening time: 50 minutes Host: Holly Grace Williams, MD at Secarma Guest: Jonathan Slater, Co-founder of CapsLock Find out more here: www.capslock.ac Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    089. Jay Jay Davey: Getting Into Cybersecurity

    Apr 23, 2021 · 43:20


    In this episode, Holly interviews Jay Jay Davey - SOC Analyst at CyberClan and founder of NoxCyber - a one stop page of career advice for aspiring cyber security professionals, with resources to help you get into the industry. We spoke with him about the different routes into cyber, as well as what to do once you're in. Listen to this episode for career advice, CV tips, and why explaining what networks are to your parents could lead you being a CEO's shoulder to cry on one day. 1:05 About NoxCyber 2:40 Getting into cybersecurity 7:15 Getting hired 13:05 The different roles in cyber 22:30 Are mentors vital? 26:35 Public speaking 37:00 Develop your writing skills and promote yourself 40:10 The importance of emotional intelligence in cyber Listening time: 43 minutes Host: Holly Grace Williams, MD at Secarma Guest: Jay Jay Davey, founder of NoxCyber Find Jay Jay here: www.noxcyber.co.uk www.linkedin.com/in/noxcyber Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455

    088. Shauni Adekoya: Marketing Cybersecurity Services

    Apr 16, 2021 · 32:06


    In this episode, Holly sits down with Shauni - our Marketing Manager - to discuss how she promotes technical services to a non-technical audience. Marketers in the security industry have a pretty big task on their hands; as technical people - cybersecurity is our passion (hence last week's 55 minute rant about security policies), but how do you create content that appeals to CEOs and other non-technical decision makers? Over the course of the conversation, we discuss Shauni's journey from fashion marketing to cybersecurity, what she has in common with a lot of penetration testers, and how much marketing fluff is too much. 1:30 How did you get into cybersecurity? 4:30 What's the goal of a marketer? 6:00 Do you consider yourself to be technical? 12:15 Is cybersecurity an intimidating industry? 14:30 Sharing knowledge 18:45 Are InfoSec marketers and penetration testers that different? 25:50 Making content accessible 30:40 You've gotta start somewhere Listening time: 32 minutes Host: Holly Grace Williams, MD at Secarma Guest: Shauni Adekoya, Marketing Manager at Secarma Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455 Blogs: www.secarma.com/blog News: www.secarma.com/news

    087. Michael Ranaldo: Your Security Policy Needs to Make Sense

    Apr 9, 2021 · 55:30


    In this episode, Holly and Michael have an in-depth discussion - okay, maybe it's a little bit of a rant - about security policies. Many organisations' cybersecurity policies are rarely given the attention they deserve, despite them being such an important part of protecting your business. Over the course of this conversation, Holly and Michael take a look at policy building and reviewing, common mistakes that organisations tend to make, and why you should be worried if no one on your team has any questions after "reading" through the policy... 0:15 Policy review 3:20 Rethink your security policy 11:00 Exceptions to the rule(s) 14:30 Does everyone in your organisation understand your security policy? 22:30 Are your rules made to be broken? 24:20 Our recommendations 27:00 What counts as a major system change? 31:35 Vulnerabilities and hardening 38:20 What, where, when, and why 43:10 A security policy rant 45:00 Don't restrict your staff 52:50 To be continued... Listening time: 55 minutes Host: Holly Grace Williams, MD at Secarma Guest: Michael Ranaldo, vISM & CSMA Security Consultant at Secarma Our website: www.secarma.com Tweet us: www.twitter.com/Secarma Events: www.eventbrite.co.uk/o/secarma-ltd-31129456455 Security Awareness Training: www.secarma.com/cybersecurity-services/security-training/security-awareness-training

    086. Thomas Ballin: The MITRE ATT&CK Framework

    Mar 26, 2021 · 34:17


    In this episode, Holly and Thomas discuss the MITRE ATT&CK framework and the multi-layered security strategies that organisations need to defend against threat actors. 0:58 What is the MITRE ATT&CK framework? 9:50 A real-world breach progresses in layers 11:50 Using MITRE ATT&CK 15:08 Communication is key 16:50 Vulnerability scan, penetration test, or red team? Yes. 30:23 How to get started Listening time: 34 minutes Host: Holly Grace Williams, MD at Secarma Guest: Thomas Ballin, Testing Team Lead at Secarma MITRE ATT&CK framework link: www.attack.mitre.org Our website: www.secarma.com

    085. Certifications and Training

    Mar 19, 2021 · 16:34


    What are the benefits of gaining skills that are a little broader than the niche you work in? In this episode, we have a discussion around certifications, training, and upskilling. We also provide a brief overview of our penetration testing training courses, which are a great resource for businesses that are looking to upskill their security and IT teams, as well as for tech-savvy individuals that want to break into pentesting. 0:50 Holly's own experience with recent exams 4:45 Reasons to upskill 8:30 Breaking into the cybersecurity industry 9:40 Our Hacking & Defending training courses Listening time: 16 minutes Host: Holly Grace Williams, MD at Secarma Sign up for our upcoming Hacking & Defending Networks training course, a full day's hands-on pentesting experience, hosted by our experts: https://bit.ly/3txOMoF Our website: www.secarma.com Our Security Training page: www.secarma.com/cybersecurity-services/security-training/ Find out more here: www.secarma.com/introducing-our-new-security-training-courses/

    084. CyberFirst Girls: Creating a Diverse Talent Pool

    Mar 12, 2021 · 37:11


    The Hacked Off podcast is back! In this episode, we sit down with Sarah and Sian from the NCSC's CyberFirst initiative to talk about the CyberFirst Girls competition. The National Cyber Security Centre is committed to developing the UK's next generation of IT professionals and has a number of fantastic initiatives designed to introduce 11 – 17 year olds to the fast-paced world of cybersecurity. We need the broadest mix of minds to tackle the security threats of tomorrow, and the NCSC's CyberFirst Girls competition is all about developing that diverse talent pool. The competition is a girls-only event for 12-13 year olds who may be considering a future in cyber, and includes lots of fun activities that will test their problem solving skills to reveal if they have the aptitude required for a career in this exciting industry. Useful Links: Our website: www.secarma.com The latest cybersecurity and tech news: www.secarma.com/news CyberFirst: www.ncsc.gov.uk/cyberfirst/overview The CyberFirst Girls Competition: www.ncsc.gov.uk/cyberfirst/girls-competition Listening time: 37 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma

    2020: A Year in Review

    Play Episode Listen Later Nov 26, 2020 22:00


    It's the last podcast of the year, so Holly is revisiting some of our key guest interviews from 2020. We also couldn't do 'A Year in Review' without discussing the impact of the pandemic on business security, and how now is the time to revisit your change management and risk register. Key points: 0'34 Our new training course 4'00 Lockdown and change management 6'49 Time to review the risk register 8'14 Security Awareness Training 10'52 What kind of attacks do we need to worry about? 15'58 Turning off antivirus 17'42 The future of phishing scams Useful Links: Our new training webinars and courses - https://www.eventbrite.co.uk/o/secarma-ltd-31129456455 Jenny Radcliffe's podcast - https://soundcloud.com/hackedoff/044-jenny-radcliffe-hacking-the-human Kevin Fielder's podcast - https://soundcloud.com/hackedoff/061-kevin-fielder-building-security-teams-and-culture Mike Koss's podcast - https://soundcloud.com/hackedoff/047-mike-koss-hear-no-evil-see-no-evil James Mckinlay's podcast - https://soundcloud.com/hackedoff/049-james-mckinley-why-i-turned-antivirus-off Listening time: 22 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma

    082. The Biggest Threats To Your eCommerce Business

    Play Episode Listen Later Nov 19, 2020 18:17


    Generally when you think of eCommerce attacks you probably think of theft of personal information and payment cards, when in fact there are many ways a hacker could attack your online store. Holly Grace discusses the most common threats to eCommerce businesses, and a few you may not have considered before! Key points: 0'47 CIA - Confidentiality, Integrity and Availability 1'38 Denial of Service Attacks 6'43 How to protect your business from Denial of Service Attacks 8'08 Compromising user/administration accounts 11'11 Preventing credential stuffing and horizontal brute force attacks 14'30 Moonpig's breach Listen Time: 18 minutes Host: Holly Grace Williams, MD at Secarma

    081. PenTesting APIs

    Play Episode Listen Later Nov 12, 2020 12:16


    Application Program Interfaces have increasingly become a target for hackers. With 6 of the OWASP Top 10 vulnerabilities being API related, it is no surprise that OWASP released their first list of API Security Top 10, last year. For those wanting to better understand the process of API penetration testing, Holly Grace takes you through the process, from scoping the job to which vulnerabilities to look out for. 0'16 What is an API? 2'11 Scoping an API test 4'11 Making API testing more efficient 5'54 What vulnerabilities are we looking for? 8'29 Rate limiting 9'52 The Google+ API bug Useful links: OWASP API Security Top 10 - https://owasp.org/www-project-api-security/ Listen Time: 12 minutes Host: Holly Grace Williams, MD at Secarma

    080. eCommerce Security Issues to Address Ahead of Black Friday

    Play Episode Listen Later Nov 5, 2020 14:25


    Is your online store ready for Black Friday and Christmas shopping? Have you considered how automated bots, fake reviews, plugins and a data breach could wreak havoc over the busiest shopping period of the year? This podcast is a perfect starting point for eCommerce businesses wanting to secure their business ahead of the mad rush! 0'52 Preventing the use of automated bots and buying scripts 3'33 How to avoid fake reviews 5'45 What we can learn from the British Airways data breach 10'09 Using Subresource Integrity (SRI) to prevent malicious scripting attacks 12'12 Be aware of plugins Listening time: 14 minutes Host: Holly Grace Williams, MD at Secarma

    079. Month In Review: Nation State Hacks and Zero-days

    Play Episode Listen Later Oct 29, 2020 13:32


    This month there has been a lot going on in the world of cybersecurity. With major IT firm Sopra Steria getting hit by a cyberattack, Apple paying out over $250,000 to a team of bug hunters for finding 55 vulnerabilities in Apple systems, as well as the USA indicting 6 Russian Intelligence Officers for a range of attacks such as attacks against the Ukrainian Power Grid and the 2017 NotPetya attack. Key Points: 0'20m Google Project Zero, Zero Days and Chrome Vulns 3'14m Fifty-five Apple Bugs and over $250,000 in bounty pay-outs 6'15m Hackney Council Hit by "Hack Attack" 8'06m Six GRU Officers indicted for major hacks 11'00m Sopra Steria hit by cyberattack Useful links: https://chromereleases.googleblog.com/ https://samcurry.net/ Listen Time: 14 minutes Host: Holly Grace Williams, MD at Secarma

    078. Alyssa Miller: Threat Modelling and DevSecOps

    Play Episode Listen Later Oct 22, 2020 38:55


    Threat modelling is broader than just security, and DevSecOps is more than just secure code. Application Security Advocate Alyssa Miller talks passionately about the importance of a collaborative approach to security, where implementing a culture of building efficiently and understanding security as you go can help with getting ahead of the game. 0'22 Alyssa Miller - the Application Security Advocate 2'20 What is threat modelling? 4'32 Where do you begin with threat modelling? 9'45 Continuous improvement - being more secure tomorrow than we are today! 13'39 The user story 19'32 It's not about WHO is hacking you, but WHAT they're hacking 23'04 Monitor, mitigate and protect 27'45 Implementing threat modelling into DevSecOps to make security more efficient Alyssa's Social Media: https://twitter.com/AlyssaM_InfoSec https://www.linkedin.com/in/alyssam-infosec/ https://alyssasec.com/ Listening Time: 38 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma Guest: Alyssa Miller, Application Security Advocate at Snyk

    077. Keeping Mobile Devices Secure

    Play Episode Listen Later Oct 15, 2020 14:16


    Mobile Device Management increases security, reduces risk and plays an important role in Government certified assurance models. Holly Grace discusses the role of device management for Cyber Essentials, and the challenges that come with employees using their own devices at work. Key points: 1'08 What is Mobile Device Management (MDM)? 3'05 Device Management for Cyber Essentials 8'27 Bring your own device (BYOD) 11'30 Passwords, pass codes and pin numbers Listening Time: 14 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma

    076. Joe Thorpe: Hacking Mobile Apps

    Play Episode Listen Later Oct 8, 2020 17:16


    We speak to our co-worker Joe Thorpe, Senior Security Consultant at Secarma, who specialises in app testing. He gives us the lowdown on hacking mobile apps, how they're similar to web apps, which vulnerabilities are most common and how to choose the right testing for your mobile app. Key points: 0'43 What is mobile application testing? 3'43 Similarities to web application testing 4'49 Finding vulnerabilities in mobile apps 7'21 Hacking mobile apps with Frida and bypassing root detection 9'33 Choosing the right kind of testing for your mobile app 13'09 The Tinder app vulnerability 14'48 The most common vulnerabilities Useful links: Mobile App OWASP Top 10 - https://owasp.org/www-project-mobile-top-10/ Mobile Application Testing - https://www.secarma.com/services/penetration-testing/mobile-application-penetration-testing.html Listening Time: 17 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma Guest: Joe Thorpe, Senior Security Consultant at Secarma

    075. Month in Review: Cyber Attacks aren't always Financially Motivated!

    Play Episode Listen Later Oct 1, 2020 16:00


    In September's Month in Review, Holly Grace is delighted to announce that this month's hacks aren't all about ransomware! From political motivation to notoriety, she discusses the different kinds of motives a hacker may have, and the kinds of attacks they might use to get what they want. Key Points: 0'55 Financially Motivated: KuCoin Hack 3'07 Insider Threat: AT&T Hack 7'09 Politically Motivated: Op Payback 12'00 Different types of attacks Listening Time: 16 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma

    074. Martin Lethbridge: There’s more to Firewalls than Blocking Packets

    Play Episode Listen Later Sep 24, 2020 57:49


    There's more to firewalls than simply installing them and leaving them to it! WatchGuard's Senior Sales Engineer Martin Lethbridge, joins Holly Grace Williams to discuss common firewall misconceptions, and how to get the most out of your firewall to ensure your organisation is safe. 0'22 Guest introduction 2'10 Firewall misconceptions - they aren't just for your network perimeter 6'52 Protecting your laptop on 'dirty networks' - working from home or remotely 11'59 Security vs convenience 17'43 The importance of VLAN and network segmentation 19'45 Don't just block it, monitor it, review it, maintain it 26'53 Deep packet inspection 38'41 Why you need to update your firewall 41'47 What you need to do when you go back to the office after lockdown Useful links: Martin's LinkedIn - https://www.linkedin.com/in/martinlethbridge/ Watchguard - https://www.guardsite.co.uk/ Firewall Configuration Security Review - https://www.secarma.com/services/cybersecurity-assessment/firewall-configuration-security-review.html Listening Time: 57 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma Guest: Martin Lethbridge, Senior Sales Engineer at Watchguard

    073. Vulnerabilities in Firewalls

    Play Episode Listen Later Sep 17, 2020 14:38


    Although perimeter-breaking vulnerabilities are quite rare, they're certainly not unheard of. Firewalls aren't perfect systems and they can have vulnerabilities too. In this week's episode, Holly Grace looks at some previous critical vulnerabilities in firewalls and tries to highlight some key lessons learned. 4'37 The firewall vulnerability 'BENIGNCERTAIN' 7'22 Protecting your organisation against threat actors gaining internal network access 10'47 How to protect firewall interface Useful link: Firewall Configuration Security Review - www.secarma.com/services/cybersec…urity-review.html Listening time: 14 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma

    072. An Intro: Firewall Security

    Play Episode Listen Later Sep 10, 2020 23:57


    Our latest 'Intro' podcast takes a look at Firewall Security. Holly discusses different types of firewalls, the importance of network segmentation and Firewall Configuration Security Reviews, and how firewalls are targeted during a pentest. 1'30 How are firewalls targeted during a Penetration Test? 8'29 Network segmentation 11'08 How threat actors jump between networks 13'56 Next Generation Firewalls 19'14 Web Application Firewalls Useful links: Firewall Configuration Security Review - https://www.secarma.com/services/cybersecurity-assessment/firewall-configuration-security-review.html Listening time: 24 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma

    071. Month In Review: Bribery & Bug Bounties

    Play Episode Listen Later Sep 3, 2020 15:13


    From bribery to bug bounties! In August's Month in Review podcast, Holly Grace discusses the failed social engineering attack on a Tesla employee, and the uproar off the back of Slack's minimal payout to a researcher for a critical security bug. Key points: 1'20 The failed social engineering attack against Tesla 3'05 How to test your organisation against bribery 8'21 Critical security bug discovered through Slack's bug bounty program 10'06 How much is a bug worth? Let us know your thoughts on the Slack Bug Bounty over social media: Twitter - @Secarma LinkedIn - @Secarma Ltd Listening time: 15 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma

    070. How Vulnerability Scanners Work

    Play Episode Listen Later Aug 27, 2020 65:51


    Whilst Secarma perform Penetration Testing, which is an in-depth approach to security testing, organisations can get additional assurance through ongoing automated security scanning. Nick Blundell, AppCheck's Head of R&D, joins us on our podcast to discuss how vulnerability scanners work, their pros and cons, and how they complement Penetration Testing to achieve a balance of depth and frequency. 0'20 Nick's background 2'00 How do you map web applications? 4'52 How do scanners work 22'29 Making scanners more intelligent 28'02 Penetration Testing plus Vulnerability Scanning 30'52 Why is automated scanning hard? 53'17 How does a scanner handle authentication? Useful links: https://www.secarma.com/services/cybersecurity-assessment/vulnerability-scanning.html Listening Time: 1 hour Hosted by: Holly Grace Williams, Managing Director at Secarma Guest: Nick Blundell, Head of R&D at AppCheck

    069. An Introduction to the OWASP Top 10

    Play Episode Listen Later Aug 20, 2020 17:42


    The OWASP Top 10 is a list of the 10 most common web application vulnerabilities. This podcast provides an introduction to this awareness document, and why it's so beneficial to organisations and their journey to better security. Key Points: 1'00 Who are the Open Web Application Security Project? 2'18 What is the OWASP Top 10? 7'55 The current OWASP Top 10 list 9'04 Why it's such a useful document 10'19 Other 'Top 10' lists 11'27 The OWASP Top 10 isn't the be all and end all! Listening time: 17 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma

    068. An Intro: Vulnerability Scanning

    Play Episode Listen Later Aug 13, 2020 26:05


    This podcast provides an excellent introduction to vulnerability scanning, covering how it works and what it tests. It discusses the benefits of vulnerability scanning and how, alongside penetration testing, it can provide an organisation with a more continuous testing model. Key points: 1’34 What is vulnerability scanning? 2’16 What does vulnerability scanning test? 9’09 How a scanner grades a vulnerability 11’47 Pentesting v vulnerability scanning 14’40 The benefits of vulnerability scanning 24’09 Overview Listening time: 26 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma

    067. Month in Review: Data Stolen and Ransoms Paid

    Play Episode Listen Later Aug 6, 2020 18:20


    In July it was revealed that travel company CWT paid $4.5 million in ransom to cyber criminals. Whilst shocking, ransomware is unfortunately not new and not uncommon. Secarma’s MD, Holly Grace Williams, discusses why ransomware is such a popular option for cyber criminals and how companies can prepare for potential attacks with incident response training. Key Points: 1’05 Paying ransoms 2’00 Why is it always ransomware? 2’40 CWT’s ransom negotiation conversation 5’15 Incident response training for ransomware 10’22 The TikTok ban in the US 12’07 Technically, how would you ban TikTok? 15’09 Coming soon - Secarma Webinars! What content would you like to see in our webinars? Let us know on social or email us at enquiries@secarma.com. https://www.linkedin.com/company/secarma-uk/ https://twitter.com/Secarma Listening time: 18 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma

    066. Encryption isn't Magic

    Play Episode Listen Later Jul 30, 2020 27:58


    After a brief break, the Hacked Off Podcast is back! If you missed our MD’s Trusted Tech Talks webinar last week, Holly Grace Williams summarises the key points of her presentation, Encryption isn’t Magic: Hackers Can Break It. She discusses why encryption is a little more complex than being on or off and the importance of configuring it correctly. Key points: 0’33 Introduction 4’20 Cryptography lasts a long time 7’44 Grading cryptographic weaknesses 11’30 How quickly can you crack passwords and how much does it cost? 17’45 What other hashes might we commonly come across? 22’45 The problem with password strength meters 24’30 Summary Listening time: 19 minutes Hosted by: Holly Grace Williams, Managing Director at Secarma

    065. - PenTesting: Efficiency vs Realism

    Play Episode Listen Later Jun 18, 2020 18:38


    In today's episode we talk about penetration testing realism versus efficiency, and why aiming for a security test that exactly matches the options available to criminals isn't always possible and isn't always desirable. It's all about the context. Key points: 1'05 The motivation behind an assessment is key 2'10 When realism is key 3'45 When total realism isn't possible 8'40 Technique-orientated vs goal-orientated 14'40 Fix the fundamentals first Listening time: 19 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma

    064. Mike Jones: Privacy and OpSec

    Play Episode Listen Later Jun 11, 2020 46:06


    Privacy is a right and it is important to protect that right, but operational security is hard. Mike Jones joins us again to talk all things OpSec and we cover some things to check to make sure your privacy is protected. Key Points: 1'30 Why is Privacy important? 4'20 Photos, GPS and Geotagging 10'15 Social Media settings 12'15 Removable Media 14'15 Communications security and Leaks 18'00 Privacy and Adult Entertainment 24'30 Balancing operational security and convenience 29'00 Cleaning up Data footprints 34'23 Situational Awareness 38'30 Burner Accounts Links: Operation Robin Sage - https://en.wikipedia.org/wiki/Robin_Sage Listening Time: 46 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma Guest: Mike Jones, Security Researcher

    063. Incentivising the Security Team

    Play Episode Listen Later Jun 4, 2020 18:05


    In today's episode we talk about incentivising your Security Team and making sure that the defensive team are getting praise for a job well done. We also note that the red team's job isn't over when they find a high impact vulnerability. Key Points: 0'49 There's more to staff retention than bonuses 1'40 The problem of the romanticisation of the red team 3'30 Measuring progress in security improvement 4'25 Purple Teaming may help reduce the gap 11'00 Empowering the defensive team 15'15 Measuring offensive teams Links: https://soundcloud.com/hackedoff/009-an-intro-penetration-testing-vs-red-teaming https://soundcloud.com/hackedoff/an-intro-cybersecurity-maturity-assessments Listening Time: 18 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma

    062. Adam Louca: Cutting Through Vendor Noise

    Play Episode Listen Later May 28, 2020 41:33


    Adam Louca joins us today to talk about how to get the most out of security products, and how to cut through the marketing to find out what works for you! Key Points: 0'30 What is a technologist? 2'05 Why do we have to cut through vendor noise? 4'21 How you can determine the truth of products 9'25 Planning for the unknown 12'00 How to know products are working 19'50 Network segmentation, antivirus, and other specifics 22'40 Gaining internal visibility 31'00 Blame: Users vs Products 34'00 The Security People vs Products Links: Mitre Att&ck Framework: https://attack.mitre.org/ Listening Time: 42 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma

    061. - Kevin Fielder - Building Security, Teams, and Culture

    Play Episode Listen Later May 14, 2020 53:24


    Kevin Fielder joins us today discussing building security and building security teams. We talk risk appetite, balancing likelihood and impact, and team culture! 1'20 Where to start 4'00 Risk Appetite and moving quickly 11'13 Balancing appetite, likelihood and impact 15'15 Keeping the security team happy 18'45 Team Culture 25'45 Team Development and building Careers 38'25 How DevOps affects building security 48'12 Handling staff retention Listening Time: 54 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma

    060. - Security Strategy

    Play Episode Listen Later May 7, 2020 59:50


    Today we have Marc Avery, Kevin Fielder, and Sean Atkinson discussing how to build a business security strategy. We talk about cyber insurance, operational security, and building security in companies. We also take detours to talk about Equifax getting hit by Hurricane Irma, the problems of working from home, and company culture. 01'00 Guest Introductions 05'10 The security risk of the new baseline 15'00 Real-world attacks vs Click-bait News 18'22 Security Awareness Training for the Home 23'00 Pandemics and Business Continuity Plans 27'00 Risk Lifecycles - Revisiting Risk Exceptions 34'36 Cyber Insurance Benefits and Woes 48'05 Will cybersecurity be a priority in the near future? 52'15 Zero Trust: Marketing and Reality Links: "88% Working from Home" - https://www.gartner.com/en/newsroom/press-releases/2020-03-19-gartner-hr-survey-reveals-88--of-organizations-have-e Munich Massacre - https://www.nytimes.com/2017/08/30/sports/olympics/munich-olympic-massacre-1972-memorial-israeli-athletes.html Equifax Hit by Hurricane Irma - https://gracefulsecurity.com/equifax-breach-timeline/ NCSC Attribution Example - https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack Listening Time: 60 minutes Host: Holly Grace Williams, Technical Director at Secarma

    059. - Mike Jones: Anonymous, Suits, and Building Better Security

    Play Episode Listen Later Apr 30, 2020 44:10


    Mike Jones is a former member of Anonymous, a former confidential informant, and is here to talk about building better security. We talk about everything from Cyber Prevent programmes to help people avoid becoming cyber criminals to becoming a better penetration tester. 01'12 Working with Anonymous 03'25 Meeting with the Suits 04'18 Working as a Confidential Informant 16'50 A hacker's impression of the legal system 20'40 Cyber Prevent Programme 25'50 Developing PenTesting Skills 32'20 Covering up breaches and vulnerabilities Listening Time: 44 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma

    058. - Starting Security From Scratch

    Play Episode Listen Later Apr 23, 2020 24:46


    Many security guides out there presume that you're implementing security on an existing system or an existing product, looking at what has been missed and improving things incrementally - but what if you're building something completely new? If it's a new product or a new company, things can be different. When you're struggling with security many experts will tell you that you should have started sooner - but where exactly do you start? You can't PenTest a product before you've written your first line of code, so what should you do first? It's difficult to fit it all in without making an episode that goes on for days - but in today's episode Holly Grace looks at some of the common aspects of security, starting with design and building up to implementation and response. 2'35 Testing too late makes it harder 4'15 Design, Implementation, and Protection 5'30 Security Policy: Updates, Passwords, and Authentication 6'45 Awareness Training: Why the policy is that way 10'42 Policies and Implementation not matching 15'10 How frequently should you Pen Test? 19'05 Response: Logs, Alert, and Hunting Links: Secarma's Cybersecurity Maturity Assessment - https://www.secarma.com/services/cybersecurity-assessment/maturity-assessment.html NIST Cybersecurity Framework - https://www.nist.gov/cyberframework NCSC Cyber Assessment Framework - https://www.ncsc.gov.uk/collection/caf/cyber-assessment-framework Listening Time: 24 minutes Hosted by: Holly Grace Williams, Technical Director at Secarma
